ISO 9004:2000 is a guideline for performance improvements.
It’s not a traditional standard to which organizations
become registered. Instead, ISO 9004 provides guidance
for organizations that want to go beyond the requirements
of ISO 9001:2000. ISO 9001 is a quality management
standard with a process-based approach toward continuous
improvement and addressing customer needs. ISO 9004
goes beyond the requirements of ISO 9001 and focuses
on stakeholder needs. Stakeholders include internal
personnel, customers, owners, suppliers, society and
other shareholders. The ISO 9004 audience is much
broader and encompasses a variety of potentially different

By applying ISO 9004, organizations are afforded
the opportunity to understand the wider environment
in which they operate. A large number of stakeholders
affect the decisions of organizations. In many established
organizations, the needs and expectations of stakeholders
are not incorporated into how resources are being

In developing both short- and long-term strategic
objectives, your organization should consider current
and future stakeholders’ needs. Of course, you
cannot and should not meet all stakeholder needs.
Some stakeholder needs may be in direct conflict with
others. All organizations have limitations on the
resources they can deploy. Organizations must develop
their business strategies carefully in order to balance
stakeholder expectations and remain profitable. In
determining stakeholder needs and prioritizing those
needs, your organization gains the content and balance
for sound strategic and operational decisions. You
can then use this information as a fundamental part
of your risk management processes.

The concept, structure and principles of ISO 9004
are similar to those used in ISO 9001, but ISO 9004
incorporates the needs of a larger audience and covers
additional aspects in greater detail. Organizations
already familiar with ISO 9001 will find it relatively
straightforward to apply ISO 9004. However, the results
will dramatically affect how your organization’s
resources are allocated and utilized. ISO 9004 provides
the opportunity for your organization to improve your
management system to incorporate all appropriate stakeholder

Recent news events have focused
business leaders on the importance of looking after all
their stakeholders. Although profit is fundamental to business
success, it’s no longer acceptable to drive businesses
exclusively through financial controls. Other factors must
be considered to ensure that the business of business remains
successful during the medium term. Customers, employees,
legislation, litigation, and local and worldwide opinions
can all significantly affect the health and prosperity of

Will your company be the next one to hit the headlines?
Consider the following leads from July 2002 issues of the
• U.S. regulators are underfunded and pulled in dozens
of directions in their efforts to restore investor confidence.
• Sony became the latest victim of investor concern.
• Tyco shares dropped sharply after a Goldman Sachs
• China’s insatiable demand for coal has precipitated
a series of terrifying underground explosions.
• The World Health Organization yesterday released
the draft text of a groundbreaking international tobacco
• Farmers and residents are protesting the planned
seizure of their land to build a new international airport
for Mexico City.

Governments in North America, Europe and Asia are increasingly
focusing on corporate governance and internal controls.
As a result, organizations will have to demonstrate that
they have structured management systems in place to review
and prioritize all their stakeholders’ needs as well
as manage the business risks they face. Many view these
issues as related initiatives that must be adopted as additional

How can organizations juggle the conflicting requirements
of high financial returns, fair salaries, decent working
conditions, low prices, excellent service and minimal impact
on the environment?

Encouraged by such standards as ISO 9001:2000, many organizations
are adopting a process-based approach and applying it to
all their activities. It’s become an essential tool
in helping them understand their customers’ needs
and expectations. Quality management is no longer the exclusive
domain of manufacturing operations; the process approach
has proved invaluable to service organizations such as local
governments, health care institutions and financial organizations.
As an additional benefit, management standards require that
companies build a cycle of continuous improvement into everything

Companies that have implemented these standards and evolved
with them have seen that they help manage conflicting priorities
in a structured way. The challenge for these organizations
is to recognize what’s not being done and where development
is required to build upon systems already in place.

In addition to ISO 9001:2000, two other risk-based approaches
to management systems have been introduced with the environmental
standard ISO 14001 and the occupational health and safety
system OHSAS 18001. With these, organizations are encouraged
to identify and evaluate all the environmental and occupational
risks they face. Significant risks with severe consequences
must be managed, either by eliminating them or reducing
their frequency and/or severity.

By adopting these process and risk-based approaches, organizations
can improve their understanding of customer requirements
and expectations. Organizations that do so will also be
in a better position to manage the way in which they interact
with their physical environments and look after the health
and safety of people at work. Standards offer a method of
measuring progress against objectives, which in turn helps
drive continual improvement, competitiveness and success
in an increasingly demanding environment.

A new standard, ISO 9004:2000, Guidelines for performance
improvement, can help companies effectively review and prioritize
stakeholder needs. This standard takes them beyond the requirements
of the global benchmark quality management standard ISO
9001:2000 by using eight management principles:
• Interested parties
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision making
• Mutually beneficial supplier relationships

By adopting ISO 9004:2000, organizations develop a better
understanding of the wider environment in which they operate.
All organizations are affected by stakeholders. In some
cases these effects are highly visible, and a detailed review
of them is unnecessary. However, in most organizations,
stakeholder needs and expectations are often taken for granted,
and this leads to inappropriate use of the organization’s

Stakeholders can include owners/shareholders, suppliers,
competitors, society, employees and customers. Their immediate
and future needs must be considered when developing both
short- and long-term strategic objectives. Of course, not
all stakeholder needs can or should be met. Some may directly
conflict with others, and all organizations inevitably have
limitations on the resources they can deploy. Companies
must develop business strategies that will balance stakeholder
expectations against survival in a competitive business
climate. One aspect of such strategies is allocating resources
to the most appropriate stakeholder needs. Knowing and prioritizing
stakeholder needs contributes to sound strategic and operational
decisions and also can be input into the risk management

The concept, structure and principles of ISO 9004:2000
are similar to those of ISO 9001:2000. Organizations already
familiar with ISO 9001:2000 will find applying ISO 9004:2000
relatively straightforward. However, the new standard can
have a dramatic impact on the way these organizations’
resources are deployed—particularly stakeholder needs,
expectations and relative priorities.

Risks can be seen positively as business opportunities,
such as investing in an innovative new product, moving into
new geographical markets or merging with another organization.
Organizations that can effectively manage these risks are
much more likely to protect and enhance their stock market
valuation and expand their business.

In a more traditional—i.e., negative—sense,
risk is usually seen as a potential for loss, whether it’s
lost revenue, litigation, claims or harm to people, property
or the environment.

In fiercely competitive manufacturing industries that use
just-in-time techniques, late delivery from a supplier means
production downtime and unhappy customers. Claims for lost
revenue and damage to reputation ricochet down the supply
chain, destroying the financial viability of otherwise successful
businesses. Aside from the obvious negatives incurred when
people or the environment are injured, the inevitable and
damaging press coverage that follows can destroy shareholder
confidence and business value.

The risks associated with less-tangible assets, such as
an organization’s brands, must also be carefully evaluated.
Brands take years and significant financial investments
to build but only seconds to destroy. For example, air traffic
controllers have recently charged the pilots of some low-cost
airlines in the United Kingdom with putting efficiency above
other criteria. Would you fly with an airline with a poor

After all the necessary business information is gathered,
the next step in a risk management process is to perform
a risk assessment. This may seem more of an operational
issue, but in fact it requires a companywide approach. Risk
can be inherent in an acquisition opportunity just as much
as it is in an accident.

Organizations that have successfully applied the environmental
management system standard ISO 14001 have reviewed their
operations with respect to significant environmental issues
(e.g., air and water emissions, waste management, land contamination,
raw materials and natural resources, and other local environmental
and community concerns). As part of the process, the standard
helps these companies respond to a common stakeholder expectation:
managing risk and preventing loss with respect to the environment.

Organizations that have successfully applied OHSAS 18001
have identified hazards and performed risk assessments relating
to routine and unusual activities performed by anyone who
has access to the workplace, even subcontractors and visitors.
They’ve also extended this examination to workplace
facilities, whether the organization or an outside supplier
provides them. Organizations that adopt this standard not
only establish a culture of risk management, but also address
another key stakeholder concern: the people within the organization.

Essentially, the challenge to organizations is to master
the risk assessment process and apply it companywide. Once
the process is adopted for obvious concerns, such as those
related to waste management or heavy machinery, it can be
used to evaluate less tangible assets—like brand management.
Again, the environment in which an organization works—and
this includes the stakeholders who influence how it operates—is
a key prerequisite and shouldn’t be forgotten.

Once risks have been identified, a company must decide
how it plans to tolerate, terminate, transfer or treat them.
Treating a risk is often the most complicated choice because
it requires control and measurement. These form the foundation
of an effective management system.

Difficulties arise when an organization determines that
a risk falls outside its management system’s usual
scope. For example, a risk might be identified in information
security and how information is collected, stored, maintained,
accessed and communicated throughout the business and to
other stakeholders. By adhering to the requirements agreed
upon by industry and applying appropriate management system
safeguards, such as those outlined in the information security
standard ISO 17799, the organization can improve its current
system and mitigate significant risks.

Another aspect of managing risks through treatment is maintaining
the balance between competency and procedure. Organizations
that have implemented ISO 9001:2000 are aware that it’s
often more appropriate to manage a process by means of competent
personnel rather than requiring them to follow meticulous,
step-by-step instructions. This philosophy also applies
to risk management: By its very nature, risk can’t
always be controlled through checklists.

Using the skills of a trained and highly competent staff
is a very effective method of managing risk. Proper training
and experience allow staff to identify inherent risks in
given situations and quickly work out the most appropriate
course of action. This implies a very different culture
from one in which staff is expected to work methodically
through detailed procedures before filling in the required

When managing risk, it may therefore be appropriate to
build in checkpoints along a process to measure and identify
potential risks. Staff competency can be matched to perceived
risks at each stage in the process, ensuring that the risks
are managed safely. Employee competency can be tested periodically,
which will in turn help drive training programs and succession

Most management system standards require that an organization
measure its performance against objectives. For organizations
that have successfully implemented management system standards,
these measurements can be applied to risk management. Also,
because processes are already in place to measure and analyze
information, additional data required for risk management
can be more readily obtained. For example, a company might
decide that storing a particular manufacturing byproduct
beyond an established amount is an unacceptable risk. To
monitor and continuously evaluate this risk, the company
can determine from the sales process the number of orders
anticipated and from those figures, the corresponding amount
of byproduct expected once production is completed. A process
can then be developed to ensure that when the byproduct
exceeds the established storage amount, it’s safely
disposed of or recycled.

Any business using an integrated approach that includes
risk management will be able to provide objective evidence
to top management, who can use the information to ensure
the organization’s health and implement continuous
improvement through management review. Applying a management
system standard ensures a structured approach to fact-based
decisions about the organization’s future.

Is risk management an independent issue, something that
must be managed separately from everyday operations? Evidence
indicates that most organizations are already managing risk
through their management system standards.

Building upon what’s already in place is often the
most appropriate way forward. Perhaps the true challenge
for organizations today isn’t identifying and managing
risk but figuring out how to establish a culture based on
a single business management system that can be used to
apply best practices.

Internationally recognized standards can help organizations
assess all their stakeholders’ needs and expectations.
The results of internal and external audits to these standards
can be used to drive organizational risk management. The
whole system must have a continual improvement focus in
line with strategic objectives in order to safeguard the
organization’s future prosperity. Such a system could
be described as a total business management system.

Simon Ledgard is a sector category manager of manufacturing
at BSI Inc. He assists in the development of services for
key manufacturing sectors around the world and the development
of new BSI assessment services, such as business performance
improvement review, based upon the principles of ISO 9004:2000.

Erroll Taylor is global marketing manager of manufacturing
at BSI Inc. He is responsible for developing BSI’s
services aimed at key manufacturing sectors around the world,
including automotive, aerospace and defense, engineering,
electrotechnology, and building and construction.

For more information about BSI Inc., visit www.bsiamericas.com.