Approaching ISO 9001/14001:2015 Standards
Process Approach and Risk
One of the key changes in the 2015 revision of both ISO 9001 and ISO 14001 is to establish a systematic approach to risk, rather than treating it as a single component of the relevant management system. In previous editions of both standards, there was a completely separate clause on preventive action. Now risk is considered and included throughout both standards. By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is therefore automatic when a management system is risk-based.
For many smaller companies where this may be a new concept, Key Process Mapping is an ideal start: the risks to each key process can then be identified, and the controls already in place that mitigate each identified risk can be highlighted. The process approach provides the ideal vehicle for internal auditing to establish that the controls in place are in fact an effective measure in mitigating any identified risk.
This approach will help:
- Describe the flow of materials, information and documents;
- Display the various tasks contained within the process;
- Show that the tasks transform inputs into outputs;
- Indicate the decisions that need to be made along the chain;
- Demonstrate the essential inter-relationships and interdependence between the process steps; and remind us that the strength of a chain depends upon its weakest link.
Some medium-sized companies are going the extra mile and applying a Failure Mode Effects Analysis (FMEA) to each identified risk along with the controls in place. An FMEA is a systematic, proactive method for evaluating a process to identify where and how it might fail and to assess the relative impact of different failures, in order to identify the parts of the process that are most in need of change or improvement. It will also identify the further actions to be taken, the person responsible and the timescales. The FMEA is also a good tool for the control of any future unidentified risks.
What are your organization’s key products and services? Larger companies are adopting a Risk Register to identify and mitigate risk; this is a live document that tracks a project, client or design through to completion and often spans several processes and departments within the same business. The risk register is usually reviewed at project handover/completion to ensure a ‘lessons learned’ philosophy is adopted.
The development of a Business Continuity Plan / Disaster Recovery Plan is becoming very useful when approaching business risk. Indeed, more and more companies are adapting this document to demonstrate how they mitigate business risk on a number of fronts, such as loss of premises, loss of utilities and loss of a key member of staff. It sets out how the business will operate following a major incident and how it expects to return to 'business as usual' in the quickest possible time afterwards. Such a document is applicable across both standards.
To implement a Business Continuity Plan you will need to consider the following questions:
- What are the critical activities, and what resources are required to deliver them?
- What are the risks to these critical activities?
- How will you maintain these critical activities in the event of an incident (loss of access to premises, loss of utilities, etc.)?
Work Based Risk
Risk Assessments are not a new concept, but provided they are regularly reviewed, they are an ideal document for defining and mitigating work-based risk, whether for a specific location, the use of particular machinery or actual work-based activities.
There are five accepted steps to carrying out a risk assessment:
Step 1: Identify the hazards. In order to identify hazards you need to understand the difference between a 'hazard' and a 'risk'.
Step 2: Decide who might be harmed and how.
Step 3: Evaluate the risks and decide on control measures.
Step 4: Record your findings.
Step 5: Review your assessment and update as and when necessary.
ISO 14001:2015 identifies three possible sources that present risks and opportunities to the business:
- Environmental aspects,
- Compliance obligations and
- Issues and requirements from the context review.
The strategic context and interested parties workshops, outlined in previous blogs, together with its aspects and compliance obligations, will have given an organization the knowledge to understand its risks and opportunities. However, a risk management approach cannot be applied to compliance with relevant legislation: a documented acceptable risk of non-compliance cannot be allowed within the system.
The application of risk to compliance has instead been approached in a number of other ways:
Financial Risk – The cost to the company of non-compliance.
Reputation Risk – Would non-compliance damage the reputation of the company, e.g. through continued media intrusion?
Life Cycle Approach
One of the simplest but most effective ways to demonstrate the Life Cycle approach is to apply the ‘cradle to grave’ philosophy to all of the key Aspects/Impacts from the aspects matrix, using the headings listed below (not all headings may be applicable) to determine how the company ensures that all elements of the lifecycle are considered within its daily operations:
- Major positive and negative aspects
- Acquisition of raw material
- End of life treatment
- Final disposal
Other manufacturing-based clients are also approaching lifecycle in a similar way, but through an analysis of their waste streams regarding the possible opportunities for re-use, the disposal methods and the end-of-life destination.
The organization should consider those stages in the life cycle over which it has the greatest control or influence as these may offer the greatest opportunity to reduce resource use and minimize pollution or waste.
Interested parties can also be approached in a number of ways:
Interested parties can, for example, be included within the Aspects / Impacts matrix and be given a positive/negative significance rating similar to the Aspects & Impacts ratings (depending on their relative impact on the business).
Simply listing suppliers, customers, communities etc. is not enough to meet the requirement of the standard, i.e. to understand the needs and expectations of relevant interested parties.
Make the information more meaningful by grouping interested parties based on their relationship with the organization. This is advised in ISO 14004 – EMS Guidelines for Implementation, which provides examples of interested parties grouped by their relationship with the organization, by their:
- Responsibility – investors, etc.
- Influence – pressure groups, etc.
- Proximity – neighbours, etc.
- Dependency – employees, etc.
- Representation – trade unions, etc.
- Authority – regulators, etc.
Some categories may contain sub-categories that require a different management approach. For example, customers may include key accounts, which have different needs and expectations from transactional customers.
If you’re ready to begin your journey towards ISO 9001/14001:2015 certification, you can find out more from our monthly webinar sessions on each of the standards, which explore each of the subjects mentioned above in detail.