The Imperative of Context
Previously in this series of articles we have explored the imperatives of Culture, Governance, Assurance and Improvement. We have learned that good auditors understand these things.
They appreciate the negative impact a bad culture and poor governance will have on an organization’s performance and its achievement of management systems objectives, and they recognise the particular challenges associated with conducting audits in such hostile environments.
But we have also learned that as auditors we are ideally placed to do something about this. We are the stakeholder’s advocates, their representatives, and we are professionally and morally obliged to act where we see the needs and expectations of relevant interested parties being ignored. By providing sound assurance and identifying opportunities for improvement we have the power to turn failing organizations around.
The question then becomes, ‘do we have the morale courage to do this?’ We will explore this in the last article of this series, ‘the imperative of leadership’, however before we get to that point there is something else auditors must understand and that is the organizations we are assessing are not operating in vacuums. Each is part of a complex inter-relationship with other organizations, and the wider world. In management systems terminology we refer to this as the organization’s ‘Context’.
The imperative of Context
The world is a very complex place. Every day, every organization experiences a series of interactions with private individuals or representatives from other organizations. Some of these interactions can be small, a delivery driver passing a parcel to a customer, and some can be huge, a multi-million dollar acquisition of a competitor, but each and every one has an impact on the organization’s business management system.
Annex SL tells us that organizations need to understand these impacts, and must take them into account when designing, implementing and improving their management systems. This is important because any organization that does not properly understand its context WILL ultimately cease to trade. It is simply a matter of how quickly that happens.
Part of our role as auditors is to do our best to prevent this. For third party auditors this ability is limited to an assurance activity, identifying to top management that the organization is experiencing issues are arising as a result of its failure to properly understanding its wider business environment.
Internal auditors however have an added advantage. They are positioned to not only identify such issues, but they can then work with their colleagues and others to resolve them. This takes them beyond assurance and into the realms of improvement.
Context in the ISO world
Until relatively recently ISO management system standards focussed mainly on ‘The Inside World’ (figure 1). They placed great emphasis on ensuring that the organization’s management system was appropriately structured to efficiently and effectively produced its intended results.
Yes, there were inputs into the management system from key stakeholders, e.g. customer expectations, external provider’s materials and services as well as outputs in the form of products or services, increased customer satisfaction, reduced environmental impact, the creation of safe and healthy workplaces etc., but these pre-annex SL management system standards failed to acknowledge that the achievement of the management systems’ intended results was dependent not only by what goes on within the boundaries of the business, but also what goes on outside of these boundaries.
Figure 1 – look outwards, not just inwards
With the introduction of annex SL came the requirement to properly consider the outside world too. The world changes literally second by second and whilst the majority of events that take place will have no significance for an organization’s management system, some will. Most of these will be incidental, but every so often there will be an event that the organization is forced to respond to. It is not all bad news however. Some of these events will open up new opportunities for the organization to develop and thrive, e.g. a competitor closing down or a reduction in raw material costs.
Modern annex SL based management system standards acknowledge that what is going on in the wider world can have profound implications, both good and bad, for the organizational management systems and, as a result, require organizations to now proactively look outwards, as well as inwards.
Annex SL based management system standards require organizations, as a minimum, to determine their context. ISO 9000’s definition of determination is ‘activity to find out one or more characteristics and their characteristic values’.
Some standards go further than simply determining context, (e.g. ISO 9001:2015) which explicitly requires organizations to then ‘monitor’ and ‘review’ their context over time. This is a critical additional and one that all annex SL based management systems should include – we will see why in a moment.
There are two stages involved in establishing the context of an organization. The first step is to determine those internal and external issues that can affect the management system’s ability to achieve its intended results. The second step is to determine the relevant requirements of relevant interested parties. Collectively the results of these two activities give us context. (see figure 2).
Figure 2 – context is comprised of two elements
As auditors we must ensure that the organization has carried out this determination. Our task is not helped by the fact that there is no requirement for the organization to document their context. ‘Determine’, as we have just learned, simply means ‘find out’ about your context. Determine does not mean ‘find out about it and then write it down’.
Auditors must take care NEVER to raise a non-conformance just because an organization has no written record of its context. That said, from a practical perspective most organizations are likely to want to commit their findings to paper, so for the majority of audits I would expect there to be something tangible for audits to examine.
Internal and external issues
So what aspects of their business might we reasonably expect to evidence that the organization has examined in order to identify its internal and external issues? The lists below provide possible examples.
The organization may have determined internal issues relating to:
- organizational governance, organizational structure, roles and accountabilities
- the culture of the organization
- policies, objectives and the strategies that are in place to achieve them
- operational processes, procedures and working arrangements
- capability in terms of available resources, knowledge and competence
- information flows and decision-making processes
- introduction of new products, materials, services, tools, software, premises and equipment;
- relationships with internal stakeholders e.g employees, top management.
The organization may have determine external issues relating to:
- political, economic, social, technological, legal and environmental factors
- the emergence of new competitors at local, regional, national or international level
- new knowledge relating to the organization’s products or services and their ability to meet end user requirements
- key drivers and trends relevant to the organization’s industry or sector
- the perceptions and values of the organization’s external interested parties;
Whilst there is no requirement to consider these specific areas, the examples above will be applicable to most organizations, irrespective of discipline or sector.
Techniques organizations employ for determining internal and external issues
Neither Annex SL nor annex SL based management system standards tell the organization how it must determine its issues. There are a number of well-established techniques however that auditors are likely to see being employed as they carry out annex SL management system based audits. Perhaps the most commonly encountered methods are SWOT analysis and PESTLE analysis.
SWOT is an acronym for strengths, weaknesses, opportunities, and threats. This is a structured planning method that evaluates these four elements of an organization in order to identify issues and potential opportunities.
Strengths: characteristics of the organization that give it an advantage over others
Weaknesses: characteristics of the organization that place it at a disadvantage relative to others
Opportunities: elements in the environment that the organization that could be exploit to its advantage
- Threats: elements in the environment that could cause trouble for the organization
These results of a SWOT analysis are usually presented in a table (see figure 3a).
Figure 3a Figure 3b
PESTLE analysis is another popular tool which allows the organization to understand its strategic position. PESTLE is an acronym for Political, Economic, Social, Technological, Legal and Environmental. Here the organization considers each of these areas in turn to identify the external and/or internal issues relating to that area.
SWOT and PESTLE are just two examples of the many techniques auditors are likely to come across when auditing clause 4.1 of annex SL based standards. What auditors must remember it is not how internal and external issues are determined that is important. What matters from an auditing perspective is that they have somehow been determined.
Relevant interests of relevant interested parties
The second element of context requires the organization to determine the relevant interests of relevant interested parties. But what do we mean by this?
The world is full of people and only a tiny percentage of these will be interested in any given organization’s management system. These individuals are referred to as ‘interested parties’. But whilst these people may be interested in the organization, the organization may not be interested in them. Those individuals or groups who the organization is interested in are called relevant interested parties.
There is another stage to go through though. Once the organization has determined who its relevant interested parties are it then needs to determine which of their many needs and expectations (requirements) its should fulfil.
A major challenge for the organization is that the relevant interests of relevant interested parties will not align, indeed they often conflict. Employees may want a high salary, but top management will be looking to keep costs under control; shareholders may want to maximise dividends, but the Board may want to hold back money for investment; the design department may want a technically perfect product, but customers want something more affordable.
The organization will therefore need to determine which of the relevant requirements of relevant interested parties it should focus on. This decision will be largely driven by the organization’s business strategy and strategic objectives.
Techniques for determining the relevant interests of relevant interested parties
There are many ways in which the relevant interests of relevant interested parties can be determined. Some of these will be prescribed – e.g by a regulator imposing a code of practice on the business, or by government imposing the rule of law.
Other relevant interests can be determined through activities such as market research, focus groups, structured interviews, and analysis and evaluation of feedback. Once again annex SL based standards are not prescriptive about how the relevant interests of relevant interested parties should be determine, they just require it to have been done.
Challenging the organizations determination of context
We have already established that auditing context presents us, as auditors, with a number of challenges. We know that the results of context determination do not have to be written down. In most cases we can expect to see documented information to evidence this activity but in small and micro organizations the determination may have been (perfectly validly) carried out in the head of a single individual.
In the absence of records, we will need to use methods such as interviews to establish conformity.
We also know that it is the organization and not the auditor who decides which internal and external issues are relevant, which interested parties are relevant and which of their requirements are relevant.
The auditor can only challenge the organization’s determination if they can prove by through submission of objective evidence that non-conformities have been identified elsewhere in the management system that can be directly traced back to the organization’s determination of context. e.g. a failure to fit the appropriate plug to a device as a result of not identifying the requirements of customers in a specific country or not providing product installation instructions as a result of a failure to national laws.
Simply being of the opinion that the organization has got it wrong is not sufficient. Auditors must be able to prove they have got it wrong. Expect to be challenged you if you are unable to do this.
Why is determination of context so important?
You may by now be wondering why determination of context is so important. The reason is that the results of context determination form a critical input into other management system processes (see figure 4).
Within ISO 9001:2015 these relationships are explicit. That standard requires context (the organization’s internal and external issues and the relevant interest of relevant interested parties) to be considered by the organization when it is setting the scope of its QMS, when planning the QMS, when setting QMS policy and objectives and when reviewing QMS performance.
Other standards are not quite so explicit in terms of how the determined context is to be used. Auditors need to be wary of this and must ensure that they audit the context of the organization against the specific context requirements of the appropriate individual standard.
Figure 4 also contains a warning. If the organization’s determination of context is wrong or incomplete, the scope of the management system is likely to be wrong or incomplete too. The organizations planning will be based on incorrect assumptions about what stakeholders require and the challenges the organization faces.
As a result, Policy and Objectives may be set which drive actions contrary to what the organization should really be doing. And because the organization will be assessing its performance against the delivery of misinterpreted ‘required results’ it may be completely convinced that it is doing well when what is really happening is it is doing well at doing the wrong things.
The correct determination of context by the organization matters. It matters a lot.
A change in context can spell disaster
Sometimes an organizations greatest strength can suddenly become a weakness if their context changes. And context does change, in fact for some organizations it can change literally on a daily basis. The needs and expectations of relevant interested parties are constantly shifting – it was not that long ago that everyone wanted a Sony Walkman or a Hula Hoop, and new external and internal issues arise all the time. Organizations that either do not spot the need to adapt to a change in context, or worse still spot the need but choose to ignore it, will go the same way as the dinosaurs.
Part of our role as auditors is to alert organizations to any incorrect determination of context. Requirements within the ISO 17021-X series and the yet to be released ISO 19011:2018 necessitate that individual auditors and audit teams have sector and/or discipline specific knowledge for precisely this reason.
When conducting assessments, auditors need to be aware of the typical issues and requirements of relevant interested parties that are applicable to specific sectors/disciplines. If they are not then it is almost impossible for them to spot any ‘gaps’ in the determination of context by the organization.
If the organization has missed something critical we, as auditors, may well be their last line of defence.
The CQI competence framework identifies that in order to become a competent quality profession you need to possess knowledge and skills and the ability to apply them in 5 key areas. These ‘core’ competencies are equally as relevant to first, second and third-party auditors as they are to other quality professionals. The framework (figure 5) specifically identifies an understanding of context as one of the core competencies. It is something we must remain mindful of when assessing the areas of governance, assurance and improvement.
Figure 5 - The CQI Competence Framework
In this article we have identified what context means in respect of annex SL based management systems standards as well as the challenges auditing context poses for audit professionals.
Of all of the clauses in the high-level structure of annex SL it is this one, Clause 4, that is likely to cause the greatest number of disputed findings. Remember, if you cannot prove the organization has incorrectly determined its context you cannot raise a non-conformance. Resist that temptation!
“Leaders create the conditions in which individuals and organizations thrive.”
Source - Bob Anderson, Mastering Leadership: An Integrated Framework for Breakthrough Performance and Extraordinary Business Results
In the final article in this series we will examine what is without question the most significant of all of the audit imperatives. No matter how great your appreciation of organizational context and culture, your proficiency in conducting assessments or your ability to identify improvement opportunities, your impact as an auditor will be minimal unless you possess the necessary skills and determination to force others to act on your findings.
If you do not have the necessary leadership skills to effect material change, change will not occur, and all your valuable efforts will be wasted.