The Benefits of Integration - Your Questions Answered
26 May 2020
Following on from a webinar on this topic in May 2020, Principal Assessors Richard Walsh and Terry Fisher have answered some of the questions we often get asked on this subject...
Integrate your management systems to reduce duplication and improve efficiency. If you are currently running separate management systems, get in touch to see how you could make potential savings.
Q: I manage a system certified to ISO 9001 and ISO 27001. I have separate policies (in the manual) because I prefer to clearly and separately state different quality and information security objectives. Is this acceptable?
A: Yes – of course, within the management standards there is a great deal of flexibility and the level of integration can differ from one organization to another.
Q: In an integrated system (e.g. ISO 14001 & ISO 45001) the auditor finds 0 Major NCR for ISO 14001 but 5 Major NCR against ISO 45001, would you lose your integrated certification? So is it better in this case to be certified to ISO 14001 & ISO 45001 separately?
Are non-conformities still Quality, H&S and Environmental - i.e. would too many N/C in one discipline affect the whole system?
If you do raise a N/C against 1 clause of a standard and then a second against the same clause of another standard, will it be counted as 2 N/C?
A: Your system registration would require you to effectively action the major / minor NCs identified. If this is not suitably achieved, it can and will result in potential suspension of registration of the applicable standard. However, integration does not change this – if you did not address the major NCs effectively when registered separately, it would result in the same outcome.
So integration is there to enable enhanced effectiveness of the management standards by reducing duplication etc. It does not dilute the requirements of any element.
N/Cs can and will be raised against the relevant standard, and therefore you can have 2 findings against the same clause but in different standards – but you should also remember that the effectiveness of corrective actions requires consideration for the same issue (clause 10.2).
Q: If systems are integrated, do they get audited as one with a single certification?
A: The integrated systems are generally audited together but the registration and certificates are individual. NQA do not issue integrated certificates.
Q: How do you compare the risk analysis in OHS versus the aspects register? It seems like in OHS you never end doing risk assessments, while in an EMS you only seem to do one Risk Assessment a year. How do you think about it?
A: I would consider the difference as ‘frequency of changes’ – Aspects and risk assessment are both trying to achieve a method of identifying and prioritising risks. These are both driven by changes and performance – OHS may change more frequently and therefore require more frequent reviews, whilst aspects may be more stable and only require scheduled review.
Q: How to do the integration when the organization is certified by 2 different bodies?
A: The number of certification bodies involved does not change the integration as they are looking and assessing separate standards – the integrated system still needs to meet the requirements of each integrated standard. The different assessments may look at the same elements of the system and potentially duplicate assessment time used. The organization still saves the internal resources and time spent operating an integrated system even though the external assessments are not integrated.
Q: Which procedures are mandatory to be combined in one procedure covering ISO 9001 & ISO 45001? Integrated Management System Manual, Internal Audit, Non-Conformances...? Is there anything else?
A: The mandatory elements of each standard remain – how you integrate them is up to you. Each standard can have its own specific requirements in the same section of the standard – this does not prevent integration. For example, Management Review for ISO 9001 has similar but not the same requirements as ISO 45001 – this does not mean you cannot integrate Management Review; the records / documented information of the review can be applicable to both standards and they could be conducted in a combined review.
Q: What is the difference between PAS 99:2012 and Annex SL? Is integration the same as PAS 99?
A: PAS 99 is a specification for integration – Annex SL is the system structure used for all recently revised ISO management standards. PAS 99 is a specification which leads to integration if implemented effectively.
Q: How can an organization implementing ISO 9K+14K+45K integrate item 6.1 Actions to address risks and opportunities?
A: Firstly, not all risks and opportunities identified need to be addressed – the organization must decide. For an integrated or single system these risks and opportunities may be generated by external / internal factors and internal / external interested parties, and are part of the reasoning for considering the context – hence if you consider a risk or opportunity and decide it is to be addressed, logic dictates it must then be actioned or is already actioned as part of the processes and operations. Any actions taken need to be planned, risk assessed, implemented, reviewed for effectiveness and will have documented information.
Q: I am about to integrate my quality and security management systems. I am also starting to implement the EMS. Should this be integrated from the start?
A: Unfortunately only you can answer that for your organization – potentially the more you integrate from the start (even if it isn’t formally recognised), the easier it should be if the long-term strategy is to integrate.
Q: Will greater uptake for IMS (HSQE) result in reduced costs? Could integration reduce the UKAS required number of days?
A: System integration can reduce external assessment time allocation / costs (by up to 20%), but probably more importantly it can certainly reduce internal costs and duplication of effort.
Q: So if for example a Company wants to integrate ISO 9001, ISO 14001 and ISO 45001 could have one Manual for all three Standards but different Policies for each one Standard. Is it right?
A: That is fine – the level of integration and the exact details are decided by the client to meet the needs of their organization.
Q: Aren't Risks and Opportunities (6.1) business risks and not the same as Risk assessment?
A: To some degree I would differentiate OHS Risk assessments (ISO 45001 clause 6.1.2.) but risk assessments must be made prior to implementing changes (including strategic and process changes) as the outcome of risk assessments can change or influence the strategic direction and decision making outcomes. Risk/Benefit – Opportunity/Benefit. On occasion changes can be implemented and non-considered risks are created.
Q: Clause 8.2 has a different title (not just different content) in ISO 9001 and ISO 45001. I renumbered them 8.2a and 8.2b in a recent HSQE Manual. Not sure how right or wrong that is?
A: As discussed at the start of the webinar, under Annex SL section 8 ‘Operations’ does have discipline-specific requirements: ISO 45001 has clauses 8.1.1/8.1.2/8.1.3 etc., whilst ISO 9001 has 8.1 (Operational Planning and Control), then 8.2 (Requirements for products and services), then 8.3 (Design and development of products and services) etc. This must be considered when revising or updating system manuals – the standards themselves do not require system manuals for ISO 9001, ISO 14001 and ISO 45001.
So that concludes the summary of the questions from the webinar, and as always there is a range of support information on the NQA web site including some UK legislation updates etc.
If you need anything specific in relation to your current certificates with NQA, or you are thinking of transferring, then we are here to help.