I often say this to clients, but it is advice that often goes unheeded. These days integrated management systems are becoming more commonplace. A lot of people are moving away from ISO 9001 (quality management) alone and are instead utilising an increasingly diverse set of management system frameworks: ISO 27001 (information security), BS 25999-2 (business continuity), ISO 14001 (environment) and so on.
All well and good. The problem comes when trying to “sell” these to staff. Frequently, these management systems are perceived as heavy amounts of documentation without any real business benefit to the end users, the staff and management. They look like more of an overhead, especially when the key driver comes not from an internal desire to improve but from an external tender requirement placed on the organisation concerned. The task is given to an individual, who then spends hours writing the documents and collating them into a mighty tome, which then sits on the shelf, unused and unloved, until the certification auditor arrives. This approach may well be more of a cost to the business than a benefit.
All management systems have a similar chassis: a series of seven documented procedures that are common to them all, namely internal audit, management review, corrective action, preventive action, document control, record control and exception management (whether the exceptions are security incidents or non-conforming products). In fact, the news from ISO is that subsequent revisions to these standards will further harmonise these management system documents, so these common areas will even have the same clause number from standard to standard.
So what does this mean for a business? It means that you don’t need weighty tomes for each standard. It means that management systems can be integrated, with a single business-wide document that governs the whole of the business and does not have to refer to the management system standards at all. Why have an ISO 27001 document control procedure, a 14001 document control procedure and a 9001 document control procedure, when instead you can have a single business-wide document that tells you how the business as a whole manages documents? The fact that this business-wide procedure meets the relevant standards should be a happy coincidence, not the driving goal. It is worth remembering that it is the certification body’s assessor’s job to evidence that you are meeting the standards; it is not your job to do so by littering your documents with references to standards and their clause numbering conventions.
This approach means that the management system begins to fade from the average user’s eyes. They don’t care what ISO 9001 or ISO 27001 says, but if you tell them that all their documents have to meet this procedure because it is what your business expects (not some external standard), then they will probably get on board. The management system stops being some external requirement and becomes just “what we do as a business”, embedded within the culture.
The other two major factors here are management commitment and local ownership. If either is lacking, the management system may fail. Frequently the management nominate an individual to write the MS documentation, and this individual is then engaged in writing meaty tomes that no one else will use or read. It is worth remembering that these are management systems and most will have a business-wide scope. Instead of nominating an individual, the management should realise how important it is that the system is embedded business-wide and adopted by the whole of the business as a cultural change, and should take ownership themselves of it as a methodology for running the business, not as a single project which has been forced on them. Embracing the change will reap the benefits; begrudgingly chucking a single resource at it will only produce cost.
Finally, the best way to engage the business is to encourage local ownership. This means abandoning the huge manual and splitting the documents up into a framework of smaller documents that are owned locally rather than controlled centrally in some goliath book that rests on the shelf. They are much more easily updated, and updated by those who need to update them.
All MS standards have a requirement for training, awareness and competency, which is the remit of the HR department. So why, then, is the quality/information security manager writing these in isolation as part of his huge manual? Who is best placed to write a business procedure: someone remote from the process, or the people who actually do it? To embed management systems in the culture of the business, individuals within the business must own their own process documentation, and the organisation will be better off for it. HR write the HR docs, IT write the IT docs, Operations write the operational documents. The standard has an internal audit mechanism to police that these are completed, and a document control procedure to make sure they all look consistent. Electronic document storage tools such as “SharePoint” and cloud-based storage solutions can help in their overall management.
And if the staff ask why they must document what they do? Not because the ISO standard tells you to, but because it is good business practice. Because the organisation itself requires it to be done. It is embedded in the organisation’s culture, because the organisation wants to have a mature level of corporate governance.
Management systems with proper levels of management commitment, embedded in the culture of the business, locally owned and split into a framework of business-focussed activities can reap huge rewards. Those owned by a single individual, collated into a huge folder that no one looks at, uses or reads, and pulled off the shelf for update shortly before the assessor arrives, will only ever be a cost.
The best management systems are invisible. They are “just what we do as a business”.