As the third part in our 3-part series about the upcoming changes to the standards for ISO 9001, ISO 14001, and ISO 45001, we'll be concentrating on three of the biggest changes for organizations, along with specific details of what the current drafts of the standards require. The three areas we'll be featuring are the Context of the organization, Documented information, and Risk-based thinking.
Changes to the Standards
Context of the organization
There are two new clauses relating to the context of the organization: 4.1 Understanding the organization and its context, and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can affect the planning of the management system. For this blog, we'll be focusing on the first, Understanding the organization and its context. The intent here is an understanding of the issues that have, or can have, an effect, either positive or negative, on the way the organization manages its responsibilities in relation to the management system. Issues can include conditions, characteristics, or changing circumstances that can affect the management system, both external and internal.
External issues, such as:
- The cultural, social, political, legal, financial, technological, economic, natural surroundings, and market competition, whether international, national, or local;
- Introduction of new competitors, new technologies, new laws, and the emergence of new occupations,
- Key drivers and trends relevant to the industry or sector having impact on the objectives of the organization,
- Relationships with, and perceptions and values of, its external interested parties,
- Changes in relation to any of the above.
Internal issues, such as:
- Governance, organizational structure, culture, roles, and accountabilities,
- Policies and objectives, and the strategies that are in place to achieve them,
- The capabilities of the organization, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems, and technologies),
- Information systems, information flows, and decision-making processes (both formal and informal),
- Introduction of new products and equipment,
- Relationships with, and perceptions and values of, its internal interested parties,
- Standards, guidelines, and models adopted by the organization,
- Form and extent of contractual relationships,
- Changes in relation to working time requirements and any of the above.
The aim is to assist the organization in determining its risks, developing or enhancing its policies, setting its objectives, and determining its approach to meeting the requirements of its customers and community, along with applicable legal and other requirements. Note: There is no requirement in the standards to consider interested parties which have been determined not to be relevant. Similarly, there is no requirement to address a particular requirement of a relevant interested party if that requirement is not relevant. Whether something is relevant or not depends on whether it has an impact on the organization's ability to consistently meet its objectives.
Documented information
Documented information replaces the previous Control of Documents and Control of Records clauses from the prior revisions of ISO 9001, ISO 14001, and AS/NZS 4801. Documented information is now defined as information required to be controlled and maintained by the organization, and the medium on which it is contained. Interestingly, the distinction between what was considered a document and what was a record has been removed; the term documented information should be taken to mean both. It is important to note that the amount and format of this documented information is determined by the organization, not by auditors. This update will hopefully result in organizations' documentation being more tailored to each organization's individual needs, and also coping better with non-traditional forms of documentation (such as video and websites). Organizations will still need to retain documented information (née records) to demonstrate conformity to the standard, along with the requirements of their own system.
Note: ISO/DIS 9001:2014 Annex A.6 Documented information states: Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process) this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records this is now expressed as a requirement to retain documented information.
Risk-based thinking
One of the key purposes of any management system is to act as a preventive tool: to stop things going wrong, to get it right first time, to make it fit for purpose, to not hurt people, and so on. Consequently, the new standards do not have an individual clause for 'Preventive Action'; instead, preventive action is expressed through adopting a risk-based approach. This risk-based approach means fewer prescriptive requirements and more performance-based requirements. The context in which the organization operates, the views of its interested parties, and its scope are to be considered to ensure the management system identifies its risks, be they adverse or beneficial. Planning for these risks is not a single event but an on-going process that anticipates changing circumstances.
The level of risk will be influenced heavily by the discipline of the system: Quality is primarily concerned with the risk of not being able to meet customer expectations, OHS is concerned with the risk of causing human injury or ill health, and Environmental risk is concerned with the impact of the organization on its local community and environment. Although risks, both threats and opportunities, have to be determined and addressed, there is no specific requirement for formal risk management.
Nor do the new standards require a risk management process in line with other risk management standards (namely ISO 31000:2009 Risk management – Principles and guidelines), although aligning with one may well be beneficial.