
The new ISO 31000 Risk Management standard was released in February 2018. ISO 31000:2018 supersedes ISO 31000:2009. The risks organizations face have changed significantly in the last nine years; risks such as terrorism and cyber-attacks were not as prevalent a decade ago. To adapt to these new realities and to facilitate risk management, ISO 31000 has been revised, and the latest version has just been released.

Simple is the best way to describe the new ISO 31000:2018 standard. It is clear and concise while giving enough detail to be applicable to organizations anywhere in the world and to different processes, from finance to production. It is written in plain language so that the fundamentals of risk management can be understood by everyone. To make the standard accessible and easy to understand, its terminology has been revised and certain terms used in risk management have been moved to ISO Guide 73, Risk Management – Vocabulary.

In addition to the changes aimed at making the standard easier to read and apply, there have also been changes to the principles of risk management. In ISO 31000:2018 these principles are designed so that risk management provides value creation and protection to every organization. The principles state that risk management should be:

  • Integrated
  • Structured and comprehensive
  • Customized
  • Inclusive
  • Dynamic
  • Based on best available information
  • Aware of human and cultural factors
  • Focused on continual improvement

These principles, together with the standard’s definition of risk as the “effect of uncertainty on objectives” (carried over from the 2009 edition), drive organizations to look at the internal and external uncertainties that could jeopardize the accomplishment of their objectives. In this way, risk management is tailored to the needs and objectives of each organization. The integrated and inclusive principles help organizations develop a system which brings risk management to the center of decision making and which supports all activities across the organization.

ISO 31000:2018 recognizes that risk is ever changing; therefore the system must be flexible and dynamic enough to adapt to changing uncertainties, while always focusing on the continual improvement of processes.

Overall, the new ISO 31000:2018 standard presents guidelines for effective and efficient risk management in a simple manner. These guidelines will help organizations understand and address the different uncertainties which will inevitably appear in their path to achieving their objectives.

Organization Knowledge and ISO9001:2015

This column will cover the background and importance of auditing multiple and integrated management systems, the advantages and disadvantages organizations accrue when integrating and auditing their systems, and how to adjust audit programs to fit the reality of multiple and integrated management systems (intMS), which are increasingly prevalent today.

The adoption of formal management systems has risen dramatically over the past few decades, and an increasing number of organizations have implemented multiple management systems. Organizations are increasingly recognizing the advantages and efficiencies that accrue from integrating them, whether fully or partially.

Integration was more difficult prior to the harmonization of the ISO standards, now guided by ISO’s Annex SL: the high-level structure that provides an identical structure, identical core text, and common terms and definitions for future management system standards. This will ensure consistency among future and revised management system standards and make their integration and integrated use simpler. This is evident in the recent adoption of ISO 9001:2015 and ISO 14001:2015, and in ISO 45001, ISO’s Occupational Health and Safety Management System standard and its newest.

With the addition of each management system, the auditing resources necessary to ensure its effectiveness could, without integration and streamlining efforts, roughly double. Organizations with a QMS, EMS, and HSMS could triple the auditing resources, including time, used for a single system.

For the commonly used 2-3 auditors per system, 6-9 auditors may be necessary for an organization with a QMS, EMS, and HSMS. For those using 3 or more audit team members, imagine the audit army this creates, let alone the time necessary to audit separate systems and the disruption to the organization.

Consider all the other financial, customer, supply chain, and other audits organizations are subjected to, and you can understand why many organizations are ‘audit weary’!

Integrated Audits

Professionals who have conducted integrated audits recognize how much more efficient they can be. The process under review, along with all of its controls (environmental, health, safety, and quality), has to be evaluated only once.

There is less duplication of effort during the planning, execution, and even follow-up phases of the audit. Other efficiencies, often unforeseen, are uncovered once an organization begins an integrated management system pathway, which is yet another advantage of integrated auditing.

Typically, management systems integration allows the organization to minimize duplication and redundancy of effort, streamline or leverage the use of its limited resources, and reduce or eliminate overlapping responsibilities. This is true of integrated systems in general and is especially true of the audit function. Minimizing duplication and redundancy of effort translates to the significant cost savings, productivity increases, risk reductions, and enhanced effectiveness and efficiency that intMS are designed to achieve.

When it comes to intMS registration, registrars should pass on savings when auditing and certifying intMS, through the same efficiencies and streamlining that organizations achieve internally.

Disadvantages of Integrated Audits

While there are many advantages to implementing and auditing intMS, it is important to recognize that there are disadvantages as well.

If an organization is seeking third-party registration to more than one standard, a non-conformance against a requirement of one standard may carry over to another standard. In the worst case, if the non-conformance is major, all registrations could be at risk unless effective corrective action is taken.

Another disadvantage is the learning curve and attendant training that will likely be an adjustment for staff members, many of whom will not be familiar with the requirements of all the management systems involved in the intMS.

For example, quality staff may be intimately familiar with ISO 9001 requirements while needing extensive and perhaps costly training on ISO 14001. The same will be true of OH&S staff, and vice versa for each staff function.

In the next installment of this column, we will dive into the mechanics and logistics of intMS auditing, as well as provide tips and techniques to help improve intMS audit team effectiveness and efficiency.

About John Grosskopf: Since a Dr. Deming-led quality and environmental paradigm shift at General Dynamics in the late 80’s, John has been a strong management systems (MS) advocate. He has pioneered advances in auditing and integrating MS, has been a chief contributor to two national MS standards, and has led the development, implementation, and improvement of hundreds of MS in the public and private sectors. He is an accredited EMS, HSMS, and QMS auditor (accreditations pending), a published author, instructor/trainer, and has presented widely on MS. Through his firm, DeepGreen Consulting, he is currently assisting clients to improve their triple bottom line through a combination of MS, best practices, collaboration, and leadership.

Reference: Auditing Integrated Management Systems: Considerations and Practice Tips, November 2008, Journal of Environmental Quality Management, John Grosskopf, with co-author Jennifer Kraus.


ISO 14001 is an international standard. Accredited certification to this standard demonstrates a committed stance on environmental management to stakeholders. Moreover, when an organization has correctly implemented an environmental management system, it supports environmental compliance, improves environmental performance, and provides a systematic and strategic approach to environmental issues.

There are many benefits to implementing ISO 14001; here are the top 5.

1. Ensuring Management Commitment

ISO 14001 requires top management to commit and lead the implementation and maintenance of best environmental practices. Engaging the leadership team will increase employee engagement. When everyone in the organization is working towards the same goal, the probabilities of achieving it increase.

2. Strengthen Stakeholder Relationships

ISO 14001 certification can improve an organization’s reputation and strengthen stakeholder relationships. If a stakeholder requires ISO 14001 certification, the relationship will obviously improve upon certification. However, even if stakeholders do not require ISO 14001 certification, having it can increase stakeholder confidence.

3. Improve Business Development

If an organization is seeking new clients, it may encounter a client that requires its suppliers to be ISO 14001 certified. Thus, having certification can give organizations a competitive advantage.

4. Identify Risk and Opportunities

Every organization is different; ISO 14001 allows organizations to identify the environmental issues that apply to them. It guides organizations in the management, monitoring and control of these issues and in the identification of risks and opportunities that could either enhance or prevent the achievement of their environmental goals.

5. Safeguards Process Improvement

The certification audit process can also be beneficial to an organization. A certification body audit ensures that the management system has been implemented and maintained correctly, and it also identifies opportunities for improvement and potential risks that the organization might have missed.

Organizations can implement ISO 14001 without seeking certification; however, in many cases it is the certification that gives confidence to stakeholders. To find an accredited certification body, visit the ISO Update Registrar Directory.


ISO 9001 was revised to meet the needs of the changing business environment and to ensure that the standard is relevant to the current needs of the marketplace. Here are the 5 major differences between the old ISO 9001:2008 and the new ISO 9001:2015 standards.

High Level Structure

The most prominent change in the new standard is a new structure known as the High-Level Structure. This structure is common across multiple standards and makes it easier to implement several ISO standards within an organization, because they all follow the same structure.

Risk Based Thinking

There is increased focus on risk-based thinking in ISO 9001:2015. The standard requires organizations to address risks and opportunities in a structured manner. To address this requirement, organizations may need to use risk analysis techniques such as FMEA to identify and mitigate risks.

Context of the Organization

ISO 9001:2015 places a lot of emphasis on capturing the context of the organization. Context of the organization means the business environment driven by external factors such as legal, regulatory, financial, social and cultural factors, while still considering the internal environment. Internal factors may include organizational structure and resource capabilities. Context of the organization also depends on the needs and requirements of interested parties. The context that is relevant to the strategic direction of the organization should be used to define your Quality Management System. This is an additional requirement which needs to be handled within an existing Quality Management System.

Requirements of Interested Parties

Suppliers, shareholders, employees, and legal or regulatory bodies are now included as interested parties, in addition to customers, who were predominantly the only interested party in ISO 9001:2008. To address this requirement, organizations need to identify all relevant stakeholders and capture their requirements relevant to the quality management system.

Leadership Engagement

ISO 9001:2015 puts a lot more emphasis on leadership engagement and management commitment. The standard requires greater involvement of top management in controlling the quality management system.

The new requirements on understanding context, capturing risks and opportunities, and involving all interested parties to understand the strategic direction of the organization require that the Quality Management System operate in conjunction with business processes and strategies. Involvement of top management becomes important to achieve this and to improve the effectiveness of the Quality Management System.

In the previous version of ISO 9001, there was a concept of appointing a Management Representative (MR). This has been removed in the 2015 version. The duties of the management representative are still required; however, some of these duties now need to be managed by top management. This change ensures management is directly involved in establishing and implementing the Quality Management System, thereby integrating it into all elements of the business.

Documented Information

ISO 9001:2015 does not mandate specific documented procedures or a Quality Manual. The Quality Manual has been replaced by the concept of Documented Information. The information can be in any format and can come from various sources.

What are the differences between ISO 14001:2015 and ISO 14001:2004?

The latest version of ISO 14001, ISO 14001:2015, has brought changes to the most widely used standard on Environmental Management Systems (EMS). One of the major changes is its structure. ISO 14001:2015 now has the high-level structure common to all ISO management system standards, referred to as Annex SL. This common structure brings a more strategic focus to the standard and facilitates integration with other ISO management system standards. In addition to this new structure, there are many differences between ISO 14001:2015 and ISO 14001:2004. Here we will briefly explain the most relevant ones.

Organizational Context

Organizations are now required to systematically take into account the organizational context. Organizational context can be looked at as the environment in which your business operates. You will now need to consider which internal and external factors can influence the environmental goals of your organization.

This will allow organizations to have a better understanding of the risks and opportunities they will encounter and to be better prepared to minimize risks and maximize opportunities in order to improve the organization’s environmental performance.

Needs and Expectations of Interested Parties

Organizations are now required to take a careful look at the needs and expectations of interested parties (stakeholders). They will need to identify relevant stakeholders and understand how these can impact the EMS if their needs and expectations are not met.

Leadership and Commitment

Top management is now required to demonstrate commitment and leadership with respect to the EMS. In the new standard there is no longer a management representative role; instead, top management itself is required to demonstrate its commitment in a number of specified ways.

In ISO 14001:2004, organizations were required to commit, among other things, to reducing negative environmental impacts. Now, the new standard goes further by requiring organizations to also aim at having a positive impact and improve environmental conditions.

Life Cycle Perspective

The term life cycle appears far more often in the new standard than in the 2004 revision. While the previous version did not require organizations to consider the life cycle of products or services when identifying environmental impacts, the new one does.

Organizations are now required to take a life cycle perspective when identifying and evaluating environmental aspects. For example, procurement, design, transportation and disposal activities will now need to be considered. The purpose of this life cycle perspective is to contribute to sustainable development and to prevent negative environmental impacts from being shifted to another stage of the life cycle of a product or service.

Environmental Performance

The standard is now more specific regarding the evaluation of environmental performance. Organizations are required to use quantitative data in the evaluation process.

Communication

According to this new version, organizations are required to communicate relevant information regarding the EMS externally. This should be done following a communication process that the organization must establish.

In general, this new standard emphasizes environmental performance improvement and drives organizations to focus on organizational context and relevant stakeholders. It also promotes risk-based thinking and a life cycle perspective.


Determining the context of the organization is a new requirement in ISO 45001, and has already been incorporated in ISO 9001:2015 and ISO 14001:2015.

Context of the organization is about understanding the entire environment in which the organization operates. The context can be external or internal. SWOT analysis and PESTLE analysis (Political, Economic, Social, Technological, Legal and Environmental factors) are two methodologies which can be useful in determining context.

Firstly, the organization needs to determine the internal and external issues which have the ability to affect the outcomes of its Occupational Health & Safety (OH&S) management system. These issues can be positive or negative. They can include conditions, characteristics or changing circumstances which can affect the OH&S management system.

External issues can be:

  • PESTLE (Political, Economic, Social, Technological, Legal and Environmental) and similar factors.
  • New competitors, contractors, suppliers, partners etc.
  • Latest knowledge about products and their ability to affect OH&S.
  • Key drivers and trends relevant to industry.
  • Relationships with external interested parties.
  • Changes in any of the above factors.

Internal issues can be:

  • Organizational structure, and roles.
  • Policies and objectives.
  • Capabilities in terms of Resources such as capital, human and technological.
  • Information systems.
  • Relationships with, and perceptions of, workers.
  • Contractual relationships such as outsourced activities.
  • Working conditions and organizational culture.
  • Working time arrangements.
  • Changes in products, processes, equipment.
  • Changes in any of the above factors.

Secondly, the organization has to determine the interested parties in addition to workers, and their needs and expectations which are relevant to its OH&S management system.

Interested parties can be legal and regulatory authorities, parent organizations, suppliers, contractors and subcontractors, workers’ representatives, workers’ organizations such as trade unions and employers’ organizations, customers, medical or other community services, media, business associations and NGOs, and occupational health & safety organizations and practitioners.

Some needs and expectations are incorporated into laws and regulations and are therefore mandatory. There are also voluntary requirements which the organization may have subscribed to. The organization addresses these needs and expectations through the planning and implementation of its OH&S management system.

Thirdly, the organization has to define the scope of its OH&S management system by defining its boundaries and applicability.

To determine the scope, the organization has to consider the issues relevant to it. Then it has to consider the interested parties and their needs and expectations. After that it has to take into account the planned or performed work-related activities. The boundaries can include the whole organization or a specific part of the organization. The scope shall not be used to evade legal and other requirements. Those activities that can affect the OH&S performance of the organization have to be considered. The scope has to be maintained as documented information.

Fourthly, the organization must establish, implement, maintain and continually improve an OH&S management system according to the requirements of ISO 45001, establish one or more processes that fulfil the requirements of this standard, implement and control those processes, and achieve the intended outcomes. The organization shall also integrate the requirements of this standard into its business processes, such as design and development, procurement, training and education, human resources, and sales and marketing.


If your organization is looking to obtain certification to an ISO standard, there are a few areas within your business which will require specific focus, regardless of which standard you are seeking certification against.

1 – Policies

Begin by reviewing your organization’s policies to ensure they include a commitment to the requirements of the standard. Make sure the policies have been communicated effectively within the organization and externally to relevant interested parties. Auditors will most likely ask several people about the policies of the organization to confirm that interested parties know and understand how the organization has committed to achieving the standard and how their activities influence those commitments.

2 – Objectives

What are your organization’s objectives in relation to the standard? They need to be documented. The achievement of these objectives is what drives the entire management system. An auditor will ask for these objectives and check how they have been established, for an outline of the plan to achieve them, and for evidence of how they are being measured and monitored. Auditors will now be looking for quantitative data showing how your organization has measured and monitored these objectives.

3 – Organizational Context

This is a term which has emerged in many of the recently revised ISO standards, such as ISO 9001:2015 and ISO 14001:2015. Based on the notion that your organization does not exist in a vacuum, it requires you to factor both internal and external issues that could impact the management system into your strategy. An auditor will require you to show evidence of how your organization has identified, evaluated and incorporated these internal and external issues.

4 – Risks and Opportunities

You need to identify and evaluate the factors which could negatively affect your management system and the likelihood of achieving your objectives; these are the risks. You also need to identify the factors which can enhance and improve your organization’s performance; these are the opportunities. Auditors will need to see an outline of your risks and opportunities along with evidence of how they have been identified and the actions which are in place to address them.

5 – Planning Changes

Change is both constant and inevitable. Within a well-functioning management system, change needs to be identified and addressed. In preparing for an audit, identify and document changes which have occurred and will be occurring within your organization. These could be new and stricter regulations, new products or new equipment. An auditor will look for evidence that changes were identified and addressed proactively. You may also be asked how you future-proof your organization and identify upcoming changes.


ISO management systems consider interested parties an essential element in the success of any business. Interested parties, also referred to as stakeholders, must be managed in order to obtain and retain their support. Additionally, many ISO management standards, including ISO 9001, ISO 14001, and ISO 45001, require organizations to understand and manage the interests and expectations of their interested parties as part of the certification process.

Most organizations have many interested parties. Determining which are the most relevant is a critical step towards developing a plan to prioritize and manage them.

How can an organization begin this process?

First, it needs to understand the organizational context it works in and its goals regarding the management system being considered. Whoever can affect these goals, or be affected by them, is considered an interested party. The most relevant interested parties are the ones who pose a risk to the organization’s sustainability if their needs and expectations are not met.

Identify who the Interested Parties are:

The list may include:

  • Owners / Shareholders
  • Customers
  • Clients
  • Suppliers
  • Partners
  • Employees and their families
  • Regulators / Government organizations
  • Contractors
  • Communities
  • NGOs
  • Unions
  • Emergency services
  • Media

This list can grow or be reduced depending on the organization’s complexity, its context and goals.

Classify the Role of the Interested Parties

After listing all the interested parties, it is useful to categorize them based on how they relate to the organization. For example, do they hold responsibility for the organization, do they influence it, do they depend on it, are they close to the organization’s operations, etc. Guidance on how to categorize them can be found in ISO 14004.

Prioritize their Relevance

Not all interested parties will have the same interest in, and power to influence, an organization’s decisions and activities. Thus, it is necessary to differentiate those that have high interest and high power to influence decisions and activities from those that have low interest and power to influence the organization.

Determine the Needs and Expectations of the Interested Parties

Depending on the size and complexity of the organization, this can be done either by reviewing formal or informal records of requests and complaints, or by talking directly with the interested parties. Large and complex organizations, however, may require formal research methods to determine their interested parties’ needs and expectations.

Regardless of the size of the organization, establishing a process to manage interested parties is essential. Without a proper plan, an organization can easily misallocate its resources to less relevant interested parties while failing to meet the needs of a critical interested party.

IATF 16949:2016 was released in October 2016. This new standard supersedes and replaces ISO/TS 16949:2009 and its certificates. The deadline for transitioning to this standard is September 14, 2018. As this deadline gets closer, organizations may start to panic. To avoid the panic, here are some of the most important requirements to assist organizations in developing their strategy.

Timing requirements

  • By now, no organization should be conducting any type of audit against ISO/TS 16949:2009. October 1, 2017 was the deadline for performing initial, surveillance or recertification audits to this standard.
  • Only organizations that currently hold an ISO/TS 16949:2009 certificate can take a transition audit to seek IATF 16949:2016 certification. This transition audit should follow the organization’s existing audit schedule; for example, it should take place when a surveillance or recertification audit was planned.
  • The transition audit and a positive veto (certification decision) approval must be obtained by September 14, 2018.
  • Organizations undertaking their audits between July and September 2018 will have no more than 120 days for veto approval after completing their transition audit.

Transition audit requirements

  • The transition audit has to be a full system audit, like a recertification audit.
  • First, an off-site document review has to be conducted for every manufacturing site seeking the transition. This review must cover the organization’s quality management system documentation, such as quality manuals, procedures and evidence of conformance to the new IATF 16949 requirements.
  • If the organization has any supporting functions, on-site or remote, their documentation must also be included, and if these functions have not already completed a transition audit, a gap analysis and an action plan for meeting IATF 16949 requirements must be included.
  • From this review it will be determined whether the organization is ready to undertake the transition audit, and critical areas will be prioritized.
  • If for any reason an organization is unable to complete the transition audit within the time requirements, it will have to start again with an initial certification audit.
  • Likewise, if the transition audit results in a negative certification decision, the organization’s ISO/TS 16949:2009 certificate will be withdrawn and it will have to start over with an initial certification audit.
  • A very important point for organizations to consider is that the transition audit will also verify the requirements of ISO 9001:2015.

Certification body requirements

The certification body performing the audit must have met all the requirements for establishing its audit team. Organizations need to ensure that the auditors have passed all the necessary training and examinations.

If organizations meet these requirements and obtain a positive decision after their transition audit, their IATF 16949:2016 certificate will be issued, including the issue and expiration dates and a new IATF number.

The new ISO 9001:2015 has introduced updated requirements that supersede those of its predecessor, ISO 9001:2008. In particular, the requirements identified in ISO 9001:2008 under 4.2.3 Control of Documents and 4.2.4 Control of Records have been superseded in the 2015 version by 7.5.3 Control of Documented Information.

As part of the alignment with other management system standards a common clause on ‘Documented Information’ has been adopted. The terms “documented procedure” and “record” have both been replaced throughout the requirements text by “documented information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process) this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records, this is now expressed as a requirement to retain documented information.

To better understand the changes presented in section 7.5.3 relative to the 2008 requirements, it is important to identify the difference between documents and records:

  • A document is information used to support an effective and efficient organizational operation. A document consists of any information you use to run your company.
  • A record is evidence about a past event. Records consist of any data you collect during the operation of your business QMS. Records are facts and should not change. If new facts arise that contradict the old facts (an error), then you should strike through the old fact and record the new fact.

ISO 9001:2015 outlines the control of documented information in section 7.5.3, which is broken down into two separate requirements. Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  • it is available and suitable for use, where and when it is needed;
  • it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

  • distribution, access, retrieval and use;
  • storage and preservation, including preservation of legibility;
  • control of changes (e.g. version control);
  • retention and disposition.

With the new standard structure in place, don’t be confused by this “new requirement”, as it really isn’t new. We used to have “documents” and “records”; now we “maintain” (i.e. document) and “retain” (i.e. record) documented information.

Christopher Spranger is the owner and CEO of Spranger Business Solutions, a management consulting firm that helps people run more efficient businesses across the United States. They have a team of Quality Management experts that assist companies with internal audits and in achieving Quality Management System certification.

This article was originally posted on Spranger Business Solutions website and is published here with permission.