In my previous blogs I covered:
Step 1: ISO Publication and Beyond
Step 2: The High Level Structure
Step 3: Clauses 1, 2 and 3 – Scope, Normative References and Terms and Definitions
Step 4: Context of the Organization
Step 5: Leadership
A quick reminder of the 10 Clauses of the HLS – this blog covers Clause 6:
2 Normative References
3 Terms and definitions
4 Context of the organization
9 Performance evaluation
STEP 6: PLANNING
This Clause is an excellent addition to both ISO 9001 and ISO 14001, because it introduces the concept of risk (and opportunity) to both standards via the High Level Structure (HLS). This is also where I can genuinely claim that DNV GL has been in the “risk” business for a very long time – and by that I mean in the field of certification also – since we have been delivering Risk Based Certification since 2004. The approach is based on the audit being built around areas of risk to the organization’s business, in any relevant area, and auditing in depth to assess whether the organization is managing that risk effectively.
The new ISO 9001 and ISO 14001 have now captured the key concepts of risk management in Clause 6, primarily split into two main sub-clauses: 6.1 – Actions to address risks and opportunities, and 6.2 – Objectives and planning to achieve them. In basic terms, it requires the organization to:
– Understand the range of risks and opportunities relevant to the scope of the organization and determine actions, objectives and plans to address them.
– In understanding those risks and opportunities, use the inputs that the organization has identified in understanding its context as required in Clause 4.1, and the views and inputs from interested parties in Clause 4.2.
– For ISO 14001 this Clause also includes the previous requirements to consider environmental aspects and compliance obligations, and determine those impacts which are of significance to the organization.
– Also consider the impacts of change and ensure that planning of change is effectively considered and managed.
– Establish objectives and targets and plans for quality and environment, ensuring that these are clear, measurable, monitored, communicated and resourced.
The strength of this Clause lies both in introducing the principles of risk and opportunity to management systems standards via the High Level Structure, and in connecting it very clearly to the processes defined under Clause 4. To remind us all – these are the clauses for determining the context of the organization and also considering the views and inputs from interested parties.
Within the detail of ISO 9001:2015 and ISO 14001:2015 there are differences in content, with the ISO 14001 version containing the familiar previous content on aspects/impacts and compliance obligations. In this area the revised ISO 14001 also introduces the concept of “considering a life cycle perspective” for its products, services and activities. This makes the previous concepts of the upstream and downstream aspects clearer, and also introduces language now in common use across other standards as well as Corporate Social Responsibility (CSR) and product assessment standards.
The ISO 14001 standard content in Clause 6.1 has now been consolidated, clarified and streamlined to make the ‘flow’ of context, aspects and compliance obligations work better. In the previous version of my blog on this topic I said: “From a wider perspective, I think that there is natural overlap between the Clauses 4.1 and 4.2 on context and interested parties and the aspects/impacts/legal/other requirements. Perhaps there might be some streamlining of this in later versions of the new standards.” Job done.
With ISO 9001, there is an additional Clause 6.3 on Planning of Changes, which is effectively covered in ISO 14001 by the additional text on aspects and impacts. What is important is that both standards contain content requiring proper consideration of change and the impacts of change in terms of risk and opportunity.
How will organizations approach this new clause? A well-established approach already implemented by many organizations is the use of Risk Registers, which, if properly managed and implemented, can effectively capture risks and opportunities across a wide range of areas and issues. There will also be other approaches which comprise different ‘elements’ from the various relevant Clauses of 9001 and 14001 – the results from Clause 4.1 and 4.2, the existing ISO 14001 output from aspects/impacts, and legal/other requirements (expanded to ensure life cycle coverage), elements relating to management of change, with an overall analysis and review resulting in objectives, targets and plans.
The depth and complexity of approach will depend significantly on the size and complexity of the organization, as well as other factors which could include level of external regulation, existing requirements for public reporting, shareholder interests, public profile, numbers and types of customers, range and types of suppliers. Hence there will be a range of approaches which will be appropriate for the wide spectrum of organizations.
Overall, it is also worth repeating that there is very good informative content in both standards under both the Introduction and Annex A sections.
In Step 7 I will look at an important practical area of the standards – Clause 7: Support.