Implementing and developing ISO management systems

Begin with the end in mind

We come across many organisations wanting to implement an ISO system and, in general, there appear to be three core reasons for doing so;

1. Because you are being told to by a client
2. Because you need to get onto tender lists
3. Because you want to improve the way things are done

Obviously, if you’re having your arm twisted by a client you’re unlikely to be inclined to get the best out of the project; as the initiative is probably being undertaken under duress.  At least if you’re wanting to get onto tender lists there’s an inkling that you’re looking to grow the company, so you’re slightly better positioned to get more out of the process and it’s even better and more enjoyable (for us and for you) if you’re pursuing ISO certification because you want to use ISO to improve the way stuff is done in your company.

So, where do you start?

It is highly likely that the directors and leaders of most organisations have thought about the long-term ambitions of the business.  Various research, and our own experience, would however, tend to suggest that very often, especially in smaller organisations, this thinking has not been documented into a formal business plan.  But that doesn’t mean to say that the thinking hasn’t been done.  The more we understand what the directors have in mind with regard to the long term plan the more we can align the management systems for helping them get there.  Very broadly we think there are four typical long-term goals for exit:

• Sale
• Next generation
• Lights out
• Don’t know

All of the four most common management standards; Quality – ISO 9001, Environmental – ISO 14001, Health and Safety – ISO 45001 and Information Security – ISO 27001 require a company to set related objectives and targets.  For the most part these usually appear under the ISO clause 6.2.

However, one of the things we find is that when companies implement management systems, they tend to divorce the quality, environmental, health and safety, information security system objectives and targets from the strategic reality of what the organisation needs to achieve over time.

In our view this is a mistake; you don’t want the ISO tail wagging the business dog.

But the business plan isn’t the answer 

The interesting thing we find is even those companies with a beautifully written and presented business plan still sometimes founder.  The business plan is lovingly developed, beautifully presented … and left on a shelf.  It’s dusted down a year later to review what’s been done, at which point you find … not much!

The missing link -The action plan

The business plan is critical, but it isn’t in itself sufficient.  The business plan should represent all of the thinking behind the end in mind.  The missing piece of the puzzle, nearly always missing from the business plan, is what action needs to be taken by who and when.  The missing piece of the puzzle is the action plan.

Whenever we are presented with a business plan, we print it out, read through it, and in the margin somewhere put an “A” with a ring round it to denote an action that needs to be assigned.  In fact, with our own 5-year business plan we have been through the text with a fine-tooth comb and highlighted each and every action, numbered them, and added them to an action list which appears as an appendix at the rear of the business plan.  It’s this action plan that then drives our quarterly, 90 day action plan which then breaks down actions week by week.

Each of these actions may, or indeed may not have, a quality, environmental, health and safety and, information security implication.  Using this approach, you align what the business needs to do with what the management system needs to do and then we make the objectives SMART.

But we also have a different, and I’d like to think better, take on SMART objectives.

Non-SMART objectives

Before we get into the detail of SMART objectives, let me just say that whilst SMART objectives seem to have taken pole position for objective setting there are other models.  One of which is PACER where the letters stand for:

• P = positively stated
• A = achievement focused
• C = context
• E = ecological
• R = resources

We’re not going to go into detail here but the bits that need perhaps a little explanation are context, which encourages you to think about the situation in which the objective will be realised, who with, where and when you want (and indeed don’t want) the objective to be achieved.  Ecological relates to how well the goal fits with your values and who else will be affected; friends family colleagues and how will they feel?  We certainly think in some circumstances that these, or other, modifications may make useful additions.

Different SMART objectives

In most instances SMART is taken to mean Specific, Measurable, Achievable, Realistic and Time bound.  All good stuff but we think this can be modified and made slightly more precise therefore, improved on slightly.

• Specific – is the goal sufficiently specific to make it measurable?
• Measurable – this is more than just a metric. You need to be able to say, at the end point, this has been achieved – Y or N?
• Achievable – is it possible within the time frame?
• Reason – what is the intention behind the goal and why is it important?
• Time – has a specific deadline been set?

The main difference here is “realistic” has been replaced with “reason”.   Realistic is a judgement call is it possible to do whatever it is with the resources available in the time frame set.  We think that in going through this process the other aspects of the SMART model have already effectively closed that off, so, realistic is actually superfluous.  Replacing realistic with reason is an attempt to get to the real heart of the issue.  It’s an attempt to make an emotional connection to the reason you’re actually doing this.  Digging into the “reason”, we think, makes you think deeply about what’s driving the rationale.  Reason works to put more fire in your belly and make the whole process hugely more engaging.

As ever, feel free to adapt any of the models liberating ideas and concepts to suit your own preference or circumstances.

Conclusion

Many organisations implementing ISO get caught up in the relevant subject objectives; quality environmental health and safety information security.  We think this approach tends to divorce the day-to-day commercial reality from the management system and in doing so, inadvertently, degrades it.

It is our belief that the better, more robust and more commercially astute, management systems will be developed so that they are completely and utterly aligned to the commercial interests of the organisation and that quality, environmental, health and safety, information security objectives and targets are subservient to it.

Business first, ISO second and supporting.  This way you won’t get the ISO tail wagging the business dog.

Related tools and ideas

• Business planning webinar – Manufacturing
• Business planning webinar – Construction

Recommended references

• Various Statius blogs

Downloadable resources

• Various Statius blogs