epinjen

Welcome to epinjen - the selufen blog page

Hello, this is the selufen blog page - epinjen. This is our way of sharing ideas, thoughts and opinions about certification, compliance and general business updates in a fun, informal and informative way.

To receive regular updates from selufen about what we are doing, our thoughts and our experiences, please complete the 'Contact Us' section and consent below. The Privacy Notice detailing the what, how and why of the processing of your personal information can be viewed here - Privacy Notice.

Bite Sized ISO 9001 - Supplier Management

A few thoughts...Posted by epinjen Mon, May 07, 2018 09:05:59


Bite Sized ISO 9001 – Supplier Evaluation


A key staple of ISO 9001 certification and a somewhat “unnatural” process for many organisations where purchasing is not critical to their service, supplier evaluation is frequently picked up by auditors as an opportunity for improvement or a non-conformity. In my opinion, it is frequently not flagged because one of two things is happening:


1. Reviews of suppliers are done all the time: the first time a supplier lets you down, you start to think about changing them;
2. Reviews of suppliers are frequently discussed as part of the annual management review; however, the minutes or the report rarely reflect the detail involved in this review, because most suppliers don’t screw up and will not be challenged. That simple.

So how do you evidence that the review of suppliers is being done, and how do you get it to add value? You can try following this step-by-step guide:

1. Open Excel and in the top row, populate each column from left to right with the following –

a. Supplier;
b. Reviewer;
c. Price;
d. Service;
e. Geography;
f. Partnership;
g. Other;
h. Last Review Date;
i. Review;
j. Next Review Date.

2. Go to your list of invoices received (whether on Excel or bookkeeping software) and after filtering the list to the period you want to review, copy the list into the “Supplier” column of an Excel spreadsheet and remove the duplicates. This will give you a list of every supplier used in that review period;

3. In the column to the right, “Reviewer”, enter the name of the person within your organisation who has the most contact with the supplier or has the authority to make decisions about the reason for selecting this supplier;

4. Now would be a good time to sort the list by reviewers, then arrange a time to sit and talk to each reviewer and identify the reason for using each supplier. It will (more than likely) be because of price (cheapest), service (or quality of the product), geography (they may be in the office next door or just down the street), because there is a special relationship or partnership with that company (you give them work because they give you work, etc.) or for another reason not covered above (such as a legal or contractual obligation, they are the only provider available to you of this product or service or maybe no other supplier will work with you, etc.). Put an x in the column that corresponds to that reason;

5. Record the date of the chat with the relevant reviewer and ask them two simple questions:

a. Is the supplier still the cheapest / still providing a good service / still the most conveniently located, etc., depending upon the reason they were chosen in the first place?
b. Is there a need to change the supplier and, if so, when?

Your table should now look a little like this:


With this simple table in place, you will be ready for the auditor when they ask to see how you have managed supplier evaluation.

Of course, it would be great to record some of the evidence seen in the review (think about hyperlinks to quotes from other suppliers or their webpages, or a screenshot of their location in relation to your premises, etc., depending upon the reason for using that company), but what we now have is a quick and easy review of your suppliers that meets the requirements of ISO 9001 and, if done properly, prompts a potential change of supplier or a review of arrangements with under-performing suppliers. Also, there is no absolute reason in the standard why one supplier should be chosen over another. It is great to stay away from price, as you frequently get what you pay for, but it is a reality that costs weigh heavily upon a business and sometimes it is necessary to base a decision on this. It is up to you to decide and justify this choice.

Going forward, it would be easier to start this process when selecting a new supplier, requiring the purchaser to pass this “test” before doing business with them; however, you can always come back to this each year to demonstrate compliance and keep purchasers and suppliers on their toes.

P.S. With GDPR in mind, this could also be an opportunity to record the non-disclosure or confidentiality agreements in place with each supplier as well.



Identifying Personal Data

A few thoughts...Posted by epinjen Fri, March 30, 2018 18:05:35

Having trouble identifying personal data within your organisation? The starting point should be to consider the definitions of personal and sensitive data.

Personal data questions to ask:

- Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession?
- Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?
- Is the data ‘obviously about’ a particular individual?
- Is the data ‘linked to’ an individual so that it provides particular information about that individual?
- Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
- Does the data have any biographical significance in relation to the individual?
- Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
- Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

Sensitive personal data means personal data consisting of information as to:

- The racial or ethnic origin of the data subject;
- Their political opinions;
- Their religious beliefs or other beliefs of a similar nature;
- Whether they are a member of a trade union;
- Their physical or mental health or condition;
- Their sexual life;
- The commission or alleged commission by them of any offence;
- Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

In relation to sensitive personal data, most organisations will only be beginning to consider any of these points in very specific situations. Certain standards such as the SIA Approved Contractor Scheme or certain Codes of Practice (specifically BS 7858 or any other security sector standard) may make it a requirement for you to process information about trade union membership, physical health or any criminal convictions. Here, we need to be very specific about the justification for lawful processing. In many cases, contractual obligations would still necessitate the processing of this information however it is worth exercising as much caution as possible, balancing the rights of the individual with your ambitions as an employer. In any case, consent is still going to be required before processing any of the sensitive data, regardless of a company's obligations for this processing.



Bite Sized ISO 9001 – Non-Conformity Management

A few thoughts...Posted by epinjen Wed, March 14, 2018 18:19:14

There is nothing more frustrating in ISO 9001 than a non-conformity. I have seen non-conformities for incorrect maths, a single missing signature, bad handwriting and many others that range from the helpful to the unbelievable. Regardless of the reason for the non-conformity, there are five things that need to be documented to get them resolved (if you include a few other details, this could also serve as a template for a non-conformity form):

1. Remedial Action – This is what you do to put that particular instance right. If a customer signature is missing, either get the form signed or, if this isn’t possible, get it in writing that they acknowledge receipt of the service or detail that they were supposed to have signed for;

2. Root Cause Analysis – By far the most important. Identify the issue at the very heart of the problem. At the bottom of this article is a list of root causes I have found to be very helpful. You will note that there is something missing – human error. The reasons for not including human error in this list could be the subject of an article all by themselves, but I will summarise most of them with this – if you think someone screwing up is simple human error, please ask the person responsible for them what they were doing to a) ensure it didn’t happen (clearly not supervising their work), b) prevent them from screwing up (were they not trained for this task, and if not, what was the person responsible for them doing?) and c) who approved a process that could be undone so simply and not picked up on? All of a sudden, human error is not the issue at the very heart of the problem, is it?

3. Action(s) to Address the Root Cause – This is essentially, what will be done to prevent this root cause from occurring again. Here is another free bit of consultancy – there is always something that can be done. Even when the most improbable event occurs, think about training, process review, policy review, client or supplier meetings, tool box talks, etc. The answer is never “nothing”;

4. Review of Actions Taken – Frequently overlooked on a lot of the mediocre non-conformity form templates, it is essential that a summary (two lines can be enough) of the review of remedial actions and the actions taken to address the root cause be documented. It may be that these actions were discussed at a management meeting, that the solutions were tested and found to have worked in a test environment, or that the customer or supplier agreed with your chosen course of action and the world is right again. It is weak to simply state that everything is now OK and the MD has signed it off (remember that bit about leadership in clause 5?);

5. Trend Analysis – Part of the required inputs for the management review, there are some pretty simple steps that can be taken. Summarise the non-conformities with their corresponding root causes in an Excel table, select all of the cells and then create a pie chart and, just like magic, there is a trend analysis of root causes. If you are a bit more comfortable with Excel, try adding in dates or departments and playing around with chart types. In any case, it will be easy to provide a visual description to the management team to review and comment upon. Include the charts or a link to the charts in the management review minutes or report and take note of the comments made. It will be very difficult not to see some pattern, barring the fortunate instance of very varied non-conformities.

In short, stop being afraid of non-conformities, they are here to help us! As an auditor, I was always horrified by any objective that stated zero non-conformities. This would almost always suggest one thing: any problems were going to be ignored. Of course, this would only become an issue when a non-conformity was identified and the objective therefore not achieved. Try setting an objective of “have no increase in non-conformities over the next twelve months” or “have all non-conformities reviewed and resolved within a pre-determined time frame”. Both of these should be achievable, and any improvement that stems from a non-conformity is still improvement, not a bad payoff for something so frustrating and a little bit of work.

List of Potential Root Causes:

· Machine – Machine or equipment related;

· Machine – Fixture related;

· Machine – Tool related;

· Management – Training was insufficient or inadequate;

· Management – Responsibilities not defined or not understood;

· Management – Resource competencies were inadequate;

· Management – Communication issues (e.g., shift hand over between operators);

· Management – Planning and controls were insufficient;

· Management – Instructions or requirements were insufficient or inadequate;

· People – Instruction or requirements were not followed;

· People – Wrong decision was made;

· People – A reading error was made;

· People – Material handling error;

· People – Known defect or issue not reported or inadequately reported;

· Material – Material did not comply with specification;

· Material – Material shelf life expired;

· Material – Contamination of product;

· Method – Validation of process was insufficient;

· Method – Manufacturing process capability was insufficient or inadequate;

· Method – Packaging, labelling or identification of material was inadequate;

· Method – Design process was inadequate;

· Environment – Natural disaster (e.g., earthquake, flood);

· Environment – Information technology system failure;

· Environment – Fire or power outage;

· Environment – Unpredictable event (e.g., theft, sabotage);

· Environment – Environmental conditions were inadequate (e.g., climate);

· Environment – Lighting conditions were inadequate;

· Environment – Ergonomic conditions were poor (e.g., unsuitable equipment set up);

· Measurement – Inspection tool inadequate (e.g., insufficient accuracy);

· Measurement – Uncalibrated inspection tool used;

· Measurement – Calibration error;

· Measurement – Instruments, displays, or controls were inadequate;

· Measurement – Transcription error while recording result;

· Measurement – Verification method (i.e., inspection, sampling) was inadequate;

· Measurement – Inspection criteria were inappropriate or unclear.



GDP-What?

A few thoughts...Posted by epinjen Thu, March 01, 2018 14:59:31
Articles originally posted on LinkedIn on 26th January 2018, 10th and 17th February 2018.

What can we learn from preparing clients for GDPR?

As we march towards the 25th May 2018 and the overwhelming shadow cast by the General Data Protection Regulation (GDPR) looms ever larger, I have begun to notice a couple of trends among clients I have worked with on their data protection management systems. Although the impact and complexity varies from business to business, there definitely seem to be some similarities in terms of what can be anticipated and what appears to be a certainty in terms of preparing for the biggest compliance shift on the horizon.

Of course, these are only personal observations from work I have done on preparing organisations for GDPR. I’m sure every consultant and data protection expert has also seen some of these trends, as well as others. Given how long this list is, I have decided to break it up into multiple parts. This list is not exhaustive, but gives me a chance to highlight the key trends in issues identified from my experience thus far.

1. Suppliers are a lot slower than hoped. Of course, this isn’t true of all suppliers, nor is this a surprise (having worked on ISO 28000 in a past life, nothing suppliers say or do will ever surprise me again). Allow me to use a recent example. During a gap analysis, and with nearly the whole management team in agreement, the MD of the company I was working with assured me that their IT support supplier would respond to all queries immediately, with no delay or hesitation - "we ask, they jump". Despite my reservations, I took the MD at their word, and when we got to the point where we needed to start engaging with suppliers (sometimes as early as the data protection impact assessment), I found that we were confronted with a brick wall (at worst) or an accusatory “why do you ask?” (at slightly less than worst). Of course, the mention of GDPR non-compliance or an assessment of adequacy is usually sufficient to motivate the lacklustre contact at the IT company; however, even then, I have found a number of them to be slow in responding and supporting their client. For this reason, I have started to engage with suppliers much earlier in the consulting process (which ultimately risks delaying other actions). I should also point out that there have been some excellent IT companies and I would be happy to recommend some if anyone is struggling to get the support they need from their existing nightmare / provider.

Time is marching on and it is very much a case of looking after one's self. Frequently, your urgency may not be shared by your supplier so it is worth factoring this in to your project planning.

2. Put simply, copying your mate’s data protection policies, assessments and procedures does not work. This is an ugly truth within the certification / compliance / management consultancy sector – a lot of my “peers” seem to think it is acceptable to use incredibly generic documents copied from one customer to the next in an attempt to save time, hide ineptitude or worse, succeed through good luck (as opposed to good judgement), without sparing any thought for the people that have to survive the hurricane that is their service. Every organisation is unique, indeed, some of the solutions for their problems are the same, but each of these has to be tailored to fit. The one size fits all approach of many cowboys is not only unprofessional, but in some cases, dangerous. I was asked to review the policies and procedures of one client following a whirlwind visit by another consultant just before Christmas. Imagine my horror in finding the information flow analysis making reference to the small amount of personal data collected about the contact details of their employed gardeners, but absolutely no mention of the sensitive personal data required to adequately screen and vet their collection of security personnel (a minimum requirement for a SIA Approved Contractor Scheme status)! Ultimately, this fails the requirements of GDPR on many levels and leaves the company open to prosecution by the Information Commissioner's Office as well as considerable damage to their reputation (a security company that can't manage their own personal information, how are they to manage your personal information?).

Of course, I continued to work with them to put this right and the important lesson has been understood.

3. When it comes to data privacy, start at the beginning. As obvious as this sounds, it would be easy not to do this. A number of companies have started by hacking away at potential lead lists, needlessly changing processes or inventing forms for managing forms. Instead, a gap analysis could have highlighted the number of compliant arrangements they already have in place, and they could then have taken comfort in their very positive starting point. They could also have completed an information flow register, a processing activities register and a data protection impact assessment, identifying a clear, coherent and balanced action plan. Or they could shoot themselves in the foot and hope that GDPR never happens… I should caveat this a little. I have seen two companies who were already working on ISO/IEC 27001 when they began to work on GDPR compliance. In this case, a thoroughly different approach suited them best, although they would still need to dedicate a lot of time to reviewing their information security policies and arrangements after having done the data privacy preparation work.


4. This is the opportunity to get lean. A manager once explained a simple idea to me many years ago (and I wish I had learned more at the time). It was a customer service role and, in an attempt to be leaner in our processes, every time a customer asked me to do something that cost me time but saved them time, I should ask myself the question “would the customer be prepared to pay extra for this?” Ultimately, they probably wouldn’t. I think the same logic can be applied to personal data. I have found it very useful to ask the question “do I really need this personal data?” when working with clients on data protection management. Of course, if they don’t, it shouldn't be collected in future. It represents a risk to their compliance and, if nothing else, it is more data to manage. If it was necessary, it is always worth checking to see if the personal data had already been collected. In other words, are things being duplicated unnecessarily? In my line of work, that would be considered “continual improvement”.


Preparing for the arrival of GDPR will probably be difficult for most organisations, but aside from the legal compliance, it can be considered a great opportunity for spring cleaning. It is worth using this opportunity to address the mountains of archived records that have built up over the years, “just in case”, and to tackle a compliance project in a way that adds value to your organisation. In short, GDPR is an intimidating beast, but the best adversaries always are.





Political Uncertainty and Quality Management

A few thoughts...Posted by epinjen Thu, March 01, 2018 14:50:27
Article originally posted on LinkedIn on 11th June 2017.

The 2015 revision of the ISO 9001 standard has made us all aware of the need to identify the risks and opportunities that our respective organisations are faced with. Current events since then have also made us aware of the complex times we live in. Although I don’t wish to seem insensitive in these times of crisis or appear to jump on the bandwagon, cashing in on the recent tide of fear and insecurity, there is a thought that has been swilling around in my mind since November 2015, an idea which this week’s events have compelled me to put to paper (so to speak). With the need to identify and discuss the risks and opportunities that an organisation may face in relation to the context of the organisation, is it reasonable to expect political uncertainty to be a guaranteed risk and / or opportunity for all organisations? If so, can the absence of this consideration in the strategic risk assessment, risk register or management review constitute a non-compliance with this requirement of the standard? Referring back to my earlier statements about not wanting to be insensitive, please allow me to explain.

Please note, this is not a comment on politics or politicians, nor an exercise in lobbying or campaigning, simply an opinion in relation to the management of quality management systems.

There is no requirement to hold an MBA or PhD in political science when reviewing the current political landscape. Regardless of our varied political persuasions, ambitions or beliefs about what is good for the country, operating an ISO 9001:2015 compliant company in the United Kingdom at the moment means having to contend with political uncertainty. The impact of politics on the business world can be reviewed from a number of different perspectives. In terms of legal requirements (focusing solely on your quality management system), we know that in order for significant changes to occur, new legislation needs to be introduced. I attended the Security Industry Authority’s Stakeholder Conference earlier this year and the message was quite simple – no new primary or secondary legislation can be expected anytime soon. Thinking about this from the point of view of a security company, this means that there will be no changes to the current scope of activities requiring a licence, no changes to the legislation that underpins the UK regulator of the security industry and still no appetite to push for business licensing in the security sector. Whether this represents an opportunity (to continue to operate in potentially grey legal areas), or a risk (to continue to operate in potentially grey legal areas), or both, is a decision that each management team needs to arrive at themselves, and to persuade you either way is again not the aim of this post. However, the absence of this matter from any documented evidence – please see the brief list above – indicating that a review or discussion of political uncertainty by the management team has at least occurred must surely mean that clauses 4.1, 4.2 or 6.1 have not been met, at least not in full...

While participating in the management review of a cleaning company in early 2016, I was fortunate enough to witness an amazing moment in that company’s history: the moment political uncertainty was finally acknowledged as a risk. There was a lot of discussion surrounding the possible outcomes of Brexit, with the only known-known being the uncertainty of the situation. Sitting across from the Managing Director, we started to discuss Brexit as a risk when the Managing Director intervened to shut down the conversation, stating that "none of their customers were European companies and therefore, Brexit did not present a risk to the organisation". Quizzically, the other members of his management team enquired what percentage of their front line workforce was from mainland Europe, as well as the countries of origin of their top ten customers whose premises they cleaned. Needless to say, the answers stopped the Managing Director in his tracks. Over 90% of their workforce hailed from Europe and 70% of their customers were American companies, based in London in part because of its proximity to Europe. The realisation that political uncertainty would impact their employees and customers – and therefore their respective availability and potentially purchasing – suddenly hit home, and the risk of political uncertainty became a key discussion point in their strategic planning. Over a year later, the focus of uncertainty may have shifted a bit; however, it remains a subject that is still reviewed when planning and considering the future of the organisation.

Indeed, political uncertainty as a risk remains very difficult to mitigate. Some may opt to defer certain decisions or investment, waiting for politically calmer seas, while others may accelerate certain project timetables to avoid having to rush should the clouds not clear. For some, it will also be an opportunity to lobby or capitalise on the indecision of others. Whichever strategy is chosen, the political landscape must still be acknowledged, especially the uncertainty that has become somewhat consistent in British business since 2015 (as I write, multiple news feeds are informing me of everything from the likelihood of early elections to subsequent policy shifts, as well as new foolproof cyber protection and a potential cure for the common cold). Should the absence of political uncertainty in quality risk management constitute a non-conformity? For an ISO 9001 certified company, I believe it should. Maybe my view oversimplifies the impact politics has on business. Maybe my interpretation of quality management exceeds the letter or spirit of the revised standard. However, in my humble opinion, failure to consider political uncertainty is a failure to comply with a clause of ISO 9001 and should constitute a non-conformity. Failure to monitor current events and prepare for whatever the future holds may prove to be even more costly than that.



Thinking Socially about Internal Auditing and Quality Management

A few thoughts...Posted by epinjen Thu, March 01, 2018 14:47:58
Article originally posted on LinkedIn on 19th May 2017.

Quality management and social media. Not two things I would have previously put in the same sentence. Social media use has long been a scary subject for me from a compliance perspective. From the inevitable posts by former colleagues advertising their entire travel itinerary to a high risk area on business, to the disgruntled former colleague venting their frustration on social media, the plethora of opportunities where someone can (sometimes recklessly) work against the organisation they are employed by has made social media a bête noire for many compliance and quality managers (I am aware of the irony of discussing the compliance issues of social media on LinkedIn, please bear with me).

The digital age phenomenon that is social media isn’t all bad though. Many companies and professionals use social media to great effect. It provides another dimension to customer engagement and the ability to address interactive and relevant messages to anyone who is prepared to look, listen, see or hear. This has presented an interesting opportunity and challenge for me while performing internal audits for customers and the companies I work with. In addition to looking at the results of customer satisfaction surveys and feedback forms, as well as complaint management and press releases, I have found myself asking the question: does a company’s social media content constitute customer engagement and feedback in relation to its quality management system? Of course, ISO 9001:2015 is not explicit about reviewing social media and instead focuses upon the need to “monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled”.

When I ask companies about customer engagement and social media, the responses vary from acknowledging their company’s various social media pages to an enthusiastic "we are constantly publishing everything". Of course, the quantity and quality of social media use is a subject that could be better addressed by a subject matter expert; however, while incorporating the various strategies into internal audits, I have noticed a trend that worries me as a quality management consultant. It is quite interesting to review the arrangements and activities of these companies. I have seen social media creep into more and more internal audits of customer satisfaction, feedback and focus and, on the whole, it appears to provide a very modern and dynamic means of communicating a company’s message to their clients; however, a lot of negative responses seem to be ignored.

For example, I recently did the audit of customer focus and engagement for one of the many companies that claimed to be very active online, frequently posting, tweeting and sharing with their online community of followers. During the audit, I put the customer’s business into Google and noticed that there were a large number of one star ratings on Google+ for this business. These detailed missed visits, rude staff interactions and even poor driving by company employees in company vehicles. When I approached the management team asking if there had been any complaints or negative feedback, I got a resounding ‘no’. Needless to say, the bombshell that followed when I showed the management team what their customers were telling the online community about the company in question, didn’t make me very popular. After a brief moment of denial, anger, bargaining, depression and acceptance, the mood was further darkened by the acknowledgement that a key part of the social media strategy on other platforms was to drive more traffic and interest through Google to the company’s website. I didn’t feel good about this conversation and I felt even worse after completing the non-conformity report and sheepishly presenting this to the management team. The root cause identified in the report – human error, the company wanted to put their message out there, without acknowledging there would be a response.

At the subsequent visit (yes, they let me back in a few months later), we went back and searched for the company on Google again. Two things were immediately evident – there was already a decrease in the number of one star ratings (largely due to the rollicking all front line employees had received to avoid anyone upsetting any customers in the future) and secondly, where there was negative feedback, the company were very proud to present e-mail evidence of where they had not only monitored and captured the comments, but had used their complaints management process to address these in a structured and controlled way. Additionally, their IT manager was very excited to confirm that traffic to their website had also increased since the non-conformity had been identified.

Social media remains a dynamic platform whose benefits, despite my past reluctance, even I can acknowledge in an ever more dynamic marketplace. I maintain that it can present more than its fair share of human resources nightmares; however, having seen how a bit of sideways thinking can be applied to ISO 9001, I am increasingly convinced of the merits of including social media inputs and outputs in the monitoring of customer focus and satisfaction. I still believe that social media will continue to present a unique set of challenges to quality managers; however, it is part of a 21st century business strategy and should be embraced, not feared.

For today’s quality management system to continue to ignore the benefits and costs of social media would be to ignore a very modern problem solving resource – good, old fashioned customer feedback.



Thinking about Certification this year? Start Now!

A few thoughts...Posted by epinjen Thu, March 01, 2018 14:33:06
Article originally posted on LinkedIn on 29th January 2016

Having made it through the first few months of 2018, there is almost certainly one subject that would have been discussed in board rooms, break-out areas and project meetings at some point in January: “should we do the ISO thing this year?” For many, the subject would have been thrown around, maybe even had some cost (financial, emotional or technical) attached to it. Finally, a resounding “let’s do it!” would have been the answer provided by those in the decision-making roles. Of course, undertaking this project is daunting; it can be a complex and taxing task, so those who rationally postpone the inevitable for another year are possibly right to do so.

However, may I suggest a better course of action?

Of course, this may seem like another consultant desperately trying to generate potential leads by stating in my most compliant tone “thou must do ISO” (whatever this actually means). Instead, I hope you will see this post not as a well-crafted sales pitch (if I do say so myself) but as a “benefit of my experience” recommendation, which is how it is intended to be read.

Disclaimer completed, the alternative approach I would like to suggest to anyone contemplating ISO certification in 2018 is to start now. Not next January when the same discussions will take place, not once the financial year is over and done with, but now – as soon as you can get something prepared and feel confident enough to lead the charge. By this, I mean lay down some of the foundations for the heavy lifting to come, and delicately introduce the concept of a management system in a way that does not send the compliance dodgers or those afraid of change (metathesiophobics, apparently) running for the hills. What if you try gently adding a few “vegetables” of control to the plate and encourage your colleagues, peers and management to give them a little try? You never know, they might like it.

Do you know where to begin with this process? Should you write down all the procedures, processes, policies, authorities, meeting minutes and passwords so as to establish the management system’s omniscience? Should you document-control and risk-assess every single piece of paper in the office, only to find that drawer where an intern printed and then hid every document the company ever produced in an attempt to leave an organisational mark on the company? Should you shred, shred and maybe shred again? Strangely enough, none of these possible actions make it into the list of recommended starting points below. There are probably others, and I’m sure that many of us will feel more comfortable with some than with others.

1. Get the Name Right – Minding your Language!

It may seem very simple and maybe a little simplistic, but not referring to certification as “the ISO” (especially as not all certification is “ISO”) will make an extraordinary difference to the mind-set of the people you are looking to win over. Being precise about the title (for example, ISO9001) will prove to be more engaging than the (dreaded) “ISO”. If you want to go a step further, try referring to it as a quality management system. Strangely enough, if you are providing the product or service that another party is buying, you are already operating within a quality management system. I have found that calling this “monster” by its real name demystifies it a little bit.

2. Introduction to Management Systems – The Common Enemy!

If presented with some facts about management systems and standards, your colleagues will be more willing to take it on board and engage with it – particularly if it isn’t your MD telling them, but a neutral voice, outlining the requirements of leadership, management responsibility and “support coming from the top down”. A very canny manager could arrange for part of a team-building day to be spent listening to a presentation where these new weird and wonderful ways of torturing those in the ivory tower are presented by a newcomer to the group. Needless to say, the human ability to evolve one’s thinking is never more evident than when people realise how much more inconvenient it would be to the MD than to themselves – a reluctant team can unite around the impending fresh hell your Directors are now facing.

3. Internal Auditing – Knowledge Dispels Fear!

Everyone’s least favourite part of implementing and maintaining a management system is the checking; more precisely, internal auditing. For a lot of organisations, this is something that is introduced towards the end of the implementation process. Here is the twist: provided you have the competent resource at your disposal, introducing this far-from-excruciating activity before the rest of the management system yields three important benefits. Firstly, it will take the fear out of the internal auditing process when those overwhelmed with fear realise there is nothing to be afraid of, especially as there is no certification in jeopardy (a common irrational fear attached to internal auditing). Secondly, when everyone realises that most processes are actually done properly most of the time in most organisations, that knowledge will dispel the fear not only of checking, but of the eventual certification. Finally, internal auditing is the opportunity to test, stress and push a management system in a safe environment. It is certainly a safer way of determining the tensile strength of your system than waiting for your biggest customer to pile on the pressure. Come January 2017, you will find you are in a much healthier mind-set to move forward with a real objective – compliance with the chosen standard.

4. Risk – Not just a Board Game!

If certification in 2017 is your objective, then you will find a possible increase in the focus upon risk. As has been commonplace with risk assessments, threat assessments and impact evaluation surveys in their respective management systems for some time, risk-based thinking, and in particular the documenting of risks and opportunities, will provide you with a unique opportunity to really examine the robustness of the arrangements in place. Whether the risks are operational, financial or compliance by nature, establishing a risk register or a strategic risk assessment is a fantastic starting point for any management system. In either case, your company will probably be confronted with the notion of risk tolerance or business continuity for the first time. It is important to remember that this approach may present added complications and, if mismanaged (used as a stick to beat perceived or real underperformers), it can be incredibly unpopular, divisive and, on occasion, nothing short of brutal. Competence is a key part of any successful strategy that focusses upon risk. The ISO standard ISO31000:2009 Risk Management – Principles and Guidelines is a fantastic way to learn, to scope and to structure your approach to risk management; quite simply, it is a must-read for anyone approaching a risk management system or a certification process based on risk (in my opinion, it should be compulsory reading for anyone in a management role). Ultimately, if risk is approached properly, you can stimulate some of the healthiest conversations your company will ever have and give yourself the confidence to cope with the rough as confidently as you cope with the smooth.

5. Gap Analysis – Open the Gates!

A gap analysis can be a very effective tool for introducing the requirements of a management system, gauging where your organisation is in relation to the standard you will want to achieve, or simply giving everyone the opportunity to experience a bit of healthy scrutiny. Much like the internal audit (as outlined above), there is a degree of “no harm, no foul” (compliance-wise) as there is no certification at stake. As such, if the evidence suggests that the standard isn’t being met, then OK, the standard isn’t being met. In the worst case scenario, you may identify areas where you know improvement will be required in the future. In the best case scenario (and this is the outcome you will see the most), there is a desire to change before the implementation, planning, checking and scrutinising starts for real further down the line. Of course, there is always the possibility that most businesses do quite well (a tendency I have seen very often – it is never as bad as people think it will be). Surprisingly, seeing your work get any kind of approval tends to look quite good on your own self-assessment.

6. Supplier Evaluations / Due Diligence – Know Thy Neighbour!

An area where a lot of companies seem to struggle, due to time constraints mostly and partially because the reward is less evident in the short term, is evidencing the justification for using this supplier instead of that one, or outsourcing to so-and-so as opposed to the other company next door; the list is as endless as it is irritating. In much the same way as you demonstrate how competent your staff are through the development of personnel files, training matrices and career development plans, this logic can and should be applied to those outside of your organisation upon whom you are dependent. It can be as simple as taking your customer’s requirements (often established in the contract) and asking your suppliers or outsourced service providers how they are going to make sure that you don’t have to get it wrong when they get it wrong. Is it unfair to ask your supplier to justify the trust you have put in them? If you think it is fair to expect your supplier to be suitably insured, certified, financially solvent and to guarantee you a designated account manager, just ask. Remember the first rule of logistics – if you don’t ask, you won’t get.

7. Do some Research – Wise Up!

Some of you may have experienced some hostility from co-workers, employers or employees regarding your pro-certification stance during the January discussions (as outlined above). If this is the case and all of the above has not worked, been thwarted or you just don’t have the resources to make it work, then stop what you are doing and step away from the standard. Counter intuitive as it may seem, there is always the possibility to draw inspiration from outside your organisation. What logos are on your competitor’s website and should the same be on yours? How did your suppliers or customers achieve this success? If we sifted through our LinkedIn contacts, I’m sure we could all find plenty of people who wouldn’t mind taking five minutes to share some suggestions with you (if nothing else, it probably beats reading this post). The important elements to understand here are that you are not the first and certainly not the last to be looking at certification with fear and loathing and that a bit of perspective can be as healthy as any kick off meeting, brainstorming session or late night spent searching the internet for the elusive secret to certification in five minutes.

Of course, any legal, statutory, regulatory or customer requirement to go ahead with certification will make these recommendations obsolete in terms of easy-going management system implementation. If it is critical for your business, get the standard and begin the work immediately. For those who have the luxury (or curse) of time, then “make hay while the sun shines” and enjoy a challenging, but rewarding, experience.

It is worth remembering that some of the recommendations may well be scheduled for implementation in January 2017 and may then become “urgently mandatory” as opposed to the “relaxed optional” of Q1 2016. I would encourage anyone to begin this undertaking during the “relaxed optional” time, resource permitting. However, I’m sure that, like most companies, there is barely enough time to do the work in front of you now, let alone the work that will be expected of you in twelve months’ time. If this is hitting a little too close to home for you, then best of luck and get back to work. If I may, I would like to offer one last recommendation to you which will never do any harm to a management system – say what you do, then do what you say.

If your company can do that, you are already doing better than most.