Understanding organisational context in ISO 9001 and ISO 14001
John Hartill looks at what evidence auditors should be looking for to confirm 'understanding of context' in ISO 9001 and ISO 14001
Understanding the organisation and its context is a new requirement within Annex SL-based revisions in ISO 9001:2015 and ISO 14001:2015.
This is a 'shall determine' requirement, indicating to the auditor a requirement for an output in terms of knowledge gained.
This knowledge relates to both internal and external issues relevant to the organisation’s purpose and which affect the organisation’s ability to achieve the intended outcomes of the management system in question.
The detailed requirements of ISO 9001:2015 and ISO 14001:2015, for example, are not identical.
Within ISO 9001:2015 there is an additional consideration of strategic direction together with a specifically stated 'shall' requirement to monitor and review the determined internal and external issues.
Quite legitimately, the standards are intended to suit organisations of widely varying scale and complexity, and therein lies an element of challenge for auditors in applying consistent standards to their evaluation of conformance to this clause.
The approach organisations adopt to meet the requirements will be many and various in scale, content and detail.
Auditors will need to exercise their knowledge/experience of the industry/market sector.
Questioning and comment will require diplomacy and sensitivity as the views and judgement of senior managers and owners are probed and investigated.
There needs to be a recognition that the purpose of the audit is not to confirm or contest that the issues identified are correct, accurate, pertinent or valid, but to record within the audit report sufficient objective evidence that the organisation has established the internal and external issues that are relevant to its purpose (and strategic direction for ISO 9001) and that affect the management system's ability to achieve the intended results.
Irrespective of scale and complexity of an organisation, issues may be few or numerous.
In the majority of organisations the comments from an auditor regarding issues for consideration are often well received, although it is not the role of the auditor to provide direct consultancy with respect to potential omissions.
Auditors should consider the need for additional planning time in preparation for an audit against standards based on the Annex SL structure.
The following advance preparation will assist in developing a view of the likely internal and external issues for the organisation within the management system design:
- determining the purpose of the organisation
- determining the need, purpose and intended outcomes from the management system
- gaining an appreciation of the trading and operational environment of the organisation
- a website review of product services, brochures etc
- making appointments within the audit schedule to interview a sample of members of top management
As previously mentioned, ISO 9001:2015 includes stated requirements to monitor and review internal and external issues, indicating that the output must be in a suitable format to facilitate that monitoring and review activity.
Clause 7.5, Documented Information, places the onus on the organisation to determine the documented information necessary for the effective operation of the management system.
The auditor therefore is challenged to judge and confirm that the output presented for “Understanding the Context of the Organisation” is fit for purpose in the implementation of an effective management system.
Each organisation will require specific and separate judgement to be made.
It should be noted that while Clause 6.1.1 of ISO 14001:2015 requires risks and opportunities to be addressed as documented information, there is no similar requirement within ISO 9001:2015.
It is feasible that only some, or none, of the external/internal issues identified from 'Understanding the Context of the Organisation' will be considered by the organisation as risks and opportunities to be addressed.
What tools, formats, presentations etc may be presented as evidence of 'Understanding the Context of the Organisation'?
The options are numerous but here are a few examples: business plan, PESTLE analysis (political, economic, social, technological, legal, environment of operation) and SWOT analysis (strengths, weaknesses, opportunities, threats), risk register, consultant report, market analysis, customer audit report, sales analysis, cash flow report, credit note report, internal meeting minutes and complaint/feedback analysis.
It is important to recognise that some issues may be opportunities. Organisations should be encouraged to treat positive issues equally with negative.
Investment in new machinery for example may be an issue vital to the organisation’s strategic intent and also potentially a key consideration in the design of the operational aspects of the management system.
The main consideration is not necessarily to record all issues but to focus on those that are important to the organisation achieving its intended purpose and outcomes.
The way clauses interact within Annex SL-style standards introduces much wider implementation and audit challenges than previous versions.
A clause cannot be considered at face value on a standalone basis without risking an ineffective audit.
What audit trails may be necessary to consider in order to more reliably confirm that 'Understanding the Context of the Organisation' requirements are met?
Here are a few suggestions:
- Alignment of identified internal/external issues with organisational purpose and intent
- Match with the business strategy and customer/regulator needs/expectations as interested parties
- Operational processes designed to mitigate issues identified and benefit opportunities available
- Demonstrate knowledge and awareness of current internal/external issues within the management team
- Consistency with improvement objectives/targets and actions
- Visibility that the output from 'Understanding the Context of the Organisation' is used as business as usual, is reviewed and updated and is of business benefit.
John Hartill, CQP MCQI, is managing director of ZuTec, which provides external audit and consultancy services for ISO-based management systems