A new ISO on its way: how will this influence governance, risk and control for auditors?
Hope Kiwekete – principal consultant of quality assurance and audits, as well as risk management, at Transnet Freight Rail – takes a glimpse into the imminent ISO 9001:2015. It is evident that a risk-based quality management system is already embedded into any organisation’s processes …
It is anticipated that the International Organization for Standardization's ISO 9001:2015 will be published during September 2015. How are auditors of management systems preparing for the transition?
ISO standards are reviewed every five years. Since the first edition of the ISO 9001 Quality Management System (QMS) standard in 1987, it has become apparent that the user community may not have been aware of how a risk-based approach was already embedded in their processes.
The topic of risk, in the context in which organisations deliver their services and products, is now more prominent thanks to the work of ISO Technical Committee (TC) 176, its sub-committees and the global standards user community.
Many organisations have realised the necessity of implementing formal risk-management processes. The transition should, therefore, not be overwhelming for auditors who are already active in this environment. Looking at the current draft of ISO 9001:2015, it is evident that a risk-based QMS is already embedded in any organisation's processes.
It has been widely publicised that a risk-based approach is central to the forthcoming standard. As the publication date gets closer, are auditors of ISO management systems getting acquainted with governance, risk and control principles?
The Institute of Internal Auditors (IIA) defines these as follows:
Governance is the combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
As stated in ISO/IEC 17021:2011, clause 4.3: "Competence of the personnel, supported by the management system of the certification body, is necessary to deliver certification that provides confidence." Would governance, risk and control be among the set of competencies auditors require or already possess?
Although there is no specific set of required competencies, the IIA Global Internal Audit Competency Framework (2014) is a good point of reference. It states: "Additionally, internal auditors require technical expertise in governance, risk and control to inform their work and help organisations accomplish their objectives."
As much as emphasis was put on auditors understanding the process-based approach, the same should apply to them understanding the risk-based approach.
Auditors will need to pay attention to how they interpret the new requirements and how they understand the rationale of the forthcoming ISO 9001:2015 standard.
The bottom line is that auditors need to be comfortable speaking the language of the business.
What benefits will ISO 9001:2015 bring to organisations?
With the revision of ISO 9001 at Final Draft International Standard (FDIS) stage, and publication of the final standard expected in the coming months, organisations are beginning to focus on their transition plans for ISO 9001:2015.
One of the questions that many organisations ask is: “What are the benefits for my organisation and our stakeholders?”
Lloyd’s Register Quality Assurance Limited (LRQA) Southern Africa – a leading provider of independent assessment services including certification, validation, verification and training across a broad spectrum of standards and schemes – lists some of the anticipated overarching benefits, based on the current draft of the standard.
Enhancing continual improvement: The revisions to ISO 9001 will ensure that your Quality Management System (QMS) is integrated with, and aligned to, your organisation’s objectives.
Leadership: By placing more emphasis on leadership, ISO 9001:2015 will drive greater involvement in your organisation’s QMS by top management. This will help to ensure that employees are motivated towards the stated goals and strategic objectives.
Managing risk: ISO 9001:2015 also introduces a “risk-based approach”. This focuses the organisational resources on the areas which are most likely to cause concern.
A risk-based compliance programme will assist in identifying, managing, monitoring, and reducing the compliance risks key to your business – making board and regulatory reporting easier to conduct and maintain.
Through the use of your QMS as a governance tool you can identify business opportunities that contribute to bottom-line improvements and effectively manage your risks.
Performance Measurement: Self-governance and organisational behaviour have a direct influence on performance and the capacity to create value for customers and employees.
Effective performance measurement and self-governance can result in higher levels of innovation, employee loyalty, and customer satisfaction; as well as superior financial performance.
Integration: At first glance, the new high-level structure common to all new and revised management system standards, Annex SL, appears to make the standard writers’ lives much easier. In reality, however, as organisations begin to understand and appreciate the value of different management systems all speaking a common language, it will be organisations – and in turn the consumer – who stand to be the true beneficiaries.