Auditing for effective integration: Mind the gap

‘Keep it simple’ is easy to say, but not always easy to do when it comes to developing and maintaining an effective management system. While businesses exist to manage risk, add value and make money, in doing so, they can also inadvertently create complexity and waste in how they organise themselves. Developing a management system is in itself a risk and being compliant does not necessarily result in an efficient organisation, particularly when meeting the requirements of multiple ISO standards and interested parties.  

Integrated management systems have evolved to address this risk and are now the norm for most businesses. Indeed, for many quality professionals, having anything other than an integrated system would be contradictory and it should include all aspects of management. Integration is seen as a way of avoiding complexity by managing everything in one place but is not without its challenges. 

Supporting integration 

So how can auditing both challenge and support how effectively we are integrating our systems? Auditing provides a unique opportunity and perspective not just to confirm compliance, but also to challenge organisational efficiency. But where to start and what to look for? 

Unsurprisingly, the ISO standards themselves already provide some of the answers, for example, by promoting a process and risk-based approach. However, as the common standards, such as ISO 9001, ISO 14001 and ISO 45001, still exist as separate standards (and certifications), there is little emphasis on how to integrate them. The following areas offer a few suggestions for integrating management and how to focus an audit to look for evidence of ‘keeping it simple’. 

As auditors, we should always challenge how an organisation is using documentation to define its policies and procedures. If a management system contains thousands of documents and appears very prescriptive or complex, is this really effective, easy or even a value-adding experience for users?  

Experience shows there is a limit to what we should expect people to manage, read and understand, and systems can become unwieldy if continually added to where information is fragmented. Documented requirements have to be proactively managed, simplified and integrated if they are to be effectively maintained and implemented. If not, disconnects can creep in or cross-referencing ends up creating a tangled web.  

While documentation may indicate compliance, reliance on it as a form of implementation, in a world where we are already bombarded with information, can also result in unrealistic expectations in relation to how we expect people to comply.  

Technology is the key 

The technology used to present information to users is also key to effective integration of a management system and to getting the right information to the right people at the right time.  

How easy does the IT design make it for users to understand requirements? Systems that rely on users searching or navigating libraries of documents depend on people knowing what they are looking for and are often inefficient in terms of the number of clicks it takes to find information.  

More visual forms of presenting end-to-end integrated processes – through Kanban-style boards, for instance – can be powerful in establishing a cross-functional understanding, and even delivery, of a process without being cluttered by supporting navigation or procedural detail.  

Ultimately, users should want to access and use the management system because it makes their lives easier by helping people work together more efficiently. Do people like it and how does it add value for them? 

Managing risk and change 

Talk to management about risk and you will capture their attention. This can then quickly lead to understanding if managing risks is integral to how the management system operates or not.  

Auditors should question if the core, inherent risks to the business have been identified and, in turn, mitigated effectively through the defined policies and procedures. Are the strategic risks also prompting a review of existing controls in addition to specific actions?  

By understanding how the organisation uses risk management to help focus, understand and plan the governance it needs, there should be no disconnect between risks and controls. Management systems exist to prevent failure, so finding out if there is an effective understanding of how risks and controls are balanced is a good way of discovering how integrated the system is. 

How is the organisation managing change? Every business is subject to continual change from external and internal sources, and the management system should be integral to coordinating change as a point of reference. This is to avoid duplication and complexity and to ensure change is effectively integrated into the ‘business as usual’.  

Effective change management through project and programme management is essential to maintaining the integrity (integration) of the system – so challenging how this is managed by an organisation is usually a good indicator of how integrated the management is. 

Integrated management should help people simplify how they work together and avoid creating complexity when trying to manage involved projects. Integration requires an awareness of dependencies and avoidance of assumptions, and audits provide a unique opportunity to help organisations to keep it simple and avoid gaps in and between their business processes.