Published: 9 Aug 2016

John Hartill looks at how quality professionals should address the organisational context requirements of ISO 9001 and ISO 14001.

Understanding the organisation and its context is a new requirement within Annex SL-based revisions to ISO 9001:2015 and ISO 14001:2015.

This is a 'shall determine' requirement, indicating that there is a requirement to demonstrate an output in terms of knowledge gained and action taken.

This knowledge relates to both internal and external issues relevant to the organisation’s purpose and which affect the organisation’s ability to achieve the intended outcomes of the management system in question.

The detail requirements between ISO 9001:2015 and ISO 14001:2015, for example, are not identical.

Within ISO 9001:2015 there is an additional consideration of strategic direction together with a specifically stated 'shall' requirement to monitor and review the determined internal and external issues.

Quite legitimately, standards are intended as appropriate to organisations with wide-ranging scale and complexity and therein lies an element of challenge for implementers in matching the management system design to the business need, with minimal additional overhead and unnecessary bureaucracy.

Implementer diplomacy

The implementer often additionally holds responsibility to meet customer and/or line manager expectations.

The approaches organisations adopt to meet the requirements will vary in scale, content and detail.

The implementer has flexibility and choice to design, and demonstrate, a bespoke solution that is well matched to the business needs of the organisation and that adds value rather than inconvenience.

A balance must be achieved requiring diplomacy and sensitivity as to the expectations, views and judgement of clients and senior managers, while satisfying certification body expectations regarding conformance.

The management system design must be robust enough to provide sufficient objective evidence to certification body auditors.

Irrespective of the scale and complexity of an organisation, the issues identified may be few or numerous.

The consultant implementer faces additional effort in developing sufficient understanding of the organisation, its purpose and strategic intent to advise and support the determination of those internal/external issues that need to be considered within the management system design.

Advance understanding is essential regarding:

(i) the purpose of the organisation

(ii) the need, purpose and intended outcomes from the management system

(iii) an appreciation of the trading and operational environment of the organisation

(iv) the organisation’s products and services

(v) top management expectations (positive and negative) regarding the management system purpose

(vi) any available performance/feedback information

(vii) any relevant legal and/or regulatory considerations.

This advance knowledge and understanding must precede any management system design/implementation activity.

As previously mentioned, ISO 9001:2015 includes stated requirements to monitor and review internal and external issues indicating the output. Therefore these must be in a suitable format to facilitate that monitoring and review activity.

Clause 7.5, 'Documented Information', places the onus on the organisation to determine the documented information necessary for the effective operation of the management system.

The implementer therefore is challenged to provide objective evidence that the output presented for 'Understanding the Context of the Organisation' is fit for purpose and aligned with scale/complexity in the implementation of an effective management system.

In general, every organisation will benefit from bespoke, rather than generic, management system designs and solutions.

It should be noted that while clause 6.1.1 of ISO 14001:2015 requires risks and opportunities to be addressed as documented information, there is no similar requirement within ISO 9001:2015.

Context tools

What tools, formats, presentations etc may be presented as evidence of 'Understanding the Context of the Organisation'?

The options are numerous but here are a few examples: business plan, PESTLE analysis (political, economic, social, technological, legal, environment, of operation) and SWOT analysis (strengths, weaknesses, opportunities, threats), risk register, consultant report, market analysis, customer audit report, sales analysis, cash flow report, credit note report, internal meeting minutes, complaint/feedback analysis.

It is important to recognise that some issues may be opportunities and organisations should treat positive issues equally with the negative.

Investment in new machinery for example may be an issue vital to the organisation’s strategic intent and is potentially a key consideration in the design of the operational aspects of the management system.

The main consideration is not necessarily to record all issues, but to focus on those that are important to the organisation achieving its intended purpose and outcomes.

Clauses and how they interact within Annex SL-style standards introduces much wider implementation and audit challenges than previous versions.

A clause may not be considered on a standalone, face-value basis without risk of ineffective implementation.

What audit trails should the implementer consider in order to reliably demonstrate that 'Understanding the Context of the Organization' requirements are met?

Here are a few suggestions:

  • Alignment of identified internal/external issues with organisational purpose and intent
  • Match with the business strategy and customer/regulator needs/expectations as interested parties
  • Operational processes designed to mitigate issues identified and benefit opportunities available
  • Demonstrate knowledge and awareness of current internal/external issues within the management team
  • Consistency with improvement objectives/targets and actions
  • Visibility that the output from 'Understanding the Context of the Organization' is used as business as usual, is reviewed and updated and is of business benefit.

John Hartill, CQP MCQI, is managing director of ZuTec, which provides external audit and consultancy services for ISO-based management systems