Published: 9 Apr 2021
Horacio Martirena, a CQI technical assessor, IRCA Lead Auditor and Independent Consultant in management systems, outlines the development of the Harmonised Approach, the issues it addresses, and what it still needs to resolve.
The beginning: two standards
Until the beginning of the 21st century, there were two ISO management system standards: ISO 9001 (quality) and ISO 14001 (environment). Both were based on the same plan, do, check, act (PDCA) cycle. Several clauses responded to the same basic management concepts (policy, objectives, document and records control, internal audits, competence and management review), but the related requirements were worded differently in each standard.
ISO decided to establish an identical core text, common terms and core definitions for these two standards. The project had to be terminated when ISO became aware that many other management system standards could be issued in the future, and that all technical committees needed to agree on this common text, not only the quality and environment committees.
Birth of the High Level Structure (HLS)
A Joint Technical Coordination Group was formed to handle the issue. Its members were the chairpersons of all ISO committees that had developed or were developing management system standards. The result was a document called HLS or Annex SL, issued in 2013. Fewer than ten technical committees participated in this project, with a strong influence from ISO 9001 and ISO 14001 representatives.
HLS introduced several new concepts into management system standards. Some of them are:
- Context of the organisation (clause 4): This addresses the need to ensure an organisation’s sustainable development (with three components: economic, environmental and social). This is a challenge for auditors and thorough training is necessary. If not, auditors may come to accept a simple spreadsheet listing issues and interested parties, with no link to the other elements of the management system.
- Leadership and commitment (clause 5): Top management have to demonstrate leadership and commitment to the employees and other interested parties. This is a nice requirement, but difficult to demonstrate. Auditors should ask employees if they feel that top management are demonstrating leadership and commitment and then compare their answers with top management’s answers. Usually, no documented information is available for some of these requirements, so it is quite a challenge for auditors to show their skills.
- Control of documented information (several clauses): This change was introduced to clarify that the key issue is the information contained in any media, not the media type (paper, photo, video, etc). So, instead of “documents” and “records”, now organisations have to retain and maintain documented information. Some confusion arose between “retain” and “maintain”.
- Outsourcing (clause 8): In the preceding decades, organisations had increasingly asked other organisations to carry out some of their own processes on their behalf. Requirements on outsourcing were introduced without establishing a link with the purchasing process.
- Risk-based approach (clause 6): A key and controversial addition. The definition of risk, “effect of uncertainty”, is quite cryptic, and the words “risks and opportunities” have triggered various different interpretations.
In my opinion, risk is the uncertainty in the results of a process. Results can be those actually expected, but can also be better or worse than expected. Therefore, if the results are:
- those expected, everything is okay, and these results can be fed into the following process
- worse than expected, the organisation should plan beforehand how it will react to these threats and mitigate the impact of unexpected bad results
- better than expected, the organisation should plan in advance how it will benefit from unexpected good results. This seems to be an unintended and unplanned opportunity from which a benefit can be obtained.
So why does HLS state “risks and opportunities” if opportunities are already embedded into the concept of risk? Should this be resolved by changing to “threats and opportunities” or removing “opportunities” and leaving “risks”?
Another option to consider is that risk is only negative (ie, a threat). Some industrial sectors claim to use only the negative part of the definition of risk and will keep doing so, because this is how it is used in the applicable legal requirements.
But what are opportunities in this case? Some claim that there are two types of opportunities: unintended and unplanned (arising from better-than-expected results) and intended and planned opportunities for improvement that come from activities like audits or management reviews. It seems a bit confusing.
After eight years, the results of applying the HLS showed that the first two concepts (context of the organisation, and leadership and commitment) had been inserted into management system standards without many problems, but the other three (control of documented information, outsourcing, and the risk-based approach) needed further clarification.
Birth of the Harmonised Approach
There are now 48 management system standards published by ISO, all following the HLS. The HLS has recently been reviewed and revised with the participation of many more technical committees, diluting the influence of ISO 9001 and ISO 14001. The new revision of the HLS is called the Harmonised Approach (HA). All 48 of those standards will have to migrate to the HA as they go through the ISO standards revision process.
Does the new HA solve the three issues from the HLS?
For control of documented information, “retain” and “maintain” are no longer used and have been replaced in the HA by text such as “The scope shall be available as documented information”. There is no longer any need to distinguish between documents and records, or to understand the difference between retain and maintain. Problem solved.
Outsourcing has been replaced by requirements on “externally provided processes, products and services”. The externally provided processes (previously called outsourced processes), products and services that are relevant to the management system may need to be controlled. Even if it is not explicitly said, these controls have to be within the scope of the management system. Problem solved.
However, for risks, no consensus was reached to clarify the text and no changes were introduced. This problem remains unsolved. ISO should take urgent measures to address this pending issue.