The 2015 version of the Standard introduced several significant changes, including the following.
Part 4: Context of the Organization
The organization needs to determine external and internal issues that are relevant to its purpose.
These are the issues, both internal and external, that have an impact on the organization and its ability to achieve its management system objectives.
The term ‘issue’ does not only cover problems that would have been the subject of preventive action in previous standards. It also covers important topics for the management system to address.
Examples of these are market assurance and governance goals that the organization might set for its management system.
Tools such as Strengths, Weaknesses, Opportunities, and Threats analysis (SWOT) and Political, Economic, Social, Technological, Legal, Environmental analysis (PESTLE) are frequently used.
Alternatively, simple approaches such as brainstorming and asking “what if” questions can be useful for your organization.
Part 5: Leadership
This means that senior managers need to be able to demonstrate an understanding of the wider business environment. This includes the social, cultural, and regulatory framework in which the organization operates. How these factors impact the organization’s ability to meet customer requirements should be considered as well.
Similarly, they need to have a grasp of the organization’s internal strengths and weaknesses. They also need to understand how these could impact their ability to deliver products or services.
This strengthens the concept of business process management including the need to know how to allocate specific responsibilities for processes. This also demonstrates an understanding of the key risks associated with each process and approaches used to mitigate them.
Part 6: Planning
Clause 6.1 Actions to address risks and opportunities
The new standard makes risk-based thinking more explicit throughout. Risk, as determined by the standard, refers to any of the following.
- An effect is a deviation from the expected – positive or negative.
- Risk is about what could happen and what the effect of this happening might be.
- Risk also considers how likely it is to happen.
Senior management must be able to demonstrate an understanding of business risks. They should also know how they could impact the ability to meet customer requirements. An effective risk management process will be critical for successful certification to the new version.
It must ensure the management system can achieve its intended outcomes and achieve continual improvement. Clause 6.1 is where this is covered and it addresses the ‘what, who, how, and when’ of risk management.
The organization should plan actions to address these risks and opportunities. It also has to know how to integrate and implement the actions into its management system processes and evaluate their effectiveness.
Risk replaces preventive action. Because of this, you will need to identify where risk arises and ensure controls are in place to manage it.