
ISO Guide – Clause 5: Leadership

Posted on July 8th, 2024 | Written by Ken Holmes.

When getting to grips with ISO standards for the first time, you will notice that they are structured in clauses, a bit like a contract. This structure is common across all of the management system standards that ISO publishes, such as ISO 9001, ISO 22301 and ISO/IEC 27001, and is known as the “Annex SL” format or, more helpfully, the “High Level Structure”. So, what we’re about to say applies to all of these standards. Note however that the Annex SL wording has evolved over time, so the exact format and wording of each standard depends not only on its subject, but also on when it was last revised.


What’s in Clause 5?

Clause 5 of the management system is called “Leadership” (“Leadership and worker participation” in ISO45001) and is divided into 3 sub-clauses (with an extra one for ISO45001):

  • Leadership and commitment

  • Policy

  • Organisational roles, responsibilities and authorities

  • Consultation and participation of workers (ISO45001 only)

Let’s look at each of these in turn.

Sub-Clause 5.1 – Leadership and commitment

In all the ISO management system standards, Sub-clause 5.1 is very important. It requires top management to demonstrate its support and commitment to the management system. There are some variations across the standards, but in general top management has to:

  1. Make sure the management system is effective (the buck stops here!).

  2. Define the policy and set the objectives for the management system (or make sure these happen).

  3. Ensure the management system requirements are integrated into the organisation’s business processes and aren’t an artificial add-on.

  4. Promote and communicate how important the management system is to the success of the organisation.

  5. Provide enough resources to run the management system.

  6. Ensure that the management system achieves what it is meant to do.

  7. Strive for continual improvement.

  8. Encourage and lead other people in the success of the management system.

There are slight variations in each standard (for example ISO45001 also talks about protecting workers and preventing injury), but they all emphasise the importance of top management taking responsibility for the management system. This is something that all auditors will be looking for during certification and recertification audits. So it cannot be ignored!

5.1.2 Customer focus (ISO9001 only)

ISO9001 includes an extra sub-clause here to emphasise the importance of customer focus. This further requires top management to:

a) address customer requirements and those arising from statutory and regulatory frameworks.

b) identify and do something about the risks and opportunities that can affect the conformity of products and services produced and the organisation’s ability to enhance customer satisfaction.

c) maintain the focus on enhancing customer satisfaction.

ISO9001 looks for a commitment to the customer as well as to the management system.

Sub-clause 5.2 - Policy

Now that we’ve established the level of commitment expected of top management, we move onto the question of policy. There are two parts to this – creating the policy and then communicating it.

There is a requirement for top management to establish a policy that:

a) is relevant to what the organisation is trying to achieve.

b) talks about how objectives are set.

c) formally commits the organisation to satisfying applicable requirements.

d) also commits the organisation to continually improving the management system.

Some of the standards also require additional commitments to areas such as eliminating hazards and consulting workers (ISO45001) and preventing pollution (ISO14001).

It is sometimes said that the policy needs to cover at least the 4 Cs.

  • Customers – a commitment to providing services that meet and exceed the expectations of customers.

  • Compliance – while adhering to the requirements of the standard.

  • Competence – ensuring employees have the skills, knowledge and support needed to deliver services.

  • Continuous Improvement – striving to continually improve services and processes and establishing and reviewing measurable objectives.

It is common practice to get the policy signed and dated by the CEO or MD.

Once the policy is written it has to be:

a) available in a documented form (it doesn’t have to be an actual document, but it must be readable).

b) communicated within the organisation (there are lots of ways this can be done).

c) available to that list of interested parties you defined under Clause 4.

For example, in a small consultancy business, the following steps could be taken to communicate the policy and meet these requirements:

  • Write the policy in clear and concise language and make it available to all employees and stakeholders on the company’s intranet site.

  • Communicate the policy to all employees, contractors, and stakeholders through training sessions, internal memos, or other appropriate means.

  • Display the policy in prominent areas within the organisation, such as the reception area or employee break room.

  • Include it in the company’s annual report and other public-facing documents.

  • The company’s management team review the policy annually to ensure it remains relevant and effective. Feedback from employees and clients is also considered as part of the review process. Any necessary updates or revisions are communicated to all relevant parties.

Now we have a communicated policy, let’s move on to who does what in the management system.

Sub-Clause 5.3 - Organisational roles, responsibilities and authorities

Obviously, it’s important that everyone involved in the management system knows what part they have to play. The requirements in this sub-clause are fairly brief in most of the standards we’re looking at, with ISO9001 going into a bit more detail than the others.

It’s up to top management to ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organisation. This means you will first have to define the titles of the roles, bearing in mind that they don’t have to be full-time jobs – people can wear more than one “hat” within the management system. Each role will have a list of activities it is intended to fulfil and some thought will be needed to avoid overlaps and confusion in some areas. The question of authorities is often overlooked; you will need to define what each role is authorised to do, and when it must raise an issue with the next level for a decision.

In addition to this management system organisation structure, top management must explicitly assign the responsibility and authority in two key areas:

a) ensuring that the management system conforms to the requirements of the relevant standard(s).

b) reporting to top management on how well the management system is performing.

ISO9001 goes a bit further and also requires that top management explicitly assign the responsibility and authority for:

  • ensuring that the processes are producing what was intended.

  • promoting customer focus within the organisation.

  • making sure that the integrity of the management system is maintained when changes happen.

An example of the allocation of roles, responsibilities and authorities could be as follows.

Step One: Identify the key roles and responsibilities.

The following key roles and responsibilities related to the management system are identified:

Management System Manager: responsible for overseeing the management system and ensuring that it meets the requirements of the relevant ISO standard.

Project Managers: responsible for ensuring that the management system objectives are established and met within their respective projects.

Workers’ Representatives: responsible for representing the employees at meetings, promoting a safe and healthy workspace, participating in hazard identification, etc.

Consultants: responsible for delivering services in accordance with the management system.

Step Two: Define the authority of each role.

The authority of each role is clearly defined in the company’s manual. For example, the Management System Manager has the authority to approve changes to the management system, while Project Managers have the authority to make decisions related to their respective projects.

Step Three: Document the roles, responsibilities, and authorities.

The roles, responsibilities, and authorities are documented in the company’s management system manual and are easily accessible to all employees through the company’s intranet.

Step Four: Involve individuals with appropriate authority in decision-making.

Individuals with the appropriate authority are involved in decision-making processes related to the management system. For example, for a QMS, the Quality Manager is involved in the review and approval of all changes to the quality management system.

Step Five: Review and update regularly.

The roles, responsibilities, and authorities are reviewed annually as part of the company’s management review process to ensure their ongoing relevance and effectiveness. Any necessary updates or revisions are communicated to all relevant parties.

Sub-Clause 5.4 - Consultation and participation of workers (ISO45001 only)

For the ISO45001 Occupational Health and Safety standard, there’s a bit more to say in Clause 5. The additional Sub-clause 5.4 requires top management to make sure that workers are involved in most aspects of the management system and that barriers to their participation, such as lack of training or information, are removed as far as possible. This is a lengthy sub-clause with a long list of areas of the management system where consultation and participation of non-managerial workers must be “emphasised”.

In some ways, it’s interesting that this sub-clause is not included in the requirements of the other standards (such as quality and environmental management) as encouraging consultation and participation would seem to be a good idea in general.

In Summary

Leadership is absolutely key when putting a management system in place, whether it’s to address quality, environmental, health and safety or any of the other subjects covered by ISO management system standards. Top management need to lead from the front and demonstrate to the rest of the organisation that “this is the way we do things now”.

Clause 5 covers this leadership requirement and also mandates the creation of a relevant policy to communicate the approach, and the definition of a structure of roles with defined responsibilities and authorities to make it happen. These are the basic building blocks of every successful management system and must be taken seriously.

So whichever standard you’re looking at, take a little time to focus on Clause 5, and you won’t regret it.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
