When getting to grips with ISO (International Organisation for Standardisation) standards for the first time, you will notice that they are structured in clauses, a bit like a contract. This structure is common across all of the management system standards that ISO publishes, such as ISO 9001, ISO 22301 and ISO/IEC 27001. It is defined in Annex SL of the ISO/IEC Directives and was long known as the “High Level Structure” (HLS); since 2021 ISO has called it the “Harmonised Structure” (HS), but you will still see all three names used interchangeably.
So, what we’re about to say applies to all of these standards. Note, however, that the Annex SL wording has evolved over time, so the exact format and wording of each standard depends not only on its subject but also on when it was last revised.
What’s in Clause 6?
Clause 6 (Planning) of the management system standards consists of three subclauses:
6.1 Actions to address risks and opportunities
6.2 Objectives and planning to achieve them
6.3 Planning of changes
Let’s look at each of these in turn to better understand what they require us to do.
Subclause 6.1 - Actions to address risks and opportunities
Subclause 6.1 of the ISO management system standards deals with the actions required to address the risks and opportunities that arise from the organisation’s context (the issues identified under subclause 4.1) and from the requirements of its interested parties (subclause 4.2). It requires the organisation to determine those risks and opportunities, plan actions to address them, integrate the actions into its management system processes, and evaluate whether the actions were effective. This subclause emphasises the importance of identifying, analysing and evaluating the risks and opportunities that can affect an organisation’s ability to achieve its objectives, and it embodies one of the key principles of ISO management systems: risk-based thinking.
Risk-based thinking is a fundamental concept in ISO management systems, such as ISO 9001 (quality management) and ISO 14001 (environmental management). It is an approach that enables organisations to identify and manage risks and opportunities that could affect their objectives, performance and stakeholders. It involves considering potential risks and opportunities at every stage of the management system’s processes, from planning to delivery, in order to prevent or mitigate negative outcomes and maximise positive ones. It emphasises proactive and preventive action rather than reactive measures; in fact, it replaced the separate “preventive action” requirement found in older editions of these standards.
For instance, under ISO 9001 an organisation is expected to:
Identify risks and opportunities that could impact its quality management system, products or services, customers and stakeholders.
Evaluate the significance of these risks and opportunities, taking into account their likelihood, potential impact, and the effectiveness of existing controls.
Develop and implement appropriate risk mitigation or opportunity exploitation measures, based on the evaluation of risks and opportunities.
Continuously monitor and review the effectiveness of the risk management process and update the risk management plan as necessary.
By adopting a risk-based thinking approach, organisations can identify and address potential risks and opportunities in a proactive manner, leading to more efficient and effective quality management practices, increased customer satisfaction, and improved overall performance.
Benefits of risk-based thinking
Some of the benefits of adopting risk-based thinking are:
Improved decision-making: By identifying and assessing risks and opportunities, organisations can make informed decisions that are based on a thorough understanding of the potential consequences of their actions. This can lead to more effective and efficient decision-making, reducing the likelihood of costly mistakes or missed opportunities.
Increased resilience: By understanding the risks and opportunities that could impact their business, organisations can build resilience and better prepare for unexpected events. This can help them to respond quickly and effectively to crises, reducing the impact on their business and stakeholders.
Continuous improvement: Risk-based thinking encourages organisations to continuously review and improve their management systems. By identifying risks and opportunities, organisations can identify areas for improvement and take proactive steps to address them.
To summarise risk-based thinking, it is a critical component of ISO management systems that can help organisations to make better decisions, increase resilience, and drive continuous improvement.
Examples of how this requirement can be applied
The following are some examples of how the requirements in this subclause can be applied in practice:
Identification of Risks and Opportunities: The first step is to identify the risks and opportunities that may affect the organisation. For example, an organisation may identify the risk of a cybersecurity breach or the opportunity to expand into new markets.
Risk Assessment: Once the risks and opportunities are identified, the next step is to assess their potential impact on the organisation. For example, a cybersecurity breach could lead to a loss of customer data, reputation damage, or financial losses.
Risk Mitigation: After assessing the risks, the organisation must take steps to mitigate them. For example, the organisation may implement a cybersecurity policy, invest in IT infrastructure, and train employees on cybersecurity best practices.
Opportunity Maximisation: Organisations must also take steps to maximise opportunities. For example, an organisation may develop a marketing strategy to expand into new markets, invest in research and development to develop new products, or form partnerships with other companies.
Monitoring and Review: Finally, it is essential to monitor and review the effectiveness of risk and opportunity management actions taken. This helps to ensure that the organisation is continually improving its management system and achieving its objectives.
Example of an “actions to address risks and opportunities” table
Let’s look at an example of how risks and opportunities relate to the interested parties of the management system.
| Interested parties | Requirements | Risks (R) & opportunities (O) | Effectiveness of actions |
|---|---|---|---|
| **Internal** | | | |
| Employees | Consistent access to IT infrastructure | (R) Downtime and lack of training on the new system. (O) Increase effectiveness/efficiency with the new system. | Minimal downtime, allowing staff to work more efficiently. |
| HODs (heads of department) | Expectations for the team | (R) Unhappy employees leading to high turnover of staff. (O) Retain staff and core knowledge in the business. | Everyone working towards the same goal. Staff retained. |
| Accounts Department | Bank balance | (R) Lack of working capital. (O) Investment opportunities. | Good working capital retained. |
| **External** | | | |
| Clients | Quality service | (R) Bad reputation. (O) Build a good name in the market for client relations. | Happy clients. Increased business due to good reputation. |
| Government Departments | Compliance with changing regulations | (R) Potential fines for non-compliance with regulatory requirements. (R) Unhappy clients and a less efficient service. (O) Provide clients with the correct information and gain a good reputation in the market. | Remain compliant with regulatory requirements. Efficient, quality service. Realistic timeframes. Happy clients. |
| Competitors | Maintain larger market share | (R) Loss of business to competitors. (O) Enhance our services to our clients. | Remain competitive within the market. Clients’ service enhanced. |
The above table sets out the following:
The interested party
Their need or expectation
The identified risk (R) or opportunity (O)
The effectiveness of the actions that were implemented to meet their needs or requirements
Remember that this subclause is linked to subclause 4.1 (Understanding the organisation and its context) and subclause 4.2 (Understanding the needs and expectations of interested parties), so reusing the same first two columns (interested party and requirement) from your subclause 4.2 analysis in the table above makes the alignment obvious to an auditor.
Overall, subclause 6.1 of the ISO management system standards requires organisations to take a proactive approach to managing risks and opportunities. By identifying, assessing and mitigating risks and by maximising opportunities, organisations can improve their performance, meet their objectives, and remain competitive in their industries.
Subclause 6.2 - Objectives and planning to achieve them
ISO management system objectives are the goals and targets an organisation sets for its management system. The standards require them to be consistent with the relevant policy, measurable (if practicable), monitored, communicated and updated as appropriate, and to be retained as documented information. They give the organisation a framework for consistent and effective management practice across all areas of its operations, leading to improved efficiency, customer satisfaction and overall performance.
The actions used to achieve ISO management system objectives typically involve a systematic and structured approach that includes the following steps:
Planning: This involves establishing clear and measurable objectives, identifying the resources needed to achieve them, and developing an action plan to implement the necessary changes.
Implementation: This involves carrying out the action plan, assigning responsibilities, and monitoring progress towards achieving the objectives.
Evaluation: This involves assessing the effectiveness of the actions taken and identifying areas for improvement.
Improvement: This involves making changes to the management system and taking corrective actions where necessary to ensure continued compliance with ISO standards and the achievement of the organisation’s objectives.
Some common actions to achieve objectives
Some common actions that organisations take to achieve ISO management system objectives include:
Documenting policies and procedures: Organisations create clear and concise documentation outlining their policies and procedures to ensure that everyone in the organisation understands the standards they need to meet and the actions they need to take.
Training and awareness: Organisations provide training and awareness programs to ensure that all employees understand their roles and responsibilities in implementing the management system and achieving the organisation’s objectives.
Monitoring and measurement: Organisations use monitoring and measurement tools to evaluate their performance against the objectives and identify areas for improvement.
Continual improvement: Organisations use a continuous improvement process to regularly review and update their management system to ensure ongoing compliance with ISO standards and the achievement of their objectives.
The difference between business and ISO management system objectives
A business objective is a specific, measurable, achievable, relevant, and time-bound goal that an organisation sets to achieve its overall mission and vision. Business objectives are usually focused on improving the organisation’s financial performance, customer satisfaction, market share, employee engagement, or other strategic areas of focus.
On the other hand, an ISO management system objective is a specific goal that an organisation sets to meet the requirements of a particular ISO management system standard, such as ISO 9001 (Quality Management) or ISO/IEC 27001 (Information Security Management). ISO management system objectives are designed to improve the organisation’s management practices, processes and systems to meet the requirements of the relevant standard. These also need to be SMART (specific, measurable, achievable, relevant and time-bound); the standard itself requires them to be consistent with the policy, measurable if practicable, monitored, communicated and updated as appropriate.
While business objectives and ISO management system objectives are different, they are not mutually exclusive. In fact, an organisation can use ISO management system objectives to achieve its business objectives. For example, an organisation may set an ISO management system objective to improve its product quality, which can help it achieve its business objective of improving customer satisfaction and market share.
Additionally, an organisation may set business objectives that align with ISO management system standards, such as reducing its environmental impact, which can help it achieve compliance with ISO 14001.
Subclause 6.3 - Planning of changes
This part of the clause deals with changes to the management system and requires them to be carried out in a planned manner, with due regard to the purpose of the change and its potential consequences, the integrity of the management system, the availability of resources, and the allocation or reallocation of responsibilities and authorities. In practice this means identifying when a change is happening, understanding its consequences for the management system, and then implementing it smoothly and updating all of the relevant parts of the system consistently. A simple change management process will help to achieve this. Note that a separate subclause 6.3 only appears in editions that include it (for example ISO 9001:2015 and ISO/IEC 27001:2022); standards based on older Annex SL text may not have it, although they still expect changes to the management system to be managed.
Additional requirements in other management systems
While there are similarities in the requirements of Clause 6 across ISO management systems written in the Annex SL format, there may also be some differences based on the specific standard and its focus. Here are some key differences you may encounter in the requirements of Clause 6 for different ISO management systems:
1. ISO 9001 (Quality Management System)
The emphasis is on planning changes related to the quality management system, including processes, products and services. The requirements focus on meeting customer requirements, enhancing customer satisfaction, and improving product and service quality.
2. ISO 14001 (Environmental Management System)
The focus is on planning changes related to the environmental management system, particularly addressing environmental aspects, impacts and performance.
The requirements emphasise the prevention of pollution, compliance with applicable environmental regulations, and continual improvement of environmental performance.
3. ISO 45001 (Occupational Health and Safety Management System)
The requirements centre on planning changes related to the occupational health and safety management system, with a focus on hazard identification, risk assessment and risk control.
The emphasis is on ensuring a safe and healthy work environment, preventing work-related injuries and ill-health, and complying with applicable health and safety regulations.
4. ISO/IEC 27001 (Information Security Management System)
The focus is on planning changes related to the information security management system, including the identification and assessment of information security risks.
The requirements emphasise the protection of sensitive information, safeguarding the confidentiality, integrity and availability of information, and complying with relevant legal, regulatory and contractual requirements.
ISO/IEC 27001 also adds the most detail to subclause 6.1. Subclause 6.1.2 requires a documented information security risk assessment process with defined risk criteria (including risk acceptance criteria) that produces consistent and comparable results, identifies risks to the confidentiality, integrity and availability of information within the scope, assigns a risk owner to each risk, and analyses and evaluates each risk against those criteria. Subclause 6.1.3 requires a risk treatment process that selects treatment options, determines the controls needed, compares them with the reference controls in Annex A to check that nothing necessary has been omitted, produces a Statement of Applicability (listing the necessary controls, the justification for including or excluding each Annex A control, and whether each is implemented), formulates a risk treatment plan, and obtains the risk owners’ approval of that plan and their acceptance of the residual risks. Subclause 6.2 likewise requires information security objectives to be set at relevant functions and levels and retained as documented information. An auditor will expect to see all of this, so a generic risk register that does not show risk owners, risk criteria, or the link from each risk to the controls in the Statement of Applicability will not be enough.
While these are some notable differences, it’s important to remember that the Annex SL format establishes a common high-level structure and core requirements across ISO management systems. This allows for easier integration and alignment of different management systems within an organisation, facilitating synergies and streamlining the overall management system approach. However, each specific ISO standard has its own unique context and requirements that reflect the nature of the discipline it addresses.
Links to other areas of the standard
Clause 6 in an ISO management system written in the Annex SL format serves as a critical link between various other clauses of the standard. It establishes the foundation for effective planning and management of changes throughout the management system. Here’s how Clause 6 typically connects with other clauses.
1. Context of organisation (Clause 4)
Clause 6 builds upon the organisation’s understanding of its context, including internal and external factors and interested parties.
It considers these factors when determining the need for changes and planning their implementation.
2. Leadership (Clause 5)
The leadership’s commitment and involvement are crucial in driving and supporting the planning and management of changes.
The leadership sets the direction, objectives, and resources for change initiatives and ensures they align with the organisation’s strategic goals.
3. Support (Clause 7)
The support clause ensures that resources, including human resources, infrastructure, and competence, are identified, and allocated for implementing planned changes.
It also emphasises the importance of communication and creating awareness of changes among stakeholders within the organisation.
4. Operation (Clause 8)
Changes planned in Clause 6 often lead to adjustments in the organisation’s operational processes, procedures, and activities.
Clause 8 guides the implementation of these changes, ensuring that they are executed effectively and in line with the planned objectives.
5. Performance evaluation (Clause 9)
Clause 6 sets the objectives, planned actions and planned changes against which performance will later be judged.
Clause 9 then focuses on monitoring and reviewing the effectiveness and suitability of the implemented changes, including identifying nonconformities and opportunities for improvement.
6. Improvement (Clause 10)
The changes implemented under Clause 6 are subject to continuous improvement.
Clause 10 guides the organisation in taking corrective action on nonconformities and in continually improving the management system based on the monitoring and review results, driving further enhancements and adjustments. (The Annex SL structure no longer has a separate “preventive action” requirement; that role is played by risk-based thinking in subclause 6.1.)
In summary
Clause 6 is the core of identifying risks, opportunities and improvements within the ISO management standards.
Subclause 6.1 – Actions to address risks and opportunities is linked to subclauses 4.1 and 4.2. Some standards require it to be documented (ISO/IEC 27001, for instance, requires documented information on the risk assessment and risk treatment processes and their results), and even where this is not mandatory, a written record is what an auditor will look for.
Subclause 6.2 – Organisations need to establish relevant objectives for their management system, that are implemented, monitored, communicated and updated as appropriate.
Subclause 6.3 – The organisation must control changes that affect their management system by considering their potential consequences, the integrity of the management system, availability of resources and responsibilities.
There are variations of the requirements as stated earlier, but these are the core requirements.
Overall, Clause 6 acts as a vital thread that runs through the entire management system, linking together various aspects of planning, support, operation, evaluation, and improvement. It ensures that changes within the organisation are effectively planned, managed, monitored, and improved in alignment with the organisation’s context, leadership commitment, and strategic objectives.