Management system guidance
4.0 Context of the Organization
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
4.2 Understanding the needs and expectations of interested parties
Understanding the needs and expectations of interested parties is a new requirement. You should allow time to develop an understanding of your business's internal and external stakeholder interests that might impact upon your management system's ability to deliver its intended results, or those that might influence your business's strategic direction.
This information should be gathered, reviewed and regularly monitored through formal channels, such as management review meetings. We suggest that you undertake an analysis of interested parties to determine which interested parties are relevant, and which of their requirements relate to your business activities or impact the management system.
In order to determine the relevance of an interested party or its requirements, your organization needs to answer: ‘does this interested party, or their requirements, affect our organization’s ability to achieve the intended outcomes of its management system?’
If the answer is 'yes', then the interested parties’ requirements should be captured and considered when planning your management system. There are many ways to capture this information; your approach could include:
- Information summarised as an input to the quality risk and opportunity registers;
- Information summarised as an input to the identification of environmental aspect and impact registers;
- Information summarised as an input to the identification of health & safety hazard and risk registers;
- Recorded in a simple spreadsheet with version control;
- Logged and maintained in a database to allow tracking and reporting;
- Captured, recorded, and disseminated through key meetings.
Try using brainstorming techniques to identify relevant external and internal interested parties, e.g. customers, partners, end users, external providers, owners, shareholders, employees, trade unions, government agencies, regulatory authorities, local community. We suggest that you capture this information using a free copy of our 'Interested Party Analysis' template.
Similar to the context review discussed previously in Clause 4.1, cross-functional input is vital, as certain functions will identify with particular stakeholders, for example procurement with suppliers, and sales with customers. A workshop approach should be encouraged, which can be undertaken independently of, or in conjunction with, the context review workshop.
Once stakeholders and their requirements are identified, the next step is to consider which stakeholder requirements generate compliance obligations. Legal requirements should be identified before other requirements. This process of adopting requirements will allow you to focus and coordinate on what’s important.
Make reference to all objective evidence, including examples of interested parties and any resulting compliance obligations. Look for evidence that your organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your management system.
You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s management system are planned. Ensure that your organization has properly identified its interested parties, and subsequently determined whether any of their needs and expectations are to be adopted as compliance obligations. Ensure that this process is revisited periodically because the relevant requirements of relevant interested parties may change over time.
Although not specifically required, objective evidence could be a list or matrix of the interested parties, their corresponding needs and expectations, and an indication of which of these have been accepted as compliance obligations. Compliance obligations might include:
- All relevant legal requirements;
- All requirements imposed by upper levels in the organization (for example corporate requirements);
- All relevant requirements of relevant interested parties that the organization decides to comply with, whether contractually (customers) or voluntarily (environmental or safety commitments).
Communicating with stakeholders, particularly in relation to compliance obligations, is vital. Communication with stakeholders should be based on performance data generated by your organization’s management system, which will require robust monitoring and measurement to ensure that the data is reliable.
You should ensure that the monitoring and measurement processes are included in the internal audit programme so your organization can assure itself that the checking processes are validated and that the data it is communicating is accurate. It is important to remember that Clause 4.2 'Understanding the needs and expectations of interested parties' interacts with the following clauses:
- Clause 4.3 - 'When determining the scope, the organization shall consider requirements of relevant interested parties referred to in 4.2';
- Clause 5.2.2 - 'The quality, environmental or health & safety policies are available to relevant interested parties, as appropriate';
- Clause 6.1.1 - 'When planning the management system, the organization shall consider the requirements referred to in 4.2, and determine risks and opportunities that need to be addressed';
- Clause 8.3.2 - 'In determining the stages and controls for design and development, the organization shall consider the level of control expected for the design and development process by customers and other relevant interested parties';
- Clause 9.3.2 - 'Management reviews are planned and carried out considering information on management system performance and effectiveness, including trends in customer satisfaction and feedback from relevant interested parties'.
Internal stakeholders could include:
| Types of internal interested parties | Possible needs and expectations | How to capture key issues |
|---|---|---|
| Employees and contractors | Shared culture, attitudes and job security | Employee meetings, consultation and feedback |
| Clients and customers | Competitive pricing, reliability and value | Client/customer reviews and relationship management/customer feedback |
| Suppliers | Beneficial supplier-client relationships | Supplier reviews and relationship management |
| Unions and worker representatives | Representation and cooperation | Consultation and feedback on employment and safety issues |
External stakeholders could include:
| Types of external interested parties | Possible needs and expectations | How to capture key issues |
|---|---|---|
| Regulators | Compliance and reporting | Critical product specification issues and conformity |
| Shareholders | Profitability and strategies for growth | Consultation and engagement exercises to identify concerns |
| Neighbours and communities | Social responsibility and engagement | Consultation and engagement exercises to identify environmental concerns |
| Local Authorities and Government | Consultation and information | Engagement with planning and development issues |
The relevant requirements of interested parties must be available as inputs into the management system planning process, as potential risks and opportunities (Clause 6.1). There is no requirement to retain documented information, but the following types of documentation would help to evidence this:
- Minutes of meetings (from meetings with each group of interested parties);
- Requirement spreadsheets and databases (CRM & ERM type applications);
- External communications and documentation;
- Quality manual;
- Flow down and capture of requirements relevant to the management system defined in contracts, orders, statements of work, terms of business etc;
- Records of meetings where interested parties and their requirements are routinely discussed and monitored;
- Stakeholder mapping to determine importance;
- Records of surveys, networking, face-to-face meetings, association membership, attending conferences, lobbying, participation in benchmarking.