Management system guidance
4.0 Context of the Organization
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.
4.4 Management system processes
Most of the requirements from Clause 4.4 Management System and its Processes are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 - General Requirements and Clause 8.2.3 - Monitoring and Measurement of Processes.
Based upon the extent of your organization’s management system processes, you should seek evidence that your organization has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.
ISO 9001:2015 includes specific requirements necessary for the adoption of processes when developing, implementing and improving a management system. This requires your organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and strategic direction.
We suggest that you map out which departments and functions are responsible for executing each element (from Section 4.0 to Section 10.0) of the standard as it applies to each process, using a free copy of our 'Process Clause Matrix' template. If you need a procedure to help with determining your organization's processes, click here. Auditors will want to determine:
- How well the ‘process approach’ understood and deployed within the organization;
- How well the management system aligns line with the organizational context and the requirements of interested parties;
- How likely the will the management system achieve its intended outcomes and enhance environmental, safety & quality performance?
- Identification of the processes needed for the management system (e.g. process models, process grouping, process flow diagram);
- Management system processes and their sequence and interaction (e.g. process mapping, turtle diagrams, SIPOC;
- What information exists to ensure effective operation and control of the processes, e.g. defined process requirements, defined roles, required competencies, associated training, guidance material;
- How the expected inputs and outputs from each of the identified processes, together with assignment of responsibilities and authorities are aligned;
- The necessary criteria and methods to ensure effective operation and control of the processes, e.g. process monitoring indicators, performance indicators, target setting, data collection, trend analysis, audit results.
- The arrangements for governing the processes (e.g. process reviews, dashboards, risks and opportunities relating to the process, resource needs, user training and competency, continual improvement initiatives, frequency of reviews, agenda, minutes, actions);
- The organizational approach towards continual improvement and the type of action taken when process performance is not meeting intended results;
- How the capture of customer, statutory and regulatory requirements, and the method used to build these into the QMS (e.g. requirements capture, gap analysis, requirements embedded into the process definition, assigned contract assurance instructions, formal links to information, use of specified documentation).
Existing operational procedures, quality manuals, work instructions and flow charts are valid examples of documented information and can be used to evidence the requirement for ‘documented information to support the operation of processes is being met’. Check that process inputs and outputs are defined, and review how each of the processes are sequenced and how they interact.
Your organization should begin using quality, health and safety, and environmental performance indicators to control and monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your organization has successfully integrated the management system processes into its business processes.
Evidence may include management reviewing management system KPI’s as part of regular business reviews, awareness of contractors and employees of management system goals and expectations, etc.
Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organization has:
- Assigned duties/process owners; (Clause 5.3)
- Assessed risks and opportunities; (Clause 6.1)
- Provided resources; (Clause 7.1)
- Maintained and retained documented information. (Clause 7.5.1)
- Implemented measurement criteria; (Clause 9.0)
- Improved the management system and its processes; (Clause 10.3)
Ensure that the documentation created and maintained by your organization to support the operation of the processes, such documentation might be in the form of a management system manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), universal or bespoke software, templates and forms.
Documentation identified and retained by your organization that shows that the processes were carried it as planned, should be retained as physical hard copy records, electronic media (data servers, hard drives, compact discs, or flash drives etc.).
Specific documentation created and maintained by your organization that includes a description of relevant interested parties (Clause 4.2), scope of the management system including boundaries and applicability (Clause 4.3), description of the processes needed for the QMS together with their sequence, interaction and application and assignment of responsibilities for the processes.
Certification Auditors are likely to audit your organization's processes in sufficient depth and detail to evaluate if those processes are capable of meeting planned results and performance levels. You should therefore audit your organization's management system to focus on process performance and effectiveness. Give priority to the following:
- Review your organization's processes, their sequence and how they interact;
- Identify functions and the assignment of responsibilities;
- Review performance against requirements and defined measures, focusing on processes that directly impact the customer;
- Review your organization's process for monitoring and measurement, validation and approval of processes, and process changes;
- Review the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel;
- Review process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, process capability determination;
- Review any existing plans to ensure performance objectives and targets are monitored, measured, and analyzed in order to realize the planned activities and achieve the planned results;
- Review all applicable action taken when objectives and targets are not met to promote continual improvement;
- Pursue audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.
Identify key and supporting processes
Processes such as design and development, manufacturing, customer service and purchasing are key to giving the customer what they want.
Supporting processes do not contribute directly to what the customer wants but do help the key processes to achieve their output. Support processes include often human resources, finance, document control, training and facilities maintenance, etc.
Think about how workflows through your organization. Consider how the inputs and outputs of the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in.
For now, ignore the standard, in fact put it in a draw and forget it exists. Instead focus on your key processes and how the related departments interface with each other. When defining your processes, try to keep it simple. A process such as 'receiving inspection' could be a a sub-process of the 'purchasing' process, for example.
Auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses.
It should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented the organization may wish to consider factors such as:
- Effect on quality;
- Effect on the environment;
- Effect on safety and wellbeing;
- Risk of customer dissatisfaction;
- Statutory and/or regulatory requirements;
- Economic risk;
- Effectiveness and efficiency;
- Competence of personnel;
- Complexity of processes.
Once you have defined the processes and interfaces; go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and assign try to define those processes around the current organizational model and not around the requirements of the standard. For each process, ensure that is has:
- Owner(s) and participants, defined and documented;
- Procedures, work instructions or forms;
- Inputs, activities and outputs;
- Key performance indicators;
- Risks and opportunities.
Determine the sequence and interaction of processes
The auditor must see evidence that the organization has determined their processes and that the interactions are also defined, all within the quality manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship.
This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order define their interactions. Interaction means how one influences the other. Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (names).
The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined.
Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.
Controlling outsourced processes
Outsourced processes must be controlled by the organization and these controls must be defined and described within their system. Organization's are required to identify the controls they apply for any outsourced processes. Examples of some outsourced processes include:
A process completed wholly or partially by a sister facility outside the scope of registration. Such as corporate performing design, purchasing or customer related processes, this includes management activities i.e. business planning, goal setting, resources, data analysis, budgeting, etc.
This may include the entire element or a subsection i.e. corporate completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders.
A process completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls.
If this is the case, written documentation would be the purchasing documentation and records however; these processes are required to be documented in the quality manual.
If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes.
Outsourced processes may be controlled through such methods as, but not limited to, auditing, contractual agreements, process performance data review on an on-going basis or purchasing processes.
Ensuring control over outsourced processes does not absolve the organization of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as, the potential impact of the outsourced process on the organization’s capability to provide a product or service that conforms to requirements, the degree to which the control of the process is shared, or the capability of achieving the necessary control through the application of the purchasing process.
You should expect to see evidence that your organization has determined their processes and interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved.
Look for evidence that your organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s management system. You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s management system are planned.
More information on PDCA
Free internal audit checklists
Check out our free internal audit checklists. The audit checklist template is just one of the many tools which are available from the auditor’s toolbox that help ensure your audits address the necessary requirements.
Over 8,000 companies and globally recognized brands have relied on our templates to provide a path to improve, collaborate, and to enhance their operations to achieve certification, please see our client list for more information.