4.4 Management System and its Processes

ISO Navigator Pro

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret the fundamentals of ISO 9000:2015 to help understand and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and OHSAS 18001:2007. The ISO Navigator Pro™ database divides the requirements into four sequential stages: Plan, Do, Check and Act.


Plan

Step 1 - Plan: Define, build, operate and improve your Environmental, Health & Safety or Quality Management System (EHQMS). Your management system should define your organization’s goals and intended outcomes, determine internal and external issues, identify stakeholders and their requirements, and define the management system’s scope.

The management system and its processes

Most of the requirements from Clause 4.4 are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 - General Requirements and Clause 8.2.3 - Monitoring and Measurement of Processes. Based upon the extent of your organization’s management system and processes, you should seek evidence that your organization has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.

ISO 9001 and ISO 14001:2015 include specific requirements necessary for the adoption of processes when developing, implementing and improving a management system. This requires your organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and strategic direction. Auditors will want to determine:

  1. How well the ‘process approach’ is understood and deployed within the organization;
  2. How well the QMS aligns with the organizational context and the requirements of interested parties;
  3. How likely the QMS is to achieve its intended outcomes and enhance environmental, safety & quality performance;
  4. Identification of the processes needed for the QMS (e.g. process models, process grouping, process flow diagram);
  5. QMS processes and their sequence and interaction (e.g. process mapping, turtle diagrams, SIPOC);
  6. What information exists to ensure effective operation and control of the processes, e.g. defined process requirements, defined roles, required competencies, associated training, guidance material;
  7. How the expected inputs and outputs from each of the identified processes, together with assignment of responsibilities and authorities are aligned;
  8. The necessary criteria and methods to ensure effective operation and control of the processes, e.g. process monitoring indicators, performance indicators, target setting, data collection, trend analysis, audit results;
  9. The arrangements for governing the processes (e.g. process reviews, dashboards, risks and opportunities relating to the process, resource needs, user training and competency, continual improvement initiatives, frequency of reviews, agenda, minutes, actions);
  10. The organizational approach towards continual improvement and the type of action taken when process performance is not meeting intended results;
  11. How customer, statutory and regulatory requirements are captured, and the method used to build these into the QMS (e.g. requirements capture, gap analysis, requirements embedded into the process definition, assigned contract assurance instructions, formal links to information, use of specified documentation).

Existing operational procedures, quality manuals, work instructions and flow charts are valid examples of documented information and can be used as evidence that the requirement for ‘documented information to support the operation of processes’ is being met. Check that process inputs and outputs are defined, and review how each of the processes is sequenced and how they interact.

Your organization should begin using quality, health and safety, and environmental performance indicators to control and monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your organization has successfully integrated the QMS processes into its business processes.

Evidence may include management reviewing QMS KPIs as part of regular business reviews, contractors' and employees' awareness of QMS goals and expectations, etc. Check that process inputs and outputs are defined and review how each of the processes is sequenced and how they interact. Look for evidence that your organization has:

  1. Assigned duties/process owners (Clause 5.3);
  2. Assessed risks and opportunities (Clause 6.1);
  3. Provided resources (Clause 7.1);
  4. Maintained and retained documented information (Clause 7.5.1);
  5. Implemented measurement criteria (Clause 9.0);
  6. Improved the management system and its processes (Clause 10.0).

Ensure that documentation is created and maintained by your organization to support the operation of the processes; such documentation might be in the form of a Management System manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), universal or bespoke software, templates and forms.

Documentation identified and retained by your organization that shows that the processes were carried out as planned should be retained as physical hard copy records or electronic media (data servers, hard drives, compact discs, flash drives, etc.).

Specific documentation created and maintained by your organization that includes a description of relevant interested parties (Clause 4.2), scope of the QMS including boundaries and applicability (Clause 4.3), description of the processes needed for the QMS together with their sequence, interaction and application and assignment of responsibilities for the processes.

Certification Auditors are likely to audit your organization's processes in sufficient depth and detail to evaluate if those processes are capable of meeting planned results and performance levels. You should therefore audit your organization's management system to focus on process performance and effectiveness. Give priority to the following:

  1. Review your organization's processes, their sequence and how they interact. Identify functions and the assignment of responsibilities.
  2. Review performance against requirements and defined measures, focusing on processes that directly impact the customer.
  3. Review your organization's process for monitoring and measurement, validation and approval of processes, and process changes.
  4. Review the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel.
  5. Review process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, process capability determination.
  6. Review any existing plans to ensure performance objectives and targets are monitored, measured, and analyzed in order to realize the planned activities and achieve the planned results.
  7. Review all applicable action taken when objectives and targets are not met to promote continual improvement.
  8. Pursue audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.
 

Identify key processes

Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery. Support processes, by contrast, do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes often include human resources, finance, document control, training and facilities maintenance, etc.

A good way to do this is to think about how work flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it exists. Instead, focus on your key processes and how the departments interface with each other.

Auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented, the organization may wish to consider factors such as:

  1. Effect on quality;
  2. Effect on the environment;
  3. Effect on safety and wellbeing;
  4. Risk of customer dissatisfaction;
  5. Statutory and/or regulatory requirements;
  6. Economic risk;
  7. Effectiveness and efficiency;
  8. Competence of personnel;
  9. Complexity of processes.

Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and try to define those processes around the current organizational model and not around the requirements of the standard.

Determine the sequence and interaction of processes

The auditor must see evidence that the organization has determined their processes and that the interactions are also defined, all within the quality manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship.

This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order to define their interactions. Interaction means how one influences the other. Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (names).

The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined. Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.

Controlling outsourced processes

Outsourced processes must be controlled by the organization and these controls must be defined and described within their system. Organizations are required to identify the controls they apply for any outsourced processes. Examples of some outsourced processes include:

A process completed wholly or partially by a sister facility outside the scope of registration, such as corporate performing design, purchasing or customer-related processes. This includes management activities, i.e. business planning, goal setting, resources, data analysis, budgeting, etc. This may include the entire element or a subsection, i.e. corporate completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders.

A process completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls. If this is the case, written documentation would be the purchasing documentation and records; however, these processes are required to be documented in the quality manual.

If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes. Outsourced processes may be controlled through such methods as, but not limited to, auditing, contractual agreements, process performance data review on an on-going basis or purchasing processes.

Ensuring control over outsourced processes does not absolve the organization of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as the potential impact of the outsourced process on the organization’s capability to provide a product or service that conforms to requirements, the degree to which the control of the process is shared, or the capability of achieving the necessary control through the application of the purchasing process.

Demonstrating compliance

You should expect to see evidence that your organization has determined their processes and interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved. Look for evidence that your organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s management system. You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s management system are planned.
