Auditing Context
The concepts around context of the organisation can be confusing for those new to ISO standards and auditing their requirements. In order for an organisation to have an effective management system it should be aligned with its strategic direction and take into account the internal and external issues that are relevant, when planning to achieve its objectives. For the purpose of effective planning the organisation needs to understand:
a) its status,
b) what it wants to achieve, and
c) its strategy on how to achieve it. (If you don’t know clearly your starting point for your journey it will be difficult to achieve the desired destination.) Auditors need to evaluate whether the organisation has addressed these issues. This may include the application of PDCA (the Plan Do Check Act Cycle)
What is Context?
Understanding organisational context is fundamental if we are to begin the application of risk management and risk-based thinking in an organisation. Clause 4.1 of modern ISO management system standards provides us with guidance as to gaining an understanding of internal and external issues, in other words the context within which we operate. We mentioned meeting objectives – in section 6 of the standards we find the mitigation of risk and the pursuit of opportunities for improvement – objectives by any other name!
What might we look for as evidence?
There are many ways and supporting techniques for organisations to observe and analyse their context. The output from this activity should be evident in the determined risks and opportunities. Although there is no requirement for documented information in this section (see for example ISO 9001:2015, clause 4.1), most organisations will find it useful to retain documented information to help understand the rationale and level of understanding of their challenges (e.g., “known knowns, known unknowns and unknown unknowns”). The information which might be helpful in this process could include:
- Business plan
- Review of strategy plans
- Competitor analysis
- Economic reports from business sectors
- SWOT & PESTLE analysis
- Minutes of Meetings
- Action lists
- Diagrams, Spreadsheets, Mind mapping diagrams
- External consultant’s reports
The auditor could approach this area through an interview with members of the organisation’s top management. It should be evident whether top management have adequately considered their organization’s context; the evidence of this may be adequately demonstrated by showing how the review outputs became the inputs into the management system planning process (risk-based thinking). However, in exploring the nature of the risks and opportunities, the auditor should be able to understand the adequacy of the organisation’s review of its context.
It may be that you’re still seeking that lightbulb moment or perhaps you fully understand the importance of organisational context in developing management systems. Whichever it is ensuring that there’s good solid evidence and clarity of process is crucial in auditing management systems.
To continue this discussion on context of the organisation and other management system requirements get in touch with the team at QCS International for an informal chat in the first instance. We’ll be happy to assist and perhaps help you signpost your next steps.
