I can’t recall a time during my employment at risual where we haven’t been pushing ourselves to achieve a new certification – whether it be ISO 27001 – Information Security Management back in 2015, ISO 20000-1 – IT Service Management in 2016, or Cyber Essentials Plus in 2017…the list goes on! There are obvious benefits of achieving these certifications such as; giving our customers confidence that our services, products and processes are robust and reliable, and winning more business by demonstrating conformity to standards that customers require – both of which are very important to us. But the main reason we chose to achieve them, aside from the all-important badge, is that they drive and deliver real internal improvements.
Using the ISO standards as examples, over the years they’ve ingrained some fundamental principles across the business which help us all to drive quality.
The Process Approach
Processes aren’t there to slow people down or to block people, they are there to ensure quality and that customer, risual, stakeholder and sometimes legal requirements are met. Every activity is part of a process. By clearly identifying and monitoring a process, you can ensure it meets set performance levels, identify abnormalities and prevent their reoccurrence by identifying the root cause. A well-managed process is a ‘leading indicator’ of good performance whereas results are a ‘lagging indicator’ and only give you a view of what’s already happened, so the focus should be on ensuring the process is managed and the positive results will come.
The backbone of most quality frameworks and for a good reason – it’s simple and effective! The PDCA cycle enables you to ensure that your processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on.
- Plan: establish the objectives of the system and its processes, and the resources needed to deliver results in accordance with customers’ requirements and the organisation’s policies, and identify and address risks and opportunities;
- Do: implement what was planned;
- Check: monitor and (where applicable) measure processes and the resulting products and services against policies, objectives, requirements and planned activities, and report the results;
- Act: take actions to improve performance, as necessary.
Risk Based Thinking
Risk-based thinking enables us to determine the factors that could cause our processes and quality management systems to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.
I’ve personally shifted from just demonstrating compliance against a standard based on solid working practices (nothing wrong with that), to realising the real benefits that learning from the frameworks can bring to the business. The standards are intended to support ‘best in class’ practices, we should not be afraid to strive for that goal; seeing the achievement of the certification as a bonus along a much bigger journey.