System, process and procedures in context
The primary role of a process management auditor is to discover to what extent the process is being managed and what effect this has on the achievement of business objectives. In order to do this successfully, as we have already discovered, this may or may not involve documented procedures.
Before you can undertake any process management audit you must frst appreciate how a management system works and the interactions that go on between the overall system, processes and procedures.
Chapter 1 of this book gave a brief overview of the management system and processes with examples for each, and it is being able to make the connections between these and supporting procedures that you need to focus on.
Management system
The management system defnes the overall scope of the business, which is in turn supported by any number of processes that require management, which in turn are supported, where appropriate, by procedures, as shown in Figure 3.1.
Defned by senior management and owned by the head of scope, typically the managing director, the management system is a visual representation of an organization’s processes needed to deliver the business performance at the highest level and contains everything from business planning through to developing staff.
18
Process Management Auditing for ISO 9001:2008
Typically 8 to 15 high level processes are identifed and they in turn link or are delivered through any number of operational processes containing the detail of what activities are performed.
Process management
Related directly to the management system are the processes themselves, which exist to convert input requirements into customer output requirements through a series of value adding activities. In other words they provide the mechanism that allows the organization to achieve its objectives, with a focus on how the different departments within the organization work together towards this aim.
Just by having processes does not ensure that the business will achieve its objectives. They need effective management and it is this ‘process management’
that you need to focus on when auditing. To be able to do this effectively you frst need to understand how processes should be managed in a manner that supports the business in the achievement of its stated objectives.
Management system
Process
The ‘what’ we do level Owned by Process Owner
Measures overall process performance
Procedures Procedures
Overall management system organigram owned by head of scope, typically the Managing Director (MD)/Chief Executive Officer (CEO) Measures overall business performance
Procedures
The ‘how’ we do it level Supports process activity
Figure 3.1 The management system in context
The system-process-procedure relationship
19
Too many auditors audit processes in isolation, failing to make the vital connections between business objectives and process outputs and measures.
Failure to make these connections will result in an incomplete, inadequate and non-value-adding audit. It’s rather like checking a route map without knowing where you are trying to get to – all a bit pointless.
You need to be thinking about asking the process owner the following questions.
• What is the purpose of this process?
• How does it contribute to the organization achieving its business objectives?
• Are there process performance measures?
• Do the measures relate to the objectives/are we measuring the right things?
• Is the performance known and are effective improvement actions in place?
There are many more questions related to assessing process management but hopefully you can begin to appreciate that to be a successful auditor requires considerable skill and competence. These skills and competences need to be in different areas than have been required in the past in order to make the necessary connections and identify issues worthy of reporting.
Procedures
This is often a very diffcult concept for many people to come to terms with.
ISO 9001:2008 allows organizations the freedom to decide for themselves to what extent they have documented procedures, whereas the 1994 version of the Standard required virtually all operational activities to be documented. There is a certain reassurance one gets from having things documented and there is no doubt that having documented procedures does make compliance auditing possible. In themselves, however, procedures do not help us to carry out an effective process management audit.
So when you are auditing the activities within a process itself you should be thinking about asking the following questions.
• What risks to the process are there by not having procedures documented?
• If the risks are high, has the organization considered them and chosen an alternative way to reduce them, such as training?
• If there are procedures are they adequate for the risks they are controlling?
• Do the procedures add value or just increase bureaucracy?
The process owner should have considered what, if any, procedures are required to support process activities. Your role is to help the process owner by confrming they have got it right or identifying any potential risks they may have overlooked.
20
Process Management Auditing for ISO 9001:2008
You will be working in partnership with them to improve both the potential and actual performance of the process.
Auditing the system, process and procedures
The focus of this book is process management auditing but in order to set this in context you need to recognize that processes do not operate in isolation.
Hopefully this section of the book has gone someway to clarify this for you.
Figure 3.2 summarizes types of audits depending upon the level you are looking at in the organization and as an auditor you need to remain conscious of these connections throughout your audit.
Procedures
Process level
Compliance level System level
Date: 04/08/2009BSI/PM: Siobhan FitzgeraldModifications: Approval of issue Operator: Nora Dawson 7769Department:Modifications:Date:Signature:
File name: 2009-01 730_3.2.eps BIP 201 5
Figure 3.2 Summary of auditing levels
21