The Management Review (clause 9) is the capstone of any Management System. But, this is often overlooked or treated as the final element of an ISO Management Standard implementation.
Firstly to dispel some myths:
a) The management review does not need to be a new practice you introduce in order to demonstrate you have an operational management system,
b) Nor does it need to be a high-frequency exercise.
For the purpose of meeting requirements of your ISO Management System/s there are some key agenda items within the context of a Management Review that must be addressed (and these will be referred to shortly), however, these could (and should) be an integral part of your normal business practice.
Too often organisations set up discrete Management Review exercises to meet the ISO management standards requirements, overlooking the fact that a well-run business should be addressing many of these already in other forums.
- This approach serves to both duplicate existing process and add additional workload to busy management teams,
- It also reinforces the idea that the management system/s are peripheral to core business rather than embedded in core business.
When looking at implementing an ISO Management Standard, or when you take a step back from the business as usual to appraise your business health, the starting point could actually be the Management Review.
Taking an example from clause 9.3 of ISO 27001:2013:
“Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.”
To break this down, the Standard/s require an organisation to consider:
- Changes in external and internal issues that are relevant to the management system
- Feedback on the performance of the management system, including trends in
- nonconformities and corrective actions,
- monitoring and measurement results,
- audit results and fulfilment of management system objectives,
- feedback from interested parties,
- and results of risk assessment and status of risk treatment plan, and opportunities for continual improvement.
Alongside these, the status of actions from previous management reviews should be reflected upon, and the outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the management system.
The differences between an effective Management Review and one that ticks the boxes for achieving or retaining ISO certification is the substance of these reviews seen through the quality and availability of qualitative and quantitative data which is repeatable, reproducible and replicable.
In essence, however all of these agenda items should, in a well-oiled business, be reflected upon by leaderships teams through their normal good practice. To reinforce this point, hot off the press is the publication of ISO 10014:2021 – Guidance for realizing financial and economic benefits, which complements ISO 9001:2015’s quality management principles to “monitor and manage trends in key performance metrics” and enable an organisation to “take improvement action based on the observed metrics”. This guidance document explicitly moves the focus of the Management Standard to a point where it is a leadership tool for sustainability and growth.
It is a well-travelled path to cite that the ISO Management Standards are based on Deming’s Plan-Do-Check-Act cycle, though what is not necessarily enforced is the value of the ‘Check’ element.
As our athletes in Tokyo know all too well, training hard for four (or even five) years, watching their diets and developing their techniques means little without checking their progress. The Management Review is this progress check and acts as a spirit level for your organisation.
So next time you try to rationalise the value of implementing an ISO Management System, or reflect on the health of your business (or Management Standard/s), why not start with a Management Review and take stock of where your business is.
In these highly disruptive and ever-changing times, is it not fair to say that if you don’t know where your business is at, you are not in a position to change or adapt?
Please contact us to learn more about the Management Review and how it can benefit you and your organisation.