ViewPoint Espresso Collection – Capturing value from the new ISO requirements # 4 – February 2019 - Actions to address risks and opportunities
1
DNV GL ©
SAFER, SMARTER, GREENER
Setting the Scene
ISO (International Organization for Standardization) released the new version of the ISO 9001 and ISO 14001 standards in 2015 and more recently the ISO 45001.
2
DNV GL ©
September 2018 is when the transition period for two of the schemes ended and all companies had to be aligned with the new requirements in ISO 9001 and ISO 14001.
In 2015 we surveyed our customers before they started their journey towards the transition to the new standards. For each of the most relevant new requirements, we asked how they will implement and plan to be compliant to the new requirement.
Today in 2018, we are repeating our investigation limited to those companies that have already completed the adoption of the new standard version, with the aim of understanding: ▪ How they have actually met and satisfied specific standard requirements in comparison with what they planned to do 3 years ago. ▪ What kind of benefits and value each new requirement created or is expected to create for the company.
ISO Requirements in Focus We will apply the same investigation format to the following set of new ISO requirements, which we consider the most relevant within the wider full set of new requirements brought in by ISO in the new standard version: 4.1 – Understanding the organisation and its context 4.2 – Understanding the needs and expectations of interested parties 5.1 – Leadership and commitment
6.1 – Actions to address risks and opportunities 7.4 - Communication The requirement in focus is 6.1 – Actions to address risks and opportunities. Clause 6.1 requires that you determine risks and opportunities when planning for the quality management system. This will provide assurance that the quality management system is designed to achieve its intended result(s), enhance desirable effects, prevent or reduce undesired effects and achieve continual improvement. For the quality management system, this is largely a new requirement for certified companies. Therefore this Espresso Survey has polled companies certified to ISO 9001 only. 3
DNV GL ©
Question 1 – Means for meeting the requirement How have you met the requirement (6.1) in your organisation? Mark initiatives that your organisation has implemented (multiple answers are allowed).
45%
Promoting a risk based thinking in the entire organisation Focusing both on operational (e.g. related to its processes) as well as more strategic risks (high level risks) Raising awareness and competence of the management team in the area of risk/opportunity determination Using a structured and documented approach for determining the opportunities and the actions for… Using a process for determining the risks where at minimum the outputs/results are documented Using a defined and structured method for risk determination/assessment (e.g. FMEA, HACCP, HAZOP) Measuring risk management performance against indicators Establishing internal communication and reporting mechanisms in order to support and encourage…
44% 42% 38% 36% 28% 24% 22% 18%
Allocating appropriate resources for risk management Using a mental/not documented and unstructured analysis for determining risks and planning actions for addressing… Using an unstructured/mental approach for determining opportunities and actions for addressing them Designing and implementing a formalized framework for risk management (e.g. based on ISO 31000 or similar) Other initiatives
4
DNV GL ©
12% 11% 10% 2%
None of the above
1%
Don't know
1%
▪ The top 3 means adopted by companies reflect what was in their plans almost 3 years ago ▪ Promoting risk based thinking (1st) is what the norm push for and is top for almost 1 out of 2 ▪ Interesting and positive to see that (2nd) focus for companies is not only limited to operational risks but includes a more rounded set of risks (e.g. strategic risks) ▪ Actions aimed at raising awareness and culture on risks/opportunities ranks 3rd ▪ More mature approaches to risk determination based on structured methods (e.g. FMEA, HAZOP) are used by 1/3 of companies whilst risk management approaches based on best practice standards (ISO 31K) is only applied by 1 out 10 ▪ Good to see that only a fraction of companies base their approach on mentally unstructured and undefined routines
Question 2 – Benefits from implementing the requirement Please rate how much the new requirement (6.1) contributes, or will contribute, to the achievement of the listed possible benefits. Some of the listed general benefits might not be relevant or applicable to the specific requirement (6.1) in focus in this Espresso survey. 1 No contribution at all
1,0
3 Moderate contribution
2,0
3,0 2,5
Improved financial results Advantages with tax, banks or insurance companies
2 Low contribution
1,9
Creation of new market opportunities
2,5
Improving public image
2,6 2,9
Ability to meet legal requirements
3,1
Customer satisfaction/meet customer needs Better relations with relevant authorities
– Ability to meet customer requirement/improved customer satisfaction
2,7
Providing a competitive advantage
2,5 3,2
Identification/management of risks
3,0
Top management commitment & engagement Enhanced employees engagement Improved communication with stakeholders
Improvement in management of suppliers
5
DNV GL ©
2,7 2,7 2,6
4,0
▪ The adoption of this requirement led to positive contributions (≥ 3) and hence generation of value for: – Identification/management of risks, which is the main aim for the requirement
3,0
Achievement of strategic objectives
4 High contribution
– Achievement of strategic objectives, which is very much dependent on the ability of the company to identify and manage risks as well as opportunities – Top management commitment, through the cultural factor that a risk based thinking approach is pushed through the company, including focus on strategic risks
Question 2 – Benefits, overall view (cont’d) The chart below shows the contribution of each of the 5 requirements in focus to the list of identified benefits. The chart will be progressively updated when a new requirement is analysed. When all 5 requirements will be investigated, the chart will be complete.
Relevant benefit (≥3) Benefits
4.1 – Understanding the organisation and its context
4.2 – Understanding the needs and expectations of interested parties
5.1 – Leadership and commitment
6.1 – Actions to address risks and opportunities
Improved financial results Advantages with tax/banks/insurance Achievement of strategic objectives Creation of new market opportunities Providing a competitive advantage Improving public image Ability to meet legal requirements Customer satisfaction/meet customer needs Better relations with authorities Identification/management of risks Top management commitment & engagement
Enhanced employee engagement Improved communication with stakeholders Improvement in management of suppliers
6
DNV GL ©
7.4 Communication
Insights from auditing management systems The chart below shows a complementary picture to the survey results. It shows statistics from Lumina™, based on audit findings by DNV GL. See where the shoe pinches for companies in being compliant to the new requirements. % of companies with non-conformities (ISO 9K)
% of companies with non-conformities (ISO 14K)
% of companies with non-severe findings (ISO 9K)
% of companies with non-severe findings (ISO 14K) % of companies with non-conformities (ISO 14K) 58% % of companies with non-severe findings (ISO 14K)
% of companies with non-conformities (ISO 9K)
60%
% of companies with non-severe findings (ISO 9K)
50% 27%
40%
▪ In general, requirement 6.1 is high in terms of audit findings. This can be explained due to the central importance and emphasis on actions to address risks and opportunities in a management system according to the new standard versions.
31%
30% 20%
17% 11%
10% 0%
3%
11%
8% 4%
4.1 – Understanding the organisation and its context
21% 31%
12% 12%
8%
18%
5%
7%
4.2 – Understanding the needs and expectations of interested parties
5%
4%
4% 1%
3% 1%
5.1 – Leadership and commitment
10%
6.1 – Actions to address risks and opportunities
▪ The data shows the percentage of companies where the audit (ISO 9001:2015 or ISO 14001:2015) resulted in one or more findings in the requirements in focus in this Espresso collection
7.4 Communication
▪ For environment, more than 1 out of 2 companies incur a finding in this requirement. For 1 out of 3 companies it is a non-conformity. ▪ Lumina™ is the DNV GL performance benchmarking tool for Management System certification. To learn more about Lumina ™, visit www.dnvgl.com/lumina
Statistics based on more than 30,000 companies audited worldwide Standard: ISO 9001 and 14001 Management Systems (2015 version) Time frame: Jan 2015 – Dec 2018 Industry Sector: All Non-conformities include CAT1 and CAT2 type of NC; non-severe findings include Observations and Opportunities for improvement
7
DNV GL ©
Methodology and Sample
January
2019
This Espresso survey was conducted in January 2019.
520
It involved 520 professionals in companies across different industries in Europe, North America, Central & South America and Asia.
▪ The sample consists of DNV GL-Business Assurance customers and does not claim to be statistically representative of companies worldwide. ▪ The questionnaire was administered using the CAWI (Computer Assisted Web Interviewing) methodology.
8
DNV GL ©
Thank You!
Want to access the results from other ViewPoint surveys? Read more here Not yet a Viewpoint member and want to join? Click here Interested in benchmarking the performance of your company Management System? Learn more here
www.dnvgl.com
SAFER, SMARTER, GREENER
9
DNV GL ©
The trademarks DNV GL®, DNV®, the Horizon Graphic and Det Norske Veritas® are the properties of companies in the Det Norske Veritas group. All rights reserved.