What is an Integrated Management System?

CEO Note: Creating and implementing an integrated management system is, in my opinion, the ultimate management consulting engagement and the best thing a management consultant can do for an organization.

Points to Remember

[check] The major ISO Standards are alike in many ways and impose the same requirements – many of which can be combined. Risk Management is a perfect example, followed by Internal Auditing, Documentation, and Management Review.

[check] When the ISO Standards are combined synergistically (i.e., integrated), the "value add" makes the Standards greater than if they were all independent of each other.

[check] Audits, like the inspections of old, can be nothing more than "snapshots" of a condition. The picture you get today may suggest something about yesterday, but nothing definite about tomorrow.

[check] If Management (not to mention the ISO Registrar) expects its people to conform simultaneously to the requirements of several Standards, it is not unreasonable that they be operating together; and that "simultaneous" audits and reviews be part of the strategy.

This book explains the concept, the strategy, and the implementation process for an effective integrated management system or "IMS".

Overview

Many members of the ISO family of International Standards are measurably effective when used individually, predictably valuable when used together, but synergistically dynamic when integrated.

An organization that is certified to three of the ISO International Standards (let's say ISO 9000, ISO 14000, and ISO 28000), if it complies with the letter of the Standards, faces three sets of:

• Internal audits and audit schedules

• Threat analyses

• Risk Management strategies and associated justifications

• Management reviews

• Documents and records

• Manuals and/or operating procedures.

That burdensome approach may prove conformity, but it may not prove control, and certainly does not prove management. In fact, it suggests an absence of management. It wastes fiscal and human capital and contributes to a tokenistic, perfunctory, implementation; until (like the Holy Roman Empire) the system eventually crushes under its own weight.

The seminal enhancement of ISO 9001:2000 over the 1994 version was that it took the focus from discreet functions (e.g. warehousing or assembly) to holistic processes, wherein all the organization's discrete functions are conducted as part of an overall process, and with due regard for their impact on each other. Simultaneous auditing of those mutually supporting functions to more than one ISO Standard is, accordingly, logical and appropriate. Moreover, it supplements the value of the internal audit, which is a "value add" function already, or it isn't worth the doing.

A Mindset is a terrible thing to waste

1. Process Approach and Mindset

A simple explanation of an Integrated Management System (IMS) would be that it is a logical uniting of multiple (otherwise stand-alone) ISO Standards. It is, however, more than that. To maximize their value, multiple ISO Standards should be merged synergistically; that is, combined so that the value of the (complete) IMS is greater than the sum of the individual Standards.

We define "synergy" and get into its technical aspects elsewhere. First, however, we need to examine the programmatic aspects. Creating an IMS requires not just being organized, and replicable to the point of certification, it requires a synergistic mindset that says:

• This is worth doing – thoroughly and sustainably

• The manuals, operating procedures, and/or flowcharts (i.e., what you want your people to do) must reflect the letter, spirit, and best practices of the Standards – that's what makes them credible

• There must be added value, as the established processes will be better than they would be had the requirements of the Standards been implemented separately.

With that in mind, the synergistic merging of the Standards into an IMS is a function of the mission and operations of the specific organization and the Standards selected, and every actual IMS implementation will be different.

Table 1-1 compares ISO 9000 (Quality), ISO 14000 (Environmental), ISO 27000 (Information Systems Security) and ISO 28000 (Supply Chain Security) Management Systems, plus the Corporate Responsibility Management Standard MVO 8000. You can see again how alike they are in their prerequisites. It follows that their strategies and approaches will also be alike.

2. The continuing role of Risk Management The major ISO Standards contain an implicit or an explicit requirement for the organization seeking certification to have an effective risk management program; one that (among other things):

• Identifies threats, criticalities, and vulnerabilities to the organization and its missions

• Assigns consistent (albeit subjective) values to reflect established metrics and measures of effectiveness

• Feeds the findings into the strategic planning and decision making processes.

The terms risk analysis, risk assessment, and risk management, often used interchangeably, can mean a variety of different concepts and/or metrics. In point of fact, there is no one single approach to Risk Management. The challenge to risk analysts is to frame the output of the analysis in a manner that makes sense to the decision makers and that clearly and concisely represents the present and predicts the future. Approaches and strategies can be as simple or complex as the processes they were made to assess. However, simpler is almost always better,...