Regulatory & Conformity Requirements for risk-driven organizations
…the convergence of regulatory compliance and management standards conformity
ISO 19011:2018 states, ‘This document adopts the combined audit approach when two or more management systems of different disciplines are audited together. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit (sometimes known as an integrated audit)’. This requires the different disciplines to be integrated as a system.
The COSO audit framework for Sarbanes Oxley (SOX) states, ‘Control activities are actions generally described in policies, procedures, and standards that help management mitigate risks to ensure the objectives are achieved. Control activities may be preventive or detective in nature and may be performed at all levels of the organization’.
ISO standard companies are risk-driven per the ISO 2015 standards. The evidence of this claim is found on the Introduction page of ISO 9001: ‘Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise’.
What are the mechanics of operating a Single Management System compared to traditional silo management? Does everything remain the same? Is the risk the same for each silo or different when the disciplines are synergistically integrated?
ISO 19011:2018, A.10 informs:
An audit of an organization’s approach to the determination of risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system, including when interviewing top management.
Satisfying both the legal requirements and the management system standards requires the Single Management System to be a risk-driven strategy that supports regulatory compliance with Sarbanes Oxley and FSMA, as well as the conformity requirements of ISO Management Systems.
Risk is not assessed for its own sake. Its purpose is to determine the management controls that produce the desired results across all operations, through the integrated disciplines.
The Business of Silo vs Single Management System
Apart from the legal and conformity requirements, there are business implications of changing from silo to integrated management. There is a long history of silo management from the beginning of industry with Frederick Taylor over 100 years ago. Silos still exist, as evidenced by individual discipline Management System Standards.
Over time, controls were developed relative to each discipline:
Process Quality – SPC
Maintenance – Preventive Maintenance, Condition Monitoring, Planned overhauls
Occupational Safety – OSHA
Environmental Safety – EPA
However, there is a relationship between the disciplines. For example, GHG emissions, increased solid waste, or water pollution can result from decreased product quality. The reduced quality can be due to undermaintained equipment, which could also lead to occupational safety incidents.
This demonstrates the interdependence of the disciplines. Addressing each discipline individually means the connectivity between them is underdetermined. The results have potential financial consequences.
The risk strategy delivers the controls organizations need to meet their strategic and operational objectives across all disciplines. The measure of success for an organization is meeting its strategic plan. An article in Inc. by Maya Hu-Chan (June 16, 2017) quotes David Norton and Robert Kaplan, stating that 90% of companies fail at their strategic objectives. Meeting the strategic objectives is dependent on the disciplines. However, the determination was made on a silo format, in which risk may or may not have been applied – one silo at a time.
The organization needs to be reconfigured to operate holistically, acknowledging interdependence by evaluating risk simultaneously across all disciplines; operating as a single management system provides a better opportunity to reach its strategic plans. The present method of managing the operations is only 10% effective. Reaching the strategic plan means an enhanced financial status.
Have you met your strategic plan numbers?
This website electronically provides the resources for risk-induced implementation, document modification, operational training, and internal auditing training to enable a change from managing by silos to holistically managed operations as a single management system.
We have developed a Franchise business model to support the reconfiguration of organizations away from the silo model, because to gain full operational benefits, risk has to be holistic across the operations.
Is your risk determined for each department silo or across the process? If you are not collaborating to determine controls of the operations, it is an indicator that you are silo-driven. The Chevron North America lubrication plants have been reconfigured according to these principles and have enhanced their collaboration and culture. See testimonials page. Chevron is both Sarbanes Oxley and ISO certified; this also informs us that Sarbanes Oxley and companies may be in need of an alternative integrated Management System. The food industry is also risk-driven, governed by regulations (FSMA) and voluntary standards (ISO 22000/GFSI).
We offer Franchisees across the globe access to our materials to reconfigure organizations for their existing and new organizations. The professionals interfacing with the client have to be trained to meet our rigorous standards on our online program. The Franchisee can only utilize persons trained in our system. We receive auto-emails on the status of trained persons. We have set up a feedback survey on this website for completion by the end client.
Interested US companies may also register here to determine whether they qualify for funded training, available on a first-come, first-served basis. Small and medium companies in need of help can contact https://www.nist.gov/mep/centers/quick-list for potential sources of funding.