V2 15/01/15 1 © Associate Enterprises Ltd Risk Management Annex SL The Future of Management Systems www.assentriskmanagement.co.uk

Annex SL Training for ISO 9001:2015. & ISO 14001:2015



Intro

• ISO/TMB has produced Annex SL with the objective of delivering consistent and compatible management system standards (MSS) in an attempt to make this process easier.

• Annex SL describes the framework for a generic management system.

• Freely available: http://www.iso.org/sites/directives/directives.html#toc_marker-76


Key Elements

1. High level structure

2. Identical core text

3. Common terms and core definitions

In future, all management system standards will have these 3 elements.

The High Level Structure cannot be changed, but sub-clauses can be added.

Discipline-specific text can also be added.

Common Terms and Core Definitions cannot be changed but can be added to.


High Level Structure

Ten clauses used in all Management System Standards:

1. Scope

2. Normative references

3. Terms and definitions

4. Context of the Organisation

5. Leadership

6. Planning

7. Support

8. Operation

9. Performance evaluation

10. Improvement

Note: As of July 2013, ISO 22301 & ISO 27001:2013 are using HLS.

Note: XXX is used as a placeholder to denote the discipline of the standard, e.g. environmental, quality, etc.


Clause 4. Context of the Organisation

• 4.1 Understanding the organisation and its context

• 4.2 Understanding the needs and expectations of interested parties

• 4.3 Determining the scope of the XXX management system

• 4.4 XXX management system


Clause 4. Context of the Organisation

• Expanded scope requirements for the management system.

• Consider ‘Interested Parties’ both inside and outside the organisation.

• Should be documented.


Examples of Interested Parties

MS

• Customers

• Employees

• Suppliers

• 3rd Parties

– Visitors

– Contractors

• Insurers

• External

– Public/Neighbours

– The Media

• Authorities

– Government

– Regulators

• Emergency

– Utilities

– 999


Clause 5. Leadership

• 5.1 Leadership and commitment

• 5.2 Policy

• 5.3 Organisational roles, responsibilities and authorities


Clause 5. Leadership

• Emphasis on Leadership not just management.

• Should communicate importance of system.

• Policy should be available to all interested parties.


Clause 6. Planning

• 6.1 Actions to address risks and opportunities

• 6.2 XXX objectives and planning to achieve them


Clause 6. Planning

• Risk is now prominent and replaces Preventive action.

• ISO 31000 provides guidance on risk management.

• Objectives are more specific and in line with Policy.

• Objectives should be measurable (if practicable), monitored, communicated, and updated as appropriate. They have to be established at relevant functions and levels.


Clause 7. Support

• 7.1 Resources

• 7.2 Competence

• 7.3 Awareness

• 7.4 Communication

• 7.5 Documented information

– 7.5.1 General

– 7.5.2 Creating and updating

– 7.5.3 Control of documented information


Clause 7. Support

• Little new content here.

• The term "Documented Information" is used and includes:

– Documents

– Records

– Forms

– Other


Clause 8. Operation

• 8.1 Operational planning and control


Clause 8. Operation

• The specifics of what the organisation does.

• The bulk of the specific standard's requirements will be here, e.g. Environmental (14001), Quality (9001).


Clause 9. Performance Evaluation

• 9.1 Monitoring, measurement, analysis and evaluation

• 9.2 Internal audit

• 9.3 Management review

Some useful common terms and core definitions from Appendix 2 of Annex SL follow:


Clause 9. Performance Evaluation

Common terms & core definitions from Appendix 2 of Annex SL

3.12 process: set of interrelated or interacting activities which transforms inputs into outputs

3.13 performance: measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services), systems or organizations (3.01).

3.14 outsource (verb): make an arrangement where an external organization (3.01) performs part of an organization's function or process (3.12)

Note 1 to entry: An external organization is outside the scope of the management system (3.04), although the outsourced function or process is within the scope.

3.15 monitoring: determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.


Clause 9. Performance Evaluation

Common terms & core definitions from Appendix 2 of Annex SL

3.16 measurement: process (3.12) to determine a value

3.17 audit: systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.


Clause 9. Performance Evaluation

Common terms & core definitions from Appendix 2 of Annex SL

3.18 conformity: fulfillment of a requirement (3.03)

3.19 nonconformity: non-fulfillment of a requirement (3.03)

3.20 corrective action: action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence

3.21 continual improvement: recurring activity to enhance performance (3.13)


Clause 10. Improvement

• 10.1 Nonconformity and corrective action

• 10.2 Continual improvement

Preventive action has been replaced by Opportunities to address risks.


More Info

• Annex SL: http://www.iso.org/sites/directives/directives.html#toc_marker-76

• IRCA Briefing Note: http://www.irca.org/en-gb/resources/Guidance-notes/Annex-SL-previously-ISO-Guide-83/


Contact Us

If we can help you implement any ISO standards & achieve certification, please contact us:

• www.assentriskmanagement.co.uk

• London & South East: 020 3432 2854

• Midlands: 01332 896 478

• Wales & West: 029 2000 4623

• Twitter: @assent1
