
05. About Management Systems and Management Systems Standards/Frameworks

In adopting a management system standard/guidelines, the organization has to look at 2 exercises:


  • Adopting the management system standard itself - with an appropriate enterprise level governance framework

  • The BAU conduct of the newly implemented management system in conformance with the management system standard - with a governance process as prescribed in the standard and derived from the enterprise-wide governance framework


On the 1st point, the enterprise is expected to do the below for the newly adopted standard(s):


·       Set strategic G&Os to integrate management system and management system standard.

·       Set strategic planning and directives.

·       Conduct employee training/roll-out/adoption.

·       Ensure continuous improvements.


On the 2nd point, any management system, when set against a framework/standard like ISO, is expected to do at least some of the following while establishing conformance:


·       Define scope.

·       Conduct a gap analysis with the standard and the as-is status.

·       Adopt relevant policies, processes and guidelines.

·       Assign roles and responsibilities.

·       Conduct employee training/roll-out/adoption.

·       Implement, execute and control.

·       Perform corrective actions.



In this blog, I try to capture the various management system standards/frameworks that help an organization maximize its output while focusing on efficiency and effectiveness.

Before we adopt the best practices for our organizations, a bit of groundwork is needed to understand the right basic organizational structure for executing our processes. I urge you to practice lean (trim waste) while designing and trimming these organizational structures. This is a continuous process, since the nature of an organization and its processes can morph over time.


Please refer to these articles and the references for more information –

·       7 Organizational Structure Types (With Examples) – Forbes Advisor.

·       The Ultimate Guide to Organizational Design | The Org


Some parts of the organization, like finance, HR, IT, audit etc., may develop their own bodies of knowledge. This is where we come across the popular management frameworks, and these are sometimes harmonized!


Management Systems:


As per the definition found in the ISO site,

A management system is the way in which an organization manages the interrelated parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.


As per the definition found in the FitSM site, a management system is -  

Entirety of policies, processes, procedures and related resources and capabilities aiming at effectively performing management tasks in a given context and for a given subject

Note 1: A management system is generally intangible. It is based on the idea of a systematic, structured and process-oriented way of managing.

Note 2: While documentation (such as process definitions, procedures and records) and tools (such as workflow support and monitoring tools) can be parts of a management system, management system considerations are not limited to the questions of documentation and tool support.

Let us consider ISO, which is well known for publishing several popular management system standards. There are 4 types of ISO documents on the ISO website:


1.      Management System Standards (MSS)

ISO standards that set out requirements or guidance to help organizations manage their policies and processes to achieve specific objectives. MSS are designed to be applicable across all economic sectors, various types and sizes of organizations and diverse geographical, cultural and social conditions.

Many ISO MSS have the same structure and contain many of the same terms & definitions and requirements.

Examples: ISO 9001:2015 QMS, ISO/IEC 27001:2022 ISMS, ISO 14001:2015 (Environmental Management Systems)


2.      Sector Specific MSS

ISO management system standards that provide additional requirements or guidance for the application of a generic management standard in a specific economic or business sector.

Examples: ISO 13485:2016 Medical Devices/QMS, ISO 22613:2023 Railway applications QMS


3.      Management System related standards and implementation guidelines

ISO standards that are intended to provide further guidance and/or requirements on:

1.      specific aspects of an organization’s management system,

2.      ISO management system standards, or

3.      related supporting techniques.

 

Examples: ISO 45003:2021 OHS Psychological health and Safety at work, ISO 14004:2016 EMS, ISO 19011:2018 Guidelines for auditing management systems

 

4.         Management Standards

ISO management standards that may support the implementation of specific aspects of an organization’s management system. 

Examples: ISO 26000:2010 Guidance on Social Responsibility, ISO 31000:2018 Risk Management – Guidelines


What’s the difference between a 'Type A' and a 'Type B' MSS?

A Type A MSS contains requirements against which an organization can claim conformance, whereas a Type B MSS does not. 


Harmonized Structure - HS

Standards listed here as HS have the same structure and contain many of the same terms and definitions. This is particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more management system standards simultaneously.


Let us try to evaluate the management system standards/frameworks for the cross-cutting functions. Since the IT function is ubiquitous in any organization, let us start with that:


1. What are the popular management frameworks for managing IT services/functions and the related functions?


·       ITIL - What is ITIL® | ITIL® Training | ITIL.org.uk

·       FitSM - FitSM – A free standard for lightweight ITSM

·       ISO/IEC 20000 – An international standard for IT service management

·       Application Services Library – A similar framework for application management

·       Business Information Services Library (BiSL) – A similar framework for information management and functional management

·       Tudor IT Process Assessment – A framework for assessment of IT service management maturity

·       ISO/IEC 15504 (IT – Process Assessment)

·       ISO/IEC 19770-1:2017 Information technology — IT asset management — Part 1: IT asset management systems — Requirements

·       ISO/IEC 20000-1:2018 Information technology — Service management — Part 1: Service management system requirements

·       ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system


2. What are the popular cybersecurity frameworks/standards used by various organizations the world over? Please note that these frameworks do not directly impact the organizational structure but can greatly influence it.


·       NIST – Cybersecurity framework (https://www.nist.gov/cyberframework/)

·       COBIT: Control Objectives for Information and Related Technologies - a related framework from ISACA

·       ISO/IEC 27001 and 27002 (Information security, cybersecurity and privacy protection — Information security management systems — Requirements)

·       ISO/IEC 15408 (Common Criteria - Wikipedia)

·       CIS Critical Security Controls 

·       Payment Card Industry Data Security Standard (PCI DSS) 

·       MITRE ATT&CK

·       HITRUST – CSF (Cyber Security Framework)

·       NERC 1300

·       NIST SP 800-53

·       ANSI/ISA 62443

·       HIPAA

·       ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

 

It is common for companies to consider 1 or more frameworks that best suit their business and adopt them for their organization. Usually they also consider their maturity initially and hence may select a simple framework to start with.


Let us consider some popular Type ‘A’ (i.e., you can apply for conformance) ISO management system standards.


3. ISO 7101:2023 Healthcare organization management — Management systems for quality in healthcare organizations — Requirements

4. ISO 9001:2015 Quality management systems — Requirements

5. ISO 14001:2015 Environmental management systems — Requirements with guidance for use

6. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

7. ISO/AWI 30201 Human Resource Management System — Requirements

8. ISO 30301:2019 Information and documentation — Management systems for records — Requirements

9. ISO 30401:2018 Knowledge management systems — Requirements

10. ISO/DIS 37001:2016 Anti-bribery management systems — Requirements with guidance for use

11. ISO/DIS 37002:2021 Whistleblowing management systems — Guidelines

12. ISO 37101:2016 Sustainable development in communities — Management system for sustainable development — Requirements with guidance for use

13. ISO 37301:2021 Compliance management systems — Requirements with guidance for use

14. ISO/AWI 37401 Diversity management systems — Requirements with guidance for use

15. ISO 44001:2017 Collaborative business relationship management systems — Requirements and framework

16. ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use

17. ISO 46001:2019 Water efficiency management systems — Requirements with guidance for use

18. ISO 50001:2018 Energy management systems — Requirements with guidance for use

19. ISO/WD 53001.2 Management Systems for UN Sustainable development goals – Requirements

20. ISO 55001:2014 Asset management — Management systems — Requirements

21. ISO/FDIS 56001 Innovation management system — Requirements

 

Most of the frameworks fall under HS (Harmonized Structure), so you can develop a single synchronized management system that meets the requirements of 2 or more management system standards. Moreover, if you adopt any other frameworks, it should be possible to re-design a morphed HS for the new framework matching your existing organizational design.


References:

·       ISO - Management system standards

·       Management system - Wikipedia

·       Management - Wikipedia

·       7 Organizational Structure Types (With Examples) – Forbes Advisor

·       9 Organizational Design Models You Should Know - AIHR

·       ISO - Management System Standards list

·       ISO 9001 Certification - Quality Management | Citation ISO (qmsuk.com)

·       The Integrated Use of Management System Standards (IUMSS)
