ISO management Systems and your board

The other week I was trying to arrange a catch-up with our local Institute of Directors branch to talk about opportunities to present at their meetings on ISO management systems and the benefit of ISO systems within organisations, with the aim of helping directors understand their part in the ISO environment.

The response wasn't what I expected: their focus was on areas with strong governance aspects, not this stuff. That is a little concerning. How do we ensure that directors are involved in supporting and guiding organisations, and that they can provide effective governance, if they don't understand what it is they are supposed to be supporting or what their role within it is?

The IoD talk about 4 pillars of governance within their best practice manual (it's 100% worth reading; it's pretty good stuff). They are:

  • Determining Purpose – what type of company are you, what's your purpose, your strategy, how will you be sustainable, general governance.
  • An effective governance culture – this is all about how your board works: due diligence, inductions, director development and evaluation, effective board meetings and things like that.
  • Holding to Account – this includes accountabilities, managing and appointing the CEO, risk management, internal audits, technology, Health & Safety, human rights, reporting to the board.
  • Effective Compliance – this covers topics like directors' duties, solvency, conflicts of interest and board committees, but also covers things like company records and information, audit committees, insurance and indemnities, financial reporting and fun stuff like that.

ISO Standards and Governance

When people think about ISO standards they think about the 'big 3': ISO9001 for Quality Management Systems, ISO45001 for Occupational Health & Safety and ISO14001 for Environmental Management Systems, increasingly followed up with ISO27001 for Information Security. But there are others, and we'll touch on one important one as well, but let's start with these 3.

All new standards are aligned to the same high-level structure, which allows you to create one single compliance or management system to run your organisation. That's handy, as it makes explaining this bit simple.

Throughout each of these standards there are some key requirements which they all share, like understanding the context of the organisation: in other words, who are you, why do you exist, who do you serve, what's your strategy, what are your strengths, weaknesses, opportunities and threats? That sounds remarkably like the topics directors would care about under Determining Purpose, doesn't it?

Continuing in clause 4 (so the very start of these standards), we want to understand who else has an interest in your organisation – the banks, your shareholders, employees, suppliers etc. Importantly, it requires you to fully understand the risks within your business.

Planning for Risks and opportunities

When we talk about risk it's not purely H&S risk, although of course directors have a clear requirement and responsibility around that, where failings can lead to prosecutions of directors. Risk extends beyond that to pure business risks. In ISO9001 especially, risks can be linked to the sustainability of the business: your suppliers – what is the risk profile there? What about your products, your customers, and the spread of your business across those customers – what if one folds or exits? What if you get a new opportunity and it means doubling your company size? Does your board care? And with the increasing focus on ESG (Environmental, Social & Governance), doesn't the board care about your performance in your ISO14001 Environmental Management System?

Clause 6 of the standards is all about planning, and specifically about risks and opportunities to the organisation. Surely that sits squarely in the Holding to Account and Effective Compliance areas of the 4 pillars?

Your legal requirements

All the ISO standards require you to have an active way of tracking and managing your 'legal and other requirements'. This is typically a list of all the legal elements you need to meet, plus your voluntary, local and contractual requirements and so on. You need to understand what these are and how you as an organisation are meeting them. Your board should be fully on top of this as part of meeting their own requirements; if you aren't, then you open yourself up to a whole bunch of legal trouble, not just for the leadership team of the company but for the board as well.

For example, you have a legal requirement around financial reporting and to not operate while insolvent. What are your controls for ensuring that this reporting and governance is happening? A recent, fairly high-profile case of a company operating while in a financially dubious position resulted in the directors all being liable for the $40 million in damages.

Business Performance and board reports

We have all felt the pressure of getting the board reports done on time. Some are frankly overkill and some, well, let's just say they could do with a little more meat. The reports to the board are all about ensuring the business is on track and meeting its obligations. Things like performance against the Quality, Environmental or H&S objectives that you set as part of your ISO requirements would certainly be reported back to the board.

Hopefully you would also report back your internal audit results, showing that you have a well-managed business that is meeting its requirements. If your internal audit results are all poor, you have a big compliance problem; if they are all perfect, you have a bigger compliance problem, as the auditors are just ticking boxes and not delving down. Both require the CEO to be held accountable for the business processes not being used, and that's a core function of the board.

One of the great metrics a board can use to understand how engaged their people are in developing and improving the business is how many changes have been made to the Management System documentation. Why? If the team is engaged, documents are updated on a regular basis as improvements are made. If the documentation within the business isn't being changed, it's either not being used or the people don't care; both should be a red flag for the board.

The Board and Leadership

What about the leadership requirement of the standards? The standards all talk about senior leadership, and this senior leadership doesn't stop at the CEO; it also includes the board. If your board doesn't care about these compliance requirements then why would your CEO, and if they don't care, why would your leadership team or your managers? Under the Health & Safety laws in most countries, board members are expected to spend time within the company (it's also the sign of a good board). If the board aren't showing leadership in H&S then you have real trouble: that's what ISO45001 is looking for, and it's what the law is looking for!

When the board is looking at organisational sustainability, they should be looking at who your key people are, whether you have the right people and enough people, and whether you have the resources you need: the buildings, the infrastructure. All of this is a requirement of the leadership clause in all the key standards. If your board isn't looking here, then how are they acting as an effective board, and how can they remotely provide guidance to your CEO or leadership team?

There are other obvious elements. Control of documented information, for example, doesn't stop at the CEO under the standard; the board's documentation is included in this requirement. The requirement for adequate training, and evidence that people are trained to be able to do their role, should also encompass your board. Again, look at the 4 pillars and it's squarely in there and aligned.

Have you met ISO37000:2021 – Governance of Organisations?

If you think that's all there is, then think again. In 2021 ISO released ISO37000, the international standard for governance of organisations. It provides a framework for what good governance looks like irrespective of the organisation. It wasn't written by a few people in a small room: it was developed by a worldwide working group and then circulated to all member country representatives for review and updating. The final version received unanimous support for ratification, and that's no small achievement!

The governance standard is made up of 4 areas which together form 11 core principles. Here's how it's structured:

The standard is designed to give an organisation of any size or type a clear understanding of what good governance looks like. It allows you to align your organisation at a local and international level in a meaningful way and provides a global benchmark for what good governance really looks like. It talks about governance requirements but also about the need for delegation: as a board you can't do everything, hence you need to delegate to the leadership team. How do you do that, and how do you monitor it? How do you make sure those being delegated to have the skills? (See the ISO 9001 competency requirements!)

It talks about defining organisational values, sustainability, value generation, accountability, competence, data-driven decision making, risk governance, social responsibility and much more.

ISO and your Board

When you look at all these various ISO requirements and think about what you expect and need from your board: if they aren't paying attention to these requirements and using them, then how can they be an effective board?

How can they ensure that your business is meeting the needs of its stakeholders (or that it even understands who its stakeholders are!), that it's sustainable for the long run, and that it's meeting your legal requirements?

By having sound ISO management systems in place that are regularly audited, internally and externally by third parties, and by ensuring that the directors are paying attention to how the business is really running by reviewing the performance of these systems and understanding the risks and underperforming areas, you gain not just good governance but also a sound company foundation that will last.

Now, doesn't that sound like something our directors should all care about? And isn't it something that those helping to develop directors should care about too?

Copyright

© Many Caps Consulting | All Rights Reserved

Sunday, 19 May 2024