Guidelines to Implementing Management Systems

This Project Programme applies to the implementation of a Management System such as:

Business Continuity (ISO 22301, BS 25999)
CE Mark (89/106/EEC, BS EN 1090)
Environmental (ISO 14001)
Food Safety (ISO 22000, BRC Global Food Standard)
Health & Safety (OHSAS 18001, HSG65)
Information Security (ISO 27001)
Quality Assurance (ISO 9001)
Technical (NERS, GIRS, WIRS)

Logistics can deliver 'turn key' certification including internal audits, management review and accompanying the external auditor
Alternatively Logistics can be tasked with implementing any of the 15 steps within the certification process.

Implementation Guidelines
What are 'Risk Assessments'?
Management systems (not just Health & Safety systems) require each hazard (danger) to be evaluated (identified & assessed), taking into account existing controls.

The formula often quoted is Risk = Hazard x Probability (likelihood of occurrence).

Where consequences (Hazard) range: Bruising (First Aid required) → Serious injury (medical treatment, effects reversible) → Fatality

And likelihood of occurrence (Probability) range: 1 in 1 million (extremely remote) → 1 in 10 (frequent)

Risk can affect People, Assets and Reputation/Brand

Risk is instinctively underestimated for activities that:

a) Are familiar eg People are content to cycle on roads (often high-risk), but some are nervous of air travel (which is relatively safe)

b) Have delayed consequences (eg smoking, tanning beds)

Stanford University quantifies the level of risk as 1 micromort defined as a 1 in a million chance of death:

6,000 miles by train (accident)
1,000 miles by jet (accident)
230 miles by car (accident)
17 miles by walking (accident)
10 miles by bicycle (accident)
6 miles by motorbike (accident)
1.4 cigarettes smoked, or living 2 months with a smoker (cancer, heart disease)

The Health & Safety Executive (HSE) quantifies the level of risk, at which an employer should consider action:

Below 1 micromort/ annum is broadly acceptable (eg business driving 230 miles/year)
Above 1,000 micromorts/ annum cannot be justified except in extraordinary circumstances (eg business driving 230,000 miles/year)

The Cambridge Professor for the Understanding of Risk quantifies a different unit: the microlife, defined as an activity which extends or reduces your life by 1 millionth, which equates to half an hour (30 minutes is equal to 1 millionth of 60 years):

The first alcoholic drink of the day adds 1 microlife to your life
The first 20 minutes of exercise adds 2 microlifes to your life
One SCUBA dive subtracts 5 microlifes from your life
one hang-glider flight subtracts 7 microlifes from your life

Risk Assessment is so called in Health & Safety & Information Security, but it is renamed:

Business Impact Analysis in Business Continuity Management;
Context of the Organization in Quality Management;
Data Protection Impact Assessment in Data Protection Management (GDPR);
Determination of Execution Class (EXC1-4) in the Construction Products Regulations;
HACCP (Hazard Analysis and Critical Control Points) in Food Safety Management;
Significant Environmental Aspects in Environmental Management.

Methodologies (of varying complexity) for analysing risk include:

FMEA (Failure Mode & Effects Analysis) qualitative exercise to analyse the reliability of a system (for example an automtive component)
FTA (Fault Tree Analysis) qualitative exercise incorporating Event Symbols & Boolean Logic to analyse the reliability of a system
HAZOP (Hazard & Operability Analysis/Study) qualitative technique aimed to stimulate the imagination of participants to potential hazards
LOPA (Layer of Protection Analysis) semi-quantitative tool for analysing and assessing risk on a process plant
PHA (Process Hazard Analysis) general name for qualitative risk assessment by, for example Checklist, What If? Analysis
RM³ (Risk Management Maturity Model) Office of Road & Rail use this model to assess risk management arrangements within the rail industry
SWIFT (Structured What If? Technique) qualitative technique to stimulate the imagination of participants by using a checklist of guide words

Are procedures/method statements just bureaucracy?
Management systems are required to be documented, but you will be pleasantly surprised how concise the wording can be, eg use bullet points instead of sentences or paragraphs.

Who writes the procedures/method statements?
We carry out the systems analysis & then document the procedure/method statement for you. Clear, concise documentation is essential to reduce the time/cost of internal & external audits.

Should we write our own the procedures/method statements?
If you wish to write your own manual, avoid unnecessary detail, we will gladly advise you on the required content.

We don't get any complaints, so I don't need a procedure for that?
Even the mildest suggestion is useful feedback, an opportunity to improve. Consequently all management systems require a procedure to address customer complaints. A single 'Problems & Suggestions Spreadsheet' should suffice.

How much?
The Certification Body's fee is based on company size, eg ISO 9001 starts at £800. Our consultancy fees are often grant assisted.

Grant assistance?
We can advise you on European funding, available in most areas.

How long does it take?
A comfortable time for an ISO implementation is 6 months. If urgent, it can be achieved within 2 months.

Project Plan

Step	What to do	Logistics can help	Examples
1	Research ISO standard	Present a case study of the ISO Standard as implemented by a company in your industry	Design Procedure Administration Procedure
2	Establish scope	Produce single page policy statement Determine exclusions to ISO standard	Quality Policy Health & Safety Policy Environmental Policy
3	Establish business objectives	Produce performance objectives Produce improvement objectives	Orders received before 3pm are despatched same day; ISO9001 certification by 31/12/14
4	Appoint certification body	Shortlist from 50 certification bodies UKAS accredited Coporate image:cost Relevant experience	BSI ISOQAR LRQA (Lloyds)
5	Establish responsibilities	Identify appropriate staff	Internal auditors
6	Identify existing controls	Interview departmental staff	Book, form, spreadsheet, database
7	Document existing procedures	Interview departmental staff Produce a concise Procedures Manual, summarising critical business processes Works Instructions (defined as non audited)	Control of documents & records Corrective & preventive action Design Internal audit Purchasing
8	Identify standards	Supply library of downloads in .pdf format Legislation Standards (Approved) Codes of Practice	Customer specifications Manufacturer's instructions Trade Association code of practice British Standards Health & Safety Executive guidance Environment Agency pollution prevention
9	Risk assessment	Audit facilities Checklist of common business hazards Hazard Analysis & Critical Control Points Method statements Business continuity (disaster recovery) Business risk analysis Residual risk report	Environmental (aspects) Financial (fraud, theft) Food Safety (HACCP) Health & Safety Human Resources (employment law) Information Security Marketing (SWOT) Quality Assurance (context of the organization) Technical (workmanship)
10	Action plan	Gap analysis & improvement plan Develop system improvements Healthcheck prior to assessment	Implement a customer complaints system (spreadsheet with a shortcut on every PC)
11	Internal audits	Select internal auditors Train internal auditors Carry out internal audits	Qualified Internal Auditors Cannot audit their own work Agree achievable audit programme
12	Internal communication	Staff presentation	Brainstorm hazards Explain ISO Explain changes to system
13	Management review	Chair management review meeting	Produce agenda & minutes
14	Certification	Attend (host) stage 1/ stage 2 assessment	Address any corrective action
15	Maintain management system	Helpline support for life	ISO & legislation updates