Integrating management systems at Software Box
Two years ago Software Box decided to integrate ISO 14001, OHSAS 18001 and ISO 27001 into its existing management system. John Symonds explains how

Software Box is a privately owned UK company employing 90 staff and specializing in software licensing and computer security. When the company decided to formalize its business and management processes in 1995, the objective was to produce a management system that:
- addressed all aspects of its current processes
- was readily available to all employees
- would easily accept improvements as the business developed
- would be internationally recognized
The BS 5750 model (now ISO 9001), and more specifically part two (manufacture), was chosen as the basis for the system as it was already an established, internationally recognized standard. However, it was obvious that creating a structure around part two would require considerable changes when the company upgraded to part one (design). As a result we created a company manual based on 20 sections of what was then BS 5750 part 1 and this provided the required expansion route.
At the time we did not fully appreciate the versatility this gave us. It allowed us to easily incorporate additional sections over time and in the end it was the most important decision we made in our path towards an integrated management system. In effect we had an integrated system from day one.
We gained certification to part two in 1996 and the addition of the design function followed in 1997. This was straightforward as we had the basic structure already in place. Natural improvements over time incorporated personnel, marketing, finance, health and safety and security into our existing system. All the existing processes, and any new processes that were developed, were required to address health and safety, security and environmental issues.
To further develop our systems and to demonstrate our commitment to the continual improvement of our business, in 2007 the board of directors made the decision to incorporate the requirements of ISO 14001, ISO 27001 and OHSAS 18001 into the formalized system, with the company obtaining certifications for each of these standards. This buy-in from the top is crucial for any company considering implementation of these standards.
With an established system based on ISO 9001, we had a backbone in place. Management teams already existed for health, safety and security systems and a new team was created for environmental management. The teams were all coordinated by our quality manager, now our integrated management system manager.
A gap analysis was produced against each standard identifying what we had to do, how to do it, the division of responsibilities and a definitive timescale. Each new and altered requirement was reviewed to ensure there were positive business benefits in meeting the requirements of each clause. These were all coordinated by the integrated management system manager with final approval by the CEO.
The buy-in from our directors was replicated in our managers and employees, which made the identification and agreement to the changes of our existing procedures straightforward. The relevant staff were trained in the modified processes. In parallel, our internal auditors, who were already auditing procedures which addressed health, safety, security and environment, received additional training in the new standards.
The programme for certification was hectic – OHSAS 18001 in March 2008, ISO 27001 in June 2008 and ISO 14001 in November 2008. This was in addition to normal surveillance visits for ISO 9001 and the other standards as they came on board, including re-certification to OHSAS 18001 against the 2007 standard. We achieved our goal of a certified integrated management system to the four standards in November 2008. However, we did not stop there. We wanted a single certification for all four standards.
This was simpler than anticipated. We approached our certification body, explained what we required and they agreed to carry out an integrated assessment for us in November 2009. Everything is on schedule and we expect to have a single, certified, integrated system by mid-November. But this is not the end: we are already working on incorporating the requirements of ISO 20000, the customer service standard, and BS 25999, the business continuity standard, into our systems.
Our path to a certified integrated system was uncomplicated because we started with nothing in place and created the whole system from scratch. We were able to build an integrated system from day one rather than having to merge existing systems. For companies considering adopting any one of these standards I would recommend they build their system with the same versatility as we did as it will pay dividends in the end.
For those companies who are already certified to one or more standards, now is the time to consolidate processes. For example, develop a single combined policy rather than separate policies for quality and health and safety. Our policy includes business requirements, health, safety, environment, security and data protection. Develop this by doing the same for your policy manual and the core requirements, management review and document control. The remainder of your processes can then follow.
Software Box has grown over the last 15 years with the benefits of a single integrated management system. These benefits have increased with integrated certification by reducing the administration costs as a result of fewer surveillance visits and audit reports. It has also allowed a more efficient use of management time and, most importantly for us, we are seen by our customers as a progressive company.
About the author
John Symonds is the integrated management systems manager for Software Box. He has been working within the management system environment since 1988 and obtained a degree in Quality Management in 2003. He is a member of the CQI and an IRCA certified lead auditor.
