Governance, Risk and Compliance Blog

Energy Assets Opts for EQMS

Posted by Emily Hill on Thu, May 18, 2017

Energy Assets, a leader in metering, energy data and network services for Britain's energy and utilities market, has procured Qualsys's electronic quality management system (EQMS) to centralise and control processes and critical business information.



Gavin Allan, Document and Compliance Administrator at Energy Assets said EQMS will help the company consolidate documents as the company continues to grow: 

"It's a really exciting time for Energy Assets as the company has grown enormously over the past few months. Not only have we won new business, we've also acquired Exoteric Metering Limited and Dragon Infrastructure Solutions, so we are welcoming a number of employees and office locations across Britain to the group, and with that come challenges in ensuring we are all on the “same page”.

"Energy Assets made a strategic decision to introduce EQMS as it will ensure all of our different sites are accessing the right information and reduce duplication of effort. EQMS will provide a backbone for us to make sure everyone can access important information such as engineering manuals, order PPE and view quality procedures."



Last week, Assad Toor and Dave Beard went to Energy Assets to provide training to the EQMS system administrators.


Dave Beard, Service Implementation Manager at Qualsys, said:

"We are really excited to be working with Energy Assets. EQMS Document Manager is going to be rolled out across the organisation over the next couple of weeks.

"We are confident that EQMS is going to drive many process efficiencies and help improve communication across Energy Assets' many sites." 

Over the next few weeks, Gavin will be doing a training roadshow to all the sites to demonstrate to users how to log in and access documents.

After this, Energy Assets will roll out an additional EQMS module for an enterprise-wide, integrated process management system. 

 Learn more about how other businesses are using EQMS here. 




Tags: New Customers

Top 10 GDPR Resources You Can Access Now

Posted by Emily Hill on Tue, May 16, 2017


There's a lot of information out there about the new EU General Data Protection Regulation (GDPR). So where can you find the best information about what GDPR means for you? 

We asked Qualsys's Business Mentor, Mike Bendall, to share his recommended GDPR resources. 

#1 – EU General Data Protection Regulation 

A good place to start is by familiarising yourself with the European Union Data Protection Regulation requirements.

In the regulation as published in the Official Journal of the European Union, you will find:

  • Why the EU have introduced the regulation
  • Details of the requirements for each article
  • 88 pages of the requirements.

Access here

#2 – GDPR Toolkit

Qualsys provides many free toolkits to help organisations manage their transition into new ISO and compliance standards. In the GDPR toolkit, you will find: 

  • Step-by-step guides
  • Advice from industry experts 
  • Quiz to get your stakeholders engaged with GDPR 

Download the toolkit for free

#3 – "EU GDPR: A Pocket Guide" (Alan Calder, Founder & Executive Chair at IT Governance)

Gain a clear understanding of the GDPR with this essential pocket guide, which explains:

  • The definitions used within the regulation in simple terms
  • The key requirements of the regulation
  • Advice of how to comply with the regulation
Buy for under £10 here

#4 – "The Missing Piece in the GDPR Puzzle" eBook

This eBook by Collibra details a best-practice approach to data governance: 

  • Why organisations need robust information management systems
  • How data governance is a vitamin for competitive advantage 
  • 3 building blocks of a data governance business case 

Read here

#5 – "Why GDPR should be at the top of your agenda" – CIO Trends Report (Computer Weekly) 

Computer Weekly has produced a CIO Trends report, which details: 

  • Why GDPR should be at the top of your agenda
  • How to ensure you're compliant
  • Insights from thought-leaders 

Access the report here

More articles from Computer Weekly you will find useful: 

#6 – "What your company should know and start doing now for GDPR" (Pedro Sa, Medium)


This article is very useful for sharing with your team if they're not familiar with some of the terminology used in the standard. 

What your company should know and start doing now 

#7 – "How to manage risks and reputation within any data-driven company" – Brighttalk webinar (Ronald Van Loon)


In this GDPR webinar, speaker Ronald van Loon discusses how to:

  • Maintain client trust with appropriate data management
  • Reduce risks and protect your reputation
  • Adopt a Protection by Design approach to data 
  • Implement technical infrastructures to protect and govern client data
  • Utilise a data protection officer to define how data is collected and stored
  • Handle the various data streams

How to manage risks and reputation within any data-driven company

#8 – "Preparing for EU GDPR" (Alan Calder, Founder & Executive Chair at IT Governance)

 This Slideshare by Alan Calder covers:

  • An overview of the regulatory landscape and territorial scope
  • Principles of the EU GDPR
  • Breach notification rules
  • Data subject rights
  • Changes to consent
  • Processor liabilities
  • Role of the Data Protection Officer

Access "First steps to GDPR Compliance" here

#9 – GDPR Stakeholder Workshop (Hans Demeyer, Data Protection Office) 

In this Slideshare, Demeyer uses "Sophie's Privacy" as a case study to show examples of what can and cannot be done under the new GDPR. There are some useful exercises you can run with your stakeholders to get them to understand their requirements. 

Access here 

#10 – "The EU GDPR and Third Party Risk" (Aravo blog) 


Third parties are often the weakest link in a company's data security, and are implicated in about 63% of all data breaches.

In this article, Aravo explains why third parties are an important point of focus for GDPR: read here.

For more information about GDPR, access the GDPR Toolkit. 




Industry 4.0: Why it pays to be a smart factory

Posted by Marc Gardner on Tue, May 16, 2017

As we stand on the cusp of Industry 4.0, many organisations are facing down the challenge of digitisation and actively investing in new technologies. But for those businesses working in heavily-regulated industries, what might the revolution mean for quality management and compliance?

It's adapt with the times or face being left behind. Despite the uncertainty of Brexit, manufacturers have shown great resilience in coping with the demands of digitisation. And any business that chooses to embrace the opportunities provided by new and emerging technologies will reap the rewards when it comes to quality, productivity and compliance.

Below, we look at five organisations who have moved to get ahead of the game by building the latest technology into their business. 

#1 – Productivity gains – Ocado

Enter one of Ocado's enormous warehouses and you'll see robot pickers moving around a grid, retrieving items as needed and operated in real time via a carefully co-ordinated 4G radio-control system. By employing such ground-breaking automation, Ocado have been able to establish themselves as the world’s largest online-only grocery retailer, shipping more than 200,000 orders every week to customers around the UK.

#2 – Greater agility – Yazaki Europe Ltd

When auditing its many suppliers, sites and customer service centres, automotive parts supplier Yazaki Europe Ltd encountered a number of isolated systems and processes, and no method of recording data beyond manual spreadsheets. To eliminate this problem, Yazaki adopted an electronic integrated audit-management system that standardised the audit process and made complying to the numerous standards and regulations much more straightforward.

#3 – Lifecycle management – Briggs Automotive Company

For British supercar manufacturer Briggs Automotive Company, makers of the BAC Mono, a "Formula 1 car for the road", having access to the most cutting-edge design tools was vital if they were to keep innovating in their field. Using product lifecycle management (PLM) software, the company creates fully customised specifications of its vehicles and visualises and simulates designs three-dimensionally before going into production.

Photo credit: Bryn Musselwhite

#4 – Enforced workflows – W.E. Rawson Ltd

W.E. Rawson Ltd has been manufacturing and distributing non-woven textiles from their site in Wakefield for 150 years. But the company was found wanting when it came to systems for recording and analysing data for continuous improvement. With that in mind, quality managers took steps to implement a quality management system that would give them greater control over documentation, better training provision, and more effective reporting tools for measuring trends in data. Integrated and connected event-based triggers within the system would ensure that any compliance and quality issues could not be overlooked.

#5 – Lower overheads – Sodexo

With nearly 425,000 employees operating in 80 countries worldwide, Sodexo are constantly battling to keep pace with ever-evolving standards in a heavily regulated market. With that comes documentation. Lots of it. Facing huge overheads and a heavy administrative burden, Sodexo implemented an electronic document management system, enabling them to communicate more effectively across sites and provide documents to their staff and clients much more promptly.

So, the question is not if you should become a smart factory, but when. Then consider which technologies you should adopt and how you should implement them.


What you should do now

For more information about how to integrate EQMS with your existing manufacturing processes, download Qualsys's ISO 9001:2015 toolkit.

ISO 9001:2015 Toolkit


Tags: ISO 9001:2015, Operational Excellence

How to prepare your employees for GDPR

Posted by Emily Hill on Fri, May 12, 2017

Chances are that if you asked your Leadership, Marketing, HR or IT Director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you will open up a can of worms. 

Research shows:

  • 20% of IT decision-makers in the UK are still unaware that GDPR even exists (Trend Micro).
  • Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes, 21% the chief information security officer, 14% the chief executive officer, and 10% the chief data officer (Centre for Information Policy Leadership, CIPL).
  • Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy (Institute of Directors, IoD).

Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.

Who is responsible for GDPR? Who does it impact? How does each employee need to approach the new requirements to stay compliant?  





GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation. It's the responsibility of every employee. 


To help you develop a plan for engaging your employees, we've separated your different stakeholder groups and set out their key requirements. Use this plan as a starting point, and develop it in any way to suit your own organisation.  


Stakeholder group  |  How you're affected  |  What you must do

Affected: Fail to conform to GDPR and you could be fined up to 4% of your global annual turnover (or €20 million, whichever is higher) and face considerable damage to your brand.
Must do: Invest in training your organisation and providing the time and resources needed to make the changes.

Affected: If you have 250 or more employees, you must keep auditable records of how you process personal data (smaller organisations are exempt only where their processing is occasional, unlikely to create risk and involves no special categories of data).
Must do: Ensure you keep reliable records of all your data-processing activities.

IT teams

Affected: All your processes and procedures for managing data must include data protection by design.
Must do: Secure and encrypt all data, and track who's allowed to use or create new copies of data records.

Affected: Data subjects are entitled to see any data you have saved about them.
Must do: Ensure you can make all information available in a format that's clear and understandable. If a customer wants to move to another company, you should be able to give them their data in a portable format.

Affected: If your systems are hacked, data subjects have the right to know whether their data has been stolen, and when this happened.
Must do: If there is a personal-data breach, you must notify the supervisory authority (the main data-protection regulator yet to be determined) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

Affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
Must do: Implement a strong policy for how and when you will delete data. You may need to consider what data you need to keep for archiving purposes.

Marketing teams

Affected: You can no longer send marketing emails without the recipient first having opted in to receiving them.
Must do: Every one of your data subjects must acknowledge that they're willing to be marketed to. You cannot accept silence as consent, pre-ticked boxes are banned and you need to specify cookies policies more clearly.

Affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
Must do: Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles etc.

HR and customer accounts teams

Affected: If you're a public authority, or a private company that regularly monitors or processes lots of sensitive data, you'll need to appoint a data protection officer.
Must do: Appoint a data protection officer to (1) advise on GDPR obligations; (2) monitor compliance; and (3) liaise with the data protection authority.

Affected: There are tighter restrictions on how you store and process data on your own employees, and employees can withdraw their consent to this processing at any time.
Must do: Consider what data you store on your employees and how you obtain their consent, and have systems in place for employees to withdraw their consent.
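The IT rows above ask for two things that pull against each other: encrypt all data, and delete it once it's no longer needed while still allowing for archiving. One way to reconcile them, shown here as an added example that is not code from this page or from Qualsys, is crypto-shredding: encrypt each data subject's records under a key held only for that subject, and satisfy an erasure request by destroying the key, so that any copies surviving in backups become unreadable. The SubjectVault type, its method names and the sample record are assumptions made for this illustration; it uses only Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoKey: the subject has no live key, either never stored or already erased.
var ErrNoKey = errors.New("no live key for subject")

// SubjectVault is an assumed, illustrative design (not the page's or Qualsys's):
// one AES-256 key per data subject, held apart from the records. The records map
// stands in for a datastore plus its backups, which an erasure request cannot
// reliably reach; destroying the key is what makes those copies unreadable.
type SubjectVault struct {
	keys    map[string][]byte   // subject ID -> 32-byte key; entry removed when shredded
	records map[string][][]byte // subject ID -> nonce||ciphertext||tag blobs
}

func NewSubjectVault() *SubjectVault {
	return &SubjectVault{keys: map[string][]byte{}, records: map[string][][]byte{}}
}

// aeadFor builds an AES-256-GCM instance for a subject's key, generating a
// fresh key on first use (and again after erasure, so old blobs stay unreadable).
func (v *SubjectVault) aeadFor(subject string) (cipher.AEAD, error) {
	key, ok := v.keys[subject]
	if !ok {
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		v.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one record under the subject's key. The subject ID is bound in
// as associated data, so a blob re-filed under another ID fails authentication.
func (v *SubjectVault) Store(subject string, record []byte) error {
	aead, err := v.aeadFor(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	blob := aead.Seal(nonce, nonce, record, []byte(subject)) // nonce prefix, then ciphertext+tag
	v.records[subject] = append(v.records[subject], blob)
	return nil
}

// Read decrypts the subject's blobs under the current key. Blobs sealed under a
// key that has since been shredded fail the GCM tag check and are counted as
// unrecoverable instead of returned. With no live key at all it returns ErrNoKey
// together with the number of blobs that still sit in the archive.
func (v *SubjectVault) Read(subject string) (plaintexts [][]byte, unrecoverable int, err error) {
	if _, ok := v.keys[subject]; !ok {
		return nil, len(v.records[subject]), ErrNoKey
	}
	aead, err := v.aeadFor(subject)
	if err != nil {
		return nil, 0, err
	}
	ns := aead.NonceSize()
	for _, blob := range v.records[subject] {
		pt, openErr := aead.Open(nil, blob[:ns], blob[ns:], []byte(subject))
		if openErr != nil {
			unrecoverable++ // shredded key or tampered blob
			continue
		}
		plaintexts = append(plaintexts, pt)
	}
	return plaintexts, unrecoverable, nil
}

// Erase fulfils a deletion request by destroying the key. The ciphertext stays
// where it is (and in any backup) because nothing can decrypt it any more.
func (v *SubjectVault) Erase(subject string) {
	delete(v.keys, subject)
}

func main() {
	v := NewSubjectVault()
	// Constructed sample record for the demo; not data from the page.
	_ = v.Store("subject-42", []byte("name=Alice; email=alice@example.test"))
	pts, _, _ := v.Read("subject-42")
	fmt.Printf("before erasure: %d readable record(s)\n", len(pts))
	v.Erase("subject-42")
	_, lost, err := v.Read("subject-42")
	fmt.Printf("after erasure: err=%v, %d blob(s) archived but unrecoverable\n", err, lost)
}
```

Destroying the key is only as good as the key store: the key must not itself be backed up in a way that outlives the erasure, and the plaintext must never have been written anywhere outside the vault (logs, search indexes, exports). Record when each key was destroyed, since that timestamp is the evidence that the deletion policy was applied.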


What you should do now 

After your initial stakeholder meetings, we would recommend sending your stakeholders our GDPR Quiz which can be found on our toolkit to test how well they understand their GDPR requirements. 




GDPR explained: How to get started

Posted by Marc Gardner on Fri, May 12, 2017

The new EU General Data Protection Regulation (GDPR) includes some dramatic changes on how companies manage, process and delete data. It's no longer just about finding data and making sure it's secure. It’s about capturing the context of data and being able to prove everything's being done to protect the subject's data and the rights of the subject themselves.


In Part 3 of our GDPR series, Kate Armitage provides a simple and pragmatic guide to help you to get started. 



Step 1: Understanding the data you have

What exactly counts as personal data?

The world of data collection has changed dramatically over recent years. We can collect and process huge amounts of customer data at the click of a button. This also means we're constantly on the brink of making a mistake. GDPR gives organisations an opportunity to get their data-protection policies into shape. 

This starts with knowing exactly what data you have. Under GDPR, whatever information you hold that can be used to personally identify an individual (or individuals) must be managed and controlled.

This includes data you keep on employees, customers, journalists and any other third-party contacts, and can include (but is not limited to) their:

  • Name, address and unique identifying numbers
  • Demographics – such as age, gender, income or sexual preference
  • Behavioural data – web searches, purchase history, website cookies and more
  • Social data – who your friends are, your emails etc.
  • Sensor data – biometrics, health tracking devices
  • User-generated content –  videos, photos, blogs or comments.

Step 2: Understanding how to collect and process that data

One of the key changes in data protection is that you can no longer assume that keeping someone's personal information is OK until they opt out. You need a lawful basis for holding it, and where that basis is consent, the consent must be freely given, specific, informed and unambiguous, which in practice means asking the person for permission. As Kate Armitage says:

"Consent is one of the fundamental aspects of the GDPR. Companies will now need to obtain consent from their customers for every usage of their personal data. For many organisations, there will need to be a shift in mindset to asking for permission to keep data, not for forgiveness." 

Your organisation will need to:

  • have a record for each contact specifying what they have consented to and how that consent was obtained 
  • make sure its policies are clear and up-to-date 
  • identify, assess and manage the potential risk associated with collecting, processing and managing the data, and
  • respect that contacts have a "right to be forgotten" and the right to ask for a record of their information at any time.

Step 3: Understanding who's responsible for managing the data

You then need to work out what your different stakeholders are responsible for doing. In Part 4 of our GDPR series, we explain How to prepare your employees for GDPR, and provide you with a simple guide to engaging your employees. 

Part 4 for our employee engagement guide



GDPR explained: What GDPR means for your business (Part 1)

Posted by Marc Gardner on Fri, May 12, 2017

Many regulatory and quality managers have contacted Qualsys recently about the new EU General Data Protection Regulation (GDPR) requirements, what it means for them, and how they can use EQMS to manage the changes.

This article is the first in a series to help you prepare for GDPR with confidence. 

Below, we've answered four GDPR FAQs. 


1) Why the new regulation?

The GDPR replaces the Data Protection Directive 95/46/EC, which has governed how personal data may be processed and used within the EU since 1995. It's been designed to harmonise data-protection law across Europe, to strengthen data protection for everyone in the EU, and to reshape the way EU organisations approach data protection.

The regulation aims to protect all EU citizens from privacy and data breaches in an increasingly mobile, data-driven world – one that's vastly different from the time in which the 1995 directive was established.

The GDPR will be enforced across the EU from 25 May 2018, regardless of what happens with Brexit. The changes will take many organisations a long time to implement, so we recommend that you get started right away!

2) What are the consequences if we get it wrong?

There's a lot at stake – fail to comply and you may be hit with fines of up to 4% of your global annual turnover or €20 million, whichever is higher! The level of fine will depend on the type of breach and any mitigating factors, but the fines are undoubtedly meant to penalise any organisation's disregard for the GDPR.

3) What does the GDPR cover? 

The GDPR covers the data subject, the data controller and the data processor.

Data subject

Your customer, employee, user or any EU citizen who has entrusted you with their personal data.

Personal data means any information relating to an identified or identifiable individual – for example, their name, address, social data, history.

Data controller

The organisation that data subjects entrust with their data, and the party responsible for deciding what happens to it, what it's used for and how it's handled.

The new GDPR extends the requirements for data controllers.

Data processor

Any entity that handles personal data on the data controller's behalf.

If your organisation was considered a controller under the old directive, it will most likely also be under the GDPR. Although the definitions of "controller" and "processor" haven't changed, their responsibilities have been extended. So where the old directive placed the main data-protection responsibility on the controller, the GDPR also gives the processor a direct obligation.

4) Who in my organisation does GDPR affect?

These new rules herald a new era in how the data of people in the EU is handled. With new obligations relating to:

  • data subjects' consent
  • making data anonymous
  • notifying the relevant people when data protection is breached
  • data transfers across borders, and
  • appointing data-protection officers,

the GDPR forces companies who handle EU citizens' data to reform their operations in a major way.

Getting to grips with the regulation can be more challenging if you are a global business. The regulation covers not only organisations established in the EU but also organisations anywhere in the world that process the personal data of people in the EU when offering them goods or services or monitoring their behaviour. If that describes your organisation, you need to comply regardless of local laws, or you risk enforcement action and being shut out of trading with the EU. 

Most organisations will need to make lots of changes to policies, processes, strategies and even systems to ensure they comply with the GDPR. This poses many challenges for quality and compliance professionals.


In Part 2 of this series... 

...we explain How to prepare your team for complying with the GDPR, what GDPR means for different departments, and critical things regulatory managers should look out for.



New Quick-Start Guides Added to Help Desk

Posted by Emily Hill on Thu, May 11, 2017

Declan Webster, Service Implementation Manager at Qualsys, has produced new EQMS Quick-Start Guides to help EQMS end-users get off to a flying start when they first begin using the system.

Declan said: "EQMS has lots of advanced functionality, compliance analytics and reporting options for administrators. However, we recognise that lots of end-users only need to log in to view their to-do list, approve a document or check a process. 

"Qualsys have created these Quick-Start Guides to sit alongside the EQMS Help Videos to help end-users get familiar with the basic functionality in EQMS. The guides contain useful tips, shortcuts and screenshots. We'll be producing more of these free printable guides over the next few weeks!"

Click here to access the Quick Start Guides from the Help and Knowledge Base

More ways Qualsys can help end-users adopt EQMS 

When rolling out any new software system, you need to:

  • gain insight into your users' activity
  • identify opportunities for improvement
  • get buy-in from your management team
  • maximise your ROI, and
  • measure operational excellence

EQMS customers are eligible for a free system health check.

Tags: EQMS, Implementing EQMS

Defending from the front: Adopting the Three Lines of Defence

Posted by Marc Gardner on Wed, May 10, 2017

The three lines of defence

"Without the ball, we are a disastrous team, a horrible team. So we need the ball."

So said Pep Guardiola after guiding his Barcelona team to their second Champions League trophy in 2009. And it was a telling observation. Despite managing one of the world's greatest football teams, Guardiola could still see a weakness – that it was vulnerable when under attack. His solution? To implement a high-pressing style of play that emphasised defending from the front. Messi and his fellow forwards were expected not only to create and score goals but to win back the ball as far up the pitch as possible. Ensuring all 11 players understood the need to defend meant the team as a unit could be much, much stronger.

In business, the Three Lines of Defence model works on similar principles, allowing your organisation to identify, control and manage risk in line with a clear and robust process. In this blog, we explain the Three Lines of Defence and how your organisation can adopt it as a model of best practice.

The Three Lines of Defence model explained

Three Lines of Defence Model

The Three Lines of Defence model originates from an EU Directive which makes audit committees responsible for monitoring how effectively their organisations control and manage risk.

It looks to create an environment in which the overall direction for managing risk is set by the board and senior managers, then put into action and monitored by various mid-level managers and internal auditors. The model also aims to foster a culture of collaboration, communication and information-sharing.

Organisations that implement the model successfully find they can:

  1. better recognise risks as they arise
  2. respond to those risks more intelligently, consistently and flexibly
  3. protect their reputation
  4. avoid variations in performance and so increase share-price multiples and credit-rating scores, and
  5. deploy and use their risk and assurance resources much more efficiently.

While a Forrester Research report found that 63% of the organisations surveyed were either implementing – or had already implemented – the model, many others were struggling to get to grips with the idea. One of the biggest areas of confusion was how the various roles at each stage should be assigned, and who should be doing what.

With this in mind, let's take a look at each of the Three Lines of Defence more closely.

Consider the three lines of defence for your organisation

First line of defence – operational management (board, CEO, senior managers)

Operational management naturally serve as the first line of defence because controls are designed into systems and processes under their guidance. They direct how internal policies and procedures are developed and implemented and ensure these remain consistent with the company's goals. Part of their role is delegating responsibility to second-line managers within the organisation. (Note that in the IIA's 2013 position paper on the model, the board and senior management sit above the three lines as the bodies the lines report to, and the first line is made up of the operational managers who own and run the controls; the grouping used here folds them together.)


The board will:

  • work with senior management to set the organisation's risk appetite (the amount of risk it is willing to accept to meet its strategic objectives), and
  • receive reports on the most significant risks the organisation faces, and assess whether senior management are responding appropriately.

CEO and senior management

The CEO and their senior management team have ultimate responsibility for how the organisation manages and controls risk, and will:

  • set the tone by promoting a positive risk culture within the organisation
  • assign responsibilities to second-line managers in specific areas or departments, and
  • monitor how the organisation is managing risk in relation to its risk appetite, and take any measures needed to correct any issues.

Board and senior management are the first line of defence

How technology can help

Governance, risk and compliance (GRC) technology allows the first line to more effectively keep its risk policies and procedures up to date. Risk registers can help to better manage threats and vulnerabilities, monitor the effectiveness of controls, and ensure the organisation is assessing and controlling risks as consistently as possible.

GRC technology also helps the first line of defence to communicate with the second and third lines, using real-time dashboards that document Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).


Second line of defence – risk management and compliance

The second line of defence is where many of the people associated with risk (quality, legal, compliance) are found, and it's there essentially to ensure the first line is properly designed and working as it should. They have some independence, and are responsible for making sure the business is complying with the law and for reporting directly to first-line managers.

Risk management

  • Make sure that operational management are putting effective risk-management practices in place.
  • Help assess risk in line with the organisation's risk appetite.
  • Help report risk-related information throughout the organisation.

Compliance

  • Monitor the risk of the organisation failing to comply with whatever laws and regulations apply.
  • Give the first line of defence the help and information it needs to comply with those laws.
  • Report on compliance to management and the board.

Risk management and compliance form the second line

How technology can help

GRC technology helps the different second line of defence groups to collaborate and share information transparently and efficiently. Implemented here, it can be used to monitor all risk-management activities across the business, to generate reports for the first-line managers, and to identify laws and regulations that put the organisation at greatest risk of failing to comply.


Third line of defence – internal auditors

Internal audit forms the third line of defence. It works independently to provide assurance to the board and senior management (the first line) that the organisation is assessing and managing risks effectively, while also ensuring that the first and second lines of defence are operating properly.

As best practice, every organisation should have an internal audit function that:

  • acts in accordance with recognised international standards
  • reports to a sufficiently high level in the organisation to be able to perform its duties independently, and
  • can report effectively to the relevant governing body.

Internal audit forms the third line of defence

How technology can help

GRC technology can provide dedicated software that standardises the auditing process and helps auditors co-ordinate their risk assessments and collaborate between themselves. Perhaps more importantly, it can also allow auditors to access the information they need to monitor the effectiveness of the first and second lines of defence, then recommend any changes.


Why you should adopt the model

According to the Forrester Research report, 90% of the organisations surveyed will have adopted the Three Lines of Defence model by 2020. Some industries and businesses might catch on more quickly than others, but overall the model looks to be gaining traction.

And for good reason. Organisations that have a strong three lines of defence can more quickly identify and react to risk, more efficiently deploy resources to manage risk, and work more transparently and collaboratively to lessen the impact of risk.

GRC technology is vital in adopting the Three Lines of Defence model. Risk-management software helps each line of defence to work more efficiently and effectively, giving the organisation the confidence of knowing that the proper controls are in place to manage whatever risks may emerge.



What you should do now

What are the key priorities for Quality Leaders in 2017? The Global Quality Survey 2017 reveals all.


photo credit: Got Credit Risk Key via photopin (license)

Tags: Quality Culture

Does your organisation have a true culture of quality? Questions to ask your department managers

Posted by Emily Hill on Wed, May 10, 2017


During the EQMS User Group, Professor John Oakland, founder of Oakland Consulting and author of the best-selling book "Total Quality Management and Operational Excellence", said:

"In the past, quality was synonymous with control, compliance and cost; there was an excessive focus on internal capabilities and overly bureaucratic approaches.

"Quality is now a strategic force which is key to building a learning organisation.

"Your organisation must be quick to change, avoid excessive costs, and avoid reputational damage. The margin for error has decreased but the likelihood of error has risen. Managers must find a new approach to quality—one that moves beyond the traditional 'total quality management' tools of the past quarter century."


Watch the presentation and earn CPD points here



Does your organisation promote a learning culture?


Isabelle Pound, Head of Strategic Projects and Consultancy Services at Qualsys Ltd, says there is no "one-size-fits-all" approach when it comes to culture.

She recommends asking your department heads the following five questions.

These questions are particularly useful if you are thinking of implementing an electronic quality management system. 



#1 – Does our leadership team promote active thinking?

High-performance organisations have management teams who will challenge data, reports and strategic plans. It is worth spending some time with your management team and asking them whether they feel there is an open culture which promotes discussion.

Management teams must feel confident that they can identify, communicate and appropriately manage risk and opportunity. 

If in these conversations you find that management are not stepping up, start with the article 'ISO 9001:2015 Leadership Battles', in which quality professionals share their experiences and advice for getting management teams engaged.




#2 – What are our company values?

Alignment is a challenge for most organisations. Even within departments, there can be different ideas about the organisation's strategic objectives.

Start by asking the leader of each department what they think are the attributes of the company culture, then note whether there are any gaps. 

If the company values haven't already been articulated, Qualsys recommends the Jim Collins Company Values framework, which you can access for free here. 



Qualsys' company values following the Jim Collins Workshop


#3 – Do the codes, words and actions of senior management align with the desired culture?

Each organisation's culture is unique. Culture is a mixture of the organisation's history, rituals, structure, industry and leadership. It combines ethics, values, risk appetite, structures, systems, leadership, controls, freedom, authority and accountability.

Ask your management team whether the codes, words and actions align with the desired culture. What has their experience been? Does the culture have any negative aspects?

Pockets of negative culture within an organisation may impact behaviour and increase risk. Find out from your management team if they believe there are any issues or gaps in certain areas of the business.



Read the culture web workshop

#4 – Do employees raise issues and opportunities? 

Ask management teams whether they feel there is a sharing culture. Start by asking them whether employees raise issues or opportunities. 

The management team might say that there are no issues, but this is unlikely to be the case. Does there need to be a more formal process? How can you promote the sharing of knowledge and ideas? Does your organisation offer a confidential hotline to make it easier for employees to report issues, complaints and allegations? If so, is it effective in dealing with the issues and reporting the results?

Here are 10 tactics to drive engagement with quality 

#5 – Are staff at all levels treated in the same manner for their successes and failures?

Accountability is crucial for a culture of quality. Part of this is making sure employees at all levels of the organisation are responsible for their successes – and their failures. Do managers feel this is fair? 

Read our blog 'Changing QHSE Culture through Drama – Coca Cola'


What you should do now

A defective culture will subvert even the most rigorous systems and processes. As John Oakland says in Redefining Quality:

"What is quality? It is at the heart of good business. Quality still remains the most important competitive weapon we have. Putting the customer at the heart of everything we do, and meeting their needs time and time again in a consistent manner is key. It is a simple concept, but meeting those requirements, more than ever now, things go wrong. Quality can be hard to attain, it can be hard to maintain and in large and complex organisations, it can be very easy to lose." 

Watch John's presentation in full here or download our stakeholder engagement planner for a step-by-step guide to engaging your team with quality.





Tags: Quality Culture

ISO 31000: Monitor, Review and Report (Part #10)

Posted by Atheal Alwash on Wed, May 10, 2017

The final stage of a successful risk management strategy that follows the ISO 31000 framework is to continuously monitor and review the appropriateness of the risk criteria, analysis, treatment, and the framework itself.

A comprehensive risk strategy involves continuous evaluation as the organisation evolves. It could be that reviews are performed annually, monthly, or weekly – it’s up to the leadership to determine the review and reporting requirements of the accountable individuals involved in delivering and monitoring risk processes.




Clause 6.6: Monitor and Review

As with all standards built on the Annex SL high-level structure, the Plan, Do, Check, Act cycle applies to the risk management strategy an organisation creates under ISO 31000. An integral part of ensuring continuous quality and improvement in process, efficiency and output is to monitor strategic goals and performance on a regular basis.



When a risk has changed (for example, an external factor such as the exchange rate has affected trade), the risk treatment needs review. The whole risk strategy should also be treated as a constantly evolving element, because the objectives of an organisation change over time.

A review process should include all stakeholders, internal and external, to ensure a holistic input into the ongoing shaping of the risk management processes.

Clause 6.7: Recording and Reporting

The full risk management process needs to be recorded and reported to:

  • Ascertain the organisation’s stance on risk culture, appetite, and tolerance
  • Communicate effectively to all stakeholders at key stages
  • Deliver clear data on the effectiveness of risk treatment plans
  • Improve engagement with stakeholders and draw on feedback
  • Provide valuable information for decision making across the organisation

Reporting timeframes and performance metrics are to be determined at an early stage of the strategy development, to manage expectations of stakeholders and ensure timely and appropriate information gathering.

Reports should consider information such as the audience type, data sensitivity, and how the data relates to overall objectives and goals of the organisation.

That’s it! You’ve come to the end of your ISO 31000 Toolkit. Don’t worry – there are plenty more resources available here: Business Case Toolkit.

If you’d like to find out how EQMS Risk Manager can help you deliver ISO 31000, alongside several other Standards such as ISO 27001, request a free no-obligation demonstration here. 



Tags: ISO 31000