What you need to know about ISO 45001

Posted by Alex Pavlovic on Thu, Mar 15, 2018

ISO 45001, the world's first international occupational health and safety quality standard, was published on 12 March, replacing the previous OHSAS 18001 benchmark.

As with any new standard, it's vital for quality professionals to understand the requirements of ISO 45001, what the standard means, and how it will affect their business.

Here's what you need to know.


1. You've got three years

Already compliant with OHSAS 18001? You have until 12 March 2021 to make the switch to ISO 45001. The good news is that you'll recognise most of the requirements of the new standard have been carried over from OHSAS 18001. But of course, in line with the requirements prescribed by other ISO standards, ISO 45001 contains several new areas of focus. You will need to be familiar with these as well if you want to work towards compliance.

2. It makes some key changes

ISO 45001 adds to the requirements of OHSAS 18001 in several areas. Some common themes from other recent ISO standards are apparent here, as follows:

  • Increased focus on risk management - Companies must consider, identify and take the necessary corrective and preventative action to address any risks posed to the health and safety of their workforce.
  • Increased emphasis on business context - Linked to the focus on risk is the emphasis on context-specific business risks seen in ISO 31000. Businesses need to consider the unique ways that the health and safety of their workers might be compromised - and act accordingly.
  • Increased commitment from senior management - Top management must actively engage in the health and safety management system of their business, and contribute to it. In many ways, this change has been a long time in motion - the number of directors jailed for H&S negligence tripled in 2016 alone - but ISO 45001 formalises and codifies the managerial responsibility for health and safety in a way that OHSAS 18001 did not.
  • Increased focus on objectives and KPIs - Businesses should set, monitor and evaluate health and safety performance objectives as drivers of continuous improvement in the workplace.

3. It's compatible

ISO 45001 is designed for close integration with other ISO standards. So if you're already working to one or more other ISO benchmarks, you have a firm advantage for getting 45001-compliant as well.

It also means you can more easily build a holistic, ISO-compliant environmental, health and safety management system. The incorporation of Annex SL gives ISO 45001 the same top-line framework as other ISO standards, placing the same emphasis on leadership, planning, continuous improvement, and other key areas. Take the necessary steps prescribed by Annex SL, and your business is much closer to a resilient 'culture of quality'.

What to do next

1. Read a breakdown of the key ISO 45001 clauses here

2. Making the change to the new standard? Download our free ISO 45001 transition toolkit.

3. Looking to build risk-based thinking into your EHS system? Join our risk workshop on 22 March. 

4. Qualsys's software modules are designed to simplify, streamline and automate your health and safety management procedures with powerful and user-friendly functionality. Read more here.

The 3 ways every business should be managing risk

Posted by Alex Pavlovic on Tue, Mar 06, 2018

Risk lurks in every nook and cranny of a business - and there is increasing pressure from standards like ISO 9000 and 31000 for senior management teams to address it. 

Yet a 2017 Qualsys survey revealed that 67% of quality professionals believe that their leadership team is completely disengaged with governance, risk and compliance management. Worse still, most businesses aren’t currently using any formal risk assessment process.

Nothing grabs the headlines like a good business disaster - think of Volkswagen's $30 billion emissions scandal, Uber's hacker breach or KFC's chicken shortage.

So how can businesses embed the risk-based thinking they need into their daily operation? 

1. Get everyone in the business to own risk

Identifying risk, of course, comes first, and it's not something any one person can simply know. Risk exists in every area, site and department of a company, from finance and production to information security and suppliers. Examples include:

  • Mergers and acquisitions
  • Liquidity
  • Reputational damage
  • Counterparty risk
  • Market competition

As such, no one person can pinpoint risk on their own. Different areas of a business operate differently and can be stronger or weaker in their management of risk.

Nor should a risk assessment be a one-off: “our office is in a flood risk area, so if there is heavy rain it might flood, forcing us to shut down.” As business processes change, new risks are constantly being introduced - so looking at risk should be a routine.

Onboarding a new supplier? Introducing a new IT system? Updating a financial policy? They all bring risk, and every employee connected to those areas should consider how. Risk assessment should be a constant, flexible process encompassing everyone in your business.

Human error can strike anywhere, even in the largest and most complex of enterprises. In 1999, NASA's $125m Mars Orbiter probe entered the orbit of Mars 100 kilometres too close to its surface and was destroyed - because its attitude control system used imperial measurements, while its navigation software used metric. A costly, so-called 'schoolkid blunder' might have been averted had more eyes been on the case.

Implementing a robust system collating input from everybody is a valuable way of strengthening your risk assessment and gathering a comprehensive picture of the full gamut of risk - what mistakes might be made, what uncertainties can impact your objectives, and how to manage and minimise them. Just because a particular risk hasn’t happened yet, it doesn’t mean it won’t.

2. Implement an integrated risk management system

So you’ve asked your staff to consider and identify risk areas. But how do you quantify each risk and assess how to respond to them? You’ve probably seen a risk assessment matrix like this before, where risks are assessed by severity and likelihood:

Image: risk assessment matrix (severity against likelihood)

The standard matrix is an effective, if simplistic, tool for risk assessment. Knowing what to do with risk information is another thing entirely; new standards and regulations are demanding increasingly sophisticated, specific and comprehensive risk programs, while giving businesses flexibility to determine their own processes.

The 2015 iteration of ISO 9001 prescribes 'risk-based thinking', with preventative actions and input from senior management, while the ICO mandates a privacy-risk-specific Privacy Impact Assessment (PIA) to comply with the EU’s upcoming GDPR regulation.

Because of this, understanding how to assess and manage specific risks in compliance with the various frameworks, and within the context of your organisation, takes time and consideration.

Some businesses are more risk-averse than others and have a lower ‘risk appetite’. Some appreciate resources like gap analysis templates and risk management software as effective tools for risk management. Others employ methods like the Delphi technique or SWOT.

Take the opportunity to do your research and consider what external support you can draw on.

Whatever process you map out for risk control, some key elements include:

  • Auditing, auditing, auditing. 'Taking the temperature' of your business at frequent intervals with internal audits allows you to see how risks are being addressed and managed.
  • Fine-tuning responses. Don't wait for a risk to mature - ensure CAPA processes are already in place. When something does go wrong, your team can respond quickly and intuitively.
  • Delegating responsibility and making sure skill gaps are plugged. Your staff should know what is expected of them, and how. An airtight workforce will have a lower incident rate and a faster risk remediation time.
  • Looking for commonalities between standards. New ISO standards share the Annex SL high-level structure, giving them similar risk management themes and values. Targeting these core areas avoids duplication of effort and allows risk management to be implemented rapidly. One Qualsys customer, Aberdein Considine, used this approach to achieve four ISO standards in less than a year.

3. Measure risk opportunities

Lastly, you should avoid seeing risk as a purely negative phenomenon. As well as asking, “what could go wrong?”, ask, “what uncertainties might present opportunities?” Risks and opportunities are really two halves of the same coin: uncertainty.

  • A project might be budgeted for - and come in above or below target.
  • An inbound marketing campaign might aim to increase website traffic - and bring in absolutely nobody, or so many people that your website crashes.
  • A new product might flop, or completely swamp production with high demand.

The common thread is uncertainty; the difference is that positive risk presents opportunity, while negative risk demands redressing. By planning for positive risk as well - what to do with those unspent funds, how to tweak your website to cope with more visitors, what production contingency plans you can put in place to cope with demand - you are not only encouraging optimism as well as caution, you are prepared for any eventuality. And your business will be stronger, healthier and more prepared because of it.

What to do next

Unsure how to start tackling risk?

Our free ISO 31000 toolkit contains a range of resources to help you get to grips with the risk management standard.

Qualsys are also hosting a full-day interactive risk management workshop at our Sheffield office on 22 March. Delegates will learn how to:

  • Drive and embed risk-based thinking across their business
  • Apply risk standards like ISO 31000 to their processes and practices
  • Build a robust risk management system around core risk principles using tried and tested tools and templates 
  • Engage team members to identify and manage risk

Find out more here

Cloud GRC software vs On-Premise GRC software

Posted by Chris Webster on Tue, Mar 06, 2018

When selecting a new governance, risk and compliance software solution, one important decision you will need to make is whether you will be hosting your system on the cloud or on-premise. 

Cloud-based GRC systems have become much more popular in recent years - especially among small and medium sized businesses - but there are many reasons why you may decide a traditional, on-premise system is better for you.  

Qualsys can actually offer you three options - cloud-based software, on-premise or a hybrid deployment. Hybrid means cloud GRC software can be hosted on your private servers if you choose. 

To help you to make an informed decision, this article shares with you key considerations. 

The question we get asked most often is "Which is the most secure option?"

Our systems are all hosted in an ISO 27001 data centre, and we have never had a major information security incident. 

Qualsys's cloud hosted system provides you with: 

  • High availability firewall
  • Anti-virus for file servers
  • Managed to the PCI DSS standard
  • Backups every 15 minutes

The initial costs for on-premise are usually higher as you'll need to invest in a Virtual Machine (VM) or a physical server. The minimum server specification for our software:

  • Microsoft Windows Server 2008 / Windows Server 2012
  • Microsoft Internet Information Services (IIS)
  • Windows Search Service
  • Microsoft SQL Server 2008 or higher
  • Recommended 8 GB or higher
  • Minimum Intel Xeon 2.4 GHz processor or higher
  • A full EQMS system installation requires 1.5 GB of disk storage with no documents or data loaded
  • Recommended 100 GB of disk space for document storage, with room for expansion

You'll also need to ensure you have allocated resource for internal IT time and system maintenance. 

Hosting with Qualsys's cloud solution starts from £120 per month and all of the technical work is completed for you with very little resource required from your internal technical teams. 

Time to set up

For client server systems, we usually recommend allocating 2 days of internal resource to install the software. For systems hosted with Qualsys, it takes 1.5 days to install a UAT and live system. 

Support and help

Whether you have a cloud hosted system by Qualsys or opt for on-premise, you'll still be entitled to an upgrade every year. These upgrades can be completed remotely. 

Both systems can be made available via a browser (Firefox, Chrome etc.) from any web-enabled device, including smartphone and tablet applications (iOS and Android). Our software has passed stringent speed tests.

Need more information about our hosting or technical information? 

Talk to a domain expert or schedule a call when you are next available.

Alternatively, read more about our technical product features by downloading our datasheets.

Tags: EQMS, Implementing EQMS

Types of quality management systems

Posted by Michael Ord on Mon, Mar 05, 2018

No matter what industry you're in, getting the right information to the right person at the right time is necessary for the success of your business. This is where quality management system (QMS) software comes into play. 

Different types of QMS software support your business goals in different ways. Choosing the best QMS for your company requires looking at your objectives and determining the main quality challenges you need to resolve.

What is a QMS? 

Short for quality management system, a QMS helps your business automate quality processes to improve efficiency, track the cost of poor quality (COPQ), and improve customer satisfaction. 

What are the benefits of using a QMS? 

A good QMS enables you to focus on building a culture of quality and mentoring and training employees, rather than scrambling to keep tabs on all your policies, processes and procedures. From a centralised system you can see your strengths, weaknesses, opportunities and threats. A QMS helps you make sense of large volumes of data, so you can focus on the most pressing issues.

Whether you are looking to implement a QMS for the first time or want to switch to something that better suits your business needs, there are several types of QMS software solutions you may want to consider. 

List of the different types of quality management system 

Qualsys provides a modular quality management system. This means that you can 'pick-and-mix' the module or modules as you require. 

Click on each of the below to learn more about the solution. 

By module: 

  1. Document control 
  2. Change control
  3. Enterprise & operational risk management 
  4. Supplier management 
  5. Equipment and asset management 
  6. CAPA management 
  7. Policy management 
  8. Internal audit
  9. Training records management 
  10. Integrated BI / GRC Dashboard 
  11. Complaints management system
  12. Accident and incident reporting management system

By management system

  1. Governance, risk and compliance management system 
  2. Integrated business management system 
  3. ISO 9001 management
  4. Product life cycle management 
  5. Food safety management 
  6. Health and safety management 
  7. Environmental management
  8. Information security management   

What to do now

Not quite sure what you need? We love to help. So drop us an email, give us a call on +44 (0) 114 282 3338, schedule a discovery call at a more convenient time, or drop in for a coffee.

Alternatively, read more about the changing role of quality management systems here. 

Tags: Quality Management Software

Policy management best practices 

Posted by Emily Hill on Mon, Mar 05, 2018

Every governance, risk and compliance person, regardless of the type of business they work for, wants their policies to be read and understood by their employees, customers and suppliers. 

But let's face it - most employees probably aren't engaging with your policies. After all, you wouldn't be getting so many repeated mistakes and issues if they had really read and understood your policies.

Kate Armitage, Product Quality Assurance Manager at Qualsys has earned a reputation for making even the driest of subjects interesting and thought-provoking. 

So when it comes to creating Qualsys's policies, she's always got a strategy for raising awareness, getting everyone onboard and making real business improvement. 

In this article, Kate has shared 7 top tips for creating policies that are effective and engaging.

1) Establish a process for creating policies

Create a process for creating policies. You can do this within our Document Manager software (see image below). 

Image: policies within our Document Manager software

Determine what policies are needed. Typical business policies: 

  • Electronic device policy
  • Flexible working policy
  • Risk management policy
  • Quality policy
  • Information security 
  • Business continuity and disaster recovery planning
  • Ethical policy
  • Equal opportunities policy
  • Data protection policy 
  • Health and safety policy

Standardise a template for the processes and procedures. This way there is a common look and feel to all the documentation. Here is our privacy policy example. 

2) Don't do it on your own

All of your policies should have an official owner. But that doesn't mean you have to do everything. For example, get relevant departments to be part of the approval cycle before the policy goes live. Below is an example of how this works in our software. 

Image: approval path example

Give employees ownership, assign responsibility and create the processes and procedures with the staff members who are doing the work. This way your team feel involved and empowered and more likely to share any ideas or risks. 

3) Link between policies

Create good links between different policies and documents where relevant. This will encourage users to read around, and you can increase views of your policies by ten times or more.

Image: Example of Qualsys's policy map 

4) Make your policies really simple

Good communicators make themselves look smart. Great communicators make their audiences feel smart.

First, read this. Now the rule is to keep your policies as simple as possible.

5) Cater for different learning styles 

When you're writing a policy, first and foremost you are becoming a teacher. Good teachers cater to different learning styles. For example, create process flow diagrams to support the written processes, since a visual representation often aids understanding, or, if you have the time, create a video, webinar or audio recording to go with the written policy.

6) PDCA 

Always remember that, as well as planning and implementing the policies, you should also be discussing and reviewing the processes during your audit schedule.

7) Use our software to manage all of your policies

Your policies should not be dispersed, nor should they only exist on paper. You need a system which provides a framework for managing and controlling your policies. Our software enables you to manage the entire life cycle of your policies. 

See our policy management module in action. 

What you should do now

Try our Stakeholder engagement template for a free step-by-step guide to getting your team engaged with quality. 

Tags: ISO 9001:2015, Policy management

How to find the best GRC software solution

Posted by Kate Armitage on Thu, Mar 01, 2018

Governance, risk and compliance (GRC) software was originally designed to keep your information controlled in an electronic format. It was often only accessed by quality teams to show external auditors and customers processes and procedures.

Over time, however, GRC software has evolved to become a single source of truth for your entire business, underpinning every decision made. 

GRC software is now a robust tool that helps businesses to manage complex processes, assign roles and responsibilities, identify risks and opportunities, capture data from applications across the business, automate workflows, and create instant KPI dashboards.

From a quality perspective, GRC software provides visibility into performance across your business. It is used to plan, manage, monitor and optimise. Whether your quality objectives are to focus on reducing the cost of poor quality, nurturing customer satisfaction or fostering a culture of continuous improvement, a GRC software solution is essential for every modern business. 

So much opportunity actually makes buying a GRC solution very difficult. Unsurprisingly, the scope of "GRC software" solutions has evolved in many different directions, and vendors now provide many different types of solution. As a customer, you need to choose between hundreds of different solutions.

So how can you find the best GRC solution for your business? 

In this article, I've talked you through five key considerations to help you get the best GRC solution for your business. These are:

  1. Defining what the 'best' solution looks like for your business
  2. Knowing what to spend
  3. Finding the right vendor for you
  4. Avoiding common mistakes
  5. Listening to feedback

I hope you’ll find this guide useful and actionable. If you have any questions, please give me a call on +44 (0) 114 282 3338 or drop me an email. 

1) Defining what the 'best' solution looks like

I mentioned earlier that GRC software has evolved a lot over recent years. GRC software doesn't just keep you compliant - it offers a bevy of tools to help you make your business more profitable, enhance your company culture and make your employees happier. Yes - I said it - GRC teams now have tools to make everyone from your shop floor to your top floor happier.

So how do you know what you want to achieve with your solution? 

I'd recommend creating a User Requirements Specification (URS). A URS is basically a list of all the features you want. Qualsys provide a template URS to help you get started. You can purchase it here for £29.99. 

Customise the template by going around your business and asking questions. What are the business's pain points? What works at the moment? What doesn't make any sense?

You'll get a lot more ideas by asking people early on in the process and it'll help you to avoid scope creep later on in the process. 

In this blog post you'll find an example survey you can send to your employees to understand more about their pain points.

Once your URS is complete, send it to your vendors.

Some example features you may want from your GRC software solution: 

  • Instant KPI Dashboards: Get real-time insights into performance across your business. You can track sites / departments / individuals and share what is working well. Use these lessons and share it across your wider business. 
  • Documents / Policies: Systematically keep on track of document and policy life cycles - get the software to do this for you! No more searching through thousands of duplicated documents in SharePoint. 
  • Supplier management: Few businesses know who all their suppliers are and what they use them for. This results in duplicated purchases, and wasted revenue! Get a solution with a Supplier Management module and you can get control. 
  • Audits: Make the most of your subject matter experts across your business by requesting that they routinely voice their opinions, issues and ideas using auditing software. 
  • APIs and Integrations: Bring all your data together, instantly. No more chasing departments for data and waiting three weeks.  
  • Risks: Give employees the opportunity to speak up about risks they see and identify issues before they occur.
  • Equipment / data processing register / asset register: Wouldn't tackling regulations such as GDPR be so much easier if you knew exactly what equipment was in use and how it was being used?  
  • Training records: People are your most important assets. Keep their training up to date, keep them informed and properly record the training. 
  • CAPA / issues / complaints / change / workflows: So many businesses hope that their employees will always take responsibility and step up when there is an issue, a complaint or a CAPA requirement. But most businesses are busy and constantly encounter new issues, so things get missed. Assign roles and responsibilities, and you get rid of frustration and have a happier, more confident and aligned business.

Buy URS template here 

Diagram: How Qualsys's modules integrate to make a complete GRC solution  

2) Knowing what to spend

There are so many ways GRC software can be priced. And if you aren't completely clear about how the pricing works, it can be easy to end up confused and make a bad decision. 

Pricing models tend to be annual plans. However, vendors will include different things within this price. For example: 

  • Hosting 
  • End users
  • Administrator licenses
  • Training costs
  • Support and maintenance 
  • What modules you'll get
  • Implementation costs 

If you're getting confused by pricing, calculate the price per employee over a 5-year period.  

My advice:

  • Have a budget. Stick to it. You don't want to overspend and have a system which is too expensive in the long haul.
  • Be realistic. You can't expect the most feature-rich solution if your budget is £50 for the year.
  • Align with your long-term business strategy. If your business is planning to grow by 50%, you'll need a system which will support your long-term business strategy.
  • Consider return on investment. Upfront costs might be higher because you require a thorough implementation, or you may need to validate your software to meet regulatory requirements, but this could provide a return on investment faster than a cheaper solution. Try our interactive ROI calculator for more information.
  • List your top 3 most important criteria before you start. Do you want a system that you can roll out across your entire business? You need free end users. Do you want a system which your suppliers can access? You need free supplier portals.

We’ve got a more in-depth blog about costs and the factors which will influence the cost of your solution here or try our total cost of ownership calculator.

Try our 4-year total cost of ownership tool here. 

3) Finding the right vendor for you

As previously mentioned, there are many different GRC software vendors, and they all specialise in different areas and can help you achieve different goals. 

So what do you want from your system? What does your business want to achieve? 

Below, I've listed the GRC software vendors my customers have come across and how I would define each of their strengths. These are listed without prejudice; we don't profess to be experts on the nuances of all offerings:

Strength / areas of expertise

  • For growing businesses who want a scalable, integrated GRC system. Available via SaaS (cloud), on-premise (server) and/or mobile (iOS and Android).
  • RSA Archer: Risk management for financial businesses.
  • IBM Open Pages: Highly bespoke solutions in larger enterprises.
  • ISO Tracker: For businesses where compliance is managed in one department or by one person.
  • BSI Entropy: For businesses with fewer than 10 employees.
  • For businesses in hospitality, retail and construction.
  • Heavy focus on the NHS and aerospace sector. Wide portfolio of products.
  • Useful auditing tool for tablets, though not integrated into a wider EQMS (for aggregate data, trend analysis, findings etc.).
  • ISM Xpress: For very small businesses.
  • For managing documents.

We've provided some free templates and tools to help you select the best vendor for your business in our Business Case toolkit.

Image: Use our vendor comparison tool in our Business Case toolkit

Tips for choosing a vendor: 

  1. Get a demonstration - It'll help you see the solution and understand how it could work for you.
  2. Send the vendor your URS - Give your vendor a week or two to complete your URS so you can score your vendors for your key criteria. 

4) Avoiding common mistakes

With so many different GRC software solutions available, choosing the right one can be really difficult. 

Here are some mistakes to avoid: 

  1. Underestimating the implementation process
  2. Choosing an inexperienced vendor
  3. Neglecting the employee engagement process
  4. Choosing a system which you will outgrow
  5. Making-do with a solution because it is cheaper
  6. Choosing free solutions that put your business at risk
  7. Scope creep
  8. Choosing a vendor who is too big to care about you 

For more tips and advice from leading brands, read our Software Buying Guide.  

5) Listening to feedback

There are many different places where you might find reviews about GRC software.

Here are a few: 

At Qualsys, we always encourage you to call or visit at least one of our existing customers. We find this not only enables you to see our system in action, it provides an opportunity to learn, share and get ideas from others like you. 

What you should do now

Now you know how to find the best GRC solution, you'll need to build a business case to get internal buy in. Download our free business case template here. 

Money for nothing: the cost of poor quality

Posted by Alex Pavlovic on Tue, Feb 27, 2018

KFC's ongoing supply chain debacle is costing them £4.2m every week, by one estimate.

A recent Deloitte quality report identified manufacturers spending up to $100,000 (£71,510) and 116 workdays per site per year to comply with overly complex, outdated and redundant quality management systems (QMS).

And after 25 May, fines of up to €20m (£17.64m) await businesses without GDPR-compliant information security processes in place. 

The cost of poor quality is getting increasingly eye-watering, and more and more businesses are investing in preventative measures to save themselves from serious financial jeopardy down the road.

Image: Colonel Sanders's supplier management processes leave something to be desired

The importance of being standardised

Deloitte's 'Quality 2020' survey revealed three key commonalities among respondents in the manufacturing sector:

  1. Standardisation was identified as the key goal for quality management, impacting on other quality areas such as operational efficiency and the cost of poor quality. 96% believed a moderate to extreme improvement in quality would arise from standardising quality management.
  2. The main problems contributing to the rising cost of poor quality were identified as: the rising complexity of standard requirements, having to maintain multiple quality systems for multiple standards, and the growing gap between certification and actual quality performance.
  3. The overwhelming majority believed that 'significant effort' would be needed to effect the necessary changes.

In short: businesses are losing vast amounts of money to unstandardised, overly complex quality management processes, while quality standards themselves become more complex and numerous. This expenditure can be crippling and, even worse, is completely avoidable.

KFC's case shows how some businesses neglect to follow robust quality processes. KFC switched its supplier from Bidvest to DHL without the correct vetting, leaving itself stranded with a logistics chain unable to cope with demand.

It's no surprise then that David Cau, Director of Business Risk at Deloitte, concluded that:

The GRC market seems to be thriving, as more companies realise that they pretty much have to invest in this area.



More and more businesses are willing to 'spend £1 to save £2' with a GRC solution


Why GRC?


Survey respondents estimated an expenditure reduction from 116 workdays and $100,000 per site needed to comply with quality standards each year to 67 workdays and $51,000 per site if their quality management systems were standardised, simplified and centralised.

And the cost of poor quality (COPQ) from events like closures, complaints and non-conformances naturally falls as fewer of these events occur.

The financial advantages of achieving these goals by onboarding governance, risk and compliance software have contributed to explosive growth in the sector, with between 15% and 20% annual growth predicted between 2018 and 2020.

Does it really take the 'significant effort' predicted by the survey respondents to implement a GRC solution?

That depends.

Implementation, cultural fit, bespoke business requirements and internal engagement are all problems which need to be considered by any company looking for a GRC software solution.


If the basic requirements aren't met, nothing will be.

Close research is needed for any procurement project; many businesses seeking GRC software vendors use 'quadrant' analyses provided by Forrester or Gartner. But many vendors are left out by this approach - as David Cau recognises.


These quadrants lead companies to limit their GRC tool selection process only to the vendors mentioned in the quadrants, or even only consider players from the leader’s quadrant and initiate their choice only from an IT standpoint, rather than also considering the business needs.


There's really no way around it: if your business wants to save money with a leaner, more efficient quality backbone, careful GRC software research is the way forward. Find the vendor for you, and the effort will undoubtedly reap rewards.

What to do next


We've put together a GRC software vendor scorecard to help you evaluate prospects - access it here.

Putting together a business case for a GRC software investment has never been easier, thanks to the obvious financial advantages. Kickstart the process with our business engagement toolkit.





Tags: Operational Excellence

8 ways Training Records Manager makes managing training easy

Posted by Emily Hill on Thu, Feb 15, 2018

Our software is continually evolving. This is why the Qualsys team all undertake regular refresher training. It is crucial that we know how to make the new features and enhancements work for our customers.

Last week, Caroline Wilson, Service Implementation Manager at Qualsys, ran a training session on the module "Training Records Manager". 

In this article, I asked Caroline to share 8 of the best things about the Training Record Manager module. 



1) Use for all different types of training records 

You can use this module for all different types of training records. It's used for SOPs, internal training, induction, health and safety, FLT assessments, medicals, working at heights, health surveillance and lots more. 



2) It's automation at its best

I've worked in quality for 5+ years. In my previous roles, I would have loved to have had a system like this. It's a million times better than using spreadsheets. For example, the whole training planning process takes place in one central system. Instead of having to email and book training in everyone's calendar, as an administrator you can automate this from the system. Notifications and due dates are set in the system, so you are not spending hours chasing people.



3) Ratings

If as a business you invest in your employees and your training, it's a big risk for your business if the training provider isn't any good.

As an administrator, you can add a form field which ensures your employees rate their training. This is a really powerful tool. Getting this feedback is really useful when planning for the next year of training. 



Johnson and Scholes: Business Cultural Web, http://wikireedia.net/wikireedia/images/5/53/Culturalweb.jpg 


4) Make the system work for your business

Many businesses have their own internal terminology. With Training Records Manager, phrases can be updated centrally by administrators, so you can make the system work for your business. It's a great way to get your users more engaged with the system.


5) You get more information, in a format you can actually use

The Training Records Manager module is really flexible. When you are configuring the module, you can capture any information you want. For example, you may want qualitative data about the training as well as quantitative, so you can adapt the forms to make it work for your business.


Access Training Records Manager datasheet


6) Custom training reports

Most of the time, your leadership teams are not going to have the time to configure dashboards and widgets. The Training Manager module provides leadership with custom training reports. This can then be enforced on their screens, so they can see any outdated training records, drill-down into high-risk areas, and chase anyone who is not fulfilling their training requirements. 


7) Confidence you're compliant

When compliance training needs to happen on an annual basis, it can be really easy for it to get missed. This is where Training Records Manager is really helpful. You can automatically manage a retraining schedule. So when you have a new starter or someone changes their role, you can copy a training program. It saves weeks of your time.  


8) Integrates with other modules 

This module is not only used for external training. When used with Document Manager you can send training and quizzes on a new document or policy prior to it going live. 


Download the Training Records Manager Datasheet to learn more about the technical features and benefits of this module.


Tags: Training Record Software

The top 5 GRC certifications for the quality professional

Posted by Alex Pavlovic on Tue, Feb 13, 2018

Of course good governance, risk and compliance isn't just about getting certificates on the wall. But they don't hurt either!

GRC certifications showcase commitment to quality, demonstrate professional expertise and work wonders for the paycheck - the 2017 Global Knowledge Salary Report identifies governance as the most lucrative professional certification, bringing an average global salary of $92,766 (£66,911) for accredited individuals.

We've identified the top 5 GRC certifications that the modern quality professional should aim for. 

1. GRCP (Governance, Risk and Compliance Professional) 

Offered by non-profit think tank OCEG, the GRCP certification acts as a baseline for other GRC qualifications with its broad focus. It demonstrates:

  • Knowledge of the operation of the core GRC disciplines, from auditing to risk 
  • Understanding of the GRC capability model and its four elements: learning, alignment, performance and review
  • Competence in advising on key GRC controls and functions, and integrating GRC processes into a holistic strategy



Participants prepare for the exam with OCEG's 'GRC Fundamentals' video course or a two-day training program. Best of all, the exam's free for OCEG All Access Pass members.


2. CGEIT (Certified in the Governance of Enterprise IT)

With its tighter focus, CGEIT is designed for professionals specifically managing IT governance for their business. A CGEIT certification demonstrates:

  • The necessary expertise to manage and advance an enterprise's IT governance 
  • Understanding of how to optimise enterprise IT system frameworks to boost efficiency and effectiveness
  • Competence in IT risk management to support information security processes


The CGEIT certification is provided by global information systems association ISACA.


3. PMI-RMP (Project Management Institute - Risk Management Professional)

The Project Management Institute offers a risk management accreditation to IT professionals, which builds on the risk-centric elements of CGEIT with a project-based focus. PMI-RMP certification requires:

  • Confident knowledge in risk strategy, planning and processes
  • Competence in monitoring and reporting IT risk and engaging stakeholders
  • Understanding of IT risk analysis for projects and how to build effective mitigation plans


For any quality professional wanting to learn how to insulate their business's information technology systems from risk in large-scale, complex projects, look no further.


4. CGRC (Certified in Governance, Risk and Compliance)

The GRC Group and its two institutions, the SOX and GRC institutes, offers members with a minimum of three years' professional experience the opportunity to achieve its CGRC certification.

CGRC involves:

  • Understanding how the various roles and tiers of a business can contribute to robust and effective GRC
  • Gaining knowledge of the key GRC regulatory requirements and how to meet them
  • Understanding best practice in control frameworks, how to improve internal operation with focused investment, and how to track GRC process performance


GRC requires constant improvement and innovation. Understanding how to invest in a business's GRC system is a crucial skill provided by CGRC certification.


5. CRMA (Certified in Risk Management Assurance)

As its name suggests, the Institute of Internal Auditors focuses on quality professionals involved in the auditing process, providing educational material, certification and networking opportunities to its members.

Its CRMA certification aims to give participants the tools they need to:

  • Unlock the full potential of internal auditing to drive continuous improvement
  • Evaluate how risk relates to core business processes - and how to mitigate it
  • Understand how to effectively manage and analyse risk



CRMA is achieved by passing a 100-question multiple-choice examination. 


Business-wide benefits

These five certifications are all valued indicators of governance, risk and compliance professional excellence. Whether it's building core knowledge of GRC, improving control of IT systems or understanding and insulating against risk, achieving a GRC certification benefits the recipient and their business by laying the groundwork for robust, resilient GRC processes.


What you should do now

Looking to build your GRC expertise? Browse the standards and compliance section of our website for a detailed breakdown of the key GRC standards.

How do you compare with your peers in the quality industry? Read our 2017 Global Quality Trends Report to gain insight from industry experts and learn how the quality industry is changing.

Finally, our Knowledge Centre provides a range of materials to support GRC professionals: access gap analysis and risk register templates, download standard toolkits and browse Qualsys's training courses.

Access Knowledge Centre

5 things you should know about GDPR

Posted by Alex Pavlovic on Mon, Jan 29, 2018

GDPR: four letters that you'll hear more and more over the next few months. 

You probably know that the EU's General Data Protection Regulation constitutes a dramatic change to the way businesses must handle and process their data - and it comes into force on 25 May.

But beyond that, most people scratch their heads. Here are five things you should know.


1. It's got three aims

At its core, GDPR is really quite simple. Its three aims are:

  • To unify and strengthen the protection of personal data for EU citizens
  • To give EU residents greater control of how their data is stored and used
  • To control how personal data is exported outside the EU

Everything about GDPR boils down to these three guiding principles. Understanding how your business can fulfil these aims is the first step to compliance.

Personal data can be anything from name and address to race, religion, social media posts or even genetic and biometric data. Making sure businesses use the personal data that they possess in the right way is the crux of GDPR.


2. It's tougher than the rest

GDPR replaces older legislation like the EU's Data Protection Directive or the UK's Data Protection Act and goes beyond them in a few important ways:

  • Unlike a directive, it's directly binding - so if your business is based in the EU or deals with it, you will have to comply from 25 May
  • It harmonises various sets of legislation into a single framework
  • It includes export of personal data beyond, as well as within, the EU

In short, there's no way of avoiding it and it has potentially worldwide reach. On the flip side, a single legislative framework simplifies compliance: nail GDPR, and your business has a compliant data management system that will build customer trust, strengthen reputation and image, and dodge financial penalties. Which brings us to the third point...


3. It's got teeth

GDPR packs a serious financial punch for businesses found to be in non-compliance after 25 May. Fines of up to €20m (£17.56m) or 4% of annual turnover, whichever is greater, can be slapped on companies not managing personal data properly. Personal data must be:

  • Processed transparently and lawfully
  • Collected for legitimate purposes
  • Relevant, pertinent and necessary
  • Up-to-date and accurate
  • Stored only if necessary
  • Secure and confidential

If your business isn't complying with any of this - plan how to change it before May!

Some key steps to take include:

  • Creating detailed records of your data processing
  • Documenting your data policies and procedures
  • Training and informing staff about GDPR

We know how it is. You want to focus on the long term, but those short-term tasks stack up, get in the way and take up time. Trust us: setting aside some time for creating and actioning a plan now is the best approach to avoid nasty surprises further down the line.


4. It will affect your business... even after Brexit

Every business with ties to the EU will be affected by GDPR. Yes, that includes British businesses after the Brexit date of 29 March 2019. 

The Queen's Speech in June 2017 highlighted the fact that GDPR, or something broadly identical to it, will remain in force once the UK leaves the European Union - so complying with GDPR is just as important for British businesses as those on the continent. 


5. It affects everyone

The data protection officer (DPO) will be the main gatekeeper of GDPR, with tasks like monitoring compliance, cooperating with data protection authorities, and informing and auditing colleagues. But responsibility for data and information security compliance in a business falls on everyone. Let's take a look:

  • Marketing teams must get consent from those receiving marketing information
  • IT teams must guarantee electronic data security - and inform the supervisory authority within 72 hours if there's a breach
  • Customer account teams must make sure customer data is secure and relevant
  • HR must safeguard employee information
  • And so on!

Data touches all parts of a business. So getting questions answered, gathering information and putting together an action plan for GDPR compliance is absolutely vital.



What you should do now

GDPR will be the biggest overhaul of data protection regulation in twenty years - so get prepared.

Download our free GDPR toolkit for more information and guidance.




Tags: European Data Regulation, EU GDPR