Auditing Top Management
Some 15-odd years ago, I remember reading my first ISO management system standard, seeing the term ‘top management,’ and thinking that someday I should figure out what that means. The reality of implementing and auditing management systems pressed that into my mind a lot sooner than I had thought at the time.
For you, understanding the intended definition of ‘top management’ may have taken a different path, but why you need to understand it is similar. Part professional interest, and part necessity.
As I tell my implementation clients, “If you understand how you will have to evidence an ISO management system in a certification audit, you can better understand how you should implement the management system.” Throughout the various posts I make, that is probably one of the most important ‘takeaways’ that you should embrace.
Before we begin, you should note that ISO believes that ‘top management’ uses a management system to achieve the intended outcomes for the organization. Top management is not a slave to the system; the management system enables top management to optimize the use of resources, considering the long- and short-term consequences of their decision(s). It provides the means to identify actions to address intended and unintended consequences when providing products and services. [ISO 9000:2015, Clause 2.2.2]
Top Management Defined
Here is how ‘top management’ is uniformly defined across the different ISO management systems, and then I will provide examples, clarifications, and audit considerations.
Top Management
Person or group of people who directs and controls an organization at the highest level.
NOTE 1: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2: If the scope of the management system covers only a part of an organization, then top management refers to those who direct and control that part of the organization.
NOTE 3: Other terms used as synonyms within ISO standards include executive management and leadership; top management implements the necessary governance.
NOTE 4: Depending on the legal framework, size, and the resources of the organization, top management either reports to a governing body, or top management is the governing body.
NOTE 5: Management should be regarded as the function, not the activity.
NOTE 6: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to ISO/IEC Directives, Part 1.
If you look at other formal ISO terms that are the responsibility of ‘top management’ you get further insights into the importance and role of top management:
Policy
Intentions and direction of an organization as formally expressed by its top management.
Vision
Aspiration of what an organization would like to become as expressed by top management.
Mission
Organization’s purpose for existing as expressed by top management.
Common Mistakes
There are two common mistakes that I see during audits in how top management is constituted: wrong composition of members, and passive behavior.
Frequently, in audits, organizations represent top management as some sort of steering committee, or whatever they call it. Committee members can be extraneous and do not align with the intent and definition of top management. They are not responsible, they don’t have authority, they do not control the resources, they do not own the risk, and they are not actually accountable for the outcomes. They are passive spectators.
NOTE: The steering committee may meet the definition of a governing body, which top management may report to, but the committee is not top management.
Top management is not a passive oversight entity. It is an active presence in the management system that ensures that the management system is properly established, evolves, and continuously improves to achieve the intended outcomes of the management system. When necessary, top management changes the management system. They don’t wait for a steering committee to opine.
Auditing Top Management
There will be a combination of documented information available, but I find the interview of top management generates the most relevant evidence during an audit, as evaluated against the following management clauses:
· 5.1 Leadership and Commitment
· 5.2 <Management System> Policy
· 5.3 Roles, Responsibilities and Authorities
· 6.2 <Management System> Objectives and Planning to Achieve Them
· 9.3 Management Review
NOTE: When possible, I try to interview top management near the end of the audit for two reasons. First, by then I have usually seen evidence that I want to ensure top management is aware of. Second, to be considerate: top management tends to be busy, and they do not want to be re-interviewed to clarify some anomaly in the evidence.
At the end of the interview, I can usually provide them an overview of audit findings and conclusions, which they are going to ask about. This helps to prepare the organization for the closing meeting of the audit.
You may have other thoughts, and there are reasons in an audit when top management needs to be interviewed earlier. As a German Field Marshal once said, “No battle plan survives first contact with the enemy.”
NOTE: ISO guidance standards for management systems can be leveraged to understand ISO’s intent for each of the management system clauses, and in other cases, like ISO 27007 for an Information Security Management System (ISMS), you will find clear audit criteria for each of the core clauses that state ‘top management’ responsibilities.
To be efficient, I generally want to interview ‘top management’ together. Some answers require a combined response given the division of roles and responsibilities. Here are a couple of the questions that I routinely ask:
· Can you identify actions taken to integrate the management system into the organization’s processes? (Clause 5.1 and 8.1)
· Can you identify examples of how necessary resources are planned and allocated for the management system, to include an ongoing budget? (Clause 5.1 and 7.1)
· Explain the relationship between your management system’s intended outcomes and how you established your management system objectives. (Clause 4.1, 5.1, and 6.2)
· Clause 5.3 Roles, Responsibilities and Authorities requires that you establish relevant roles. Who is responsible within the management system to provide reporting to ensure you remain informed on an ongoing basis? (Clause 5.3, 9.1, and 9.3)
· Can you give me an example of a scenario or event that would trigger an update of the risk assessment and risk treatment plan? (Clause 4.3, 6.1, 8.X)
· Looking forward, what events may require a change of the management system? (Any of the management system clauses)
· Under which conditions would you be required to notify your certification body of a change? (ISO 17021-1, Clause 8.5.3 Notice of Changes by a Certified Client, which is usually restated in the certification agreement with an organization)
Of course, there are other questions that may be relevant for the organization, but I generally cover the topics above in all cases.
Summary
So, when we consider the above, we can summarize this article by stating that top management enables and ensures the:
- Provision of adequate human and other resources
- Monitoring of processes and results
- Determination and evaluation of risks and opportunities
- Implementation of appropriate actions
Responsible acquisition, deployment, maintenance, enhancement and disposal of resources support the organization in achieving its objectives.
In many cases, I believe that top management actually meets the definition of the Risk Owner(s) role, which ISO defines as “person or entity with the accountability and authority to manage a risk,” or that the risk owners should report (directly or by dotted line) to top management. Think about it: ultimately, top management is making the ongoing determination about the current state, treatment, effectiveness, remediation, and acceptability of risk within the management system. If risk is not acceptable, top management should take the necessary actions and employ whatever resources are necessary to bring risk back into an acceptable state.
Too often, I see a plethora of risk owners with fragmented and unpredictable communication channels to top management, and then we are headed towards an audit finding. If top management does not remain informed, they cannot act on the risks, and the risk owners may not have control over the resources necessary to treat the risk.
Understanding the definition, intent, and the role of top management makes it easier to understand whether your management system has properly established top management, and over time, when you need to update how top management is constituted.