If I Built an ISO System in 2025, I’d Do This

Show Notes

To learn more check out www.auva.com

Summary

In this conversation, Michael Venner and Ian Battersby delve into the intricacies of ISO systems, discussing the interconnectedness of standards, the impact of Annex SL, and the importance of context setting in management systems. They explore how risk assessments, operational controls, and management reviews play crucial roles in achieving intended outcomes. The discussion emphasises the need for clarity in documentation and the alignment of management systems with business strategies, ultimately advocating for a holistic approach to quality management.

Takeaways

• Implementing an ISO system requires a comprehensive understanding of interconnected clauses.
• The PDCA cycle is fundamental to effective management systems.
• Annex SL has significantly improved the integration of various management standards.
• Context setting is crucial for determining the scope and objectives of a management system.
• Risk assessments should be linked to context and opportunities for improvement.
• Measurement and monitoring are essential for evaluating the effectiveness of management systems.
• Auditing should be based on a risk assessment approach to ensure relevant areas are covered.
• Operational controls must align with compliance obligations and customer requirements.
• Management reviews are vital for assessing the adequacy of resources and achieving intended outcomes.
• Documentation should be structured to clearly reference and link different parts of the management system.

Chapters

00:00 Understanding Management System Standards

03:10 The Importance of Context in Standards

07:15 Interconnectedness of Clauses in Standards

11:22 Risk and Opportunity Assessment

16:11 Measuring Success in Management Systems

18:29 Connecting Shop Floor Control to Standards

20:08 Operational Control and Risk Management

21:50 The Importance of Auditing and Management Review

25:03 Assessing Resource Adequacy and Management Review

26:43 Interconnectedness in Operational Processes

28:00 Environmental Considerations in Operational Control

30:10 Aligning Risk Assessments Across Standards

31:31 Common Causes and Streamlined Auditing

33:16 Structuring Documentation for Clarity

35:08 Conclusion and Future Discussions

Key Links

Auva Website: www.auva.com

Apple Podcast:  https://podcasts.apple.com/gb/podcast/by-all-standards/id1771677594

Spotify: https://open.spotify.com/show/79OUNj3vY9dmESR3okwHJa?si=871837f56dc149b6

Youtube: https://www.youtube.com/@auvacertification/podcasts

LinkedIN: https://www.linkedin.com/company/auva-certification-ltd 

Instagram: @auvacert

Michael Venner:  https://www.linkedin.com/in/michaelvenner-isocertificationexpert/ 

Ian Battersby:  https://www.linkedin.com/in/ianthomasbattersby/

Blackmores UK:  https://blackmoresuk.com/

Blackmores Linkedin Page:  https://www.linkedin.com/company/blackmoresuk/posts/?feedView=all

Chapters

• 0:00: Understanding Management System Standards
• 3:10: The Importance of Context in Standards
• 7:15: Interconnectedness of Clauses in Standards
• 11:22: Risk and Opportunity Assessment
• 16:11: Measuring Success in Management Systems
• 18:29: Connecting Shop Floor Control to Standards
• 20:08: Operational Control and Risk Management
• 21:50: The Importance of Auditing and Management Review
• 25:03: Assessing Resource Adequacy and Management Review
• 26:43: Interconnectedness in Operational Processes
• 28:00: Environmental Considerations in Operational Control
• 30:10: Aligning Risk Assessments Across Standards
• 31:31: Common Causes and Streamlined Auditing
• 33:16: Structuring Documentation for Clarity
• 35:08: Conclusion and Future Discussions

Transcript

0:00

If I had to implement an ISO system again in 2025, I'd do it completely different. Why? Because most people treat each clause like it's separate and that's exactly why systems can fail. There's a smarter way to connect everything and our next guest will show you how. Thank OK, Ian, so what is the interconnectedness of clauses? Oh, right. Well, Michael, thanks for having me. I want to go back to the sort of the high level structure of the standards really the management system standards, which was really invented about 10 years ago. I'll talk about the standards in general, but I'll refer to 9001 quite a lot because I see that as the daddy of the standards. It's about running your business 9001, not just quality management. And on the face of it, people look at 9001 and other management system standards, it can appear to be slightly frustrating because it looks repetitive when you read the detail. But underlying that is quite a good reason, you know, that the cycle within the standards has been developed in order to lead to continual improvement. and way it refers back and forth within them is really important in that. So what I want to talk about is what that cycle is like and why different parts of the standard do talk to each other basically throughout. So that's my intent today anyway. Hopefully I can get that across to everybody. so what's your what's your background Ian? How long you been doing this? my background's varied. I've been with Blackmores for just over 18 months, a bit more. I joined at the end of August, 2023. I've had a little bit of time out of work before that. I'd previously worked for Department for Work and Pensions. uh I'd only worked there for a short period of time because I worked on a contract with an organisation called Sodexo, which is a big FM contractor who had mobilized a new form of estate management for DWP. So I spent five years or so with them on that. And my background is FM construction. But prior to that, I've been in health, I've been in government, I've been in all sorts of different things. So my background goes back to really one. you would have been very young, not even here, when I first began in manufacturing with British Aerospace as an undergraduate in 1984. So I've been through many things, including owning a curry house for a short period in that time. yeah, I decided the NHS was too difficult and opted out and bought a restaurant. but that was quite very difficult in fact so I ended up back in the standards world again. But I've worked in standards of risk, quality, health and safety, environment and all relates to energy management. I've worked in standards since the late 1990s so either in creating. Yeah, indeed, quite a variation. healthcare standards on risk management through to currently on energy and environment and the like. So yeah, seen a lot in that time in a lot of different sectors. Okay, interesting. Okay, yeah, so interconnectedness, just how the clauses all fit together from the different standards then, yeah. Yeah, well, the clauses now that this is 10 clauses, the real meaningful bit that certainly to your clients when it comes to certification, who was everything from clause 4 to clause 10. They are context, leadership, planning, support, operation, performance evaluation and improvement. Now, the whole idea of this and forgive me if I'm teaching. anybody in your listenership to suck eggs but the whole idea is that the Plan Do Check Act cycle PDCA So plan, establish what it is you want to do, the objectives and the resource needed to do that. And quite importantly, which underpins the standards is assess the risks and the opportunities to delivering what you want, then do it basically implement what you said you're going to do. Check. So monitor against your objectives, your policies, your processes and any other requirements. And then act upon that. If you find once you've checked that things need to change to improve, take actions to do that. But then again, you come back to planning. If you're going to take any action, you plan to perform that action and it's this virtuous cycle of doing things. So because of this cycle, Everything is linked. Nothing sits in isolation. Things refer back and forth in the standard. Sometimes quite explicitly. Sometimes it's implied and you can read it in the wording that it means that it refers to something else. But you can't do one without the other. You can't do one piece of the standard in isolation. So that, yeah. easier when they done the Annex SL. Always the PDCA cycle was always there, but I suppose with Annex SL introduction, it kind of just brought that together a little bit better, didn't it? It did. I I think Annex SL is a master stroke in the the in the world of standards. Prior to Annex SL standards, mainly system standards that say they were quality, famously, or health and safety or environment, they grew from different sectors, they grew from different working groups, different approaches, different styles of management management system. And they all did things in different ways. And if you look at prior to 2015, it'd be quite difficult, I think, to create what we now call integrated management systems, because the common elements didn't exist. So Annex SL was there to try and bring together the approach across different sectors, different topics, different risk areas. But also, think Annex SL was created as a sort of tacit recognition by standards bodies that it wasn't necessarily working that well. I'd certainly had experience in management systems where, and this is, I allude to this all the time, a quality management system back in the day will be some chap or chapess in overalls sitting in a little office at the end of the shop floor with a room full of manuals. and the certifying assessor would come once a year and look at those manuals and say, that's lovely. Tick, tick, tick, tick, tick. You've got all the right things written down and go away and say, there's your cert for the next three years. That didn't affect the bottom line of any company whatsoever. don't think back then it didn't change the way we operate. didn't lead to companies meaningfully adopting a management system which changed what they do and improve. So think Annex SL was a response to that sort of tick box wishy-washiness that I could recognise anyway. And I think it's done wonders in that. I think there's still a long way to go in making sure that people who are management systems embrace them fully and improve as an organisation. But that's for another day, I think we could probably chat at length on that. So yeah. yeah so when you're sort of talking about the interconnectedness then you sort of just trying to sort of say how go and just elaborate on that for me a little bit. Right. I can't explore every link that's in, say, 9001, but here's a good one. And forgive me, I will read words from the standards at times. Clause four is about the context of the organisation. This is really important to me. I bang on about this to people all the time because this drives what you do. And the words in the standard say that you'll determine the external and internal issues relevant to your purpose and strategic direction that affect your ability to achieve intended results. Now that's really important. The scope of your management system depends entirely on that. It's the world in which you operate. And that goes back to what I was just saying a minute ago. you now have to think of your management system, whether it's environment or information security or business continuity or quality, you have to think about the management system in the context of the world in which you operate. so Clause 4 is underpinning all of that. So it's about what you buy your supply chain. It's about the people you employ. It's about what you make and sell to people. It's who you sell to. It's about the laws that you follow. So if you think about it in that context, I've already referenced in those words, multiple parts of the standard, because they talk about people and resource. They talk about the processes of delivery. They talk about legislative requirements and compliance obligations. They talk about customer requirements. So in establishing the context of the organisation, you're already laying the groundwork to talk about how you deliver to those people further down in the standard. then the clause four then talks about interested parties who are those very people. So you can already see that right from the outset, the standard is referring to things later in itself. uh And it does, it actually does. Yeah. And if you look at the way it's written, They're quite clever. They're not very prescriptive at times, the standards, And clause four doesn't say to you, do your context setting exercise by following this, this, this step. But it does have two notes to it, which are really quite excellent. The first note is issues, as it describes them, can include positive and negative factors. So they're already introducing the concept that good and bad things happen and therefore risk is something that you need to be aware of. And then they say you can understand your external context by looking at things like legal, technological, market, cultural, social. So they're not saying how you're going to do things. They're saying consider these things. But in our world, that says, about doing a SWOT and PESTLE Because through a SWOT and PESTLE, you're looking at positive and negative factors. strengths, weaknesses, opportunities, threats. Through doing a PESTLE, you're looking at legal, technological, political, economic things as well. So I'm yet to find somebody who does a context setting exercise, which avoids doing a SWOT and PESTLE, but I'm all ears. If somebody comes back with a way of doing this, which doesn't do it the way we tend to do it in an organisation, I'd love to learn it. So I've just touched on something there then. because strengths, weaknesses, opportunities and threats lead you to risk. If you've got a weakness, it's a risk. If you've got a threat, that's a risk. You've already got the word opportunity in SWOT. So again, you're laying the foundations. So by moving from a structured approach to context setting, you then lead yourself into addressing risk and opportunity, which is an essential underpinning part of all of risk-based approach is really fundamental to management system elements. So that gives people an idea of what I mean by connection. Hmm, yeah, definitely. Do you find people overlook this part where they're setting up the management systems? To be fair, I've worked in a world where we have. Because many of us worked in a world where we'd already been certified to 9001 prior to 2015. And there was that, I think, three year window of adopting the new standard. So I think I was in an organisation at 2016, 2017 when we were recertified to the new version. I don't think assessors necessarily were pressing as hard. Hmm. to go through context setting. if you're beginning at the beginning, if you're saying, right, let's adopt a management system approach and let's start on our certification journey, to me, it's essential. Why are you in business? What will your management system do to improve that business? Not what nice documents you're going to put in place to satisfy an auditor. Yeah, what you're trying to achieve, what's your end goal, you know, it's, yeah. yeah, that's exactly it. And you give him something there. What are you trying to achieve? So that whole idea of context through to risk, you then establish through that risk and opportunities exercise, the things which might go wrong in your business, therefore need additional control through either addressing individual risks through a control, document, a process, whatever that might be, all by grouping together big issues, you know, which might then in themselves become an objective over time. So that then ties into your policy. What do you want to do over the coming years as an organisation? If it's say health and safety, do you want to minimize harm by reducing your accident rates? If it's environment, do you wish to cut your Energy consumption rates your water usage those sorts of things over a period of time So from the risks of we use too much power. We use too much water you then can establish what it is as an organisation You wish to do all the time and that links into the next part of it, you know that the standard clause 6.2 Well, I could I could talk all day about clauses, which probably will have people at switching off. But unfortunately, that's the world in which we work. Yeah, I think you hit a good point there and the bit that I find people miss quite often is the risks and opportunity. Right at the start it says consider 4.1 and 4.2 your context and I find a lot of people will do maybe a PESTLE or they might do a SWOT or something of that and then they'll do a risk assessment but none of it talks to each other. They're all three separate documents and it's like no, no, no there's a key bit right here that says about 4.1 or 4.2 it all links. How do you demonstrate that you've considered 4.1 and 4.2 in your risk and opportunity assessment? There's not some direct correlation between them. And I like to, if I do a SWOT and PESTLE, I like to put in reference numbers basically, a reference between a SWOT and a PESTLE if they talk to each other, then a reference between the SWOT and PESTLE and the risk, and then a reference between the risk and the objective. So you can see a link all the way across from beginning to end. And then that leads into measurement. the standards. In a way, find I've got one criticism that the clause and you get to clause nine, 9.1 , I think it is on monitoring and measuring really should be embedded in clause. I think it's 7.1 , which is about the resources for monitoring and measuring. So I'll leave. ISO alone for that one because that's my only criticism. But that's again the way the standards flow. If you've put in place procedure or process, the best way of ensuring success in that is to build in some measure within that of what you expect it to achieve. So further down in the standard, you can look at what people are doing with operational control with that process. And then you can measure whether that process works because all management reviews ask you to assess the effectiveness of process and the nonconformity against process. And I think that people don't view people look at nonconformity as an audit outcome. We'll talk about that. But what you should be doing through your building of your system is in the generating of controls and objectives. is putting in place a way of measuring with whether those controls and objectives achieve the desired outcomes. And the standards talk about intended outcomes and intended results quite often. So how do you know what the intended results should be without proper measures? And that's around building processes with measures in them, KPIs, whatever that might be. And it's around building objectives where you assign responsibility. you assign time scales, assign resource, and you assign some way of measuring whether you've been successful in verifying that. So again, they're all mixed up, they're all linking back and forth right to the end of the standard at clause 10, where it says, improvement. How would you assess whether you've improved your organisation? Well, we've built measures into these all the way through. So yeah, I've jumped right to the end of the standard there, haven't I? that so much more meat in the middle. yeah, there's quite a lot to it. Yeah, there's a bit in the aerospace standard. don't know if you do the aerospace standard that I really like. It's in the nonconformity bit. And actually what it says is, as a result of a nonconformity, in not so many words, go back and look at your risk assessment to see if you've missed something. So it kind of loops it all the way back, which... know, feeding back into the system, which I think a lot of people miss as well. Yeah, I like that. There are bits in the standards where with reference to clause 6.1, and the like, they say measure what you've done. Well, clause 6.1 is risk. If you touch on an interesting thing there, that sort of set to specific standards, which have become quite popular, they are very specific in what they're asking. I've just this week been asked to look at well, a document called British Standard, it's not an international British Standard, 99001 which is for the built environment. So people involved in construction, fit out architecture, that sort of thing. And it's, it's additional requirements for documentation, for verification of things is really quite specific. I see that the world is going down this road. If you look at various standards, environmental ones and the like, they are being extended into different areas with more requirements in them. I think this linking back and forth is going to be very important because you just took a perfect example of where a standard says you must explicitly refer back to that. So I think from the outset, when you're building, you should be mindful that at the end you're going to be measuring what you've built. Hmm, yeah definitely. So how can you sort of, sort of jumping around a little bit, so section 8, of shop floor control and things like that, where does that connect then back? How can you connect that back? it's funny, you should say short-flawed, we're working with tech firms, people using online cloud services, legal profession, all sorts of people. And Clause 8 is exactly the same for them. They may not do design work in the traditional sense of a manufacturing organisation or a construction organisation, but they do have to design the out- puts it to the client in some manner. So it's all, it's different risks, it's different design, it's different build of the output, but all the clauses tend to apply except for calibration, know, sort of thing. But what's important for clause eight is that the risk assessment side is key and compliance obligations in certain standards are key. And even 9001 refers to the fact that you must follow legal requirements as well as customer requirements. So what you do through your risk assessment and your legal compliance work is establish where you know you need to put in place a control mechanism. That really then is the basis for your procedural documentation. So 7.5 is about documentation. So the underpinning part of 7.5 is that You know what the organisation needs to address through its risks and opportunities. And its objectives, of course. You write the documentation that supports achieving those outcomes. Operation, then, is the do, isn't it? It's the take this document, give it to the right people, ensure they're aware of it, they're competent to do it, they are resourced to do it. the environment for operation, importantly, know, and the infrastructure are appropriate to the delivery of that. And then they do it. They take that written procedural document or whatever type of procedural or process document it is. And they are the people who do the operation. That's why it's called operation. And then if it's right, they do it successfully. it's wrong, we find out through nonconformity process through Audit and nonconformity and that sort of thing. So again, you see the flow you've gone from context to risk You've gone from risk to control You've gone from control to the documentation which is required to demonstrate you control it You've gone to actual operational control the people in doing it and then you go to the measuring of whether they've done that effectively So that flow is you know, the beauty of the standards of PDCA in action. And when you're looking at operational control, like you audit people, quite difficult because you can't really audit all of it. There's masses of In a manufacturing organisation, if you look at operational control through understanding the client requirements, through initial design, through verification of design, through design changes, through production, through project management of that production. through the verification that the product is right to deliver, through post delivery, checking and all that. Audit processes have to be really, really extensive to be able to do all of that. So organisations again need to consider in audit risk. What is risky? If you've got legal requirements, are they the big risk? If you looked at a risk assessment right at the beginning in the building of the system and then the controls needed, are you going back to those risks to determine whether your audit program is addressing the risks that you have identified and need the control score? So the risk based approach to auditing, and it is very explicitly written into the standards, you will risk assess what you need to audit. How have you done that? I don't see that very often. No. see people write down how they've achieved an assessment of the processes they're going to audit based on a risk approach. So again, risk raises ugly head. we see a lot where everyone just does the internal audit just once a year. Straight, we're going to cover all clauses, but they haven't really sort of looked back at their risks and sort of, hang on, there's a risky area here. We should do this more often and this one less often. yeah. I don't see that necessarily as wrong. The risk-based approach allows you to have more minimal auditing because your organisation isn't large, doesn't do many service offerings or product offerings, because it's low risk in terms of safety or environment. So it's not, I don't see that A day of audit per year is necessarily the wrong thing and the standards don't say you must do X number of audits at this frequency so that's fine. But you have to justify why you've done that. That's the thing. No. That then comes to management review. Your management review should then look at whether you've achieved your intended outcomes. Whether the risks you've identified have been mitigated by the actions you've taken. whether the objectives you've set have been met effectively, whether the processes you have in place conform, whether the delivery to the customer is what you want. So your management review is then an opportunity. If you're conducting one less than once a month, if you're doing it once a year or twice a year, that's the opportunity to say, okay, we've looked at all the inputs to management review. Here's the output. Our audit program of one audit per year on this standard. is adequate because the management system is achieving its intended outcomes. And that's then perfectly acceptable. And again, that's linking things back and forth. Management review is there to link everything right from the context setting through to the improvements. But it's also a way of demonstrating that you have assessed risk, planned your checking regime through audit, checked that the audit regime achieves the intended outcomes for your management system and continue with that approach. Or if you're not finding the right outcomes, changing that approach. So that's, you know, that's the standard in essence. And I think management review, again, is an area where I think people need to improve a little bit. It's, it's, read the standard in detail, and it says, is it achieving its intended outcomes? Can your senior management, hand on heart, say that management review has given them confidence in their system to achieve what they want? Yeah, that's actually the discussion we had last week on the other podcast, actually. Yeah, exactly that subject. Exactly that subject. it's yeah, it's yeah. So it was quite it was quite interesting. And I agree. People don't read that clause enough and understand it and know what the intended purpose is. Yeah, definitely. it's easy to come up with some minutes which have some clauses A to G and then and then you say we've done this. Here's the audit results. Here's the risk assessment registered. La la la la la. It's not quite as easy to say, does this do what we need it to do? And that's what you want, because that then leads on again. There's a really important aspect in it, which gets a bit of lip service and gets a bit of a glib entry in the minutes of management review is about the adequacy of resource. It goes back to clause seven. Clause seven is about resourcing your management system. How would you assess that? In audit it can be quite difficult. You can see people who struggle by working off the edge of their desk, but how do you evidence that in an audit? And how do you bring that up in management review? Yeah, I see the lines on the forehead, you know, that sort of thing. Exactly. of going back to the internal audit one thing I do When I'm doing my third party audits is I actually work backwards to test that interconnectedness So I'll go to dispatch and I'll pick pick a two or three jobs that being dispatched Then I'll work back into manufacturing See that and then I'll look at the records for those jobs. I saw dispatched and then it goes all the way back to the training records of the people that doing all those activities. And I think the key bit is going back to the contract. I saw what was shipped. Is this what the contract asked for? And that's how I check all that interconnectedness across that process. Yeah. So I actually do it backwards. Not every time. It doesn't work for every organisation, but a lot of manufacturing. That's what I do. you've literally picked up the entire chain of the interconnectedness, but right back to customer requirement, understanding customer requirement, but also that goes back to context as well. The interested party is your customer. And when it talks about legal and other requirements, your contract is other requirements. know, do you satisfy those? And contracts are quite dull in most parts, but they're actually really quite useful for many people in determining how to build a management system, particularly if it's a contract driven management system. So when I worked as a contractor to DWP, we built an entirely new contract quality management system based on the requirements of that contract. And we delivered based on the, not based on how we did things with the other 40,000 people in UK and Ireland. based on how that client wanted that job doing under these specific terms. And that's important to understand, isn't it? Yeah, yeah, definitely. Because at the end of the day, it's about customer satisfaction and does the customer get what they want? Absolutely. And does the chap in his overalls off the shop floor with his manuals affect that? That's it, yeah, definitely. So how about then environmental? How does that sort of link work, I suppose, if you're doing the operational control? I suppose that links back to the legislation identification being correct, is that? Well, it does does theres an added layer? So in ISO 14001 , you've got the standard parts which are around risk and opportunity, the context risk and opportunity and your compliance obligations as 14001 calls it. I think I like that phrase better. But also it comes to aspects and impacts. So aspects are basically the things that you deliver as an organisation. you build something. So putting up brickwork is an aspect or using water may be an aspect. Then the impact you then have to assess the significant aspects and their impacts on whether that's positive or negative again. And you then drive your controls from that. So if you put up brickwork, what are your controls? make sure that you put up brickwork without additional risk, for instance. Okay. Plus the legislative requirements around that, plus the risks. So what you do is you try and meld, there are ways of doing this through an aspects and impacts register, which builds into it traditional risk analysis techniques. So you look at your aspects and impacts, and then you judge the impact in a maybe a five by five matrix. It may be another type of uh risk assessment technique. But you try then to judge risk similarly across different subjects. So you again, the principle is exactly the same, but you're just using this terminology of aspect and impact to judge what you do as an organisation and how it impacts the world around you environmentally. It's just an added layer really I suppose, but following it through in exactly the same manner as we talked about before. Structured, linking, measuring, know, that sort of thing. So ultimately, your operational controls should diminish your impact and you should be able to measure that and audit against that. And it just flows background through, doesn't it? Yeah, keeps going through the cycle. Circle of death. And I think sometimes as well, people don't, people don't, picking risks, for example. So if they've got all three standards, they've got quality, environmental health and safety, they'll do one type of risk assessment for quality, a different type that looks quite different for environmental and then something totally different for health and safety. I'm kind of like it's the same principle in the process why have you got three different it all gets really confusing so I'm like just align them together. if you do a context setting exercise for three different things, you'll get different outcomes. What you need is the people who run a business, people who sit at different levels, different strata within the business, who understand from strategic to operational level, people with different professions to talk about what's meaningful to the business. You don't just want an environmental professional to do it or health and safety. professional to do it or a quality manager to do it. You want the business perspective on what you do because it says you must align with the strategic direction of the business. Your system should align with it, your policy should and your objectives should. And that's what it's all about at end of the day. But also you then you lead yourself. You lead yourself down the route of audit programs which go on audit risk. One week on one subject and audit risk another week on another subject. You end up with different continual improvement logs. You end up with different root cause analysis techniques across different subject matters. And that drives me mad because one underlying cause can manifest itself in so many different outcomes. If you say there's a man who runs a woman who runs a machine on the shop floor lacks competence in that operation. Well, firstly, that could manifest itself in a product nonconformity and that hopefully might not get out the door and you'll catch it. It might end up with a nonconformity which isn't captured, which ends up at the client's desk, which then leads to a warranty claim or even a liquidated damages claim. You could have an accident because you're not using it safely. So you've got a health and safety issue come from that. You may not. know how to operate it and end up discharging lubricant to drain that you shouldn't. That's an environmental issue. You've got from this quality, health and safety environment, but you've also got commercial considerations. You've got HR and competence considerations within this. Unless you put them all together in one place, how do you understand the root cause of it in order to remove it? because its outcomes may have been recognised in different places which would have people running off as hares down their own particular route in order to do an analysis of it in a different manner. Common systems, that's what I like about the terminology, the structure, the way standards are written means that you can use those common elements to get common cause and find common ways of and common ways of checking, which make it more streamlined for everybody. Is there a specific technique or method you'd sort of advise for how to make sure you're flowing everything back and forth or checking the interconnectedness? there a specific way of doing it that people can use or? I might roll out a management system standard. Well, we the way we operate is we break into distinct phases. So we start with a gap analysis, like where are you with this? Then we go and then determine the context side of things. So we get them to go back to the beginning and do all of that. I think it's the way you structure your documents. What you talked about earlier is people with a SWOT and PESTLE here, a risk analysis there, objectives over there, never the twain shell meet It's about referencing back and forth. So that you as an organisation could understand the flow and an auditor can understand the flow. also auditors can help them. They're not there to necessarily advise, but they can uncover evidence for you that helps you to understand why that flow works or doesn't. So I think Be explicit in how you reference the different parts of your system. Be explicit. If you are putting in place a control measure, what is it for? What risk is it addressing? What legal compliance? Yeah, exactly. What are the measures to determine whether you have achieved that? And in your monitoring and measuring plan, list all of the things which you are measuring to demonstrate that the things you did at the beginning of work. It is about neat documentation. It's about being explicit. It's about when you do refer back to something previously, be very, very precise and clear about what it is you're doing. I suppose it comes back to planning it and being not rushing into it. Just come back to planning and think about it and what you're trying to achieve. Yeah, documents and information as well. Excellent, excellent. So is there anything else you wanted to add or we can wrap it up? I mean, I could go on forever. I really can. But maybe we'll chat another day, Michael, perhaps. uh But no, no, think we've gone through the whole cycle. We've jumped back and forth a little bit. But I think we've covered enough to give people a flavor of why the standards are as they are and why it's important for us all to acknowledge that structure to them. in order to understand how to apply them better and achieve the best outcome. Yeah, that's been good. That's been good. Very interesting. So really appreciate it. So yeah, it's been good. So how can people sort of get in touch with you or Blackmores obviously thats who you work for. What's the best way? Blackmores UK Limited, simple web search on Blackmores UK Limited will bring you to our website. We offer all sorts of services from setting you up in a number of different standards from beginning to the gap analysis through to certification. We offer consultancy services according to specific needs. We have a number of clients where we are invited back. every year to do their internal audit program, to assist with management review. So yeah, there are many different facets of what we do across the certification world and across the different types of standards, quality environment, health, safety, energy, facilities, management, business continuity. So yeah, there's all sorts and certain. sector-specific standards as well. So, yeah, we can help many people in many ways, hopefully. We'll put some links in the show notes anyway, so that's good. No, that's brilliant. Okay, appreciate your time Ian. Thank you, it's been great. See you again. Cheerio. Bye.