The deming cycle, risk management and the ISO suite

THE DEMING CYCLE, RISK MANAGEMENT AND THE ISO SUITE

Written by Andy Pochin, Director and Commercial Manager.

The International Standards Organisation (ISO) sponsors and publishes a series of interrelated standards and guidance notes on organisation management. These, taken individually or collectively, are designed to indicate a framework within which companies and other organisations can take a consistant approach to process and performance. ISO 9001 describes the essential qualities of a quality management system which takes a customer-centred approach to maintaining quality of outputs and all the reputational benefits that go with it. ISO 27001 does a similar thing for information security management systems. ISO 14001 sets the frame for environmental management systems and ISO 31000, while not a standard in the same way as some of the others, helps organisations to frame their approach to managing risk. These are just a few examples of the suite of ISO standards and guidance that place the Deming Cycle, or “Plan Do Check Act” at the heart of their approach.

In ISO speak, the “Plan” phase is often about understanding the context within which the organisation operates and exists, as well as the size and purpose of the organisation, as the basis for the development of appropriate systems. These are then implemented in the “Do” phase and the virtuous circle of continuous improvement is attended to in the “Check” and “Act” phases.

Small companies like ours are often daunted by the idea of attaining certification under one or more of the standards that are relevant to them. It’s one thing to have semi-decent systems for running a business, quite another to open up to an external auditor and get an objective view on one’s own performance.

In our case, we were half attracted and half driven (by client requirements) towards attaining ISO 9001 accreditation and it was hard work getting there. For me, there were two elements to the difficulty. The first was the work required to create auditable and repeatable systems for the management of the quality of products and services we create for clients. Every new training course, project or corporate client is unique and creating a common and repeatable approach to looking after them all was taxing in the first place and is still constantly challenging us to improve. More interestingly, however, it was getting my head round the philosophy of the standard that was the most difficult aspect. Many times, I would read, discuss and debate the ideas of PDCA and the context of QM and logically I would “get” them, but behaviourally I would soon revert to old, limiting, programmed ways of thinking and habits.

Fast-forward to today and we are a third of the way through developing a new offering to market – training in and provision of risk management for projects. This has led me to look at ISO 31000 and wonder about a couple of related questions:

Should we be using the ISO management suite as a prism through which to assess the maturity and intervention needs of our clients?
Is there a place for integrating management systems and attempting to broaden compliance with the ISO suite within small companies like ours?

Two years ago, I would have said a moderately emphatic “no” in response to both questions. Now, I’m not so sure.

ON USING ISO APPROACH AS A PRISM TO ASSESS CLIENT MATURITY

Standard cyclical risk management processes, whether for projects or other applications tend to major on the procedural steps and, while they often advocate context consideration, they tend to relegate it to the status of “almost taken for granted”.

The ISO approach, by contrast, puts the context front and centre. It asks (and answers) the “why” questions providing reminders to teams, change investors and stakeholders to think, check and confirm their own, and each other’s beliefs in what the purpose of a project are and where they are most important.

I have never worked on a major project (and I challenge to think of one you’ve worked on) where any of the key leaders and stakeholders share top priorities. The most successful ones nonetheless, tend to be those where they key players take the time to understand each other’s drivers and develop, through mutual respect and compromise, a common set of key objectives. These in turn provide the context for the risk assessment, analysis and response endeavour. Taking time to focus in on identifying context then provides operational leadership with the ammunition it needs to provide piercing clarity to the project delivery team(s). A clear and consistent vision throughout a project team leads to a happier and more effective bunch of people who are far more likely to achieve planned outcomes.

ON WHETHER SMALL FIRMS LIKE PLP SHOULD DEVELOP AND USE INTEGRATED MANAGEMENT SYSTEMS

No doubt, systems are painful, difficult and relatively expensive to introduce and maintain. The smaller a business, the more it relies on the energy, time and goodwill of its principals and the less bandwidth it has to consider, never mind implement, structural changes to its way of working. Small businesses like ours may also look across to their lumbering, cumbersome competitors and wonder how they ever manage to get anything done and still make a profit when they seem to spend hundreds of hours and thousands of pounds on tortuous meetings and non-fee-earning staff to run them, all in the name of (apparently) creating friction through governance and creating tick list cottage industries. So, a non-starter!

Well, yes and no. Having once attained ISO 9001:2015 accreditation status, we have already been through the intellectual pain barrier of switching from the cult of the burning out individual to the benefit of the self-renewing ecosystem. PDCA has found its way into our company DNA and, as new as it is, feels like it has always been there. Accepting that this way of thinking should prevail in other areas of the business need not be a great burden. In fact, a little like imbuing a company with safety culture by just developing the habit of regular safety conversations, I think we can start to infuse our activities with ISO thinking just by allowing a couple of minutes at the end of each meeting/ session/ activity to ask a few basic questions:

Did we do what we just did with consideration of the context in mind?
Are we getting any better at X?
Can we make improvements?
Are the systems we devised when the company was micro still suitable now it is small?

We won’t necessarily want to radically overhaul IT, HR, QMS, BD etc all in one week, but by persistently chipping away at our assumptions, pride and perceptions, I believe we can create a culture within which positive change evolves through internal demand, leading ultimately to a more sustainable and satisfying company to work for and to be a client of.