Another blog, another “c word” – compliance this time!
What do you think of when you hear “audit and compliance”?
Oh, I’m sorry, is that the time, I have to go, I think there’s somebody at the door…
It’s not a thriller, is it?
No business or organisation can get away from it entirely, whether you’re bound by regulatory requirements, internal processes or external accreditations… However there are ways of approaching audit and compliance as a positive experience. Honestly – bear with me!
At PowerON, we know that certain accreditations give our customers peace of mind. Our ISO27001 accreditation tells our customers that we take information security seriously – we know how to look after our data, protect our systems, and (of course) look after their data. Our ISO9001 accreditation shows that we have defined what we do, and that we take pride in delivering great quality to our customers. Both are quite new to us – we gained ISO27001 in 2018, and ISO9001 during lockdown this year! Here are a few of our tips and learning which might help anyone else facing a similar task…
Start from the standard
For me, the first step is always to locate the actual standard or regulation that we will be measured against. It will invariably be a fairly dry document, but this should always be your starting point. Read it, understand it, get to know it inside out, and this will help save you wasted effort implementing processes and controls that aren’t required.
Recognise what you’re good at
Once you understand the requirements, run a gap analysis – work out what you’ve got, clause by clause, and therefore the gaps you need to fill. You will not need to build everything from scratch, but you may need to document or record it in a different way. Tweak what you have, and then create what you need to fill the gaps that are left.
Use it to support your business goals
Accreditations often used to be primarily a paper exercise. Now, they are much more focused on supporting your organisation to achieve improvement. Pick a good accreditation partner, use them as a critical friend, and shape your accreditation goals & objectives to support what the business needs to achieve. This makes it 100% easier to make compliance part of your organisation culture, rather than working to processes which seem to distract from your core purpose and aims.
Our ISO9001 project felt pretty tough – we were implementing a new quality management system during a pandemic, with everyone working from home, many people also balancing challenges such as home schooling, and whilst also coordinating an office move under lockdown to enable us to support customer requirements. We pulled together as a team, adjusting our approach as we went, to make sure the right person for a task was the owner.
We also (and I can’t recommend this highly enough!) worked hard to build a relationship with our external auditor – by viewing it as a partnership rather than a confrontational relationship, we were able to hold open and productive conversations with him, giving him a better understanding of our management system and how we’d implemented it. The audit didn’t feel like a test, but a joint piece of work. Which is good, as I conducted my part of the audit from home whilst supervising a child in a paddling pool.
And finally: compliance audits will always be stressful if the regulations or accreditation is mainly ignored until the next audit time.
We’ve mapped out the annual cycle, and incorporated areas such as objective and risk reviews, and internal audits, into our standard business process. That way, we can address our audits confidently, and without a nagging worry that the auditor will look too closely at any one area!
They’re never fun, but they don’t have to be as stressful as my first ever ISO9001 audit (which I went into without ever having seen the standard that we were being assessed against). Be prepared, know you’re ready, and work with your assessor, and you should be able to breeze through!