High Level Structure – Policy requirements
The High Level Structure (HLS) for management systems (which could be ISO 9001:2015, ISO 14001:2015 and ISO 45001), states the following requirements for clause 5.2;
Top management shall establish a management system policy that:
- Is appropriate to the purpose of the organization
- Provides a framework for setting management system objectives
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement of the management system
The management system policy shall:
- Be available as documented information
- Be communicated within the organization
- Be available to interested parties, as appropriate
How have specific standards addressed these requirements?
ISO 9001:2015 Quality management systems have introduced sub clauses to separate establishment and communication:
5.2.1 Establishing the policy
5.2.2 Communicating the policy
The quality policy is also to support the strategic direction of the organization and as well as being communicated within the organization, it is to be understood and applied.
ISO 14001:2015 Environmental management systems have included that the policy is to be appropriate to the purpose and context of the organization, including the nature, scale and environmental impacts of its activities, products and services. The policy is also to include a commitment to the protection of the environment, including prevention of pollution and other specific commitment(s) relevant to the context of the organization.
ISO 45001:2018 OH&S management systems includes additional commitments to:
- provide safe and healthy working conditions for the prevention of work-related injury and ill health and is appropriate to the purpose, size and context of the organization and to the specific nature of its OH&S risks and OH&S opportunities.
- Eliminate hazards and reduce OH&S risks
- consultation and participation of workers, and, where they exist, workers’ representatives.
How to communicate a policy?
Top Management’s commitment to a management system policy should be visible, current and communicated.
Communication of the Quality policy could be by:
- Displaying the policy on notice boards
- Employee induction training, other training and awareness sessions
- Internet or Intranet
The policy is to be appropriately reviewed to ensure it remains relevant to the purpose of the organization. This review could be through management reviews, internal audits and/or the document control/review process.
What would a policy look like?
Here is an example of a management system policy we use for our online courses. There is no one-size fits all policy, as the policy is to be appropriate to the purpose and context of each individual business, relevant to the varying activities, products and services of any business.
This is an ongoing process also, as when the business context changes, there’s a flow on effect for the purpose and intent documented in the policy.
This policy is NOT perfect by any means, we use it in our training so that our auditors can identify any areas not conforming or areas for improvement. What can you see that could be improved or added to this policy?
What an auditor looks for:
- Is ‘written down’, meaning its documented which can either be in hard copy or electronic or both of course (and the same versions)
- is meaningful and relevant to the activities and direction of the organization
- includes commitment to continual improvement as well as commitments as required by an EMS and an OH&S management system – which should be prevention of pollution/protection of the environment and prevention of injury and ill-health amongst others stated
- a commitment to relevant compliance obligations, as identified by the QMS, EMS or OH&S system
- communicated to all workers, including a level of understanding relevant to their own roles and responsibilities
- is current and reviewed, reflecting changes in the context of the business as they occur
- the system objectives should reflect the commitments in the policy
The issues that I normally find are:
- different versions printed out on display across the same site or at different locations
- the framework for setting the objectives is not clearly documented. Most of the time it is not there at all.
- Workers are not aware of the Policy or even where they would go to find it
- It has not been reviewed for many years and is no longer aligned to the organisations scope or activities
- There is no consistency between the policy’s intent and the objectives set
And my biggest tip here is:
That a Policy is the organisations high level intent and commitment. The key words being ‘high-level’!
Policies are normally just one page long and DO NOT tell us WHAT is to be done. We can turn to policies to see what the overarching intent is and the supporting documents, procedures, manuals and so on will then break down the WHAT and the HOW. You should be able to follow the story from the policy down.