ISO Clauses: – “The needs and expectations of interested parties”

Jan 17, 2019

Archived Blog & News

The content in this blog was accurate at time of publishing, however as standards (and the understanding of their application) change, some of this information may no longer be applicable.
If you have any questions on this or the other topics we’ve covered; please get in touch and we can discuss any queries you may have.

The introduction of the common format for ISO 9001, 14001, 45001, 27001 has saved much time in the whole process of creating management systems. However, one of the ISO clauses seems particularly challenging. Early in the system construction process, there is a requirement to define “the needs and expectations of interested parties”.

Is This A Kind of SWOT Analysis?

Close, but not quite. Read the notes under this section of 9001 and you’ll see that a SWOT analysis doesn’t really address all that the standard asks. However, some certification bodies seem to have told their auditors it’s an acceptable solution.

The standards ask you to determine the risks, opportunities and requirements of parties having an interest in your activities. This is not simply a customer/supplier profile. It should include everyone with an interest – employees, regulatory or compliance organisations etc. (i.e. everyone who could make the company’s life difficult, or lend it a hand).

My Initial Shock…

When I first read this clause in one of the standards, my initial response was “So, you’ve got to identify everybody involved or with influence – they must be mad!” I quickly started re-reading to reassure myself.

Huge Lists?

Despite having worked in the industry for some time, I am not alone. Over the last 18 months I’ve been invited to a couple of companies who’ve tried to respond to this clause without advice. They have generated an enormous list of all their suppliers, and customers. Also county councils, MP’s, the bloke who runs the sandwich van and the cleaning lady (who is still trying to avoid signing your GDPR security agreement).

The list is usually on a spreadsheet as it then identifies what each person needs, whether they are internal or external, what their need is etc. etc. All very thoroughly and diligently-compiled, but completely unnecessary.

What’s Needed. The Big View.

I sympathise with those who have addressed the clause this way (and whose certification body haven’t stopped them!). However, you really don’t need to create an exhaustive list. The standards are pointing organisations to take a broad view, independent of the subject. It’s a kind of “step back and take a look from a different perspective” activity. They are hoping to inspire a little strategic planning, consideration of what your business is, what your market is, who your customers are etc. Hence, the management system is meant to serve this holistic, broad vision, steered by this planning exercise.

You need to identify those who are going to be affected and those who could have an influence over your business. However, that doesn’t mean listing them. A relatively simple, summary and consolidated list of employees, customers, suppliers and legislators/regulators is probably a good place to start. The key objective is to define categories of those who have an interest or influence. Therefore, avoid specifically naming each one. Think “football teams”, rather than “individual players” (and the linesmen, referees, groundsman, bloke who cleans the dressing room, etc, etc)

A Very Good Place To Start

Having done this, identifying the types of problems, risks and opportunities which each broad “audience” presents is a sound foundation for progress. From here, the action you take to mitigate risks, as well as maximise opportunities, isn’t that difficult.

To reiterate, the standards are mostly concerned with generic risks which always face the business. They don’t need a focus on a single specific customer or order. Hence grouping them together and working out how you deal with each group is a perfectly acceptable solution.

But What About Specifics?

Of course, the standards have not degenerated into just wanting a corporate vision statement, mixed together with a vague and cuddly wish list. They do want specifics, and these are in sharper contrast than in the past. However, a risk related to a specific customer or product (Acme chemicals only want their deliveries on Mondays, the nuclear warheads must be delivered in pink packaging etc.) must be best addressed in the specific documentation relating to that order. It does not to be in a generic listing covering the company’s ongoing business.

What's Next?

We’re on a mission to make the apparently complex and unattainable, simple and relevant to real-life daily business activities. This includes challenging ISO clauses.

Standards only truly work when they have a root in your specific business. Staff “buy in” is vital.
We love making this happen.  We know that it has a profound effect on businesses, large and small. Drop us a line or give us a call if you think we might me able to do the same for you.