<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Governance, Risk and Compliance - GRC &#187; Process Flow</title>
	<atom:link href="http://schindlwick.com/grc/tag/process-flow/feed/" rel="self" type="application/rss+xml" />
	<link>http://schindlwick.com/grc</link>
	<description></description>
	<lastBuildDate>Tue, 22 Dec 2009 15:25:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How to manage multiple compliance regimes</title>
		<link>http://schindlwick.com/grc/2009/05/how-to-manage-multiple-compliance-regimes/</link>
		<comments>http://schindlwick.com/grc/2009/05/how-to-manage-multiple-compliance-regimes/#comments</comments>
		<pubDate>Sun, 24 May 2009 08:34:59 +0000</pubDate>
		<dc:creator>GRC_Consultant</dc:creator>
				<category><![CDATA[GRC]]></category>
		<category><![CDATA[YouTube]]></category>
		<category><![CDATA[Basel]]></category>
		<category><![CDATA[Basel II]]></category>
		<category><![CDATA[C3]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Construct]]></category>
		<category><![CDATA[Continuous Improvement]]></category>
		<category><![CDATA[Control]]></category>
		<category><![CDATA[Integrated Approach]]></category>
		<category><![CDATA[ISO 2000]]></category>
		<category><![CDATA[PDCA]]></category>
		<category><![CDATA[POLDAT]]></category>
		<category><![CDATA[Process Flow]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[Stakeholders]]></category>
		<category><![CDATA[Task Management]]></category>

		<guid isPermaLink="false">http://schindlwick.com/grc/?p=3</guid>
		<description><![CDATA[Companies are burdened with multiple compliance regimes. Different project teams deal with them independently rather than using an integrated approach, although the enterprise could benefit from reusing information and saving cost by having a central repository.

There are plenty of books helping you to understand GRC from different angles; here are my recommendations:
This video first tackles the continuous [...]]]></description>
			<content:encoded><![CDATA[<p>Companies are burdened with multiple compliance regimes. Different project teams deal with them independently rather than using an integrated approach, although the enterprise could benefit from reusing information and saving cost by having a central repository.</p>
<p><a href="http://www.youtube.com/watch?v=SnGGy1nbL-I">Watch the video on YouTube</a><br />
There are plenty of books helping you to understand GRC from different angles; here are my recommendations:<br />

</p>
<p>The video first tackles continuous improvement based on Deming’s PDCA cycle; afterwards I explain the theoretical approach to implementing an integrated compliance regime with the C3 approach (Construct, Compliance, Control).</p>
<p><strong>Construct -- C3</strong><br />
As the centre of a compliance regime is the process description, the presentation and the practical exercise focus on process flows and their POLDAT objects (Process, Organisation Unit, Data, Application and Technology).</p>
<p><strong>Compliance -- C3</strong><br />
This part of the presentation deals with harmonizing multiple compliance regimes, e.g. ISO 20000, SOX, MiFID, Basel II, etc.<br />
This is not always an easy task, as multiple stakeholders and project teams are involved, but the benefit of having a centralized repository is huge for the whole enterprise.</p>
<p><strong>Control -- C3</strong><br />
The control topic deals with assigning tasks and audit questions to people in order to ensure that your compliance assessment will be performed. This is explained based on ISO/IEC 20000.</p>
<p>Hopefully you found my video informative; if you need the presentation material, please log in or register below.</p>
<p>Looking forward to your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://schindlwick.com/grc/2009/05/how-to-manage-multiple-compliance-regimes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to implement an Integrated Management System (IMS) for ISO/IEC 14000 and ISO/IEC 9000?</title>
		<link>http://schindlwick.com/grc/2009/03/how-to-implement-an-integrated-management-system-ims-for-isoiec-14000-and-isoiec-9000/</link>
		<comments>http://schindlwick.com/grc/2009/03/how-to-implement-an-integrated-management-system-ims-for-isoiec-14000-and-isoiec-9000/#comments</comments>
		<pubDate>Wed, 04 Mar 2009 13:12:28 +0000</pubDate>
		<dc:creator>GRC_Consultant</dc:creator>
				<category><![CDATA[GRC]]></category>
		<category><![CDATA[Textual Article]]></category>
		<category><![CDATA[IMS]]></category>
		<category><![CDATA[Integrated Management System]]></category>
		<category><![CDATA[ISO 14000]]></category>
		<category><![CDATA[ISO 9000]]></category>
		<category><![CDATA[Process Flow]]></category>

		<guid isPermaLink="false">http://schindlwick.com/grc/?p=37</guid>
		<description><![CDATA[For many years I have been implementing compliance regimes, and the most common ones are ISO/IEC 9001 and ISO/IEC 14001 as an Integrated Management System (IMS).
The system described in this article has been implemented over 60 times in different organizations, all of which passed the initial certification audit at the first attempt!
1.0 Objective
The clear goal was to [...]]]></description>
			<content:encoded><![CDATA[<p>For many years I have been implementing compliance regimes, and the most common ones are ISO/IEC 9001 and ISO/IEC 14001 as an Integrated Management System (IMS).<br />
The system described in this article has been implemented over 60 times in different organizations, all of which passed the initial certification audit at the first attempt!</p>
<p><strong>1.0 Objective</strong></p>
<p>The clear goal was to implement and achieve certification of ISO/IEC 9001 (Quality Management) in all branches and ISO/IEC 14001 (Environmental Management) in the UK office by the end of 2007.<br />
As there was no formal management system in place we had to start from scratch. Completely from scratch? Of course not: we used Best Practice Frameworks and different Casewise Software components to accelerate our implementation in order to achieve this challenging goal within 3 months.<br />
Because we needed more guidance we used the ISO/IEC 9004 and ISO/IEC 14004 standards; they contain the same set of requirements as ISO/IEC 9001 and ISO/IEC 14001 but with more explanations and examples of how to implement them. Of course both frameworks have associated audit questions to support our initial assessment and the surveillance assessments as well.</p>
<p><strong>2.0 Challenges</strong></p>
<p>The initial time scale was 2 months, but because of the Christmas break we couldn’t get a date for our certification in 2007, so we had to extend it to 3 months.<br />
Geographical spread – all offices (USA, France, UK) should be certified against ISO/IEC 9001 and the UK office against ISO/IEC 14001. Time differences and differences in how specific processes are performed made the project even more challenging.<br />
As it was the end of the year, the<br />
•	business shouldn’t be distracted too much, as end-of-year business needs to be closed<br />
•	Christmas holiday break needs to be considered in the project plan</p>
<p>No formal management system was in place, so we had to start our IMS from scratch.<br />
We decided to assign and train our IMS Manager as part of the implementation. Formal internal auditor training would be performed later.<br />
We also had to get the whole company up to speed with the ISO/IEC requirements: train people, document and improve processes, and assess the whole company.</p>
<p><strong>3.0 Solution</strong></p>
<p><span style="text-decoration: underline;">3.1 Preparation</span></p>
<p>Like any project, we started by outlining the IMS implementation in a project plan to make sure we hadn’t forgotten any important tasks.</p>
<div id="attachment_35" class="wp-caption alignleft" style="width: 310px"><img class="size-medium wp-image-35 " title="IMS Project Plan" src="http://schindlwick.com/grc/wp-content/uploads/2009/10/IMS-Project-Plan-300x181.png" alt="IMS Project Plan" width="300" height="181" /><p class="wp-caption-text">IMS Project Plan</p></div>
<p>Every management system needs a certain number of forms to show evidence of approvals, reviews or audits.</p>
<p>Further preparations that needed to be done:<br />
•	We created a shared folder on our server and assigned access rights to its subfolders, so that managers could update their own forms.<br />
•	We installed different Casewise Software components.<br />
•	We created Word templates, saved them on our server and linked these documents to Corporate Modeler and to our process descriptions.<br />
•	We started by importing the APQC model; afterwards we imported the ISO/IEC 9004 and the ISO/IEC 14004 into the same model.<br />
•	We created new styles or adopted existing ones; we also defined the diagram levels and the different object palettes.<br />
•	Our managers got write access to the model to ensure each manager (process owner) can adapt, change and improve their processes after the initial process workshop has finished.</p>
<p><span style="text-decoration: underline;">3.1 Select the certification body</span></p>
<p>There are plenty of these companies around, and it is entirely up to your organization to choose a certification body and an appropriate auditor that suits you or that has specific knowledge of your industry.<br />
We spoke with two different auditors and chose Lloyds Register afterwards. The contract is for 3 years and contains a certification audit and two surveillance audits.<br />
As we have an IMS, we have two auditors: one for our Quality Management System and one for our Environmental Management System. As there are huge similarities between those systems, our auditors didn’t audit the same requirements twice, e.g. Management Review, IMS Policy and so on.</p>
<p><span style="text-decoration: underline;">3.2 QMS / EMS Forms</span></p>
<p>We used existing forms from my previous ISO implementations and updated them according to our requirements. We saved them all on our server and linked them to the Corporate Modeler repository, where we manage the version control that is necessary for both management systems.</p>
<div id="attachment_33" class="wp-caption alignright" style="width: 289px"><img class="size-medium wp-image-33 " title="IMS Documents" src="http://schindlwick.com/grc/wp-content/uploads/2009/10/IMS-Documents-279x300.png" alt="IMS Documents" width="279" height="300" /><p class="wp-caption-text">IMS Documents</p></div>
<p>Some documents are listed twice as they are represented both as a document and as a record.<br />
The big advantage of linking documents to the process is that the process owner or new starters can explore the process and get the relevant forms straight out of the system.</p>
<p>The necessary system documents are also cross-referenced to the standard requirements, which makes maintenance easier.</p>
<p>Another advantage is that the documents are stored centrally, so none gets lost when we update them between the different audits (internal/external).</p>
<p>After the documents were completed and cross-referenced we started to fill out the forms, e.g. Audit Plan, Management Review Form, etc.</p>
<p>Other forms were transformed directly into Corporate Modeler, e.g. Business Continuity Plan/Assessment. So we have tried to reduce forms as much as we can and embed this information within Corporate Modeler.</p>


<p><span style="text-decoration: underline;">3.3 Process Modeling</span></p>
<div id="attachment_34" class="wp-caption alignleft" style="width: 310px"><img class="size-medium wp-image-34 " title="IMS Process Map" src="http://schindlwick.com/grc/wp-content/uploads/2009/10/IMS-Process-Map-300x181.png" alt="IMS Process Map" width="300" height="181" /><p class="wp-caption-text">IMS Process Map</p></div>
<p>As a high-level “entrance” diagram we chose a value chain differentiating the core and support processes of Casewise. All other processes and diagrams are accessible from this page.</p>
<p>We didn’t start from scratch, as we used the APQC Framework. We went through this framework during our process modeling workshops and identified similarities and gaps, which we modeled straight away during the workshops.</p>
<p>After the workshops, people added more descriptions to the processes or associated documents or other information with their process maps.</p>
<p>Some of our departments had already drawn process maps or written procedures in Word, and to embed this information we chose two approaches:<br />
•	If it was an important process we modeled it in Corporate Modeler.<br />
•	If the process was just “nice to have” we linked the document to a higher-level process.</p>
<p>After visualizing our process maps we could start to link the ISO requirements to the appropriate processes. This shows us and our auditors how we fulfil the different compliance requirements. In addition, we also cross-referenced the audit questions to the different processes to make sure we can schedule the audit questions/controls to the responsible people.</p>
<div id="attachment_32" class="wp-caption alignright" style="width: 310px"><img class="size-medium wp-image-32 " title="IMS 9001 Requirements" src="http://schindlwick.com/grc/wp-content/uploads/2009/10/IMS-9001-Requirement-300x181.png" alt="IMS 9001 Requirements" width="300" height="181" /><p class="wp-caption-text">IMS 9001 Requirements</p></div>
<p>In the screenshot above you can see the visualized ISO 9004 requirements; on the left-hand side you see the properties of requirement “6.2.2 …” and also the associations to processes, external documents and audit questions.<br />
We ended up with a consistent process model, clear responsibilities and transparency regarding the compliance requirements.</p>
<p>Obviously there were a few iterations of quality checks on the modeled processes, especially on whether they fulfil system requirements such as the “audit process”, the “Management Review process” and so on.</p>
<p><span style="text-decoration: underline;">3.4 IMS Optimization</span></p>
<p>As part of continuous improvement you need to make sure you get feedback from your colleagues regarding process improvements, customer problems, supplier issues and so on.<br />
Because of our tight time scale we started with a paper-based system, but we already have new ideas about how this could be embedded better in our IMS.<br />
A very good source of process improvements is the new-starter process: as new starters need to be introduced to their processes, we found possible improvements which we implemented in our IMS.</p>
<p><span style="text-decoration: underline;">3.5 IMS external revision and certification (audit)</span></p>
<p>A very valuable source of improvements is the internal and external audit. One reason why it’s so valuable is the fact that you can actually block some time from your normal job responsibilities and focus only on the audit process itself. Just focusing on other processes opens your mind and lets you ask the right questions, e.g. why are we doing this in this way?<br />
After the external audit we got an audit report that acts as a task list for our next audit, and at the end we got the certificates for ISO/IEC 9001 and ISO/IEC 14001.<br />

</p>
<p><strong>4.0 Lessons Learned</strong></p>
<p>•	Implementing a Management System, or even two of them as in our IMS, is NOT rocket science<br />
•	Following a structured, systematic approach reduces implementation time and guarantees consistent documentation<br />
•	Having a collaborative solution helps to overcome resistance to change and get people’s buy-in<br />
•	Working in a repository-based tool makes maintenance extremely easy, as you can easily share responsibilities with your process owners without losing control of the overall model.</p>
<p>2 years after the first certification audit the system is still in place and helps the organization to improve its efficiency and effectiveness by keeping the overhead of maintaining a standard as low as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://schindlwick.com/grc/2009/03/how-to-implement-an-integrated-management-system-ims-for-isoiec-14000-and-isoiec-9000/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

