Building an (ISO) Management System That Works
Kicking off with a slightly contentious comment (and despite the name of this article), we have to acknowledge that sometimes an organisation just needs to get ISO certified at pace.
However… once you are over that first hurdle, or if you have a little more time to implement, it is really important for your management system to be(come) a fully embedded tool for your organisation.
We’ve been implementing and evolving systems for nearly 10 years, both as consultants and in a fractional role for clients where we have specific responsibility for running their (ISO) management system.
Although implementing an ISO 9001, ISO 27001, ISO 14001, ISO XX001 system seems like a big hurdle to cross when you are standing at the start, the real challenge is making it part of how people actually think and operate rather than something bolted on that gets dusted off before an audit.
The difference between these two realities is tangible. On one side, you could have a procedure generated in AI or written by a consultant that sits unread, not reflecting reality. On the other, you have something people actually use because it was built with them, communicated properly, and refined over time. The first is implementation. The second is embedding. And the gap between the two is where most of the value either materialises or gets lost.
The theory of this is easy to state, but it is useful to consider how this actually looks and feels in practice. The following five points are by no means the whole solution, but ideas that can help lay the path for progress.
Idea 1: Stop calling it “the ISO system”
This is a small thing that makes a surprisingly large difference. The moment you label something as “the ISO system,” it gets separated from the business. It becomes a parallel universe. Something the quality manager, environmental manager or IT lead worries about, rather than something everyone owns.
Instead, consider framing it as “The [Your Company] Way” or as “[Your Company] Operating System”. Not as a branding exercise, but as a reflection of how you operate. Your procedures, workflows, standards, and ways of working are exactly that: how you work. The ISO certification is an output of doing things well. It’s not the input, nor the reason to do things.
By removing the tag of ‘ISO’ and describing it as “[Your Company] Operating System” or similar, you can encourage principle-driven behaviours and cultural embedment more easily.
Idea 2: Steer centrally but encourage team ownership
There’s a natural temptation, particularly early on, to produce beautifully crafted processes from the centre. They look professional, they’re consistent, and there’s a satisfying sense of order to it all. The problem is that unless the teams who actually use those processes keep them current, they become stale remarkably quickly… and the moment someone opens a document and suspects it’s out of date, they’ll never open it again.
The currency of documentation matters enormously. People need to trust that what they’re reading reflects how things are actually done today.
One practical approach, common in ISO 27001 implementations, is to separate ownership of policies from ownership of procedures. A central person, often the system manager or information security lead, can maintain the policies (which guide), whilst the teams responsible for delivery (e.g. developers, product managers etc.) own and maintain the procedures that put those policies into practice.
In other contexts, it might mean assigning heads of teams as process owners, with the central ‘system manager’ checking in periodically to ensure alignment and offer support. The key principle is the same: the people closest to the work should own how it’s documented and be held accountable for keeping it up to date.
Idea 3: Leadership have to care
This one is non-negotiable, and it’s worth being blunt about it. If the senior team don’t visibly place value on the management system, whether the focus is quality, information security, environmental management, health and safety, or service delivery, it won’t be valued anywhere else in the organisation. People take their cues from the top, and if there is a lack of value or emphasis placed on working environmentally, securely or safely, for example, it is very hard to keep the topic prioritised.
When you are leading a business or team, and have a huge workload, it is really hard to make time for everything. Placing value on how different aspects of the business operate (whether it is security, processes or other) doesn’t require enormous amounts of time, but it does require discipline and consistency. A standing item on the management meeting agenda that is actually visited. A quarterly review that actually happens. Asking the right questions when things go wrong, and recognising when things go right. Small, disciplined, ongoing attention signals that the various elements of a management system matter, and these signals can travel surprisingly far.
Idea 4: Make risk registers earn their keep
Risk registers are one of the most commonly underutilised tools in a management system. In many organisations, they can become a once-a-year activity brought out before an audit, then filed away until next time.
We think part of this comes down to the classic 5×5 matrix (although there is a time and a place), the types of risks documented and the sheer length of some registers. Most people do not find risk registers engaging, the review of the register can suck hours out of your day, and often the discussion doesn’t result in tangible improvements.
But risk can be approached differently. In an ISO 9001 context, for smaller organisations where the quality risk register is the business risk register, you can, for example, create a different structure. Throw away the 5×5 and instead consider a risk register that tracks the ten or so plates you need to keep spinning (i.e. buckets of risk) – pipeline, invoicing, marketing, delivery quality, profitability, client feedback, team morale, recruitment etc… whatever applies to you. RAG-rate each aspect once monthly, attach actions where something is slipping, and review it as a leadership team. It can become a genuinely useful operational tool rather than a compliance artefact.
Idea 5: Encourage questioning and iteration
It is genuinely rare to get a process or workflow right first time… the best ideas on paper generally fail when they actually meet the real world… competing with everything else for people’s time and attention. The best procedures, workflows, and documents in any management system only got that way through iteration, through people using them, finding the gaps, feeding back and refining.
The discipline is in creating the feedback loop. Checking with teams regularly: what’s working? What’s clunky? What do you actually ignore because it doesn’t reflect reality?
One example that sticks with us is a document designed to carry project information from business development and design teams through to the delivery teams in a construction business. The intention was sound, a single source of truth that followed a project through its lifecycle. But the first version only partially landed, as did the second one. It took multiple iterations, both in content and in the way the tool works, before it became something people genuinely find useful and a key central project knowledge tool. We don’t think this shows failure, rather it is how the embedding process actually works.
Where to start
None of these ideas require a wholesale overhaul. If anything, trying to fix everything at once is a reliable way to fix nothing. Instead, pick one area where the (ISO) management system feels like an afterthought, where the documentation doesn’t match reality, or the process exists on paper but not in practice, and focus there first.
Get that one thing working properly. Then move on to the next.
Management systems that genuinely work aren’t built in a single implementation project, and even the best implementations will still require the system to be continually refreshed. High value management systems are built through the accumulation of small, deliberate improvements made by people who remain disciplined in making improvements.