Imagine a small, family-owned corner shop. It sells sweets, greeting cards, telephone SIM cards, and flowers, and has been in business for the last 50 years, passed down through the family.
It serves its customers from 8 am to 5 pm every day, except Sundays. As the local florist, it also provides a flower delivery service and customers can place orders on its website.
In order for the shop to continue to be profitable and to build its reputation over the years, it must consider and manage many issues, and, as we know, things are always changing.
For example, the shop’s owners must ensure that they continue to comply with all applicable legal and regulatory requirements. This could entail the need for good accounting practices to ensure correct and accurate information is reported for tax purposes (information security management) and that fire systems are maintained and tested regularly (health and safety management).
Customers will share personal information, including credit card information, that must be kept confidential when orders are placed either with staff in the shop or through the shop’s website (information security management).
When flowers are delivered, customers expect that they will be in exceptional condition, i.e. not wilting or dead, and that deliveries, especially for birthdays and other occasions, arrive on time (quality management).
The shop’s owners will also want to build a degree of resilience into their business model, and have confidence that they can recover the business in the event of a disruption. It would be a sad day if the family business was forced to close its doors prematurely because it was ill-prepared to respond to a major incident, such as a life-threatening fire, or if the shop were to lose its hard-earned reputation as a reliable local supplier by regularly making poor excuses about late deliveries due to “delivery staff calling in sick” (business continuity).
We could go on, but I think you get the idea. Whether you realize it or not, your business surely has management processes in place already, and you are already addressing issues relating to information security, business continuity, quality, health and safety, and other fundamental topics that are relevant to the running and operation of any successful business.
As we can see from the scenario, in a successful business, everything works together. Processes are coordinated and interact with each other, and that includes dependencies on external third parties, such as suppliers.
Management system standards are not written to be used in isolation (i.e. in a single department), but to be integrated into business processes throughout the organization. Each provides expert consensus on a specific topic, such as security or quality – things that an organization’s leadership are ultimately accountable for, given that any major failing could have detrimental consequences on the achievement of an organization’s strategic goals and objectives.
In summary, management system standards can help organizations to continually improve the way in which they operate and manage their business in order to consistently achieve objectives. These processes should be integrated and not be seen as something ‘separate’. That is, it is not the quality department’s sole responsibility to ensure customer satisfaction!
What this means for our corner shop is that in addition to selling sweets and chocolate, our cashier’s job description should also include responsibilities for protecting the confidentiality of customer delivery addresses and credit card details, and for reporting daily sales figures accurately to management (information security); for ensuring that customers are happy with the service that they receive and that deliveries arrive on time (quality); for adhering to health and safety regulations, and for being alert to any risks that have the potential to cause harm to staff or customers visiting the shop (health and safety); and, in the event of an unexpected business disruption, for acting swiftly in accordance with pre-planned procedures (business continuity).
As we often hear from our experts on the subject of information security: “security is everyone’s responsibility” – but so are quality, health and safety, business continuity, environmental protection, and so on.
Integrate, don’t isolate.