IMS: Continual Improvement Through Auditing

Integrated Management Systems Series

The Integrated Management Systems (IMS) series of books provides practical guidance and advice on integrating the systems operating within an organization. The IMS series provides a framework into which additional management systems can be incorporated. Each volume is written by an acknowledged expert in the field. The series editor is David Smith of IMS Risk Solutions Ltd, who has been involved in writing management system standards since the early 1990s and is himself the author of a number of BSI books on the subject.

IMS: The Framework
IMS: Implementing and Operating
IMS: Customer Satisfaction
IMS: Creating a Manual
IMS: Information Security
IMS: Managing Food Safety
IMS: Risk Management for Good Governance
IMS: The Excellence Model
IMS: Continual Improvement Through Auditing

IMS Risk Solutions Ltd

First published by BSI 2004
© IMS Risk Solutions Ltd, 2004
ISBN 580 44448
BSI reference: BIP 2011

The right of IMS Risk Solutions Ltd to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988. A catalogue record for this book is available from the British Library.

Copyright subsists in all BSI publications. Except as permitted under the Copyright, Designs and Patents Act 1988 no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior written permission from BSI. If permission is granted, the terms may include royalty payments or a licensing agreement. Details and advice can be obtained from the Copyright Manager, British Standards Institution, 389 Chiswick High Road, London W4 4AL.

Great care has been taken to ensure accuracy in the compilation and preparation of this publication. However,
since it is intended as a guide and not a definitive statement, the authors and BSI cannot in any circumstances accept responsibility for the results of any action taken on the basis of the information contained in the publication nor for any errors or omissions. This does not affect your statutory rights.

Typeset by Monolith – www.monolith.uk.com
Printed by PIMS Digital

Contents

The requirement of continual improvement
Measuring improvement
The function of auditing
Organizing the audit
Planning the audit
Doing the audit
Checking the results
Acting to improve the system
Improving the audit
10 Meeting specific standards
Appendix IMS framework
Appendix Process mapping
References

Figures

1.1 Continual improvement in a process-based system
1.2 Continual improvement in relation to the PDCA model
3.1 A simple example of process mapping
5.1 A simple example of risk analysis
A.2.1 A simple example – making a cup of tea
A.2.2 Symbols used in process mapping

The requirement of continual improvement

Any organization of any kind should seek to improve its performance all the time. No business can plan to stand still just as it is, because if it does it will inevitably decline. Everyone should try to reduce their costs, improve their performance, increase their sales, make more profits or satisfy more customers or clients. That is obvious, and nothing new. What is new is that some management system standards now specify continual improvement as a requirement, not just an intention; and it is the system itself that has to be improved, not merely some aspect of the operation of the business.

The integrated management system (IMS) framework (see Appendix 1) states that ‘The organization should establish, document, implement and maintain a management system and seek to continually improve its effectiveness’ (section 0). It continues ‘The organization should … implement actions necessary to achieve planned results and continual improvement
of these processes’. That is a statement of intent, but elsewhere continual improvement is a mandatory requirement. ISO 9001:2000 includes the following requirement: ‘The organization shall continually improve the effectiveness of the quality management system …’ (8.5.1) and ISO 9004 is entitled ‘Guidelines for performance improvements’. ISO 14001:1996 requires that ‘Top management shall define the organization’s environmental policy and ensure that it … includes a commitment to continual improvement …’. The same applies in the field of occupational health and safety. OHSAS 18001:1999 requires that an organization’s policy ‘shall include a commitment to continual improvement’ (4.2).

It may well be asked how one can undertake to achieve continual improvement in anything. Surely if something is working as well as can be imagined, further improvement is not possible, let alone continual improvement? The old adage ‘If it ain’t broke don’t try and fix it’ suggests that it is not always sensible to try to improve things. That is only partly true. No matter how good something is, it is always sensible to consider how it might be improved – in terms of efficiency or cost or performance. However, change for change’s sake is never a good idea, unless you are a politician trying to leave your mark on the world, and changes need to be controlled sensibly. One large engineering company, mass producing consumer goods, was almost brought to a standstill by the flood of changes implemented – design office instructions coming out of the design department made life almost impossible for the production engineers. Similarly, it is not uncommon to hear complaints from the National Health Service, schools and almost every public service of how they are handicapped by the constant stream of ‘new initiatives’ imposed on them by government departments desperately anxious to show the public that they are doing something.

But that is not to say that looking for
ways to improve is wrong – improving products, services and systems by which a business is managed. It is how to achieve these improvements in practice which is the subject of this book.

If a goal is to improve a product or service, an obvious start point is to look at the ways in which the existing product is failing to meet the needs of the customer, and how these shortcomings can be remedied. It may be that the product is too expensive, or too unreliable; that hospital waiting lists are too long; that school exam results are unsatisfactory; or that the clearup rate of crimes is unacceptably low. All these things can be measured, and performance indicators compiled, so that improvement can be measured. To be able to demonstrate that improvement has taken place, some kind of measurement is essential if the judgement is not to be entirely subjective, but defining meaningful performance indicators is not always easy.

The task may be particularly difficult when one is considering improvement in a management system. Clearly one can look at failures in the system, and their elimination, just as a production system can be improved by reducing the numbers of rejects, but that will provide only a small part of the answer. Improvement should also be sought in a system that is working well, but could work better, which is less easy to measure. As will be seen, this is best achieved by an audit system which not only looks for failures, in a negative fashion, but looks proactively at how things could be improved. Any control system requires feedback if it is to work properly, and auditing provides that feedback.

Improving the processes

So how does one get to grips with improving a business?
(We use the term ‘business’ rather than ‘organization’ for a number of reasons. It is shorter. It serves as a reminder that a hospital or school or a government department are all businesses in the sense that they are all seeking to satisfy customers or clients and other stakeholders.)

It is the processes in the businesses that we are seeking to improve. A process is any activity carried out within the business where value is added to an input to produce an output. At its simplest, it can be answering the telephone or opening a letter. Often, or indeed usually, the output from one process forms the input to another. Having opened the letter, perhaps it is acknowledged and then passed to the person who will deal with it. Processes are normally planned, carried out under controlled conditions (i.e. there are rules or procedures) and add value to the input. The quality standard ISO 9001:2000 requires that the business shall ‘identify the processes needed for the quality management system and their application throughout the organization’ (4.1).

A model of a process-based management system is illustrated in Figure 1.1. This is based on a diagram in ISO 9001 where it is used to illustrate continual improvement in relation to a quality system, but it is by no means peculiar to product quality. As will be seen, it is equally applicable to environmental systems, to health and safety or indeed to any management system. Continual improvement is a requirement for all of them.

[Figure 1.1 Continual improvement in a process-based system. Diagram labels: Continual Improvement; Management Responsibility for Risk; Resource Management; Risk Control Measures; Monitoring, Analysis and Improvement; Interested Parties; Requirements; Satisfaction; Input; Output. Key: Value adding activities; Information flow.]

Appendix IMS framework

Management system

The organization should establish, document, implement and maintain a management system and seek to continually improve its effectiveness.

The organization should:
a) identify the processes needed for the management system and their application throughout the organization;
b) determine the sequence and interaction of these processes;
c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective;
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes;
e) monitor, measure and analyse these processes; and
f) implement actions necessary to achieve planned results and continual improvement of these processes.

Policy

Policy and principles

Top management should ensure that the stated policy:
a) is appropriate to the organization;
b) includes a commitment to comply with all relevant requirements and to continually improve the effectiveness of the management system;
c) provides a framework for establishing and reviewing objectives;
d) is communicated, where appropriate, and is understood within the organization; and
e) is reviewed for continuing suitability.

Planning

I d e n ti fi c ati o n an d o f as p e c ts ri s ks Th e o rgan i zati o n th o s e as p ec ts sh ou l d o f i ts an d /o r i m p rove d p arty(i e s ) Th i s 2 S el e c ti o n as p ec ts o f s i gn i fi c an t to 2 b e ad d res s e d O b j e c ti ve s an d targe ts i n cl
u d es sh ou l d n e ed ed s er vi c e , are th e o f re s o u rc e s e s tab l i s h for trol to th e Th e o rgan i zati o n d eterm i n e to an d b) I d e n ti fi c ati o n of o rgan i zati o n al s tru c tu re s , ro l es , re s p o n s i b i l i ti es to e n s u re an d p rovi d e i m p l em en t an d e n h an c e as au th o ri ti e s far as To p an d th e sh ou l d th e th e an d l eve l s wi th i n m e as u rab l e an d avai l ab i l i ty o f ad e q u ate n e ed e d : m an age m e n t s ys te m an d e ffe c ti ve n e s s ; an d by m e e ti n g req u i re m e n ts i d en ti fy th e ro l e s , res p o n s i b i l i ti e s , e n s u re e ffe c ti ve m an age m e n t s h o u l d ac c o u n tab i l i ti e s be res o u rc es I t s h o u l d re s o u rc e s m n tai n sh ou l d to o b j e c ti ves , i n c l u d i n g fo r p ro d u c t an d /o r th e i r i n terre l ati o n s h i p s n ee d e d fo r p ri o ri ti zi n g i ts a s i gn i fi c an t i m p ac t are th at th e fi n an c i al s ati s fac ti o n Th e o rgan i zati o n au th o ri ti es an d h ave p o l i c y c o n ti n u al l y i m p rove i ts c o n tro l l e d b e i d e n ti fi e d at re l evan t fu n c ti o n s sh ou l d h u m an , i n fras tru c tu re a) be d e s i gn Wh ere a p ro c e s s m e et req u i re m e n ts es tab l i s h e d fo r i d e n ti fyi n g to m easu res wh ere th i s i s appropri ate en s u re o rgan i zati o n Th e o b j ec ti ves c o n s i s te n t wi th I d e n ti fi c ati o n an d sh ou l d th at th o s e th at wo u l d m an age m e n t s h o u l d th o s e re s earc h Th e o rgan i zati o n To p n e ed s ati s fy th e re l evan t i n te re s ted req u i rem en ts as p e c ts , s o o rd e r to a p ro c e s s wh i c h ap p ro p ri ate , l e gal read i l y i d en ti fi ed in e s tab l i s h o p e rati o n en s u re are d efi n e d an d wi th i n an d th e th e o rgan i zati o n effi c i e n t o p erati o n res p o n s i b i l i ti e s c o m m u n i c ated an d wi th i n th e o rgan i 
zati o n Pl an n i n g o f o p e rati o n al c o n tro l Th e o rgan i zati o n th at are wi th i ts sh ou l d C o n ti n gen c y p re p ared n es s fo r fo res e eab l e eve n ts wi th p o l i c y, o b j e c ti ve s p l an an d i m p l em en tati o n sh ou l d as s o c i ated 88 an d e s tab l i s h re s p o n d i n g to sh ou l d o f an y s u c h an d ac ti vi ti e s s i gn i fi c an t as p e c ts targets Th e o p erati o n al sh ou l d s i tu ati o n Th e p ro c e s s c o n s e q u en c e s i d en ti fi ed d evel o p th e p ro c e s s o f th e Th e o rgan i zati o n i d en ti fyi n g an d i d en ti fy th o s e o p erati o n s th e in line o rgan i zati o n n e c es s ary fo r e ffe c ti ve c o n tro l an d an y p o te n ti al s e ek to m eas u res m n tai n a p ro c es s p reven t an d o c c u rre n c e fo r e m e rgen c y m i ti gate th e Appendix IMS framework Section Elements I m pl em en tati on an d operati on O p e rati o n al c o n tro l Th e o rgan i zati o n th e o p e rati o n al a) b) sh ou l d l eve l th e o b j e c ti ve s are b ei n g m e t; e n s u re arran ge m e n ts an d re q u i re m e n ts c) th e p ro d u c t/s e rvi c e th e an d in p l ac e at fo r th e p ro d u c t/s ervi c es th e n e c es s ary p ro c e s s e s , d o c u m e n ts , an d to are th at e n s u re th at: are re s o u rc e s s p ec i fi c p rovi d ed ; n ec e s s ary veri fi c ati o n , val i d ati o n , m o n i to ri n g, i n s p e c ti o n tes t ac ti vi ti e s s p e c i fi c to th e p ro d u c t/s er vi c e are i n s ti gated ; d) th e rec o rd s p ro c e s s e s M an age m e n t o f h u m an re s o u rc e s Th e o rgan i zati o n o u t ac ti vi ti e s ap p ro p ri ate th em Th e n e ed e d to to p rovi d e on sh ou l d i ts u n d ertake b e h al f s h o u l d o rgan i zati o n eval u ate b) en s u re al l M an age m e n t o f o th e r 3 re s o u rc e s Th e D o c u m e n tati o n c o n tro l i ts Th e effec ti ven e s s th at i ts o f th e ac ti o n s p ers o n n e l o 
rgan i zati o n sh ou l d n eed ed are aware to of e n ab l e an d take n ; o f th e re l evan c e an d h ow th ey c o n tri b u te to d eterm i n e , p rovi d e an d to ac h i eve i ts m n tai n th e o b j e c ti ve s I n fras tru c tu re ap p l i c ab l e : b u i l d i n gs , wo rks p ac e an d b) p ro c es s c) s u p p o rti n g s e rvi c e s D o c u m en tati o n a) d o c u m e n te d b) a m an u al s ys te m as s o c i ated e q u i p m e n t (b o th (s u c h as u ti l i ti es ; an d s o ftware ) ; an d tran s p o rt o r c o m m u n i c ati o n ) d o c u m e n tati o n s tatem en ts d e s c ri b i n g th e (s e e h ard ware req u i rem en ts m an age m e n t s ys tem c) th e b as i s exp e ri e n c e th ei r d u ti e s a) an d sh ou l d : th e i n fras tru c tu re an d c arryi n g ac h i eve m e n t o f th e o b j ec ti ve s i n c l u d e s , as p ers o n n el b e c o m p e te n t o n i m p o rtan c e o f th ei r ac ti vi ti e s 3 are p ro d u c ed e n s u re th at th e e d u c ati o n , trai n i n g, s ki l l s a) th e evi d e n c e o f th e real i zati o n m ee ti n g re q u i rem en ts sh ou l d o f th e p o l i c i e s i n cl u d e: an d wo rki n g o f th e o b j e c ti ve s ; m an age m e n t ) ; d o c u m e n te d p ro c e d u re s th at are req u i red by s p ec i fi c s tan d ard s ; d) d o c u m e n ts n ee d ed by th e o rgan i zati o n effecti ve pl an n i n g, operati on e) N o te re c o rd s Wh ere m ean s re q u i re d th e th at th e te rm ‘ d o c u m e n ted p ro c ed u re is an d o n e o rgan i zati o n p ro c ed u re ’ ap p ears , th i s m n tai n ed to d o c u m e n tati o n an o th er d u e a) th e s i ze th e c o m p l e xi ty o f p ro c es s e s th e c o m p e te n c e c) th e e s tab l i s h ed , d o c u m e n te d , b) N ote o f o rgan i zati o n en s u re of i ts processes; an d s tan d ard Th e e xte n t o f th e m an age m e n t s ys te m d i ffe r fro m to trol by an y s p ec i fi c i m p l em en ted , c o n tro l l e d N o te an d 
an d typ e an d c an to : o f ac ti vi ti e s ; th ei r i n te rac ti o n s ; an d o f p e rs o n n e l Th e d o cu m en tati o n c an be i n an y form or type of m ed i u m 89 IMS: Continual Improvement Through Auditing 3.4.2 Integrated management system manual The organization should establish and maintain a manual that includes: a) the scope of the management system, including details of and justification for any exclusions; b) the documented procedures established for the management system, or reference to them; and c) a description of the interaction between the processes of the management system 3.4.3 Control of documents Documents required by the management system should be controlled Records are a special type of document and should be controlled according to the requirements of those specific standards covered by the IMS A documented procedure should be established to define the controls needed: a) to approve documents for adequacy prior to issue; b) to review and update as necessary and re-approve documents; c) to ensure that changes and current revision status of documents are identified; d) to ensure that relevant versions of applicable documents are available at points of use; e) to ensure that documents remain legible and readily identifiable; f) to ensure that documents of external origin are identified and their distribution controlled; and g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose 3.4.4 Control of records Records should be established and maintained to provide evidence of conformity to requirements and of the effective operation of the management system Records should remain legible, readily identifiable and retrievable A documented procedure should be established to define the controls needed for the identification, storage, protection, retrieval, retention and disposal of records 3.5 Communication 3.5 The organization should determine and implement 
effective arrangements for communication:
a) between the various levels of the organization as appropriate to their needs;
b) for receiving, documenting and responding to relevant communication from external interested parties.

3.6 Relationship with suppliers and contractors

The organization should formalize its arrangements for those who supply and contract their services, both internal and external, which have an impact on the organization’s performance.

Performance assessment

General

The organization should establish and measure the characteristics of the product and/or services, to verify that requirements have been met. This should be carried out at appropriate stages of the process in accordance with the planned arrangements.

4.1 Monitoring and measurement

The organization should establish and maintain arrangements to monitor and measure, on a regular basis, the key characteristics of its operations and activities that can have a significant impact. This should include the recording of information to track performance, relevant operational controls and conformance with the organization’s objectives and targets. The organization should establish and maintain a process for periodically evaluating the performance against the requirements of relevant interested parties.

4.2 Analysing and handling nonconformities

The methods used for analysing performance should demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, corrective action should be taken. Evidence of conformity with the acceptance criteria should be maintained and recorded.

4.3 Management system audit

The organization should establish and maintain an audit programme for periodic management system audits to be carried out in order to determine whether or not the management system:
a) conforms to planned arrangements for the management system;
b) has been properly implemented and maintained, and is being
adhered to.

The audit programme, including any schedule, should be based on the results of risk assessment of the organization’s activities, and the results of previous audits. The audit arrangements should cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. Wherever possible, audits should be conducted by personnel independent of those having direct responsibility for the activity being examined.

Improvement

5.1 Corrective action

The organization should establish a process for defining responsibility and authority for implementing action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions should be appropriate to the effect of the nonconformities encountered. A process should be established to define requirements for:
a) reviewing nonconformities (including stakeholder comments);
b) determining the causes of nonconformities;
c) evaluating the need for action to ensure that nonconformities do not recur;
d) determining and implementing the action needed;
e) recording the results of action taken; and
f) reviewing corrective action taken.

5.2 Preventive action

The organization should establish a process for defining responsibility and authority for implementing action appropriate to the risk.

5.3 Continual improvement

The organization should continually improve the effectiveness of the management system through the use of the policy, objectives, audit results, analysis of data from monitoring and measurement, corrective and preventive actions and management

Management review

General

Top management should review the organization’s management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. This review should include assessing opportunities for improvement and the need for changes to the management system, including policy and objectives. Records from management reviews should be maintained.

Review input

The input to management review should include information on:
a) results of audits;
b) stakeholder feedback;
c) status of preventive and corrective actions;
d) follow-up actions from previous management reviews;
e) changes that could affect the management system; and
f) recommendations for improvement.

Review output

The output from the management review should include any decisions and actions related to:
a) improvement of the effectiveness of the management system and its processes;
b) improvement related to stakeholder requirements; and
c) resource needs.

Appendix Process mapping

Most modern management systems are now constructed around processes rather than procedures. A process is often defined as the mechanism whereby an input is converted into an output. More specifically, the objective is to add value to its inputs to meet the needs of its customers, and a process is any activity that forms part of that sequence of adding value. A procedure on the other hand describes how an activity is to be carried out; it is concerned with means and methods rather than inputs and outputs. Procedures or operating instructions may still be needed to describe how a process is carried out, but they do not define the process.

There are various ways in which processes can be identified and recorded, but process mapping is the most frequently used, employing activity sequence flow charts. A simple example – of making a cup of tea – was included in an earlier book in this series, and is reproduced
below. Whilst this may be regarded as a trivial example, it serves to illustrate some important points. Process maps should be kept as simple as possible. Normally only three or four different symbols will be needed to show the activities and their relationship. The symbols commonly used are shown in Figure A.2.2.

The example also serves to demonstrate the difference between a flow chart and a critical path diagram. Clearly if you were going to make a cup of tea you would put the kettle on to boil before you put the tea bag in the cup. However, if critical path diagrams are in existence they can be helpful in creating the process map – as indeed can procedures and work instructions as long as the distinctions between them are kept clearly in mind.

In this example the process is complete in itself. In a business organization there will be few stand-alone processes – most will receive output from a previous process and after the process has been carried out pass the output on to another. There will need to be link symbols to show where one process connects with another until, at least conceptually, the whole organization will have been mapped.

For businesses where the number of processes is not great (and this depends on the complexity of the business, not its size) a simple manual system of process mapping may be sufficient. If this proves difficult, a computer-based system may be needed – there are a number of packages available. It is important, however, that the processes should be identified and mapped by the people actually carrying them out. Not only do they know what really happens, but they will appreciate how their work contributes to the total activities of the business, and this encourages the development of a team attitude. The staff concerned will need some training in how to identify and map processes, but this is not usually a source of difficulty. It will take longer if computer systems are used.

The identification of processes is a
requirement of ISO 9001 and is helpful in almost any situation. Process mapping is not obligatory, but offers many advantages over purely written process descriptions. It shows the interrelationship of processes, which in turn enables consequences of changes to be identified, and helps to spotlight unnecessary processes. It also provides a useful framework not only for identifying the resources necessary for each process but also for identifying the risks associated with each and the consequences of those risks on subsequent processes in the sequence.

[Figure A A simple example – making a cup of tea]

The Process Map (steps in sequence):
Want a cup of tea
Get a clean cup
Put a tea bag in cup
Put water in kettle
Boil water in kettle
Pour boiling water in cup
Remove tea bag
Add milk? (No / Yes)
Add sugar? (No / Yes)
Stir
Drink tea

Resources needed:
Equipment: cup, electric kettle, spoon
Materials: water, tea bag, (milk), (sugar)
Services: electricity
Personnel: someone to make the tea

In constructing process maps the following symbols will be sufficient for most purposes:

[Figure A.2.2 Symbols used in process mapping. Symbols shown: Activity; Connector; Documentation; Data storage; Decision point; Start/finish.]

References

BSI Integrated Management Systems Series

Smith, D (2003) IMS: Creating a Manual, London: BSI
Nowacki, G (2003) IMS: Customer Satisfaction, London: BSI
Hinch, H (2003) IMS: Managing Food Safety, London: BSI
Kelly, JM (2004) IMS: The Excellence Model, London: BSI
IMS Risk Solutions (2003) IMS: Risk Management for Good Governance, London: BSI

Standards publications

BS 7799 Information security management. Code of practice for information security management
BS 7799-2:1999 (BS ISO 17799) Information security management. Specification with guidance for use
BS 8600:1999 Complaints management systems. Guide to design and implementation
BS EN ISO 19011:2002 Guidelines for quality and/or environmental management systems
auditing
ISO 9001:2000 Quality management systems – Requirements
ISO 9004 Quality management systems – Guidelines for performance improvements
ISO 14001:1996 Environmental management systems – Specification with guidance for use
ISO 15161:2001 Guidelines on the application of ISO 9001:2000 for the food and drink industry
ISO 17799 Information technology – Code of practice for information security management
ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing
ISO 22000 (not yet published)
OHSAS 18001:1999 Occupational health and safety management systems. Specification
OHSAS 18002:2000 Occupational health and safety management systems. Guidelines for the implementation of OHSAS 8001

European Directive

European Medical Devices Directive