In the previous post I started a formal review of the requirements established in Subclause 4.1 of the ISO 22000:2018 standard.
I identified eight requirements in this sub-clause, and as you may have noticed, this identification was achieved by thoroughly breaking down the two paragraphs of this sub-clause. In this way, I could identify, according to the referenced standard, this first group of requirements as presented below:
Source: Ernesto Palomares Hilton, adapted from ISO 22000:2018 standard.
However, if the concepts considered by this standard are carefully analyzed, it is highly recommended, or rather necessary, to add to those already mentioned two further requirements that are not included in this document. In my personal view, this is a small but important gap in this and other management system standards, which curiously is not the case with the ISO 9001:2015 standard. These requirements are already incorporated in the following table, but I identify them with the number of the previous requirement, and with an asterisk, so as not to lose the sequence of the requirements established by the standard.
Source: Ernesto Palomares Hilton, adapted from ISO 22000:2018 standard.
I mention this point for anyone who wishes to consider it.
Now, I would like to mention, as support to those who wish to properly comply with these requirements, a couple of methodologies that can be of great use to organizations to identify the mentioned issues, both external and internal, and in this way they could comply with those first two (or four, if you decide that) requirements.
In order for the organization to be able to determine the external issues that are pertinent both for its purpose and, where applicable, its strategic direction, it is recommended that it use a methodology equivalent to the so-called PESTEL, through which the organization will be able to analyze the different factors that are out of its control (external issues), which are the political, economic, social, technological, environmental and legal factors. Joining the initials of all these factors forms the name of this method: PESTEL.
This analysis can help a work group selected by the organization to better understand both the markets and the competitive position of the organization itself, to plan strategically and to carry out market studies in new or existing markets. In relation to Subclause 4.1 of the ISO 22000:2018 standard, what is intended to be achieved with the application of this method is that the group identifies, prioritizes and selects the external issues that are relevant to the organization, and that these are considered in the establishment of the objectives of its food safety management system.
Now, in relation to the possible determination of internal issues, which are relevant both to its purpose and also to its strategic direction, it is important that the organization uses a methodology equivalent to the so-called "7S" of McKinsey. This method is so named because, I believe, it was developed by some expert employed by McKinsey & Company, Inc., which is a global strategic consultancy firm, and it involves the analysis of 7 factors that are under the control of the organization (internal issues), all of which begin with the letter "S" (in English): strategy, structure, systems, shared values, skills, staff and style.
In relation to this Subclause 4.1 of ISO 22000:2018, what is intended to be achieved with the application of this "7S" method is that the selected work group identifies, prioritizes and selects the internal issues that are relevant to the organization, and that these are considered in establishing the objectives of its food safety management system.
In the particular case of the ISO 22000 standard, it is important to include the issues considered in NOTE 2 of that Subclause, related to cyber security, food fraud and the so-called "food defense". We can understand these concepts as follows:
Cyber security is about preventing, detecting and responding to cyber attacks that could affect people, organizations, communities and countries. Cyber attacks are malicious attempts to access or damage a computer system or network. They are a set of offensive actions against information systems, which can be databases, computer networks, etc. The objective of these attacks is to damage, alter or destroy organizations or people. In addition, they can disable the services those systems provide, steal data, or use it for spying.
According to the European Union, food fraud refers to “any suspicious intentional action by companies or individuals with the aim of deceiving buyers and obtaining an undue advantage thereby”.
“Food Defense” is a collective term used in the federal agencies of the U.S.A. (FDA, USDA and DHS) to encompass activities related to the protection of the food supply against intentional or deliberate acts of contamination or alteration. Other similar terms are included in this term, such as bioterrorism (BT), or counterterrorism.
About those issues, an organization should identify the related factors that are external to it, and the related factors internal to it.
If the subject of the methodologies mentioned above, the PESTEL and McKinsey "7S" methods, is of interest to you, in a future post I will present a deeper description of how these two methods can be applied by an organization, as well as an analysis of why pertinent issues should be incorporated into the organization's strategic direction, in addition to those pertinent to its purpose, as stated in the standard.
In this sense, in order to comply with these first identified requirements, whether two in the first table or four in the second, it will be important for the organization to identify the methodology that it will apply to determine these issues, both external and internal, as well as the records, or retained documentation, about the actions taken, such as brainstorming sessions, analysis of the information presented, and the identification, prioritization and selection carried out to determine the external and internal issues relevant to the organization, as well as the information used for their analyses.
Now, regarding the last six requirements of this Subclause 4.1, in addition to the difference in terms of external and internal issues, we find three other terms: identification, review and update, which we should also separate in terms of their meaning, since they refer to different activities, and therefore correspond to different requirements.
If we consider the identified requirement No. 3, in order to comply with this requirement, the organization should identify all the relevant information on external issues considered pertinent to its purpose, through the compilation or listing of the information used for the analysis and identification of these external issues.
In order to demonstrate compliance with this requirement, the organization should retain and preserve all information that was considered in the analysis and determination of those relevant external issues.
Similarly, with respect to requirement No. 4 mentioned above, the organization should identify all the relevant information on internal issues considered pertinent to its purpose, by compiling or listing the information used for the analysis and identification of these internal issues. In the same way, in order to demonstrate compliance with this requirement, the organization should retain and preserve all the information that was considered for the analysis and determination of those relevant internal issues.
As you surely know, the ISO 9000:2015 standard can be used as a reference for other management systems standards. This standard defines the term review as follows:
Regarding requirement No. 5, previously mentioned, in order to achieve proper compliance, the organization should review all the information identified and analyzed on external issues. This review should be carried out through a formal evaluation of each of the supporting documents, publications or data used for the identification, prioritization and selection of external issues, as well as of the analysis carried out, to verify the validity and relevance of those external issues determined by the organization or, where appropriate, to promote the necessary adjustments. To demonstrate compliance with this requirement, the organization must generate, retain and preserve all information related to the review process of the information that was considered for the analysis and determination of those relevant external issues, as well as the results of said review.
In consideration of requirement No. 6, the organization should review all the information identified and analyzed on internal issues. This review should be carried out through a formal evaluation of each of the supporting documents and data used for the identification, prioritization and selection of internal issues, as well as of the analysis carried out, to verify the validity and relevance of those internal issues determined by the organization or, where appropriate, to promote the necessary adjustments. In a similar way as with the previous requirement, in order to demonstrate compliance with it, the organization should generate, retain and preserve all the information related to the review process of the information that was considered for the analysis and determination of those relevant internal issues, including information regarding the actions taken by the organization in relation to these issues, their results and, if applicable, the corrective actions taken, as well as the results of said review.
The ISO 22000:2018 standard defines the term update as:
To comply with requirement No. 7, the organization should update the information previously identified and reviewed, comparing it with the original publications, reports or data, to corroborate that these external issues determined by the organization are still valid in terms of the relevance originally identified or, if necessary, to make the appropriate adjustments. In order to demonstrate compliance with this requirement, the organization should generate, retain and maintain all the updated information, records of disparities between the original and current assumptions, as well as those external issues whose relevance should be analyzed again.
Similarly, to comply with requirement No. 8, the organization should update the information previously identified and reviewed, comparing it with the original internal publications, reports or data, to corroborate that these internal issues determined by the organization are still valid regarding the relevance originally identified or, if necessary, to make the appropriate adjustments. In order to demonstrate compliance with this requirement, the organization should generate, retain and maintain all the information related to the updated information, the disparities between the original assumptions and the current ones, as well as those internal issues whose relevance should be analyzed again.
In future posts I will continue analyzing other sub-clauses of this standard. Stay in touch with this blog.
Author:
Ernesto Palomares Hilton