A company's integrated management system includes:
- A quality management system, certified and in operation since 2014 and constantly being improved. It was rebuilt in accordance with the ISO 9001:2015 standard so that the risk management system became its core. In addition, the context definition activities were unified to bring together the external and internal factors affecting the company;
- An information security management system (ISMS) meeting the requirements of the ISO 27001 standard;
- An internal operational control system meeting the requirements of the SSAE 18 standard;
- A management system for projects, suppliers, documents, sales, infrastructure, etc.
The main problem with Russian companies is the lack of good managers
19 October, 2018
By Ekaterina Bryukhova, with comments from Andrey Kozlov, Organizational Development and Quality Director at Intercomp
Intercomp, a provider of financial and HR outsourcing services, has long been using an integrated management system (IMS). In addition to a basic quality management system, this IMS also includes an information security management system (ISMS) and an internal operational control system, neither of which is common in Russian companies. A social responsibility system is also currently under construction. We asked Andrey Kozlov, Organizational Development and Quality Director at Intercomp, who was directly involved in setting up the integrated management system in his company, to describe the features of these and other systems.
ProKachestvo: The ISMS is part of the integrated system in place in your company. Not all companies have one, although information security is a very relevant topic at the moment (especially in light of the law on protection of personal data). Companies usually state that they are committed to keeping the data received from their clients safe, but can this be done without an ISMS?
A.K.: Companies usually do not just pay lip service when they state that they protect customer data. Many have good technical means and competent management in this area. But there is not always a consolidating superstructure allowing the harmonious development of both areas, such as an ISMS set up in conformity with the ISO 27000 standard.
This standard is indeed not so popular in Russia, although information security was very well developed in the Soviet Union, especially in defense enterprises. Today, this matter has once again become relevant due to the development of IT. This is especially true for outsourcing companies, which are deemed to be operators of personal data under Federal Law No. 152-FZ.
The system automatically scores the vulnerability, the probability of risk occurrence and the possible related damage in accordance with the methodology developed by the company. Based on the resulting assessment, we devise response measures and appoint a person in charge of information security. As a rule, this person is the head of the division in which the risk may arise. Then checks are conducted, and this already falls within the responsibility of the quality management system.
ProKachestvo: You have raised the important issue of the division of responsibility. This is a major problem in many organizations where several management systems are used. Disputes often arise, for example, when it is necessary to determine to which system a particular risk should be attributed and who makes decisions on various aspects of activity (including quality assurance). How are such issues resolved in your company?
A.K.: This problem is relevant in organizations where different managers are responsible for each individual system. And, in my opinion, this is not right.
There is no universalization, global understanding or common vision, as the problems in "one's own" system are usually resolved at the expense of another system and, in the end, the organization as a whole loses out.
That is why our company's management initially concentrated the management of all systems in the department of organizational development and quality, using the quality management system as a platform on which second-level systems such as information security management, health and safety management, and project management were built. The personal data protection system sits within the information security management system, so it is already a third-level system (see fig.). The IMS maintains consolidated records, analyzes irregularities and prepares proposals for improvement. The main objective is to ensure service quality and customer satisfaction.
It has to be said that quality assurance issues have their own particularities. Please note that our IMS is treated as a management unit rather than a technical one.
Elsewhere, a technical specialist (production engineer, supervisor, etc.) rather than a manager heads such a subsystem. At best, this guarantees that verification, calibration, technical supervision, and input, output and intermediate control processes will be in place at production sites and in storage areas. But other areas such as recruitment, motivation, development, budgeting, IT, safety, etc. will not be addressed. This is not a comprehensive system: such a system is like a bird with one wing that cannot fly. It may allow production to be maintained for some time, but problems will accumulate in ancillary processes, and sooner or later they will cancel out all the best efforts.
ProKachestvo: And yet there is a kind of Quality Control Department in your company, too. This is the system of internal operational control based on the SSAE 18 standard, which is meant to assess the quality of reporting on the outsourcing projects managed by your company.
A.K.: This system of internal operational control can only partly be compared with a Quality Control Department. This system does conduct audits entailing an analysis of the completeness of documentation and its compliance with certain standards. The most qualified accountant-auditors and methodological consultants from our examination and methodology department conduct such analysis. Their work goes hand in hand with internal audit according to the ISO 9001 standard and is one of the two components of quality control.
However, an optional Quality Control Department is only a small part of this system. An equally important element is the methodological support provided by managers in each area. This support entails sending newsletters about changes in legislation, advising, etc.
Be that as it may, it is crucially important that quality control not be confined only to this. I have already mentioned that quality control of management (processes) is the duty of organizational development and management specialists, so accountants and methodology consultants in the field of financial outsourcing do not have the appropriate skills to audit business processes.
The system is harmonious only when it combines quality control of both products and management.
However, many companies encounter a serious problem when they build such a system, namely the lack of good managers. And this is typical for both commercial and state organizations. It is assumed that specialists, be they a production engineer, financial expert, etc., can be involved in management or organizational development. Yes, specialists may know production or supporting processes, but resolving management problems requires looking beyond the details, and as a result, organizational development comes down to grading and regulating business processes.
ProKachestvo: And what skills should a real manager have?
A.K.: A real manager needs to have a strategic vision and should not focus on one area, but should consider the bigger picture. A good manager also must understand that it is not possible to develop the company without allocating resources.
If all the juice is squeezed out of an enterprise, all its resources will be exhausted over time until it collapses and eventually ceases to exist. The same is true for certification. For example, a QMS manager is appointed just to check the box, from the beginning with neither trust nor authority from top management. Or internal audits are assigned to specialists of structural divisions in addition to their main duties. Setting up a special department does indeed require resources, but otherwise it turns out that no one is seriously dealing with the preparation for certification, and any attempt to resolve this issue is only formal.
Many managers and business owners are not really aware of the possibilities and benefits of having systems in place that conform to ISO standards. Possibly due to wrong organizational decisions, "fake" certification and a dismissive attitude toward ISO standards are flourishing in Russia. And we end up with a vicious circle: distrust of ISO due to a lack of understanding of its value and benefit, and vice versa.
ProKachestvo: What is unacceptable for companies that are aware of their social responsibility and even apply the ISO 26000 standard?
A.K.: Businessmen in Russia focus more on improving performance, and social responsibility is, in my opinion, perceived as something abstract, and thereby strange. This is probably why ISO 26000 is more popular in Europe and the United States, or in Russian companies with western roots, all the more so since it is not mandatory and there is no certification for it. It is a guide in which various aspects of the organization's existence in society are considered: interaction with related parties and the state, accountability, etc.
There is no comprehensive social responsibility management system in our company, only some elements of it. Some of these elements are necessary to meet the requirements of Russian law, namely observance of human rights, anti-corruption policy, etc. Others help shape and maintain corporate culture, for example, ethical business conduct.
This issue is not considered in all companies, and there are companies where employees fail to respond to queries and calls for a long time, and colleagues disrespect each other. I think this is a legacy of the Soviet bureaucracy. I do not criticize the Soviet era, which offered a lot of useful things, in particular in work organization, HR management and staff training. All this should be retained and used.
Nevertheless, as far as ethical business conduct is concerned, it is more useful to draw from European experience and ISO 26000 standard. Based on this standard, we have developed rules for discussions and response timing, and not only for client queries but also for emails from colleagues.
Conflict of interest is another important notion gleaned from ISO 26000. A conflict of interest may arise when interacting with clients, suppliers or inspection authorities or, for example, when divisions audit themselves. In some companies, employees of the company's IT department conduct internal audits of the company's information security system. There is virtually no control in such a case, so the first serious audit will identify and record this as a critical deficiency.
A special division has been assigned in our company to conduct internal audits. This allows conducting comprehensive audits, duly preparing documentation and avoiding conflicts of interest.
ProKachestvo: A conflict of interest may also arise when setting goals and assessing performance. A KPI system is in place in your company. Are goals sometimes duplicated or indicators rigged?
A.K.: Managers and employees do not set goals themselves: line managers set KPIs, while the company's shareholders set those for the company's director. Division managers link the company's strategic objectives with the goals of their department and convey this information to their staff. All indicators are monitored by the Financial Control Service, so they cannot be rigged.
It is true that this used to be the case in some regional offices. For example, the details of concluded contracts used to be entered in the system too soon, i.e. all agreements had been reached, but the documents had not been signed at the time of the audit. Such situations were always interpreted as follows: no supporting document, no event. So such cases were recorded as deficiencies.
ProKachestvo: Were the offenders punished?
A.K.: There was no point in imposing punishment. Standards provide for corrective actions depending on the causes of deficiencies, such as, for example, a change of plans. Employees might not have enough resources. As a result, they perform tasks quickly but poorly because they understand that there will be no time later. Or funds are not allocated for another full-time position. The issue of lack of resources should always be addressed by those who allocate them.
Another reason may be that a particular employee was unaware of certain tasks such as, for example, mandatory registry keeping. This is a sign of a breakdown in communication, on the one hand, and insufficient training on the other.
It is therefore always necessary to find out the true cause of any deficiency. This is indeed the key to the successful operation of any management system, including an integrated one.
A social responsibility system based on the ISO 26000:2010 guidelines is also in the making.