If we can address gap 1 and be confident the directors are setting the appropriate direction through their policies, these then need to be translated into the management system. The task of documenting this often falls to QA (or one of the many flavours of QHSE) but how often is it really led by policies from the top?
How often are management systems documented on the basis of what is being done, on the assumption that this is already right? Documenting a system bottom-up will certainly stand the best chance of having system that will pass a compliance audit but, to coin a phrase, it’s putting the cart before the horse. There are good reasons why the first requirements of ISO9001 are to have management lead but, other than in small organisations (at the lower end of the SME range), it’s often led from the middle. The managing director may sign-off on policies but did he/she actually write them or decide what should go in? Do the policies provide a clear lead or are they too generic? Are the policies there to plug a gap in the management system documentation or do they direct?
To take a common example, the “Quality Policy” is not part of the QMS (quality management system) – it is the standard that defines what the management system should deliver. It should be setting direction and delegating responsibilities. A quality policy written by the quality manager and presented to the managing director for signing is being led from the middle. Leadership must come from the top and the management system must be aligned to that leadership. And gap 2 won’t be picked up in audits (those address gap 3) – this is where the “management review” comes to the fore, but only if the most senior management take part and are engaged. A management review without the directors is little more than a desktop system audit – not a tool to determine if the management system is set out to deliver what it should.