Once again fellow Compliance Professionals, during this unprecedented time of lockdowns, quarantines and social distancing, it's time to look at those jobs you almost never get around to.
This time, you need to review your interested parties register.
This idea comes from an ongoing series of blogs that originated from "26 Ideas for Working from Home for Compliance Professionals".
Not only do we discuss when to review your interested parties register but we also discuss the purpose of the register and how to create the register.
Purpose of an Interested Parties Register
What's the purpose of having interested parties register? Why would you want to list your interested parties in a register?
There are two things there:
- What's the purpose of interested parties?
- And why do you want to have a register?
Starting with the second one, having a register is the same logic goes with anything else:
- You want things to be recorded so you can have that business continuity for organisational knowledge.
- You want to have defined responsibilities on what you need to do.
- You have to think about the processes that you've put in place to manage those interested parties.
- You want to record those.
And so having a register is essential for maintaining that organisational knowledge.
Putting that aside, why do we need to have organised interested parties list?
A list of interested parties is who can have an impact on our company?
Now, whether that's quality, environmental, health and safety or a wider picture, which is just as a business who can have an impact on us? And who can we have an impact on?
The quality of our work would, have an impact on our clients and our customers.
The quality of our suppliers and products and services would have an impact on us delivering good quality products and service on our clients.
So on every single one of those categories, you have to think about, who can have an impact on you, and the domino effect of you having an impact on someone else, which as a result, then their products and services would be impacted for their clients.
And so, this is essentially what you need to think about.
You know who those interested parties are, and it could be your:
- Clients (internal or external)
- Internal stakeholders
- Team Leaders
- Management team
- Regulatory bodies
- Certification bodies
All of these can have an impact on quality of your organisation, or health and safety, environmental or as a wider picture just on your business.
How to Create an Interested Parties Register
What's the best way of creating an interested parties register? You get your management team together and talk about it? Is that the best way? What's the most efficient way?
The most efficient way is to actually put the categories in place.
This is something that if you want to start from scratch, it may take days and weeks because people just want to get their head around it.
The best way is for someone to actually put a list together. Then talk about the logic of how you manage every individual interested parties and also the practical side of things.
If you discuss this with your Procurement Manager or Purchasing Officer, they'll say, “How do you manage these suppliers?” He can write a book about it.
But if you take a step back, what are the impacts that interested parties have on us?
Someone needs to actually put this list together and say, "Okay, so we need to have a list of our interested parties and then:
- What is their impact on us?
- What is our impact on them?
- What processes and procedures have we put in place to actually manage or mitigate those risks or maximize those opportunities?
- Who’s responsible for it?
- How frequently shall we review this?"
With all the new ISO standards, you no longer need to review things for sake of reviewing them, everything is risk based.
If you've got a supplier, as an example from China. With all the COVID-19 cases, that now we have, you need to change the frequency of your review, because that may have an impact on the delivery of your product. Then as a management team agree on, shall we review this every month?
Or if it is a low impact, it might be something that you might be in a certain type of business that you wouldn't impact the public as much, or public doesn't have a huge impact on your business. And then you may want to review that every few years or it will just become a tick box.
In my experience, what you want to spend that management time on is: -
- what processes we put in place
- who's responsible for it
- how frequently we should review it
Rather than getting everyone to actually develop that register, because not everyone would, be able to contribute to that because everyone's in their silo or on their part of the business. They are specialised and expert in what they do.
Someone needs to take a step back and look at the whole organisation and all interested parties and then utilize everyone's time on:
- how we're managing them
- what the processes are that would have an impact on them.
So, if you ask a CEO, for example, how do you control or manage the executives team or management team, then they will tell you, "we have executive meetings and reports that I get from them. And we have one-on-one catch-ups".
But if you say, "so what are the interested parties? What are our internal interested parties?" Then that's sometimes you need to be careful about the terminology. People may not know what interested parties are. The ISO terminology can sometimes be confusing.
How to Review Your Interested Parties Register
How often do you review interested parties registers?
The review of them are risk based and it needs to be practical.
The good thing about all the new ISO standards, as I mentioned, is you don't review things for sake of reviewing.
This is why people think that compliance would cost them money.
The reality is, no one has asked you that you need to review that every month.
Whereas I know some companies that put that on their management agenda that every month you want to review this and it's perceived as ISO have asked them that they need to do it, but no ISO haven't asked you, you have defined that you need to review it.
So if you think a risk register, for example, talking about management of risk, if you think your risk register needs to be reviewed every month, you decide that you need to review that and assign those responsibilities to people.
If you think that the risk register needs to be reviewed every year, then review it every year.
Obviously, the logic of risk-based thinking is based on the number of accidents you have based on the risks you have.
As an example, if you have lots of contractor issues and supplier issues, whether quality, health and safety, delivery, then you can say, "ah, we thought there's not much risk and we'll review it every year." Because then the auditors will challenge you to say why do you think the risk is quite low when you have this many accidents? When you have this many late deliveries or quality issues or environmental issues?
So, one is what the business thinks the review should be.
Another one is that logic needs to be justified based on the number of your audit findings, number of incidents that you have, number of quality issues and delivery issues that you have, the risk that those interested parties are exposing you to.
So there needs to be a justification for what you decide the risk base review is.