ISO 22458 Clause 4

Clause 4 sets the foundations for an inclusive service - top management commitment, the nine guiding principles, an outcomes-focused strategy, named responsibility and four required policies.

ISO 22458 Clause 4 - Organizational Commitment, Principles and Strategy

Clause 4 is where the standard establishes the cultural and strategic foundations that everything else rests on. The technical requirements in later clauses on inclusive design, identification and response will not deliver good outcomes unless top management has signed up to the principles, an outcomes-focused strategy is in place, someone in the organisation owns the agenda, and the right policies are written down. Clause 4 is short but it is the clause that an auditor will look at first because it sets the tone for everything that follows.

Commitment from Top Management - ISO 22458 Clause 4.1

Top management must demonstrate a clear commitment to improving outcomes for consumers in vulnerable situations and to minimising the risk of consumer harm. This is not a matter of signing off a policy and moving on. The standard requires the commitment to be embedded across the organisation through ongoing engagement and communication with staff, which means it has to show up in board reports, in management review, in induction and in day-to-day decisions about service design.

In practice, organisations evidence this through a publicly shareable code of conduct, named accountability for the inclusive service strategy, a recurring slot in management review, and visible engagement of senior leaders with the relevant data and trends.

The Nine Principles - ISO 22458 Clause 4.2

The standard sets out nine principles that top management must demonstrate at all stages of service design and delivery, and which must be communicated to staff at all levels.

  • Accountability - take responsibility for organisational actions and the outcomes they produce for consumers.
  • Empathy - treat consumers in vulnerable situations with kindness, without judgement or assumption.
  • Empowerment - give consumers the tools to make informed decisions, and give staff the tools to support them.
  • Fairness - treat all consumers fairly, do not discriminate, mislead or exploit.
  • Flexibility - adapt service provision to suit individual needs and abilities.
  • Inclusivity - design services so they are accessible to and usable by a diverse range of individuals.
  • Innovation - use new technology and processes creatively, while watching for unintended exclusion.
  • Privacy - treat personal information respectfully and confidentially.
  • Transparency - be clear and open about the inclusive service intent, the support available, the policies and the risks.

These nine sit naturally inside a code of conduct and a consumer vulnerability policy. They are also useful as a framework for staff training and as a checklist against existing service journeys - if any aspect of the customer experience would fail one of these tests, the standard expects that gap to be identified and addressed.

Outcomes-focused Strategy - ISO 22458 Clause 4.3.1

The strategy required by ISO 22458 is outcomes-focused, not process-focused. The aim is positive outcomes for consumers in vulnerable situations, and the standard sets out six things the organisation must achieve:

  • Consumers in vulnerable situations can be confident of fair treatment and outcomes as good as those for other consumers.
  • Services are designed inclusively for a wide range of needs and abilities, and do not create or increase the risk of harm.
  • Consumers can obtain, understand and make informed decisions based on the information and support provided.
  • Information, advice and support are suitable for the consumer's needs and personal circumstances.
  • Consumers do not face unreasonable barriers to accessing services, communicating, switching, complaining or obtaining redress.
  • Services do not unfairly disadvantage or penalise people in vulnerable situations.

The phrase that often catches organisations out is "outcomes as good as those for other consumers". Equal effort is not enough - if a complaints process produces good outcomes for confident, articulate complainants but consistently leaves vulnerable consumers without resolution, the strategy is not delivering.

Designated Responsibility - ISO 22458 Clause 4.3.2

The standard requires the organisation to designate a specific member or members of staff with overall responsibility for the inclusive service. In alphaZ documentation this person is called the Vulnerable Consumer Representative (VCR) and the role covers advocacy and coordination of the strategy, implementation of policies and procedures, identifying and allocating resources, collecting data on vulnerability risk factors, staff awareness and training, performance monitoring and reporting back to top management on complaints, systemic issues and trends.

All staff need to know who the responsible person is, what they do and how to contact them. This is easy to evidence through the organisational chart, induction materials and the IMS1 responsibilities section.

Proactive Approach - ISO 22458 Clause 4.3.3

A proactive approach means the organisation seeks to understand, anticipate and meet the needs of consumers in vulnerable situations before problems arise, rather than reacting after harm has occurred. The standard sets out three mechanisms - collecting and responding to data and insight about customers, seeking and acting on feedback from customers and staff, and engaging effectively with relevant stakeholders such as consumer organisations and groups representing people with lived experience of vulnerability.

Required Policies - ISO 22458 Clause 4.3.4

Clause 4.3.4 names four policies that the organisation must have as a minimum. These are the structural backbone of the management system.

  • Consumer vulnerability policy - how the organisation plans to design and deliver an inclusive service, including whether a specialist internal vulnerability team is needed and the rationale for that decision.
  • Data protection policy - how privacy and security of personal information will be maintained.
  • Third-party representatives policy - how frontline staff deal with people acting on behalf of consumers in vulnerable situations.
  • Interruptions to essential services policy - where the organisation considers any of its services to be essential, how it deals with vulnerable consumers affected by planned or unplanned interruptions.

Processes and procedures supporting these policies should be flexible and easily adaptable so they can respond to social or market changes. A policy that has not been reviewed since it was first issued is unlikely to satisfy this requirement.

When auditing this clause I look for evidence that top management commitment is real rather than written. The code of conduct on the website is a starting point, but it is not enough on its own. Beyond that I want to see consumer vulnerability discussed in management review minutes, the Vulnerable Consumer Representative named on the org chart, trend data being reviewed regularly, and clear evidence that decisions have actually flowed from the data rather than the same outputs being received and filed.

I also check that the four required policies exist and are current. Where the organisation has decided it does not need a specialist internal vulnerability team, I expect the rationale for that decision to be recorded somewhere, usually in the consumer vulnerability policy itself, and ideally with a recent review date showing the decision has been revisited.

The cleanest evidence I have seen pulls all of this together at the front of the procedure document so the auditor does not have to hunt.

The four required policies are not as scary as they sound. Two of them you probably already have if you have any kind of management system - data protection and equal opportunities. The third, the consumer vulnerability policy, is the one you write specifically for this standard. The fourth, interruptions to essential services, only applies if you provide essential services.

If you are not sure whether your services are essential, the standard gives the test - vital to consumer health and wellbeing, with high risk of harm if access is lost. If that does not describe what you provide, you do not need that policy.

Practical Compliance Guidance

Where IMS1 is in use, Clause 4 is reflected in the front cover (standard listed), Section 1.2 (scope), Section 1.6 (relevant standards), Section 2.2 (the Vulnerable Consumer Representative responsibilities) and Section 4.4 (management of change includes the inclusive service design step). The four required policies sit alongside IMS1 as referenced documents.

The alphaZ documents below cover the policy, procedure, code of conduct and responsibilities setup that Clause 4 requires.

alphaZ document - How to use it

  • ISO 22458 Toolkit - Full document set for setting up an ISO 22458 inclusive service management system, including the procedure, policies, registers, forms and audit checklists.
  • P-115 Consumer Vulnerability Policy - Standalone consumer vulnerability policy covering the nine principles and the management system arrangements that support them.
  • CC-CV1 Code of Conduct - Vulnerable Consumers - Publicly shareable code of conduct that sets out the organisation's commitment, the nine principles and the supporting policies including third-party representatives and interruptions to essential services.
  • PP-1-17 Vulnerable Consumer Procedure - Internal procedure setting out roles and responsibilities including the Vulnerable Consumer Representative, and referencing the supporting documents.
  • ISO 22458 Implementation Checklist - Step-by-step checklist for setting up Clause 4 commitments alongside the rest of the management system.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

No, but the standard requires the consumer vulnerability policy to state whether a specialist internal team is needed and to record the rationale for the decision either way. Smaller organisations typically do not need a dedicated team and the responsibility sits with the named Vulnerable Consumer Representative.
The standard does not specify a job title. In most organisations the role sits with someone senior in customer service, operations or quality - someone with the authority to act on the data they review and to escalate to top management. The role can be combined with another responsibility, but it must be named, communicated to staff and given time and resources.
Only where the organisation considers any of its services to be essential. The standard defines an essential service as one that is vital to consumer health and wellbeing, where the risk of harm is particularly high if consumers cannot access it - examples in the standard include energy, water, healthcare and communications. If the services provided do not fit that definition, the policy is not required.

UK Legislation

The following UK legislation is directly relevant to ISO 22458 Clause 4. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
