The Process Approach

What is the Process Approach?

The process approach is one of the foundational ideas in modern ISO management system standards. It says that the best way to understand and manage an organisation is to view it as a system of interconnected processes, each with defined inputs, outputs, owners and controls. Managing the processes, rather than just the outputs, is what delivers consistent results.

ISO 9001 calls this out explicitly in Clause 4.4, which requires the organisation to determine the processes needed for the quality management system, their sequence and interaction, the criteria and methods needed for their operation, the resources they require, responsibilities, risks and opportunities, and the methods for monitoring and improving them. The other Annex SL standards - ISO 14001, ISO 45001, ISO 27001 and the rest - all take the same view in their own Clause 4.4.

The process approach sits alongside Plan-Do-Check-Act and risk-based thinking as the three core concepts underpinning these standards. PDCA is the cycle through which the system improves; the process approach is the way the system is organised in the first place; risk-based thinking is how the organisation decides where to focus attention. They all work together.

What Counts as a Process

A process in ISO terms is any set of activities that takes inputs and transforms them into outputs. Order fulfilment is a process. Staff recruitment is a process. Internal auditing is a process. Management review is a process. A process is not a department or a team - it is the flow of work that produces something useful.

A well-defined process has the following elements:

Inputs - the information, materials, requests or resources that start the process. For order fulfilment, the input is a confirmed customer order.
Outputs - what the process produces. For order fulfilment, the output is the delivered product and an invoice.
Activities - the sequence of things done to turn inputs into outputs. Pick the stock, pack the order, arrange despatch, raise the invoice, update the records.
Owner - the person accountable for the process working as intended. For order fulfilment, that might be the Operations Manager.
Resources - the people, equipment, information and infrastructure the process needs.
Controls - the procedures, checks and approvals that keep the process on track. Quality checks before despatch. Credit approval before shipping large orders.
Measures - the indicators used to know whether the process is working. On-time delivery percentage. Order accuracy rate. Customer complaints.
Interactions - the other processes this one depends on, and the processes that depend on it. Order fulfilment depends on purchasing to have stock available, and feeds into invoicing and customer communication.

An organisation that has thought through these elements for each of its significant processes has most of what an ISO management system asks for. An organisation that has not is building its system on sand.

Why the Process Approach Works Better Than a Functional View

Most organisations are structured into functions - sales, operations, warehouse, finance, HR. The functional structure is useful for managing people and resources but it is a poor way to understand how work actually flows, because almost every meaningful outcome involves several functions working together.

Take the order fulfilment example again. A customer order touches sales (who took it), finance (who credit-checked the customer), operations (who produced or picked the goods), warehouse (who packed and despatched them), logistics (who arranged the delivery) and finance again (who raised the invoice). If any one of those steps goes wrong the customer experience fails, regardless of how well each individual department is performing against its own targets.

A functional view of the organisation makes it easy to optimise each department in isolation and miss the interactions. A process view follows the work across the departments and focuses attention on the hand-offs between them - which is where most problems actually arise.

The process approach does not replace the functional structure. Organisations still need departments, managers and budgets. What it adds is a second lens: alongside the organisation chart, there is a process map showing how work flows through the business and who is accountable for each process end-to-end.

Mapping Processes

Documenting a process in a form useful to the organisation is not the same as writing a lengthy procedure. The aim is to capture the key elements - inputs, outputs, owner, controls, measures, interactions - concisely enough that anyone reading the document can understand how the process works.

A common format is a one-page summary for each significant process, covering:

Process name and purpose
Process owner
Inputs and where they come from
Outputs and where they go
Key activities (usually as a short numbered list or flowchart)
Resources, competences and documented information needed
Controls and decision points
Measures and how they are monitored
Risks and opportunities specific to the process
Links to supporting procedures, forms and records

Not every activity in the organisation needs to be mapped at this level of detail. The focus should be on the processes that directly produce products and services, the processes that control quality and risk, and the processes that interact with customers or regulators. Low-impact administrative activities can be described in less depth.

Some organisations use visual tools like the turtle diagram - a four-sided diagram with inputs on one side, outputs on the other, and resources and controls above and below - to capture process information. Others prefer a written summary. Either way, the goal is the same: to have a clear picture of what the process does, who runs it and how it is controlled.

Process Interactions and the Process Map

The process approach does not stop at documenting individual processes. Clause 4.4 also requires the organisation to understand how processes interact with each other - which processes depend on which, where outputs from one become inputs to another, where problems in one process propagate into another.

A process interaction diagram, sometimes called a process map or an interaction of processes diagram, shows these relationships at a glance. At its simplest it can be a box for each process with arrows showing the flow of information and outputs between them. At its most developed it can include customer-facing processes, operational processes and support processes grouped and colour-coded, with the critical interactions highlighted.

The value of this map is strategic. It forces the organisation to think about the system as a whole rather than each process in isolation. It highlights where hand-offs between processes need explicit controls. It helps identify which processes have many dependencies and therefore warrant more management attention.

The IMS1 manual includes an interaction of processes section and a correlation table that ties the ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301 and ISO 37001 clauses back to the relevant process areas of the manual. This keeps the process view visible rather than letting the system drift into clause-by-clause documentation.

Risk-Based Thinking and the Process Approach

Risk-based thinking and the process approach are deliberately linked in ISO 9001. Clause 4.4.1(f) requires the organisation to address the risks and opportunities for each process. Clause 6.1 requires a wider review of strategic risks and opportunities for the whole management system. Together they mean risk is considered at two levels: the risks to each individual process, and the strategic risks facing the organisation overall.

In practice this means each significant process has its own short risk review as part of its documentation - what could go wrong, what controls are in place, how the residual risk is monitored. The strategic risks are then captured separately in an opportunities and risks register like F-IMS23, reviewed annually during management review.

Risk-based thinking does not require a heavy formal risk management methodology. It requires the organisation to think systematically about where things could go wrong and where opportunities could be exploited, and to direct effort accordingly. Processes with high risk get more controls and closer monitoring. Processes with low risk get less.

Using the Process Approach in an IMS

An integrated management system built on the process approach organises its manual around the processes that run the business rather than around the clauses of any particular ISO standard. This is how IMS1 is structured. Section 1 covers the management system overall. Section 2 covers leadership and planning. Section 3 covers resources and support. Section 4 covers operational processes. Section 5 covers monitoring and improvement. Within each section, the content describes how the organisation actually runs, not what an ISO clause requires.

The clause-level compliance is handled separately through ISO correlation documents that map each clause of each standard to the relevant part of the manual. An auditor working through ISO 9001 Clause 8 can use the correlation to jump to Section 4 Operational Processes and find the evidence. An auditor working through ISO 14001 Clause 8 does the same. The processes themselves do not need to be re-documented for each standard.

This is the practical payoff of the process approach combined with integrated management: one system that describes how the organisation works, with correlation documents that demonstrate compliance with whichever standards the organisation is certified against.

We have around fifteen significant processes in our operation. Each one has a one-page summary covering what the inputs are, what the outputs are, who owns it, what the key controls are and what measures we track. When we introduced the process approach we started seeing problems that had been invisible before - usually at the hand-offs between departments.

The order-to-despatch process was a good example. Sales were hitting their targets, warehouse were hitting theirs, logistics were hitting theirs, but customers were still complaining about late orders. When we mapped the process end-to-end we found a two-day gap between sales confirming the order and warehouse seeing it on their system. Each department was doing its job but the process was broken. Fixing that single hand-off cut our late-order complaints by two thirds.

The process approach sounds like consultant-speak until you try the alternative. If you organise your management system by department, you end up with a quality manual that mirrors your org chart instead of describing how your business actually runs. And every time you reorganise, you have to rewrite the manual.

Organise around processes and the manual stays stable. Departments come and go. The process of fulfilling a customer order stays roughly the same whether you have three staff doing it or thirty.

When I audit against Clause 4.4 I am looking for evidence that the organisation has actually thought about its processes - not just written a generic procedure and called it done.

I want to see process owners who can tell me what their process does, what the inputs and outputs are, what the measures are, what the risks are. If I ask the process owner for the order fulfilment process and they look blank, something is wrong.

The interaction of processes is the second thing I look at. A diagram helps but what matters more is that the process owners understand their dependencies. The best test is to ask about a specific hand-off and see whether both sides describe it the same way.

Practical Compliance Guidance

The IMS1 manual is built around the process approach. Its sections map to how a business actually runs rather than to the clauses of any single ISO standard, and an interaction of processes overview shows how the key process areas connect. Correlation documents then handle the clause-by-clause mapping for each ISO standard the system covers.

The alphaZ toolkits bundle IMS1 together with the forms and registers that make the process approach practical to operate. The documents below are the ones most directly relevant to defining, controlling and monitoring processes.

alphaZ document	How to use it
ISO 9001 Management System Toolkit	Starting point for a quality management system built around the process approach. Includes IMS1, process-oriented policies, procedures and registers.
ISO 9001, 14001, 45001 IMS Toolkit	Extends the process approach across quality, environmental and health and safety in a single integrated system. The three sets of process-level risks and controls live in one register rather than three.
F-IMS20 Document Register	Central register of the controlled documents that describe each process. Used to keep procedures, work instructions, forms and records in sync across the management system.
F-IMS23 Opportunities and Risks Register	Strategic-level register of risks and opportunities across the whole management system. Process-level risks are reviewed within each process; strategic risks are captured here and reviewed annually at management review.
F-Q23 Change Review	Used when processes change - new suppliers, revised procedures, organisational changes - to plan and review the change and keep process documentation up to date.
ER1 Issues and Actions Register	Running log of issues, non-conformities and improvement actions. Patterns in this register often point to process problems that need the process definition or controls to be revised.
F-Q3 Management Review	Where top management review process performance across the system - the key measures, the trends, the significant risks and opportunities - and set priorities for the next cycle.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How many processes should a management system have?

There is no required number. Small organisations typically have between five and ten significant processes; larger or more complex organisations may have twenty or thirty. What matters is that the set covers how the business actually delivers its products and services, and that each process is defined in enough detail to be run consistently. Defining too few processes loses useful detail; defining too many makes the system hard to maintain.

Do processes need to be documented as flowcharts?

No. ISO requires processes to be defined and understood but does not specify a format. Written summaries, turtle diagrams, flowcharts and swimlane diagrams are all acceptable. The best format is whichever one the organisation will actually maintain. A clear one-page written summary is usually more useful than an elaborate diagram that nobody updates.

What is the difference between the process approach and the functional structure?

The functional structure is about how people and resources are organised - departments, teams, managers, budgets. The process approach is about how work flows through the organisation - inputs, activities, outputs, owners. Both are needed. Processes cut across functions, which is why focusing only on departmental performance can miss problems that arise at the hand-offs between departments.

Is the process approach the same as business process management?

They overlap but they are not identical. Business process management (BPM) is a broader discipline with its own tools, notations and software. The ISO process approach is a simpler set of expectations about understanding the organisation as interconnected processes. An organisation that practises BPM will find the ISO process approach easy to meet. An organisation that applies the ISO process approach is not obliged to adopt BPM tooling.

UK Legislation

No UK legislation specifically mandates the process approach, but the legal requirements for management arrangements in areas like health and safety assume the organisation has thought through who is responsible for what and how activities are controlled. The process approach is the standard way of meeting these expectations.

Further Resources