The PDCA and ISO’s “Process Approach”

What is the PDCA method?

When considering how to successfully implement ISO 42001 within the organisation, the regulator has structured the standard so as to favour the use of the “PDCA method”. Although never explicitly mentioned, ISO/IEC 42001:2023 follows the Plan, Do, Check, Act model which, combined with risk-based thinking, allows Lead Implementers to successfully build, monitor and improve an artificial intelligence management system (AIMS).

In this presentation we are going to explore how to effectively apply this method in 4 Key Steps:

  • Plan – Clauses 4, 5, 6 and 7 – Context, Leadership, Planning and Support
  • Do – Clause 8 – Operation
  • Check – Clause 9 – Performance evaluation
  • Act – Clause 10 – Improvement

Step 1: Plan

Clause 4: “Context of the organisation” – Requires an understanding of the risks and opportunities, internal and external, that could have an impact on the AIMS. It’s also important to determine the needs or requirements of the organisation and, finally, its objectives. Risks, opportunities, needs and objectives help us determine the scope of the AIMS, i.e. the boundaries of the management system. Remember: boundaries don’t necessarily mean geographical ones. The AIMS can also cover only a function or a department of the organisation.

Clause 5: “Leadership” – This clause is all about involving “Top Management” which, in Clause 3.3, the regulator defines as: the person or group of people who directs and controls an organisation. Involvement of the company’s leadership is essential as it can support with the implementation and also because a regular management review is one of the requirements of ISO 42001.

Clause 6: “Planning” – As mentioned, a key element of the whole process (and not just step 1) is risk. During the planning phase, the organisation should prepare a risk assessment, a risk treatment plan and an impact assessment. As per clause 3.7, risk is the effect of uncertainty, which means risks don’t necessarily have to have a negative connotation. Once the risk assessment has been completed, the organisation should prepare a treatment plan; however, not all risks can be mitigated. Some risks need to be taken into consideration even if they are outside the sphere of control of the organisation.

Clause 7: “Support” – The final clause of the Plan phase concerns the support necessary to implement the AIMS. Ask yourself: what resources are going to be necessary to implement and maintain the management system? Take this opportunity to run a gap analysis: who is going to be responsible and take ownership of which risks, and do they have the skills necessary to cover this role? If not, they might need training or tutoring. This clause also includes another requirement: documentation. This means the lead implementer will have to make sure that all the documents deemed necessary for the operation of the AIMS are kept up to date and readily available.

Step 2: Do

In the second phase of the implementation process, planning is complete and we now need to walk the walk. The controls in Annex A can help you understand what policies need to be drafted, what processes need to be put in place, and what records need to be kept to remain compliant.

Step 3: Check

The organisation’s stakeholders need to determine what needs to be monitored, along with the methods and the metrics. They have to plan so that these reviews take place at regular intervals. In other words, the organisation needs to plan for internal audits whose results will then be submitted to Top Management.

Step 4: Act

Now that we know what works and what doesn’t with our management system, it’s time to act on those non-conformities. Not only do we need to address the issue, it is also mandatory to put measures in place so that it doesn’t happen again.

As we have seen, ISO 42001 has been structured by the regulator following the PDCA method because it’s a simple and yet effective way to successfully implement a management system within an organisation. On top of that, its cyclical nature also covers another requirement: the necessity for continual improvement, as it demands that we act upon the non-conformities we spot after checking what we have done.

Remember: The PDCA method can also be used for the numerous processes and records that make up the management system itself.

Implementing ISO/IEC 42001:2023 doesn’t have to be a burden. Simply follow the 4 steps of Planning, Doing, Checking and Acting, and you too can get it done!