Requirements management is a topic that comes up often during our management consulting. This is partly because we rely on it in our toolkit of solutions to common client challenges, and partly because we use it routinely ourselves.

Requirements management is the practice of, and methodology for:

  • documenting, analyzing, tracing, prioritizing and negotiating requirements and objectives,
  • managing change, and
  • communicating actionable information and context to relevant stakeholders.

Requirements management is a continuous activity, run iteratively and routinely to maintain compliance and performance.

The requirements being managed may be:

  • Requirements imposed on a product or system — that is, a set of design and fabrication requirements that guide product development and manufacturing, and allow verification and acceptance by customers
  • Requirements related to service delivery, typically defined in contracts and service level agreements, and implemented through service controls and audits
  • Requirements related to quality or compliance, typically defined in contracts and regulations, and implemented using an organizational management system.

Requirements are often managed using a dedicated IT-based requirements management system (RMS) — a database, or a full-scope requirements management tool that integrates a database with a specialized browser and/or management interface.

The use of an RMS to support and implement requirements within an organizational management system typically addresses:

  • external requirements (for example, external regulatory or other non-negotiable requirements)
  • internal requirements (for example, mission objectives, business directives, and corporate policies)
  • derived requirements — that is, requirements arising from organizational decisions about how to satisfy other requirements
  • constraints (for example, existing system constraints, or even constraining physical phenomena), which are refactored as requirements (that is, as mandatory requirements to accommodate the constraints)
  • enablers (for example, existing system capabilities, or even enabling physical phenomena), which are refactored as requirements (that is, as requirements to apply enablers)
  • flags or designators used to identify or declare requests, objectives, enablers and constraints.

A key goal of requirements management is traceability — the ability to demonstrate how requirements will be or have been met, and to identify why specific elements of system design exist. This traceability supports compliance planning, auditing, change management, configuration management, and design authority.
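The two directions of traceability described above (how each requirement is met, and why each design element exists) can be checked mechanically once requirements and design elements carry explicit links. The sketch below is an added example, not part of any RMS product; the class names, the ID scheme and the sample data are constructed, and it assumes a requirement counts as met when a design element satisfies it directly or when every requirement derived from it is met.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    kind: str            # external | internal | derived | constraint | enabler
    parents: tuple = ()  # IDs of the requirements this one was derived from


@dataclass(frozen=True)
class Element:
    eid: str
    satisfies: tuple = ()  # IDs of the requirements this design element claims to meet


class TraceMatrix:
    def __init__(self, requirements, elements):
        self.reqs = {r.rid: r for r in requirements}
        self.elements = {e.eid: e for e in elements}
        self.children = {rid: set() for rid in self.reqs}
        self.satisfied_by = {rid: set() for rid in self.reqs}
        for r in requirements:
            for p in r.parents:
                if p in self.children:
                    self.children[p].add(r.rid)
        for e in elements:
            for rid in e.satisfies:
                if rid in self.satisfied_by:
                    self.satisfied_by[rid].add(e.eid)

    def covered(self, rid, seen=frozenset()):
        """Met directly, or met through all of its derived requirements."""
        if rid in seen:                      # cyclic derivation never counts as met
            return False
        if self.satisfied_by[rid]:
            return True
        kids = self.children[rid]
        return bool(kids) and all(self.covered(k, seen | {rid}) for k in kids)

    def roots(self, rid, seen=frozenset()):
        """Follow parent links upward to the originating requirements."""
        parents = [p for p in self.reqs[rid].parents
                   if p in self.reqs and p not in seen]
        if not parents:
            return {rid}
        found = set()
        for p in parents:
            found |= self.roots(p, seen | {rid})
        return found

    def why(self, eid):
        """Originating requirements that explain why a design element exists."""
        found = set()
        for rid in self.elements[eid].satisfies:
            if rid in self.reqs:
                found |= self.roots(rid)
        return found

    def impact(self, rid):
        """Design elements to re-verify if this requirement changes."""
        hit, stack, seen = set(), [rid], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            hit |= self.satisfied_by[cur]
            stack.extend(self.children[cur])
        return hit

    def audit(self):
        return {
            "unmet": sorted(r for r in self.reqs if not self.covered(r)),
            "orphan_derived": sorted(
                r.rid for r in self.reqs.values()
                if r.kind == "derived" and not any(p in self.reqs for p in r.parents)),
            "unjustified": sorted(e for e in self.elements if not self.why(e)),
            "dangling": sorted((e.eid, rid) for e in self.elements.values()
                               for rid in e.satisfies if rid not in self.reqs),
        }


# Constructed sample data for illustration only.
MATRIX = TraceMatrix(
    requirements=[
        Requirement("EXT-1", "external"),              # e.g. a regulatory retention rule
        Requirement("INT-1", "internal"),              # e.g. a corporate approval policy
        Requirement("DER-1", "derived", ("EXT-1",)),
        Requirement("DER-2", "derived", ("EXT-1",)),
        Requirement("DER-3", "derived"),               # derived, but from nothing
        Requirement("CON-1", "constraint"),            # nothing accommodates it yet
    ],
    elements=[
        Element("E-ARCHIVE", ("DER-1",)),
        Element("E-INDEX", ("DER-2",)),
        Element("E-WORKFLOW", ("INT-1",)),
        Element("E-DASHBOARD"),                        # no stated reason to exist
        Element("E-EXPORT", ("REQ-404",)),             # cites an unknown requirement
    ],
)

if __name__ == "__main__":
    for finding, items in MATRIX.audit().items():
        print(f"{finding}: {items}")
    print("why E-ARCHIVE:", MATRIX.why("E-ARCHIVE"))
    print("impact of changing EXT-1:", sorted(MATRIX.impact("EXT-1")))
```
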

Requirements decomposition

Requirements management is a crucial element of any organizational management system used to assure or maintain quality or compliance. It has particular importance in complex engineering and technology projects, and in high-risk, high-consequence environments.

How NOCTURNE can help

Requirements management can be challenging to plan and implement, particularly since many “off the shelf” systems and solutions for requirements management are designed for niche industries or large-scale software and engineering projects.

When it comes to implementing requirements management within an organizational management system in order to better control quality or to support compliance strategies, the challenge is balancing the depth and robustness of requirements traceability against the usability and efficiency of the system you use to capture and connect those requirements. The solution needs to be tailored to your unique objectives, capabilities and constraints.

NOCTURNE can help your organization decide whether and how to implement requirements management. Is this something you really need to do now? Is it something that can be done in stages as your business grows? Can off-the-shelf products be cost-effectively tailored to meet your needs, or do you need a custom solution? We can help you make those decisions, and support your planning and implementation of an appropriate requirements-management solution. Tell us about the opportunity or problem that brought you here — we’d love to help!



Information in a modern organization takes many forms — most of them electronic. Today, even the smallest organizations will find themselves with gigabytes of digital information used to perform business activities, or generated as a result of those activities. Companies large and small run the risk of drowning in their own data.

A number of solutions address this challenge: electronic discovery, which means setting systems up so personnel can find the information they need; archiving and backup, used to protect organizational data and store it responsibly; content management systems, which help keep information current and usable; and electronic forms and workflows, which guide personnel through the creation and use of information.

Technological solutions such as these improve workers’ ability to create, protect, find and use the soup of unstructured data found within many organizations. But for organizations in highly regulated industries, or organizations dealing with exceptional risk, the adoption of a formal management system typically forces the organization to control the information it uses to manage risk and ensure compliance.

Controlled information

The formal control of information includes measures such as approval and authorization of information for use, reviews and verification of information, process-based revisions and deletions of information, unique addressing (numbering) to allow unambiguous referencing and retrieval, and a range of other quality-management features intended to ensure that information is appropriate, accurate, complete, and available.

The formalized control of information is important for the following reasons:

  • Prevents inappropriate, inconsistent, incomplete or incorrect inputs to work activities
  • Ensures information will be discoverable, retrievable and usable when needed
  • Reinforces authority and accountability throughout the organization — through approvals and workflows
  • Prescribes how organizational activities will be conducted, implementing quality assurance
  • Ensures and demonstrates compliance
  • Documents evidence of organizational activities and outcomes
  • Demonstrates application of quality control.

These goals are achieved by ensuring that controlled information is created, revised, distributed and destroyed in accordance with prescribed processes, procedures, standards and other controls that protect the integrity of information.

Implementing this level of control typically forces an organization to think about its information in a more structured way. And that structure starts by differentiating between information in documents, and information in records.

Controlled documents versus controlled records

When an organization takes its first steps to manage quality and control its information, a common question is the difference between documents and records.

People may naturally think of Word files as documents, and spreadsheets as places where things are recorded, but the nature of the information contained in an electronic file — and not the file format — should be the key factor when deciding whether a file is a document or a record. In fact, many digital files don’t naturally fall into either category — think about photographs and videos, audio files, configuration files, models, etc.

The definition of documents and records can also depend on the nature of the organization’s activities, its industry, and its regulatory obligations.

But as a general rule, documents prescribe and records describe. That, in a nutshell, is the most important difference between controlled documents and controlled records:

  • Documents prescribe how something is to be done. Records capture how something was done. 
  • Documents prescribe how or what something must be. Records capture how or what something was. 

Another key difference is the lifecycle of the information:

  • Documents may be revised. In fact, they may be revised and re-issued repeatedly.
  • Records, on the other hand, should never be altered once issued (although they can be appended with additional information or corrections, and newer records may make older records irrelevant).

How documents and records are addressed is also different:

  • Records have a unique number or address identifying that specific record, assigned on the day the record is registered. That unique number is not used for any future records, and will always “point” to that one record. Other records about the same topic, customer, component, etc. will have different addresses or record numbers. This ensures that a record can be unambiguously referenced and retrieved without being mistaken for other related or unrelated records.
  • Documents have a unique number or address identifying the most current, “in force” revision of that document. That unique number will always point to the most current authorized version of the document, no matter how often the document is revised. This ensures that workers retrieving a document will always work from the currently authorized version, and not a historical revision that is no longer valid.

Finally, the authority needed to create information can differentiate documents from records:

  • Documents typically require review and approval.
  • Records can typically be issued by anyone, without review and approval (although there can be exceptions). 

How controlled documents and records work together

While distinct from each other, records and documents combine to make up the information “fabric” of the organization, supporting its activities and quality management: 

  • Each issued revision of a controlled document is also a record of that document having been issued and being in force.  (This is very important when it comes time to audit the organization, demonstrate compliance, participate in legal proceedings, and perform root cause analysis.)
  • Records can refer to documents, and vice versa, and personnel may use both controlled documents and controlled records to perform tasks.
  • Controlled records are often generated through the use of controlled documents — for example, the creation of records during the execution of a controlled procedure.
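The addressing, lifecycle and authority rules from the two sections above translate directly into a data model. The sketch below is an added example rather than code from any particular content management system: the class names, the `REC-`/`QP-` numbering and the user names are constructed, and it assumes approval is modelled as membership in a list of authorized approvers.

```python
import itertools
from dataclasses import dataclass, FrozenInstanceError
from typing import Optional


class ControlError(Exception):
    """Raised when an operation would bypass information control."""


@dataclass(frozen=True)            # frozen: a record cannot be altered once issued
class Record:
    number: str
    issued_by: str
    body: str
    amends: Optional[str] = None   # number of the record this one appends to or corrects


class RecordRegister:
    def __init__(self):
        self._records = {}
        self._seq = itertools.count(1)

    def issue(self, issued_by, body, amends=None):
        # Records can be issued by anyone; corrections are new records that
        # point at the original, which itself stays untouched.
        if amends is not None and amends not in self._records:
            raise ControlError(f"cannot amend unknown record {amends}")
        number = f"REC-{next(self._seq):06d}"   # never reused for another record
        self._records[number] = Record(number, issued_by, body, amends)
        return self._records[number]

    def get(self, number):
        return self._records[number]

    def amendments(self, number):
        return [r for r in self._records.values() if r.amends == number]


@dataclass(frozen=True)
class Revision:
    doc_number: str
    rev: int
    body: str
    author: str
    approved_by: str
    issue_record: str              # record evidencing that this revision was issued


class DocumentLibrary:
    def __init__(self, register, approvers):
        self._register = register
        self._approvers = set(approvers)
        self._history = {}         # document number -> revisions, oldest first

    def issue(self, doc_number, body, author, approved_by):
        if approved_by not in self._approvers:
            raise ControlError(f"{approved_by} is not authorized to approve documents")
        revs = self._history.setdefault(doc_number, [])
        rev_no = len(revs) + 1
        # Each issued revision is also a record of that revision being in force.
        rec = self._register.issue(
            approved_by, f"{doc_number} rev {rev_no} issued and in force")
        revs.append(Revision(doc_number, rev_no, body, author, approved_by, rec.number))
        return revs[-1]

    def current(self, doc_number):
        """The document number always resolves to the in-force revision."""
        return self._history[doc_number][-1]

    def revision(self, doc_number, rev):
        """Historical revisions stay retrievable for audit, by explicit rev number."""
        return self._history[doc_number][rev - 1]


def demo():
    register = RecordRegister()
    library = DocumentLibrary(register, approvers={"q.manager"})

    rev1 = library.issue("QP-007", "Inspect weld, then sign off.", "a.writer", "q.manager")
    inspection = register.issue("tech.1", "Weld W-12 inspected per QP-007 rev 1: pass")
    library.issue("QP-007", "Inspect weld twice, then sign off.", "a.writer", "q.manager")
    fix = register.issue("tech.1", "Correction: weld ID was W-13", amends=inspection.number)

    try:
        inspection.body = "tampered"
        record_mutable = True
    except FrozenInstanceError:
        record_mutable = False

    try:
        library.issue("QP-007", "Skip inspection.", "a.writer", "a.writer")
        unapproved_blocked = False
    except ControlError:
        unapproved_blocked = True

    return {
        "current_rev": library.current("QP-007").rev,
        "rev1_issue_record": rev1.issue_record,
        "inspection_number": inspection.number,
        "correction": (fix.number, fix.amends),
        "record_mutable": record_mutable,
        "unapproved_blocked": unapproved_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
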

Uncontrolled documents and records

In contrast to controlled information, an organization may have a large cache of information that is generated or collected during business activities but is not critical to quality, safety, compliance, etc., and is thus not controlled under its management system. This less important information often sits in working repositories or individual workspaces, and doesn’t need the rigor or structure described above.

In these uncontrolled information spaces, documents and records may be interchangeable.

  • Uncontrolled documents may be containers for the creation, management and communication of working information (for example, processes and designs used within a project) that does not have quality implications or controls.
  • Uncontrolled records may be containers for the storage of working information (for example, entries in a requirements database or a project spreadsheet). 

Workers creating and using uncontrolled information don’t have to differentiate between documents and records, and can create and store information in whatever form most suits the individual worker and task.

Document and records control under ISO 9001

ISO 9001, which is a very widely adopted quality-management standard used in many industries, provides its own detailed requirements regarding documents and records control:

ISO 7.5.2 Creating and Updating

Documents are created as a part of the organization’s planning. Therefore, ISO requires that these planning documents are approved prior to use to ensure they are adequate (appropriate). Documents need to be reviewed and updated to ensure the content is accurate. If changes are made to plans then it is imperative that the changes are identified and communicated to anyone that uses those planning documents.

Users need legible, up-to-date, and readily available documents to do their job.

Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. 

ISO 7.5.3 Control of Information

Records are not the plan; records are created by plans. Records are data collected by operating the quality management system, but data is not information. Data must be converted into information through the use of charting or trend analysis. Thus, the requirements for records are different. Records need to be identifiable (labelled), stored, protected (uncorrupted), retrievable (you need to use the data), retained (backed-up), but disposed of when obsolete.

Documents are created by planning what needs to be done and records are created when something is done. Documents can change, and records don’t change. Documents need to be reviewed, approved, legible, up-to-date, communicated, and readily available. Records need to be identifiable, stored, protected, retrievable, retained, but disposed of when obsolete. 

This function is now referred to as documented information control rather than documents and records.

How NOCTURNE can help

Planning and implementing appropriate information control for your organization can be daunting. Your information structure and information-management processes must be robust enough to address your risk, compliance and quality requirements, but efficient enough to protect the “bottom line”. Your information-management strategy should be customized to your organization’s unique needs, reflecting your goals, capabilities and constraints. Mapping out a solution that will support the full scope of your organizational activities can be a challenge.

And if you have a wealth of legacy information that must be brought under control, that adds to the challenge. You need to decide what information needs to become controlled, when that control must be achieved, and how to “bless” historical documents and records to bring them under your management system.

You don’t have to do this alone. NOCTURNE can help by:

  • Analyzing your objectives and requirements and developing an effective but streamlined information-management strategy
  • Designing an information structure that allows adequate control while maximizing usability for your workforce
  • Implementing processes and standards for the control of information
  • Implementing content management systems or information libraries within your IT infrastructure
  • Establishing rules and guidelines for the conversion of legacy information into controlled information
  • Change-managing both process changes and changes to legacy information
  • Training personnel regarding documentation and records control, the creation of documents and records, information retrieval, etc.
  • Providing interim documentation and records support to ensure your organization gets up and running and succeeds in its evolution to a more effective, compliant information solution.

For more information about how we can help you make this transition, or even about whether this is something your organization should be considering at this time, tell us about the opportunity or problem you’re trying to tackle. We’d love to help!



High-performance organizations (HPO)

HPO is a concept that evolved in the 1950s in response to the failings of scientific management. The HPO approach is absolutely essential to small organizations and especially to technology companies and startups. 

An HPO is an organization that achieves and sustains high performance, when compared against peers. HPOs are flexible and are able to quickly change their operating structure and practices to meet changing needs. They actively seek out gaps and risks and adapt to close those gaps and to control risk. 

HPOs focus on long-term success while defining and achieving actionable short-term goals. They focus on customer needs and relationships, safety, reliability, sustainability, and quality. They use formalized, explicit management systems to manage objectives, quality, and risk, and to support both management and line functions. 

Thus, HPOs tend to have flatter hierarchies with reduced bureaucracy and less-authoritarian management models. They rely on teamwork and leverage diversity. And they invest in the continuous improvement of their core capabilities and in workers – in order to increase performance, build human capital, reduce turnover, and grow. 

HPOs also rely on individual accountability and transparency, providing incentives to promote:

  • Integrity
  • Self-evaluation
  • Self-identification and reporting of errors, exceptions, adverse events and near misses. 

To enable this, HPOs treat human error and human-performance issues as inherent elements of human systems, rather than as issues of discipline or individual value. 

HPOs rely less on direct supervision, and more on leadership, self-directed teamwork, and mission-based decision-making. The concept of “trust but verify” is important in HPOs and is integrated into their management systems to allow the delegation of responsibility without a loss of overall control. 

Note: HPOs are sometimes called “high-commitment organizations”. 

The HPO concept has a range of interpretations as organizations customize it to fit their missions, so one will see a lot of PowerPoints and explainers that don’t seem to align. Although it has been around for decades, there is no formal “standard”, and HPO is more a philosophy or methodology than a prescriptive solution. 

High-reliability organizations (HRO)

A concept related to but not entirely consistent with HPOs is the high-reliability organization (HRO). HROs are organizations that successfully prevent catastrophes in operating contexts where normal accidents would be expected due to risk factors and complexity. 

Adverse events that have led to a focus on HROs include nuclear accidents (for example, Windscale, Three Mile Island, Chernobyl, and Fukushima), aerospace accidents (for example, the Challenger and Columbia disasters, and the Tenerife airport collision), and industrial disasters (for example, the Bhopal chemical disaster, and the Deepwater Horizon accident). 

HROs are of particular interest in the nuclear power sector, strategic military contexts, naval operations, aviation and air traffic control, and petroleum industries. 

HROs tend to share many of the following characteristics:

  • Extreme hierarchical differentiation – multiple levels, each with its own elaborate control and regulating mechanisms (in opposition to the typical model for HPOs) 
  • Strong coupling – that is, tight interdependence across functional areas 
  • Hyper-complexity – large range of components, structures, systems, and levels, and a high degree of interaction between them 
  • Large numbers of decision makers in complex communication networks – supported by redundant control and information systems 
  • Unique levels of accountability (substandard performance or deviations from standard procedures result in severe consequences for personnel, which also differs from how HPOs treat human performance) 
  • Frequent, immediate feedback regarding performance and decisions 
  • Many critical outcomes that must happen simultaneously 
  • Short timelines (with the duration of significant activities measured in minutes or seconds) 
  • Lack of reversibility (errors cannot be practically corrected, and/or there is no way to withdraw or change operational decisions)
  • Focus on risk, treating anomalies as problems even in the absence of adverse effects, and reporting and resolving errors and anomalies promptly 
  • Reluctance to simplify, embracing the complexity of systems and problems in order to fully understand risks and system behaviours, and ignoring explicit system boundaries during analysis 
  • Valuing diversity with respect to experience and opinions 
  • Situational awareness regarding unanticipated and varying conditions that could affect operations, monitoring safety and security barriers and controls to ensure integrity
  • Focus on resilience, including the detection, containment, and recovery from errors and adverse events
  • Deference to expertise – in exceptional situations and during upsets, HROs delegate authority to individuals with the expertise needed to solve a problem, and during crises the decision making shifts to the “front line”, regardless of hierarchical rank.

HROs and HPOs in high-consequence contexts

HROs share some characteristics with HPOs:

  • Highly sensitive to context, and adaptive to changing needs 
  • Major focus on risk.

However, if considering the adoption of the HPO model, organizations in high-consequence contexts have to balance the benefits of HPO against those of the HRO model. HROs are the more traditional approach to organizational performance in high-consequence contexts, but a pure HRO focus without HPO elements doesn’t work well for small, nimble, disruptive organizations such as tech innovators and startups. This can be a challenge for organizations taking a tech startup approach to innovation in high-consequence fields, such as nuclear power generation.


  • 2020-04 BBC: Why we find it difficult to recognise a crisis.
    • Sutcliffe and her colleagues have identified five characteristics of the best-prepared “high-reliability” organisations, which rarely experience disasters.
    • First, such organisations are “preoccupied with failure”, says Sutcliffe. “What I mean by that is they understood what they wanted to achieve, but they also thought a lot about the ways in which they could get sidetracked and the ways in which things could go wrong.” This includes taking near misses seriously. “When you say ‘preoccupied with failure’, people jump to the conclusion that you’re not very positive and can’t celebrate successes. That’s not at all what we’re saying,” she emphasises.
    • High-reliability organisations also encourage their employees to avoid simplification and embrace complexity, even if that means abandoning appealing positive narratives. They spend most of their time focusing on the here and now, rather than on big-picture strategy. They build resilience, mostly by ensuring that their staff have the time and encouragement to tackle problems rather than sweeping them under the carpet.
    • And finally, they have flexible decision-making structures, meaning decisions can variously be made by low-ranking people on the ground and upper management, depending on the nature of the crisis.
  • High Commitment High Performance: How to Build A Resilient Organization for Sustained Advantage, by Michael Beer. 2009.
  • Lean Enterprise: How High Performance Organizations Innovate at Scale, by J. Humble, J. Molesky, and B. O’Reilly. 2015. 
  • What Makes a High Performance Organization: Five Validated Factors of Competitive Advantage that Apply Worldwide, by André de Waal. 2019. 


Safety management is a specific form of risk management that focuses on risk to “life and limb”.

A brief history of safety management

Safety management first arose as a formal discipline in response to chronic worker safety and public safety issues that emerged in capitalist societies during the industrial revolution, when commercial interests and the exploitation of vulnerable workforces led to highly dangerous workplaces and work practices.

Paralleling the rise of politically active labour union movements in the UK, and then in Europe and North America, legislation began to impose requirements on organizations to protect the health, safety and welfare of workers. The discipline of occupational medicine also evolved to the point where an evidence-based approach to worker safety was possible, particularly in industries such as mining, manufacturing and construction.

Safety management became more formalized and effective in the industrialized world throughout the 20th Century, although commercial interests often continued to challenge worker protection. Generally, safety management evolved “tombstone by tombstone”, driven by a long series of industrial mishaps and disasters that forced adoption and improvements. Today, in historically industrialized countries, safety management is a mature and accepted (if not always effective) body of practice.

However, even today, safety management in non-industrialized and newly industrialized nations often lacks an underpinning of effective legislation and cultural expectation, and may be ignored outright or trumped by commercial priorities. Since the globalization that drives those commercial priorities also promotes a gradual normalization of practices and expectations, the hope is that safety management will eventually become accepted, expected and normalized in all industrial settings.

Another important transition that took place throughout the 20th Century was a broadening of the scope of safety management to include public safety as well as workforce safety. This transition was also driven by legislative changes that instituted public and consumer protections against unsafe industrial activities and products. Modern safety management now addresses domains such as food safety, pharmaceutical safety, safety of healthcare products and services, environmental safety, and transportation safety, to name only a few.

A more recent but important evolution is the inclusion of environmental safety in overall safety management, with the recognition that environmental safety is public safety.

Role of an organizational management system

Safety Management System (SMS)

An SMS is a specific form of management system designed to control safety risk in the workplace and safety issues arising from work and business activities. The primary goal of an SMS is to ensure that safety risk is kept as low as is reasonably practical (ALARP).

A typical model for an SMS includes the following elements:

  1. Policy
    • Establish requirements for adequate resources.
    • Define top management commitment.
    • State occupational and public safety targets.
  2. Organization
    • How is the organization structured?
    • How are responsibility and accountability defined?
    • How does the organization communicate internally and externally?
    • What documentation is required and how are training and competency defined?
  3. Planning and Implementation
    • How does the organization plan for, develop and implement its approach to risk management?
    • How are hazards identified and risk effectively managed?
    • What goals and objectives are set to drive safety performance and measure progress?
    • What arrangements are made for contingency and emergency situations?
  4. Evaluation
    • How is safety performance measured and assessed?
    • What are the processes for the reporting and investigation of accidents and incidents?
    • What internal and external audit processes are in place to review and verify the system?
  5. Action for Improvement
    • How are corrective and preventive actions created, managed and closed out?
    • What processes are in place to ensure continuous improvement?

Integrated management system

Organizations operating in regulated environments or facing significant quality, operational or other risk with respect to business activities and/or products typically control that risk and ensure compliance by implementing an integrated organizational management system, which governs how the organization conducts its activities. In high-consequence environments, the integrated management system typically includes a particular focus on safety, making Safety Management a top-level management domain rather than a separate SMS.

How safety is implemented and where responsibility for safety assurance lies within an integrated system depends on the nature of the organization and its activities.

Traditional organizational safety management – including workplace safety – may fall under the direction of a Risk Manager and/or specialized safety managers, such as site safety or health, safety and environment (HSE) managers. Safety expectations are communicated to the workforce, and appropriate specialists ensure that processes, procedures, practices and compliance adequately protect workplace safety. Specific safety-related responsibilities are imposed on roles throughout the organization in order to implement and support safety controls.

For organizations operating high-consequence facilities or systems (such as nuclear facilities, aerospace and space operations, and critical infrastructure), safety management goes beyond worker and workplace safety to include a greater focus on the protection of the public and the environment. In these organizational systems, safety assurance begins with cultural indoctrination to ensure that the workforce and management consider safety constantly and automatically, that the workforce is empowered to protect safety, and that safety is prioritized over all other interests. Responsibility for defining how the organization maintains safety, and for monitoring safety performance, lies with appropriately qualified top-level managers, but the assurance of safety is woven throughout the organization’s roles and responsibilities, processes, procedures, practices, standards, training, and most importantly, cultural and behavioural reinforcement.

For organizations responsible for the design of safety-critical systems, safety management is achieved through control over the design of the organization’s products. In these organizations, the function of safety management establishes design requirements and provides expert oversight of third-party design processes and products. The related function of vendor management establishes and verifies requirements and quality across the design supply chain.

In all cases, while the responsibility for the governance, oversight, measurement and assurance of quality rests with qualified, top-level managers, all personnel throughout the organization have a standing responsibility to protect and prioritize safety.

Key elements of safety assurance


The prevention of events and conditions that could create safety risk is the most important and obvious strategy for assuring safety.

Analyze systems, processes and the operating environment in order to recognize what harm could result from normal operation and atypical events, and take steps to prevent adverse outcomes that could injure workers, consumers, the public, and the environment.


When prevention fails, mitigation measures can reduce the resulting harm. Mitigations may reduce the scope and reach of safety failures and incidents, and/or reduce the effect on people and the environment.

Consider the types of failures that are possible, and identify ways to limit the harm that would occur. Implement barriers, controls and contingencies to mitigate the adverse outcomes that could result from failures to prevent breakdowns, outages, releases and other harmful events.


Where mitigations require active intervention (for example, through emergency response, evacuation, aid, etc.), prepare to deliver the response capabilities needed to minimize harm and aid in recovery.

Preparation could include measures such as:

  • Emergency first response
  • Transportation capabilities
  • Key messaging and informational resources
  • Site security
  • Environmental containment and cleanup
  • Search and rescue
  • Medical response
  • Financial aid
  • Housing and social support.

Preparation typically involves:

  • Stakeholder engagement
  • Response planning and contingency development
  • Emergency planning
  • Obtaining and/or assuring prompt access to resources
  • Delivering training
  • Performing drills and exercises
  • Assessing and auditing capabilities and performance.

Preparation is not limited to preparing to respond to an event; it is also about ensuring that the organization will quickly recognize both the latent conditions that could lead to an event, and the onset of an adverse event.


Depending on the types of events that could occur, response may need to be prompt and/or robust. During response, the organization executes the appropriate contingencies and/or emergency plans, but may also have to respond tactically to address issues or conditions that plans did not anticipate. Thus, response relies on capable leadership able to adapt quickly to new situations and challenges.

The first step in response is recognition that a safety hazard is emerging or that an adverse event has occurred. Rapid recognition and response may prevent an adverse event, or allow more effective mitigation once one occurs.

The time needed to launch an effective response can often mean the difference between a trivial abnormal operating event and outright disaster. Thus, all parties involved in response must maintain a readiness to respond even when affected by the adverse event themselves.

Response must also be sustained for the full time needed to protect affected parties from an ongoing event, and to support recovery of affected parties back to normalcy.

Since most adverse safety events arise after a pattern of near misses and close calls, the trending of safety incidents can be of great help in preventing serious events and prioritizing mitigating measures. Trending involves the surveillance of organizational activities and recognition of conditions, actions and events that either caused minor harms, or could have caused significant adverse outcomes. Increasing trends trigger greater attention and help identify opportunities for preventive action.

Trending begins with the identification of compliance and performance indicators relevant to safety: what can be measured, how to measure it, and what criteria will be applied. Processes are then established and applied to measure, analyze, and trend indicators. 

Adverse trends then trigger analysis by appropriate specialists and stakeholders, who rank the importance of the trend with respect to safety, and prescribe actions to re-establish or protect safety.

Root-cause analysis (RCA)

Root cause analysis is used to identify the fundamental issues that could challenge safety, rather than focusing on the symptoms of those issues.

RCA includes the following steps:

  • Identify and describe the problem clearly.
  • Establish a timeline from the normal situation up to the time the problem occurred.
  • Distinguish between the root cause and other causal factors (for example, using event correlation).
  • Establish a causal graph between the root cause and the problem.

A typical approach to root cause analysis is to “keep asking why”. Each time an event or condition is recognized as a cause, ask why that event or condition arose. Continue this process until the answers become trivial or stop yielding useful insights.

Defence in depth

Defence in depth is a strategy used to ensure that single points of failure and foreseeable combinations of failures don’t result in adverse safety events. Defence in depth relies on layers of independent protection against safety threats and failures.

Human performance

Management of human performance helps to prevent challenges to safety. This includes:

  • Qualification, to ensure that workers are competent to perform activities 
  • Prevention of human error through the use of human-performance tools 
  • Procedural control, having workers perform critical activities by following prescribed processes or step-action procedures that have been designed to control risk. 

Auditing and observation

Observation of critical activities helps to ensure that activities are being and will be performed appropriately to control risk, and that the outputs of those activities have met and will meet requirements. 

Auditing is the review of policies, processes, and procedures, and the confirmation of compliance, adherence, and outcome, used to ensure that those management-system elements are effective in controlling risk.

Auditing is also used to apply quality management to third-party providers of products and services, including design products and services. 

Review, or testing and inspection

Reviews, testing and/or inspection of the outcomes and outputs of critical activities can identify safety issues. 

Spot testing/review of samples can help to identify trends and assess overall safety. Mandatory review, testing and/or inspection may be used to provide positive control over outputs that create high safety risk. Review, testing and inspection can also be used to apply safety management to third-party providers of products and services, including design products and services. 


Workers may report (or self-report) issues with the performance of activities or the outputs of those activities. Self-reporting expectations must be communicated and reinforced through expectations documentation and training.

Corrective action

When safety deficiencies are identified, corrective actions are performed to:

  • Reject, discard, and replace the deficient work product or input, or correct or mitigate the deficiency 
  • If appropriate, correct or mitigate the deficient conditions, processes, procedures, or other elements that led to the safety deficiency, in order to reduce the likelihood or severity of recurrence. 

Corrective action must also be supported by appropriate processes and procedures, including processes and procedures for ensuring the correction of deficiencies in work products and services received from third parties. 

Vendor management and vendor quality assurance (VQA)

In organizations that rely on third-party services, products and inputs, the function of vendor management is very important. The identification of requirements, negotiation of contracts, and oversight of contract performance is critically important to an organization’s ability to meet customer needs, ensure safety in design, services and products, and exercise control over its offerings. Thus, vendor management is typically a top-level management domain. The VQA function coordinates vendor management, safety management, and quality management to ensure that work products and services received from third parties have adequate safety and quality.

Culture and behaviour

Culture is critical to safety, since your workforce’s automatic behaviours are the most effective, reliable defence against safety risks and failures. Culture begins with leadership and positive modelling, but it also requires formal indoctrination, communication, reinforcement, recognition and reward for safe behaviours.

Workforce empowerment

Workers must be empowered to identify safety risks and make safety decisions, regardless of their role and position in the corporate hierarchy. This means not only reinforcing the message that workers should take individual responsibility for safety, but also incentivizing safety reporting and appropriate safety decisions, protecting workers from peer pressure and sanctions arising from operational priorities, and providing positive recognition when workers take responsibility for safety.

How NOCTURNE can help

Implementing or improving safety management within your organization can be challenging. While safety management should be led by professionals with safety qualifications appropriate to your industry, NOCTURNE can help by doing much of the heavy lifting needed to implement or revise safety documentation and records systems, processes and procedures, job aids, training, etc. throughout your management system. We work with your safety leaders to ensure that safety information and process controls have the appropriate quality and scope needed to keep your workers, customers, assets and the general public safe.

When implementing and supporting safety elements in organizational management systems, NOCTURNE focuses on:

  1. Engagement. Safety is a general objective everyone understands, but many organizations have stakeholders with unique or particular interests in safety and/or specific safety risks. NOCTURNE starts by identifying and understanding stakeholders and stakeholder interests.
  2. Constraints. What resource and operational constraints must be accommodated? A “Cadillac” system is of no use if the organization lacks the capability to apply it properly.
  3. Simplicity. The system must be kept as simple as possible. Complex systems impose unnecessary burdens on organizations, but also tend to be less effective. Complexity should be limited to specific procedures or roles where it is required, and the overall system should be simple enough for all workers, managers and stakeholders to understand.
  4. Relevance. Safety relies first and foremost on worker performance. Workers must take safety seriously. For that to happen, workers have to understand why safety matters, and why specific safety measures and controls are needed.
  5. Maintainability. The safety system needs to evolve as the organization grows, its activities change, and its regulatory environment evolves. Thus, the system must be easily maintainable by the organization as a whole, and by the personnel assigned responsibility for safety management.
  6. Robustness. Safety systems can become ineffective in the face of organizational or operational challenges. Thus, the system needs to be designed to operate effectively even when operations and organizational activities are disrupted by internal or external challenges. This means the system needs redundancy, defence in depth, surge capacity, and the ability to “fail gracefully” when challenges become extreme.
  7. Measurability. Safety controls must be designed to be measurable, so that safety managers and stakeholders can assess performance and capability before a safety challenge arises.

NOCTURNE considers all these factors when designing and examining management-system elements, including systems designed to assure safety. The end goal is to ensure that stakeholders recognize, understand and trust in the organization’s commitment to safety, and that the organization will fulfill that trust.

Tell us about the safety objectives or risks you’re trying to address. We’d love to help!


What is CSR?

Community Sustainability requires a balance of three essential pillars: environment, society, and economy. In its simplest form, Corporate Social Responsibility (CSR) refers to an organizational initiative with a goal to improve the environment and/or society (possibly through an economic initiative). CSR is about a corporation acting as a socially responsible citizen.

CSR is no longer a nice-to-have; it’s a must-have. Today’s customers expect businesses of all sizes to “do good” in their community.

A 2015 study exploring CSR’s impact on consumer behaviour found that:

  • 84% of respondents said they tried to purchase products and services that were socially or environmentally responsible whenever possible;
  • 90% were likely to switch brands to one associated with a good cause;
  • more than 50% had boycotted a company after learning it had behaved irresponsibly; and
  • over 90% of consumers polled expected companies to do more than make a profit.

Beyond opening markets and securing relationships with customers, CSR is a powerful recruitment and retention tool. This is especially true for the Millennial generation (although all generations now prioritize these issues); both Gen Y and Gen Z want to work for companies that actively cultivate their communities.

An extensive 2015 report reviewing 300 studies on the ROI of CSR projects found they:

  • Increase employee productivity up to 13%;
  • Reduce employee turnover rate by up to 50%;
  • Save up to 90 to 200% of the salary of each employee who is retained; and
  • Make recruiting more competitive; workers are willing to take up to a 5% pay cut to work at companies with strong CSR initiatives.

CSR programs can take many forms – for example, an employee volunteerism program, a waste-reduction initiative, or a formal charitable giving partnership – and the best CSRs are ones that are customized to the unique needs and challenges of the community.

Other examples of CSR solutions include:

  • Pollution reduction processes
  • Community risk reduction
  • Educational and social programs
  • Corporate philanthropy

Orchard Group can help you find the right CSR solution to benefit both your business and your community. Contact us today to get started!


CSR services and solutions

Orchard Group can help you help your community by implementing Corporate Social Responsibility (CSR) solutions.

size = affordability

Orchard can do everything the big engineering firms do, but at a price that’s affordable for small and medium-sized companies.

genuine change agents pick us

Because of our unique approach and our multi-disciplinary team, we can design CSR projects that have real impact on the problem; the companies we work with want to be part of real change.

competitive recruiting

People want to work for employers that are helping to make the world better, and they are much less likely to leave those employers. With our background in workforce issues, we can help you develop a CSR initiative that supports your efforts in hiring the best, and keeping them.

accessible entry to CSR

We specialize in community-level CSR programs that are impactful and of a scope that’s within reach for smaller organizations. We’re small, smart and quick; we’re the entry point to corporate sustainability for SMEs.