Determining external and internal issues - PESTEL and McKinsey 7S Methods (Part 1)


I wrote this post as a complement of the previus ones dedicated to analizse the requirements of Sub-clause 4.1 of the management system standards.

I have devoted some posts, plus some to come, to reviewing the various clauses and sub-clauses of different management system standards. In relation to Sub-Clause 4.1 of these standards, which establishes as initial requirements that the organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the expected results of its management system. In the particular case of ISO 9001 standard, it is established that in this determination of external and internal issues those that are relevant for its strategic direction are included.


The intention of preparing this post is trying to help understand this requirement, why it is part of these standards and what it is for organizations. Also, for describing, and that can serve as a support, both PESTEL and McKinsey “7S” methods, which are recommended to meet this common requirement of all management system standards (MSS).


However, in this first part I would like to present a proposal on a characteristic of this requirement considered in those MSS.


As I mentioned in the first paragraph of this post, practically all standards on management systems establish, in their first paragraph and as first requirements, that organizations shall determine  external and internal issues that are relevant to their purpose and that affect its ability to achieve the intended results of its management system. Only ISO 9001 standard indicates that the organization shall also determine the external and internal issues relevant to its strategic direction.


In this sense, curiously all these management system standards establish, in their Sub-Clause 5.1, derivated from Clause 5. Leadership, that top management shall demonstrate leadership and commitment with respect to the corresponding management system, (…) ensuring that it is established the policy and objectives of the management system, and that these are compatible with the strategic direction and the context of the organization.


That is why I consider as a deficiency of these standards that, obviously with the exception of ISO 9001, establish as a requirement of 4.1, the determination of the issues (external and internal) relevant only for their purpose, when it should be reasonable for them to also be relevant for its strategic direction. For this reason, I always suggest that when applying the method selected by each organization to determine these issues, it also includes the relevant issues for its strategic direction.


Allow me to make this recommendation, which would be like adding one more requirement within Subclause 4.1 to these standards (with the exception of ISO 9001), for the following reason:


Some MSS, among them ISO 9000: 2015 and ISO 21001: 2018 standards, present definitions of the following terms:

Additionally, the ISO 22316: 2017 standard contains the following definition:


And the ISO 30400: 2016 standard contains the following:


With this basis that I am presenting here, we can identify, as a whole, as Purpose of the organization, the following elements:


In addition, ISO 21001: 2018 standard, already mentioned, indicates another important definition:


Finally, I mention as a reference what ISO 24513: 2019 standard defines, among other standards, the following term:


In this way, I show you the following image, which I have previously presented in another post, to reflect the concept of the “context” of the organization with respect to ISO standards of management systems:


Source: Palomares, Ernesto

What can be seen in this image is that, based on the elements that make up the purpose of the organization, the top management must carry out a series of activities to establish its strategy and strategic plan, that is, establish with the order presented, its policies, general objectives, specific objectives, goals and plans, which set the course, from the most general sense to the most particular one, towards where the efforts of all the organization's personnel should be focused.


If we go back to ISO 24513: 2019 standard mentioned above, we find two complementary definitions on this theme:


Tactical plan

document identifying objectives to be pursued by an organization over the medium term, on the basis of priorities derived from influencing factors/indicators on performance, costs, risk and failure probability and scale of failure.


Operational plan

Documented collection of procedures and information that is developed, compiled and maintained in readiness for the conduct of operations.


However, in order to establish these elements in the most appropriate way, the organization will need to determine all the relevant issues and additional aspects of its context, to contrast and screen its planning activity and establish more precisely those strategic elements.


As you can see, determining external and internal issues must consider relevance to both the purpose and strategic direction of the organization for this analysis to make sense.


Now, you are most likely familiar with the way Sub-Clause 4.1 of the management standard of your interest is drafted. If not, I suggest you consult some of the articles that I have uploaded to this blog in which I analyze the requirements established in this subclause as it is presented in several of these management system standards.


I have already explained in those posts how we should identify, analyze and understand these requirements. However, so that you do not believe that I am taking these recommendations only from my feverish imagination, I would like to mention that we have two supporting documents to try to understand these requirements, which have been published by the International Organization for Standardization itself. (ISO), and are the following:


The first one is Appendix 2 of Annex SL (normative) - Harmonized structure for management system standards with guidelines for their use. It derives from the ISO / IEC Directives, Part 1 - Procedures for technical work - Consolidated ISO Supplement - Specific procedures for ISO.


This document contains the guidelines for those who develop the different management system standards within the Harmonized Structure or High Level Structure, and it explains that the intention of presenting the requirements of Sub-Clause 4.1 - Understanding of the organization and its context[is to make sure the organization has an understanding of the issues that can affect, either positively or negatively, the organization and its ability to achieve the intended results of its XXX MS (where those XXX represent the discipline from which it is about, quality, environmental, food safety, among others). The knowledge gained is then used to guide the planning, implementation, operation, evaluation and improvement of the management system.


The determined issues represent the main inputs for several other requirements of the management system standard, including determination of the scope, risks and opportunities and inputs to management review, among others.]


The second supporting document that we can count on is also published by ISO, together with the International Accreditation Forum (IAF), through their ISO 9001 Auditing Practices Group, and is the document called "Guidance on: Context."


This document, although it was prepared as a guide for auditors of the ISO 9001 standard, is an important reference for all auditors of any other disciplines, as far as it applies, in relation to Sub-Clause 4.1, This document tells us that [in order for an organization to have an effective quality management system (QMS), the QMS should be aligned with its strategic direction and take into account the internal and external issues that are relevant, when planning to achieve its objectives.


For the purpose of effective planning the organization needs to understand:

• its status,

• what it wants to achieve, and

• its strategy on how to achieve it.

(If you don’t know clearly your starting point for your journey it will be difficult to achieve the desired destination.)

Auditors need to evaluate whether the organization has addressed these issues.


1. Understanding the organization and its context


There are many ways and supporting techniques for organizations to observe and analyse their context. The output from this activity should be evident in the determined risks and opportunities. Although there is no requirement for documented information in this section (ISO 9001:2015, clause 4.1), most organizations will find it useful to retain documented information to help understand the rationale and level of understanding of their challenges  (e.g. “known knowns, known unknowns and unknown unknowns”).


The information which might be helpful in this process could include:

• Business plan

• Review of strategy plans

• Competitor analysis

• Economic reports from business sectors

• SWOT analysis

• Minutes of Meetings

• Action lists

• Diagrams, Spreadsheets, Mind mapping diagrams

• External consultant’s reports


The auditor should approach this area through an interview with members of the organization’s top management. It should be evident whether top management have adequately considered their organization’s context; the evidence of this may be adequately demonstrated by showing how the review outputs became the inputs into the QMS planning process (risk based thinking). However, in exploring the nature of the risks and opportunities, the auditor should be able to understand the adequacy of the organization’s review of its context.]


These texts are important to help you understand these concepts. However, the latter, although it has very valuable elements, shows a bit of confusion on the part of this group of auditors, although they are all experts and qualified, as happens throughout the world, and unlike what is explained in this text, what is important in order to demonstrate compliance with these requirements is not that the organization has determined its risks and opportunities, as mentioned here, but as the text of these standards says, that it has determined the issues, both external and internal, that are relevant for the purpose (and for the strategic direction of the organization).


Let us remember that ISO 9000: 2015 standard presents the following definition, which is important for us to know:


3.11.1 Determination

Activity to find out one or more characteristics (3.10.1) and their characteristic values.


This leads us to consider that in order the organization can determine external and internal issues, it must carry out a deep analysis of all factors, both positive and negative, outside or within the control of the organization itself, as well as its characteristic values, to be determined as pertinent matters both for the purpose as well as it should be, for the strategic direction of the organization.


In the second part of this post, I will analyze the PESTEL Method, as a support to determine the pertinent external issues.




Ernesto Palomares Hilton