Why is clarifying roles and responsibilities important and what are the typical roles?
The Roles and Responsibilities Policy defines the critical roles and responsibilities relating to your management system, whether this is an Integrated Management System (IMS) or one specific area such as a Quality Management System (QMS), Information Security Management System (ISMS), Environmental Management System (EMS) or Artificial Intelligence Management System (AIMS).
It is important that roles and responsibilities are clearly defined and allocated so that everyone knows who is responsible for what.
Information Security
For Information Security, it is important that roles and responsibilities are clearly defined and allocated. These may be outlined within procedural documents or through ownership of tasks in, e.g., Adoptech or a ticketing system. The following are areas that should be considered:
- protection of individual assets, recorded within an asset inventory
- information security risk management activities, and in particular the acceptance of residual risks
- incident management
- change control
- the maintenance of each company policy
- the implementation of controls designed to mitigate information security risks, as outlined in the company policies
- the execution of information security tasks that are required to fulfil control objectives
- the information security risks associated with suppliers
- external information security communications, such as those with authorities or special interest groups, e.g. the National Cyber Security Centre (NCSC) or the Information Commissioner's Office (ICO)
- threat intelligence: analysis and communication
Example roles and responsibilities that might be defined for Information Security in the Roles and Responsibilities Policy include:
- Documentation and compliance of the Information Security Management System
- Setting Information Security objectives and reporting on progress
- Information security risk assessment
- Overseeing and approving changes to the ISMS
- IT operational change
- Staff information security awareness training
- Defining and controlling staff access rights
- Asset management
- Supplier management
- Internal audit scheduling
- Monitoring the risk register / action log
- Background screening
- Threat intelligence: analysis and communication
- Incident management
Quality
For Quality Management, it is important that roles and responsibilities are clearly defined and allocated. These may be outlined within procedural documents or through ownership of tasks in, e.g., Adoptech or a ticketing system. The following are areas that should be considered:
- Maintaining the integrity of the QMS
- Monitoring QMS performance
- Promoting customer focus
- Quality assurance
- Quality improvement
Example roles and responsibilities that might be defined for Quality in the Roles and Responsibilities Policy include:
- Documentation of the Quality Management System
- Setting Quality objectives and reporting on progress
- Maintaining QMS business process documentation
- Overseeing and approving changes to the QMS
- Reviewing quality assurance
- Client service management
- Reporting of QMS performance
- Monitoring the action log
Environment
For Environmental Management, it is important that roles and responsibilities are clearly defined and allocated. These may be outlined within procedural documents or through ownership of tasks in, e.g., Adoptech or a ticketing system. The following are areas that should be considered:
- Maintaining the integrity of the EMS
- Monitoring EMS performance
- Promoting environmental initiatives
Example roles and responsibilities that might be defined for Environment in the Roles and Responsibilities Policy include:
- Documentation of the Environmental Management System
- Setting Environmental objectives and reporting on progress
- Maintaining the Impacts and Aspects Register
- Monitoring the action log
- Overseeing and approving changes to the EMS
- Reporting of EMS compliance