Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-MAN-010

IMS Manual - Clause 10: Improvement

Version: 1.0
Owner: IMS Owner
Effective Date: TBD
Review Date: TBD

Document ID: SW-IMS-MAN-010-v1.0
Effective Date: [TBD]
Review Date: [TBD]
Owner: IMS Owner
Approved by: [TBD]


Purpose

This section of the IMS Manual describes how Swedwise AB continually improves the suitability, adequacy, and effectiveness of the Integrated Management System. It addresses Clause 10 (Improvement) requirements for ISO 9001, ISO 14001, and ISO 27001.

Continual improvement is embedded in Swedwise's culture and operations, aligned with the company's tagline: "Make Time For The Good" – by working smarter and continuously improving, we create capacity for value-adding activities.


10.1 General - Commitment to Improvement

10.1.1 Improvement Culture

Swedwise is committed to continually improving the effectiveness and efficiency of the Integrated Management System. This commitment is demonstrated through:

Leadership commitment:

  • Management establishes and communicates improvement objectives
  • Resources allocated for improvement initiatives
  • Improvement recognized and celebrated
  • Learning from both successes and failures

Staff empowerment:

  • All staff encouraged to identify and suggest improvements
  • Improvement suggestions welcomed and evaluated fairly
  • Staff empowered to implement improvements within their authority
  • No-blame culture for reporting issues and mistakes

Learning organization:

  • Aligned with "The Machine" framework (agility, autonomy, continuous learning)
  • Knowledge sharing through discipline forums
  • Lessons learned captured and disseminated
  • Innovation and experimentation encouraged

Data-driven improvement:

  • Decisions based on facts, data, and analysis
  • Performance metrics drive improvement priorities
  • Trends analyzed to identify systemic opportunities
  • Effectiveness of improvements measured

10.1.2 Improvement Objectives

Swedwise establishes specific improvement objectives across all IMS disciplines:

Quality improvement objectives (examples):

  • Reduce customer complaint rate by 20% year-over-year
  • Increase customer satisfaction score from 4.0 to 4.3
  • Improve project on-time delivery rate to 95%
  • Reduce project rework hours by 15%

Environmental improvement objectives (examples):

  • Reduce business travel carbon emissions by 10% annually
  • Increase proportion of virtual meetings to 80%
  • Reduce office energy consumption by 5% per employee
  • Achieve 95% e-waste recycling rate

Information security improvement objectives (examples):

  • Reduce security incident response time to <10 minutes (average)
  • Achieve 100% security training completion (annual)
  • Reduce phishing simulation click rate to <5%
  • Automate 80% of routine security controls

IMS efficiency improvement objectives (examples):

  • Reduce average corrective action closure time by 25%
  • Achieve 100% on-time internal audit completion
  • Implement 20+ documented improvements annually
  • Reduce document approval cycle time by 30%

10.1.3 Improvement Opportunities - Sources

Swedwise identifies improvement opportunities from multiple sources:

Source | Description | Frequency | Owner
Management Review | Strategic improvement decisions from management review (SW-IMS-PRO-004) | Quarterly | Management Team
Internal and External Audits | Audit findings, observations, best practices identified | Per audit schedule | IMS Owner, Auditors
Nonconformities and Incidents | Root cause analysis revealing systemic issues (SW-IMS-PRO-005) | Continuous | Process Owners, CISO
Customer Feedback | Complaints, suggestions, satisfaction survey themes (SW-QMS-PRO-002) | Continuous | Quality Lead, CSM
Employee Suggestions | Staff improvement ideas via suggestion process | Continuous | All Staff
Data Analysis | Performance trends, KPI gaps, benchmarking insights | Monthly/Quarterly | IMS Owner, Department Heads
Risk Assessment | Risks and opportunities identified in risk assessment (SW-IMS-PRO-002) | Annually, or as needed | Risk Manager, CISO
Benchmarking | Comparison with industry best practices, standards updates | Annually | Quality Lead, CISO
Innovation and R&D | New technologies, methodologies, tools | Ongoing | Technical Leads, Discipline Forums
Supplier Feedback | Suggestions from partners and suppliers | Ad-hoc | Procurement Lead

10.2 Nonconformity and Corrective Action

10.2.1 Purpose and Scope

When a nonconformity occurs (including from customer complaints or incidents), Swedwise:

  • Reacts promptly to control and correct the nonconformity
  • Evaluates the need for action to eliminate root causes
  • Implements corrective actions to prevent recurrence
  • Verifies effectiveness of corrective actions
  • Updates the IMS if necessary

Nonconformity = Non-fulfillment of a requirement (ISO, legal, customer, internal).

Corrective action = Action to eliminate the root cause of a nonconformity and prevent recurrence.

See SW-IMS-PRO-005 (Nonconformity and Corrective Action Procedure) for the complete process.

10.2.2 Reacting to Nonconformity

When a nonconformity occurs, Swedwise takes immediate action:

1. Control and correction (containment):

  • Take immediate action to contain the nonconformity
  • Fix the immediate problem (the symptom)
  • Prevent further impact on customers, environment, or security

Examples:

  • Service outage: Restore service, notify affected customers
  • Project deliverable defect: Rework and resubmit
  • Security incident: Contain breach, revoke compromised access
  • Environmental spill: Contain, clean up, notify authorities

2. Deal with consequences:

  • Assess impact on customers, environment, security, compliance
  • Customer notification and recovery actions
  • Service credits or compensation (if contractual)
  • Regulatory notification (if required by law)

Responsibility: Process Owner, Department Head, or person identifying the nonconformity

Timeline: Immediate to within 24 hours (depending on severity)

10.2.3 Evaluating the Need for Corrective Action

Swedwise evaluates whether corrective action is needed to eliminate root causes:

Evaluation criteria:

  • Severity: How significant is the impact? (Critical, Major, Minor)
  • Recurrence risk: Is this likely to happen again?
  • Systemic vs. isolated: One-time error or systemic issue?
  • Cost-benefit: Does benefit of corrective action justify effort?

Decision:

  • Corrective Action Required: For major nonconformities, systemic issues, high recurrence risk, legal violations
  • Correction Only: For minor, isolated issues with low recurrence risk
  • Observation/Monitor: For borderline issues; track for trends

Examples:

  • Major NC requiring corrective action: No risk assessments conducted in 18 months (systemic failure)
  • Minor NC requiring corrective action: Missing training records for 3 employees (pattern if recurring)
  • Correction only: One-time typo in document (isolated, low risk)

10.2.4 Implementing Corrective Action

Corrective action process (8 steps):

1. IDENTIFY → 2. RECORD → 3. CONTAIN → 4. ANALYZE ROOT CAUSE →
5. PLAN CORRECTIVE ACTION → 6. IMPLEMENT → 7. VERIFY EFFECTIVENESS → 8. CLOSE

Step 1: Identify Nonconformity

  • Recognize that a requirement has not been met
  • Gather evidence

Step 2: Record Nonconformity

  • Create Corrective Action Request (CAR) with unique ID
  • Document: description, evidence, requirement not met, classification
  • Assign CAR Owner (responsible for managing CAR to closure)

Step 3: Contain (Immediate Correction)

  • Fix the immediate problem
  • Prevent further impact
  • Assess scope (are other areas affected?)

Step 4: Analyze Root Cause

  • Investigate why the nonconformity occurred
  • Use root cause analysis techniques:
    • 5 Whys: Iteratively ask "why" to drill down to root cause
    • Fishbone Diagram: Identify potential causes across categories (People, Process, Technology, Environment, Management)
    • Timeline analysis: Reconstruct sequence of events
  • Distinguish between symptoms and root causes
  • Validate root cause with evidence

Example Root Cause Analysis (5 Whys):

  • NC: Quarterly access reviews not performed for 6 accounts
  • Why? Reminders not set up
  • Why? IT admin who set reminders left the company
  • Why? Knowledge not transferred before departure
  • Why? No documented handover procedure
  • Why? Role responsibilities not clearly defined
  • ROOT CAUSE: Lack of documented role responsibilities and handover procedures for IT admin

Step 5: Plan Corrective Action

  • Develop corrective action plan addressing the root cause
  • Define specific actions, responsibilities, deadlines, resources, success criteria
  • Obtain approvals:
    • Minor NC: CAR Owner approval
    • Major NC: Department Head + IMS Owner approval
    • Critical NC: Management Team approval

Example Corrective Action Plan:

Action | Responsible | Deadline | Resources | Success Criteria
Document IT Admin role with access review responsibilities | CISO | 2025-03-15 | 4 hours | Role description published (SW-ISMS-ROLE-002)
Create IT Admin handover checklist | CISO | 2025-03-15 | 2 hours | Checklist available
Implement automated access review reminders | IT Admin | 2025-04-01 | 8 hours | Reminders auto-generate quarterly
Knowledge transfer session with IT Admin | IT Lead | 2025-03-30 | 2 hours | Session documented

Step 6: Implement Corrective Action

  • Execute corrective action plan
  • Update procedures, work instructions, forms
  • Communicate changes to affected personnel
  • Provide training if needed
  • Collect evidence of implementation

Timeline:

  • Critical NC: 7 days
  • Major NC: 30 days
  • Minor NC: 60 days
  • Extensions granted by IMS Owner with justification

Step 7: Verify Effectiveness

  • Review evidence that corrective actions were implemented
  • Assess whether nonconformity is prevented from recurring
  • Effectiveness check timing:
    • Immediate verification (within 30 days): Implementation complete?
    • Sustained effectiveness (3-6 months): Still working? No recurrence?
  • Determine: Effective / Partially Effective / Ineffective

Effectiveness verification methods:

  • Document review (updated procedures, records)
  • Interviews (staff awareness, compliance)
  • Observations (process in action)
  • Data review (KPIs improved?)
  • Follow-up audit (targeted re-audit)

Step 8: Close Nonconformity

  • Confirm all corrective actions implemented
  • Confirm effectiveness verified
  • Update CAR status to Closed
  • Record closure date and approver
  • File CAR and evidence
  • Communicate closure
  • Share lessons learned

If ineffective: Reopen CAR; require revised corrective action plan; restart from Step 5.

10.2.5 Reviewing and Updating the IMS

If corrective actions reveal a need for changes to the IMS:

Update documented information:

  • Revise policies, procedures, work instructions
  • Update forms or templates
  • Amend process documentation

Update risk assessment:

  • Add new risks identified
  • Adjust risk treatments

Communicate changes:

  • Inform affected personnel
  • Provide training on updated processes
  • Cascade through organizational units

Examples:

  • Corrective action for missing training records → Update Competence and Training Procedure (SW-IMS-PRO-014) to include automated tracking
  • Corrective action for security incident → Update Incident Management Procedure (SW-ISMS-PRO-002) with new response playbook

10.2.6 Retaining Documented Information

Records maintained:

  • Nature of nonconformities
  • Actions taken (correction, corrective action)
  • Results of corrective actions (effectiveness verification)
  • CAR forms and supporting evidence
  • Root cause analysis documentation

Retention: 7 years (for CARs and nonconformity records)

Location: Nonconformity register and CAR repository (SW-IMS-FRM-007, SW-IMS-FRM-008)

Responsibility: IMS Owner maintains register; CAR Owner maintains evidence


10.3 Continual Improvement

10.3.1 Commitment to Continual Improvement

Swedwise continually improves the suitability, adequacy, and effectiveness of the IMS, considering:

Suitability: Is the IMS appropriate for our organization's purpose, context, and strategic direction?

Adequacy: Is the IMS sufficient to meet requirements and achieve objectives?

Effectiveness: Does the IMS enable us to achieve intended results?

Continual improvement focuses on:

  • Enhancing customer satisfaction
  • Reducing environmental impact
  • Strengthening information security
  • Improving process efficiency and effectiveness
  • Reducing waste and errors
  • Increasing employee engagement and competence
  • Optimizing resource utilization

10.3.2 Continual Improvement Methodology

Swedwise uses the Plan-Do-Check-Act (PDCA) cycle for continual improvement:

┌──────────────────────────────────────────────┐
│  PLAN                                         │
│  - Identify improvement opportunity           │
│  - Analyze current state and root causes      │
│  - Set improvement objective and target       │
│  - Develop improvement plan                   │
└──────────────────┬───────────────────────────┘
                   │
                   ▼
┌──────────────────────────────────────────────┐
│  DO                                           │
│  - Implement improvement actions              │
│  - Pilot or test on small scale if possible   │
│  - Collect data during implementation         │
└──────────────────┬───────────────────────────┘
                   │
                   ▼
┌──────────────────────────────────────────────┐
│  CHECK                                        │
│  - Measure results against objective/target   │
│  - Analyze effectiveness of improvement       │
│  - Identify gaps or unexpected consequences   │
└──────────────────┬───────────────────────────┘
                   │
                   ▼
┌──────────────────────────────────────────────┐
│  ACT                                          │
│  - If successful: Standardize and communicate │
│  - If not successful: Adjust and re-plan      │
│  - Identify further improvement opportunities │
└──────────────────────────────────────────────┘
        │
        └───────► Back to PLAN (continuous cycle)

10.3.3 Continual Improvement Process

See SW-IMS-PRO-009 (Continual Improvement Procedure) for the detailed process.

Summary of improvement process:

1. Identify Improvement Opportunity

  • From sources listed in Section 10.1.3
  • Capture in improvement suggestion form (SW-IMS-FRM-002)

2. Evaluate Improvement Suggestion

  • IMS Owner or Quality Lead reviews suggestion
  • Assess: Impact, feasibility, resource requirements, alignment with objectives
  • Decision: Approve, Reject, Defer, Request More Information

3. Plan Improvement

  • Define improvement objective (what do we want to achieve?)
  • Set target (how much improvement? by when?)
  • Develop improvement plan (actions, responsibilities, timeline, resources)
  • Identify success criteria (how will we know it worked?)
  • Obtain approvals and resource allocation

4. Implement Improvement

  • Execute improvement plan
  • Update procedures, tools, systems as needed
  • Communicate changes to affected personnel
  • Provide training if required
  • Pilot on small scale if high-risk or complex

5. Measure Effectiveness

  • Collect data before and after improvement
  • Compare results against target
  • Assess: Did we achieve the improvement objective?
  • Document outcomes (quantitative and qualitative)

6. Standardize and Communicate

  • If successful: Embed improvement into standard practice
    • Update documented information (procedures, work instructions)
    • Train all relevant staff
    • Monitor to ensure sustained improvement
  • If not successful: Analyze why; adjust and retry, or abandon

7. Share Lessons Learned

  • Document improvement case study
  • Share success stories with organization (recognition)
  • Present best practices in team meetings or forums
  • Input to knowledge base

8. Identify Next Improvement

  • Continuous cycle: What can we improve next?
  • Build a culture of incremental, ongoing improvement

10.3.4 Types of Improvement

Incremental improvement (Kaizen):

  • Small, continuous improvements
  • Empowered teams and individuals
  • Low cost, low risk
  • Examples: Process tweaks, waste reduction, efficiency gains

Breakthrough improvement:

  • Major, transformational changes
  • Typically management-driven
  • Higher investment and risk
  • Examples: New technology platform, major process redesign, organizational restructuring

Swedwise emphasizes incremental improvement (aligned with learning organization culture) while also pursuing strategic breakthrough improvements when warranted.

10.3.5 Improvement Tools and Techniques

Swedwise employs various tools and techniques for improvement:

Tool/Technique | Purpose | Use Case
PDCA Cycle | Structured improvement methodology | All improvement initiatives
Root Cause Analysis (5 Whys, Fishbone) | Identify underlying causes | Problem-solving, corrective action
Benchmarking | Compare against best practices | Identify performance gaps and opportunities
Process Mapping | Visualize and analyze processes | Identify bottlenecks, waste, handoffs
Lean Thinking | Eliminate waste, add value | Process efficiency, waste reduction
Brainstorming | Generate ideas | Improvement ideation sessions
Piloting/Testing | Test improvement on small scale | Reduce risk of large-scale changes
Data Analysis and Trends | Identify patterns and opportunities | Performance analysis, trend spotting
Customer Journey Mapping | Understand customer experience | Improve customer satisfaction
Before-and-After Metrics | Measure improvement impact | Effectiveness verification

10.3.6 Improvement Metrics and Targets

Swedwise tracks improvement activity and impact:

Improvement activity metrics:

Metric | Target | Purpose
Improvement Suggestions Submitted | ≥ 30 per year | Gauge engagement and culture
Improvement Suggestions Implemented | ≥ 20 per year | Actual improvement activity
Implementation Rate | ≥ 60% | Quality of suggestions and evaluation
Average Time to Implement | ≤ 90 days | Responsiveness and efficiency
Staff Participation | ≥ 50% of staff submit at least 1 suggestion/year | Broad cultural engagement

Improvement impact metrics:

  • Measured per improvement objective (see Section 10.1.2)
  • Before-and-after comparison
  • Cost savings or revenue gains (where applicable)
  • Customer satisfaction improvement
  • Environmental impact reduction
  • Security risk reduction
  • Process efficiency gains

Reporting:

  • Improvement metrics reported quarterly in Management Review
  • Annual improvement summary shared with all staff
  • Success stories highlighted (recognition and learning)

10.3.7 Recognition and Rewards

Swedwise recognizes and celebrates improvement contributions:

Recognition methods:

  • Public acknowledgment in team meetings or company communications
  • "Improvement of the Quarter" or "Innovation Award" (if formalized)
  • Management appreciation and feedback
  • Feature improvement case studies in internal newsletter or intranet
  • Input to performance reviews (improvement contributions valued)

Culture of appreciation:

  • Focus on learning and improvement, not blame
  • Celebrate small wins and incremental improvements
  • Recognize effort and creativity, not just results
  • Encourage experimentation (safe to fail)

10.3.8 Improvement Examples

Examples of continual improvement at Swedwise (illustrative):

Improvement | Problem/Opportunity | Action Taken | Result
Automated Training Tracking | Manual training tracking time-consuming; low completion visibility | Implement automated training dashboard in HRIS | 100% visibility; 30% reduction in admin time; 95%→100% completion
Virtual Meeting Culture | High business travel carbon emissions; consultant fatigue | Promote virtual-first meetings; invest in better collaboration tools | 25% reduction in travel; 15% CO2 reduction; improved work-life balance
Proactive SaaS Monitoring | Reactive incident response; customer-reported issues | Implement proactive monitoring with alerting | 50% reduction in customer-reported incidents; faster MTTR
Customer Onboarding Checklist | Inconsistent onboarding experience; missed steps | Standardized checklist for SaaS onboarding | Consistent experience; 20% faster onboarding; higher satisfaction
Access Review Automation | Quarterly access reviews manual and time-consuming | Automate access review report generation | 70% time savings; 100% on-time completion
Incident Response Playbooks | Inconsistent security incident response | Develop incident playbooks for common scenarios | Faster response; reduced stress; better documentation
Incident Response Playbooks Inconsistent security incident response Develop incident playbooks for common scenarios Faster response; reduced stress; better documentation

10.4 Improvement Governance

10.4.1 Roles and Responsibilities

Improvement responsibilities by role:

Management Team:

  • Approve strategic improvement initiatives
  • Allocate resources for improvement
  • Champion improvement culture
  • Review improvement metrics in management review
  • Recognize and reward improvement contributions

IMS Owner:

  • Coordinate continual improvement process
  • Evaluate improvement suggestions
  • Track improvement initiatives to completion
  • Report improvement metrics
  • Facilitate sharing of lessons learned
  • Maintain improvement register

Quality Lead:

  • Identify quality improvement opportunities
  • Support quality-focused improvement initiatives
  • Analyze customer feedback for improvement themes
  • Benchmark quality performance

Environmental Lead:

  • Identify environmental improvement opportunities
  • Support environmental improvement initiatives
  • Track environmental performance improvements
  • Promote sustainability initiatives

CISO:

  • Identify information security improvement opportunities
  • Support security improvement initiatives
  • Track security performance improvements
  • Stay current on security innovations

Department Heads:

  • Identify improvement opportunities in their areas
  • Support and resource improvement initiatives
  • Implement improvements in their departments
  • Encourage staff to submit improvement suggestions

All Staff:

  • Identify and suggest improvements
  • Participate in improvement initiatives
  • Implement improvements within their authority
  • Adopt standardized improvements
  • Share lessons learned

10.4.2 Improvement Register

All improvement initiatives are tracked in the Improvement Register (SW-IMS-FRM-009):

Improvement ID | Title | Submitted By | Date | Status | Owner | Target Date | Outcome
IMP-2025-001 | Automate training tracking | HR Manager | 2025-01-15 | Completed | HR Manager | 2025-03-31 | 100% completion visibility
IMP-2025-002 | Virtual-first meeting policy | Environmental Lead | 2025-02-01 | In Progress | CEO | 2025-06-30 | [TBD]

Status values: Submitted, Approved, In Progress, Implemented, Verified, Closed, Deferred, Rejected

Location: [TBD - Document management system or improvement tracking tool]

Responsibility: IMS Owner maintains register and tracks progress


10.5 Integration with Risk and Opportunity Management

Improvement and risk management are closely linked:

Opportunities from risk assessment:

  • Risk assessment (SW-IMS-PRO-002) identifies opportunities as well as risks
  • Opportunities to improve performance, customer satisfaction, environmental performance, security
  • Opportunities captured and evaluated like other improvement suggestions

Preventive action:

  • Addressing risks before they materialize is a form of preventive improvement
  • Example: Trend analysis identifies potential issue → implement improvement to prevent nonconformity

Risk treatment as improvement:

  • Implementing risk treatments often improves processes
  • Example: Implementing MFA reduces security risk AND improves authentication process

Improvement as risk reduction:

  • Process improvements often reduce risks
  • Example: Automating manual process reduces human error risk

Integrated approach:

  • Risk assessment and improvement planning coordinated
  • Management review considers risks and improvement opportunities together
  • IMS Owner coordinates risk and improvement activities

10.6 Innovation and Learning

10.6.1 Learning from Experience

Swedwise systematically learns from:

Project retrospectives:

  • Post-project review: What went well? What could be improved?
  • Lessons learned documented and shared
  • Best practices identified and disseminated

Incident post-mortems:

  • Blameless post-incident review for significant incidents
  • Focus on system and process improvements, not individual blame
  • Findings shared to prevent recurrence across organization

Audit findings:

  • Internal and external audit recommendations evaluated for improvement opportunities
  • Positive findings (best practices) shared as examples

Benchmarking:

  • Compare performance against industry standards, peers, competitors
  • Identify gaps and improvement opportunities
  • Adopt best practices from external sources

Industry developments:

  • Monitor standards updates (ISO revisions)
  • Stay current on technology innovations
  • Engage with professional communities and interest groups

10.6.2 Knowledge Management

Swedwise captures and shares knowledge to enable learning and improvement:

Knowledge repositories:

  • Document management system (procedures, guidelines, templates)
  • Knowledge base (FAQs, troubleshooting guides, how-tos)
  • Lessons learned database (project and incident insights)
  • Training materials (on-demand learning resources)

Knowledge sharing mechanisms:

  • Discipline Forums: Regular meetings of technical communities (OpenText, Salesforce, etc.) to share expertise
  • Team Meetings: Sharing updates, lessons learned, best practices
  • Lunch & Learns: Informal knowledge sharing sessions
  • Onboarding and Mentoring: New staff learn from experienced colleagues
  • Documentation: Written knowledge accessible to all

"The Machine" framework alignment:

  • Autonomous teams empowered to learn and improve
  • Decentralized decision-making with centralized knowledge sharing
  • Psychological safety to admit mistakes and learn from them
  • Continuous learning as a cultural value

10.7 Improvement Records

Records maintained:

Record | Retention Period | Location | Owner
Improvement Suggestions (SW-IMS-FRM-002) | 5 years | Improvement register | IMS Owner
Improvement Register (SW-IMS-FRM-009) | Permanent (current + 5 years archived) | Improvement tracking system | IMS Owner
Improvement Plans and Evidence | 5 years | Improvement project files | Improvement Owner
Lessons Learned | 5 years | Knowledge base | Process Owner, Project Manager
Benchmarking Reports | 3 years | Analysis repository | Quality Lead, CISO
Management Review Improvement Decisions | 7 years | Management review minutes | IMS Owner

Procedures:

Policies:

Forms:

ISO Standards:

  • ISO 9001:2015 - Clause 10 (Improvement)
  • ISO 14001:2015 - Clause 10 (Improvement)
  • ISO 27001:2022 - Clause 10 (Improvement)

Document Control

Version | Date | Author | Changes
1.0 | [TBD] | [Author] | Initial release

Approval

Role | Name | Signature | Date
IMS Owner | | |
CEO | | |