The process approach is one of the seven quality management principles that underpin ISO 9001, and it shapes the way auditors assess management systems. Yet despite appearing in nearly every ISO training course, it remains one of the most misunderstood concepts in practice. Organisations either treat it as a documentation exercise or confuse it with simply having procedures. Neither gets it right. This article explains what the process approach actually means, why ISO standards require it, and how it plays out in real audits across quality, environmental, and safety management systems.
On this page
What the Process Approach Actually Means
A process is a set of interrelated activities that transform inputs into outputs. That definition sounds simple, but the process approach goes further. It asks organisations to manage these activities as a connected system rather than as isolated functions.
ISO 9001:2015 Clause 4.4 requires organisations to determine the processes needed for the quality management system, understand how they interact, and manage them in a way that achieves intended results. This is the process approach in a nutshell: you identify your processes, understand what feeds into each one, what comes out, who is responsible, how performance is measured, and where risks sit.
The same logic runs through ISO 14001 and ISO 45001. Every management system standard built on the High Level Structure expects you to think in processes, not just clauses.
Why It Matters More Than Having Procedures
Procedures describe how tasks are done. The process approach asks something bigger: does the whole chain of activities actually deliver the intended outcome, and do you know when it is not working?
A company might have a documented purchasing procedure, a supplier approval form, and a register of approved suppliers. Tick, tick, tick. But if no one is measuring whether purchased materials actually meet specification, if incoming inspection results are never reviewed, and if the same suppliers keep delivering late without consequence, the process is not being managed. It is just being documented.
That distinction is exactly what auditors are trained to look for. Documented conformity is not the same as process effectiveness.
The Key Elements of a Well Managed Process
When you apply the process approach properly, each process in your management system should have the following elements defined and working in practice.
Inputs and Outputs
Every process receives something and produces something. For a product design process, inputs might include customer requirements, regulatory specifications, and engineering constraints. Outputs would include design drawings, specifications, and test results. Defining these clearly prevents the common problem of processes starting or finishing in ambiguous territory.
In an audit, if you ask someone what the inputs to their process are and they cannot answer, that tells you the process is not really being managed as a process. It is being managed as a set of tasks.
Process Owner
Someone needs to be accountable for the process performing as intended. Not just responsible for doing the tasks, but accountable for the overall outcome. This is the process owner concept. In smaller organisations, one person might own several processes. In larger ones, process ownership can be spread across departments. Either way, the accountability needs to be clear.
A common finding in audits is that everyone knows who does the work but no one can say who is responsible for whether the process actually works. That gap is a process approach failure.
Resources
People, equipment, infrastructure, and information are all resources that processes depend on. The process approach requires you to identify what resources each process needs and ensure they are available. This connects directly to Clause 7.1 of ISO 9001, which covers resources in detail.
Risks and Opportunities
ISO 9001 integrates risk based thinking with the process approach. For each process, you should be asking: what could go wrong here, what is the likelihood and impact, and what controls are in place? This is not about creating a separate risk register for every process. It is about building risk awareness into how processes are designed and monitored.
For a practical look at how risk based thinking works alongside the process approach, see our article on risk based thinking with practical examples.
Performance Indicators
You cannot manage what you do not measure. Each process should have at least one indicator that tells you whether it is delivering its intended output. The indicator needs to be meaningful, not just easy to collect. Measuring the number of purchase orders raised tells you activity. Measuring on time delivery performance from suppliers tells you process effectiveness.
Sequence and Interaction
Processes do not operate in isolation. The output of one process becomes the input of another. Understanding these interactions is critical because that is where things most often go wrong. Problems at the handover point between processes are common, and they are often invisible until something fails downstream.
The Process Approach in ISO 9001: A Worked Example
Let us take a concrete example from a manufacturing business. The company makes custom steel components for the construction industry. Their key processes might include:
- Sales and contract review
- Design and engineering
- Procurement
- Production and fabrication
- Inspection and testing
- Delivery and customer feedback
Under the process approach, each of these is mapped with its inputs, outputs, responsible owner, key risks, and performance measures. More importantly, the interactions are understood. Sales passes customer requirements to design. Design passes specifications to procurement and production. Production passes completed components to inspection. Inspection results feed back into both production (for correction) and management review (for trend analysis).
When an auditor walks through this organisation, they are not just checking whether each process has a procedure. They are following the chain. They might start with a customer order and trace it through design, procurement, production, and delivery, asking at each stage: what were you given, what did you produce, did it meet requirements, and how do you know?
This is process based auditing in action. It is more revealing than checking clauses one by one because it exposes gaps at the interfaces between functions.
The Process Approach in ISO 14001 and ISO 45001
The process approach applies equally to environmental and safety management systems, though the processes look different.
ISO 14001 Example
For an environmental management system, a key process might be waste management. Inputs include waste generated from operations. Outputs include disposed or recycled waste. The process owner might be the site manager or environmental officer. Risks include incorrect segregation, illegal disposal, or contractor non compliance. Performance indicators might include waste diversion rate, number of environmental incidents, or compliance with licence conditions.
The process approach here asks: is waste management actually being managed as a system, or is it just a bin collection arrangement? Are the interactions with procurement (buying products that generate less waste), operations (segregation at the point of generation), and contractors (licensed waste transporters) understood and controlled?
ISO 45001 Example
For a safety management system, consider the hazard identification and risk assessment process. Inputs include workplace inspections, incident reports, job task analyses, and regulatory requirements. Outputs include the hazard register, risk ratings, and control measures. The process owner might be the WHS manager. Risks include incomplete hazard identification, outdated risk assessments, or controls that exist on paper but not in practice.
Performance indicators might include the percentage of hazards with reviewed controls, the frequency of workplace inspections, or the time taken to close out corrective actions after incidents.
An auditor checking this process is not just asking whether a hazard register exists. They are asking whether the process of identifying hazards is ongoing, whether it covers all work activities, whether the risk ratings are credible, and whether the controls are actually implemented and effective.
How Auditors Assess the Process Approach
When auditing against Clause 4.4 of ISO 9001 or the equivalent clauses in other standards, auditors look for evidence that the process approach is genuinely embedded, not just documented.
What Auditors Ask
Typical questions an auditor might use include:
- Can you walk me through this process from start to finish?
- What are the inputs to this process and where do they come from?
- What happens if the input does not meet requirements before you start?
- How do you know this process is performing as intended?
- When did you last review the performance of this process?
- Who is responsible if this process is not delivering the right outputs?
- What are the main risks in this process and what controls are in place?
What Auditors Look For
Beyond the answers to those questions, auditors look for consistency between what people say and what the records show. If a process owner describes a robust review process but there are no records of it ever happening, that is a finding. If a performance indicator is tracked but the results have never prompted any action despite poor trends, that is another finding.
Auditors also look at the interfaces. If the sales team says they always pass complete customer requirements to the design team, the auditor will check with the design team whether that is their experience. Discrepancies at the handover points reveal where process management breaks down.
For a deeper look at how auditors approach process based auditing in practice, the article on auditing the process approach under ISO 9001 Clause 4.4 goes into the audit evidence in detail.
Common Mistakes Organisations Make
After hundreds of external audits across different industries and countries, the same process approach failures come up repeatedly. Here are the most common ones.
Treating Process Maps as a One Off Exercise
Many organisations create process maps during their initial certification preparation and then never update them. Processes change. People change. Systems change. A process map that reflects how things worked three years ago is worse than no map at all because it creates a false sense of control.
Measuring Activity Instead of Outcomes
Training hours completed, procedures reviewed, audits conducted. These are activity measures. They tell you something was done but nothing about whether it worked. Effective process measurement focuses on outcomes: did the training improve competence, did the procedure change reduce errors, did the audits find real issues?
Ignoring Process Interactions
Organisations often manage each process in isolation, with different teams, different meetings, and different reporting lines. When something goes wrong at the interface between two processes, no one owns the problem. The process approach specifically requires you to understand and manage these interactions.
Having Process Owners in Name Only
Assigning a process owner in a document without giving them the authority or information to actually manage the process is a common gap. A process owner who does not receive performance data, cannot allocate resources, and is never consulted when the process changes is not really a process owner.
Using Turtle Diagrams to Visualise Processes
One practical tool for applying the process approach is the turtle diagram. It structures a process around six questions: what goes in, what comes out, what resources are used, what methods or procedures apply, what competencies are needed, and how performance is measured.
Turtle diagrams are popular in auditing because they give auditors a structured way to explore a process in conversation with the process owner. They are also useful for organisations building their process documentation because they force the right questions to be answered.
The key is to use them as a thinking tool, not just a template to fill in. A completed turtle diagram that nobody refers to adds no value. A turtle diagram that the process owner reviews quarterly and updates when things change is genuinely useful.
Connecting the Process Approach to Continual Improvement
The process approach does not exist in isolation. It connects directly to the PDCA cycle (Plan, Do, Check, Act) that underpins all ISO management system standards. You plan the process, execute it, check whether it is delivering intended results, and act on what you find.
Without the process approach, continual improvement becomes reactive. You fix problems after they occur but you have no systematic way of knowing whether your processes are trending in the right direction. With the process approach properly implemented, improvement becomes proactive. You are monitoring process performance, identifying trends, and making adjustments before problems escalate.
This is why certification auditors spend significant time on Clause 9.1 (monitoring and measurement) and Clause 10 (improvement). They are checking whether the process approach is generating the information needed for genuine continual improvement.
Getting the Process Approach Right in Your Organisation
If you are responsible for a management system and want to strengthen the process approach, start with these practical steps.
- List your processes. Not your procedures, your processes. Think about the end to end activities that deliver value to your customers or stakeholders.
- Define inputs and outputs for each process. Be specific about what is needed to start and what a successful output looks like.
- Assign genuine process owners. Give them access to performance data and the authority to make changes.
- Identify the interactions. Draw a simple process map that shows how outputs from one process feed into another.
- Choose meaningful performance indicators. Outcome focused, not activity focused.
- Review process performance regularly. Monthly or quarterly, depending on the process. Do not leave it until the management review.
- Update your process documentation when things change. Do not let process maps become historical artefacts.
Understanding the process approach at this level is also foundational to auditor training. Whether you are preparing for an internal auditor role or working towards lead auditor certification, the ability to audit processes rather than just clauses is one of the most valuable skills you can develop. Audit Workshop's ISO 9001, ISO 14001, and ISO 45001 training courses cover the process approach in depth, with practical exercises that build real auditing capability rather than just theoretical knowledge. If you are ready to develop that skill, explore the available courses and find the level that suits where you are in your auditing journey.
