AI risk management is not like other risk – this is how ISO 42001 approaches it

AI risk management is not like other risk – this is how ISO 42001 approaches it

AI risiko

Many organisations already have established risk management processes. They identify risks, assess likelihood and impact, implement actions and follow up through audits and management reviews.

But artificial intelligence challenges several of the assumptions that traditional risk management is built on.

It is precisely for this reason that ISO 42001 places such emphasis on AI risk management. The standard builds on familiar principles from management systems, but also acknowledges that AI introduces risk factors that many organisations have not previously had to manage.

Why is AI risk different?

Traditional IT systems generally do what they are programmed to do. If a rule or process is defined, the system will follow it.

AI systems work differently.

They are typically built on statistical models that learn patterns from large volumes of data. The result is that the outcome is not always as predictable as in traditional software. The system can produce different answers to the same question, change behaviour over time or draw conclusions that are difficult to explain fully.

This does not mean that AI is necessarily dangerous. But it does mean that the risk must be assessed differently.

Risk is not only about technology

When leaders think about technology risk, it tends to focus on availability, security and data protection.

For AI, these remain important, but the risk landscape is broader.

Organisations must also consider questions such as:

  • Can the AI model produce incorrect or misleading responses?
  • Can it introduce bias or discrimination?
  • Could employees become overly reliant on AI-generated recommendations?
  • Is it clear who is accountable when AI is used in decision-making processes?
  • Can the system be used in ways it was not originally intended for?

These are risks that often affect people, business processes, reputation and regulatory compliance at least as much as the technology itself.

AI risikostyring

AI risk is dynamic

Another important difference is that AI risk is rarely static.

A machine on the factory floor works much the same way tomorrow as it did yesterday. Many AI solutions, on the other hand, evolve continuously.

Underlying data changes. Suppliers update models. New use cases emerge. Employees begin using tools in ways that differ from what was originally planned.

ISO 42001 therefore emphasises continuous monitoring and evaluation, not just a one-off assessment before the system is deployed.

Risk management becomes an ongoing activity.

Focus on context and use

A central principle in ISO 42001 is that risk lies not only in the technology, but in how the technology is used.

The same AI model can represent very different levels of risk depending on its purpose.

A chatbot that helps employees draft emails presents an entirely different risk profile from a system used as decision support in recruitment, credit assessment or healthcare.

This means that effective AI risk management requires the organisation to understand:

  • Where AI is used
  • Who is affected by its use
  • Which decisions AI influences
  • What the consequences of errors could be

This perspective runs throughout the whole of ISO 42001.

Human oversight remains essential

A recurring theme in the standard is the importance of human oversight.

Many organisations introduce AI to streamline work processes, but streamlining must not lead to accountability becoming unclear.

Leaders must be able to answer questions such as:

  • Who owns the process?
  • Who approves the results?
  • Who is accountable if something goes wrong?

ISO 42001 therefore requires the organisation to define roles, responsibilities and decision-making authority in connection with the use of AI.

Technology can support people. It does not relieve the organisation of responsibility.

From technology project to governance responsibility

One of the most common mistakes organisations make is treating AI as a purely IT project.

ISO 42001 takes a different view.

The standard places AI within the organisation’s existing governance model. AI should be assessed in the same way as other matters that affect the organisation’s objectives, risk exposure, compliance and reputation.

An AI management system therefore often involves functions beyond IT alone:

  • Leadership
  • Professional departments
  • Compliance and quality
  • Data protection and information security
  • HR
  • Risk management

The goal is not to control the technology itself, but to govern how the organisation uses it.

Risiko med AI

What does this mean for leaders?

For leaders already working with quality, internal control, information security or compliance, much of the thinking in ISO 42001 will feel familiar.

What is new is not necessarily the methodology.

What is new is that AI introduces risks that require different assessments from those applied to traditional systems and processes — and that systematic AI risk management therefore becomes a core competence for organisations in the years ahead.

Organisations that succeed with AI in the coming years will likely be those that manage to combine innovation with governance. Not because regulation demands it, but because trust, accountability and control become ever more important as artificial intelligence is adopted in business-critical processes.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Organisations have an AI strategy – but do they have AI governance?

Organisations have an AI strategy – but do they have AI governance?

Norwegian organisations AI strategy

Many organisations have developed AI strategies in recent years. They have identified opportunities, defined ambitions and pointed to areas where artificial intelligence can create value. But a strategy alone does not govern the use of AI.

The question leaders should be asking is therefore not whether the organisation has an AI strategy. The question is whether the organisation has control over how AI is actually being used.

From ambition to governance

An AI strategy tends to be about where the organisation wants to go. AI governance is about how the organisation gets there in a safe, responsible and controlled manner.

In many organisations, AI adoption is happening far faster than the governance surrounding it. Employees are picking up new tools, departments are experimenting with their own solutions, and AI is gradually becoming part of work processes and the basis for decisions.

Often without leadership having full visibility.

Do you know where AI is used?

If you are a leader, can you answer these questions:

  • Which AI tools are being used in the organisation today?
  • Which data is being shared with these solutions?
  • Who is responsible for approving new AI tools?
  • How is AI-generated content quality-assured?
  • Which decisions are influenced by AI?
  • How do you document your use of AI to customers, owners and authorities?

Many leaders find they do not have good answers to all of these questions.

That does not necessarily mean the organisation has a problem. But it may mean the organisation lacks governance.

AI tools on PC

AI governance is about control

AI governance is the framework that ensures AI is used in line with the organisation’s objectives, values, risk appetite and regulatory requirements.

It covers, amongst other things:

  • roles and responsibilities
  • guidelines for AI use
  • risk assessments
  • control over data and models
  • documentation and traceability
  • compliance with legislation and standards

In short: AI governance turns AI into a governed organisational capability, rather than simply a set of tools employees use on their own initiative.

The AI Act raises expectations

With the EU AI Act, it is becoming increasingly difficult to treat AI as a purely technology initiative.

Organisations must be able to document how AI is used, which risks have been assessed and which control mechanisms are in place. For many, this will require far more than a strategy or a general AI policy. It requires governance.

AI documentation

The most important question leaders should be asking now

Many organisations spend considerable time discussing what AI can do for them. Perhaps it is time to spend just as much time discussing how AI should be governed.

Because when AI becomes part of the organisation’s work processes and decisions, having a strategy is no longer enough. What you need is AI governance.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Who is responsible for AI in the organisation?

Who is responsible for AI in the organisation?

Responsible AI leaders

As AI is adopted in an ever-growing number of work processes, the same question arises in many organisations: Who is actually responsible for AI?

Is it the IT department? HR? The quality manager? Senior leadership?

The challenge is that AI rarely fits neatly within a single department.

An AI tool can simultaneously affect data protection, information security, quality, work processes, customer handling and decision-making. This quickly makes it unclear who should own the risk, the guidelines and the follow-up.

AI cannot be owned by IT alone

Many organisations start by placing responsibility with IT. This is understandable, but often insufficient.

IT can take responsibility for the technology and security, but rarely has the position to assess how AI affects the professional areas that use it.

If HR uses AI in recruitment, HR must understand the risks and own the process. If the marketing team uses generative AI for content production, the marketing team must take responsibility for how the tool is used. If the finance department uses AI for analysis or decision support, they must own their part of the usage.

Just as departments own their own systems and work processes, they must also own the AI solutions they use.

Why we are seeing new roles and steering groups

Large organisations are now beginning to establish AI steering groups, AI governance functions and dedicated leads for coordinating AI work.

The goal is not necessarily to control all use of AI, but to create visibility and ensure the organisation has shared guidelines and risk assessments.

For smaller organisations, dedicated AI roles are rarely necessary. There it is often more realistic to distribute responsibility between leadership, IT, quality functions and the departments that actually use the technology.

Working with AI

The EU AI Act makes the question even more important

One of the challenges many organisations are now discovering is that they do not have a full overview of how AI is being used internally.

EU AI Act sets out different requirements depending on how AI is used. Before an organisation can assess which requirements apply, it must first map which AI systems are actually in use.

This is difficult for one person to do alone.

To gain an overview, the organisation must involve multiple professional areas. Each department must contribute information about which tools are in use, what they are used for and which processes they form part of.

The most important thing is not a single AI lead

Many organisations are looking for one person who can own AI.

In practice, good AI governance is often less about finding a single accountable individual and more about establishing clear roles and responsibilities across the organisation.

Someone must coordinate the work. Leadership must own the governance. But those who use AI day to day must also own the risk and the responsibility for how the technology is used in their own processes.

It is only when these roles are clearly defined that the organisation gains the visibility and control that both leadership, ISO 42001 and the EU AI Act call for.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

What is document management?

What is document management?

Document control Certain QMS

The terms document collection, document storage and document management are often used interchangeably. In practice, they describe very different ways of managing an organisation’s documentation. The difference is not primarily about technology, but about governance, responsibility and trust.

Document collection and document storage

A document collection is exactly what it sounds like: documents gathered in one or more locations, organised in folders or libraries. The purpose is storage and sharing.

Document storage provides a common place to find files, easy access and flexibility in how content is organised. However, few requirements are placed on who owns the content, how changes should be handled, when documents should be reviewed, or which document actually applies.

This works well as an archive and a sharing platform — but provides limited support for managing the organisation’s practices over time.

What document management is really about

Document management is the systematic management of governing documentation throughout its entire lifecycle — from creation through use, review and eventual withdrawal.

The core is not where documents are stored, but how they are governed. This requires clear frameworks for ownership and responsibility, review and approval, versioning and change history, access and availability, and compliance in practice.

Where document storage answers the question of where documents can be found, document management answers the question of how the organisation ensures that documentation is correct, up to date and actually used.

Document management requirements in ISO standards

Document management is not merely good practice — it is an explicit requirement in the most widely adopted management system standards. ISO 9001, ISO 14001, ISO 45001 and ISO 27001 all place requirements on document management — that is, control of documented information: ensuring that documents are available where needed, that they are fit for purpose, and that they are adequately protected against unintended alteration or loss.

For organisations that are certified — or working towards certification — document management is therefore not optional. It is a prerequisite for meeting the requirements of the standards and for being able to demonstrate this to an external auditor.

When does the difference become visible?

The gap between storage and control typically becomes apparent when someone questions the documentation. Employees are uncertain about which version applies. Multiple versions are circulating simultaneously. Practice varies between departments. An audit demands traceability.

In these situations, it is rarely a lack of documents that is the problem. It is a lack of governance around them.

The consequences can be more serious than they first appear. Employees following outdated procedures increase the risk of errors and non-conformities. Internal audits uncover gaps that require resource-intensive remediation. External inspections can, in the worst case, result in non-conformities against the standard — with loss of certification as a possible outcome. And in organisations experiencing high turnover or growth, inadequate document management is often what causes knowledge to disappear when experienced employees leave.

Trust in a document does not build itself

What actually makes us trust a document? The question is rarely asked explicitly, but the answer is crucial.

Trust is not about the title or the location. It is built on certainty that this is the last approved version, that someone has held clear responsibility for the content, that changes have been made in a controlled and deliberate manner — and that what you are reading is what currently applies.

When this confidence is absent, informal workarounds emerge: local copies, personal notes, ‘the way we usually do it’. Over time, this undermines shared practice and genuine governance.

Change control: the underestimated element

One dimension of document management that is often underestimated is the role it plays when people leave or new employees join. In organisations without effective document management, much of the practice is bound up in individuals — in experience, memory and informal routines that have never been written down, or that have been written down but never maintained.

When an experienced employee leaves, this knowledge often goes with them. Good document management is what prevents the organisation from starting from scratch each time — enabling a new employee to find out how things are actually done, and ensuring that training is built on something more solid than colleagues’ personal notes.

Document management and knowledge transfer

A central but often overlooked aspect of document management is visibility of changes. It is not enough to know that a document has been updated. Equally important is knowing who made the changes, when they were made, and what specifically has changed since the previous version.

When changes are clear and traceable, trust in the documentation increases. Employees no longer need to re-read entire documents to find out what is new. Management gains better oversight of how practice is actually developing over time.

This is one of the clearest distinctions between document management and simple document storage — and a core principle of document management as understood in the ISO standards.

From archive to management tool

Document management only becomes valuable when documentation is used actively in day-to-day work — not merely as a reference, but as a governing framework for how work is carried out.

Organisations that succeed in this are typically characterised by employees having a single, clear source of current practice, roles and responsibilities being clearly defined, documentation being perceived as relevant and trustworthy, and review and follow-up being a natural part of operations — not a last-minute effort.

Document control Certain QMS

Document management in Certain QMS

In Certain QMS, document management is built around the same principles: clear responsibility, controlled publishing and full traceability of changes. The solution makes a clear distinction between the work of drafting and revising documents, and what is at any given time the organisation’s official, approved practice.

Drafting, revision and quality assurance take place in controlled workspaces. Employees who use the documentation in their day-to-day work only ever encounter what has been approved and published. This reduces uncertainty and creates a documentation foundation that can genuinely be used for governance.

For employees, this means that the latest approved version is always the one available, that it is clear who owns the content and when it was last reviewed, and that documentation feels safe to rely on in practice. When employees no longer need to check version numbers or compare alternative documents, the threshold for actual use is lowered — and compliance improves across roles and departments.

For the organisation as a whole, the approach delivers better oversight and governance: clearly defined ownership per document, full traceability of who has revised and changed what and when, a clear change history where previous and new versions can be compared directly, and a stronger basis for audits, document management and systematic improvement work — including documentation that stands up to external audit scrutiny.

Document management, properly implemented, transforms documentation from an archive into something more. It becomes an active management tool that supports shared practice, reduces the risk of errors and provides a solid foundation for quality work in the organisation’s day-to-day operations.

Marte Sunde

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.

7 AI-specific controls in ISO 42001 that distinguish it from ISO 27001

7 AI-specific controls in ISO 42001 that distinguish it from ISO 27001

Discussion about AI and ISO standards

Many organisations working with ISO 27001 find that ISO 42001 feels familiar. Both standards are built on the same principles of management commitment, risk management and continual improvement.

Nevertheless, ISO 42001 is more than an AI version of ISO 27001. The standard introduces several controls developed specifically for the challenges that artificial intelligence creates. It is not only about information security, but also about consequences for people, data quality, transparency and the responsible use of AI.

Here are seven of the most important control areas that distinguish ISO 42001 from traditional management systems.

1. Impact assessments of AI systems

A central requirement in ISO 42001 is that the organisation must assess the consequences AI systems may have for individuals, groups and society as a whole.

An AI system can function technically as expected whilst simultaneously creating unintended consequences. For example, it may affect recruitment processes, customer handling or the basis for decisions in ways the organisation had not foreseen.

This perspective is far less prominent in ISO 27001, where the primary focus is on protecting information and reducing security risk.

2. Responsible development of AI systems

ISO 42001 places significant emphasis on how AI systems are developed.

The organisation must define objectives and processes for responsible development, so that considerations such as quality, reliability, security and ethical factors become an integral part of the development work.

This is an important distinction from traditional IT systems. For AI, risk is not only about the technology itself, but also about how the system is designed, trained and deployed.

3. Verification and validation of AI systems

Traditional software is tested to ensure it functions as expected. For AI, this is not sufficient.

An AI system can be technically correct and still produce misleading or undesirable results. ISO 42001 therefore requires verification and validation throughout the entire lifecycle.

The organisation must be able to document how the AI system has been tested, which criteria have been used and how the results have been assessed.

Working with ISO

4. Monitoring AI systems in operation

A common misconception is that AI risk is assessed once at the point of implementation.

In practice, AI systems can change in character over time. The underlying data can evolve, usage patterns can shift, and results can deteriorate below expectations.

ISO 42001 therefore requires the organisation to establish processes for ongoing monitoring of AI systems’ performance and behaviour.

This is an area in which many organisations currently have limited experience.

5. Data quality and data provenance

The quality of an AI system is closely linked to the quality of the data it is built on.

ISO 42001 therefore includes several controls relating to data collection, data quality, data management and documentation of data provenance.

For many organisations, this will be one of the most demanding areas. It is often easier to procure an AI tool than to document the quality of the data used to train, configure or operate it.

Poor data rarely produces good AI results.

6. Transparency and information for stakeholders

Users and other stakeholders must understand how AI systems affect them.

ISO 42001 therefore emphasises documentation, information for users and reporting of unintended consequences.

This is not necessarily about explaining every technical detail, but about providing sufficient information for users to understand the system’s purpose, limitations and risks.

Transparency is becoming increasingly important as AI is adopted in more business-critical processes.

7. Intended use of the AI system

An AI system should be used for the purpose for which it was developed or assessed.

This may seem self-evident, but in practice many organisations find that employees start using AI tools in new areas without the risks having been assessed in advance.

A tool approved to assist with content production suddenly gets used as a decision-support tool, analytical tool or source of professional judgements.

ISO 42001 addresses this challenge by requiring the organisation to maintain control over what AI systems are actually being used for.

Certain QMS

AI governance is about more than security

Organisations already working with ISO 27001 will recognise many of the principles in ISO 42001. Both standards are concerned with governance, accountability and risk management.

At the same time, ISO 42001 introduces several new perspectives specific to artificial intelligence. Impact assessments, data quality, transparency and responsible use are areas that rarely receive the same degree of attention in traditional management systems.

It is precisely these controls that make AI governance something more than information security. The goal is not only to protect the organisation against risk, but also to ensure that AI systems are developed and used in a responsible, verifiable and trustworthy manner.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

eHandbook for document control in the healthcare sector

eHandbook for document control in the healthcare sector

eHandbook document control in the healthcare sector

The document module in Certain QMS is the core of the quality management system, bringing together the organisation’s internal procedures, guidelines, routines and other governing documentation in one place.

For many years, the solution has been used by large organisations in the healthcare sector, where it is referred to as the eHandbook — a term with a long history in the sector. The eHandbook in Certain QMS serves as the organisation’s digital reference for both practical working routines and other governing documentation that forms the basis for operations, internal control and systematic quality work.

Key features of the eHandbook

To support the requirements for document control, internal control and quality in the healthcare sector, the eHandbook in Certain QMS covers the entire lifecycle of governing documents — from drafting, internal consultation and approval through to publishing, use and revision. The solution offers, amongst other things:

  • Flexible and customised document templates for different types of procedures, guidelines and instructions, making documentation more consistent and easier to maintain.
  • Approval workflows and clearly defined roles for who can edit, quality-assure, approve and publish documents.
  • Advanced role and access management, which can be integrated with the organisation’s AD/Entra ID, so that employees are automatically granted access to the right content based on their role and department.
  • Restriction of sensitive information, ensuring that certain content is only accessible to defined roles or user groups.
  • HTML-based and searchable documents, combined with the ability to upload various file formats and link to external resources.
  • Change summaries, giving users a quick overview of what is new or changed in a document.
  • Reading lists with acknowledgement, where managers can require employees to read selected documents and have confirmation of completion recorded.
  • Review deadlines and automatic notifications, ensuring that documents do not remain outdated without responsible parties being followed up.
  • Public document portal for external publishing of selected documents, so that procedures, guidelines and other information can be shared online — without requiring a login.

Scope and use of the eHandbook in the healthcare sector

Figures from the large healthcare organisations using the eHandbook in Certain QMS show that the solution is not a passive document archive, but a reference tool that is actively used by employees on a daily basis.

Usage data shows high levels of activity, with thousands of document views each day and a large number of unique users over time. This confirms the eHandbook’s role as a central working environment for governing documentation — for clinical staff, managers and support functions alike.

Examples of document scope and publishing:

Organisation Internal documents Public documents
Oslo University Hospital HF approx. 33,000 approx. 8,000
Vestre Viken HF approx. 18,000 approx. 8,000
Helse Fonna HF 8,000+ approx. 500
Lovisenberg Diaconal Hospital approx. 3,500 0*

 

eHandbook healthcare sector

Public document portal – controlled sharing of governing documentation

Many organisations need to make parts of their documentation available to external users, whilst retaining full control over content, versions and publishing. With the public document portal, selected documents from the eHandbook can be published in a dedicated, open eHandbook portal that is accessible via a browser, with no login required. The documents continue to be maintained, approved and revised within the same solution before being published to the public portal.

In the healthcare sector, this is used, amongst other things, to share patient-facing procedures, information about services, collaboration routines with GPs and other stakeholders, and guidelines that are required to be publicly available. When documents are updated in the eHandbook, they are also updated automatically in the public portal, reducing the risk of outdated information being accessible externally.

The public document portal in Certain QMS thus enables secure public access to and sharing of documents, with full traceability and revision control maintained within Certain QMS.

Experiences from Oslo University Hospital

Oslo University Hospital (OUS) was established in 2009 through the merger of Rikshospitalet, Ullevål University Hospital and Aker University Hospital. The hospital is the largest in Europe, with 24,000 employees.

The eHandbook in a large and complex organisation

OUS has used Certain QMS for effective document control since 2010, and demonstrates a mature and considered approach to the use of the eHandbook. With a document base running to tens of thousands of internal documents and daily use by many thousands of employees, the solution functions as a central knowledge platform across disciplines, roles and locations.

Usage is high throughout the year, with continuous lookups of documents that are directly integrated into both clinical and administrative day-to-day work.

Training and role understanding as the key to effective system use

At OUS, considerable emphasis has been placed on training in the use of the eHandbook, and a dedicated internal support function has been established to build user competence over time. Experience shows that the way in which support and guidance are provided has a significant bearing on whether employees become confident and independent in their use of the system.

Rather than completing tasks on behalf of users, the focus has largely been on explaining how different roles should work within the solution and how tasks are carried out correctly. This has contributed to a strong understanding of roles, higher quality in system use and a clear reduction in the number of support requests over time.

Active use and high engagement with content

Usage statistics show that the eHandbook is used by many thousands of employees, with daily views of thousands of documents. Data from OUS also shows that the solution is not merely visited, but actively used throughout the year.

The figures indicate a high degree of engagement with the content, with employees navigating between pages, opening documents, using search and following the structure of the handbook — rather than retrieving individual documents in isolation.

When training supports quality compliance in practice

Training is not, however, solely about learning to use the system itself — it is about ensuring that quality work is genuinely put into practice across the entire organisation. At OUS, the eHandbook is closely linked to e-learning courses and competence plans associated with different roles, so that employees receive training in both their responsibilities and work processes — not just in the features of the solution.

To maintain quality in document work, employees who are to be granted write access must complete mandatory training before access is granted. In addition, checklists within documents are used to support the correct completion of key tasks in day-to-day work, and a refresher shortly after training is recommended to ensure that knowledge is translated into practice.

OUS's public document portal: a national reference for procedures and professional practice

The public document portal at OUS is not only used internally, but is also actively used by other actors in the healthcare sector. Healthcare professionals across the country can look up how OUS approaches various procedures, treatments and interventions, and use this as guidance in their own work. In this way, OUS effectively serves as a national reference for the design of procedures, the content of routines and professional practice across a wide range of areas.

This is closely connected to the role Oslo University Hospital plays in medical research and the training of healthcare professionals in Norway. As a university hospital, OUS contributes significantly to the development of professional standards, and through publicly available documentation this knowledge can be shared broadly across the sector — in a structured, quality-assured and up-to-date manner.

View OUS’s public eHandbook here: ehandboken.ous-hf.no

Taken together, the experiences from OUS demonstrate how the eHandbook can be used as an active tool for building competence, ensuring quality and enabling efficient operations — not merely as a place where documents are stored.

From documentation to quality in practice

In complex organisations, effective document control is a prerequisite for good and efficient management.

Experience from the healthcare sector shows that the true value of the eHandbook is realised when it becomes a natural part of day-to-day work — where employees can easily find current routines and training is closely linked to the governing documentation.

Over time, this contributes to shared practice, fewer errors and a stronger basis for improvement — and experience from Oslo University Hospital and others demonstrates that the right structure, clearly defined roles and active use deliver lasting benefits for the organisation as a whole.

Marte Sunde

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.