How to implement competency management in your business

An auditor asks who on your shop floor is currently signed off to run a specific machine, and you have an hour to prove it. For most businesses the honest answer lives in a spreadsheet that someone last touched in March, half the names have left, and three of the certifications expired without anyone noticing. That gap between what you think your workforce can do and what you can actually evidence is the problem competency management exists to solve.

This guide walks through how to put competency management in place from a standing start. It is written for the people who usually carry the work: training managers, L&D leads, and quality or compliance professionals in manufacturing, pharmaceuticals, aerospace, automotive, logistics, and food production. The steps are sequenced, but they are not rigid. A 60-person food site and a 4,000-person aerospace group need the same logic and a very different amount of it. Take what fits.

What competency management actually isCopied

Competency management is the practice of defining the skills and qualifications each role requires, measuring who currently holds them, and keeping that picture accurate as people, equipment, and regulations change. This is not an annual appraisal, nor a training calendar. Rather, it is the live link between a regulatory or operational requirement and a named person who can demonstrably meet it today. If you want the fuller definition and where it sits alongside skills management, start with our guide to what competency management is.

The distinction matters because it sets the standard for everything below. If you cannot point at a role, a required competency, a proficiency level, and the evidence behind it, you do not have competency management. You have a list.

Step 1: Decide what you are actually solvingCopied

Most competency programmes fail because they start with the framework instead of the reason. Before you define a single skill, name the pressure that put this on your desk.

There are usually three. The first is audit and compliance: ISO 9001 clause 7.2 requires you to determine the competence necessary for work affecting quality, ensure people are competent on the basis of education, training, or experience, and retain documented evidence of it. ISO 45001 carries the same demand for anything safety-related, AS9100 adds qualification records for special processes, IATF 16949 does the same for automotive, and GMP requires operators to be assessed against standard operating procedures before they work unsupervised.

The second pressure is risk: an unqualified operator on the wrong task is a recall, an incident, or a line stoppage. The third is scale: you are growing, opening a second site, or losing institutional knowledge as experienced staff retire, and the heads holding the information are walking out of the door.

Write down which of these is driving you, and be specific. “Improve our training” is not a goal. “Be able to prove allergen-handling competence for every operator on lines 3 and 4 within 30 seconds of an auditor asking” is a goal. The second one tells you exactly what to build and when you are done.

The driver you name here decides your scope, your sequence, and how you will know it worked.

Step 2: Build the competency frameworkCopied

A competency framework is the library of skills your business needs, organized by role. This is the foundation, and it is the step where teams most often overreach.

Start with the roles in scope, not every role in the company. For each one, list the competencies that genuinely gate the work. Keep two types separate. Technical or functional competencies are the specific, assessable abilities a role demands: operate a five-axis CNC machine, perform a sterile fill, carry out a dye-penetrant inspection, drive a counterbalance forklift. Behavioral competencies cover how people work, such as communication or problem-solving. Both have a place, but in regulated environments the technical competencies are what an auditor checks and what a wrong answer harms, so weight your effort there. If you are structuring competencies for management or leadership roles, our management competency model is a useful starting point.

Then define proficiency. A skill is not binary. Someone can be in training, able to work under supervision, able to work alone, or able to teach others. A four-level scale is enough for most operations, and you should resist the urge to invent eight. Tie each level to observable evidence, not to a feeling. A scale that works in practice looks like this:

That four-level model answers the questions that actually matter: who can do the work, who can do it unsupervised, who can improve the process, and who can develop others. “Independent, signed off by a qualified assessor on 12 March, valid for 24 months” can be defended. “Pretty good” cannot. It is also worth being clear internally about the difference between competency and proficiency, because the two get used interchangeably and they are not the same thing; our note on competency versus proficiency covers it.

A practical warning here. The first framework you write will be too big. A pharmaceutical client mapping a single packaging hall will happily generate 400 competencies before lunch, most of which never get assessed. Build the smallest framework that covers the requirement you named in step one, then expand. A framework no one maintains is worse than no framework, because it looks like control while providing none.

Your framework is right when every competency in it maps to a real requirement and a real way to prove it.

Step 3: Map where you stand todayCopied

With the framework defined, the next step is to record who currently holds each competency and at what level. This is your baseline, and it is usually the moment a business discovers it knows far less than it assumed.

This is the work a skills matrix does. A matrix puts roles or people down one axis and required competencies across the other, and shows the proficiency level in each cell. Build it for the scope you set, populate it from your real records, and accept that the first version will have holes. If you want a head start, AG5 publishes free skills matrix templates you can populate by hand before deciding on anything more. The holes are the point. An empty or amber cell is not a failure of the exercise, it is the exercise working.

Be honest about your sources. Training completion is not competence. A certificate from 2019 is not current competence. Where your only evidence is “We think Maria knows how to do this,” mark it as unverified rather than green. The temptation to color the matrix optimistically is strong, and it is the single fastest way to make the whole programme worthless.

A clean baseline tells you, for the first time, the true distance between where your workforce is and where the work requires it to be.

Step 4: Find the gaps that matterCopied

A populated matrix surfaces every gap at once, which is overwhelming and unhelpful. The skill in this step is triage. A structured competency gap analysis is the method for turning a wall of amber cells into a ranked list of actions.

Sort the gaps by consequence. A missing competency on a task governed by a regulation, or one where failure carries safety or recall risk, is not the same as a nice-to-have cross-training opportunity. In an aerospace supplier, an operator whose AS9100 special-process qualification lapsed last month is a stop-work issue. In a logistics operation, a forklift certification that expires next week is a planning issue. Both are gaps. Only one stops the line tonight.

Map your critical gaps against three things: regulatory exposure, single points of failure, and expiry. Single points of failure deserve particular attention, because a competency held by exactly one person is a risk disguised as a strength. When that person is on holiday, off sick, or gone, the capability leaves with them.

A food production site that relies on one trained allergen-control lead across three shifts does not have allergen control, it has a coincidence that has not failed yet. The flip side is what happens when the coverage is visible: when Intersnack hit a production stop, a live skills matrix across its three sites turned a potential shutdown into a two-minute job of finding the nearest qualified operator.

The gaps that threaten compliance, safety, or continuity are the ones you fund first. Everything else waits.

Step 5: Close the gapsCopied

Now the programme produces value rather than just visibility. Each prioritized gap gets an action, an owner, and a date.

The actions are not all training courses. Some gaps close through formal training and assessment. Others respond better to structured on-the-job coaching from a level-four colleague, which is often faster and more relevant than a classroom. In other cases, deliberate cross-training closes the gap and removes a single point of failure. And some close through hiring, when the capability is not realistically developable in your timeframe. Match the action to the gap rather than defaulting everything to “book a course.”

This is where competency management earns its place alongside your L&D function. Your training plan stops being a generic calendar and becomes a targeted response to evidenced, prioritized gaps. You train the people who need it, for the work they actually do, in the order the risk demands. McKinsey has found that organizations which realign development around real skill needs rather than job titles can cut training costs by half and raise productivity by 40%, and targeting is the reason why.

A closed gap is only closed when the new competence is assessed and recorded at the right level, not when the course attendance is logged.

Step 6: Embed it in how the business runsCopied

A competency programme that depends on one person updating a file once a quarter has a shelf life measured in weeks. To survive, it has to become part of normal operations.

That means assigning clear ownership. Someone owns the framework, and line managers or qualified assessors own the assessments for their area. It means setting a review cadence that matches your risk, so a high-turnover production line is reviewed more often than a stable office function. It means wiring competency into the events that already happen: onboarding sets the initial baseline, role changes trigger a reassessment, and an incident prompts a check on whether the people involved were signed off. Most of all, in regulated environments, it means tracking expiry automatically. Certifications for welding, first aid, dangerous-goods handling, and machine operation all lapse, and an expiry that nobody is watching is a finding waiting to happen. Lenzing, a chemical manufacturer, moved every safety certification into one system for exactly this reason, so an automatic alert fires before a certificate lapses rather than after an auditor finds it.

The programme works when it updates itself through normal work, rather than surviving on the goodwill of one diligent administrator.

Step 7: Move off spreadsheets when you outgrow themCopied

A spreadsheet is a reasonable place to start, and it is an honest place to start. For a single team and a few dozen competencies, it works. The trouble begins at scale.

A spreadsheet cannot tell you, on its own, that a certification expires in 14 days. It cannot show a line manager only their team while a quality lead sees the whole site. It does not keep a defensible audit trail of who changed what and when. Once you are tracking hundreds of people across multiple sites, with version-control problems and no one certain which copy is current, the spreadsheet stops being a tool and becomes the risk. A dedicated competency management system exists for exactly this transition: live matrices, automated expiry alerts, role-based access, and audit-ready records pulled in seconds rather than assembled in a panic. If you are weighing up options, our roundup of the best competency management software compares the main approaches.

The decision is not about features, it is about consequence. When the cost of your matrix being wrong is a failed audit or an unsafe task, the spreadsheet has already become more expensive than the software that replaces it.

The pattern shows up across AG5’s own customers. Busch, a machinery manufacturer, replaced 16 spreadsheets spread across 20 departments with a single skills platform and cut administrative time by 40%. GKD Group had been carrying real compliance risk in macro-ridden spreadsheets, until it centralized every certificate and restored its audit readiness. The common thread is not the software itself, it is the moment the spreadsheet quietly becomes the largest risk in the room.

Step 8: Prove it worksCopied

Implementation is not finished when the matrix is built. It is finished when you can show it makes a measurable difference, and when you can defend it.

Pick a small number of measures tied to the driver from step one. Competency coverage on critical roles, the number of open critical gaps, the count of expired certifications, and the time it takes to produce evidence for an audit are all concrete and all defensible. Track them, review them on your cadence, and act on them. The audit-readiness measure tends to be the one executives feel most directly, because the difference between an hour of frantic searching and a 30-second export is the difference they will remember the next time an auditor visits.

Real numbers make the case better than any projection. Renewi lifted its compliance rate from 22% to 71% while centralizing 40,000 training certificates across 120 locations. Cérélia cut the time it spends on audits by 75%, and Adient brought qualification and training admin down to around 15 seconds. Pick the measure that matches the driver you set in step one, then hold the programme to a number like these.

Measurement closes the loop, turning a one-off project into a system that gets more accurate every quarter.

Worked example: a precision components supplierCopied

To show the eight steps working together, here is an illustrative example. The numbers are representative rather than drawn from a single named client.

A precision components supplier employs 180 people across two sites and is audited against AS9100. A surveillance audit flags that special-process qualification records are incomplete, and that one non-destructive testing (NDT) operator has been working on a lapsed certification. That finding is the driver (step one), and it sets a clear scope: the special processes first, heat treatment, welding, and NDT, covering roughly 45 operators, not all 180 roles.

The quality manager builds a framework of about 25 technical competencies for those processes on a four-level scale (step two), and deliberately leaves the office and commercial roles out of the first pass. Populating the matrix against real records (step three) turns up six amber cells where the only evidence is word of mouth, two red cells where certifications have lapsed, and one process across both sites held by a single qualified operator. The triage (step four) is obvious: the two lapses and the single point of failure go first, because all three are live AS9100 exposure.

Closing the gaps (step five) takes a mix of actions. The two lapsed operators are recertified, and a second operator is cross-trained on the single-point process over six weeks of supervised work, then assessed as independent. The programme is then wired into operations (step six) with a monthly review of special processes, automated expiry alerts set 90 days out, and a rule that any role change triggers reassessment. The shared spreadsheet, which had already produced two conflicting versions between the sites, is retired in favor of a live system (step seven), and audit evidence that used to take half a day to assemble now exports in minutes. At the next surveillance audit (step eight), the special-process competencies close with no findings.

The point of the example is the order. The supplier did not map the whole business, it mapped the thing that was on fire, proved the approach, and widened from there.

What you’ll hear, and what to say backCopied

Implementation is rarely blocked by the method. It is blocked by people, and the same three objections come up almost every time.

“The floor will think it’s surveillance.” This is the most common, and it is fair. The answer is to be honest about the purpose: the matrix protects people from being put on tasks they are not signed off for, and it shows them a visible path to the next level and the training that comes with it. Framed as development rather than monitoring, and shared openly rather than kept in a manager’s drawer, resistance usually drops.

“Managers don’t have time to assess everyone.” They don’t, and you should not ask them to assess everyone at once. This is why scope and triage exist. Assess the critical, regulated competencies first, spread the rest across the review cadence, and use level-four colleagues as assessors so the load does not sit on one person.

“We tried this before and it died.” Almost always, what died was a spreadsheet that one person maintained until they got busy or left. That is a maintenance failure, not a method failure. The fix is step six, ownership and cadence, and step seven, tooling that does the chasing for you. A programme that depends on heroics will fail again. One that runs through normal work will not.

Naming these out loud, before someone else does, is usually what gets the programme over the line.

Adapt it to your sizeCopied

The eight steps hold at any scale. The weight changes.

If you run a single site with a few hundred people, you can move through this in weeks. Start with a pilot in your highest-risk area, one production line or one regulated process, prove the approach, then widen it. A pilot earns the credibility and the budget for the rollout, and it surfaces the practical snags while they are cheap to fix.

If you run a multi-site or multi-country operation, the framework is the hard part, because consistency across sites is what lets you compare and report. Define the core competencies centrally, allow each site to extend them for local equipment and regulation, and standardize the proficiency scale so “independent” means the same thing in Rotterdam and in Ohio. Roll out site by site rather than everywhere at once.

Either way, do not wait for the perfect framework before you start. A working programme covering your critical risks, expanded steadily, beats a comprehensive one that never launches.

Where it usually goes wrongCopied

Three failure modes account for most stalled programmes, and they are worth naming plainly.

The first is the framework that is too big to maintain, covered in step two. The second is the optimistically colored matrix, where green means “probably fine” instead of “evidenced and current,” which gives leadership false confidence right up until an audit removes it. The third is treating implementation as a project with an end date rather than a system with a cadence. The matrix you build this quarter is accurate this quarter. Without ownership and review, it is fiction by the next one.

If you avoid those three, the rest is mostly discipline.

The short versionCopied

Implementing competency management comes down to a sequence: name the real driver, build a deliberately small framework, baseline honestly, triage the gaps by consequence, close them with the right action rather than a default course, embed the whole thing in normal operations, move to software when scale demands it, and measure against the driver you started with. Do that, and the next time an auditor asks who is signed off to run the line, the answer takes 30 seconds and you are certain it is right.

Author Copied

Rick van Echtelt

Rick van Echtelt is the Co-Founder and CEO of AG5, where he leverages over two decades of experience in entrepreneurship and developing skills management software.

Read author profile