Objective Auditing Meets ISO 9001:2015

Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits.

To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.

It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?

The starting point for corrective action (CA) is the non-conformance report (NCR).

A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the non-conformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.

A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.

With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.

Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, needs to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the Organization in Context

Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”

So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.

Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital to the success of the organization.

When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.

It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

By CEO and President, Captain Inderjit Arora

WHAT CAUSES PROCESSES TO FAIL WITHIN QUALITY MANAGEMENT SYSTEMS?

Some processes may be proactively designed and updated, but many just evolve. In either case, when leaders allow the systems in which the processes operate to fail to deliver the necessary direction, information, resources and controls, these “starved” processes fail to add value. This article examines how process failure impacts quality management systems.

Process Failure = Leadership Failure

The modes of a quality management system’s process failure are many, but we should start with leadership. Authority figures may (implicitly or explicitly) undermine requirements. Consequently, employees are not incentivized to help each other to understand and meet the requirements of their quality management systems. Employees are essentially let down by their organization when faced with a system that may be confusing, boring or expose them to unsafe or unproductive working situations. All work is a process, and process failure benefits no one involved. In fact, many do not ascribe common problems such as the following to poor process implementation:

  • Improper recruiting and training processes result in employees being ill-suited or ill-prepared for their work.
  • Individuals in work teams may not be coordinated, resulting in misaligned work priorities and self-serving behavior.
  • Incoming items (to which the intended work adds value) are unavailable, nonconforming or late.
  • Late or inaccurate information would also undermine processes directly or indirectly controlled by the organization’s quality management systems.
  • Incapable, unavailable equipment, software or tools are indications of larger process failure, even if the problems may seem unrelated or sporadic.

Many processes fail because they are not monitored and corrected as necessary. Process failure can also be the result if documented procedures required by quality management systems are ignored, inaccurate, too detailed or too vague, or not based on the facts that would fulfill the needs of stakeholders. The result? The now “uncontrolled” procedures may be forgotten or remembered in critically different ways. There are countless ways that organizations may fail to provide the required support for effective processes, but they all result in the same failed state, primarily because none had a workable process, supported by management and implemented by their workforce.

An Improved Model for Creating Processes that Work

As an antidote to process failure, our clients and other organizations have used the QMII Process Model (QMP) for nearly thirty years in order to enhance their quality management systems. QMP helps them quickly determine the root causes of system, process and product failure. This facilitates removal of the root causes of failures from the quality management systems for more successful processes.

Our whitepaper describing the QMP is available here for download. It explains key points of failure that often occur in less balanced (or absent) processes including:

  • Learn the critical importance of analyzing and defining key business processes from an external auditor’s point of view
  • Save time and lower risk by formalizing “as-is procedures” first before designing new ones to fill gaps in the system
  • Learn and apply new skills (auditing, environmental management, quality management techniques, etc.) with total organizational buy-in and support
  • Avoid the often-made error of confusing corrective and preventive actions by controlling key processes first before widening preventive actions
  • Audit and manage to initiate corrective actions and prove system integrity by correctly managing continual improvement

By CEO and President, Captain Inderjit Arora