“Building an effective quality culture- The key to sustaining system improvements”

Management systems should enable the continual improvement of an organization. Even with a well-documented and resourced system, managers find it challenging to gain buy-in from the workforce. Users are looking for the answer to “what’s in it for me?” It is only when this question is answered that the workforce will raise non-conformities, audits will not be perceived as policing and people will connect with the policy and vision of where the company is going.

QMII President & CEO, Dr. IJ Arora will cover the common system failures that prevent buy-in and hamper the quality culture as well as how to address them. Learn how to add value to your system and how to gain buy-in from the workforce.

QMII President & CEO – Dr. IJ Arora presented on the topic “Building an effective quality culture- The key to sustaining system improvements.”

The Free Webinar was positively received by participants from various industries.

Click here for the full presentation.

System Documentation-How Much is Enough?

Overwhelmed by the amount of documentation within your organization. Don’t worry, you are not alone! As organizations and their systems grow so does the amount of system documentation to include procedures, instructions, checklists, SOPs etc.

At times, the documentation is not created because it is needed. It is created to resolve a non-conformity, to ensure a process error does not occur again, to reduce organizational liability and to appease an inspector/auditor. Under these circumstances the need of the hour is to make the problem go away quickly, not to invest time in identifying a long-term sustainable solution. We see our systems grow from 30-page manuals to over 400 pages as time passes. Ineffective reviews perpetuate the problem as duplicated information goes unaddressed.

How much is enough then?

Organizations need to recognize that the documented system is created to enable to users. Too much of it may actually impair the operator rather than enable them. How many of the processes in your house are documented? Now I know some of you are wishing they were and everyone was on board with it! To determine how much is enough companies may be guided by the following:

  1. The competency of the personnel – When the personnel within the organization are well training and competent in what they do and do it well there may be no need for too many of the processes to be documented. However as turnover increases or the organization grows in size additional documentation may be needed to allow for control where needed or to capture knowledge or to simply give confidence that the processes are being carried out as planned.
  2. The structure of the organization – A company with multiple sites, remote sites, or large enough in size, may use documentation to create a system that is uniformly implemented across the breath of the organization. Further documentation may be used to provide clarity on company policy, guidance on what can or cannot be done and/or to allow for decentralized decision making.
  3. The criticality of the process – Where processes are complex and critical and the consequences of failure high the organization may opt for documentation as a means of control to prevent the possibility of human error. Despite the competency of personnel a “zero-trust” environment is adopted to ensure that the process is consistently carried in the way it is intended to be.

Review your system

QMII recently worked with two separate companies to review their existing management system documentation and identify opportunities for reducing the amount of documentation without comprising the quality of operations. In one case we reduced the size of the quality manual from approx. 120 pages down to 30 pages. Information needed by the users was removed form the manual, reviewed and then created as instructions that were more accessible to the users who needed them. Wordy procedures were converted to flowcharts and images used to clarify requirements where needed.

With the other client QMII helped them reduce the number of procedures from approx. 30 to 12. The client realized that a number of procedures could be combined into one and the operator specific information combined in one easy to read document.

A regular review of the documented system is a critical step in ensuring that the documentation does not overburden the user or stop being useful to the user. People change, competencies change, organizations change. The change could be a downsizing or growth. Similarly, our management system documentation too may at times need to be ‘downsized’. Make sure that the documentation is kept relevant and easy to use. The tool used to do this is not as important as the intent and effectiveness of the process. A good review will additionally benefit the organization by allowing for more buy-in by the users and make the system more effective.

Audits VS. Inspections

There is often confusion about the difference between audits and inspections. The purpose of each may seem the same, but they are slightly different.  Audits focus on why, while inspections focus on what. The purpose of an audit is to get the confidence that processes are working well.  An audit involves various layers to answer a “why” question. It involves exploratory reviews involving documentation, risk assessments, and nonconformities, etc.  While an audit may need more effort in finding an answer, an inspection is less complicated. The answer to an inspection question will involve a straightforward yes or no answer.

Inspections focus more on the action, while audits are about the process.  Inspections review a single point in time, but an audit follows a process from start to finish.  An inspection simply looks at the product or service. The process of an inspection is quite simple, it either clears the project if it meets the requirements specification or rejects it. If it is rejected, its loss can be reworked at an extra cost. Inspections must be conducted at every step to minimize the chances of product failure.

Why are audits and inspections important to an organization?  Inspections deal with things that cause immediate accidents or other issues. Inspections protect the customer, so the customer is not harmed by a non-conforming product yet from an organization’s point of view that they are too late.  The audit is to cover the root cause of these problems. The audits provide the input and ensure continuous improvement and it is where we take on nonconformities.

Here at QMII, we provide valuable information when it comes to our auditing services. We can give insight on where your system is working well as well as the risks and suggest opportunities for improvement. QMII’s audit services reduce the fear of an audit. Some individuals fear being blamed for non-conformities and often dread the idea of an audit. Our services are to ensure auditees are put at ease while QMII auditors look to find the effectiveness of controls in the system.

Although there is often confusion when differentiating audits and inspections, it can be easier to think of it as the Plan-Do-Check-Act cycle. Inspections are a “do” while audits are a “check.”  Inspections are required to do, and the audits are the process of checking and making sure inspections have been done.

 

 

Three Steps to Reducing Human Error in Your System

Reducing Human Error in Your System

As believers in the process-based system approach to management systems, QMII encourages organizations during their root cause analysis to not ask “who” but “how” and “why” the system failed the individual. Human errors primarily occur because the system has failed. Sure, there is a human element to the process, but it is only when the system is assessed that the organisation will look beyond merely training the individual yet again or firing them. This has the added benefit of truly imbibing a no-blame culture because blaming an individual is not going to change the results.

The individual in question may be replaced but unless you assess the system for adequacy, which deemed the person competent, the change of personnel may not lead to improvements.
Where the potential for human error is identified as a risk, the organisation can also choose to put systems in place to mistake-proof in order to reduce the possibility of the individual making errors. In conclusion, when human error occurs, organisations should try to address both aspects of identifying the system failure and mistake-proofing the system.

QMII President & CEO – Dr. IJ Arora presented on the topic “Three Steps to Reducing Human Error in Your System”. The Free Webinar was positively received by participants from various industries.

Click here for the full presentation.

Read more: Implementation of management systems

Follow the official YouTube Channel: QMII

Why Safety Management Systems Fail-The Cost of Non-Compliance

Quality Management International President and CEO, Dr. IJ Arora presented on the topic “Why Safety Management Systems Fail-The Cost of Non-Compliance” at the Passenger Vessel Association MariTrends. The presentation was well received and applauded by the packed room.

The PVA Annual Convention was held at Northern Kentucky Convention Center this year on March 4-7. The convention featured a variety of intriguing sessions with various guest speakers that are leaders in the passenger vessel industry.

Click here for the full presentation.

I Don’t See Nothing Wrong

How often have we heard these words within our organization? Often the evidence is right before the persons eyes and they fail to see it. Perhaps in the hope that the failure to acknowledge it will cause it to go away. Across industries “non-conformities” have come to be recognized as something negative, to be done away with quickly. ISO 9001 2015 training teaches us that a non-conformity is the non-fulfillment of a requirement. It is the system that has failed to meet the requirements and not the individual. Admitting to something being wrong takes courageA well-implemented system can reduce the amount of courage it takes to admit to a mistake or an incorrectly implemented process. 

Why fix it if it ain’t broke 

Another common phrase you may hear across your organization. Yet another “this is how its always been done”. Humans resist change. It causes them to break out of their comfort zone. A common result of completing an ISO 9001 2015 training is personnel returning to their companies to start the mapping of their processes. In this, they may get to hear comments such as those above. Personnel does not want to capture the knowledge in their heads onto a price of paper as it puts their job security at risk. They perceive ISO 9001 as an alien document and the clauses make no sense to them. They do not see the value in audits as auditors are merely seen as policemen out to find fault in what they are doing.  

Is everything really good? 

Non-conformities that are not reported when they occur do not get effective corrective action taken on them and they “magically” occur again and again. Often times a smaller non-conformity unaddressed may lead to a larger non-conformity down the road. ISO 9001 in clause 10.2 asks organizations to implement systemic corrective action by identifying if similar non-conformities can occur in other areas of the system. It asks organizations to assess the root cause(s). ISO 9001 2015 training provided to personnel will educate them on how to interpret the requirements of the system to tailor it to their organization so the changes can be minimal. Organizations can do this by capturing the system as the work is done and not a fictional one. It helps training to be provided to personnel, so they understand their role in the system.  

In conclusion, ISO 9001 2015 training is not a means to complicate the way work is done but by understanding and implementing a system that captures the “as-is” of the organization the changes can be kept to a minimum and small. Once personnel sees how the system benefits them they will learn to admit to things that are going wrong and use a systematic approach to correct them.

 

How Did September 11th Affect Security?

Two decades ago, the United States was involved in a horrendous tragedy on September 11th, 2001. On September 11th (9/11) four planes flying over the eastern US were seized simultaneously by small teams of hijackers. They were used as giant missiles to crash into well-known landmark buildings in New York and Washington, DC. This attack changed America forever.

The next terror attack will not be perhaps via airplanes, but cyber-attacks. The Department of Homeland Security has geared its focus towards cyber threats and domestic terrorism. A recent Presidential Executive Order has asked all agencies to focus on securing the cyber networks of our nation. Although the United States is more secure than twenty years ago, it is important that we keep track of our cybersecurity. The majority of security risks today are viewed as targeting the networks and hardware that planes and airlines rely on.

The most common cyber threats that we have encountered are phishing, ransomware, and supply chain attacks. It is important to make sure that your organization has a strong cyber security system. Taking an ISO 27001 lead auditor training will provide many benefits to an individual that is seeking to keep information assets secure. This standard is the only auditable international standard that defines the requirements of an information security management system. ISO 27001 contains a set of policies, procedures, and systems that manage information risks such as cyber-attacks, hacks, data leaks, or theft. This specific lead auditor training can help improve your organization’s cybersecurity strategy. Big companies, as well as small and medium firms, should be interested in the ISO 27001 standard.

At QMII, we offer an ISO 27001 (information security) lead auditor training course. Information Security is important to any business. It helps protect companies’ data which is secured in the system from malicious purposes. The goal of information security management is to ensure businesses have balanced protection of confidentiality, integrity, and availability of data. It is important to identify all potential risks to information security in your ISO 27001 risk assessment. Terrorist attacks are one of these threats. By enrolling in an information security course with QMII, students will be given an understanding of the requirements on ISO 27001 as well as how to relate those requirements to an Information Security system. Lead Auditor training gives students an understanding of the requirements of this standard and how to relate it to an Information security management system. Organizations need an effective information security management system in order to effectively manage challenges. To learn more information about ISO 27001 lead auditor training, visit our website and join us in our next course.

Quality Without Question

 

As I was driving home from work, I noticed the following on the back of a vehicle, “Quality without question”. This got me thinking about the message that was being conveyed. Did the organization mean to convey that their quality was great and should not be questioned? That a customer should take their word just because they say so. For many of us that is exactly what we do when we purchase goods off a grocery shelf. We trust the certified organic and non-GMO ratings that we observe on the packaging. But should one question these and how should an organization decide when to?

To check or not to check

ISO 9001 is an internally accepted standard that sets out the requirements for companies looking to implement a quality management system. While ISO 9001 allows an organization to self-declare many organizations choose to go ahead and pursue certification. This is because it demonstrates to the customer an external independent validation by a subject matter expert of the organization’s ability to manage risks and enhance customer satisfaction.

In many cases though, these companies are often audited by customers especially in highly critical industries where the margin for error is very small. ISO 9001 does not require companies to audit their suppliers but asks organizations to determine the type and extent of control they intend to apply. In determining the type and extent of control, consideration should be given to the perceived effectiveness of controls by the supplier. Essentially can the system controls be trusted to effectively manage risks and deliver? This becomes the basis for the need to check or not.

But we don’t have the resources to audit

This is often the case for many small businesses and perhaps even for some governmental organizations that are limited to one or a few suppliers. In these cases, the organization is still obligated to control the externally supplied process, product, or service. Companies can do this by monitoring metrics such as on-time delivery, sampling incoming items for conformity, and in some cases accepting the external organization certification. No matter the approach used, it does not ever absolve the company of ensuring control of the outsourced process/product/service.

In the case of critical items or a single supplier, they may choose to sample 100% of all items coming in and decide over time based on the results if to continue with a large sample size or to reduce to a smaller one. Here also the aspect of resources plays a part. In cases where the resources cannot be made available, the leadership must acknowledge and accept the risk.

In conclusion

Quality must always be questioned, first internally by the organization itself and checked through its processes. It must also be questioned by the customers on a case-by-case basis. Quality and systems that are left unchecked and unmonitored will over time deteriorate and perhaps result in a major incident/accident. To learn more about the requirements of ISO 9001 join QMII’s next lead auditor training.

Is your organization ready for MDSAP?

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485 that defines the requirement for medical device quality management systems, medical device manufacturers have to also comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit done of the company to the regulations of five participating countries. It is thus much longer than a regular ISO audit as it has to assess the system against multiple regulatory requirements.  

As your company prepares for this new audit scheme perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit as these are two separate schemes. In the conduct of the assessment ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Make note that the MDSAP model grades non-conformities differently and so use the same scoring scheme to know what are the priorities that need to be addressed immediately.  

Is the leadership prepared? Often in preparing an organization focuses on the lower echelons as also on the processes involved in the design and manufacturing processes. Ensure the leadership is briefed on the model guide and understands the expectations from them. As a part of each audit, the AO focuses on the management and assesses their commitment to the system. The leadership once committed will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.  

Make sure personnel are trained and understand well the expectations. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits from other organizations. While the audit program may seem cumbersome at first there are benefits from participating in it that include reduced costs and a streamlined audit process.  

How will ISO 22301 Benefit you?

What is ISO 22301?

ISO 22301 is an international standard for Business Continuity Management Systems. This standard is designed to protect, prepare for, respond to, and recover from unexpected incidents when they arise. When your organization has a Business Continuity Management System, it is prepared to detect and prevent unforeseen threats.

ISO 22301 applies to all organizations no matter the size or industry. In 2012, when this standard was first developed, it was the world’s first international standard for implementing and maintaining effective business continuity plans, systems, and processes. It was revised in late 2019 to bring it up to date with current best practices and is based on the High-Level Structure (HLS).  Consequently, it aligns well with many other internationally recognized management system standards including ISO 9001 (quality management) and ISO 14001 (environmental management).

What are the benefits of being ISO 22301 certified?

There are many possible threats that organizations face including supply chain issues as we saw in the recent pandemic, or natural disasters such as earthquakes, floods, hurricanes, and tornadoes, and even cyber-attacks such as the recent news with the ransomware attacks on the oil and gas and food industries. These are major threats, but there are even other types of risks, such as the loss of skilled labor, power outages, and IT breakdowns that can cause disruption to a business.

How is a certification in ISO 22301 beneficial to an individual?

With a certificate in ISO 22301, you will be able to help your organization meet its business objectives and gain the necessary knowledge to manage a team in the implementation of this standard.

If your organization does not have a Business Continuity plan, then they may be at risk.  It is important to take these plans seriously or your business could suffer consequences. Some impacts of not having a plan include business failure, damaged reputation, loss of data and clients, and business interruption.

 What will students learn about ISO 22301 from QMII?

During ISO 22301 five-day training at QMII, students will understand how to respond effectively based on the procedures that apply before, during, and after an event. It is important for an organization to implement a Business Continuity plan because it shows that you are prepared for the unexpected. This assures that your business will continue to operate without any major impacts or losses. Our training enables you to develop the necessary expertise to perform a Business Continuity Management System (BCMS) audit by applying widely recognized audit principles, procedures, and techniques.