ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

ISO 14001 – Environmental Management System Auditing

With the HLS (high-level structure) common to all standards ensuring the ten-clause structure an organization can ensure the best results to its management system by having an integrated management system. A divided approach to managing an organization based on several standards can often result in environmental and quality policy being in conflict. If occupational health and safety (ISO 45001) are also to be integrated, it enables the management to consider the risks in the combined context of the organization. When these are separated the combined risks can be mixed. Further, if security is to be also part of the management system (ISO 28000 – still not in the HLS format), integrating the system would ensure a functional management system.

Environmental management system based on ISO 14001, has integral it the consideration of aspects, their impacts, recognition of significant impacts, and prioritization of the same. Experience shows that implementing ISO 14001 is easier and simpler and more readily accepted by the employees when the organization already has a functioning Quality Management System (QMS) based on ISO 9001 in place.

A well-implemented EMS, EMS ensures cost savings by recycling, reduction in consumption, and cost savings in waste. This gives tremendous advantages over competitors for projecting the organization as a responsible company but when tendering for business. Managing risks is more comprehensive, as the leadership is able to see combined risks to the organization in quality, safety, occupational health, and security. The demonstration of commitment to improving the environment in a socially responsible manner is more systematically implemented by interpreting the ISO 14001.

Auditing the integrated management system, if that be the choice (recommended), or just the EMS based on ISO 14001 requires the auditors to first interpret the standard based on company policy, the organization’s goals based on consideration including expectations of the interested parties and the external and internal issues aligned to statutory requirements. Auditors, particularly internal auditors must ensure the interpretations of ISO 14001 are aligned per guidelines for the industry. ISO 14001 certification can improve an organization’s reputation and result in improved relationships to the mutual benefit of stakeholders and the organization.

Auditors must not forget that internal auditing is not to judge the legal compliance of the processes. Legal compliance is a requirement and is best judged by compliance auditors. Internal auditors audit to see that the organization has the processes to ensure compliance. Internal auditors look at the plans of the organization to ensure processes monitor environmental aspects and mitigate as required, systematically address them.

QMII (www.qmii.com) has for 30 plus years integrated management systems and training lead auditors for various standards including ISO 14001. With our vast consulting experience in ISO 14001, we reinvest our field experience into the content development of our courses. The real-world experiences back our instructors and training material in ensuring auditors understand ISO 14001.

A good internal audit process, for any standard, particularly the ISO 14001, should start with a good plan. Good QMII training ensures, auditors prioritize audits, and allocation of time-based on risks, previous results, the importance of the process. The audit cycle is often one year (can vary), and so depending on the environmental importance of the process and past performance-critical environmental aspects can be audited.

Effectiveness of the ISM Code

The ISM (International Safety Management) Code, in itself, is not a magic wand, that will bring safety or prevent pollution. It depends on the organization on how it implements the Code. Safe operation of ships and the prevention of pollution should have been any organization’s objective. Yet all over the world owners to save money compromise these objectives. Did not the Titanic on April 15, 1912, sink, trying to create a record of crossing the Atlantic, by going North to cut distance, run into the iceberg?

The sinking of the Titanic, with a loss of nearly 1500 passengers and the crew was an eye-opener. It led to the SOLAS (Safety of Life at Sea) convention. Did the negligence and continued operation of ships compromising safety stop with SOLAS? Sadly not. The investigation by Justice Sheen into the sinking of the Herald of Free Enterprise, on March 6, 1987, looked at why SOLAS had not helped prevent the tragedy. It brought out the necessity for a process-based management system, and the SOLAS Chapter IX was updated to authorize the ISM Code. It provides the guidelines for the implementation of a system to ensure the safety of vessels at sea.

The Flag State Administrations whose flag the ships sail under, legitimize the use of the code making it mandatory for internationally trading vessels. If any company is bent upon not implementing it in the spirit of it, then of course the objectives of the code as also the functional requirements will not be met. Owners and Operators of the vessels often look to short term gains wherein they compromise the standards and bypass the rules. They have to understand that behind every casualty at sea are many detentions and behind them indicators like Major NCs (non-conformities) and near misses.

The Flag States who do not strictly inspect and audit vessels to the ISM Code and issue SMC (safety management certificates), are actually, to retain the business of ship owners, jeopardizing the same ships! Even some responsible Flag States, due to shortage of manpower outsource their duties to ROs (recognized organizations), often represented by class societies. This results in diluted control, as an outsourced process needs strict monitoring of the process to ensure the performance is not affected. Not managing an outsourced process is as good as not taking responsibility. Authority can be delegated, bot the responsibility.

NCs (non-conformities) drive correction and CA (corrective action), and as such should be welcome as inputs to ensure continual improvement of the system based on the ISM Code. Yet, there are every day common examples of Masters of ships negotiating to somehow get the auditors to not give NCs. This is because the management ashore is not mature to realize, that keeping the master’s pressurized and performance being judged by NCs reported is creating an environment of fear and hiding of NCs. A good SMS (safety management system) based on the ISM Code, if correctly implemented should welcome NCs. The DP (designated person) should know that the “only bad NC, is the one which the organization does not know about.”

For domestic vessels, and for that matter towing and small vessels, and perhaps in due course of time for domestic passenger vessels, one would think a new standard would be required? Sub Chapter M for the towing industry in the USA, is nothing else but the ISM Code domesticated. The ISM Code is a useful well thought of document which provides strong fundamentals based on hundreds of years of sea experience, loss of life, cargoes, ships, and fortunes. The process-based management system it propagates would systematize operations. However, for an effective management system, the implementers have to be motivated and committed. The Flag States have to be strict and vigilant in their issue of certificates. When they outsource the certification to Ros, they must not wash their hands of their responsibility. The strict monitoring of the ROs by ensuring good clear concise MOUs (memorandums of understanding) with clear provisions to audit the ROs must be put in place. The owners and operators through their organization should put in place a robust internal auditing program that gives the objective inputs on the implementation of the ISM Code.

– by Dr. IJ Arora

What is a Quality Management Systems (QMS)?

Quality Management Systems (QMS) are today extensively a part of an organization. If the TM (top management) is committed, it uses the ISO 9001 based management system to meet customer requirements, ensure customer focus and provide desired outputs. Where the TM/ leadership is immature, they often may implement a quality management system to get the ISO 9001 certification. This decision to have a QMS certification without effective implementation is a waste of money and resources. It is not worth the paper the certificate is on. Or perhaps it is, because having that ISO 9001 certificate may be the passport to win a contract or run a business.

Failed management systems (MS) invariably have a lack of management commitment or worse a leadership who do not understand the cost of not having quality. Such quality management systems are aligned to ISO 9001, but for easy auditing written to the clause structure of the standard. Such systems are written for auditors, who then audit it effortlessly as they can see the system written to the clause structure of the ISO 9001. Leaders forget that MSs should be designed for implementation by their employees.

Organizations do not work to clauses of the ISO 9001. They use the clauses to design a better MS. The organizational structure of any organization takes its direction from the policy (clause 5.2 of the ISO 9001). The policy leads the organization and its functional departments to convert the policy into measurable objectives (clause 6.2 of ISO 9001). These functional division of the organization work to achieve their objectives by functioning per their key and support processes. A quality management system based on ISO 9001 requires the system to work using a process-based management system approach. The idea is to be systematic about working so that customer requirements and expectations are analyzed before being accepted. Once accepted, the organization with the efficient interaction of its processes produces the desired outputs meeting the requirements and specifications as the case may be, and also ensures, where applicable that the statutory directions are met.

ISO 9001:2015 emphasizes customer focus not only in clause 5.1.2 but throughout the standard to ensure that the Quality Management System based on ISO 9001 appreciates the risks in the context of the organization and consistently produces confirming products and services. It is important that customer focus is maintained throughout, integrity of the quality management system always maintained and if for any reason a non-conforming product is produced then such non-conforming product or service is handled in a manner that the customer is never sent such a product.

For this reason QMSs based on ISO 9001 or for that matter any ISO standard, or an industry specific standard like AS 9100 or say a MS based on ISM Code (for maritime safety) and so on, should work using the accepted PDCA (Plan Do Check Act) cycle. Processes are designed, documented or undocumented to ensure that a good preparation is made at the Plan Stage. Any good QMS interprets the clauses of ISO 9001 for its QMS using clauses 4, 5, 6 & 7 to appreciate the risk and make a good plan before going to the do stage. The implementation of executing the inputs to convert them into desired outputs is done using ISO 9001 clauses under 8.

Any quality management system based on ISO 9001 has to sustain its processes delivering the final product or service by designing them well, resourcing them and monitoring them. Therefore, a strong objective check stage is required to conduct internal audits and to analyze data so that the information provides inputs for better resourcing. Clauses 9 and 10 of ISO 9001 address the check and act phases synonymous with monitoring and decision making by leadership before the next cycle of the PDCA cycle is implemented. The act stage is a vital stage associated with the leadership wherein a management review of the performance of the quality management system is conducted.

For the quality management system to deliver what ISO 9001 is designed around, is only possible if the leadership is genuinely committed to not just have a QMS based on ISO 9001, but uses it to make decisions. The business system and the QMS should be married in a strong unbreakable bond.

 

Subchapter M is a positive Regulation from the USCG to improve safety

Introduction. Industry maturity is essential in the implementation of any regulatory requirements. The reluctance of the industry toward implementation of the Subchapter M requirements is short-sighted.

Based on the analysis of casualties, tragedies and near misses, statutory bodies at the insistence of the executive (Congress as the representative of the citizens) propose regulations for compliance; to ensure the safety of the marine environment. The USCG is a premier internationally respected maritime authority and they have taken a lot of time to come out with Subchapter M, incorporating the best practices and lessons learned from years of implementation and enforcement of the ISM Code (toned down as required for the domestic towing industry in the US). Owners often, especially small businesses, see the initial investment as an expensive inconvenience. They perhaps fail to recognize the long-term benefits of safe operations using a system approach. An incident, accident, loss of life or marine pollution will be far more expensive than the initial investment. Not only to them but to the entire industry on the inland waters.

Appreciating Risks in the Context of the Maritime Environment. [1]This regulation may initially seem to many like another ‘policing’ activity by statutory bodies. When driving a car, people don’t wear a seatbelt to avoid being caught by the police. It is to keep the passengers in the car safe. The industry too must implement the Sub M regulations in the spirit of ensuring safety, mitigating risks in the context of the maritime environment and systematizing their operations. It is all about the PBMS (process-based management system) approach.

ROI (Return on Investment). Even without pollution or injuries estimated costs for the towing and barge industry are greater than $3 million. The cost of a closed waterway can amount to millions of dollars per day.[2] The NTSB concluded the probable cause of the grounding of the MODU Kulluk was, inadequate assessment of the risk for the planned tow of the Kulluk and implementation of a tow plan insufficient to mitigate that risk. As part of the Kulluk[3] team responsible for recommending safety measures, following the USCG & NTSB report them core reason for the incident is not surprising.  After all, “A bad system will let down a good person every time”.

Correct Implementation. This non-implementation of maritime safety regulations typically leads to tragedies. Every organization endeavors to produce a conforming product/service. Inspection before releasing the product to customer results in either clearing or rejecting the product or service. This dependence on inspection is a cost raiser. After all, rejection means delays and off-hire in the maritime industry. The intent should be to improve the auditing of the procedures comprising the management system so that processes result in a conforming product/service. The USCG has come out with the Subchapter M to provide that framework to create the management system, monitor it, inspect and audit it; thereby ensuring safety and in effect prevent loss in every way, including the loss of a vessel to a casualty. The industry must understand this aspect of the intended.

Learning from Tragedies. The tragic sinking of the Titanic a century ago is still teaching us lessons that we often neglect in implementing in the international maritime industry. I bring this international example as it has a lesson for the domestic industry. The SOLAS convention which was the outcome of the tragedy, investigations, and introspection by the maritime industry, further led to MARPOL, the ISM Code and later the STCW convention. The implementation of all these was dependent on the Flag States, then the issue came up, about the Flag States doing their job. Ships had the SMC[4] and other trading certificates; the maritime companies maintained some standards by them maintaining a DOC[5]. However, Flag States had no check. So, more regulations now, to bring the Flag States under the preview of the IMO with the IMSAS Audits to the III Code. More regulations are not the answer but are essential when implementers are reluctant to implement in the spirit of the regulation.

Lessons from the Sinking of the Herald of Free Enterprise. The example of the Titanic is essential as Sub Chapter M is implemented. The ISM Code is a good safety initiative to be implemented. The learning in its clauses has been at the cost of precious seafarers’ blood. One of the primary lead-ups to the ISM Code was the sinking of the Herald of Free Enterprise, a British RoRo[6] car passenger ferry on 7 March 1987 killing 193 passengers in near calm seas, when the vessel put to sea with the bow door open. A public inquiry into the sinking lead by Lord Justice Sheen castigated the ship’s owners when Lord Sheen “identified disease of sloppiness and negligence at every level of the corporation’s hierarchy”. This was almost the first time that instead of blaming just those at sea, those ashore were held responsible. It was this need for the operators and owners of seagoing vessels to have a management system with well-designed procedures that were to be resourced and monitored that necessitated the ISM[7] Code.

Role of TPOs. It is this ISM Code then which has been studied by the USCG and converted into the Sub Chapter M with all their expertise and wisdom. USCG is following the pattern of monitoring based on ROs[8] for international shipping by decentralizing and approving TPOs[9] for monitoring and controlling the implementation of Sub M. The purpose and objectives of these TPOs is not to interpret the Sub M to the convenience of the industry, but to implement the USCG intend to ensure safety.

This simple P-D-C-A, Plan-Do-Check-Act cycle is the magic in ensuring the TSMS[10]  or the MS as per USCG direction, works to ensure safety on board and for the others. A good plan based on company policy wisely converted into measurable objectives to drive the procedures, work instructions and the personnel on board and ensure leading to good implementation. The competence of the crews and top management motivated to understand this is essential for them and others who ply in our waters. The Check Stage should be all-encompassing with primarily getting inputs from objective auditing, enabling better decision making by the leadership based on objective inputs. The check stage is mainly the audits, but it should consider any other inputs as failed inspections, near misses, industry inputs and new emerging risks. This stage also includes reports from the USCG and so on. This stage is vital and requires good training of auditors[11]. Auditors and management who understand that “the only bad nonconformity is the one which is not known to the organization.”[12] The Act stage is often very neglected, where top management leaves the review to their second-tier management. If they are committed to the management system (TSMS), it is essential that the leadership conduct a management review at regular intervals, soon after a mishap and any time they are in doubt about the state of the system functioning. At each stage of the PDCA cycle risk must be considered.

The TPOs will be cleared by the USCG as per USCG procedures. A lot is dependent on them, as they will implement the Subchapter M requirements on behalf of the USCG. The Statutory USCG requirements are created to provide, the required oversight, to maintain stakeholder focus, to protect the interests of the customer when tow boats & services are certified. USCG has outsourced this to TPOs who should perform to expectations, be well resourced, have the infrastructure and create the environment for compliance in the spirit of the regulations. The TPOs should maintain organizational knowledge levels as also maintain competent personnel and take accountability for the effectiveness of the TSMS.

Options for Compliance to Sub M. The USCG has provided options to the towing industry to choose from to ensure compliance. In Option A -the “Coast Guard Option” per (46 CFR 136.130(a)(1)) offers the best for small towing companies who own just two or three vessels. This option requires annual visitation by the CG for the inspections. In Option B wherein the “TSMS” Option (137.130) would be the more logical choice, for larger operators, for convenience, and for the cost. It requires, either Internal (first-party) surveys to be overseen by a TPO or external (TPO) surveys, where the TPO conducts independent verifications to assess compliance at the appropriate times in the cycle. The USCG Certificate of Inspection (COI)[13] is valid for five years and requires a valid TSMS issued by a TPO.

Whichever option is selected by the company they have to see the value of their system. If it is a paper exercise, of course, it will not bring the results. The fear that this will increase paperwork is misplaced. The TSMS does mean a little more of system implementation and so a little increased paperwork is to be expected. Companies should not go overboard with paperwork. Refrain from over documenting your system or using a template that does not reflect how they operate. Increased operating & compliance costs are not necessary. There will perhaps be some initial costs to comply however, the cost of operating safely is much lower than the cost of an accident. Another fear owner may have could be the interference in their business. However, increased safety on the inland waterways benefits all including, boat owners and other leisure craft operators, crew members, the environment and the economy (ensuring waterways not shut down).

Conclusion. In summing up, based on my experience and involvement as also work with USCG, I can say this is a very well-intended, well-meant initiative to help the towing industry. The real joys will come from the correct implementation. Subchapter M is not only about compliance. It is about building a safety culture. It encourages the industry to streamline and reduce the paperwork that supports compliance/conformity, by greater use of technology, by identifying common areas and integrating documentation requirements as also motivating the workforce to use and improve the system. To use the reporting and monitoring systems, to build a culture of risk assessment / risk-based thinking and to explore measures to reduce the cost of compliance as also to improve monitoring and develop performance indicators. The early risk appreciation from data driving risks and NC[14]s driving Correction[15] and CA[16] will itself pay for the investment by providing confirming vessels as product and service of the industry.

 

 

[1] For the Context of the Organization guidelines refer to Clause 4 (4.1,4.2 & 4.3) read with Clause 6.1 of the Standard ISO 9001:2015.

[2] Transportation Statistics Annual Report 2017.

[3] https://maddenmaritime.files.wordpress.com/2016/10/tsac-1401-recommendations-kulluk-grounding.pdf

[4] Safety Management Certificate per the ISM Code.

[5] Document of Compliance as Per ISM Code.

[6] Roll-on roll-off.

[7] International Safety Management Code.

[8] RO: Recognized Organization representing a Flag State as per role defined in SOLAS.

[9] Third Party Administrators.

[10] Towing Safety Management System.

[11] https://www.qmii.com/iso-9001-training/

[12] Quote original by Dr. IJ Arora President and CEO QMII. www.QMII.com

[13] Coast Guard Certificate of Inspection.

[14] Non-Conformity.

[15] Correction is a quality term describing the immediate actions taken to address a NC.

[16] Corrective Action. CA is based on RCA-root cause analysis.

Subchapter M: Bane or a Boon?

Request a free copy of IJ's Subchapter-M Presentation 


Stop the Firefighting: Use Effective Root Cause Analysis

Root Cause Analysis (RCA) or Causal Analysis when applied correctly should help to prevent the recurrence and occurrence of similar issues within the organization. Why then is such little time, money and or effort afforded to it?

Heroes save the day! Yet again! How often have we come across news articles that laud those who manage the crisis, stop the plane from crashing or save the patient. The reality in any casualty is that, a system failure has resulted in a non-conforming product/service, including failed inspection. Organizations should laud and appreciate those who prevent incidents/ accidents/non-conformities and those who perform effective root cause analysis. Those who recognize near misses and perform CA  should receive equivalent if not more praise.

The root cause of many diseases is lack of a healthy lifestyle. Presumably, annual medical check-ups would show the flaws and enable risk appreciation to prevent a disease or illness from manifesting itself. This data however may not be enough to provide an accurate diagnosis or prevent a serious medical condition. Perhaps some may see the regular check-ups as a waste of money and time! This may help to explain why companies are reluctant to do root cause analysis when non-conformities arise. Their instincts are to do the firefighting when something goes wrong. This basic firefighting often appears to be less expensive, quick and seemingly more convenient. However, as has been proved again and again in various fields (quality, safety, security, etc.) prevention is better and more cost effective than the cure.

Why Problems Persist?

There are many methodologies for root cause analysis (RCA). It is not the intent of this article to educate its readers on the various RCA methodologies. Before we delve into why problem persists let us considers why problems occur. Problems usually occur because of the lack of a functional well implemented management system. This includes the lack of management commitment, timely identification of risks and lack of controls/adequate resources for the processes. Despite repeated warnings from their doctor, patients choose to continue living their current lifestyle. During incident investigation interviews this comment is often heard ‘this is the way we always did it’. Humans are not always accepting of changes and ‘if it ain’t broke then why fix it?’ Management of change is never easy. The larger the organization the more difficult it is to enable the change. Often in management systems, problems are ‘fixed’. This makes the issue go away albeit temporarily. Everyone likes a good score card and ‘fixing’ the issue makes everything look good again. However, when the root cause(s) are not addressed this dragon will raise its ugly head again.

When root cause analysis points toward leadership or top management, the job security aspects may prevent the middle managers from completing the RCA process. This political limitation, to avoid exposing process issues within the ranks of leadership are counterproductive, and yet a reality. As preposterous as it may sound, in some cases leadership may opt for paying the fine when things go wrong and then proceeding as is. This is seen as the ‘less expensive’ option than resourcing actions to prevent the recurrence/occurrence of problems. Conflicts of interest in the workplace, can often be a reason for a lack of effective root cause analysis.

Stopping the Firefighting.

With all due respect to firefighters and other emergency personnel, organizations want to solve the problem, so they do not have to call them back! This means getting to the root cause(s) of the incident. Very often when identifying the root cause(s), the work group or practitioners often stop short of finding the actual “root cause.” These may be the immediate direct or indirect causes. The root case may lie in another part of the organization and often gets missed. Root Cause Analysis when done correctly drives systemic changes to prevent similar issues from cropping up again. As with everything else the RCA team needs the backing of the leadership including the needed resources to be effective.

In conducting effective root cause analysis, the inputs of customers and other stakeholders may be needed. For effective root cause analysis is of interest to all organizations that are integral to the successful implementation of a management system. The element of social responsibility in the defined duties of leadership need to be audited and have consequences when customer focus is lost. The new root cause analysis model should have an element of responsibility attributable to the top management. The intent, not to encourage a blame culture, but a responsibility culture. As a part of QMII’s management system implementation we train selected candidates as a problem-solving team to enable and empower continued success of the system. To sit in the fire house and focus on other initiatives such as innovation, social responsibility etc. an organization has to proactive rather than be responsive.

Conclusion

Leadership often questions why money spent on management systems, particularly when based on ISO Standards do not work? Why a conforming product or service is not constantly delivered by an organization? Mature organizations recognize that the only bad nonconformity (NC) is the one that they do not know about. Once the NC is identified, the system must drive Correction and CA (corrective action, based on RCA). Closed NCs added to the database, along with the proper analysis of the information, will allow system users to appreciate risks and trends to identify the opportunities for improvement (OFI). However, all this will fail if the MS (management system) users do not understand the value of RCA.

For the success of a Management System, its outputs based on inputs must deliver conforming products and services.  When the Management System does not achieve this, all stakeholders should be interested in the root cause analysis and corrective action.

Myth: Management system implementation – documentation must align to the ISO standard

Companies use different management system implementation methodologies to understand the requirements / inputs of their customer and then plan to deliver outputs meeting requirements as a conforming product / service. The International Organization for Standardization (ISO) publishes standards which when correctly interpreted enables companies to systematically and consistently provide desired outputs while addressing risks. Using the framework/methodology provided by ISO, companies design systems / processes to work together to deliver desired outputs.

The endeavor of the organization should be to define the outputs (products/services) accurately, after understanding customer requirements, both stated and unstated. ISO standards allows companies of any size and industry to implement them. Hence a lot is left open to interpretation. Despite this, certification of these systems delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO certification gives confidence of a certain basic framework being implemented and followed.

The risks are appreciated in the context of the organization. The core process of the organization has its objectives directly derived from the company policy. The Key and Support procedures ensure the objectives of the core procedure are met and deliver a confirming product and or a confirming service.

Why ‘ISO-ized’ systems fail?

This understanding of how a management system works and delivers products and services must be understood in the spirit of the ISO standard. The use of the standard is not like a magic wand which will guarantee excellence or success. The Standard needs careful interpretation to design the processes necessary to meet stakeholder requirements. Many an ‘ISO-ized’ management system implementation do not deliver sustained success because, when written around the clauses of the standard the system is not actively used and therefore does not deliver the feedback that a good system should.

The process needs to be documented around what the users do. These processes then need to be resourced, controlled, monitored, audited and reviewed for continuing suitability, adequacy and effectiveness. Organizations blunder into believing that ‘ISO-izing’ their system is the panacea to all their problems. It is not. These systems documented to the clauses only benefit the external auditors of the system. The system should be documented for easy use by the users of the system. Auditors and auditing are an integral part of the system; meant to provide objective inputs for improvements and not to dictate how the system functions.

The process approach to management system implementation

The process-based approach is the fundamental to management system implementation. The success in ISO standard implementation (be it for efficiency, managing risk, security, environment, aerospace quality or food safety etc.), lies in a good plan that accounts for system risks given the organizational business context. Management system implementations should ideally capture the “as-is” of the system, compare it to requirements and identify the gaps enabling design of new procedures and an update of existing procedures. These procedures are designed to meet measurable objectives, that are based on the policy of the leadership. Users of the system do the work to meet the objectives and the procedures must capture the ‘how’ of what they do.

The chain from understanding requirements, risks and inputs to creating the policy should be systematically considered in designing the management system prior resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership from cradle to cradle i.e. from the planning to implementing to monitoring and reviewing of performance for improvement. This approach gets Top Management (TM) to take personal ownership of their management systems.

Conclusion

ISO standards are not prescriptive and need interpretation by the users of the system. Using the Plan-Do-Check-Act (PDCA) cycle approach leaders convey their policy to the users of the system. The system ensures adequate controls and resources, so outputs meet the inputs and the measurable objectives as set. Management system implementation, when done correctly, allows for feedback to be captured so risks and opportunities for improvement are identified and addressed in a timely manner. As for the auditors let us have them use their innovative approaches to identify how the system meets the requirements and intent of the standard. To make it easy we could provide them with a cross-reference matrix to demonstrate where the requirements of the system are met within the documented procedures. Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of ‘De-ISO-ized’ system.

Defining Measurable Objectives/ Metrics to Drive Continual Improvement

Measurable objectives are an essential input for all levels of the management and come from the top management (TM). These objectives guide personnel at the work level to help ensure the success of a management system. The need for a set of value-based metrics is met by looking carefully at the company policy (based on the strategic direction) and then drawing the measurable objectives from it.

My thought is for any organization giving more than the desired value is a challenge! Values in today’s business world are often related solely to the ROI (Return on Investment). Providing value to the customer is a goal. The question is at what cost? Due to budgetary concerns, no organization wants to do more than what is required. Availability of funds is input to the design of the final product and or service. Consequentially, the values that an organization sets for itself must be based on trying to meet the objectives and expectations of the customers, or the statutory bodies (if relevant) within the constraints of the resources. Where a statutory body is involved, it is the vital responsibility of that body to precisely define expectations and what metrics they will accept.

My opinion is that the statutory bodies such as the FAA, FDA, EPA, and USCG, would have concerns about continual improvement by the external service providers. It is therefore critical to conduct an analysis and conduct management reviews internally to achieve the intended purpose of Clause 10.3 of ISO 9001:2015. However, it all starts with defining, providing and monitoring these clear expectations. This means that the statutory body should provide guidelines for stated requirements, as the IMO does in the ISM Code, within Resolution A.1118(30) & MSC-MEPC.7/Cir8. In a similar manner, the USCG could provide clear guidelines for TPO (Third Party Organization) and for the towing companies for the Subchapter M.

Statutory bodies, understandably, may struggle with defining their policy in the initial stages and clearly converting it to a set of measurable objectives (Value based metrics) for external providers. The need for the Leadership (TM) is to spend time and resources well at the plan stage of the PDCA cycle (Plan-Do-Check-Act) by understanding the context of the organization (Clauses 4.1 and 4.2 of the ISO 9001) and appreciate the various risks (Clause 6.1 of ISO 9001) keeping the customer focus in mind. The Standard here provides useful clauses to make the decision. An objective audit of the internal procedures of the statutory body (Clause 9.2 of ISO 9001) would provide the inputs for the Management Review (Clause 9.3) and ensure a robust decision-making process. This then should be followed by regular audits of the organization to which the processes have been outsourced (meeting the requirements of Clause 8.4.1 and 8.4.2 of ISO 9001). The organization which provides the outsourced service or product needs the information in terms of clause 8.4.3 to perform to the total satisfaction of the statutory body. As such providing clear requirements is a vital role of the statutory body.

Once requirements are clear, then the organization providing a product or service will use these inputs to design their Policy (Clause 5.2 of ISO 9001) 5.2.1d. This policy would then ensure that the feedback loop will help to drive continuous improvement efforts of the QMS. This policy would then provide the framework for the “value-based metrics” which in Quality terms would be the measurable objectives in terms of clause 6.2. Both 6.2.1 and 6.2.2 would put the organization on the correct path to success. The statutory body would vigorously and regularly audit the correct implementation itself or by using an independent professional service provider.

In effect, what this means is that just being certified to e.g. ISO 9001:2015 is not enough for any organization. What is required is a functioning PBMS (process-based management system) based on the chosen standard and other criteria implemented by committed leadership and motivated manpower.

(The author Dr. IJ Arora, is the President and CEO of QMII)