P-D-C-A with a Christmas Tree

As a QMII employee, I can sit and observe classes whenever I want, more so since they are virtual instructor led these days. It allows me to get a refresher on the clauses, even though it is so hard to get them. It gets me every time. When the time comes to interview auditees, I smile like a Cheshire cat; not a confident grin but one that hopefully does not betray my nervousness.  Often, I am nervous as a long-tailed cat in a room full of rocking chairs. However, my QMII ISO lead auditor training has prepared me well. I am nervous as the auditee too, even though I know audits are not about pass or fail.  While I call myself a writer and researcher my greatest struggle perhaps lies with Audit Report writing. Oh, man! QMII lead auditor training, however, well prepared me to gather all notes during an audit to present a valuable report to the auditee. Smile.

The aspect of Lead Auditor training I like is the P-D-C-A cycle because I can use that analogy anywhere in my life. I have the responsibility of putting up the tree, however, currently, my application of the P-D-C-A is not going so well. Perhaps a re-plan is needed?

So from the Lead Auditor classes that I have attended, P-D-C-A stands for the following and the task next to it is what I have to do:-

P – Planning: We have to put the tree. Also, the objective of my mission. Considerations include where are the decorations kept, do we have enough, do we need a ladder, what should be the first step, then the next (like testing the lights before we put them on the tree), and more. Most important plan the time to do it in my busy schedule!

D – Do: Now to put my plan into action! Locate the boxes, get them out, unpack, and, get my team to help me even if they don’t want to (just to cheer me on perhaps). Yay! Thanks guys, for your help! Thumbs up for that. Basically, everything else that needs to be completed before the tree is finally up and lit up and everyone is happy. The DO stage can be extremely exhausting. How about that drink to cool me down?

Note – From my Lead Auditor training and also when I am auditing my clients, I know that the ‘DO’ section of the process is where a lot of the “action” happens. Just because “you gotta do it, man, get on with it!” I feel the pain of the “Do’s” as it is easy sometimes to plan but more taxing to put the plan into action. Now getting back to my tree.

C – Check: Once the tree is up and you think the job is over, it is not. You have to wait for the others to “check” the tree out and give their opinions. Pass comments, critique your effort while you are bickering away that they didn’t do anything, but they get to analyze it. What was that? Oh yes, I agree it is just an opportunity for improvement and we love our non-conformities.

A – Act: The verdict is out. The tree looks great. Beautiful decorations. However, the lights seem to flicker at some places, we need better lights for next time. Get more decorations. Good job!

VERDICT

Plan it better next time. Stop bickering when you are doing the job. Be patient and stop being

grumpy when they are “checking” and analyzing your work. Continually Improve this process till you get your Act together – words of a wise Yoda who is enjoying the view of the Christmas tree and listening to the Christmas songs.

Can I get that drink now? Long Island, please. Merry Christmas!

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

Integrated Management Systems AKA ‘A balanced lifestyle’

Integrated Management Systems (IMS) when well implemented enable improvement across various facets of the system. Management system implementation reminds me of the orientation that my gym instructor gave me when I first enrolled at my local health club:- “Losing weight doesn’t happen just in one day and with crash diets: you gotta workout, gotta sleep the right amount, have a little fun in life and yes, food is the most important factor, but everything is in moderation. A combination of all that will give you a satisfying result and you’ll be a happier person. No shortcuts.”

When I look at the anatomy of an organization, I remember these words and know they are applicable to those looking to implement management systems, especially Integrated Management System (IMS). With IMS, they are looking to address multiple concern areas such as quality, environmental protection, safety, security, and overall happier stakeholders.

What is an Integrated Management System?

These days search engines like Google are the go-to source for all the answers, angles, interpretations and everything else. As I thought about the IMS and its benefits, I too turned to the ‘Google’ for insights! This is what I understood: “A management system is a set of policies, processes and procedures used by an organization to ensure that it can fulfill the tasks required to achieve its objectives. These objectives cover many aspects of the organization’s operations including financial success, safe operation, product quality, client relationships, legislative and regulatory conformance, and worker management.” (Source: Wikipedia)

Another applicable example that I can give is how a country runs? There is politics, religion, economics, business all in a blender with a spoonful of “science” and “logic” to it, which is rarely used (winking). A successful balance is needed and the country well-managed for it to be successful and have happy citizens.

There has been an increased demand for integrated management systems in recent years. Organizations are beginning to recognize how these systems enable improvement across various facets of the business. For organizations looking for continual improvement and efficiency as also ensuring the security of information, the question is: why to implement two different systems when one can meet both requirements. Think of a cocktail – If you want Vodka and Tequila together, why not order a Long Island Iced Tea instead of two separate drinks.

The International Organization for Standardization (ISO) has, since 2013, been aligning its standards to the new High-Level Structure in which all ISO requirement standards are published with 10 clauses and identical sub-clauses. The High- Level Structure allows for easier integration of management systems into our existing system and ensures that the policies and objectives for each standard do not conflict with those of another. ISO standards use the basic Plan-do-check-act cycle to achieve continual improvement through vigorous use of the system.

Benefits of Integrated Management System

Integrated management systems allow organizations to identify and address various and different kinds of risks to their system: financial, strategic, competitor, security, safety environmental and others. All this while ensuring continual improvement of the organization. This approach enables organizations to meet the needs of its stakeholders and to adjust to the changing needs through systematic and planned changes.

Back in the good ol’ days, we did not have to worry about computer hackers, though there were other means by which our security was threatened. An information security breach can be a large liability for many organizations these days. How do we ensure that our organization is prepared for such potential breaches? We do not want a cyber-security system operating outside of our business system. We want it integrated into it.

Integrated management systems also are more cost-effective in the long run. There are cost savings in implementation, training, and auditing. Why spend on two/three different system audits in order to meet with the requirements of each Standard, when an integrated audit can assess the common requirements of each standard at the same time. These include competence, control of documented information, system measurement and analysis, etc. For the users of the system, benefits include objectives that align with the integrated policy, reduced duplication of effort and no conflict in the expectations of the management with respect to each policy. This makes the system more efficient, effective and very progressive. It also makes the system more flexible and adaptive in nature to the changing context of the organizations and needs of the relevant interested parties.

Conclusion

Integrated Management Systems can help the organization align its existing system to the requirements of multiple international standards using a single common factor in lieu of discrete systems. Hence, reducing duplication or redundancies. This includes its scope, policies, objectives, programs, processes, protocols and many more. In the maritime field ISO 9001:2015 can easily be merged with ISM Code or in the aviation industry, aerospace requirements along with requirements for occupational health and safety. To meet the growing demand of stakeholders for environmental sustainability, you can also add on the requirements of ISO 14001. Add Security to it, and you got your self a perfect Long Island Iced Tea, I mean your perfectly integrated system.

A lot of time and money is saved in implementing integrated management systems. It also helps in maintaining accountability and consistency for one perfect integrated system. Once your management system is integrated, you will notice reduced bureaucracy along with a reduction in duplication of efforts, redundancy, and expense. It will optimize resources and streamline the process. Integrated management systems will also help with the following: –

  • Curbing conflicting objectives
  • Eliminates conflicting responsibilities and relationships
  • Improves Internal and External communication
  • Harmonizes practice for each Standard in one
  • Business focus is unified to maintain its objective/goal
  • Customer focus is one and not for various tasks

Oh and continuing my health analogy, a well-integrated management system will give you the desired outputs and satisfaction as does those number reducing on the weighing scale! Lastly, remember that there are no shortcuts. Templates come with many promises but do not enable the long-term gains that a well-implemented system will afford. Refer QMII’s time tested approach here.

AUDITING RISK-BASED THINKING

 

As we work with clients, we find increasing examples of certification bodies requiring risk to be documented within an organization. This despite ISO 9001 specifically not requiring so!

This then brings up the question, “How should we audit the requirements of risk-based thinking within an organization when the same has not been documented using a formal risks management system or methodologies such as FMEA?”.

Let us start with the intent of including ‘risk-based thinking’ in the standard, replacing the previous requirement for ‘preventive action’. Risk-based thinking has been included as a preventive measure with the intent of making an organization more proactive to identifying and addressing potential non-conformities (NCs) than to be reactive to NCs. Additionally, rather than limit preventive action to the end of the PDCA cycle it is now addressed throughout the standard with the concept of risk-based thinking. To therefore answer the question posed above auditors need to evidence risk-based thinking throughout the system starting with the management down through the operator/service provider.

Before we begin to discuss the process for doing this let us for recall how many times a preventive action has been raised within our organization when the requirement did exist under ISO 9001:2008. In my auditing experience the answer is rarely! This in essence defeats the purpose of what the standard was trying to achieve.

Before we begin to audit risk based thinking the auditor should get an understanding from management of the context of the organization and the needs of the interested parties relevant to the organization as identified by them. Keep in mind the requirement of Clause 4.1 and 4.2 also need not be documented. Further what are the risks that management has associated with the organization achieving its strategic direction. We can also evidence the records of the management review to assess the inputs provided to management per Clause 9.3.2 e.

Once we have the above understanding from leadership, we then look for evidence on how the organization has addressed the risks as identified by leadership. These may include as an example risks to meeting business/process objectives, risks from loss of personnel, risks from new legislation that may impact the organization etc. As we audit the organization, we are looking to assess how the processes have been resourced and controlled in order to manage the risk of not meeting the process objective or customer/regulatory requirements. Risk based thinking is inherent in the clauses for design where organizations are asked to consider the potential causes of failure, in the purchasing process where the organization is asked to select external providers based on their ability to provide products/services meeting requirements, in the planning of audits, in the determination of customer requirements (intended use & unstated requirements), in the resourcing of the system, in the fitness for purpose of monitoring and measuring equipment and in the determination of potential similar non-conformities when taking corrective action.

The above is but a sample of where the application of risk-based thinking can be evidenced. Further information from analysis of data per clause 9.1.3 is further sued as a source for improvement as per clause 10.1 and all of this can be evidenced in the system.

So then why are certification body auditors seeking a documented risk-management system? Auditees too often do not push back when such a “requirement” is brought up. It does make the audit easier if everything is documented including risk but then are, we really ensuring the effective application of the standard. The organization could meet this “requirement” for documentation of risk by just documenting two or three risks and monitoring the effectiveness of actions taken to address them. This would meet the auditors requirement but then what about other applicable risks? These would then do unaddressed as the organization will tend to focus on the documented ones, killing the system!

Let us determine the need to document the risks within our system or NOT and not be pressured into documenting our system to meet the needs of auditors.

Eight Steps for a Successful Audit

ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholder’s requirements. Organizations, certified to ISO standards, strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits too add value to this system provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or yet the evidence may not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the jng the organization in the art of getting audited? In well-functioning systems the organization should never have to prepare for an audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven . The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given.

 

Here are eight steps an organization can do to have its employees get that confidence:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On regular basis, in day to day work and meetings refer to the management system. Ensure Quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even the middle and lower management e.g. supervisors should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in) the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its Internal system and ask how the internal audit program missed the NC raised by the third party? Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TMs must stay involved by asking on the progress to the CA process. Overdue NCs must be investigated and TM must ask during the MR why the concerned department did not address it in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
  7. Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with their process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

 

By CEO and President, Captain Inderjit Arora

UPDATE ON STANDARDS

In the past year there has been a lot of activity in the development and revision of ISO standards. Highlighted below are a few key updates:

ISO 41001 – Facility Management

This new standard applies the concept of the Plan-Do-Check-Act cycle to the discipline of Facilities Management. This standard provides the requirements for a facility management system where an organization needs to demonstrate effective and efficient delivery of services. The standard is aligned with the High Level Structure adopted by ISO thus ensuring easier integration with other standards. Benefits of implementing this standard, per ISO, include improved productivity, communications, service consistency and costs benefits.

ISO 19011 – Guidelines for Auditing

ISO 19001 has become the primary guideline for all audits conducted globally. The FDIS was recently cleared and the updated revision is due to be published in July 2018. One of the main changes lies in the new auditing principle “Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.” This approach is evident in all the clauses of the standard which not follows the High level Structure. We will further update our readers as the standard is published.

ISO 9004 – Guidance to achieve sustained success

The standard has been updated to reflect the guidelines to achieve sustained success of and ISO 9001:2015 QMS. Per ISO, factors affecting an organization’s success continually emerge, evolve, increase or diminish over the years, and adapting to these changes is important for sustained success. The document addresses systematic improvement of overall performance and includes a self-assessment tool for reviewing the extent of conformity by the organization.

To Err is Human- React or Correct?

The only bad nonconformity it the one we do not know about. Understanding this fact is the key for leaders and their managers being careful not to create a culture that hides nonconformity.

Even so it is common for managers to demand no mistakes and to react badly to errors.

Leading organizations provide employees with management systems that help them to understand and fulfill the requirements. And servant leaders provide a management system to help their employees to eliminate the causes of nonconformity. They do this gradually, according to the 80:20 (or 50:4) rule, so they always start with the vital few nonconformities that cost the most.

Zero Defects (zero nonconformity actually) has to come with humble managers who take responsibility for their management system causing the nonconformity. Care and respect remain to most powerful parts of such management systems. It should not require courage for employees to talk about problems in doing the right work right.

These organizations welcome nonconformity reports to show where the management system needs further improvement to prevent failures to fulfill requirements. They know the only bad nonconformity is the one that remains hidden.

Month of May is International Internal Audit Awareness Month

The International Institute of Internal Auditors (IIA) is encouraging Internal Auditors around the world to actively promote internal auditing’s value during Internal Audit Awareness Month .

IIA is recognizing Internal Auditing.

QMII has over 30 plus years propagated the importance of internal auditing and the need to have competent internal auditors. Any tragedy can be connected back to a nonconforming product, which in turn is invariably the outcome of a failed procedure. Internal Auditors play a vital role in recognizing NCs (Non Conformities), and thereby enabling Correction and CA (Corrective Action) to NCs. Managements have to maturely understand the importance of recognizing internal NCs as an integral part of improving process improvement and continual improvement of the system. Internal auditors have a vital role in providing objective inputs at the C-check stage of the P-D-C-A cycle.

Share a video on your social media accounts about Internal Audit Awareness Month!

We want to hear from you—Comment below a way you have showcased Internal Auditing this month!

Risk-Based Thinking: Is This Something New?

Not really, but it does require a new way of planning.

Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”

er clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as determined in accordance with the requirements of 6.1.”

This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.

Can you imagine a general planning a war strategy without appreciating the risks involved, per clause 9.1.3, which requires analysis and evaluation? Perhaps this is an opportunity for the rest of the world! In real life do we not consider various risks as we send children to school, select toys, and plan expeditions? The details we go into are based on the context of what we are doing and the parties involved. Therefore, if an organization manages a simple production line to manufacture toilet rolls, the context and risk would be different than those involved in operating a nuclear plant.

But why call it “risk-based thinking” and not risk management?

ISO 9001:2015 has to be applicable across industries and to organizations of various sizes. It remains a process-based standard. Should an organization need a formal risk-management system, the standard refers to ISO 31000:2009—“Risk management.” Risk-based thinking asks that everyone in the organization think about the risk of doing, or not doing, their assigned tasks. This concept was implicit in earlier versions of ISO 9001, too, but now organizations are systematically required to understand the context (clause 4.1) and then determine risks before planning (clause 6.1).

Although the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the QMS has become more effective as a philosophy. Moreover, risk no longer has a strictly negative connotation. It simply must be addressed, and where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive and innovative idea.

As organizations transition to ISO 9001:2015, or seek to become newly certified, they must not go into “panic mode.” It’s helpful to remember that risk has always been considered in the standard, but companies are now required to be proactive rather than reactive in their considerations. With its high-level structure (HLS), ISO 9001:2015 is actually more logical, simple, user friendly, customer-focused, and aligned with modern technologies. And it’s applicable to both manufacturing and service industries.

At a very basic level, all that an organization has to do is consider these six steps:
1. Make a list of the organization’s hazards. These should be identified in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
2. Having listed the risks, the impacts or potential harm should be listed against each risk.
3. The departmental lists can be consolidated into an organizational list under the direction of top management or a designated quality manager.
4. Evaluate each risk and its associated impact or potential hazard to assign a priority or significance number.
5. With top management’s involvement, decide how to isolate, minimize, accept, transfer, or eliminate the risk.
6. These risk-minimizing decisions then require a specific plan. Come up with proposed actions for each risk, including assigning responsibility and a completion date for them. Process owners must also agree with top management on the frequency of monitoring the progress.
7. This can be further expanded, if necessary and within the context of the organization, by considering the likelihood of detection.

The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.

 

By CEO and President, Captain Inderjit Arora