Looking Ahead at ISO 9001

ISO 9001 has proactively kept up with various industry expectations, over the years, to allow

application by a broad spectrum of industry including the defense forces. The 2015 revision was

a thoughtfully planned giant step. It defined risk (ISO 9001 Clause 6.1) in the context of the

organization (ISO 9001 Clause 4.1 & 4.2) and removed exclusions provision from certification by

redefining what an organization does not do or outsources in the scope (ISO 9001 Clause 4.3). It

also removed preventive action, a reactive concept, and introduced proactive risk appreciation

(Clause 6.1 of ISO 9001 & Clause 8.1 in industry specific standards as AS9100).

This took preventive action from the delayed “Act” stage of the PDCA (Plan-Do-Check-Act) stage

to the more logical sensible “Plan” stage. After all, “look before you leap”, as the historical

fundamental, could not be left as a preventive action decision. It had to be at the look – plan

stage! Risk also needed not just mitigation, but also acted as an input, to be used to bring in

innovation in terms of OFI (opportunity for improvement).

These were all positive steps in keeping with technical advancements and computerization and

AI (artificial intelligence) tools. The HLS (high level structure), later updated to HS (harmonized

structure), recognized the need to enable ease of implementation of integrated management

systems. This in turn leading to efficiency, ROI (return on investment) and where applicable

environmental protection, security of the global supply chain, business continuity, cyber

security and health and safety.

The differentiating of knowledge (ISO 9001 Clause 7.6) from competence (ISO 9001 Clause 7.2)

was also a clever needed change. Organizations needed to define their corporate knowledge

aspects and differentiate it from the individual knowledge of personnel. Knowledge and

competence needed merging and a healthy marriage but needed recognition that they were

different. Removal of the reference to Quality Manager (QM) and Quality Manual from the

standard, took away the narrowness of thinking in quality, and brought the clarity to leadership

to remain accountable and to differentiate authority delegation from retaining the

accountability.

I am a member of the TAG-176 group, and yet have not really contributed much to the next

expected changes to ISO 9001. I am sure the TC-176 is working on this. Nevertheless, it is time

to debate and consider updating the standard.

Since the 2015 version was a major fundamental change, I doubt there would be a significant

departure from this 2015 version in the next major update. Unlikely that the next version may

have revolutionary updates. The emphasis, I think would be to clarify and strengthen the

present thoughts in the 2015 version. I would consider the following:

1. Two Standard Concept: I have over the years thought about the two prongs:

manufacturing and service, approach. Both the service and the manufacturing industry

have been using the standard. Some may consider the need for a separate

manufacturing and a service standard as the next step. However, over the years I have

feared too much bureaucracy which the two standards approach brings. I think the two

standard approaches may actually cause more issues than to resolve them. Might I

opine that Clauses under 8.3 for D&D can, if needed, be strengthened, clarified or more

useful notes as applicable to service version incorporated to assist implementers,

consultants and auditors?

2. Risk be better defined and OFI be clarified, to avoid auditors using it as a tool to sneak in

recommendations. OFI is the outcome of considering risk as an input for innovation. It is

not a recommendation.

3. The knowledge clause needs meat to strengthen it, and to better make it inclusive to

systematizing the requirements for organizations to systematize lessons learnt.

4. An annex added to bring clarity and ease to designing and implementing a combined

management system for an organization.

5. Clause 4.3 Scope, in defining scope requires consideration of the context of the

organization, which is based on Clauses 4.1 and 4.2. However, while the scope has to be

available as documented, 4.1 and 4.2 do not require documentation. I would suggest

both clauses 4.1 & 4.2 to have context as a documented requirement.

In conclusion, I think, updating the standard ground up is not a wise idea at this stage. Perhaps

slight tweaking to include some minor changes would give stability in implementation of an

already robust standard.

How to Alleviate Common Management System Pain Points

Implementing ISO standards is not mandatory, however a management system conforming to a standard can have numerous benefits. Some benefits include increased efficiencies, proactive risk management, better interaction among departments and alignment with the needs of interested parties. However, once you are actually in the process of implementation, you may experience the following pain points: 

  1. Lack of top management commitment 
  1. Limited resources to effectively implement the program 
  1. Lack of buy-in from the workforce  
  1. Over documented systems  
  1. Lack of measurable objectives driving improvement  
  1. Teams lack adequate interaction and alignment  
  1. Company is focused on keeping certification at all costs  

Quality Management International, Inc (QMII), having over 37 years of providing sustainable solutions for our clients, recognized how these hurdles can impact an effective management system. QMII has developed and provided solutions to address and alleviate these pain points that continue to benefit our clientele. 

A management system consulting project cannot start without top management present to map the process of what they do (core process) and to identify the core objectives for the system. Policies, objectives, and motivation must be demonstrated from the top-down and evidenced by all the team players. To further reinforce commitment, we get top managers to develop a presentation to launch the system and that will then be used for awareness training as the system progresses. This is done using our Awareness Leaders Workshop. Without authority, responsibility, and resources, middle management and individual contributors cannot improve the business management system.  

We understand that companies have financial restrictions. With a mission to get organizations to appreciate the benefits of a process-based management system, we provide multiple options to work around this challenge. 

(1) We provide free information on our website so you can carry out ISO implementation at your organization.  

(2) Attending a lead auditor training course is a relatively minimal cost. You and your team will gain a comprehensive understanding of the desired ISO standard and gain the skills necessary to implement requirements and conduct audits to determine conformity.  

(3) If you need a little more guidance, we provide scalable consulting services. Our consultants are here to assist you with exactly what you need. You will not have to pay for the full package.  

(4) Our alumni have free email and phone support, for life, to get over average hurdles.  

As far as reluctance among employees, it’s human nature to be reluctant towards change. Keeping this in mind, QMII consultants get key process owners to evidence top management’s commitment and ensure that they are involved in QMS (Quality Management System) development. We analyze with them to capture the system AS-IS and what-should-be. It is essential to get the team buy-in during this process and get their input on the process’s actualities. Teams must also interact and be aligned. We provide team-building workshops where we align objectives to the vision and processes to meet objectives. 

ISO implementation is not an overnight process, it may even seem daunting. QMII’s Action Plan Checklist is readily available, and it focuses on the big picture to simplify the process. If you need more assistance, our consultants would be happy to work with you through the checklist. We appreciate the system you already have; we are simply helping you enhance it to meet requirements and set objectives. Documentation is a significant part of ISO implementation. To remove complexities, we incorporate existing documentation and use a format that works best for you. 

At the end of the day, ISO certification is primarily a marketing decision. QMII strives to help you develop a resilient, integrated management system so that you receive actual benefits. Once set up, your system will work independently and continue to improve while managing risk proactively.  

I Don’t See Nothing Wrong

How often have we heard these words within our organization? Often the evidence is right before the persons eyes and they fail to see it. Perhaps in the hope that the failure to acknowledge it will cause it to go away. Across industries “non-conformities” have come to be recognized as something negative, to be done away with quickly. ISO 9001 2015 training teaches us that a non-conformity is the non-fulfillment of a requirement. It is the system that has failed to meet the requirements and not the individual. Admitting to something being wrong takes courageA well-implemented system can reduce the amount of courage it takes to admit to a mistake or an incorrectly implemented process. 

Why fix it if it ain’t broke 

Another common phrase you may hear across your organization. Yet another “this is how its always been done”. Humans resist change. It causes them to break out of their comfort zone. A common result of completing an ISO 9001 2015 training is personnel returning to their companies to start the mapping of their processes. In this, they may get to hear comments such as those above. Personnel does not want to capture the knowledge in their heads onto a price of paper as it puts their job security at risk. They perceive ISO 9001 as an alien document and the clauses make no sense to them. They do not see the value in audits as auditors are merely seen as policemen out to find fault in what they are doing.  

Is everything really good? 

Non-conformities that are not reported when they occur do not get effective corrective action taken on them and they “magically” occur again and again. Often times a smaller non-conformity unaddressed may lead to a larger non-conformity down the road. ISO 9001 in clause 10.2 asks organizations to implement systemic corrective action by identifying if similar non-conformities can occur in other areas of the system. It asks organizations to assess the root cause(s). ISO 9001 2015 training provided to personnel will educate them on how to interpret the requirements of the system to tailor it to their organization so the changes can be minimal. Organizations can do this by capturing the system as the work is done and not a fictional one. It helps training to be provided to personnel, so they understand their role in the system.  

In conclusion, ISO 9001 2015 training is not a means to complicate the way work is done but by understanding and implementing a system that captures the “as-is” of the organization the changes can be kept to a minimum and small. Once personnel sees how the system benefits them they will learn to admit to things that are going wrong and use a systematic approach to correct them.

 

Integrated Management Systems AKA ‘A balanced lifestyle’

Integrated Management Systems (IMS) when well implemented enable improvement across various facets of the system. Management system implementation reminds me of the orientation that my gym instructor gave me when I first enrolled at my local health club:- “Losing weight doesn’t happen just in one day and with crash diets: you gotta workout, gotta sleep the right amount, have a little fun in life and yes, food is the most important factor, but everything is in moderation. A combination of all that will give you a satisfying result and you’ll be a happier person. No shortcuts.”

When I look at the anatomy of an organization, I remember these words and know they are applicable to those looking to implement management systems, especially Integrated Management System (IMS). With IMS, they are looking to address multiple concern areas such as quality, environmental protection, safety, security, and overall happier stakeholders.

What is an Integrated Management System?

These days search engines like Google are the go-to source for all the answers, angles, interpretations and everything else. As I thought about the IMS and its benefits, I too turned to the ‘Google’ for insights! This is what I understood: “A management system is a set of policies, processes and procedures used by an organization to ensure that it can fulfill the tasks required to achieve its objectives. These objectives cover many aspects of the organization’s operations including financial success, safe operation, product quality, client relationships, legislative and regulatory conformance, and worker management.” (Source: Wikipedia)

Another applicable example that I can give is how a country runs? There is politics, religion, economics, business all in a blender with a spoonful of “science” and “logic” to it, which is rarely used (winking). A successful balance is needed and the country well-managed for it to be successful and have happy citizens.

There has been an increased demand for integrated management systems in recent years. Organizations are beginning to recognize how these systems enable improvement across various facets of the business. For organizations looking for continual improvement and efficiency as also ensuring the security of information, the question is: why to implement two different systems when one can meet both requirements. Think of a cocktail – If you want Vodka and Tequila together, why not order a Long Island Iced Tea instead of two separate drinks.

The International Organization for Standardization (ISO) has, since 2013, been aligning its standards to the new High-Level Structure in which all ISO requirement standards are published with 10 clauses and identical sub-clauses. The High- Level Structure allows for easier integration of management systems into our existing system and ensures that the policies and objectives for each standard do not conflict with those of another. ISO standards use the basic Plan-do-check-act cycle to achieve continual improvement through vigorous use of the system.

Benefits of Integrated Management System

Integrated management systems allow organizations to identify and address various and different kinds of risks to their system: financial, strategic, competitor, security, safety environmental and others. All this while ensuring continual improvement of the organization. This approach enables organizations to meet the needs of its stakeholders and to adjust to the changing needs through systematic and planned changes.

Back in the good ol’ days, we did not have to worry about computer hackers, though there were other means by which our security was threatened. An information security breach can be a large liability for many organizations these days. How do we ensure that our organization is prepared for such potential breaches? We do not want a cyber-security system operating outside of our business system. We want it integrated into it.

Integrated management systems also are more cost-effective in the long run. There are cost savings in implementation, training, and auditing. Why spend on two/three different system audits in order to meet with the requirements of each Standard, when an integrated audit can assess the common requirements of each standard at the same time. These include competence, control of documented information, system measurement and analysis, etc. For the users of the system, benefits include objectives that align with the integrated policy, reduced duplication of effort and no conflict in the expectations of the management with respect to each policy. This makes the system more efficient, effective and very progressive. It also makes the system more flexible and adaptive in nature to the changing context of the organizations and needs of the relevant interested parties.

Conclusion

Integrated Management Systems can help the organization align its existing system to the requirements of multiple international standards using a single common factor in lieu of discrete systems. Hence, reducing duplication or redundancies. This includes its scope, policies, objectives, programs, processes, protocols and many more. In the maritime field ISO 9001:2015 can easily be merged with ISM Code or in the aviation industry, aerospace requirements along with requirements for occupational health and safety. To meet the growing demand of stakeholders for environmental sustainability, you can also add on the requirements of ISO 14001. Add Security to it, and you got your self a perfect Long Island Iced Tea, I mean your perfectly integrated system.

A lot of time and money is saved in implementing integrated management systems. It also helps in maintaining accountability and consistency for one perfect integrated system. Once your management system is integrated, you will notice reduced bureaucracy along with a reduction in duplication of efforts, redundancy, and expense. It will optimize resources and streamline the process. Integrated management systems will also help with the following: –

  • Curbing conflicting objectives
  • Eliminates conflicting responsibilities and relationships
  • Improves Internal and External communication
  • Harmonizes practice for each Standard in one
  • Business focus is unified to maintain its objective/goal
  • Customer focus is one and not for various tasks

Oh and continuing my health analogy, a well-integrated management system will give you the desired outputs and satisfaction as does those number reducing on the weighing scale! Lastly, remember that there are no shortcuts. Templates come with many promises but do not enable the long-term gains that a well-implemented system will afford. Refer QMII’s time tested approach here.

Monitoring Outsourced Processes is a Primary Responsibility of Every Organization

The international standards provide a world of wisdom enabling robust planning to achieve results by the organizations. In this global economy, often doing all the work in-house is not a cost-effective solution. Moreover, with super-specialized industry requirements, perhaps a lot of quality products and services can be procured at reasonable prices. Yet it seems organizations fail to act in the spirit of the standard when putting in place requirements for monitoring outsourced processes. Clause 8.1 of ISO 9001:2015 in operational planning and control has a sting in the tail with a clear whip requiring that “the organization shall ensure that outsourced processes are controlled.”

Statutory requirements are created to provide the required oversight, maintain customer focus and protect the interests of the customer when products and services are cleared for use. The caveat is that the statutory body should be well resourced, have the infrastructure, maintain organizational knowledge levels (Clauses 7.1.5.1, 7.1.3 & 77.1.6 of ISO 9001) with competent manpower (Clause 7.2). This often is not possible or with time not sustainable due to budgetary constraints, knowledge level dropping with time, Leadership forgetting their primary role (Clause 5.1.1) of taking accountability for the effectiveness of the QMS (Quality Management System). As such, the resources (5.1.1 e) needed for the QMS are not provided or budgets not available. The statutory bodies rationalize it by their helplessness since the government does not provide the funding and budgetary support for this.

Whatever the reasons, the question is who suffers? A ship is sunk, and aircraft with all on board has crashed, dangerous drugs are in use. It is the customer who suffers. In helplessness on their ability to do their duties, the statutory bodies outsource the work to contracted parties or worst to the manufacturer itself! The whole logic of creating a statutory body is lost with this.

What then is the remedy? The essential rulemaking that implements compliance requires competence, resources, and infrastructure with a committed Leadership ensuring continuing suitability, adequacy and effectiveness of the system. When budgetary constraints do not allow this role to be fulfilled, the risk to the system along with the products and services it provides must be assessed and mitigated or the opportunity for improvement taken (Clause 6.1 of the ISO 9001).  This would require the authority to appreciate the FMEA (Failure Mode Effect and Analysis) and take measures to remedy this. If this risk is not appreciated as NC (Non-conformity) the CA (Corrective Action) will not take place nor will the government know of the consequences of underfunding or of recognizing the failure and finding alternatives/ considering options. If the manufacturer has the resources, the government may consider this an asset and avoid duplication of resources, thinking in national terms. Outsourcing to the manufacturer as has been seen can mean losing customer focus and is strict counter to the very philosophy of statutory work. It would call for aggressive, proactive and strict monitoring of the outsourced processes.

In my opinion, monitoring the outsourced processes diligently, as clearly prescribed in the standard is the answer. New options may not be necessary, if the existing clauses of ISO 9001 and related industry-specific standards, where applicable, are understood in the spirit of the standard and vigorously implemented.

  • Dr. IJ Arora

AUDITING RISK-BASED THINKING

 

As we work with clients, we find increasing examples of certification bodies requiring risk to be documented within an organization. This despite ISO 9001 specifically not requiring so!

This then brings up the question, “How should we audit the requirements of risk-based thinking within an organization when the same has not been documented using a formal risks management system or methodologies such as FMEA?”.

Let us start with the intent of including ‘risk-based thinking’ in the standard, replacing the previous requirement for ‘preventive action’. Risk-based thinking has been included as a preventive measure with the intent of making an organization more proactive to identifying and addressing potential non-conformities (NCs) than to be reactive to NCs. Additionally, rather than limit preventive action to the end of the PDCA cycle it is now addressed throughout the standard with the concept of risk-based thinking. To therefore answer the question posed above auditors need to evidence risk-based thinking throughout the system starting with the management down through the operator/service provider.

Before we begin to discuss the process for doing this let us for recall how many times a preventive action has been raised within our organization when the requirement did exist under ISO 9001:2008. In my auditing experience the answer is rarely! This in essence defeats the purpose of what the standard was trying to achieve.

Before we begin to audit risk based thinking the auditor should get an understanding from management of the context of the organization and the needs of the interested parties relevant to the organization as identified by them. Keep in mind the requirement of Clause 4.1 and 4.2 also need not be documented. Further what are the risks that management has associated with the organization achieving its strategic direction. We can also evidence the records of the management review to assess the inputs provided to management per Clause 9.3.2 e.

Once we have the above understanding from leadership, we then look for evidence on how the organization has addressed the risks as identified by leadership. These may include as an example risks to meeting business/process objectives, risks from loss of personnel, risks from new legislation that may impact the organization etc. As we audit the organization, we are looking to assess how the processes have been resourced and controlled in order to manage the risk of not meeting the process objective or customer/regulatory requirements. Risk based thinking is inherent in the clauses for design where organizations are asked to consider the potential causes of failure, in the purchasing process where the organization is asked to select external providers based on their ability to provide products/services meeting requirements, in the planning of audits, in the determination of customer requirements (intended use & unstated requirements), in the resourcing of the system, in the fitness for purpose of monitoring and measuring equipment and in the determination of potential similar non-conformities when taking corrective action.

The above is but a sample of where the application of risk-based thinking can be evidenced. Further information from analysis of data per clause 9.1.3 is further sued as a source for improvement as per clause 10.1 and all of this can be evidenced in the system.

So then why are certification body auditors seeking a documented risk-management system? Auditees too often do not push back when such a “requirement” is brought up. It does make the audit easier if everything is documented including risk but then are, we really ensuring the effective application of the standard. The organization could meet this “requirement” for documentation of risk by just documenting two or three risks and monitoring the effectiveness of actions taken to address them. This would meet the auditors requirement but then what about other applicable risks? These would then do unaddressed as the organization will tend to focus on the documented ones, killing the system!

Let us determine the need to document the risks within our system or NOT and not be pressured into documenting our system to meet the needs of auditors.

Use PDCA to Meet ISO 9001:2015 Revision Deadlines

Ensuring that the system positively contributes to the organization’s bottom line is important.

With the cutoff date of Sept. 15, 2018, looming for transitioning to ISO 9001:2015 and ISO 14001:2015, there will be organizations chasing certificates. However, certificates can’t improve the system, guarantee better products, or render better service. The fundamental changes to the ISO standards will positively affect business outputs if implemented correctly. However. There’s the possibility that the pressure of deadlines hanging like the sword of Damocles over leaders may result in hurriedly obtained but ultimately worthless paper certificates. Leaders may want to give this a thought as they manage their organizations’ transition or first-time implementation of the standards.

It’s the organization’s well-implemented management system that will enable employees to perform well and produce conforming outputs. The changes in ISO 9001, ISO 14001, as well as the 2016 high-level structure (HLS) revisions to the AS9100 family of aerospace standards, need timely and correct implementation. The changes in these new revisions involve a fundamental rethink of the approach to implementation. There is a call to make ISO standards’-based management systems more proactive by considering risks within the context of the organization, keeping the priorities of interested parties in mind, and managing the internal issues that need planning and thought. Organizational knowledge, per clause 7.1.6 of ISO 9001, needs deliberation to determine how that knowledge can propel the organization to better performance and risk management, and lead to innovation. A robust quality management system (QMS) is an asset that should deliver.

This transition phase requires expertise in correctly interpreting the standard and identifying gaps in the system while respecting the “as-is” of the system. This must be followed by systematic incorporation of the changes within the context of the organization. Using the plan-do-check-act (PDCA) cycle can help. The (good) plan stage must be followed by orientation, motivation, and correct implementation during the do stage, followed by an audit during the check stage to ensure that the system is not only functionally aligned but also meeting the requirement of clause 5.1.1 b and c (i.e., that the QMS is compatible with the strategic direction of the organization). Per clause 5.1.1, there is a tremendous amount of responsibility for top management to ensure a customer focus throughout the organization.. The act stage of the PDCA cycle come about through the management, which is require per clause 9.3 of the standard. This review must be done soon after the transition audit to give confidence to top management that the system will work.

This additional emphasis in the revised standard to ensure the system positively contributes to the organization’s bottom-line is important. Nonconforming outputs must be reduced and not leave the organization as defective product or services. To do this, it’s important to consider the following:

Risk based thinking must become second nature to the organization so that risks are managed and analyzed to consider opportunities for improvement. Outsourced procedures and services must perform to expected standards to meet customer requirements. The work environment, per clause 7.1.4, should ensure that processes achieve product and service conformity to requirements. The combination of competence (clause 7.2), awareness (clause 7.3), a knowledgeable workforce (clause 7.1.6) that can ensure controlled production and services (clause 8.5.1) is a responsibility of top management.

By CEO and President, Captain Inderjit Arora

The Cost of Certification: A deterrent to system implementation?

Certifications often drive the implementation of a system approach, based on ISO standards. The primary implementation demand is for ISO 9001.

Certifications do have initial costs and then recurring costs for surveillance and re-certification visits. This is a responsive approach to business requirements, invariably driven by a forthcoming contract that mandates the system approach. Prudent businesses appreciate the risk of not having a process-based system.

When budgets are tight, supply chains are challenging, and retaining employees is difficult, it is all the more essential that organizations invest in a good management system. As W. Edwards Deming said, “A bad system will let down a good person every time.”

An efficient management system should be an essential asset of any good organization. Certification should not be the primary driver of this requirement. The optimum return on investment is by effective process performance based on objective information analysis, which in turn is based on data from within the organization or an appreciation of inputs publicly available. Organizations’ leaders should look beyond certifications to implementing and maintaining systems that drive continual improvement. Continual improvement drives organizations to find cheaper and quicker solutions while improving the quality of their products and services. After all, is that not what customers expect? The best quality for the cheapest price point?

Organizations can, and should, consider the option of self-declaring their conformity to ISO 9001, without incurring the added expense of certification, especially when customer requirements do not mandate it. Meeting customer requirements, ensuring continual improvement, and leading the organization to innovate cannot be achieved without a system in place. Effectiveness and efficiency is achieved when employees use system processes to achieve objectives. Customers’ confidence in the organization comes from trusting that they will receive conforming products/services consistently. The cost of not following a system approach can lead to work performance that is not optimized and results in losses.

ISO 9001:2015 requires an appreciation of the context of the organization, as well as the risks and expectations of the interested parties. This enables the organization’s leaders—in fact, requires them in clause 5.1.1 b—to define quality policy and objectives for the quality management system (QMS) that is aligned to the strategic direction of the organization. The QMS now is not an add-on to the business strategy but is integrated with it.

Experience has repeatedly shown that the lack of customer focus is the major cause of businesses failing or not performing, of governmental agencies overshooting budgets, and sensitive organizations (e.g., nuclear facilities, military bases, hospitals) making fatal errors. The cost of not having a system is so high and the consequences so dangerous that it would be almost suicidal not to have a management system in place.

Once the decision to implement the system has been made, why reinvent the wheel?

The well-tried, regularly updated ISO 9001 standard, which encompasses years of global wisdom, is the correct choice. Once the system is implemented and the organization’s leaders have confidence in the system’s performance based on objective inputs (such as audits, inspections, feedback, and other inputs), top management can self-declare the system as conforming to ISO 9001. There is no cost to this except the minor investment in using a competent consultant who comes in respecting the existing system and then identifies and addresses any gaps. After all, every functioning organization has a system.

The next stage, requiring investment in the certification, is a decision to be made by top management when a business requirement necessitates this. When it does, then the work will pay for it.

Risk-Based Thinking: Is This Something New?

Not really, but it does require a new way of planning.

Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”

er clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as determined in accordance with the requirements of 6.1.”

This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.

Can you imagine a general planning a war strategy without appreciating the risks involved, per clause 9.1.3, which requires analysis and evaluation? Perhaps this is an opportunity for the rest of the world! In real life do we not consider various risks as we send children to school, select toys, and plan expeditions? The details we go into are based on the context of what we are doing and the parties involved. Therefore, if an organization manages a simple production line to manufacture toilet rolls, the context and risk would be different than those involved in operating a nuclear plant.

But why call it “risk-based thinking” and not risk management?

ISO 9001:2015 has to be applicable across industries and to organizations of various sizes. It remains a process-based standard. Should an organization need a formal risk-management system, the standard refers to ISO 31000:2009—“Risk management.” Risk-based thinking asks that everyone in the organization think about the risk of doing, or not doing, their assigned tasks. This concept was implicit in earlier versions of ISO 9001, too, but now organizations are systematically required to understand the context (clause 4.1) and then determine risks before planning (clause 6.1).

Although the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the QMS has become more effective as a philosophy. Moreover, risk no longer has a strictly negative connotation. It simply must be addressed, and where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive and innovative idea.

As organizations transition to ISO 9001:2015, or seek to become newly certified, they must not go into “panic mode.” It’s helpful to remember that risk has always been considered in the standard, but companies are now required to be proactive rather than reactive in their considerations. With its high-level structure (HLS), ISO 9001:2015 is actually more logical, simple, user friendly, customer-focused, and aligned with modern technologies. And it’s applicable to both manufacturing and service industries.

At a very basic level, all that an organization has to do is consider these six steps:
1. Make a list of the organization’s hazards. These should be identified in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
2. Having listed the risks, the impacts or potential harm should be listed against each risk.
3. The departmental lists can be consolidated into an organizational list under the direction of top management or a designated quality manager.
4. Evaluate each risk and its associated impact or potential hazard to assign a priority or significance number.
5. With top management’s involvement, decide how to isolate, minimize, accept, transfer, or eliminate the risk.
6. These risk-minimizing decisions then require a specific plan. Come up with proposed actions for each risk, including assigning responsibility and a completion date for them. Process owners must also agree with top management on the frequency of monitoring the progress.
7. This can be further expanded, if necessary and within the context of the organization, by considering the likelihood of detection.

The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.

 

By CEO and President, Captain Inderjit Arora

Objective Auditing Meets ISO 9001:2015

Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits.

To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.

It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?

The starting point for corrective action (CA) is the non-conformance report (NCR).

A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the non-conformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.

A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.

With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.

Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, need to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the Organization in Context

Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”

So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.

Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital in the success of the organization.

When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.

It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

By CEO and President, Captain Inderjit Arora