Looking Ahead at ISO 9001

ISO 9001 has proactively kept up with various industry expectations over the years, to allow application by a broad spectrum of industry, including the defense forces. The 2015 revision was a thoughtfully planned giant step. It defined risk (ISO 9001 Clause 6.1) in the context of the organization (ISO 9001 Clause 4.1 & 4.2) and removed the exclusions provision from certification by redefining what an organization does not do or outsources in the scope (ISO 9001 Clause 4.3). It also removed preventive action, a reactive concept, and introduced proactive risk appreciation (Clause 6.1 of ISO 9001 & Clause 8.1 in industry-specific standards such as AS9100).

This took preventive action from the delayed “Act” stage of the PDCA (Plan-Do-Check-Act) cycle to the more logical and sensible “Plan” stage. After all, “look before you leap”, as the historical fundamental, could not be left as a preventive action decision. It had to be at the look – plan stage! Risk not only needed mitigation but also acted as an input, to be used to bring in innovation in terms of OFI (opportunity for improvement).

These were all positive steps in keeping with technical advancements, computerization and AI (artificial intelligence) tools. The HLS (high level structure), later updated to HS (harmonized structure), recognized the need to enable ease of implementation of integrated management systems. This in turn leads to efficiency, ROI (return on investment) and, where applicable, environmental protection, security of the global supply chain, business continuity, cyber security and health and safety.

The differentiating of knowledge (ISO 9001 Clause 7.6) from competence (ISO 9001 Clause 7.2) was also a clever and needed change. Organizations needed to define their corporate knowledge aspects and differentiate them from the individual knowledge of personnel. Knowledge and competence needed merging and a healthy marriage, but also recognition that they were different. Removal of the reference to Quality Manager (QM) and Quality Manual from the standard took away the narrowness of thinking in quality, and brought clarity to leadership to remain accountable and to differentiate delegating authority from retaining accountability.

I am a member of the TAG-176 group, and yet have not really contributed much to the next expected changes to ISO 9001. I am sure the TC-176 is working on this. Nevertheless, it is time to debate and consider updating the standard.

Since the 2015 version was a major fundamental change, I doubt there would be a significant departure from this 2015 version in the next major update. It is unlikely that the next version will have revolutionary updates. The emphasis, I think, would be to clarify and strengthen the present thoughts in the 2015 version. I would consider the following:

1. Two Standard Concept: Over the years I have thought about the two-pronged approach: manufacturing and service. Both the service and the manufacturing industry have been using the standard. Some may consider the need for a separate manufacturing and a service standard as the next step. However, over the years I have feared the excess bureaucracy which the two-standard approach brings. I think the two-standard approach may actually cause more issues than it resolves. Might I opine that the clauses under 8.3 for D&D can, if needed, be strengthened or clarified, or more useful notes applicable to the service version incorporated, to assist implementers, consultants and auditors?

2. Risk should be better defined and OFI clarified, to avoid auditors using it as a tool to sneak in recommendations. OFI is the outcome of considering risk as an input for innovation. It is not a recommendation.

3. The knowledge clause needs meat to strengthen it, and to make it better include requirements for organizations to systematize lessons learnt.

4. An annex should be added to bring clarity and ease to designing and implementing a combined management system for an organization.

5. Clause 4.3 Scope: defining the scope requires consideration of the context of the organization, which is based on Clauses 4.1 and 4.2. However, while the scope has to be available as documented, 4.1 and 4.2 do not require documentation. I would suggest that both Clauses 4.1 & 4.2 have context as a documented requirement.

In conclusion, I think, updating the standard ground up is not a wise idea at this stage. Perhaps slight tweaking to include some minor changes would give stability in implementation of an already robust standard.

How to Alleviate Common Management System Pain Points

Implementing ISO standards is not mandatory; however, a management system conforming to a standard can have numerous benefits. Some benefits include increased efficiencies, proactive risk management, better interaction among departments and alignment with the needs of interested parties. However, once you are actually in the process of implementation, you may experience the following pain points:

  1. Lack of top management commitment
  2. Limited resources to effectively implement the program
  3. Lack of buy-in from the workforce
  4. Over-documented systems
  5. Lack of measurable objectives driving improvement
  6. Teams lack adequate interaction and alignment
  7. Company is focused on keeping certification at all costs

Quality Management International, Inc (QMII), having over 37 years of providing sustainable solutions for our clients, recognized how these hurdles can impact an effective management system. QMII has developed and provided solutions to address and alleviate these pain points that continue to benefit our clientele. 

A management system consulting project cannot start without top management present to map the process of what they do (core process) and to identify the core objectives for the system. Policies, objectives, and motivation must be demonstrated from the top-down and evidenced by all the team players. To further reinforce commitment, we get top managers to develop a presentation to launch the system and that will then be used for awareness training as the system progresses. This is done using our Awareness Leaders Workshop. Without authority, responsibility, and resources, middle management and individual contributors cannot improve the business management system.  

We understand that companies have financial restrictions. With a mission to get organizations to appreciate the benefits of a process-based management system, we provide multiple options to work around this challenge. 

(1) We provide free information on our website so you can carry out ISO implementation at your organization.  

(2) Attending a lead auditor training course is a relatively minimal cost. You and your team will gain a comprehensive understanding of the desired ISO standard and gain the skills necessary to implement requirements and conduct audits to determine conformity.  

(3) If you need a little more guidance, we provide scalable consulting services. Our consultants are here to assist you with exactly what you need. You will not have to pay for the full package.  

(4) Our alumni have free email and phone support, for life, to get over average hurdles.  

As far as reluctance among employees, it’s human nature to be reluctant towards change. Keeping this in mind, QMII consultants get key process owners to evidence top management’s commitment and ensure that they are involved in QMS (Quality Management System) development. We analyze with them to capture the system AS-IS and what-should-be. It is essential to get the team buy-in during this process and get their input on the process’s actualities. Teams must also interact and be aligned. We provide team-building workshops where we align objectives to the vision and processes to meet objectives. 

ISO implementation is not an overnight process; it may even seem daunting. QMII’s Action Plan Checklist is readily available, and it focuses on the big picture to simplify the process. If you need more assistance, our consultants would be happy to work with you through the checklist. We appreciate the system you already have; we are simply helping you enhance it to meet requirements and set objectives. Documentation is a significant part of ISO implementation. To remove complexities, we incorporate existing documentation and use a format that works best for you.

At the end of the day, ISO certification is primarily a marketing decision. QMII strives to help you develop a resilient, integrated management system so that you receive actual benefits. Once set up, your system will work independently and continue to improve while managing risk proactively.  

P-D-C-A with a Christmas Tree

As a QMII employee, I can sit and observe classes whenever I want, more so since they are virtual instructor-led these days. It allows me to get a refresher on the clauses, even though it is so hard to get them. It gets me every time. When the time comes to interview auditees, I smile like a Cheshire cat; not a confident grin but one that hopefully does not betray my nervousness. Often, I am nervous as a long-tailed cat in a room full of rocking chairs. However, my QMII ISO lead auditor training has prepared me well. I am nervous as the auditee too, even though I know audits are not about pass or fail. While I call myself a writer and researcher, my greatest struggle perhaps lies with Audit Report writing. Oh, man! QMII lead auditor training, however, well prepared me to gather all notes during an audit to present a valuable report to the auditee. Smile.

The aspect of Lead Auditor training I like is the P-D-C-A cycle because I can use that analogy anywhere in my life. I have the responsibility of putting up the tree, however, currently, my application of the P-D-C-A is not going so well. Perhaps a re-plan is needed?

So from the Lead Auditor classes that I have attended, P-D-C-A stands for the following and the task next to it is what I have to do:

P – Planning: We have to put up the tree. Also, the objective of my mission. Considerations include where are the decorations kept, do we have enough, do we need a ladder, what should be the first step, then the next (like testing the lights before we put them on the tree), and more. Most important, plan the time to do it in my busy schedule!

D – Do: Now to put my plan into action! Locate the boxes, get them out, unpack, and get my team to help me even if they don’t want to (just to cheer me on perhaps). Yay! Thanks guys, for your help! Thumbs up for that. Basically, everything else that needs to be completed before the tree is finally up and lit up and everyone is happy. The DO stage can be extremely exhausting. How about that drink to cool me down?

Note – From my Lead Auditor training and also when I am auditing my clients, I know that the ‘DO’ section of the process is where a lot of the “action” happens. Just because “you gotta do it, man, get on with it!” I feel the pain of the “Do’s” as it is easy sometimes to plan but more taxing to put the plan into action. Now getting back to my tree.

C – Check: Once the tree is up and you think the job is over, it is not. You have to wait for the others to “check” the tree out and give their opinions. Pass comments, critique your effort while you are bickering away that they didn’t do anything, but they get to analyze it. What was that? Oh yes, I agree it is just an opportunity for improvement and we love our non-conformities.

A – Act: The verdict is out. The tree looks great. Beautiful decorations. However, the lights seem to flicker at some places, we need better lights for next time. Get more decorations. Good job!

VERDICT

Plan it better next time. Stop bickering when you are doing the job. Be patient and stop being grumpy when they are “checking” and analyzing your work. Continually Improve this process till you get your Act together – words of a wise Yoda who is enjoying the view of the Christmas tree and listening to the Christmas songs.

Can I get that drink now? Long Island, please. Merry Christmas!

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over a period of time, some of these organizations, sheltered under the exclusion provision, even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to pick the correct vendor/contractor who will not let the customer down. The revised 2015 version of the standard therefore, in the wisdom of TC-176, removed this exclusion provision. This does not imply that the organization now cannot outsource what it does not do. All it means is that the organization can review the applicability of the requirements based on its size and complexity, and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters, as well as the effect, if any, of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and the products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of ISO 9001 in enforcing monitoring and measuring to protect its customers and clients.

This provides assurance that the activities an organization decides to outsource will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO 9001, in determining the scope of the quality management system, clearly requires that conformity to ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services, must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and/or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services, whether outsourced or not, is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training is designed carefully to meet the objectives as envisaged in the standard.

ISO 14001 Management System Certification – Cost versus Value

The most popular type of management systems used today often depends on the type of organization, and how they run their operations. ISO 9001:2015 Quality Management Systems is the most popular for companies selling products to the military, along with AS9000:2016 Rev D for aviation, space, and defense organizations. Food processors lean toward ISO 14001:2015 Environmental Management Systems (EMS) and ISO 45001:2018 Occupational Health and Safety (OH&S). The size of the organization can have a significant bearing on whether they get certified or claim to conform. It costs less to state you conform than to conduct the number of audits needed to become, and stay, certified.

Agricultural oriented small and medium enterprises (SMEs) will often opt for EMS.  Vineyards, vegetable farms, and livestock farms like ISO 14001.  Therefore, it depends a lot on the percentage of SMEs that are in those businesses.  In many cases, the percentage of organizations conforming to ISO 14001 depends on the amount of local or government pressure to conform.  In Europe and China, ISO 14001 is much higher than in the USA, in part due to government and environmentalist pressure.

Agricultural businesses and those that are getting pressure from socially responsible groups are the types of organizations that become ISO 14001 certified. Meat packaging companies like Smithfield Ham in Virginia (now owned by a Chinese company) are ISO 14001 certified. Only four major Ports in the USA are ISO 14001 certified (Port of Virginia is one) but many countries require the certification, partly due to all of the food coming into the Ports, but also due to the amount of pollution generated by boats, trains, and trucks that service the Ports. Ports are also now looking at ISO 50001 Energy Management Systems in conjunction with ISO 14001 certification.

One of the key drivers is the desire to meet ISO 14001 Standard requirements in the markets that they want to operate in or sell to.  It is difficult to open facilities in most of Europe, the Middle East, and China without having an ISO 14001 certification.  Environmental impact, energy efficiency, pollution reduction, and sustainability are considered by government permitting organizations.  This is more important for large organizations, but many SMEs also want to sell internationally.

Like other ISO Standards, it takes about a year of internal audits to be ready to claim conformity or get certified to ISO 14001.  SMEs, due to their smaller size, could take less time.  Medium-size businesses, with multiple locations, may elect to just have their headquarters certified, and state conformity for branches and suppliers.  An organization may elect to get its headquarters operation certified and use second-party audits to confirm that its other facilities and suppliers conform to the Standard.

The major cost of becoming certified involves training and multiple audits to get ready for certification.  Once ready, a third-party audit is required.  Most SMEs could be ready within a year.  The actual cost would vary depending on the number of employees trained, and the number of audits conducted before certification.

With good training and responsible staff, most SMEs can become certified.  All processes need to be in line with the goal of using environmental best practices.  In some cases, the cost of changing current processes can become a barrier.  Organizations can consider out-sourcing some processes in order to become more environmentally friendly.  Internal and second party audits can help an organization determine what, if any, processes need to be modified or out-sourced.

There are many reasons why organizations decide to become certified, but over time, reasons have changed for both small and large organizations. With the new high-level-structure (HLS), EMS is now more similar to other standards. Organizations that used to be ISO 18001 are now considering ISO 45001, which has OSHA embedded in it. SMEs, like larger organizations, appreciate the value of being certified to popular standards and promote their conformity in their promotional material. Many companies that are certified to ISO 9001 have to get the certification to sell to government agencies. Many of the companies that get ISO 14001 certification feel their end-users appreciate the company for having it.

To be sustainable, an organization needs to consider many factors.  These factors typically fall into one of the three pillars of Sustainability – Social, environmental and economic categories.  All organizations want to be socially responsible and do minimal damage to the environment, but they have to address the economics of operation.  The key is to strike a balance and establish a management system with processes that can be defended in the light of internal and external audits.

– by Peter Burke

Management review: A Necessity or Improvement driver

The management review is a critical step to ensure sustained success of the management system, yet this is often left to the relevant manager to document to meet the system standard requirements. A myriad of reasons is given for a management review not being done within the timeframe as defined by the organization. These include unavailability of senior management due to calendar conflicts, waiting on inputs from department heads and sometimes just a lack of commitment by leadership.

Even when conducted ‘timely’, the review is often done purely out of the necessity of meeting the requirements of the standard. The review, however, is a critical step for the success of the system and enables the continual improvement of the system. Leadership may at times question why the money invested in a Quality Management System and in certification to ISO is not delivering the intended ROI. The answer often lies in their lack of commitment to the system as perceived by the users of the system.

Why are my reviews not driving improvement?

Management reviews when done out of necessity become a documentation exercise. The responsible manager collects all the data and analyzes/evaluates it for presentation to management. They proudly share these presentations with whomsoever asks about the management review. The ISO standards (e.g. ISO 9001, ISO 14001 and others) in clause 9.3 give the requirements for what shall be included in a management review. However, the review need not be limited to just these topics.

In consulting, QMII has often heard, “But we do daily reviews with our team and weekly updates with the managers”. Why not record these as a part of your management review? Do keep in mind that ISO standards ask organizations to conduct management reviews at planned intervals. They do not say it has to be a meeting, or be held in a boardroom, or that the planned intervals need to be equally spaced. When the system is incorrectly implemented, or the standard incorrectly interpreted, it often leads to a weak foundation of the system. Soon users of the system are complying and doing what has been documented rather than asking “is this really correct for us?”

With the passage of time, the lack of commitment percolates through the system to where the person tasked with championing the system, such as a quality or environmental manager, is fighting a lone battle. This lack of commitment may be apparent from the lack of decisions by management on issues presented in the review. At times the concerned departments are trying to drive their own agendas, and this creates conflict and disconnect. Also, in recording the outputs of the review, the decisions and actions from management must be recorded. QMII often finds these missing.

How do I improve my management reviews?

To do so the organization must first understand the intent of this clause in the ISO standards. Clause 9.3 (under the high-level structure) asks management to review their systems to ‘ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the system.’ This, in essence, must be the guiding principle for the management reviews.

This is the reason why these reviews must be done holistically. It is this guiding principle that will determine the intervals for the review. Clause 5.1 of the ISO standards (those aligned per the HLS) asks leadership to take accountability for the effectiveness of their systems. The management review is the platform via which they can assess if the system is effective in meeting their policy as set. The management review is also where management reviews the system and determines the required changes in the context of the organization and the needs of the interested parties, in order to determine new risks, whether any changes to the policy / strategic direction need to be made, and resourcing needs.

Engaging Leadership and the rest of the team

There is no mantra that will deliver sure-shot success. I wish there was one, for I know many an organization that would willingly invest in it! However, educating management on the WHY of the management review has often helped. If need be, consider external consultants to deliver the message. Additionally, you can consider these three steps to get more engagement:

  1. Gather review inputs from management team: This is a good method to get everyone involved. Pass around a draft meeting agenda so all system users can prepare for the review (should you be having a meeting) and can provide their inputs /items that they need management’s decision on. It is also an opportunity for them to gather opportunities for improvement from users of the system.
  2. Use a review format that works for leadership: Document how your reviews are done exactly the way they are done within your organization. Perhaps some agenda items are discussed on a quarterly basis and others on a weekly basis. The intent is not to please an auditor but to use this tool to drive improvements through the system, as needed. Remember, the guiding principle discussed above.
  3. Communicate the outputs of the review … including leadership’s decisions. While the standard does not require this, it is implicit in ensuring continual improvement. Communication is important, but the outputs of the review need not be communicated to the entire organization. Perhaps relevant parts to the concerned managers and their teams. It demonstrates to the users of the system that management is involved, is aware of the problems and has provided decisions on various matters presented.

Management Reviews … Improvement Driver

When done correctly, management reviews become the springboard for improvement throughout the system. The review comes at the end of the ‘Check’ stage of the PDCA cycle, leading into the ‘Act’ stage for continual improvement. It enables leadership to assess how well their system is doing. It delivers, in the long run, the engagement needed from users of the system and the ROI that leadership are seeking in their quality management system.