How auditors can help organizations understand context and risk
Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits. To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.
It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?
The starting point for corrective action (CA) is the nonconformance report (NCR). A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the nonconformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.
A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.
With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.
Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, needs to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.
Understanding the organization in context
Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”
So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.
Leadership also has a tremendous responsibility to be fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital to the success of the organization.
When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implications of these changes for the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.
It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.
Similarly, business leaders have to understand the context of their organizations clearly when they develop a quality management system and before proceeding to the “plan” stage of PDCA. This understanding will provide the foundation for determining key QMS elements.
Information about internal and external issues affecting the outcome of the QMS in the context of the organization should be collected from all relevant sources. These include internal documents and meetings; the national and international press; websites on the subject; publications from national statistics offices and other government departments; and professional and technical publications, conferences, and meetings. Other resources include think tanks, professional associations, and independent subject matter experts. Many sources are available, and leaders need to consider all relevant ones to make the best assessment of potential organizational risk.
Internal issues to consider are resources such as infrastructure, the environment for operations, and organizational knowledge. Competence of employees, organizational culture, and perhaps the relationship with unions should be included. There are also delivery capabilities, customer evaluations, and management issues such as decision making and organizational structure.
External issues that might affect the organization include macro-economic factors such as currency exchange rates, the economic situation, inflation forecasts, and availability of credit. Then there are social factors such as local unemployment rates, perceptions of safety, education levels, and work ethic, as well as political factors. Existing international trade agreements, including sanctions, might affect the organization’s performance in meeting its objectives. Competition as it relates to market share might require study. Relevant legislation also must be considered.
An organization that understands “what it does,” and how various internal and external issues affect how well its QMS meets requirements, is better placed for success. Auditors can best help organizations by establishing, through objective auditing, that these requirements are met.
ISO 9001:2015’s clause 7.1.6 has introduced a new requirement: organizational knowledge. When auditing this, auditors must keep in mind not only the existing context of the organization but also the changing context, if relevant. When addressing changing needs and trends, the organization must consider its current knowledge and determine how to acquire or access any necessary additional knowledge or required updates. Going forward with changes, mergers, acquisitions, or moving operations globally without assessing the risks introduced by lack of knowledge can mean the difference between success and failure. Both the internal and external sources of knowledge mentioned above are relevant here. Future needs and their relationship to innovation are also mentioned in the standard’s introduction.
Evidence-based decision making
When determining conformity of a management system to ISO 9001:2015, auditors will need to ascertain that all aspects of the management system adopt both the PDCA cycle and risk-based thinking. Per the standard’s introduction, auditing should reveal that the processes have been adequately resourced and managed, and opportunities for improvement are determined and acted on. Auditors must also confirm that the organization’s leadership has considered risks and encouraged risk-based thinking to determine the factors that could cause the system (i.e., processes) to deviate from planned results.
The first phase of a system audit, during which the auditor interviews top management with systematic and well-thought-out audit questions, is vital to establish that management clearly acknowledges its role in understanding the context of the organization and how it influences the required customer focus. Employees must also understand the expectations of management. To successfully engage employees in a customer focus, company policies must flow smoothly into measurable objectives. Auditors must prepare well to audit top management and determine its commitment to the process approach and continual improvement. A system that doesn’t require periodic management reviews to establish that the PDCA cycle is in place even at this level leaves leaders at risk of making subjective decisions. During their interview of top management, auditors must be able to establish conformity to evidence-based decision making.
There is much more to auditing than looking for nonconformities. Auditors must also understand how the context of an organization relates to quality management principles. If they do, then they will look for conformities in the management system to ISO 9001:2015 requirements. If during this audit they do find nonconformities based on requirements, they must provide well-written NCRs to encourage a process-based management system. An objective audit will enable management to better use the system to consistently meet requirements, and the processes themselves will add value, help mitigate risks, and create opportunities for improvement.