The Cost of Certification: A deterrent to system implementation?

Certifications often drive the implementation of the system approach, based on ISO standards. The primary implementation demand is for ISO 9001. Certifications have initial costs and then recurring costs for surveillance and recertification visits. This is a responsive approach to business requirements, invariably driven by a forthcoming contract which mandates the system approach. Prudent businesses appreciate the risk of not having a process-based system. In today’s economy, when budgets are tight, supply chains challenging and retaining employees difficult, it is all the more essential that organizations invest in a good management system. A bad system will let down a good person every time.[1]

An efficient management system should be an essential asset of any good organization. Certification should not be the primary driver of this requirement. The optimum ROI comes from effective process performance, based on objective information analysis of data from within the organization or appreciation of publicly available inputs. Organizations’ leadership should look beyond certifications to implementing and maintaining systems that drive continual improvement. Continual improvement drives organizations to find cheaper and quicker solutions while improving the quality of their products and services. After all, is that not what customers expect? The best quality for the cheapest price point!

Organizations can, and should, consider the option of self-declaring their conformity to ISO 9001 without incurring the added expense of certification, especially when customer requirements do not mandate it. Meeting customer requirements, ensuring continual improvement and leading the organization to innovate cannot be achieved without a system in place. An organization’s effectiveness and efficiency are achieved by employees using the system processes to achieve objectives. Meeting requirements is not a one-time achievement; the organization needs to understand and consistently meet requirements. The customer’s confidence in the organization comes from this trust of receiving conforming products/services consistently. Not following a system approach can lead to work performance which is not optimized and result in losses. The revised ISO 9001:2015 requires appreciation of the context of the organization, and of the risks and expectations of the interested parties. This then enables the leadership of the organization, and in fact requires the leadership (in clause 5.1.1 b of ISO 9001:2015), to define a quality policy and objectives for the QMS aligned to the strategic direction of the organization. The QMS is now not an add-on to the business strategy but is to be integrated with it.

Experience has repeatedly shown that the lack of customer focus is the major cause of businesses failing or not performing, of governmental agencies overshooting budgets, and of sensitive organizations (nuclear facilities, military, hospitals et al.) making fatal errors. The cost of not having a system is so high and the consequences so dangerous that it would (in the author’s view) be almost suicidal not to have a management system in place.

Once the decision to implement the system has been made, why reinvent the wheel? The well-tried, regularly updated ISO standards, encompassing the global wisdom of years, are therefore the correct choice. ISO 9001 is the first fundamental standard to opt for. Once the system is implemented and the leadership has confidence in its performance based on objective inputs (audits, inspections, feedback and other inputs), the TM (Top Management) can self-declare the system as conforming to ISO 9001. There is no cost to this except the minor investment in using a competent consultant who comes in respecting the existing system and then identifies/addresses gaps. After all, every functioning organization has a system.

The next stage, investing in certification, is a TM decision to be made when a business requirement necessitates it. When it does, the work will pay for it!

[1] Dr. Deming

Risk Based Thinking. Is this something new?

 

I was thinking about this fundamental change in the ISO 9001:2015 standard, comparing it to the 2008 version, wherein the Preventive Action (PA) has moved from being only at the ‘A’ stage of the P-D-C-A (Plan Do Check Act) cycle to the ‘P’ stage as Risk and then at each stage thereafter. It has formalized something perhaps first stated circa 1546 when John Heywood coined the proverb “look before you leap.”[1] It is therefore naturally intuitive that, not just at the plan stage but also at the pre-plan stage, the context of the organization should be considered together with the needs of interested parties (Clauses 4.1 & 4.2 of ISO 9001:2015). Based on these inputs, risk should be appreciated (Clause 4.4.1 f). Has the standard previously not addressed the risks posed to a QMS?

Risk was always considered, but it was inferred and inadequately interpreted by organizations. Risk has only now been systematized as a requirement in the new revision of the standard. Throughout the standard, in clauses related to each stage of the P-D-C-A cycle, there is a requirement to address the risk. Can you imagine a General planning a war strategy without appreciating the risks? Hitler did not learn from Napoleon’s disastrous winter campaign in Russia in terms of apparent risks based on lessons learned from available information (Clause 9.1.3 requiring analysis and evaluation). Perhaps an opportunity for the rest of the world!

In real life, do we not consider various risks as we send children to school, select toys, and plan expeditions? Of course, the detail we go into is decided in the context of what we are doing and the parties involved. Therefore, for a simple production line manufacturing toilet rolls, the context and risk would be different from those of operating a nuclear plant. But why risk-based thinking and not risk management?

ISO 9001:2015 has to remain applicable across industries and various sizes of organizations. ISO 9001 continues to remain a process-based standard. Should an organization need a formal risk management system, the standard refers to ISO 31000, the Risk Management Standard. Risk-based thinking asks that everyone in the organization think about the risk of doing or not doing their assigned tasks. This concept of risk-based thinking was implicit in the ISO standards earlier too. After all, the requirements for planning, then review and continual improvement were integral to the P-D-C-A cycle. It has now been better put as a requirement to be established systematically, by requiring the organization to understand the context (Clause 4.1 of ISO 9001:2015) and then determine risks before planning (Clause 6.1 of ISO 9001:2015). Though the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the preventive tool has become a more effective philosophy. Moreover, risk now does not always have a negative connotation. It must be addressed and, where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive new innovative idea.

QMII has developed its expertise and reputation over thirty plus years as the foremost consultancy in the PBMS (Process Based Management System) approach. We specialize in this system approach and take very seriously our responsibility of assisting our clients and alumni to use the appropriate standard as the basis for implementation to show the system effectiveness results. As organizations seek to be newly certified or are transiting to the 2015 version, they must not go into ‘panic mode’. The new standard with its HLS (High Level Structure) is actually a lot more logical, simple, user friendly, customer focused and current with modern technologies, and is applicable to both manufacturing and service industries. In summing up this thought, I would say risk has always been considered. All that the standard has done is ask companies to be proactive rather than reactive. At the very basic level, all that the organization has to do is consider these few steps:

  1. Consider the aspects, or, as some may prefer to call them, hazards. These should be identified and listed in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
  2. Having listed the risks, the impact or potential harm the hazard could do is listed against each risk.
  3. This departmental list can then be consolidated as the organization list under the TM (Top Management) direction by a responsible manager/person or, if there is a designated QM (Quality Manager), by the QM.
  4. Evaluate each risk/hazard/aspect and the associated impact/potential hazard to assign a priority/significance number.
  5. Take a decision with TM involved to isolate, minimize, accept, transfer or eliminate the risk.
  6. This paper exercise then requires a specific plan! Call the column Hazard Controls or Impact Controls and come up with proposed action details including assigning responsibility and completion date. Process owners must also agree with TM on the frequency of monitoring the progress.

This can be further expanded, if necessary in the context of the organization, not only to give a priority number/severity-of-risk number but also to consider the likelihood of detection. A multiple so obtained could be a good guide.

The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.

 

[1] I always thought “look before you leap” came from horse riding, as an intuitive warning in horse jumping. However, I realize from a Google search that Heywood recorded it in relation to marriage:

“And though they seeme wives for you never so fit,
Yet let not harmfull haste so far out run your wit:
But that ye harke to heare all the whole summe
That may please or displease you in time to cumme.
Thus by these lessons ye may learne good cheape
In wedding and all things to looke ere ye leape.”

Optimum SW solution from QMII for your QMS (and SMS) needs

With the implementation date for ISO 9001:2015 hanging like the sword of Damocles over organizations, the need to implement a risk-based system is pressing. To have a Risk Based System, it is essential that Risk Based Monitoring (RBM) be incorporated at each step of the organization. The leaders must particularly be conscious of this. RBM cannot be effective or provide the objective inputs based on casual analysis. The source data must be correct so the information it provides is useful. Data analysis of risks and trends is now integral to the system approach. The standard does not require a formal risk management system in all cases, but in general a well laid out system would not only be cost effective but would also contribute to the bottom line, encourage innovation and bring opportunities for improvement.

The use of a simple, user friendly RBM system with dashboards is now a felt need. These systems assist in optimal planning of resources for subsequent P-D-C-A cycle improvements and as inputs to Management Reviews. QMII has kept itself ahead of the curve and appreciated this requirement even while ISO 9001:2015 and related standards were still in the draft stage. We now offer a cost effective, user friendly and intuitive integrated management software solution to manage aspects of your QMS (as well as Maritime SMS) and your business. The towing industry too would find this most useful as it moves to compliance with Subchapter M.

Please enjoy reading the first Newsletter of this year, and do check our QMII Facebook page and reach out to us. Don’t forget that QMII alumni and clients have lifelong support from the expert QMII Team. A promise we make because we “appreciate your management system” and are stakeholders in your success.

Communities are showing Interest in Environmental Management Systems

As the debate over global warming continues, more and more communities are looking inward to see what they can do to reduce their environmental impact. ISO 37101:2016 was released in July of this year with the same ten clause High Level Structure (HLS) as ISO 14001:2015 – Environmental Management Systems. ISO labels ISO 37101 as “Sustainable development in communities – Management system for sustainable development – Requirements with guidance for use”.

The Foreword to the standard makes reference to other related standards like ISO 50001:2011 – Energy Management Systems, ISO 14046:2014 – Environmental management – Water Footprint, ISO 26000:2010 – Guidance on social responsibility, ISO 45001 – OHSAS Management Systems (scheduled for release in early 2017) and ISO 20121:2012 – Event sustainability management systems — Requirements with guidance for use. All of these standards will be updated to the new HLS in the next few years, which will make it easier for communities to have an integrated management system with multiple standards.

The Foreword also makes reference to the 3 pillars of sustainability – social, environmental, and economic, just like ISO 14001:2015. By identifying and focusing on all three pillars, a community can try to reach a sustainability balance for itself and surrounding communities. When operating in areas with limited water, ISO 14046 may be a good standard to consider along with ISO 37101 and ISO 14001. If the community uses a lot of energy, ISO 50001 should be considered.

While ISO 37101 is not certifiable, it can be considered and implemented by small and large cities that want to conform to a sustainable ISO standard. Communities may want to have people trained to meet both ISO 14001 and ISO 37101 standards, to win favor with EPA and government officials. EPA recommends ISO 14001 for communities, and implementation of the standard could help prevent occurrences like what happened to the water systems in several cities over the last few years. And, since both standards have the ten clause HLS, it is easier to adapt to the existing management system in place. Communities can use all or part of the ISO 37101 standard to improve their Carbon Footprint and reduce their environmental impact.

QMII can help an organization decide which ISO standards would work best for their community, and whether they would be more comfortable being compliant to ISO 37101, or want to be certified to ISO 14001, or both.

 

More Tips for ISO 9001:2015 Auditors

Over these last nine months, the inputs provided by QMII on the changes in the 2015 version of ISO 9001 have been very well received by our alumni and clients. As such, we continue this discussion in the editorial to the April issue of the Globe. We would like to suggest some thoughts on specific areas of the standard which an auditor should look at to see the compliance to ISO 9001:2015. As the system is updated, it should definitely be considered that the implementation of the standard is aligned with and integral to the business management. The revised standard, in defining Policy requirements in clause 5.2.1a, specifically requires the policy to be based on the context of the organization and supportive of the strategic direction of the business. This is further emphasized in clause 5.1.1b, where the need to align policy and objectives to the strategic direction of the business is a requirement. Clause 5.1.1c requires integration of the QMS into the business processes.

Documented evidence removes doubts between records and documents in the 2008 version. The term exclusion is removed. As such, the organization now has to further determine what is applicable to it, making it necessary for the organization to remain responsible and keep its promises to customers. Organizations do not have to meet the quality manual requirements if they already have the information elsewhere, perhaps on their websites. This does not mean you have to throw away your quality manual if you have one! All the standard is asking organizations to do is to incorporate quality in all they do and not let quality become a separate entity. Some organizations, already certified to ISO 9001:2008, have concerns about transiting to the 2015 version.

I think that, in the overall perspective, these organizations will find it valuable to transit sooner rather than wait for the 2018 cutoff. After all, if a risk exists, it must be assessed, mitigated or used as an opportunity for improvement quickly. Waiting for preventive action, which under the 2008 version is data driven at the Act stage of the P-D-C-A (plan-do-check-act) cycle, is not responsible on the part of the organization or toward its customers.

Appreciating the context of the organization and understanding the risks is the right way to go about meeting requirements. Auditors must audit to see correct understanding and successful implementation of clause 4.1 of the ISO 9001:2015. Understanding the needs and expectations of interested parties (clause 4.2 of ISO 9001:2015) has to be successfully implemented by organizations. This should be an item on the audit to be well established.

For further information on this refer to the blog

Adoption of risk based thinking is emphasized throughout the revised standard and auditors must see proof of implementation. There is greater emphasis on the process approach used to achieve intended objectives. Continual improvement has been replaced by improvement. The organization must see overall benefits in the business achieving set results.

These and many more benefits of the revised standard should be the objective of auditors auditing the organization to ISO 9001:2015. Good luck with the implementation of revised ISO 9001 and stay tuned for more tips.

Measuring the ROI of your system

Weighing the value of a product against the perceived value in terms of ROI (return on investment) is fair. However, where the client is opting for a process-based management system consultancy and is starting at a stage of near-zero understanding of the product and/or service, price, unfortunately, often dictates the decision. ISO 9001:2015 Clause 8.4.1 clearly and categorically requires that external providers of products, processes and services be selected based on their ability to perform and meet requirements, implying not based on the lowest price!

In this 30th year of service to our clients and alumni my introspection and analysis brings me to look critically at what we are celebrating. QMII is celebrating the success of our clients. If the client is not successful we have failed. Successful clients have enabled QMII to reach this 30 year milestone. If the client does not use the system or simply is left with a certificate hanging on the wall I do not consider it value added or call it success. Perhaps, it met the client’s immediate requirement of winning a contract because the certificate was a prerequisite. But beyond certification the investment becomes lost money. The system must work.

As President and CEO, leading the QMII Team, I have always thought of the value we provide in meeting client objectives; stated or unstated. It can at times be difficult to predict what the client considers of value. However, with our experience and a methodology developed over 30 years QMII knows how to deliver more in specific terms:

Functional gains in achieving efficiency, time saving, waste reduction, and overall effect to the bottom line of the client business – what QMII coined as “Cash in the Bank.”

The reduction in the tension and stress on the client leadership by reducing anxiety about the outcome of the system implementation.

QMII has very consciously avoided templates. Templates in effect throw away the existing management system! Our belief has been to “Appreciate your Management System”. The QMII Team works with the client to capture the “As-Is” of the system and proceed forward from there.

Corporate Social Responsibility (ISO 26000) is still not a requirement and understandably has a cost value to it. The gains of being socially responsible are often not tangible or immediately visible in the short run. We have assisted organizations, to adopt these values in a manner which does not affect productivity and as a result, in the long run these organizations are respected by their clients.

It is worth re-emphasizing Dr. Deming’s “A bad system will defeat a good person every time.” The endeavor of the QMII Team in these 30 years has been to understand and appreciate the client’s needs, assisting with development and implementation of successful management systems in varied disciplines. Meeting client objectives.

So while the ROI may not be apparent to some at the outset, we can say with confidence that those we have worked with have gone from success to success.

What came first – the DATA or the DECISION?

In today’s digital world, collecting data has almost become second nature in any organization. After all, in the end, it is only a few gigabytes on a cloud or local server. Not much thought is given to the usefulness or purpose of the data collected. The basic thought is ‘who knows when we may need it?’ Large organizations are leaders in this data collection obsession. In our line of work, we work with numerous clients. One thing we often find in common is organizations collecting data with no objective of where, how or when the data will be used.

As a result of this obsessive, compulsive, purposeless data collection, leaderships are now driven to draw conclusions and trends from the data collected; without the data in the first place being aligned to a purpose. At times, we hear ‘the data is not helping us make a decision’ or ‘we are not sure why we are collecting the data … we just have to’. Data collection should lead to it being converted to information. Information should then be analyzed and enable informed decision making and improvement of the system.

The human mind is a great data storage center and we can probably learn a few things from it. We use the memory space allocated very carefully, selecting what we collect as data for future use or for making an informed decision. However, let’s take a step back and a moment to think about how we are able to do this. It being second nature, it may not be readily apparent to us. In essence, we start with a decision we need to make, and based on this decision we decide on the kind and quantity of information we require for analysis, which would give us the ‘confidence’ to either proceed ahead or maintain a neutral position. This confidence is based on statistics (this includes inputs based on our personal experiences). It should always be that the decision drives what data we assimilate and not the other way around. It may be argued that some of this data we store may be based on previously collected inputs that we at the time did not have use for but collected. Nevertheless, even when we do, our brain sees a possible use for it in the future, resulting in us storing it.

So, as you look at the data you have or are beginning to collect, ask yourself ‘what is the purpose, the end result, the objective for which the data is being collected?’ Only once the objective is defined will the correct data be collected and be useful, informative and productive, enabling objective, cost-effective decisions. Starting with the objective is critical in all that we do, and we already do it subconsciously. So, going forward, make a ‘conscious decision’ to get data that is useful.

Objective Auditing Meets ISO 9001:2015

How Auditors can help organizations understand context and risk

Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits. To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.

It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?

The starting point for corrective action (CA) is the nonconformance report (NCR). A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the nonconformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.

A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.

With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.

Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, need to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the organization in context

Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”

So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.

Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital in the success of the organization.

When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.

It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

Similarly, business leaders have to understand the context of their organizations clearly when they develop a quality management system and before proceeding to the “act” stage of PDCA. This understanding will provide the foundation for determining key QMS elements.

Information about internal and external issues affecting the outcome of the QMS in the context of the organization should be collected from all sources. These may be from internal documents and meetings, national and international press, various websites on the subject, publications from national statistics offices and other government departments, and professional and technical publications, conferences, and meetings. Other resources include think tanks, professional associations, and independent subject matter experts. Many sources are available, and leaders need to consider all relevant ones to make the best assessment of potential organizational risk.

Internal issues to consider are resources such as infrastructure, the environment for operations, and organizational knowledge. Competence of employees, organizational culture, and perhaps the relationship with unions should be included. There are also delivery capabilities, customer evaluations, and management issues such as decision making and organizational structure.

External issues that might affect the organization include macro-economic factors such as money exchange rates, the economic situation, inflation forecast, and availability of credit. Then there are social factors such as local unemployment rates, safety perception, education levels, work ethics, and political factors. Existing international trade agreements, including sanctions, might affect the outcome of the organization’s performance in meeting objectives. Competition as it relates to market share might require study. Relevant legislation also must be considered.

An organization that understands “what it does,” and how various internal and external issues affect how well its QMS meets requirements, is better placed for success. Auditors can best help organizations by establishing, through objective auditing, that these requirements are met.

Organizational knowledge

ISO 9001:2015’s clause 7.1.6 has introduced a new requirement: organizational knowledge. When auditing this, auditors must keep in mind not only the existing context of the organization but also the changing context, if relevant. The organization when addressing changing needs and trends must consider its current knowledge and determine how to acquire or access any necessary additional knowledge or required updates. Going forward with changes, mergers, acquisitions, or moving operations globally without assessing the risks introduced by lack of knowledge can mean the difference between success and failure. Both internal and external sources for knowledge as mentioned above are relevant here. Future needs and their relationship to innovation is also mentioned in the standard’s introduction.

Evidence-based decision making

When determining conformity of a management system to ISO 9001:2015, auditors will need to ascertain that all aspects of the management system adopt both the PDCA cycle and risk-based thinking. Per the standard’s introduction, auditing should reveal that the processes have been adequately resourced and managed, and opportunities for improvement are determined and acted on. Auditors must also confirm that the organization’s leadership has considered risks and encouraged risk-based thinking to determine the factors that could cause the system (i.e., processes) to deviate from planned results.

The first phase of a system audit, during which the auditor interviews top management with systematic and well-thought-out audit questions, is vital to establish that management clearly acknowledges its role in understanding the context of the organization and how it influences the required customer focus. Employees must also understand the expectations of management. To successfully engage employees in a customer focus, company policies must smoothly flow into measurable objectives. Auditors must prepare well to audit top management and determine its commitment to the process approach and continual improvement. A system that doesn’t require management reviews periodically to establish that the PDCA cycle is in place even at this level means that leaders are at risk of making subjective decisions. During their interview of top management, auditors must be able to establish conformity to evidence-based decision making.

Conclusion

There is much more to auditing than looking for nonconformities. Auditors must also understand how the context of an organization relates to quality management principles. If they do, then they will look for conformities in the management system to ISO 9001:2015 requirements. If during this audit they do find nonconformities based on requirements, they must provide well-written NCRs to encourage a process-based management system. An objective audit will enable management to better use the system to consistently meet requirements, and the processes themselves will add value, help mitigate risks, and create opportunities for improvement.

http://www.qualitydigest.com/inside/statistics-article/030316-auditing-revised-standards-challenge-auditors.html?utm_source=MadMimi&utm_medium=email&utm_content=QDD+3-15-16+MicroRidge+Proof+2&utm_campaign=20160314_m13024#

 

Auditing to the Revised Standards – Are You Ready?

With the revised HLS standards, auditors face a new challenge in auditing aspects that were not previously addressed by ISO 9001 and other standards. Until recently, even the concept of risk addressed only its negative aspects and not the opportunities for improvement that arise out of taking a risk. Managements and organizations often face the challenge of selecting objective auditors who do not tend to use their experience to add subjectivity to their audit reports. With the new changes, auditors we teach often ask how they can address the clauses in the new standard. The fundamental base of a successful management system was a closed non-conformity that provided a data point; over time these data points constituted the database that the management team analyzed to identify trends and potential NCs. With time, the management then took preventive action.

With the revised ISO 9001:2015, fundamental changes have been introduced. First, the concept of preventive action has been replaced by addressing risks. In essence they are similar, except that preventive action was previously interpreted and applied as an afterthought. Dynamic leadership appreciates and assesses the risk(s) all the time, at every stage, mitigating risk and considering Opportunities For Improvement (OFI). This happens not just at the Plan stage of the P-D-C-A cycle (Plan-Do-Check-Act), but even at the pre-plan stage, by first understanding the context of the organization. A risk, when appreciated, can be avoided or mitigated, or it may present alternatives or bring out ideas for innovation, thereby presenting opportunities for improvement.

The understanding of the context of the organization and the management’s ability to assess risk and consider OFI need to be audited. OFI tends to open an area for auditors to jump in and confuse the leadership of an organization by bringing in their opinions! That is not the intent of the standard. The revised standard has strengthened the leadership role, not weakened it. Auditors could jeopardize this with subjective NCs. This is an area for concern. Managements need to be all the more cognizant of their responsibility and ensure the management role is not usurped by auditors. Auditors, in their wisdom, have to be sure of their role in assisting the system to run with its own leadership by providing objective NCs to enable management to make decisions.

Clause 7.1.6 of ISO 9001:2015 has introduced a new requirement: Organizational Knowledge. Auditors will have to audit this keeping in mind not only the existing context of the organization but also the changing context, if relevant. The organization, when addressing changing needs and trends, must consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates. Going forward with changes, mergers, acquisitions or moving operations globally without assessing the risks introduced by lack of knowledge can mean the difference between success and failure. Both internal and external sources for knowledge, as mentioned in the same clause, are relevant.

Auditors, in looking for conformity of the system to the standard, will need to check carefully that all aspects of the process-based management system adopt both the P-D-C-A cycle and risk-based thinking. Auditing should show that the processes have been adequately resourced and managed, and that the OFI are determined and acted on. Further, auditors will need to assess that the leadership has considered risks and encouraged risk-based thinking to determine the factors that could cause the system (processes) to deviate from planned results. Future needs and their relationship to innovation are mentioned in the introduction to the standard.

The first phase of a system audit, where the auditor interviews top management (TM), is vital. Through systematic, well-thought-out audit questions, perhaps a good checklist, the auditor establishes that the leadership of the organization clearly understands its role in understanding the context of the organization so as to have the required customer focus. The employees in any organization need to understand the expectations of the management. To be able to engage people in the customer focus, the policy must smoothly flow into measurable objectives. Auditors must prepare well to audit the TM to see the commitment to the process approach and continual improvement. A system lacking a working P-D-C-A cycle, with the TM not conducting management reviews (MR) periodically, will end with leadership making subjective decisions. Auditors, in their interview of the TM, must be able to establish conformity to evidence-based decision making.

There is more to auditing than an auditor going looking for non-conformity! If auditors understand the relationship management aspect of the quality management principles, they will look for conformity. If they do find NCs based on requirements and provide well-written NC statements, the PBMS (process-based management system) approach will enable management to better use the system, providing consistency in meeting requirements. Further, the processes will add value to achieve set objectives, mitigate risks and/or use the OFI for better performance with time.

Understanding the ‘Context of the Organization’

ISO 9001:2015 and other standards per the new High Level Structure (HLS) format require the organization and its leadership to understand the context of their organization in determining key Management System elements such as the scope of the system (clause 4.3), the processes (clause 4.4), the quality policy (clause 5.2), planning, objectives, risks and opportunities (in terms of Clause 6). So what then is this ‘context of the organization’ as per the new ISO standards?

Leadership has a tremendous responsibility in fully and comprehensively appreciating the risks to the organization. As the P-D-C-A cycle (Plan-Do-Check-Act) is used as the tool to bring efficiency using the Quality Management System (QMS), it is not just the Plan stage which is important; the pre-Plan stage is also vital to the success of the organization. Even before formulating a plan, at the very conceptual level, the leadership may benefit the organization and make more robust plans if the context of the organization is understood and appreciated. The context, when fully appreciated, will bring out the inherent risks and also provide opportunities for improvement and innovation.

In addition to, and in conjunction with, this requirement, organizations also need a good understanding of the relevant internal and external issues that can adversely or positively affect the organization’s ability to achieve the planned results. The leadership must be cognizant of both the internal and external issues that can affect this intended outcome. Consequently, it must monitor and review these on a regular basis.

When organizations go in for mergers and acquisitions, change their product, make other major organizational changes, outsource large parts of their business, or relocate, the context of the organization changes. The internal and external factors change. The leadership needs to understand the implications of these changes in the context of the organization. As they do this, they will see the risks and perhaps also opportunities for improvement and innovation.

In battle, the deployment of the troops comes much later. First the internal and external factors have to be considered: for example, the logistics of deploying the troops in harsh terrain surrounded by hostile countries, and the chances that they may fail. If the risk is above acceptable limits, then the nation’s diplomats may consider reaching out to neighboring countries to create a safe corridor for logistics. This diplomacy may present opportunities for better relations with these littoral states. The risk may require intelligence agencies to gather the realities on the ground. Thus armed, the military leadership can best ensure the success of the mission.

The same logic would apply to a surgery. The surgeon needs to know that it is an open heart surgery! Among those factors to be considered would be the hospital facilities available and working, the fitness of the patient, the location, reliability and availability of ancillary services among others. In a similar manner every organization has to understand the context of the organization clearly as it makes its plans to use the quality management system and proceed to the implementation stage of the P-D-C-A cycle.

This understanding will provide the foundation for determining key QMS elements such as the scope of the system (clause 4.3), the processes (clause 4.4), the quality policy (clause 5.2), planning, objectives, risks and opportunities (in terms of Clause 6). The technical committee, when revising ISO 9001:2008 to the 2015 version, was very aware of the changing world and of the data, information and, in some cases, analysis easily available on the internet. There was no reason not to consider such available inputs, which point to risks already considered in other parts of the world. Therefore, information about internal and external issues affecting the outcome of the QMS in the context of the organization should be collected from all sources. These may be internal documents and meetings, the national and international press, various search websites on the subject, publications from national statistics offices and other government departments, professional and technical publications, conferences and meetings. Then there are the think tanks, professional associations and independent subject matter experts. Many sources are available, and the leadership needs to understand this to make the best appreciation of the risk.

As such, why would leadership not consider the overall performance of the organization, including its financial information, when it may already be publicly available? Some of the other internal issues to be considered could be resource factors including infrastructure, environment for operations and the organizational knowledge. Another factor would be the competence of the employees, the organizational culture and perhaps relationship with unions. Then there are the delivery capabilities, customer evaluations, factors in the governance of the organization such as the decision making and organizational structure.

External issues which may affect the organization may include macro-economic factors such as money exchange rates, the economic situation, inflation forecast, and availability of credit. Then there are the social factors such as local unemployment rates, safety perception, education levels, work ethics, and political factors. Existing international trade agreements including sanctions and so on may affect the outcome of the organization’s performance in meeting objectives. Competition as related to the market share may require a study. Then legislation and other factors need to be considered.

Management which understands “what it does” and how various internal and external issues will affect the outcome of the QMS meeting requirements is better placed for success. It can assess the risks in the context of the organization and, from that understanding, either mitigate the risks, avoid them or come up with opportunities for improvement. Innovation could be an outcome.

QMII has been meeting client requirements for over 30 years now. Our expertise in correctly assessing the issues and assisting you to understand the context of the organization in a systematic manner, as you transition from ISO 9001:2008 to ISO 9001:2015, will be valuable. If you are considering aligning your system to ISO 9001:2015 for the first time, please call us. This could be the most valuable call you have made!