Transition to the new version of ISO 9001:2015 is upon us. Many have put it off for a whole host of reasons, and we are now at a point where we all need to act. Differing opinions exist about how easy or how hard the changes will be, but many factors determine that degree of difficulty.
While it is possible to interpret the changes simply — or perhaps your auditor has always made your audit easy — by implementing the letter of what is included in the standard or taking the simpler shortcut, you still have to consider that this year, you might get a tough auditor. And, frankly, that’s a good thing. You are making an investment in quality, you should get a return. No one wants to fail their audit, but it would be useful to know where there are opportunities for improvement. It would be useful to get pressure to be disciplined and organized in a meaningful manner.
Regardless of whether your certification auditor tells you how easy it is or your quality manager tells you it means a whole new solution, the goal of getting through the audit still exists. Transition problem number one is that any decent ISO resources are going to already be booked. If you haven't reserved your help, you may be too late.
So, as we progress internally through the transition process, we need some quick and simple ideas to place the project on track and to navigate to a successful solution.
Focus on quality, not requirements. The standard has changed significantly. The newer areas include the concept of allowing the organization to demonstrate conformance rather than dictating how that is done. The standard includes strategy, risk and knowledge. Significant changes were made to the objectives, change and communication sections. There are a lot of new requirements.
One of the more visible signs of the changes is the restructuring of the standard to adopt the annex SL approach. In some quarters it’s a little controversial but probably overall a good idea for consistency going forward, a whole new standard to learn. You can’t argue the need to learn the new requirements if you want to become or remain certified.
The standard has been generally consistent since its inception in 1987 (31 years ago); ISO is about QMS and QMS is about quality. This has not changed. If you designed your ISO solution to be a QMS that is all about quality then you probably have a good solution and your basic solution can stay. Yes, some new ideas (which because you focused on quality originally, you probably already address to some degree) and some changes (to help focus and improve discipline perhaps) are necessary, but the fundamentals are already there. Ensuring the focus is on quality and not directly on requirements will ensure your solution evolves through transition in a meaningful way. It’s a lot easier to get support and resources for something that makes sense.
Focus on outcomes. It is very common to insist on a gap analysis. Technically, in most project management situations, this is an important step in determining where you are versus where you want to be. In this instance, less so. So much so that a gap analysis should not be required. You have a reasonable system. You have implemented ISO 9001:2008 and you meet those requirements well — and your certification body confirms that that. You audit your processes, thoroughly and effectively, and your certification body confirms that, too, for you. Bottom line is that you fundamentally know where you are. That is part of what having a QMS is about.
The next step is to determine where you want to be. You already know that — ISO 9001:2015. The gaps are defined by the differences between 2008 and 2015. But what does that mean specifically to you? Same answer. The gaps are identified. Solutions are another matter. The purpose of a gap analysis is not to determine solutions.
The main function of transition is knowing where you want to be. Solutions require review, thought and pondering. You need to put some time into determining what the best solution will be based on all the inputs. This might require analysis, brainstorming and consultation, a little time and effort.
For instance, in 2008, we had preventive action. In 2015, a risk process is required. It’s a clear gap. There is nothing to explain what the solution should be. Your solution might have a weighted colored risk matrix with defined criteria and definitions of each characteristic. Or it might require a simple list. The solution needs to be appropriate and effective for you.
Don’t waste time quantifying gaps. Invest in a comprehensive, solutions-based project plan.
ISO removed the need for many (any?) documents. So, what?
The standard changed in a really valuable way. It never made sense to require a procedure for internal audit but not for engineering. Why should ISO say what documents are needed in an organization?
But by not insisting on any particular documents, the standard created a lot of confusion. “Now I don’t need any documents,” you may think. Well, that’s not what the standard says, and it’s not what it means. First, quite rightly, the standard should not tell anyone how to demonstrate their system. It is not a standard’s place to say how an organization’s documents and records should be kept. Remember the famous “six mandatory ISO procedures?” They weren’t all mandatory and were not what the standard states, but people interpreted them that way. This alone lead to poorly-structured and inoperable solutions.
“But the new standard is worse or at least more confusing,” you complain. No, it clearly says you must be able to operate your system and demonstrate it. While it is possible to do this without documentation, getting the operation and demonstration right is really difficult without records. The documentation describes what we define will be the process (and system); without that “documented” description, it is not possible communicate the process for clarity, training, reliability, or to verify or audit it. You can achieve this without documents but it is not easy. Bottom line is you need all the procedures, documents and records. Everything should be documented (to an appropriate level and with appropriate controls). This has little to do with ISO and is all about operating a successful organization (and being able to demonstrate it).
Our ISO programs have forever been expertly led by a dedicated professional — the ISO management representative. In some quarters, there has been noticeable confusion over the management representative. Often the ISO guy is not the rep. They do all the work but a VP covers the official role, for better or worse. This standard removes the requirement for a management representative, and that implies getting rid of the role.
Actually, there is no suggestion in the standard of getting rid of the role. The title is not discussed, but it equally doesn’t say you can’t have one. It’s your call. More importantly, you need to make sure the responsibilities — all the responsibilities — for quality are properly determined and communicated. If you change this role (or title or activity), then ensure the responsibilities are managed correctly. All too often, the ISO guy is tasked with keeping or getting certification but it is not one quality guy’s job.
Let’s look at this point from a positive perspective. Management representatives may lose a title but they are still going to oversee the system. And now, the system includes the organizational purpose and strategic direction for quality, formally included in ISO. They are obviously important to quality and essential in ensuring everything makes sense. It will not be possible to achieve certification if purpose and direction are not part of the solution. This gives access to strategic and business planning and very high-level processes in the organization. Management representatives now get access to top management and becomes part of top management.
Yes, there is. ISO has introduced some new, sensible and important processes. But most, if not all, organizations already do these things. New requirements bring new processes and new controls. As discussed earlier, it is likely that if it’s important in an organization, then it’s already being done, perhaps informally, but still getting done. And that is true of the big new areas brought into this new standard.
Business planning, strategy and purpose — the standard is very specific and requires us to start our quality systems with reference to organizational purpose and strategic direction. This helps us appreciate that the context is about understanding the environment and influences that affect quality so that planning can be completed, in context. In larger organizations, they already have a strategic or business planning process. Often, quality is not explicitly included but that can be achieved easily by adding simple controls to the process, not reinventing it.
In small organizations, it happens just the same way. Perhaps the owner goes to dinner once a year with the accountant and discusses how things went, and what should happen next year. Perhaps the owner has ideas for new products and new markets that should be pursued. At the moment, it’s informal, without structure, but planning is occurring. It just needs controls added, some discipline and organization instilled, to reap the benefits. And let’s be clear about this. We are not doing this for ISO. We NEVER do any of this for ISO. We plan because it’s a great thing to do for the organization. That is why it goes on all the time. QMS helps us ensure it is deliberate, meaningful and valuable to the organization. Nothing new, just a little more disciplined.
Never forget what we are doing here. The most important thing about ISO is that it is about QMS. And QMS is about being successful. To be successful, you have to be effective, efficient, improvement-oriented and profitable, and every good characteristic about an organization that you care to choose. Whenever you are writing procedures, designing solutions, looking at controls, and implementing ISO, you need to proactively ensure you always apply that principle. Everything you do in ISO is good. If it’s not, stop it.
Colin Gray has been working as a management system consultant at Cavendish Scott for 30 plus years and in that time, has been consulting, training and auditing in QMS management systems design and implementation. He has been involved with thousands of companies at various levels and specifically designed and implemented ISO management systems in hundreds of companies.
While Gray has worked with many different management system standards/models including Baldrige, ISO 17025, ISO 14001, ISO 27001, etc., the bulk of his experience is with the ISO 9000 series of standards (and derivatives like AS, TS, Medical, etc.). His focus has always been on practical solutions that systemically assure quality and improvement, while minimizing cost and driving towards adding value.
Gray has an MBA from Middlesex University, a management diploma in administrative management from the Institute of Administrative Management and a diploma in international marketing from the Chartered Institute of Marketing.
He is a professional auditor and performs audits for ISO registrars, and internal audits for a wide variety of organizations and second party supplier audits. Gray is a trainer for the IRCA ISO 9001:2015 lead auditor and ISO 9001:2015 and ISO 14001:2015 transition training classes. He is a certified principal lead auditor with the IRCA for quality, environmental a certified EG QMS lead auditor, and a member of the ASQ.