ISO 9001 certification decline – Does quality still matter?

ISO 9001 certifications have seen a decline in the past two years, per data from ISO. Some say that the standard has gotten too complicated with the introduction of organizational context, risk-based thinking and the removal of mandatory documented procedures. Even a few of QMII’s clients had considered letting their certification lapse, as conformity to the new standard was perceived as too complex.

To certify or not

Let us begin by looking at the purpose of ISO 9001. ISO 9001 provides a framework for organizations looking to put in place a system that will enable them to consistently deliver products/services to customers that meet their requirements and enhance customer satisfaction. ISO 9001 certification is external validation that the system meets the requirements of ISO 9001. However, ISO 9001 allows organizations to use the standard and self-declare conformity without incurring the cost of certification. Many argue that there is no value in doing this. This is probably correct if you are implementing a system to meet a contractual or customer requirement. In these cases, certification is a requirement.

Waning trust in the system

Organizations that implement ISO 9001 for the benefits it will deliver in improved productivity, reduction in process waste and management of risks have seen the bottom line improve with time [1]. If implementing the standard enables consistent quality, why then the reluctance? Perhaps the trust in the ISO 9001 certification process has declined over time. Often have we heard from quality managers of the challenges faced when they raise non-conformities in internal audits. These are often viewed as “finger pointing” exercises since the certification body has already audited and “cleared” (certified) the system.

We have also heard from clients of certification bodies and auditors wanting to view documented evidence of organizational context, stakeholder needs and risks. The standard, however, does not require these to be documented and leaves it up to the organization to determine the risk of not doing so. Some auditors, however, struggle with auditing undocumented systems and auditing to the new standard [2]. As a result, organizations start documenting their system for the auditors and certification bodies, resulting in a system tailored for auditors and forced down on the organization by auditors. The auditors were to provide inputs to TM (top management) to make better decisions; instead, the auditors and audits have now become the product. The system must be designed for the employees, not for the auditors. The intent of the standard to act as a preventive tool gets lost in this compliance process.

Supplier audits

Over the past two decades there have been several mergers and acquisitions leading to larger multi-site organizations and perhaps as a result a reduction in certifications. As these organizations have grown, and maybe in part owing to the declining trust in the certification system, they have decided to conduct their own supplier audits. As such suppliers have chosen to let their certification lapse since they are nevertheless being audited by the customer and that is the audit that really counts for them.

Supplier audits are more focused on the customer contractual requirements. Organizations who perceive ISO 9001 as a documentation burden will then only document the parts of the system to meet contractual requirements rather than document the system to meet the organization’s requirements based on ISO 9001. They fail to see that ISO 9001 leaves the extent of system documentation up to the organization and often perceive it as everything needs to be documented.

Conclusion

While quality does matter and customers are still looking to receive a quality product, oft incorrect interpretation of the standard leads many to choose against ISO 9001 certification. At times other certification requirements like CE marking may be more desired and certification to two standards be burdensome. Also methodologies like Six Sigma and Lean have gained prominence. So, ISO 9001 certification gets the boot.

Those looking to gain the benefits of a quality management system need not re-invent the wheel. ISO 9001 provides the framework that essentially reflects business 101. If you do not need ISO 9001 certification then you can self-declare and let the doubters come and assess for themselves. In the meantime, you will still gain from a well implemented management system. Remember, you already have a system that has brought you thus far, align ISO 9001 to your system and not your system to ISO 9001.

[1] Guasch, Luis J.; Racine, Jean-Louis; Sanchez, Isabel; Diop, Makhtar. 2007. Quality systems and standards for a competitive edge (English)

[2] Quality Progress October 2017, Article: The results are in…

ISO 45001 Transition: Change is coming to health and safety

Organizations currently certified to BS OHSAS 18001 have until March 21, 2021 for their ISO 45001 transition. Those who are currently implementing a management system conforming to BS OHSAS 18001 will notice some similarities and some differences. Those who are certified to other ISO standards such as ISO 9001 will notice the similarities in the standard owing to the use of the High-Level Structure in the new ISO 45001 standard. This article discusses the key changes to the standard over the BS OHSAS 18001 requirements. It also highlights certain key aspects for those undertaking an ISO 45001 transition.

In keeping with the High-Level Structure, ISO 45001 in clauses 4.1 and 4.2 asks organizations to consider the context of their organization, or the aspects of their business environment that may impact their operations. The business environment includes both internal and external issues such as new regulatory requirements, new technologies, cultural issues and company values, to name a few. Companies need to consider the needs of different relevant stakeholders that may impact their system, including the needs of their workers. Organizations are asked to have workers participate in the system development as they complete their ISO 45001 transition.

Under the high-level structure, ISO has removed the need for preventive action, as the entire standard is now designed as a preventive tool. Supporting this is the introduction of ‘risk-based thinking’, both from a strategic perspective and from an operational health and safety perspective. Risk-based thinking, and the awareness of personnel of it, is key to the ISO 45001 transition. There is now a stronger stress on leadership’s role in the system. Leaders must take accountability for the effectiveness of the system and cannot wash their hands of the system. Leaders must not only engage in the system themselves but also engage others as the ISO 45001 transition takes place. The clauses under 5 also have a requirement for the consultation and participation of workers. They have to remove the barriers to participation and include even non-managerial workers.

Documents and records are now controlled under the common clause for control of documented information, and based on the risk-based thinking there is more freedom allowed with the documentation. Outsourced contractors will also need to be controlled within the scope of the system.

Organizations undergoing an ISO 45001 transition will need to incorporate all these aspects into their system. Care must be exercised when setting up the system to design it around the user and not around the auditor or certification body, for the system to be useful in the long run and to drive continual improvement.

Gain more value from your Internal Audit with these five steps



ISO 9001 internal auditors play a critical role in the success of the system. ISO 9001 internal auditors provide inputs to Top Management for continual improvement of the system. Internal audits, given their nature and the limited scope of each audit, can be more detailed and usually go into depth. For audits to add value, internal auditors should be trained in identifying the adequacy of resources and controls in a process to meet the objectives as defined. The five steps listed below are inputs to enhancing your internal audit program and to supplementing the ISO 9001 internal auditor training.

Step 1 – Include risk in audit planning and preparation

In scheduling process audits, not all processes need the same amount of time allocated. Processes that are more complex and/or have more problems may need more time to assess conformity. Processes which perform well could perhaps have their internal audit requirements met by auditing once a year. However, critical processes should be audited more often, as should processes where customer complaints are received or where frequent issues are identified. There is no requirement per ISO 9001 to audit all processes within the timeframe of a year. Of course, in special industries like the maritime industry there is a requirement for annual audits.

In preparing for the audit, the ISO 9001 internal auditor should determine priorities for the audit and select the personnel they want to interview, the items they want to sample and in what quantity, as well as the questions they want to ask. All this will be based upon meeting the audit objective and may change should there be a risk to meeting the audit objective. In interviewing personnel, auditors should choose a representative sample.

Step 2 – Use custom checklists

Checklists are a great tool for an auditor to go prepared for an audit. However, the purpose of checklists is not to limit the auditor. When standard checklists are used to audit a process over time, the same areas of the process get identified while other areas get left out. Auditors may feel compelled to stay within the confines of the checklist unless advised otherwise. Auditees focus on “preparing” only those areas of the process that the checklist will touch upon.

Getting your ISO 9001 Internal Auditor to prepare checklists each time helps them to think outside the box and to perhaps change the sample and sample size selected. The auditee, too, now ensures that the entire process is working well and is not limiting themselves to perfecting the “checklist” areas.

Step 3 – Choose your internal auditors from different departments

QMII recommends choosing and training internal auditors from different departments of the organization. At least 10% of the workforce should be trained as internal auditors. It is a small investment given that the company will now have a large pool of auditors to choose from. Choosing internal auditors from different departments enables cross-pollination of ideas and solutions. It also allows a better understanding of challenges being faced by the departments. Internal auditors from a different department using a custom checklist produce questions that are not normally asked, and the entire process is looked at from a fresh perspective.

Step 4 – Train your auditors in problem solving techniques

Training your ISO 9001 internal auditors in problem solving / root cause analysis is a unique skill that will allow them to see the big picture when conducting audits. Internal auditors when newly trained tend to focus on the minor issue not realizing that the issue may lie elsewhere. Problem-solving training gives them perspective into how the root cause of an issue may lie elsewhere and accordingly gets them to ask different questions and assess a process effectively. It also enables them to identify the problem (non-conformity) well to enable effective corrective action.

Step 5 – Evaluate both auditors and the audit program regularly

This is an important step that is often overlooked. Nearly all organizations will provide ISO 9001 Internal auditor training to their auditors, but rarely do they evaluate the effectiveness of the auditors or the effectiveness of the audit program. An organization needs to determine if its auditors are being too strict, too lenient, identifying the right non-conformity requirements, selecting the right sample, etc. Additionally, is the audit program, as set up based on identified risks, working well or do changes need to be made to the audit program? In our experience, companies follow the same audit program year after year. Auditors are rarely evaluated because there are only one or two trained and designated auditors. This step, however, plays an important role if the internal audit process is to be successful.

 

Author’s Note: While the article is written from the perspective of ISO 9001 internal auditors, the steps above are applicable to any internal auditing program.

What is ISO 14001 Lifecycle Perspective?



ISO 14001 Lead Auditor training introduces students to the ISO 14001 standard and its interpretation as well as the skills needed to assess the effectiveness of the environmental management system. ISO 14001 in its 2015 revision introduces the lifecycle perspective. In essence, the standard asks organizations to use a lifecycle perspective when designing/manufacturing their products/services. This means that instead of a cradle to grave concept organizations need to think of a cradle to cradle concept.

Cradle to Grave

ISO 9001 ‘Requirements for Quality Management Systems’ ushered in a new era of process-based management systems that could be used to improve the quality of products/services being delivered to customers and, when well implemented, to increase efficiency and productivity. However, as productivity, efficiency and quality were being improved, the by-products of the system were not addressed. During the 1980s there were some regional efforts to address the impact of organizations on the environment, and ISO 14001 was ISO’s effort to lay down the requirements for a management system that addressed the aspects and their associated impacts. Organizations were expected to take action on these impacts to reduce them. Auditors undergoing ISO 14001 Lead Auditor training were now ready to assess the effectiveness of these systems.

In its initial publication and subsequent revision in 2004, ISO 14001 asked organizations to take a ‘cradle to grave’ approach to managing their impacts on the environment. This meant reducing the immediate impact on the environment. However, with time we learned that this does not address the growing landfill issues being faced by countries globally. To address this issue, as well as to align with international efforts to address climate change and the rapid depletion of the planet’s resources and to encourage sustainable operations, the ISO 14001 standard introduced the concept of ‘cradle to cradle’ in its 2015 revision.

Cradle to Cradle

ISO 14001 defined lifecycle as “consecutive and interlinked stages of a product (or service) system, from the raw material acquisition or generation from natural resources to final disposal.” Life cycle stages can include the acquisition of raw materials, design, production, transportation/delivery, use, end-of-life treatment, and final disposal. A great example of a lifecycle perspective in manufacturing is the recycling of Lead-Acid Car Batteries. Nearly 99% of these batteries are recycled/reused. Major battery manufacturers have programs in place to encourage the recycling of car batteries.

While ISO 14001 does not call for a formal life cycle assessment, ISO 14044 provides the guidelines for a life cycle assessment should an organization wish to conduct one. In determining the end-of-life disposal, organizations may choose products that are recyclable, sustainable and perhaps even biodegradable. ISO 14001 lead auditor training provided by QMII highlights the concepts of a lifecycle perspective and how to incorporate it into your environmental management system.

Conclusion

ISO 14001 Lead Auditor training enables participants to go back and implement environmental management systems that will benefit their organization, the environment, and stakeholders. It also enables participants to conduct value-adding audits of their systems. The intent of the audit is to identify opportunities for improvement. With the skills from ISO 14001 Lead Auditor training by QMII and the knowledge of a life cycle perspective, participants are ready to hit the ground running in implementing and auditing environmental management systems.

 

Obtaining Top Management Commitment

Who cares about the system? 

Management systems need top management commitment to work well, and yet many systems lack the necessary commitment. You may recognize some symptoms. Policy – ignored. Objectives are barely alive. Corrective actions remain open. Managers seem not to appreciate the value of the requirements. Employees are unsure about the system’s requirements. Proactive identification and addressing of risks/opportunities is rare. Root causes of failure remain in the system. Consequently, the system is not improved. Employees are unaware of what the system should do for them. Management reviews are embarrassing. Leaders either do not show or do not contribute. Top Management Commitment is lacking. Audits may temporarily energize the players. Management representatives ask, “Am I the only person who really cares?”

Who trained the leaders? 

Many leaders do not explain their management systems. They may know the importance of certification, but they rarely explain why their system is vital for survival and growth. Why is this? Examine your internal audit program; is it driven by top management’s objectives? Audit your training records. Do they show that leaders are competent and confident to show their top management commitment? Who trained the leaders in their organizational management system? Competent leaders take responsibility for their system. They explain how their system works and why its requirements are so important to them. Unaware leaders blame employees for mistakes caused by their system.

Your system, is it perceived as worthy? 

Even if your system is certified, do not expect leaders to support it. Every organization is a system. Does the documented part of this system describe how it converts stakeholder needs into cash (or continued funding)? Is this the management system that was certified or was it some new ISO system built on templates?

Is your system irresistible to the leaders? If not, show how your system converts needs into cash so top managers would not want to lead without it. Try our methodology to appreciate how others have developed systems and gained top management commitment beyond certification. Everyone should fulfill their objectives and earn their bonuses by using and improving the system.

Awareness Leaders Workshop 

Engage us to design and facilitate your one-day Awareness Leaders Workshop™. Select attendees who are leaders by job title and those who are leaders by personality. Include the skeptics!

We listen to your objectives and design your workshop to fulfill your required outcomes. This may need system analysis to result in a diagram that explains how the system converts needs into cash. This workshop is facilitated by our senior management system consultant and auditor, who for over 20 years has helped many willing and reluctant managers to understand and commit to their systems.

Prepare for action 

Remove the root causes of what ails many management systems. You want your top management commitment to the requirements of their management system. Clear the backlog of stale CARs and pending actions on identified risks to prepare for the surge of improvements flowing from the renewed leadership of your system.

When you are ready, please email IJ Arora or call 888.357.9001 with your requirements.

What is SMEA and FMEA?



Success Modes and Effects Analysis

An organization is likely to succeed if it understands the system that runs its business. It can then identify where it needs to make improvements and use its system to succeed. QMII helps clients to develop their process-based management systems by using success modes and effects analysis (SMEA). SMEA, conversely to FMEA, focuses on the success areas (opportunities) the organization is trying to achieve and on determining the potential risks to achieving them. The organization then takes action to address these risks. While not all risks can be eliminated, given resource constraints, SMEA provides an opportunity for the organization to prioritize the risks and take appropriate action.

To implement SMEA, top management need to analyze and document what their organization does to convert customer needs into cash (success modes). This enables them to see where waste can be eliminated by applying lean principles to achieve lean design, lean manufacturing, lean administration and lean service. This determines the key processes in the system that runs the business. The next step involves working with the process owners to analyze each of the key processes for the fulfillment of process objectives (effects analysis). This results in a flowcharted procedure for each key process. If you’re not fond of flowcharts, then any other method of documentation will do. These procedures refer to the interacting processes and supporting documents.

Competent employees, from the recruiting and training processes, are coached by their leaders to use their system to eliminate causes of waste and succeed. These systems include procedures for creating new products and new processes with inputs from successful designs (see FMEA below).

Organizations can use SMEA to build and grow the success of their organizations.

Failure Modes and Effects Analysis

FMEAs during product and process design prevent failures of products and processes. A team representing customers, designers, manufacturers, installers, users and suppliers agrees upon the rules for evaluating risk. The team works through each of the ways in which the process or product could fail (potential failure modes) and assigns a score per the rules to signify the frequency and impact of each type of failure (effects analysis).

Failure modes that potentially are the most frequent or could have the biggest impact (or both!) are the highest priority. Teams remove the root causes of such failure modes to prevent their occurrence. These preventive actions make processes and products much more reliable from the beginning.

As you might expect, the entire automotive industry now uses FMEA to improve reliability. Yet not one car maker considered the sudden loss of global financing: a rare failure mode with dire consequences! Organizations that fail to use FMEA have to suffer the many losses due to incapable processes and poor products. Repeated failure may enable them to learn the hard way, if they remain in business.

FMEA works best as a preventive action tool within a process-based management system (see above).

QMII facilitates failure modes and effects analysis (FMEA) and success modes and effects analysis (SMEA) for our clients.

Management review: A Necessity or Improvement driver

The management review is a critical step to ensure sustained success of the management system, yet this is often left to the relevant manager to document to meet the system standard requirements. A myriad of reasons is given for a management review not being done within the timeframe as defined by the organization. These include unavailability of senior management due to calendar conflicts, waiting on inputs from department heads and sometimes just a lack of commitment by leadership.

Even when conducted ‘timely’, the review is often done purely out of the necessity of meeting the requirements of the standard. The review, however, is a critical step for the success of the system and enables the continual improvement of the system. Leadership may, at times, question why the money invested in a Quality Management System and certification to ISO is not delivering the intended ROI. The answer often lies in their lack of commitment to the system as perceived by the users of the system.

Why are my reviews not driving improvement?

Management reviews when done out of necessity become a documentation exercise. The responsible manager collects all the data and analyzes/evaluates it for presentation to management. They proudly share these presentations with whomsoever asks about the management review. The ISO standards (e.g. ISO 9001, ISO 14001 and others) in clause 9.3 give the requirements for what shall be included in a management review. However, the review need not be limited to just these topics.

In consulting, QMII has often heard, “But we do daily reviews with our team and weekly updates with the managers”. Why not record these as a part of your management review? Do keep in mind that ISO standards ask organizations to conduct management reviews at planned intervals. It does not say it has to be a meeting or be held in a boardroom or the planned intervals need to be equally spaced. When the system is incorrectly implemented, or the standard incorrectly interpreted it often leads to a weak foundation of the system. Soon users of the system are complying and doing what has been documented rather than asking “is this really correct for us?”

With the passage of time, the lack of commitment percolates through the system to where the person tasked with championing the system, such as a quality or environmental manager, is fighting a lone battle. This lack of commitment may be apparent from the lack of decisions by management on issues presented in the review. At times the concerned departments are trying to drive their own agendas, and this creates conflict and disconnect. Also, in recording the outputs of the review, the decisions and actions from management must be recorded. QMII often finds these missing.

How do I improve my management reviews?

To do so the organization must first understand the intent of this clause in the ISO standards. Clause 9.3 (under the high-level structure) asks management to review their systems to ‘ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the system.’ This, in essence, must be the guiding principle for the management reviews.

This is the reason why these reviews must be done holistically. It is this guiding principle that will determine the intervals for the review. Clause 5.1 of the ISO standards (those aligned per the HLS) asks leadership to take accountability for the effectiveness of their systems. The management review is the platform via which they can assess if the system is effective in meeting their policy as set. The management review is also where management reviews the system and determines the required changes in the context of the organization and the needs of the interested parties, in order to determine new risks, whether any changes to the policy / strategic direction need to be made, and resourcing needs.

Engaging Leadership and the rest of the team

There is no mantra that will deliver sure-shot success. I wish there was one, for I know many an organization that would willingly invest in it! However, educating management on the WHY of the management review has often helped. If need be, consider external consultants to deliver the message. Additionally, you can consider these three steps to get more engagement:

  1. Gather review inputs from the management team: This is a good method to get everyone involved. Pass around a draft meeting agenda so all system users can prepare for the review (should you be having a meeting) and can provide their inputs/items that they need management’s decision on. It is also an opportunity for them to gather opportunities for improvement from users of the system.
  2. Use a review format that works for leadership: Document how your reviews are done exactly the way they are done within your organization. Perhaps some agenda items are discussed on a quarterly basis and others on a weekly basis. The intent is not to please an auditor but to use this tool to drive improvements through the system, as needed. Remember the guiding principle discussed above.
  3. Communicate the outputs of the review, including leadership’s decisions: While the standard does not require this, it is implicit in ensuring continual improvement. Communication is important, but the outputs of the review need not be communicated to the entire organization; perhaps only the relevant parts to the concerned managers and their teams. It demonstrates to the users of the system that management is involved, is aware of the problems and has provided decisions on various matters presented.

Management Reviews ….  Improvement Driver

When done correctly, management reviews become the springboard for improvement throughout the system. They come at the end of the ‘Check’ stage of the PDCA cycle, leading into the ‘Act’ stage for continual improvement. They enable leadership to assess how well their system is doing. They deliver, in the long run, the engagement needed from users of the system and the ROI that leadership are seeking in their quality management system.

Re-thinking the ISM Code


The ISM code, when implemented in 1998, was meant to encourage organizations to take ownership for the safe operations of their ship and the safety of the environment they operate within. Many years hence and the benefit of the ISM code is still being debated. Has it been a boon or a burden to the maritime industry?

Given the number of maritime accidents and loss of lives, most would opine that safety would be second nature to those at sea. Something like wearing a seatbelt when driving a car, where the person does it for their own safety and for those travelling with them. It is not done out of fear of the enforcement authorities. So then why has the ISM code not driven a similar safety culture within the maritime industry?

Boon or Burden?

In many companies, the ISM code implementation has become a paperwork drill, where it is seen as a means of demonstrating to regulators that the requirements have been met. The reasons for this culture are many, including but not limited to:

  • Lack of effective communication between ship and shore staff (one of the key issues the ISM code aimed to address)
  • Fear of reporting of non-conformities / near misses (lack of job security)
  • Hierarchical structure of companies
  • Authoritarian leadership (my way or the highway)
  • Systems not customized to the vessel (generic to the fleet)
  • Poor system implementation

The ISM code provides a system approach to continual improvement but only when the code is implemented in the right spirit. Personnel often do not understand the ‘WHY’ for implementing an SMS and their need to do the right thing. Often conformity/compliance is stressed even when the actions may not be the right thing to do. Measures such as Bridge Resource Management are add-ons to ensure effective communication of risks and challenging of group thinking. However, often the training is not sufficient to enable challenging a senior officer unless they are encouraged to do so. Most mariners today view the SMS on board as a burden. Over-documentation is slowly killing the system and once incorporated into the system, requirements rarely get removed. SMS reviews done by the Master do not truly evaluate how the SMS is adding value to the effectiveness of the system.

The Case for Risk-Based Thinking

ISO 9001 in its revision in 2015 introduced the concept of risk-based thinking, wherein organizations shall assess the risks to their system given the changing environment they operate within and then plan to take actions to address these risks. This concept of risk-based thinking is driven down to awareness of the entire staff of the need to contribute to the effectiveness of the system. While the ISM code in its objectives requires companies to identify and safeguard against all risks, this has in many cases become a paperwork exercise of completing a risk assessment form and filing it. The ISM code in essence has encouraged companies to identify potential emergencies, prepare contingency plans for them and then drill in these. Often these are limited to the same 10 or 12 scenarios such as grounding, oil spill, man overboard etc. Many maritime companies are ISO 9001 certified but often the scope of this certification only extends to the shore-based offices. While the certification scope may be limited, there is nothing stopping companies from extending the system to vessels or at the least the concept of risk-based thinking.

The safety culture must start with the commitment of the leadership and then be reinforced throughout the organization. The fear of reporting non-conformities must be eradicated. This can only be achieved when personnel are confident that there will be no repercussions. Regardless of the safety culture of organizations however, given the contractual nature of employment at sea, it is often difficult to inculcate a sense of commitment to the SMS. Mariners in general tend to work safely and watch out for safety of their shipmates. At times though, the culture of “follow the procedure” leads to actions being taken even when they may not be the best, given external influences and circumstances.

Consultation and Participation

ISO 45001, a standard for occupational health and safety management systems, introduces the need for ‘organizations to maintain a process for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system’. Getting inputs from the entire workforce enables quicker and easier buy-in to the system. The SMS, while capturing the various requirements, should be designed for easy use by the users of the system. Often SMS manuals on board are bulky and rarely referenced. Personnel choose to follow the practices they have learned over the years from other shipmates and mentors rather than reference the SMS.

When asked for feedback on how to improve the system, many mariners have ideas but the system at times does not provide an avenue for this feedback to be captured and formally implemented within the SMS. Best practices often remain limited to a vessel as a result. Following the concept of risk-based thinking, organizations need to consider the risk of barriers to participation and take measures to reduce these. Many accidents/incidents and near misses could be addressed if mariners could have asserted themselves in the situation and alerted someone to the problem/potential non-conformity.

Conclusion

Some in the industry are calling for increased regulation to improve the maritime industry in ensuring ships are operated safely. However, regulators can only do spot checks. They are not on board 365 days of the year. Operational pressures play a major role in how risks are assessed. The grounding of the Torrey Canyon is a prime example of this as is perhaps the Titanic.

As the use of technology and the reliance on electronic systems increase, new risks will be introduced to the maritime industry. This new era will benefit from a re-think of the ISM code to encourage the inclusion of risk-based thinking (beyond just a documentation exercise) and the participation of mariners to actively improve the SMS and embrace safety. In conclusion, maritime companies (with or without a change to the ISM code), in the interest of their mariners and the maritime industry at large, need to rethink their approach to implementation and maintenance of the SMS.

SECURING THE MARITIME IoT FRAMEWORK


As technology advances, a growing number of providers are developing products and services based on the IoT (Internet of Things) framework. In the maritime industry, it is increasingly common for vessel containers to be tracked from ashore and even for machinery performance metrics to be provided, as remotely automated readouts, to those ashore. With the increased use of technology, the risk of these networks being compromised also increases. There are a growing number of incidents in the maritime industry where systems were compromised, leading to losses in the millions of dollars.

On average, when these breaches occur, it may take over 100 days before they are even detected! Various maritime organizations and associations have published guidelines on measures to be taken to prevent/deter such a compromise, but history has shown that the maritime industry tends to be more reactive than proactive. Even the ISM code now includes as an appendix a circular on guidelines for maritime security. As part of the implementation of the ISM Code, measures for cybersecurity should be included in the system, from the security of networks and machinery to contingency plans in case breaches occur.

The implementation of cyber-security measures includes the need for protection of three aspects of the system: the IT aspect, the human aspect, and the physical aspect. Organizations need to consider the cyber-security risks at the planning stage of the system and determine where vulnerabilities lie and how to address them. Instead of reinventing the wheel, organizations may consider the implementation of an information security management system based on ISO 27001. ISO 27001 lays the framework for the IT security of the system. Once implemented and used, based on industry feedback, the standard includes an annex of controls for implementation to secure the system. ISO 27001 has a total of 114 controls split across 35 control categories.

If an organization already has an ISO management system framework in place, for example, an ISO 9001 based system, integration of ISO 27001 into the existing management system would be a simple exercise. This integration has been made easier by ISO through the use of the High-Level Structure across standards. QMII has for over 30 years encouraged its clients to “appreciate your management system”. As such, we build upon your existing measures and documentation to fill the gaps for requirements set by the standard. This ensures continuity in system acceptance by the users, and the changes to the system are minimal and easier to implement. For successful implementation of your system, beware of templates that promise conformance to the requirements. They may enable you to gain certification but will not ensure any long-term success, least of all cybersecurity.

Learn more about how you can improve your management system and integrate the requirements of ISO 27001 into your existing management system.

AUDITING RISK-BASED THINKING

 

As we work with clients, we find increasing examples of certification bodies requiring risk to be documented within an organization. This despite ISO 9001 specifically not requiring so!

This then brings up the question, “How should we audit the requirements of risk-based thinking within an organization when the same has not been documented using a formal risk management system or methodologies such as FMEA?”

Let us start with the intent of including ‘risk-based thinking’ in the standard, replacing the previous requirement for ‘preventive action’. Risk-based thinking has been included as a preventive measure with the intent of making an organization more proactive in identifying and addressing potential non-conformities (NCs) rather than reactive to NCs. Additionally, rather than limit preventive action to the end of the PDCA cycle, it is now addressed throughout the standard with the concept of risk-based thinking. Therefore, to answer the question posed above, auditors need to evidence risk-based thinking throughout the system, starting with the management down through the operator/service provider.

Before we begin to discuss the process for doing this, let us recall how many times a preventive action was raised within our organization when the requirement did exist under ISO 9001:2008. In my auditing experience the answer is rarely! This in essence defeats the purpose of what the standard was trying to achieve.

Before we begin to audit risk-based thinking, the auditor should get an understanding from management of the context of the organization and the needs of the interested parties relevant to the organization as identified by them. Keep in mind the requirements of Clauses 4.1 and 4.2 also need not be documented. Further, what are the risks that management has associated with the organization achieving its strategic direction? We can also evidence the records of the management review to assess the inputs provided to management per Clause 9.3.2 e.

Once we have the above understanding from leadership, we then look for evidence on how the organization has addressed the risks as identified by leadership. These may include, as an example, risks to meeting business/process objectives, risks from loss of personnel, risks from new legislation that may impact the organization etc. As we audit the organization, we are looking to assess how the processes have been resourced and controlled in order to manage the risk of not meeting the process objective or customer/regulatory requirements. Risk-based thinking is inherent in the clauses for design where organizations are asked to consider the potential causes of failure, in the purchasing process where the organization is asked to select external providers based on their ability to provide products/services meeting requirements, in the planning of audits, in the determination of customer requirements (intended use & unstated requirements), in the resourcing of the system, in the fitness for purpose of monitoring and measuring equipment and in the determination of potential similar non-conformities when taking corrective action.

The above is but a sample of where the application of risk-based thinking can be evidenced. Information from analysis of data per clause 9.1.3 is further used as a source for improvement as per clause 10.1, and all of this can be evidenced in the system.

So then why are certification body auditors seeking a documented risk-management system? Auditees too often do not push back when such a “requirement” is brought up. It does make the audit easier if everything is documented, including risk, but then are we really ensuring the effective application of the standard? The organization could meet this “requirement” for documentation of risk by just documenting two or three risks and monitoring the effectiveness of actions taken to address them. This would meet the auditor’s requirement, but then what about other applicable risks? These would then go unaddressed as the organization will tend to focus on the documented ones, killing the system!

Let us determine the need to document the risks within our system or NOT and not be pressured into documenting our system to meet the needs of auditors.