Are you new to Auditing? If so, read this article and familiarize yourself with one of the most important terms… non-conformities
QMII Webinar: How Not To Prepare For An Audit
Invest in Your QMS Now or Wait Until You Have the Budget?
Many organizations grapple with the question: Should they invest in a QMS now, or wait until they have a more comfortable budget? The evidence overwhelmingly suggests that the time to invest is now.
Can We Trust AI?
We see Artificial Intelligence (AI) in use all around us, sometimes visibly and often in ways that are not directly visible to us. It is here to stay, and as we learn to live with it there remains a concern about whether we can fully trust it. Hollywood has painted a picture of the rise of the machines that instils fear in some of us (the idea is at least as old as E. M. Forster's 1909 story "The Machine Stops"): fear of AI taking jobs, of AI diminishing human intelligence, and of AI being used for illegal purposes. In this article we discuss what actions organizations can take to build trust in AI so that it becomes an effective asset.
What does it mean to trust an AI system?
For people to begin to trust AI there must be sufficient transparency about what information the AI has access to, what its capabilities are, and what model and training data its outputs are based on. While I may not be a guru in AI systems, I have been following its development over the last seven to eight years, delving into several types of AI. IBM has an article that outlines the several types of AI that may be helpful. I recently tried to use ChatGPT to provide me with information and realized the information was outdated by at least a year. To better understand how we can trust AI, let us look at the factors that contribute to AI trust issues.
Factors Contributing to AI Trust Issues
A key trust issue arises from the algorithm and model (for example, the neural network) that produces the outputs. Another key factor is the data on which those outputs are based: knowing what data the AI was trained on and is using is essential to trusting its output. It is also important to know how well the model was tested and validated prior to release. AI systems are typically evaluated on a held-out test data set to determine whether the model produces the desired results; the system is then tested on real-world data and refined. AI systems may also carry biases introduced by their design and their training data. Companies face security and data privacy challenges too when using AI applications. Additionally, as stated earlier, there remains the issue of misuse of AI, much as cryptocurrency was misused in its initial phases.
What can companies do to improve trust in AI?
While there is much for organizations to do to address the issues listed above, and it may take a few years to improve public trust in AI, companies developing and using AI systems can take a systems-based approach to implementing them. The International Organization for Standardization (ISO) and the IEC recently published ISO/IEC 42001, Information technology – Artificial intelligence – Management system. The standard provides a process-based framework to identify and address AI risks effectively, with the commitment of personnel at all levels of the organization.
The standard follows the harmonized structure of other ISO management system requirement standards such as ISO 9001 and ISO 14001. Its Annex A outlines nine control objectives and 38 controls. The controls, based on industry best practices, ask the organization to take a lifecycle approach to developing and implementing AI systems, including conducting an AI system impact assessment, system design (including verification and validation), controlling the quality of the data used, and processes for the responsible use of AI, to name a few. Perhaps the first thing organizations can do to protect themselves is to develop an AI policy that outlines how AI is used within the ecosystem of their business operations.
Using a globally accepted standard can deliver confidence to customers (and address trust issues) that the organization is using a process-based approach to responsibly perform their role with respect to AI systems.
To learn more about how QMII can support your journey should you decide to use ISO/IEC 42001, or to learn about our training options, contact our solutions team at 888-357-9001 or email us at info@qmii.com.
-by Julius DeSilva, Senior Vice-President
Are Medical Audits Improving Systems Or Only Driving Fixes?
Is there a potential downside to medical audits when the audits are focused on finding and fixing problems? A recent discussion with a medical professional piqued my interest in the value of medical audits, given that QMII, a subject matter expert in auditing, has ventured into the medical auditing field. This led to conversations with a few additional healthcare professionals to understand a little more about medical audits, their findings, and how organizations address them. My additional reading pointed to a lack of effective systemic corrective action. In this article, I discuss some aspects of the medical audit process and what organizations can do to improve both the audit process and the implementation of corrective action.
There are various types of medical audits, including clinical audits, billing/coding audits, financial audits, operational audits and compliance audits. While there are regulations, protocols and standards against which these audits are conducted, in many cases industry best practices are also used as audit criteria. This brings subjectivity into the audit, as "best practice" knowledge varies from auditor to auditor with their experience. Auditing to an auditor's experience has a major drawback, not just in the medical industry but in all industries: it takes auditors away from the requirements, which results in biased, and possibly inaccurate, inputs to leadership. It also leaves the auditee (the organization being audited) on the receiving end of findings for which there is no definite requirement. That is, they may change their system based on one auditor's finding only to have another auditor object to the very actions they implemented on the previous auditor's advice.
Medical Audits and Recommendations
In medical audits, it is common practice for auditors to provide recommendations to address findings. These recommendations are based on experience and industry best practices. In third-party ISO certification audits this is not permitted, because recommending solutions is consultancy and compromises the auditor's impartiality. In most industries, including healthcare, there is no obligation to act upon an auditor's recommendations. However, if auditors are perceived to be in a position of authority, there is an underlying implication that the recommendation must be implemented, for fear of the nonconformity recurring only for someone to say, "the auditor told you what to do and no action was taken". This also implies that such audits do not delve deeply enough to identify systemic weaknesses within the processes or the workflow.
In speaking with the medical professionals within my professional circle of friends, it was surprising to hear that in many cases the personnel being asked to address audit findings are unaware of any root cause analysis methodology and have been given no formal training in the subject. Further, they are not clear about what a CAPA (corrective and preventive action) is, but do know that they need to provide some action to close out the finding. In such cases, is it fair to expect effective corrective action? Perhaps the lack of effective corrective action perpetuates the need for auditor recommendations!
Without proper training, it is only natural for personnel responding to audit findings to default to the auditor's recommendations and to implement the actions prescribed by the auditor as the corrective action in and of itself. Sadly, in such cases the root cause of the issue goes unaddressed. The root cause may lie in inadequate resources or technology, or even in a lack of guidance or policy from leaders. While the aim of the audit is to identify where the process may require additional controls, all in the interest of better healthcare for the patient, the outcome may be only a band-aid.
What can be done to change this?
While change may not come overnight, there are a few key steps that can be taken to improve the audit process overall, right through to corrective action, and meet the end goal of providing better healthcare.
Auditor training – Auditors must be trained to remain objective throughout the audit process, to focus on the requirements (criteria) of their audit, and to gather factual evidence and assess it objectively (evidence, not experience!). Further, they must understand the implications of providing recommendations and therefore refrain from providing any. The auditor's role is to assess the adequacy of the corrective action plan submitted and to verify the effectiveness of the actions taken.
Root Cause Analysis Training – Healthcare organizations must invest in training their personnel in the different root cause analysis methodologies and in how to apply them to identify the root cause(s) of a problem.
Reinforcing that recommendations need not be accepted – Organizations must have the professional courage to push back on auditors and decline recommendations. Auditors do not know all facets of the process from the short sample of the organization they witness. If the "advice" in their recommendations is wrong or ineffective, who then pays the price?
Auditor Selection – ISO 19011 provides guidance on the behaviors and skills that an auditor should exhibit, and these apply to an auditor selected to conduct any type of audit. Auditors must be evaluated periodically to ensure they remain objective throughout an audit and work to assess the effectiveness of controls and the adequacy of resources in determining whether the overall objectives have been met. To learn more about how QMII can support your organization's audit process, click here.
–Julius DeSilva, Senior Vice-President
Responsibly Implementing Artificial Intelligence
Artificial Intelligence (AI) entered our lives stealthily and before long became an integral part of all we do: from choosing a playlist, to self-driving cars, to providing service desk support, to name a few. Some people have openly embraced AI while others approach it more cautiously, afraid of domination and the "rise of the machines". Along with the opportunities that AI presents come risks, and therefore responsibility. In December 2023 ISO and IEC published a management system standard, ISO/IEC 42001, that provides a framework for organizations looking to use a process-based approach to managing the risks and opportunities associated with the use of Artificial Intelligence.
What is an AI system?
As defined by ISO/IEC 22989, an artificial intelligence system is an engineered system that generates outputs such as content, forecasts, recommendations or decisions for a given set of human-defined objectives. Artificial intelligence can be further broken down into subcategories, from weak AI to strong AI. There are also various associated terms used within the industry that fall within the realm of artificial intelligence systems, including autonomous AI systems, machine learning and cognitive computing, to name a few.
An integrated standard approach
In structuring the standard, ISO/IEC follows the harmonized 10-clause structure used by standards such as ISO 9001 and ISO 45001. This makes it easier for organizations to integrate the requirements into their existing management system. Like other ISO management system standards, ISO/IEC 42001 is not prescriptive within the standard clauses. Similar to ISO/IEC 27001, however, it includes an annex of controls that must be considered and whose exclusion must be justified when they are deemed not applicable. Annex A has a total of 38 controls, split among nine control objectives. As a risk-based standard, it requires organizations to conduct an AI system impact assessment, conduct a risk assessment, and then implement controls to treat the risk to an acceptable level.
ISO/IEC 42001 control areas
The nine control areas of Annex A intend to:
- Provide management commitment and direction
- Establish organizational accountability
- Determine and provide resources
- Assess the AI system impacts
- Provide a framework for managing the AI system life cycle
- Control data used within AI systems
- Provide a framework for communication with interested parties
- Ensure responsible use of AI systems
- Manage third-party and customer relationships
ISO/IEC 42001 also references the NIST AI Risk Management Framework (AI RMF), developed to better manage the risks to individuals, organizations, and society associated with artificial intelligence (AI).
Next Steps for Companies seeking to align to ISO/IEC 42001
If your organization is seeking to demonstrate a responsible use of AI systems and choosing to align with the ISO /IEC 42001 framework, the next steps would be to:
- Conduct an "As-Is" assessment – Identify what controls and resources are already in place within the existing management system.
- Conduct an Impact Assessment – The Annex A controls provide a structure for how to achieve this and Annex B provides further guidance. This requirement also supports the impact assessment obligations of the EU AI Act. Inputs to the assessment will come from an understanding of the organizational context and the needs of the interested parties.
- Conduct a Risk Assessment – Identify potential risks and opportunities for users and society, including the implications of deploying AI systems.
- Develop Risk Treatment Controls – Identify measures that the organization will implement to mitigate the risks to an acceptable level and then a plan to ensure the effectiveness of controls implemented.
- Implement and monitor the controls and system, with an aim to driving continual improvement and ensuring the responsible use of AI.
To learn more about how QMII can support your implementation of ISO/IEC 42001 reach out to QMII solutions team at info@qmii.com or call us at +1 (888) 357-9001.
-By Julius DeSilva, Senior Vice-President
Webinar Topic: Going from Good to Great
Presented by Julius DeSilva, Senior Vice-President
How to Alleviate Common Management System Pain Points
Implementing ISO standards is not mandatory; however, a management system conforming to a standard can have numerous benefits, including increased efficiency, proactive risk management, better interaction among departments, and alignment with the needs of interested parties. However, once you are actually in the process of implementation, you may experience the following pain points:
- Lack of top management commitment
- Limited resources to effectively implement the program
- Lack of buy-in from the workforce
- Over documented systems
- Lack of measurable objectives driving improvement
- Teams lack adequate interaction and alignment
- Company is focused on keeping certification at all costs
Quality Management International, Inc (QMII), with over 37 years of providing sustainable solutions for our clients, recognizes how these hurdles can impact an effective management system. QMII has developed solutions to address and alleviate these pain points that continue to benefit our clientele.
A management system consulting project cannot start without top management present to map the process of what they do (the core process) and to identify the core objectives for the system. Policies, objectives, and motivation must be demonstrated from the top down and evidenced by all team members. To further reinforce commitment, we have top managers develop a presentation to launch the system, which is then used for awareness training as the system progresses. This is done using our Awareness Leaders Workshop. Without authority, responsibility, and resources, middle management and individual contributors cannot improve the business management system.
We understand that companies have financial restrictions. With a mission to get organizations to appreciate the benefits of a process-based management system, we provide multiple options to work around this challenge.
(1) We provide free information on our website so you can carry out ISO implementation at your organization.
(2) Attending a lead auditor training course is a relatively minimal cost. You and your team will gain a comprehensive understanding of the desired ISO standard and gain the skills necessary to implement requirements and conduct audits to determine conformity.
(3) If you need a little more guidance, we provide scalable consulting services. Our consultants are here to assist you with exactly what you need. You will not have to pay for the full package.
(4) Our alumni have free email and phone support, for life, to get over average hurdles.
As for reluctance among employees, it is human nature to be reluctant towards change. Keeping this in mind, QMII consultants get key process owners to evidence top management's commitment and ensure that they are involved in QMS (Quality Management System) development. We work with them to capture the system as it is and as it should be. It is essential to get team buy-in during this process and to get their input on the realities of the process. Teams must also interact and be aligned. We provide team-building workshops where we align objectives to the vision and processes to the objectives.
ISO implementation is not an overnight process, it may even seem daunting. QMII’s Action Plan Checklist is readily available, and it focuses on the big picture to simplify the process. If you need more assistance, our consultants would be happy to work with you through the checklist. We appreciate the system you already have; we are simply helping you enhance it to meet requirements and set objectives. Documentation is a significant part of ISO implementation. To remove complexities, we incorporate existing documentation and use a format that works best for you.
At the end of the day, ISO certification is primarily a marketing decision. QMII strives to help you develop a resilient, integrated management system so that you receive actual benefits. Once set up, your system will work independently and continue to improve while managing risk proactively.
Reducing Your Carbon Footprint with ISO 14001
In today's world, climate change and environmental sustainability have become increasingly important. As individuals and businesses, it is crucial to take responsibility for our actions and strive to minimize our impact on the environment. ISO 14001, part of the ISO 14000 series of standards, provides a comprehensive framework for managing environmental impacts, including, where applicable, reducing carbon footprint. In this article, we explore what ISO 14001 is, explain the concept of a carbon footprint, highlight other ISO 14000 series standards that apply to reducing carbon footprint, and describe how ISO 14001 may be used to reduce it.
What is ISO 14001?
ISO 14001 is an internationally recognized standard developed by the International Organization for Standardization (ISO). It sets out the framework and requirements for an effective Environmental Management System (EMS), which enables organizations to manage and improve their environmental performance. The standard provides a systematic approach to identify, prioritize, and address environmental aspects and their associated impacts.
Understanding Carbon Footprint
A carbon footprint is the total amount of greenhouse gas (GHG) emissions, carbon dioxide (CO2) and other GHGs, produced directly or indirectly by an individual, organization, product, or activity, usually expressed in tonnes of CO2 equivalent. It is a measure of the impact human activities have on the environment in terms of climate change. The carbon footprint encompasses emissions from various sources, such as energy consumption, transportation, waste management, and manufacturing processes.
ISO 14000 Series Standards for Reducing Carbon Footprint
ISO 14001 is just one of the many standards in the ISO 14000 series that can help organizations reduce their carbon footprint. Some of the other standards include:
- ISO 14064: This standard provides guidelines for quantifying, monitoring, and reporting GHG emissions and removals. It helps organizations measure their carbon footprint accurately, establish baselines, and set reduction targets.
- ISO 14067: This standard focuses on the quantification and communication of the carbon footprint of products. It provides guidance on calculating the lifecycle GHG emissions of a product and encourages organizations to consider environmental impacts throughout the entire product lifecycle.
- ISO 14069: This standard provides guidance on applying ISO 14064-1 at the organization level. It helps organizations set their reporting boundaries, select emission sources and categories, and quantify and report their GHG emissions consistently, so that reduction efforts can be measured against a reliable baseline.
- ISO 14044: This standard provides guidelines for conducting life cycle assessments (LCA). LCA is a comprehensive approach to evaluate the environmental impacts of a product or service throughout its life cycle, including raw material extraction, manufacturing, distribution, use, and disposal. By conducting LCAs, organizations can identify areas for carbon footprint reduction and make informed decisions to improve sustainability.
Benefits of ISO 14001 for Reducing Carbon Footprint
Implementing ISO 14001 and related standards offers several benefits for organizations committed to reducing their carbon footprint:
- Improved environmental performance: ISO 14001 provides a structured approach to identify and manage environmental aspects, including carbon emissions. It enables organizations to develop strategies, set targets, and implement initiatives to reduce their impact on the environment.
- Cost savings: By implementing effective environmental management practices, organizations can identify opportunities to optimize resource usage, reduce energy consumption, and minimize waste generation. This can result in cost savings through improved operational efficiency.
- Enhanced reputation: Demonstrating a commitment to reducing carbon footprint through ISO 14001 certification can enhance an organization’s reputation among stakeholders, including customers, suppliers, investors, and the public. It showcases responsible environmental stewardship and may create business opportunities and competitive advantages.
- Regulatory compliance: ISO 14001 helps organizations align with environmental regulations and legal requirements related to carbon emissions. Such regulations are becoming increasingly stringent, and ISO 14001 provides a framework to stay ahead of evolving requirements.
In conclusion, embracing ISO 14001 is a proactive approach towards a greener and more sustainable future. While reducing carbon footprint is one of the achievable goals of an EMS, there are many other benefits. To learn the requirements of ISO 14001 and how they can benefit your organization, consider one of QMII's ISO 14001 training options for your team.
ISO 27001:2022 – what are the changes?
ISO/IEC 27001:2022, the international standard for information security management systems (ISMS), was published in October 2022 to reflect the latest developments in the field of information security. The changes are aimed at helping organizations better manage their information security risks and protect their sensitive data.
What are the key changes?
The majority of changes to the standard were in the Annex A controls, which were restructured: the way the controls are organized changed, and the total number of controls was reduced from 114 to 93.
Of the old 114 controls, 35 remained unchanged, 23 were renamed, 57 were merged to form 24 controls, and 11 new controls were added. The 93 controls are now grouped into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls) and Technological (34 controls).
ISO 27001:2022 introduced new controls for risks that the 2013 edition did not explicitly address, such as the use of cloud services. These technologies bring significant benefits to organizations but also introduce new risks that must be managed.
The updated standard also has a new control on threat intelligence, which helps organizations remain proactive in their approach to information security, as well as new controls on data masking and web filtering.
The order of the main mandatory clauses remains the same, Clauses 4 through 10, with the structure aligned to the harmonized structure of other ISO management system standards. The clauses with significant changes include:
- Clause 4.2 now requires the organization to determine which of the interested party requirements are relevant to the ISMS and will be addressed through it.
- Clause 4.4 aligns with ISO 9001 in requiring the organization to identify the processes needed for the ISMS and their interactions, that is, those essential for the organization to achieve its ISMS objectives.
- Clause 6.2 provides further clarity about planning to achieve objectives, monitoring them, and keeping them as documented information.
- Clause 6.3 was added to require that changes to the ISMS be planned systematically.
- Clause 8.1 now requires the organization to establish criteria for the processes needed to meet ISMS requirements and to implement the actions determined in Clause 6, and to control those processes in accordance with the criteria set.
There are a few more minor changes to the wording of some of the mandatory clauses.
How can you upgrade your system to conform?
The first step is to gain an understanding of the changes and the new requirements. Consider taking an updated Lead Auditor training or transition course that has been recognized by a personnel certification body. In choosing your training provider, consider their reputation, the experience of the instructor, and the availability of virtual course options.
With this knowledge, conduct a gap analysis of your existing system against the requirements of ISO 27001:2022 and draw up a prioritized list of actions with an owner for each. Assign deadlines for the items to be completed, and conduct at least one internal audit and management review under the updated system before approaching a certification body.
Update your existing Statement of Applicability (SoA) to reflect the new and updated Annex A controls, including the justification for any control you exclude. Train all system personnel in the changes to the system and drive awareness of information security among all personnel.
In conclusion, the changes to ISO 27001:2022 reflect the changing context in the field of information security. The QMII team would like to understand your system needs and support your goals of attaining conformity to ISO 27001 and a competent workforce trained in the requirements.