Obtaining Top Management Commitment

Who cares about the system? 

Management systems need top management commitment to work well, and yet many systems lack the necessary commitmentYou may recognize some symptomsPolicy – ignoredObjectives  are barely alive. Corrective actions remain open. Managers seem not to appreciate the value of the requirementsEmployees are unsure about the system’s requirementsProactive identification and addressing of risks/opportunities is rareRoot causes of failure remain in the system. Consequently, the system is not improved. Employees are unaware of what the system should do for themManagement reviews are embarrassingLeaders either do not show or do not contribute. Top Management Commitment is lacking. Audits may temporarily energize the playersManagement representatives ask, Am I the only person who really cares?” 

Who trained the leaders? 

Many leaders do not explain their management systemsThey may know the importance of certification, but they rarely explain why their system is vital for survival and growthWhy is this? Examine your internal audit program; is it driven by top management’s objectives?  Audit your training recordsDo they show that leaders are competent and confident to show their top management commitment? Who trained the leaders in their organizational management systemCompetent leaders take responsibility for their systemThey explain how their system works and why its requirements are so important to themUnaware leaders blame employees for mistakes caused by their system. 

Your system, is it perceived as worthy? 

Even if your system is certified, do not expect leaders to support it Every organization is a systemDoes the documented part of this system describe how it converts stakeholder needs into cash (or continued funding)?  Is this the management system that was certified or was it some new ISO system built on templates?  

Is your system irresistible to the leaders?  If notshow how your system converts needs into cash so top managers would not want to lead without itTry our methodology to appreciate how others have developed systems and gained top management commitment beyond certification. Everyone should fulfill their objectives and earn their bonuses by using and improving  the system.  

Awareness Leaders Workshop 

Engage us to design and facilitate your one-day Awareness Leaders Workshop™Select attendees who are leaders by job title and those who are leaders by personalityInclude the skeptics! 

We listen to your objectives and design your workshop to fulfill your required outcomesThis may need  system analysis to result in a diagram that explains how the system converts needs into cash. This  workshop is facilitated by our senior management system consultant and auditor, who for over 20 years  has helped many willing and reluctant managers to understand and commit to their systems. 

Prepare for action 

Remove the root causes of what ails many management systemsYou want your top management commitment  to the requirements of their management systemClear the backlog of stale CARs  and pending actions on identified risks to prepare for the surge of improvements flowing from the renewed leadership of your system 

When you are ready, please email IJ Arora or call 888.357.9001 with your requirements.

Stop the Firefighting: Use Effective Root Cause Analysis

Root Cause Analysis (RCA) or Causal Analysis when applied correctly should help to prevent the recurrence and occurrence of similar issues within the organization. Why then is such little time, money and or effort afforded to it?

Heroes save the day! Yet again! How often have we come across news articles that laud those who manage the crisis, stop the plane from crashing or save the patient. The reality in any casualty is that, a system failure has resulted in a non-conforming product/service, including failed inspection. Organizations should laud and appreciate those who prevent incidents/ accidents/non-conformities and those who perform effective root cause analysis. Those who recognize near misses and perform CA  should receive equivalent if not more praise.

The root cause of many diseases is lack of a healthy lifestyle. Presumably, annual medical check-ups would show the flaws and enable risk appreciation to prevent a disease or illness from manifesting itself. This data however may not be enough to provide an accurate diagnosis or prevent a serious medical condition. Perhaps some may see the regular check-ups as a waste of money and time! This may help to explain why companies are reluctant to do root cause analysis when non-conformities arise. Their instincts are to do the firefighting when something goes wrong. This basic firefighting often appears to be less expensive, quick and seemingly more convenient. However, as has been proved again and again in various fields (quality, safety, security, etc.) prevention is better and more cost effective than the cure.

Why Problems Persist?

There are many methodologies for root cause analysis (RCA). It is not the intent of this article to educate its readers on the various RCA methodologies. Before we delve into why problem persists let us considers why problems occur. Problems usually occur because of the lack of a functional well implemented management system. This includes the lack of management commitment, timely identification of risks and lack of controls/adequate resources for the processes. Despite repeated warnings from their doctor, patients choose to continue living their current lifestyle. During incident investigation interviews this comment is often heard ‘this is the way we always did it’. Humans are not always accepting of changes and ‘if it ain’t broke then why fix it?’ Management of change is never easy. The larger the organization the more difficult it is to enable the change. Often in management systems, problems are ‘fixed’. This makes the issue go away albeit temporarily. Everyone likes a good score card and ‘fixing’ the issue makes everything look good again. However, when the root cause(s) are not addressed this dragon will raise its ugly head again.

When root cause analysis points toward leadership or top management, the job security aspects may prevent the middle managers from completing the RCA process. This political limitation, to avoid exposing process issues within the ranks of leadership are counterproductive, and yet a reality. As preposterous as it may sound, in some cases leadership may opt for paying the fine when things go wrong and then proceeding as is. This is seen as the ‘less expensive’ option than resourcing actions to prevent the recurrence/occurrence of problems. Conflicts of interest in the workplace, can often be a reason for a lack of effective root cause analysis.

Stopping the Firefighting.

With all due respect to firefighters and other emergency personnel, organizations want to solve the problem, so they do not have to call them back! This means getting to the root cause(s) of the incident. Very often when identifying the root cause(s), the work group or practitioners often stop short of finding the actual “root cause.” These may be the immediate direct or indirect causes. The root case may lie in another part of the organization and often gets missed. Root Cause Analysis when done correctly drives systemic changes to prevent similar issues from cropping up again. As with everything else the RCA team needs the backing of the leadership including the needed resources to be effective.

In conducting effective root cause analysis, the inputs of customers and other stakeholders may be needed. For effective root cause analysis is of interest to all organizations that are integral to the successful implementation of a management system. The element of social responsibility in the defined duties of leadership need to be audited and have consequences when customer focus is lost. The new root cause analysis model should have an element of responsibility attributable to the top management. The intent, not to encourage a blame culture, but a responsibility culture. As a part of QMII’s management system implementation we train selected candidates as a problem-solving team to enable and empower continued success of the system. To sit in the fire house and focus on other initiatives such as innovation, social responsibility etc. an organization has to proactive rather than be responsive.

Conclusion

Leadership often questions why money spent on management systems, particularly when based on ISO Standards do not work? Why a conforming product or service is not constantly delivered by an organization? Mature organizations recognize that the only bad nonconformity (NC) is the one that they do not know about. Once the NC is identified, the system must drive Correction and CA (corrective action, based on RCA). Closed NCs added to the database, along with the proper analysis of the information, will allow system users to appreciate risks and trends to identify the opportunities for improvement (OFI). However, all this will fail if the MS (management system) users do not understand the value of RCA.

For the success of a Management System, its outputs based on inputs must deliver conforming products and services.  When the Management System does not achieve this, all stakeholders should be interested in the root cause analysis and corrective action.

AUDITING RISK-BASED THINKING

 

As we work with clients, we find increasing examples of certification bodies requiring risk to be documented within an organization. This despite ISO 9001 specifically not requiring so!

This then brings up the question, “How should we audit the requirements of risk-based thinking within an organization when the same has not been documented using a formal risks management system or methodologies such as FMEA?”.

Let us start with the intent of including ‘risk-based thinking’ in the standard, replacing the previous requirement for ‘preventive action’. Risk-based thinking has been included as a preventive measure with the intent of making an organization more proactive to identifying and addressing potential non-conformities (NCs) than to be reactive to NCs. Additionally, rather than limit preventive action to the end of the PDCA cycle it is now addressed throughout the standard with the concept of risk-based thinking. To therefore answer the question posed above auditors need to evidence risk-based thinking throughout the system starting with the management down through the operator/service provider.

Before we begin to discuss the process for doing this let us for recall how many times a preventive action has been raised within our organization when the requirement did exist under ISO 9001:2008. In my auditing experience the answer is rarely! This in essence defeats the purpose of what the standard was trying to achieve.

Before we begin to audit risk based thinking the auditor should get an understanding from management of the context of the organization and the needs of the interested parties relevant to the organization as identified by them. Keep in mind the requirement of Clause 4.1 and 4.2 also need not be documented. Further what are the risks that management has associated with the organization achieving its strategic direction. We can also evidence the records of the management review to assess the inputs provided to management per Clause 9.3.2 e.

Once we have the above understanding from leadership, we then look for evidence on how the organization has addressed the risks as identified by leadership. These may include as an example risks to meeting business/process objectives, risks from loss of personnel, risks from new legislation that may impact the organization etc. As we audit the organization, we are looking to assess how the processes have been resourced and controlled in order to manage the risk of not meeting the process objective or customer/regulatory requirements. Risk based thinking is inherent in the clauses for design where organizations are asked to consider the potential causes of failure, in the purchasing process where the organization is asked to select external providers based on their ability to provide products/services meeting requirements, in the planning of audits, in the determination of customer requirements (intended use & unstated requirements), in the resourcing of the system, in the fitness for purpose of monitoring and measuring equipment and in the determination of potential similar non-conformities when taking corrective action.

The above is but a sample of where the application of risk-based thinking can be evidenced. Further information from analysis of data per clause 9.1.3 is further sued as a source for improvement as per clause 10.1 and all of this can be evidenced in the system.

So then why are certification body auditors seeking a documented risk-management system? Auditees too often do not push back when such a “requirement” is brought up. It does make the audit easier if everything is documented including risk but then are, we really ensuring the effective application of the standard. The organization could meet this “requirement” for documentation of risk by just documenting two or three risks and monitoring the effectiveness of actions taken to address them. This would meet the auditors requirement but then what about other applicable risks? These would then do unaddressed as the organization will tend to focus on the documented ones, killing the system!

Let us determine the need to document the risks within our system or NOT and not be pressured into documenting our system to meet the needs of auditors.

Eight Steps for a Successful Audit

ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholder’s requirements. Organizations, certified to ISO standards, strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits too add value to this system provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or yet the evidence may not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the jng the organization in the art of getting audited? In well-functioning systems the organization should never have to prepare for an audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven . The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given.

 

Here are eight steps an organization can do to have its employees get that confidence:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On regular basis, in day to day work and meetings refer to the management system. Ensure Quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even the middle and lower management e.g. supervisors should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in) the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its Internal system and ask how the internal audit program missed the NC raised by the third party? Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TMs must stay involved by asking on the progress to the CA process. Overdue NCs must be investigated and TM must ask during the MR why the concerned department did not address it in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
  7. Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with their process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

 

By CEO and President, Captain Inderjit Arora