Myth: Management system implementation – documentation must align to the ISO standard

Companies use different management system implementation methodologies to understand the requirements / inputs of their customer and then plan to deliver outputs meeting requirements as a conforming product / service. The International Organization for Standardization (ISO) publishes standards which, when correctly interpreted, enable companies to systematically and consistently provide desired outputs while addressing risks. Using the framework/methodology provided by ISO, companies design systems / processes to work together to deliver desired outputs.

The endeavor of the organization should be to define the outputs (products/services) accurately, after understanding customer requirements, both stated and unstated. ISO standards allow companies of any size and industry to implement them. Hence a lot is left open to interpretation. Despite this, certification of these systems delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO certification gives confidence of a certain basic framework being implemented and followed.

The risks are appreciated in the context of the organization. The core process of the organization has its objectives directly derived from the company policy. The Key and Support procedures ensure the objectives of the core procedure are met and deliver a conforming product and/or a conforming service.

Why do ‘ISO-ized’ systems fail?

This understanding of how a management system works and delivers products and services must be understood in the spirit of the ISO standard. The use of the standard is not like a magic wand which will guarantee excellence or success. The Standard needs careful interpretation to design the processes necessary to meet stakeholder requirements. Many an ‘ISO-ized’ management system implementation does not deliver sustained success because, when written around the clauses of the standard, the system is not actively used and therefore does not deliver the feedback that a good system should.

The process needs to be documented around what the users do. These processes then need to be resourced, controlled, monitored, audited and reviewed for continuing suitability, adequacy and effectiveness. Organizations blunder into believing that ‘ISO-izing’ their system is the panacea to all their problems. It is not. These systems documented to the clauses only benefit the external auditors of the system. The system should be documented for easy use by the users of the system. Auditors and auditing are an integral part of the system; meant to provide objective inputs for improvements and not to dictate how the system functions.

The process approach to management system implementation

The process-based approach is fundamental to management system implementation. The success in ISO standard implementation (be it for efficiency, managing risk, security, environment, aerospace quality or food safety etc.) lies in a good plan that accounts for system risks given the organizational business context. Management system implementations should ideally capture the “as-is” of the system, compare it to requirements and identify the gaps, enabling design of new procedures and an update of existing procedures. These procedures are designed to meet measurable objectives that are based on the policy of the leadership. Users of the system do the work to meet the objectives and the procedures must capture the ‘how’ of what they do.

The chain from understanding requirements, risks and inputs to creating the policy should be systematically considered in designing the management system prior to resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership from cradle to cradle, i.e. from the planning to implementing to monitoring and reviewing of performance for improvement. This approach gets Top Management (TM) to take personal ownership of their management systems.

Conclusion

ISO standards are not prescriptive and need interpretation by the users of the system. Using the Plan-Do-Check-Act (PDCA) cycle approach, leaders convey their policy to the users of the system. The system ensures adequate controls and resources, so outputs meet the inputs and the measurable objectives as set. Management system implementation, when done correctly, allows for feedback to be captured so risks and opportunities for improvement are identified and addressed in a timely manner. As for the auditors, let us have them use their innovative approaches to identify how the system meets the requirements and intent of the standard. To make it easy we could provide them with a cross-reference matrix to demonstrate where the requirements of the system are met within the documented procedures. Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of a ‘De-ISO-ized’ system.

Defining Measurable Objectives/ Metrics to Drive Continual Improvement

Measurable objectives are an essential input for all levels of the management and come from the top management (TM). These objectives guide personnel at the work level to help ensure the success of a management system. The need for a set of value-based metrics is met by looking carefully at the company policy (based on the strategic direction) and then drawing the measurable objectives from it.

My thought is that, for any organization, giving more than the desired value is a challenge! Values in today’s business world are often related solely to the ROI (Return on Investment). Providing value to the customer is a goal. The question is at what cost? Due to budgetary concerns, no organization wants to do more than what is required. Availability of funds is input to the design of the final product and/or service. Consequentially, the values that an organization sets for itself must be based on trying to meet the objectives and expectations of the customers, or the statutory bodies (if relevant) within the constraints of the resources. Where a statutory body is involved, it is the vital responsibility of that body to precisely define expectations and what metrics they will accept.

My opinion is that the statutory bodies such as the FAA, FDA, EPA, and USCG, would have concerns about continual improvement by the external service providers. It is therefore critical to conduct an analysis and conduct management reviews internally to achieve the intended purpose of Clause 10.3 of ISO 9001:2015. However, it all starts with defining, providing and monitoring these clear expectations. This means that the statutory body should provide guidelines for stated requirements, as the IMO does in the ISM Code, within Resolution A.1118(30) & MSC-MEPC.7/Cir8. In a similar manner, the USCG could provide clear guidelines for TPO (Third Party Organization) and for the towing companies for the Subchapter M.

Statutory bodies, understandably, may struggle with defining their policy in the initial stages and clearly converting it to a set of measurable objectives (Value based metrics) for external providers. The need for the Leadership (TM) is to spend time and resources well at the plan stage of the PDCA cycle (Plan-Do-Check-Act) by understanding the context of the organization (Clauses 4.1 and 4.2 of the ISO 9001) and appreciate the various risks (Clause 6.1 of ISO 9001) keeping the customer focus in mind. The Standard here provides useful clauses to make the decision. An objective audit of the internal procedures of the statutory body (Clause 9.2 of ISO 9001) would provide the inputs for the Management Review (Clause 9.3) and ensure a robust decision-making process. This then should be followed by regular audits of the organization to which the processes have been outsourced (meeting the requirements of Clause 8.4.1 and 8.4.2 of ISO 9001). The organization which provides the outsourced service or product needs the information in terms of clause 8.4.3 to perform to the total satisfaction of the statutory body. As such providing clear requirements is a vital role of the statutory body.

Once requirements are clear, the organization providing a product or service will use these inputs to design their Policy (Clause 5.2 of ISO 9001, 5.2.1 d). This policy would then ensure that the feedback loop will help to drive continuous improvement efforts of the QMS. This policy would then provide the framework for the “value-based metrics”, which in Quality terms would be the measurable objectives in terms of clause 6.2. Both 6.2.1 and 6.2.2 would put the organization on the correct path to success. The statutory body would vigorously and regularly audit the correct implementation itself or by using an independent professional service provider.

In effect, what this means is that just being certified to e.g. ISO 9001:2015 is not enough for any organization. What is required is a functioning PBMS (process-based management system) based on the chosen standard and other criteria implemented by committed leadership and motivated manpower.

(The author, Dr. IJ Arora, is the President and CEO of QMII.)

Monitoring Outsourced Processes is a Primary Responsibility of Every Organization

The international standards provide a world of wisdom enabling robust planning to achieve results by the organizations. In this global economy, often doing all the work in-house is not a cost-effective solution. Moreover, with super-specialized industry requirements, perhaps a lot of quality products and services can be procured at reasonable prices. Yet it seems organizations fail to act in the spirit of the standard when putting in place requirements for monitoring outsourced processes. Clause 8.1 of ISO 9001:2015 in operational planning and control has a sting in the tail with a clear whip requiring that “the organization shall ensure that outsourced processes are controlled.”

Statutory requirements are created to provide the required oversight, maintain customer focus and protect the interests of the customer when products and services are cleared for use. The caveat is that the statutory body should be well resourced, have the infrastructure, and maintain organizational knowledge levels (Clauses 7.1.5.1, 7.1.3 & 7.1.6 of ISO 9001) with competent manpower (Clause 7.2). This often is not possible, or with time not sustainable, due to budgetary constraints, knowledge levels dropping with time, and Leadership forgetting their primary role (Clause 5.1.1) of taking accountability for the effectiveness of the QMS (Quality Management System). As such, the resources (5.1.1 e) needed for the QMS are not provided or budgets are not available. The statutory bodies rationalize it by their helplessness since the government does not provide the funding and budgetary support for this.

Whatever the reasons, the question is who suffers? A ship is sunk, an aircraft with all on board has crashed, dangerous drugs are in use. It is the customer who suffers. In helplessness over their ability to do their duties, the statutory bodies outsource the work to contracted parties or, worse, to the manufacturer itself! The whole logic of creating a statutory body is lost with this.

What then is the remedy? The essential rulemaking that implements compliance requires competence, resources, and infrastructure with a committed Leadership ensuring continuing suitability, adequacy and effectiveness of the system. When budgetary constraints do not allow this role to be fulfilled, the risk to the system along with the products and services it provides must be assessed and mitigated or the opportunity for improvement taken (Clause 6.1 of the ISO 9001). This would require the authority to appreciate the FMEA (Failure Mode and Effects Analysis) and take measures to remedy this. If this risk is not appreciated as an NC (Non-conformity), the CA (Corrective Action) will not take place, nor will the government know of the consequences of underfunding or of recognizing the failure and finding alternatives / considering options. If the manufacturer has the resources, the government may consider this an asset and avoid duplication of resources, thinking in national terms. Outsourcing to the manufacturer, as has been seen, can mean losing customer focus and is strictly counter to the very philosophy of statutory work. It would call for aggressive, proactive and strict monitoring of the outsourced processes.

In my opinion, monitoring the outsourced processes diligently, as clearly prescribed in the standard is the answer. New options may not be necessary, if the existing clauses of ISO 9001 and related industry-specific standards, where applicable, are understood in the spirit of the standard and vigorously implemented.

  • Dr. IJ Arora

Avoid These 3 Common TSMS Implementation Pitfalls

Do you face any of these symptoms with your TSMS:

  1. It does not add any benefit to the work you do
  2. You spend more time filling out paperwork than doing the actual work
  3. It does not reflect your work – the way you do it

If you answered YES to any of the above, then read ahead to see how QMII can assist you in simplifying your system to one that works for the inspector …. and YOU! 

Historically, 99% of towing vessels were never required to have a Certificate of Inspection (COI) commensurate with that of cargo ships, tankers and passenger vessels (including small passenger vessels). All towing vessels are now required to be “in compliance with” the new inspection requirements since Sub Chapter M became effective July 20, 2018 (46 CFR 136.172). Despite the new requirement, there are towing vessels that are not fully in compliance.

In this age of Safety Management Systems, the working definition of “being in compliance” might best be thought of as having “documented evidence” of the requirements being in place (physically on the vessel) and being done hands-on (routine and emergency drills). Non-conformities must be documented.  Audits and other quality checks must have evidence.  Think of a cop show on TV where the detective says to the suspect, “I’ll believe the evidence.”

It stands to reason that the “evidence” has to be “Ready for Inspection” at the request of the Coast Guard.  The records and other documents that vessels need to have readily available are the heart of the matter in any Safety Management Program.  This has been the case with vessels that have been required to have a Document of Compliance issued by a classification society in accordance with International Safety Management.  The idea of an SMS is nothing new.  QMII experts have over 50 years of combined experience in helping regulated industries (afloat and ashore) pass their inspections. 

More importantly, QMII has experience in implementing management systems that work for the organization. Why spend money implementing a system for the inspector/auditor and get no benefit out of it? Sure, it is easy to take a template (easily available on the internet) and fill in the blanks to have a ‘compliant’ system. However, the common pitfalls with this are the same as those faced during the early years of ISM Code implementation:

  1. Overly documented management systems – Perhaps you do not need some of the procedures in the template given the nature of your work. Perhaps you already have existing documentation that meets the requirement.
  2. Lack of buy-in of personnel – This is because the benefits of having a TSMS in place have not been explained to personnel. The question “What’s in it for me?” must be answered.
  3. Template system – These are systems built off a template that do not meet the requirements of the organization or reflect the “as-is” of what they do.

At the end of the day, the shortcomings always fall on the shoulders of the “Industry Afloat.”  Take, for instance, the lack-of-communications syndrome.  We cannot overemphasize the idea of clear communication between these three stakeholders, the CG OCMI, the vessel owner (or managing operator) and the TPO.   

Based on our experience, QMII is committed to working with the maritime industry, so that we can help the industry segment that is regulated by the sub-chapter.   

What Makes A System Work?

What Makes A System Work And Successfully Meet Objectives, Expectations And Requirements?

Successful companies have visionary leadership, are able to understand the changing context of their businesses, look ahead and adapt. The 20th and 21st centuries have been fertile with innovation. Many history-defining breakthrough inventions have been developed. Innovation is growing at a pace never known before. The inventors and innovators are naturally accepted as leaders for their ability to clearly define their vision. These leaders can at times be harsh taskmasters; nearly dictatorial in pursuit of their passion (invention/vision). However, where the innovators are part of the team as a group and the leaders of the organization separate, the leadership challenges are different. A professionally led organization without a system cannot be driven only by the passion of its leader, and this is certainly not a recipe for prolonged success.

The need to put a system in place is but, of course, the result of a decision made by the leadership/ top management (TM). TM must have the desire to operate in a systematic manner to achieve desired results and outputs. That desire is indeed key to the motivation of the rest of the organization and crucial to gaining their involvement.  The PDCA (Plan-Do-Check-Act) cycle has to be understood and correctly aligned to the desired standard. There is also a need for commitment from the leadership to the unrelenting pursuit of their policy being systematically converted into measurable objectives and implemented throughout the organization, the implementation monitored and reviewed to ensure continual improvement. 

As experienced consultants, QMII has, for over 32 years, been implementing management systems to achieve results. Consultants never hold the recipe for success but can facilitate and guide the leadership and the organization in the right direction. The key to success is a motivated leadership. Trusting consultants to perform miracles using the perfect templates is a medicine for disaster in the making. A commitment to excellence starts with the leadership and needs the organization’s team to build a system ensuring consistency in meeting the requirements of the customer, stated or unstated. Then alone can an organization attain the success it seeks.

As the year ends and reminiscing on my experience, education and learning from association with numerous varied organizations, my conclusion in differentiating between successful and not so successful organizations takes me to the intent and determination of the TM to be committed to the system approach.

To Err is Human- React or Correct?

The only bad nonconformity is the one we do not know about. Understanding this fact is the key for leaders and their managers being careful not to create a culture that hides nonconformity.

Even so it is common for managers to demand no mistakes and to react badly to errors.

Leading organizations provide employees with management systems that help them to understand and fulfill the requirements. And servant leaders provide a management system to help their employees to eliminate the causes of nonconformity. They do this gradually, according to the 80:20 (or 50:4) rule, so they always start with the vital few nonconformities that cost the most.

Zero Defects (zero nonconformity actually) has to come with humble managers who take responsibility for their management system causing the nonconformity. Care and respect remain the most powerful parts of such management systems. It should not require courage for employees to talk about problems in doing the right work right.

These organizations welcome nonconformity reports to show where the management system needs further improvement to prevent failures to fulfill requirements. They know the only bad nonconformity is the one that remains hidden.

Use PDCA to Meet ISO 9001:2015 Revision Deadlines

Ensuring that the system positively contributes to the organization’s bottom line is important.

With the cutoff date of Sept. 15, 2018, looming for transitioning to ISO 9001:2015 and ISO 14001:2015, there will be organizations chasing certificates. However, certificates can’t improve the system, guarantee better products, or render better service. The fundamental changes to the ISO standards will positively affect business outputs if implemented correctly. However, there’s the possibility that the pressure of deadlines hanging like the sword of Damocles over leaders may result in hurriedly obtained but ultimately worthless paper certificates. Leaders may want to give this a thought as they manage their organizations’ transition or first-time implementation of the standards.

It’s the organization’s well-implemented management system that will enable employees to perform well and produce conforming outputs. The changes in ISO 9001, ISO 14001, as well as the 2016 high-level structure (HLS) revisions to the AS9100 family of aerospace standards, need timely and correct implementation. The changes in these new revisions involve a fundamental rethink of the approach to implementation. There is a call to make ISO standards’-based management systems more proactive by considering risks within the context of the organization, keeping the priorities of interested parties in mind, and managing the internal issues that need planning and thought. Organizational knowledge, per clause 7.1.6 of ISO 9001, needs deliberation to determine how that knowledge can propel the organization to better performance and risk management, and lead to innovation. A robust quality management system (QMS) is an asset that should deliver.

This transition phase requires expertise in correctly interpreting the standard and identifying gaps in the system while respecting the “as-is” of the system. This must be followed by systematic incorporation of the changes within the context of the organization. Using the plan-do-check-act (PDCA) cycle can help. The (good) plan stage must be followed by orientation, motivation, and correct implementation during the do stage, followed by an audit during the check stage to ensure that the system is not only functionally aligned but also meeting the requirement of clause 5.1.1 b and c (i.e., that the QMS is compatible with the strategic direction of the organization). Per clause 5.1.1, there is a tremendous amount of responsibility for top management to ensure a customer focus throughout the organization. The act stage of the PDCA cycle comes about through the management review, which is required per clause 9.3 of the standard. This review must be done soon after the transition audit to give confidence to top management that the system will work.

This additional emphasis in the revised standard to ensure the system positively contributes to the organization’s bottom line is important. Nonconforming outputs must be reduced and not leave the organization as defective products or services. To do this, it’s important to consider the following:

  • Risk-based thinking must become second nature to the organization so that risks are managed and analyzed to consider opportunities for improvement.
  • Outsourced procedures and services must perform to expected standards to meet customer requirements.
  • The work environment, per clause 7.1.4, should ensure that processes achieve product and service conformity to requirements.
  • The combination of competence (clause 7.2), awareness (clause 7.3), and a knowledgeable workforce (clause 7.1.6) that can ensure controlled production and services (clause 8.5.1) is a responsibility of top management.

By CEO and President, Captain Inderjit Arora

The Cost of Certification: A deterrent to system implementation?

Certifications often drive the implementation of a system approach, based on ISO standards. The primary implementation demand is for ISO 9001.

Certifications do have initial costs and then recurring costs for surveillance and re-certification visits. This is a responsive approach to business requirements, invariably driven by a forthcoming contract that mandates the system approach. Prudent businesses appreciate the risk of not having a process-based system.

When budgets are tight, supply chains are challenging, and retaining employees is difficult, it is all the more essential that organizations invest in a good management system. As W. Edwards Deming said, “A bad system will let down a good person every time.”

An efficient management system should be an essential asset of any good organization. Certification should not be the primary driver of this requirement. The optimum return on investment is achieved through effective process performance based on objective information analysis, which in turn is based on data from within the organization or an appreciation of inputs publicly available. Organizations’ leaders should look beyond certifications to implementing and maintaining systems that drive continual improvement. Continual improvement drives organizations to find cheaper and quicker solutions while improving the quality of their products and services. After all, is that not what customers expect? The best quality for the cheapest price point?

Organizations can, and should, consider the option of self-declaring their conformity to ISO 9001, without incurring the added expense of certification, especially when customer requirements do not mandate it. Meeting customer requirements, ensuring continual improvement, and leading the organization to innovate cannot be achieved without a system in place. Effectiveness and efficiency are achieved when employees use system processes to achieve objectives. Customers’ confidence in the organization comes from trusting that they will receive conforming products/services consistently. The cost of not following a system approach can lead to work performance that is not optimized and results in losses.

ISO 9001:2015 requires an appreciation of the context of the organization, as well as the risks and expectations of the interested parties. This enables the organization’s leaders—in fact, requires them in clause 5.1.1 b—to define quality policy and objectives for the quality management system (QMS) that is aligned to the strategic direction of the organization. The QMS now is not an add-on to the business strategy but is integrated with it.

Experience has repeatedly shown that the lack of customer focus is the major cause of businesses failing or not performing, of governmental agencies overshooting budgets, and sensitive organizations (e.g., nuclear facilities, military bases, hospitals) making fatal errors. The cost of not having a system is so high and the consequences so dangerous that it would be almost suicidal not to have a management system in place.

Once the decision to implement the system has been made, why reinvent the wheel?

The well-tried, regularly updated ISO 9001 standard, which encompasses years of global wisdom, is the correct choice. Once the system is implemented and the organization’s leaders have confidence in the system’s performance based on objective inputs (such as audits, inspections, feedback, and other inputs), top management can self-declare the system as conforming to ISO 9001. There is no cost to this except the minor investment in using a competent consultant who comes in respecting the existing system and then identifies and addresses any gaps. After all, every functioning organization has a system.

The next stage, requiring investment in the certification, is a decision to be made by top management when a business requirement necessitates this. When it does, then the work will pay for it.

Risk-Based Thinking: Is This Something New?

Not really, but it does require a new way of planning.

Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”

Per clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as determined in accordance with the requirements of 6.1.”

This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.

Can you imagine a general planning a war strategy without appreciating the risks involved, per clause 9.1.3, which requires analysis and evaluation? Perhaps this is an opportunity for the rest of the world! In real life do we not consider various risks as we send children to school, select toys, and plan expeditions? The details we go into are based on the context of what we are doing and the parties involved. Therefore, if an organization manages a simple production line to manufacture toilet rolls, the context and risk would be different than those involved in operating a nuclear plant.

But why call it “risk-based thinking” and not risk management?

ISO 9001:2015 has to be applicable across industries and to organizations of various sizes. It remains a process-based standard. Should an organization need a formal risk-management system, the standard refers to ISO 31000:2009—“Risk management.” Risk-based thinking asks that everyone in the organization think about the risk of doing, or not doing, their assigned tasks. This concept was implicit in earlier versions of ISO 9001, too, but now organizations are systematically required to understand the context (clause 4.1) and then determine risks before planning (clause 6.1).

Although the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the QMS has become more effective as a philosophy. Moreover, risk no longer has a strictly negative connotation. It simply must be addressed, and where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive and innovative idea.

As organizations transition to ISO 9001:2015, or seek to become newly certified, they must not go into “panic mode.” It’s helpful to remember that risk has always been considered in the standard, but companies are now required to be proactive rather than reactive in their considerations. With its high-level structure (HLS), ISO 9001:2015 is actually more logical, simple, user friendly, customer-focused, and aligned with modern technologies. And it’s applicable to both manufacturing and service industries.

At a very basic level, all that an organization has to do is consider these six steps:
1. Make a list of the organization’s hazards. These should be identified in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
2. Having listed the risks, the impacts or potential harm should be listed against each risk.
3. The departmental lists can be consolidated into an organizational list under the direction of top management or a designated quality manager.
4. Evaluate each risk and its associated impact or potential hazard to assign a priority or significance number.
5. With top management’s involvement, decide how to isolate, minimize, accept, transfer, or eliminate the risk.
6. These risk-minimizing decisions then require a specific plan. Come up with proposed actions for each risk, including assigning responsibility and a completion date for them. Process owners must also agree with top management on the frequency of monitoring the progress.
7. This can be further expanded, if necessary and within the context of the organization, by considering the likelihood of detection.

The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.

 

By CEO and President, Captain Inderjit Arora

Objective Auditing Meets ISO 9001:2015

Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits.

To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.

It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?

The starting point for corrective action (CA) is the non-conformance report (NCR).

A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the non-conformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.

A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.

With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.

Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, needs to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the Organization in Context

Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”

So what, then, is this “context of the organization”? Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.

Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital to the success of the organization.

When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.

It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

By CEO and President, Captain Inderjit Arora