Eight Steps for a Successful Audit



ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve the requirements of customers and other stakeholders. Organizations certified to ISO standards strive to be compliant and efficient and to remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits also add value to this system, provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated, or where the evidence may not substantiate that the requirement was not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are then implemented to the system as a part of corrective action based on these findings. At times, when the management is disconnected from the working system, they are often surprised by the NCs presented at the jng the organization in the art of getting audited? In well-functioning systems the organization should never have to prepare for an audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all, CA is NC driven. The organization/auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given.

 

Here are eight steps an organization can take to give its employees that confidence:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On a regular basis, in day-to-day work and meetings, refer to the management system. Ensure quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even middle and lower management, e.g. supervisors, should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they are confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built in), the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third-party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its internal system and ask how the internal audit program missed the NC raised by the third party. Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TM must stay involved by asking about the progress of the CA process. Overdue NCs must be investigated, and TM must ask during the MR why the concerned department did not address them in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools such as Causal Analysis and FMEA (Failure Mode and Effects Analysis).
  7. Creating a lessons-learned database has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value, connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with your process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

 

By CEO and President, Captain Inderjit Arora

To Err is Human- React or Correct?

The only bad nonconformity is the one we do not know about. Understanding this fact is the key for leaders and their managers being careful not to create a culture that hides nonconformity.

Even so it is common for managers to demand no mistakes and to react badly to errors.

Leading organizations provide employees with management systems that help them to understand and fulfill the requirements. And servant leaders provide a management system to help their employees to eliminate the causes of nonconformity. They do this gradually, according to the 80:20 (or 50:4) rule, so they always start with the vital few nonconformities that cost the most.

Zero Defects (zero nonconformity actually) has to come with humble managers who take responsibility for their management system causing the nonconformity. Care and respect remain the most powerful parts of such management systems. It should not require courage for employees to talk about problems in doing the right work right.

These organizations welcome nonconformity reports to show where the management system needs further improvement to prevent failures to fulfill requirements. They know the only bad nonconformity is the one that remains hidden.

Use PDCA to Meet ISO 9001:2015 Revision Deadlines

Ensuring that the system positively contributes to the organization’s bottom line is important.

With the cutoff date of Sept. 15, 2018, looming for transitioning to ISO 9001:2015 and ISO 14001:2015, there will be organizations chasing certificates. However, certificates can’t improve the system, guarantee better products, or render better service. The fundamental changes to the ISO standards will positively affect business outputs if implemented correctly. However, there’s the possibility that the pressure of deadlines hanging like the sword of Damocles over leaders may result in hurriedly obtained but ultimately worthless paper certificates. Leaders may want to give this a thought as they manage their organizations’ transition or first-time implementation of the standards.

It’s the organization’s well-implemented management system that will enable employees to perform well and produce conforming outputs. The changes in ISO 9001, ISO 14001, as well as the 2016 high-level structure (HLS) revisions to the AS9100 family of aerospace standards, need timely and correct implementation. The changes in these new revisions involve a fundamental rethink of the approach to implementation. There is a call to make ISO standards-based management systems more proactive by considering risks within the context of the organization, keeping the priorities of interested parties in mind, and managing the internal issues that need planning and thought. Organizational knowledge, per clause 7.1.6 of ISO 9001, needs deliberation to determine how that knowledge can propel the organization to better performance and risk management, and lead to innovation. A robust quality management system (QMS) is an asset that should deliver.

This transition phase requires expertise in correctly interpreting the standard and identifying gaps in the system while respecting the “as-is” of the system. This must be followed by systematic incorporation of the changes within the context of the organization. Using the plan-do-check-act (PDCA) cycle can help. The (good) plan stage must be followed by orientation, motivation, and correct implementation during the do stage, followed by an audit during the check stage to ensure that the system is not only functionally aligned but also meeting the requirement of clause 5.1.1 b and c (i.e., that the QMS is compatible with the strategic direction of the organization). Per clause 5.1.1, there is a tremendous amount of responsibility for top management to ensure a customer focus throughout the organization. The act stage of the PDCA cycle comes about through the management review, which is required per clause 9.3 of the standard. This review must be done soon after the transition audit to give confidence to top management that the system will work.

This additional emphasis in the revised standard on ensuring that the system positively contributes to the organization’s bottom line is important. Nonconforming outputs must be reduced and not leave the organization as defective products or services. To do this, it’s important to consider the following:

Risk-based thinking must become second nature to the organization so that risks are managed and analyzed to consider opportunities for improvement. Outsourced procedures and services must perform to expected standards to meet customer requirements. The work environment, per clause 7.1.4, should ensure that processes achieve product and service conformity to requirements. The combination of competence (clause 7.2), awareness (clause 7.3), and a knowledgeable workforce (clause 7.1.6) that can ensure controlled production and services (clause 8.5.1) is a responsibility of top management.

By CEO and President, Captain Inderjit Arora

The Cost of Certification: A deterrent to system implementation?

Certifications often drive the implementation of a system approach, based on ISO standards. The primary implementation demand is for ISO 9001.

Certifications do have initial costs and then recurring costs for surveillance and re-certification visits. This is a responsive approach to business requirements, invariably driven by a forthcoming contract that mandates the system approach. Prudent businesses appreciate the risk of not having a process-based system.

When budgets are tight, supply chains are challenging, and retaining employees is difficult, it is all the more essential that organizations invest in a good management system. As W. Edwards Deming said, “A bad system will let down a good person every time.”

An efficient management system should be an essential asset of any good organization. Certification should not be the primary driver of this requirement. The optimum return on investment is by effective process performance based on objective information analysis, which in turn is based on data from within the organization or an appreciation of inputs publicly available. Organizations’ leaders should look beyond certifications to implementing and maintaining systems that drive continual improvement. Continual improvement drives organizations to find cheaper and quicker solutions while improving the quality of their products and services. After all, is that not what customers expect? The best quality for the cheapest price point?

Organizations can, and should, consider the option of self-declaring their conformity to ISO 9001, without incurring the added expense of certification, especially when customer requirements do not mandate it. Meeting customer requirements, ensuring continual improvement, and leading the organization to innovate cannot be achieved without a system in place. Effectiveness and efficiency are achieved when employees use system processes to achieve objectives. Customers’ confidence in the organization comes from trusting that they will receive conforming products/services consistently. The cost of not following a system approach can lead to work performance that is not optimized and results in losses.

ISO 9001:2015 requires an appreciation of the context of the organization, as well as the risks and expectations of the interested parties. This enables the organization’s leaders—in fact, requires them in clause 5.1.1 b—to define quality policy and objectives for the quality management system (QMS) that is aligned to the strategic direction of the organization. The QMS now is not an add-on to the business strategy but is integrated with it.

Experience has repeatedly shown that the lack of customer focus is the major cause of businesses failing or not performing, of governmental agencies overshooting budgets, and sensitive organizations (e.g., nuclear facilities, military bases, hospitals) making fatal errors. The cost of not having a system is so high and the consequences so dangerous that it would be almost suicidal not to have a management system in place.

Once the decision to implement the system has been made, why reinvent the wheel?

The well-tried, regularly updated ISO 9001 standard, which encompasses years of global wisdom, is the correct choice. Once the system is implemented and the organization’s leaders have confidence in the system’s performance based on objective inputs (such as audits, inspections, feedback, and other inputs), top management can self-declare the system as conforming to ISO 9001. There is no cost to this except the minor investment in using a competent consultant who comes in respecting the existing system and then identifies and addresses any gaps. After all, every functioning organization has a system.

The next stage, requiring investment in the certification, is a decision to be made by top management when a business requirement necessitates this. When it does, then the work will pay for it.

Risk-Based Thinking: Is This Something New?

Not really, but it does require a new way of planning.

Risk-based thinking can be considered the fundamental change in ISO 9001:2015. Compared to ISO 9001:2008, where preventive action (PA) held a spot in the “act” phase of the plan, do, check, act (PDCA) cycle, risk now appears in the “plan” phase and at each stage thereafter. This change formalizes an idea that has been around since at least 1546, when John Heywood coined the proverb, “Look before you leap.”

Per clauses 4.1 and 4.2 of ISO 9001:2015, it is therefore reasonable that the context of an organization should be considered during the planning phase, as well as before it, together with the needs of interested parties. Based on these inputs, risk also should be considered, per clause 4.4.1 f: “address the risks and opportunities as determined in accordance with the requirements of 6.1.”

This makes me wonder: Has the standard previously not addressed risks posed to quality management systems (QMS)? Risk was always considered, but inferred and inadequately interpreted by organizations. Only now has it been systematized as a requirement. Throughout ISO 9001:2015, in clauses related to each stage of the PDCA cycle, there is a requirement to address the risk.

Can you imagine a general planning a war strategy without appreciating the risks involved, per clause 9.1.3, which requires analysis and evaluation? Perhaps this is an opportunity for the rest of the world! In real life do we not consider various risks as we send children to school, select toys, and plan expeditions? The details we go into are based on the context of what we are doing and the parties involved. Therefore, if an organization manages a simple production line to manufacture toilet rolls, the context and risk would be different than those involved in operating a nuclear plant.

But why call it “risk-based thinking” and not risk management?

ISO 9001:2015 has to be applicable across industries and to organizations of various sizes. It remains a process-based standard. Should an organization need a formal risk-management system, the standard refers to ISO 31000:2009—“Risk management.” Risk-based thinking asks that everyone in the organization think about the risk of doing, or not doing, their assigned tasks. This concept was implicit in earlier versions of ISO 9001, too, but now organizations are systematically required to understand the context (clause 4.1) and then determine risks before planning (clause 6.1).

Although the revised standard does not mention preventive action, a QMS is a preventive tool. With risk replacing preventive action, the QMS has become more effective as a philosophy. Moreover, risk no longer has a strictly negative connotation. It simply must be addressed, and where applicable, it should be taken as an opportunity for improvement. Risk input may lead to a positive and innovative idea.

As organizations transition to ISO 9001:2015, or seek to become newly certified, they must not go into “panic mode.” It’s helpful to remember that risk has always been considered in the standard, but companies are now required to be proactive rather than reactive in their considerations. With its high-level structure (HLS), ISO 9001:2015 is actually more logical, simple, user friendly, customer-focused, and aligned with modern technologies. And it’s applicable to both manufacturing and service industries.

At a very basic level, all that an organization has to do is consider these six steps:
1. Make a list of the organization’s hazards. These should be identified in various processes by process owners. Where an organization is departmentally organized, the department heads should consider these.
2. Having listed the risks, the impacts or potential harm should be listed against each risk.
3. The departmental lists can be consolidated into an organizational list under the direction of top management or a designated quality manager.
4. Evaluate each risk and its associated impact or potential hazard to assign a priority or significance number.
5. With top management’s involvement, decide how to isolate, minimize, accept, transfer, or eliminate the risk.
6. These risk-minimizing decisions then require a specific plan. Come up with proposed actions for each risk, including assigning responsibility and a completion date for them. Process owners must also agree with top management on the frequency of monitoring the progress.
7. This can be further expanded, if necessary and within the context of the organization, by considering the likelihood of detection.

The standard asks organizations to plan to address risks but does not specify the need for a documented plan. However, a well-documented plan to address risks can only benefit an organization and add value.

 

By CEO and President, Captain Inderjit Arora

Objective Auditing Meets ISO 9001:2015

Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits.

To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them.

It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What’s the best way to audit this?

The starting point for corrective action (CA) is the non-conformance report (NCR).

A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the non-conformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input.

A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action.

With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.

Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, need to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the Organization in Context

Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems—Guidelines for the application of ISO 9001:2015.”

So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly.

Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital to the success of the organization.

When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement.

It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

By CEO and President, Captain Inderjit Arora

WHAT CAUSES PROCESSES TO FAIL WITHIN QUALITY MANAGEMENT SYSTEMS?



Some processes may be proactively designed and updated, but many just evolve. In either case, when leaders allow the systems (in which the processes operate) not to deliver the necessary direction, information, resources and controls, these “starved” processes fail to add value. This article examines how process failure impacts quality management systems.

Process Failure = Leadership Failure

The modes of a quality management system’s process failure are many, but we should start with leadership. Authority figures may (implicitly or explicitly) undermine requirements. Consequently, employees are not incentivized to help each other to understand and meet the requirements of their quality management systems. Employees are essentially let down by their organization when faced with a system that may be confusing, boring or expose them to unsafe or unproductive working situations. All work is a process, and process failure benefits no one involved. In fact, many do not ascribe common problems such as the following to poor process implementation:

  • Improper recruiting and training processes result in employees being ill-suited or ill-prepared for their work.
  • Individuals in work teams may not be coordinated, resulting in misaligned work priorities and self-serving behavior.
  • Incoming items (to which the intended work adds value) are unavailable, nonconforming or late.
  • Late or inaccurate information would also undermine processes directly or indirectly controlled by the organization’s quality management systems.
  • Incapable, unavailable equipment, software or tools are indications of larger process failure, even if the problems may seem unrelated or sporadic.

Many processes fail because they are not monitored and corrected as necessary. Process failure can also be the result if documented procedures required by quality management systems are ignored, inaccurate, too detailed or too vague, or not based on the facts that would fulfill the needs of stakeholders. The result? The now “uncontrolled” procedures may be forgotten or remembered in critically different ways. There are countless ways that organizations may fail to provide the required support for effective processes, but they all result in the same failed state, primarily because none had a workable process, supported by management and implemented by their workforce.

An Improved Model for Creating Processes that Work

As an antidote to process failure, our clients and other organizations have used the QMII Process Model (QMP) for nearly thirty years in order to enhance their quality management systems. QMP helps them quickly determine the root causes of system, process and product failure. This facilitates removal of the root causes of failures from the quality management systems for more successful processes.

Our whitepaper describing the QMP is available here for download. It explains key points of failure that often occur in less balanced (or absent) processes including:

  • Learn the critical importance of analyzing and defining key business processes from an external auditor’s point of view
  • Save time and lower risk by formalizing “as-is procedures” first before designing new ones to fill gaps in the system
  • Learn and apply new skills (auditing, environmental management, quality management techniques, etc.) with total organizational buy-in and support
  • Avoid the often-made error of confusing corrective and preventive actions by controlling key processes first before widening preventive actions
  • Audit and manage to initiate corrective actions and prove system integrity by correctly managing continual improvement

By CEO and President, Captain Inderjit Arora