ISO 9001: 2015—Things You Can Do Now

ISO 9001 continues to wend its way through the revision process, and as it does so there have been lots of discussions and prognostications over the impending changes. All the wringing of hands and ongoing debate will not hurry the process or change the outcome.

The standard is still on track to be issued before the end of 2015. In the meantime, it’s a bad idea to jump the gun and start making changes in anticipation of the standard—that is, in most instances.

Organizations should be wary of the changes in the standard that suggest that requirements, for example, for the quality manual and documented procedures are going away. That may indeed be the case, but any action on this and several other changes would be premature and might end up causing additional work and unnecessary confusion.

That having been said, there are a few things that you can do without waiting for the standard to be released. I’m going to discuss three changes that you can take action on now that will yield benefits, regardless of the ultimate language in ISO 9001:2015. These changes will enhance your system and assist you with strategic planning, risk mitigation, and improvement of your critical organizational objectives. Implementation of these proposed sections of ISO 9001 will not diminish conformance to existing requirements or create undue burdens, even if the requirements don’t make it into the final draft.

The three enhancements relate to the context of the organization, the introduction of risk-based thinking, and elaboration of how you manage quality objectives. In actuality, none of these concepts are completely new.

The first change, relating to the context of the organization, was introduced in ISO 9004:2009. This standard, which in the past made up the other half of the “consistent pair” along with ISO 9001, has always been intended to help organizations increase the benefit they derive from their ISO 9001 quality management system (QMS). In fact, with the 2009 version, the title of ISO 9004 was changed to “Managing for the sustained success of an organization—A quality management approach.” In ISO 9004 this concept was referred to as the organization’s “environment.” Other than that, the thought process is pretty much the same.

The second change, relating to risk, creates requirements for that which was always implicit in ISO 9001. In the introduction (0.1, “General”) the standard discusses risks associated with an organization’s environment and with such things as varying needs, particular objectives, products, processes, size, and structure. Additionally, the essence of preventive action is all about risk avoidance and mitigation. As we will see, this is well aligned with the intent in ISO 9001:2015.

The last change is the addition of requirements relating to responsibility, taking action, monitoring, and revising objectives. Frankly, it lays out what most organizations should already be doing to ensure that objectives aren’t just minimally relevant abstractions documented for the sake of fulfilling ISO 9001 requirements.

Let’s take a closer look at each of these requirements.

Context of the organization

Clause 4 is titled “The Context of the Organization.” ISO 9000:2015—“Fundamentals and vocabulary,” which is the normative reference for definitions and terms in ISO 9001, defines “context of the organization” as “...combination of internal and external factors and conditions that can have an effect on an organization’s approach to its products, services, investments, and interested parties.” Subsequent subclauses go on to articulate the requirements that are relevant to clause 4.

Subclause 4.2 deals with understanding the needs and expectations of interested parties, which will be further discussed later. The last two subclauses, 4.3 and 4.4, are aligned with the 2008 version of ISO 9001. They deal with defining the scope of the QMS and establishing and implementing the process of the system. They follow subclauses 4.1 and 4.2 because understanding the internal and external factors and the needs of interested parties has direct relevance to the scope of the QMS and the manner in which it is implemented. Overall, clause 4 requires that an organization determine and understand the internal and external factors that affect its ability to achieve its intended results. How will your organization fulfill this requirement?

Understanding those factors that affect your organization is an imperative that has never been clearly expressed in ISO 9001, but is a concept that is foundational to strategic and tactical planning. How will you know what actions to take if you don’t have a comprehensive understanding of these internal and externals factors? How will you best decide the most advantageous expenditure of resources to achieve results and mitigate risk? (Risk, as we will see, is another concept that requires greater consistency and vigilance).

Do you know what factors define your organization’s opportunities and constraints? Although some of the categories of factors we consider may be generic (e.g., people, infrastructure, product offerings, and process capabilities), the specific factors may have unique significance in your organization. For example, the workforce may be a general category of internal factors. However, in your organization, you may have an aging staff of engineers and must therefore plan on how to eventually address the foreseeable gap that will open when they retire. Actions might include capturing some of their knowledge, which is consistent with new requirements relating to organizational knowledge. Alternatively, the action might involve outsourcing design processes rather than attempting to hire and train new engineers. As another option, the company could decide to initiate a mentoring intern partnership with a local technical school.

The point is that an organization should understand all these factors and the unique effect they may have on planned outcomes. It’s important to remember that these factors will change over time. Some new ones will be added while others will diminish in their ability to adversely affect planned results.

Other internal and external factors, depending on the organization, could include:
• Turnover of personnel
• Aging infrastructure
• Challenges of new technology
• New product introductions
• Availability of raw materials
• Changes in financial regulations
• Increase in the amount of work

This is a very short list. What ends up on your list is dependent on the size of the organization, your market, the people who work for you, the complexity of your processes, and various other factors that ultimately constitute the context of your organization.

What tools will you use to identify and monitor these factors? Will you make use of the management review so that action plans can be developed with resources allocated and responsibilities assigned? What kind of records will you keep? How often will these factors be monitored? You get to decide how this clause is applied so that it is both workable and beneficial.

A lot of this can be tied into existing monitoring and data analysis activities. The most obvious repository for records and evidence would probably be those coming out of management review. It is quite likely that implementation of these requirements will result in a more robust and beneficial management review process. An auditor should be able to assess these records to verify that appropriate consideration has been given to these factors, how they are monitored for changes over time, and what actions top management has taken in response.

The other subclause in 4 is “Understanding the needs and expectations of interested parties.” There’s some overlap with the previous subclause in that some external factors are directly related to interested parties. For example, availability of raw materials relates to suppliers, which is a category of interested parties.

Because ISO 9001 is focused on fulfilling customer requirements, it’s important to point out that this subclause does not require an organization to meet the needs of interested parties. Not only would that often be impractical, in some cases it also would be impossible because some interested parties have needs that are diametrically opposed. The other reason that the standard’s developers want to ensure that the focus is on the customer is that any additional requirements would be inconsistent with ISO 9001 and outside of its scope. So, the strategy here is to understand the relevant interested parties and determine what effects (positive or negative), if any, they have on your ability to meet your organizational goals. The identified effects constitute the potential risk.

How will you apply this requirement in a manner that creates value for your organization? Again, this relates directly to upcoming requirements concerning risk. Who are your relevant interested parties? Typical examples include customers, suppliers, environmental agencies, financial institutions, the local community, and, in some cases, even your competitors. The extent to which your organization fulfills the requirements of clause 4 will have direct relevance on its ability to meet subsequent requirements relating to risk, objectives, and planning.

Risk-based thinking

Clause 6.1 is titled “Actions to address risks and opportunities.” This is under the general heading of planning and segues directly from the earlier requirements dealing with understanding the context of the organization.

The requirements under this clause deal with risk-based thinking. It does not carry requirements for a formal risk management program, for such a requirement would be too onerous for smaller companies. Additionally, there is an existing risk management standard—ISO 31000. Incorporating risk management into ISO 9001 would exceed the scope of TC 176 (the technical committee that works on quality management systems standards) and would impinge on the turf of TC 262 (the technical committee with responsibility for risk management standards).

Now that we’ve said what this clause is not about, we can talk about the requirement and the intent. The requirement is to understand the risks and opportunities inherent in the internal and external factors previously mentioned and the relationship with relevant interested parties.

Essentially, this is an improvement over the existing requirements for preventive action. Whereas subclause 8.5.3 of ISO 9001:2008 talks in general terms about what you should do, ISO 9001:2015 addresses the sources of these risks and opportunities. This allows for greater relevance in generating preventive actions and provides opportunities to mitigate or avoid risks that could have dire consequences for an organization.

How will you apply this requirement? The data that come out of management review is a great resource. There are some existing tools like failure mode and effects analysis (FMEA) that lend themselves well to this requirement. Depending on your industry there are other tools at your disposal.

It’s important for you to decide what methods you will use to consistently address risk at critical junctures within your organization. One of the best things you can do is to begin to foster a culture of risk-based thinking—one in which people can recognize both constraints and advantages. Get them into the habit of considering both the positive and negative consequences of change. Implementing actions to prevent catastrophes often leads to significant improvements and cost savings. It can even result in innovation.

As mentioned earlier, FMEA and records of management review will be two great resources for auditors to use to assess the effectiveness of your implementation of these subclauses.

Quality objectives

The last improvement you can make is to heed the guidance found in subclause 6.2.2 relating to quality objectives. The existing version of ISO 9001 had requirements for determining, measuring, monitoring, and reviewing objectives, but it lacks guidance on what to do with objectives. It doesn’t create the rationale or provide direction that will make quality objectives actionable and meaningful. Quality objectives end up like dead fish flopping inside the pages of management review with no purpose—except to make an auditor happy.

With ISO 9001:2015, there are requirements relating to what you do about objectives. Example: You’re monitoring on-time delivery. The status quo is 85 percent, and you would like it to be 99 percent. Every quarter you look at the numbers. Yep, still 85 percent.

Going forward, you will be required to say what will be done, what resources you will need, who will be responsible, when the action taken will be complete, and how you will evaluate the results. It’s a great addition. Now there’s a formal plan to move that 85 percent, and putting that plan together will probably involve having a better understanding of internal and external factors, requirements of relevant interested parties, and risks and opportunities engendered in a plan to improve the metric.

Although there are no requirements that specifically require an objective to be improved, there are requirements that actions be taken based upon the results of the monitoring of objectives. Auditors shouldn’t look to verify that the numbers have changed. What they should look for is evidence of plans to address the issues with the intent of experiencing improvement.

All three of these enhancements to ISO 9001 are currently available to you. Implementing them will allow you to reap benefits and get a head start on the 2015 transition process. There is no downside to adopting these improved requirements.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”

About The Author