ISO 9001:2015 – Dealing with Deadlines – Part 3

We have seen that ISO 9001 has changed significantly with this 2015 revision. With the addition of context, interested-party expectations, and risk-based thinking, one would think ISO 9001:2015 has changed the most, but actually, ISO 14001 has changed in the most dramatic fashion, requiring companies to rethink their EMS. I add EMS back in at this point for those of you who have or are considering an Environmental System or are thinking about “Planting Seeds” as I have recommended.

deadlines-3

 

One of the key changes in ISO 14001 is the concept of “strategic environmental management,” where the organization is asked to give more importance to environmental management in the strategic planning process. This idea is further expanded by calling for increased participation of the organization in the EMS.

This, along with life cycle thinking, protection of the environment, and environmental performance, have fundamentally changed the Standard. Organizations should give themselves a chance to rethink their management system.

Culture can be described as: ‘The way things are done around here.’ However, this culture will have to be reviewed and revised, if necessary, as a consequence of the adoption of Annex SL as the basis for ISO 14001:2015. This includes the behaviors of everyone connected with the environmental system, and in particular, of those operating at the most senior level within an organization.

The 2015 edition has been revised to meet the needs of today’s business world. Every organization is different, so the steps needed to adjust your management system are likely to be unique to your situation. However, here are some tips that will help you get started on the journey.

Tip 1 – Familiarize yourself with the new document(s). While some things have indeed changed, many remain the same. A correlation matrix is available from ISO/TC 176/SC 2, http://isotc.iso.org/livelink/livelink/fetch/2000/2122/-8835176/-8835848/8835872/8835883/ISO%209001Correlation_Matrices.doc which will help you identify if parts of the standard have been moved to other sections.

Tip 2 – Identify any organizational gaps which need to be addressed to meet the new requirements.

Tip 3 – Develop an implementation plan. Tip 4 – Provide appropriate training and awareness for all parties that have an impact on the effectiveness of the organization.

Tip 5 – Update your existing quality management system to meet the revised requirements.

Tip 6 – If you are certified to an ISO Standard, talk to your certification body about transitioning to the new version.

The next steps

It’s important to create an implementation leader and a steering committee for this important transition. When creating the leader and team, management should stress that both management systems are for the organization’s benefit overall, and not for a specific department. The steering and leadership teams, championed by top management, ensure the completion of the processes shown below.

Discuss and plan the approach to management system changes. The strategy must be determined before a gap analysis can be conducted. Key strategies include:

  • Implementing a strategy for addressing risk
  • Considering proactive preventive processes for risk during the product-realization processes
  • Determining how top management can be pulled into the planning and implementation ofthe QMS and EMS
  • Integrating QMS and EMS processes into the same process approach (as required by clause 5.1.1 in the HLS)
  • Integrating social responsibility, including “protecting the environment” to the EMS system

Following this strategic planning process, the next steps are:

  • Conduct a gap analysis to analyze where the organization is in relationship to the overall plan and strategy, including ISO 9001:2015 and ISO 14001:2015 management systems.
  • Create an implementation plan with a steering committee and process owners.
  • Develop the key strategies and initiatives.
  • Document the (new) processes and procedures.
  • Implement the new system.
  • Conduct internal audits.
  • Conduct a management review.
  • Conduct third-party audits.

To efficiently implement the changes required by ISO 9001:2015 and ISO 14001:2015, and to do so with a value-added focus, organizations must begin the process now. As the surveillance audit and final deadlines draw near, organizations should avoid waiting until the last minute to begin this process. Otherwise they will find themselves forced to focus only on conformance to the standards (at a minimum), rather than building true value into their management systems.

As usual, sincere hopes that you find our posts informative. TKG

ISO 9001:2015 – Dealing with Deadlines – Part 2

In Part 1 we discussed not putting off until tomorrow what we can do today. We introduced the concepts of Risk-Based Thinking and the Process Approach as it relates to an integrated business system. And, we re-addressed some additional requirements, I believe, will be on the horizon sometime in the future.

Now in Part 2 we’ll get into the details… Key Changes to ISO 9001:2015

High level changes to all management system standards – The most significant changes in the 2015 Standard are in Clauses 4, 5 and 6, i.e. Context of the organization, Leadership and Planning, but there are many others throughout the Standard.

The Standard is rewritten according to the HLS (High Level Structure) -The ISO 9001:2015 standard has been restructured: chapter and sub-chapter titles, as well as the order of clauses and paragraphs, were completely revised.

deadlines-2Overall, this restructuring does not affect the Standard’s content or requirements. When examining the text in detail, however, the structure has changed to comply with new composition guidelines and topic sequences.

This change reflects a strategic choice that will gradually be applied all ISO standards of management system. Initiated on ISO 55001 (Asset Management System), the new structure is consistent with Appendix SL to the ISO Directives, Part I.

With this new common structure, ISO aims to help businesses and organizations more easily integrate all or parts of their various management systems and ultimately achieve a truly unified management system.

This consistent common structure makes it easier for companies to include components of other standards that it deems relevant: parts of the environmental standard ISO 14001:2015, the asset management standard ISO 55001 and even the future ISO 45001 standard on occupational health and safety management.

CONTEXT OF THE ORGANIZATION – CLAUSE 4

This is a new concept and relates to the external factors and conditions that could affect an organization and its ability to provide products and services to customer requirements. Examples could include governance, regulation, sector, stakeholders and shareholders to name but a few.

Importance given to the context surrounding the certified organization and to its stakeholders – Two new clauses (4.1 and 4.2) require greater consideration of the context surrounding the organization. They require a context analysis, as well as the stakeholder identification and the understanding of their expectations.

A standard purposely open to the service industry – The context in which organizations evolve has changed and the revision of the standard takes into account the evolutions in the way organizations do their business or activities. Originally drawn up for manufacturing and industrial sectors, ISO 9001 has been a victim of its own success, and many organizations from other areas have made it their own.

The ISO 9001:2015 revision has taken these changes into consideration. Its choice of vocabulary and level of abstraction simplify implementation in all industries, including services.

Tip: The context will influence the type and complexity of management system needed.

LEADERSHIP – CLAUSE 5

There are enhanced requirements for top management to demonstrate leadership and commitment directly with the QMS.

Leadership – The commitment to quality through strong and visible leadership is strengthened:

  • The idea of a “management representative” disappears completely.
  • The quality policy and stated goals must be deeply in keeping with the strategic orientations.
  • QMS requirements must be merged into business processes.

Tip: Top management is expected to be “hands on” and to ensure that the quality policy and quality objectives are consistent with the overall strategy and context.

PLANNING – CLAUSE 6

Planning is a new term introduced to the high level structure, with a requirement to address risks and opportunities and to carefully plan changes within the quality management system.

Risk management becomes a foundation of the standard – Each major revision of the Standard introduces a concept that allows certified companies to reach a new level of maturity.

Risk management based on a “risk-based thinking” approach has become fundamental in the 2015 revision: risk identification, qualification and management. Quality results from proper management of these risks, which go beyond the strict scope of the product or service delivered. Quality cannot exist unless the organization can provide its client a conforming product or service over the long term.

Risk has its counterpart: opportunity. The ISO 9001:2015 standard also embraces this concept of positive uncertainty.

Of course, risk is an additional concept that in no way supersedes the concept already present in the standard. Risk is incorporated into the fundamentals and rounds out these notions. As such, the process approach and PDCA remain two essential pillars.

Managing risk also means working towards continuous improvement. Corrective action corresponds to an unidentified, wrongly qualified or mismanaged risk; preventive action addresses a risk of possible but un-occurred noncompliance.

Tip: Risks and opportunities, for example, could relate to the use of electronic systems within the management system. Introducing such systems would require change and transition arrangements, which should be planned within the management system.

SUPPORT – CLAUSE 7

This new section builds upon the 2008 requirements for competence and awareness (now extended to include persons under the organization’s control, not just employees) and communication.

Tip: With the increasing use of outsourced providers, this requirement reminds organizations that this resource must be managed effectively just as internal providers are managed.

Human Factors – ISO 9004:2008 section 6.6 Work environment advises: The work environment should encourage productivity, creativity and well-being for the people who are working in or visiting the organization’s premises (e.g. customers, suppliers, and partners). At the same time, the environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management). See previous post “The Touchy-Feely Employee” for more on this.

Knowledge is a resource like any other – In its 2015 revision, ISO 9001 is once again adapting to its times. Knowledge has become key to successful projects and business development. The new standard considers knowledge like any other resource to be managed:

  • Identify the knowledge necessary to carry out the activity in compliance with the QMS and to achieve the defined objectives.
  • Knowledge must be maintained, protected and made available where necessary.
  • Anticipate changes in knowledge needs and manage the risk of failing to acquire knowledge in due time.

This is my take on the Key Changes and with them, the importance of care and planning. But do not minimize the lesser changes, especially due to omission i.e. 9.2 Internal Audit – the concept that auditors must not audit their own work is no longer included (see ISO 19011:2011) or Management Representative and Quality Manual. Duties and documented information is still required.

Next time, Environmental Management – ISO 14001 in Part 3.

ISO 9001:2015 – Dealing with Deadlines – Part 1

The deadline for ISO 9001:2015 registration seems far off in the distance. But, we only have about 20 months left to get registered to the new revision but some related timelines are fast approaching. This post will attempt to address the steps necessary to achieve transition while maintaining your sanity (and that of your consultant, should you choose to use one.) The bottom line is don’t wait until the last minute. And, since all other management systems are based upon ISO 9001:2015, this post applies to all registered management systems.

Transition strategies for ISO 9001

deadlines-1Some organizations have already passed their surveillance audits since the Standard’s publication in September of 2015, but most audits have yet to take place. Many organizations will begin their re-certification cycle around the middle of 2017. This doesn’t leave a lot of time for updating management systems to comply with new requirements if you are planning on transitioning this go around.

There are several strategic changes to ISO 9001:2015. One of them, seen by many as the most important, is risk-based thinking which allows organizations to think beyond measuring risk and become proactive in preventing it. Risk-based thinking addresses multiple ISO 9001:2015 requirements, including but not limited to: planning of products and processes, changes, both planned and unplanned as well as positive and negative impacts to the customer and other interested parties.

Now, I am not aware of any successful organization that is devoid of risk consideration and I presume these same entities actively pursue opportunities but I would bet that many small ‘Mom and Pop Shops’ that only have limited risk management competencies.

There are always concerns with the product realization processes—project risk, design risk, manufacturing process risk, and shop floor control. Those of you who are familiar with other disciplines, Automotive, Medical, Aerospace or just have a basic knowledge of risk avoidance may be familiar with FEMA (Failure Mode Effects Analysis.) You can be sure that your auditor isand may be expecting to see how you have embraced this tool. But don’t make the mistake and FMEA(ing) everything – you won’t be compliant! FMEA only addresses negative risk, is for the most part, too subjective and will make your heads hurt.

Risk is seen as both a positive (opportunity) and a negative (loss) so it takes more than “one way to skin a cat” to fully realize this addition. ISO 31010 Risk Management – Risk assessment techniques, describes 30 or so of the most popular tools and how to use them. I highly recommend buying a copy to keep in your arsenal. It may be worth its weight in ‘Get Out of Jail Free’ cards.

With ISO 9001:2015, organizations will also be required to rethink their process approach. In previous revisions, ISO 9001 only required procedures (which were defined as processes, although not very well) and did not use any language similar to ISO 9001’s process approach. Clause 4.4, now specifically uses the word “process.” This, along with the requirement that top management integrate quality management system (QMS) requirements into the organization’s business processes (per clause 5.1.1 c), means that companies must integrate these systems’ requirements into one process approach. This is an important element of the 2015 revision that’s not getting enough attention.

Although not presently a requirement, I predict that other important opportunities should be considered by organizations transitioning to ISO 9001:2015. I believe, integrating concepts (planting the seeds if you will) for “protecting the environment” ISO 14001 and social responsibility (sustainability) ISO 26000 into their QMS would be a wise move. This is especially important with the new IATF 16949:2016 standard that requires a code of conduct for ethics in environmental and social responsibility. Additionally, many organizations have sustainability standards and are being required by their customers to create social responsibility-related initiatives. This is an organization’s chance to integrate all their requirements and standards into one system. I also believe that requirements for Occupational Health & Safety ISO 45001 and Information Security ISO 27001 & 2 will eventually creep into the mix, but that’s farther down the road – maybe the 2022 or 2030 revisions.

We’ll continue with the specifics in Part 2