The deadline for ISO 9001:2015 registration seems far off in the distance. But we only have about 20 months left to get registered to the new revision, and some related timelines are fast approaching. This post will attempt to address the steps necessary to achieve transition while maintaining your sanity (and that of your consultant, should you choose to use one). The bottom line: don’t wait until the last minute. And, since all other management systems are based upon ISO 9001:2015, this post applies to all registered management systems.
Transition strategies for ISO 9001
Some organizations have already passed their surveillance audits since the Standard’s publication in September of 2015, but most audits have yet to take place. Many organizations will begin their re-certification cycle around the middle of 2017. This doesn’t leave a lot of time for updating management systems to comply with new requirements if you are planning on transitioning this go-around.
There are several strategic changes to ISO 9001:2015. One of them, seen by many as the most important, is risk-based thinking, which allows organizations to think beyond measuring risk and become proactive in preventing it. Risk-based thinking addresses multiple ISO 9001:2015 requirements, including but not limited to: planning of products and processes, changes (both planned and unplanned), as well as positive and negative impacts to the customer and other interested parties.
Now, I am not aware of any successful organization that is devoid of risk consideration, and I presume these same entities actively pursue opportunities, but I would bet that many small ‘Mom and Pop Shops’ only have limited risk management competencies.
There are always concerns with the product realization processes: project risk, design risk, manufacturing process risk, and shop floor control. Those of you who are familiar with other disciplines (Automotive, Medical, Aerospace) or just have a basic knowledge of risk avoidance may be familiar with FMEA (Failure Mode Effects Analysis). You can be sure that your auditor is and may be expecting to see how you have embraced this tool. But don’t make the mistake of FMEA(ing) everything – you won’t be compliant! FMEA only addresses negative risk, is, for the most part, too subjective, and will make your heads hurt.
Risk is seen as both a positive (opportunity) and a negative (loss), so it takes more than “one way to skin a cat” to fully realize this addition. ISO 31010, Risk Management – Risk assessment techniques, describes 30 or so of the most popular tools and how to use them. I highly recommend buying a copy to keep in your arsenal. It may be worth its weight in ‘Get Out of Jail Free’ cards.
With ISO 9001:2015, organizations will also be required to rethink their process approach. In previous revisions, ISO 9001 only required procedures (which were defined as processes, although not very well) and did not use any language similar to ISO 9001’s process approach. Clause 4.4 now specifically uses the word “process.” This, along with the requirement that top management integrate quality management system (QMS) requirements into the organization’s business processes (per clause 5.1.1 c), means that companies must integrate these systems’ requirements into one process approach. This is an important element of the 2015 revision that’s not getting enough attention.
Although not presently a requirement, I predict that other important opportunities should be considered by organizations transitioning to ISO 9001:2015. I believe integrating concepts (planting the seeds, if you will) for “protecting the environment” (ISO 14001) and social responsibility or sustainability (ISO 26000) into their QMS would be a wise move. This is especially important with the new IATF 16949:2016 standard that requires a code of conduct for ethics in environmental and social responsibility. Additionally, many organizations have sustainability standards and are being required by their customers to create social responsibility-related initiatives. This is an organization’s chance to integrate all their requirements and standards into one system. I also believe that requirements for Occupational Health & Safety (ISO 45001) and Information Security (ISO 27001 & 2) will eventually creep into the mix, but that’s farther down the road – maybe the 2022 or 2030 revisions.
We’ll continue with the specifics in Part 2.