The 2015 revision of ISO 9001 is thrust upon us (for over a year now) and it is Greek – gifts anyone?
- Changes in structure, expanding the number of sections to ten from the previous eight with additions in performance management and evaluation, to help with future alignments among different standards through the new High Level Structure (HLS) which provides a framework for drafting standards which can be applied concurrently (integrated management systems or multiple management systems) such as ISO 9001, ISO 14001 and ISO 27001. Hold This Thought!
- Movement away from the classical corrective/preventive action approach to more of a general risk management model based upon ISO 31000:2009, Risk Management – Principles and Guidelines (but sugar-coating it by calling it Risk-Based Thinking).
- Requiring systems which take into account the “context of the organization,” “identification of Interested Parties” and consideration of “Scope and Boundaries,” which implies broader measurement, planning and implementation, perhaps taking into account areas such as “sustainability” (energy use, materials procurement, environmental impact, etc.), “corporate social responsibility” (social accountability) and “organizational resilience and health.” The latter seems to incorporate areas relating to business continuity and disaster recovery.
- Movement of “documents” (ISO 9001:2008 Clause 4.2.3) and “records” (Clause 4.2.4) to “documented information” (ISO 9001:2015 Clause 7.5) seems to be more accepting of electronic documents and document control approaches. However, the new clause language, which more generally requires organizations to retain documented information as evidence of implementation, has opened up debate as to whether the Standard is mandating procedures as it did in the past. Don’t go there.
Now, it is my belief, although I have no proof, that all the inclusions are of greater interest to our brothers and sisters on the ‘other side of the pond’ and, as such, it makes me question their relevance to organizations here in the US – certainly inclusion of what we’ll refer to as ‘Fringe Topics,’ i.e. those related to business but not within the scope of ISO 9001, such as Information Security and Energy Management, falls under scrutiny.
And are these bad things? In and of themselves, I have to say no… but yes.
The re-structuring to 10 clauses and reduction of foundational principles is neither a plus (in most cases – still holding that thought?) nor a minus – it’s just different. The reduction of prescriptive requirements (i.e. documentation), on the other hand, is a real plus, but that’s where I have to draw the line.
Inclusion of ‘Fringe Topics,’ for Big Business, is good for the rest of us, in a way; it will nudge them down a more socially responsible path, but we’ll pay for it through increases in goods and services due to the rising ‘cost of doing business.’ The same is not true for the small businessman. Amidst the continual heaping of additional requirements on an already straining annual budget we’ll hear the cries for mercy – it’s a thorny dilemma – “Should we continue to play or should we take our toys and go home?”
I see the 2015 revision as the beginning of the end for many of us, not able or willing to justify the additional expenses of this escalating pay to play ‘merry–go–round’ and growing reluctance to continue to fight the good fight only to risk confrontation with our customers.
For 2015, TC-176 introduces greater emphasis on Leadership and the Process Approach, then tosses in Risk, Knowledge and Supply Chain Management, all of which are not necessarily bad things, but they foreshadow the shape of things to come – referencing standards like Environmental Management and (soon to be released) Occupational Health & Safety. These may be of great interest in countries with weaker or no legislative oversight, but here in the US we have the EPA and OSHA, both of which have the power to levy financial pain (fines) or even file criminal charges (prison time) for violations. And, with veiled threats, as seen in the above references to Information Security, Energy Management, Business Continuity and Corporate Social Responsibility, one begins to suspect that, if included – even as notes in ISO 9001 (the way Human Factors has been included) – a plethora of obscure nonconformities looms ominously above our heads.
It would appear on the surface that the introduction of seemingly innocent concepts, like risk-based thinking, something I would expect most business people are not just familiar with but actively engaging in, is more a recognition of existing practice than an actual requirement. But I may be in the minority interpreting these as such, and therefore worry that others’ interpretations may open us up to serious threat from assessors whose competence in such disciplines would, or should at least, be challenged.
But wait, there’s more – Even as these Standards proliferate, the insidiousness of ISO remains hidden from all except those who know where to look!
The most innocent of references, like Organizational Knowledge (7.1.6), have an associated Standard (in draft – reference SI 25006, AS 5037 & BS 2001 as guidance documents) or Six Sigma (ISO 13053). And you start to get the picture.
So, what does this all mean? Still holding that thought? It means, if you want to play the game, you have to buy the Standards! Which Standards? Well… all of them! After all, ISO is nothing more than a book (Standards) publishing house and yes, each of the subjects listed above also has an associated Standard.
- ISO 14001 – Environmental Management,
- ISO 45001 – Occupational Health & Safety,
- ISO 27001 & 27002 – Information Security,
- ISO 50001 – Energy Management,
- ISO 22301 – Business Continuity,
- ISO 26000 – Corporate Social Responsibility
Now consider this… you have just spent thousands of dollars for a library of standards ($500 alone for Information Security). What do you think it will cost you to implement and maintain the program? Not an expert in all of the above? Add the cost of a consultant!
So, now what?
We’ll take a closer look in part 2.