Cutting through the confusion
International standard ISO 9001: 2015 Quality Management Systems (QMS) was published in September 2015. While generally viewed as a positive revision bringing many benefits to QMS in response to technological advancements and global supply chains, it’s major changes and additions have caused some confusion among organisations transferring from the 2008 version of the standard. As a result, only a small number have made the transition to date.
With just over 12 months to go until the transition deadline, we ask Michael Venner, CEO at certification body IMS International, what are the issues and why are organisations leaving it so late?
As an overview, ISO 9001:2015 offers better integration with other standards, increased flexibility regarding use of documentation, the introduction of risk-based thinking, greater involvement from top management, higher emphasis on performance monitoring and measuring, enhancement of the process approach and a focus on stakeholder relationship management.
However, to realise the benefits of the 2015 version of the standard, the new requirements can be demanding of both time and resources if not planned efficiently. There are 18 changes when compared to the 2008 version and some of these are major high level structural changes. In addition, brand new clauses have been introduced that filter down and impact other requirements.
In particular, we have found that ‘Context’, ‘Interested parties’ and ‘Risk-based thinking’ are causing the most confusion.
Understanding ‘Context’ - communication is key
When determining the context of the organisation the 2015 revision requires the owners of the business and management team to identify what the business does, who their customers are, who their suppliers are, and what internal and external influences there are.The standard even suggests what those might be. Internal context needs to consider issues related to values, culture, knowledge, and performance and external context needs to consider issues from legal, technological, competitive, market, cultural, social, and economic environments.
No matter what the organisation is or what experience someone has of quality management systems, each owner or high level management team will have a firm understanding of their business and how it is impacted by the changing world around them. The challenge is to communicate their understanding to the auditor and the devil is in the detail.
It actually requires a different auditing approach. Many auditors in the past have been reading manuals, procedures, and working instructions to certify the context of a business, however all this documentation is no longer mandatory (although it is expected that some level of documentation will be in place). The emphasis is to communicate with the owners and high level managers to verify their understanding of the business so the auditors will also need to harness these skills to be effective communicators during the auditing process.
Understanding ‘Interested parties’ - Relevancy and risk are key
It is now a mandatory requirement of ISO 9001: 2015 that an organisation understands its interested-party needs and expectations. The main issue here is identifying who is relevant and how do they affect the QMS. They might be customers, trade bodies, influencers, local or national government organisations, staff and shareholders. Anyone that has a vested interest in how the QMS is performing.
Once they are identified, the process of understanding what their needs and expectations are becomes easier to define. For example, a customer purchasing parts for their fleet is an interested party that needs the goods to be delivered on time and expects good customer service. The aim of the organisation is to ensure their needs and expectations are met to retain their business. Understanding the level of risk each interested party poses to an organisation also helps the organisation in classifying and addressing their needs.
Understanding ‘Risk-based thinking’
Many owners will know exactly what the risks to their business are and will put in place mitigations to reduce these risks. Production managers will know what risks are within manufacturing processes and put in place training, checks and balances to ensure the risk of product failures are reduced. Marketing and promotional organisations will all know that they risk publishing incorrect information, if the information is not reviewed and approved by their customers before publishing, that is risk management. This is where some confusion creeps in, the new version of the standard is asking organisations to approach risk from a totally different angle.
The term risk-based thinking encompasses both risk management and preventative risk at a much higher strategic level than the 2008 version. Leaders will be tested for their awareness of the risks to the business and the mitigations they have put in place to manage these risks. More often than not it will only be the leaders of the business that has a grasp of the strategic risks to the business and not the quality manager. They will be asked a variety of questions that require strategic knowledge of the business such as; What situations can have an impact on the business internally and externally but also positive and negative? Are all your eggs in one basket? What happens when Brexit is completed? What are your competitors doing? Are your key suppliers risk free? For each, a detailed answer will be expected to exemplify their understanding.
Top management involvement
All the above have a common theme, owners and high level management teams need to get more involved with the auditing process. The sooner the standard is implemented at a strategic level, the easier it is to permeate through the organisation.
Where previously it may have been the quality manager’s responsibility to work with auditors, ISO 9001: 2015 demands that it’s the leaders of the organisation that will need to be involved in the entire process.
We are aware of mid-level managers who are trying to implement the changes but are still not getting the strategic information from the higher levels to support the implementation. This is one of the reasons why there has been a delay in transitioning. Leaders need to fully appreciate the requirements now being placed on them which means it can no longer be delegated. This could lead to non-conformances during the audit as it will become apparent very quickly if leaders have not been involved.
The imminent deadline
For all organisations planning to transition to ISO 9001: 2015, the impending date is 15th September 2018.
It is a strict deadline which specifically outlines that all QMS certifications that have not completed transition to ISO 9001: 2015 by this date, including the transitioned QMS certificate uploaded and published into the OASIS database, will no longer be valid and shall have a certification status of ‘expired’.
It also states that the organisation will no longer be eligible for transition and an initial certification audit will be required to establish conformance with the 2015 editions of the QMS standards.
Unfortunately, delaying the transition will be both expensive and time consuming to rectify.
Help is at hand
The objective of the certification body is to guide organisations through the transition, explaining the details of the regulation in real life terms, so ultimately, the organisation doesn’t risk losing their certification.
They too, are under pressure to change their internal systems to meet the regulation by June 2017. Internal training to the new requirements needs to have taken place, all auditor skills should be updated and all auditors are required to pass the ISO 9001: 2015 training course before performing audits to the new standard.
The requirements of the new standard are not new in terms of running and operating a business and they are not new concepts, however the lack of understanding of what the standards are actually asking organisations and leaders to demonstrate to auditors is preventing successful transitions.
Leaders need to appreciate that they cannot rely on quality managers or representatives to run and manage the system, they are not able to answer a lot of the strategic questions that will be asked during the audits and the system needs to align with those strategic visions and requirements. Failure to align the systems and processes with the strategic direction and overall business can result in organisations failing to transition in time. Leaving it to the last minute to transition increases the risk of missing the deadline and resulting in them losing their certification.
We advise that the leaders get more involved in the transition process and offer support to those persons within the organisation who will be preparing their systems in line with the new requirements.
Many other standards are impacted by the changes to ISO 9001 due to it being a core standard in industry specific quality management systems such ISO 14001: 2015 and AS 9100 revision D. Each of these standards have their own transition requirements but share the same deadline as ISO 9001: 2015.
The transition process:
- Inform the certification body when they would like to transition and on what type of visit; surveillance or reassessment
- Meet all new requirements of the standard
- Additional time will likely be required to any audit in order to allow the auditors to evaluate compliance against the new standard as well as the current
- All new applications will need to be made to ISO 9001:2015 version not 2008.
- Perform a staged assessment over the surveillance visits and auditors can assess parts of the requirements informally during those visits.
- Will maintain 2008 version until successful transition