Five Tricks and One Philosophy for Transition to ISO 9001:2015
Transition Time is Here
The time to transition to the new version of ISO 9001:2015 is upon us. Many have put off the transition for a host of reasons and we are now at a point where it is time to act. Differing opinions exist about how easy or how hard the changes will be, but there are many factors that come into determining that.
While it is possible to interpret the changes simply, or perhaps your auditor has always made your audit easy – implementing the letter of what is included in the standard or taking the simpler shortcut, you still have to consider that this year – you might get a tough auditor. Frankly, that’s a good thing. You are making an investment in quality, you should get a return. Nobody wants to fail their audit but it would be useful to know where there are opportunities. It would be useful to get pressure to be disciplined and organized, in a meaningful manner.
Irrespective of whether your Certification Auditor tells you how easy it is or your quality manager tells you it means a whole new solution, the goal of getting through the audit still exists. Transition problem number 1 is that any decent ISO resources are going to be already booked. If you have not reserved your help you may be too late.
As we progress internally, what is needed are quick and simple ideas to get the project on track and help navigate it to a successful solution.
Trick #1: Focus on Quality, not Requirements
The standard has changed significantly. The newer areas include the concept of allowing the organization to demonstrate conformance rather than dictating how it is done. This includes strategy, risk, and knowledge. There are also significant changes to Objectives, Change, Communication. As you can see, there are a lot of new requirements.
One of the more visible signs of the changes is the restructuring of the standard to adopt the annex SL approach. In some quarters a little controversial but probably overall a good idea for consistency going forward. A whole new standard to learn. Yes. You cannot argue the need to learn the new requirements if you want to get or remain certified.
One thing that has not changed; ISO is about QMS and QMS is about quality. This has not changed, not in the 31 years of its existence (since 1987). If you designed your ISO solution to be a QMS focused on quality then you probably have a good solution and your basic solution can stay. Yes, some new ideas (which because you focused on quality originally, you probably already addressed to some degree) and some changes to help focus and improve discipline perhaps) but the fundamentals are already there. Ensuring the focus is on quality and not directly on requirements will ensure your solution evolves through the transition in a meaningful way. It is a lot easier to get support and resources for something that makes sense.
Trick #2: Skip the Gap
Focus on outcomes. It is very common to insist on a gap analysis. Technically in most project management situations, this is an important step in determining where you are versus where you want to be. In this instance – less so. So much so that a gap analysis should not be required. You have a reasonable system. You have implemented ISO 9001:2008 and you meet those requirements well – your certification body has already confirmed. You audit your processes – thoroughly and effectively – and your certification body confirms it as well. Bottom line is you already know where you are. That is part of what having a QMS is about.
The next step is to determine where you want to be. You also already know that. You want ISO 9001:2015 certification. The gaps are defined by the differences between 2008 and 2015. But what does that mean specifically to you? Same answer. The Gaps are identified. Solutions are another matter. The purpose of a gap analysis is not to determine solutions.
The main function of transition is knowing where you want to be. Solutions require review, thought, and pondering. You need to put some time into determining what the best solution will be based on all the inputs. This might require analysis, brainstorming, consultation.
For instance, in 2008 we had preventive action. In 2015 we have to include a risk process. It’s a clear gap. There is nothing to explain what the solution should be. Your solution might have a weighted colored risk matrix with defined criteria and definitions for each characteristic. Or it might require a simple list. The solution needs to be appropriate and effective for you.
Don’t waste time quantifying gaps. Invest in a comprehensive, solutions-based, project plan.
Trick #3: Documents – You Need Them
ISO removed the need for many (any?) documents. So what? The standard changed in a really valuable way. It never made sense to require a procedure for internal audit but not for engineering. Why should ISO say what documents are needed in an organization?
By not insisting on any particular documents, the standard created a lot of confusion. With this change organization’s thought: “Now I don’t need any documents.” That is not what it says and it is definitely not what it means. First, the standard should not tell anyone how they demonstrate their system. By specifying mandatory documents and records it imposes tasks on organizations, to create and maintain the documents, this is something a standard has no business doing. Whether the documentation is good or not, it is not a standards place to say how. Further, by specifying, it implies that these are the only documents required and that if others were needed then they too would have been specified. Remember the ‘six mandatory procedures’? Not true and not what it says but that’s what happened. This alone led to terribly structured and impossible to operate solutions.
Now you may be saying: “But the new standard is worse or at least more confusing”. No. It clearly says that you have to be able to operate your system and demonstrate it. While it is possible to do this without documentation, getting this right is really difficult. The documentation describes how we define the process (and system) and without the documented description it is not possible to communicate it for clarity, training, reliability, or verify it or audit it. You can achieve this without documents but it is not easy. Bottom line: you need all the procedures, documents, and records. This has little to do with ISO and everything to do with operating a successful organization (and being able to demonstrate it).
Trick #4: Bring Quality into the Boardroom
Forever we have had our ISO programs led by dedicated professionals – the ISO Management Representative. In some quarters there has been noticeable confusion over the management representative. Often the ISO guy is not the representative. They do all the work but a VP covers the official role. This can be both good and bad. The 2015 standard removes the requirement for a management representative which many imply as getting rid of the role.
Let’s get one thing straight, there is no suggestion of getting rid of the role. The title is not discussed but it equally the standard does not say you cannot have one. This is up for the organization to decide. The important task here is making sure the responsibilities – all the responsibilities – for quality are properly determined and communicated. If you change this role or title or activity ensure the responsibilities are managed correctly. All too often the ISO guy is tasked with keeping or getting certification. But it is not the job of one quality guy.
Now, look at this point from a positive perspective. The management representative may lose a title but they still should oversee the system. Now the system includes the organizational purpose and strategic direction for quality formally included in ISO. They are obviously important to quality – essential in ensuring everything makes sense. It will not be possible to achieve certification if these elements are not part of the solution. This gives access to very high-level processes in the organization such as strategic and business planning. The management representative now has access to top management, and in a way has become a part of top management.
Trick #5: Identify the new ISO processes
ISO has introduced new, sensible, and important processes, however, we have found most if not all organizations already do these things. New requirements bring new processes and new controls. As discussed earlier, if it is important in an organization, then it is already being done, perhaps informally but still getting done. This is true of the big new areas brought into the ISO 9001:2015 standard. New to the standard…less so for the organization.
Business Planning, Strategy, and Purpose – the standard is very specific and requires us to start our quality systems with reference to organizational purpose and strategic direction. This helps appreciate that context is about understanding the environment and influences that affect quality so that planning can be completed…in context. Larger organizations already have a strategic or business planning process. Often quality is not explicitly included but can be achieved easily by adding a few simple controls to the process. In small organizations, it happens just the same. For instance, the owner goes to dinner once a year with their accountant and discusses how things went and what they want to happen next year or perhaps the owner has ideas for new products or new markets that should be pursued. At the moment this is informal, without structure, but it is being done and it just needs to add controls, some discipline, and organization. Let’s be clear about this, we are not doing this for ISO. We NEVER do any of this for ISO. We are doing this because it’s a great thing to do for the organization. That is why it goes on irrespective. A QMS helps us ensure these processes are deliberate, meaningful and valuable to the organization. Nothing new. Just a little more disciplined.
Philosophy: Keep it Real
Never forget what we are doing here. The most important thing about ISO is that it is about QMS. What is QMS about? It is about being successful. To be successful you have to be effective, efficient, improving, and profitable – every good characteristic of an organization that you care to characterize it with. Whenever you are writing procedures, designing solutions, looking at controls, implementing ISO you need to proactively ensure you apply that principle always. Everything you do in ISO is good. If its not….stop it.
Cavendish Scott, Inc has been working with ISO for over 30 years. We are process and management system experts and craft solutions that don’t ask organizations to change to meet ISO, We see how ISO meets what you already do. Our focus is on solutions that are meaningful, help management deliberately achieve success and also happen to get them ISO certified. Guaranteed in writing. We have never had a failure. It is this experience that allows us to identify 5 tricks and 1 philosophy. If you have questions? Just ask! email@example.com. Colin Gray has been consulting, training and auditing with Cavendish Scott for 30+ years. He has an MBA from the University of Middlesex, UK, and is a lead auditor for quality, environmental and information security.