ISO 9001:2015 Top Management Transition Sheet
While personnel with traditional responsibility for quality dive into the details of what the new ISO 9001:2015 requires, top management is looking for the executive briefing. Here’s what they need to know – in a nutshell.
New Inputs to Quality Management System Planning (4.1, 4.2, 6.1.1)
- Organizational Context and Requirements of Interested Parties – The standard now requires an organization to determine the external and internal issues that affect its purpose, strategic direction, and intended results. While customers and statutory/regulatory authorities were the only major constituency addressed by the 2008 version, the 2015 version requires an organization to identify the requirements of all interested parties relevant to the quality management system that affect, can affect, or perceive themselves to be affected by the decisions and actions of the organization. While these considerations are new to the requirements of ISO 9001, they represent the very essence of what top management already deals with every day.
- Addressing Risks and Opportunities – After determining organizational context and requirements of interested parties, the standard requires associated risks and opportunities relevant to the quality management system be determined, and actions taken to address these risks and opportunities. This is where “risk-based thinking” becomes explicit in the standard. It is also what top management focuses on as the major responsibility of their position.
- Evaluating Effectiveness of Actions Taken to Address Risks and Opportunities – This requirement closes the loop regarding risk-based thinking, and links risk-based thinking to the plan-do-check-act cycle of continual improvement. It is one matter to determine risks and take action to address them. The next important step is determining whether those actions were effective, and truly reduced the severity or occurrence of the risk coming to fruition. This makes sure the actions achieved the intended end in mind.
Reasonably so, all of these influencing issues, interested parties, risks and opportunities have to be considered throughout the quality management system, during planning and at appropriate points in the processes, including when evaluating performance and selecting opportunities for improvement. Consequently, while it can be thought of as straightforward to address each of these items in an isolated manner, they really need to be interdependent and integrated. In practice it’s even a little more complicated than that. In planning and operating the QMS, there are other areas that will be affected by and affecting these items, such as communications, knowledge, change management, nonconformance, etc. The need for interrelationships and integration covers the whole system and while not difficult, it is a little complicated to integrate everything in a coherent manner. Obviously this is where the benefits come from.
Be Prepared to “Demonstrate Leadership” (5.1.1)
ISO 9001:2015 has upped the ante for top management. The 2008 version of the standard required management be committed to quality management. The 2015 version now requires top management “demonstrate leadership and commitment” to the quality management system. The standard requires leadership be demonstrated by “taking accountability,” “promoting the use of the process approach and risk-based thinking,” and, “ensuring that the quality management system achieves its intended results,” among other important considerations. Furthermore, the requirement for a management representative has been eliminated, replaced by a requirement for top management to assign responsibility and authority for performing the activities previously assigned to the management representative.
These changes add up to expectations of top management’s personal active involvement in the quality management system. Auditors will require objective evidence of top management demonstrating leadership. Previously top management could get away with a good narrative of how the management representative is given the resources needed to guide the management system. Future audits will be focused on how top management leads the quality management system, takes accountability for the results of the quality management system, and ensures the quality management system achieves its intended results.
In many respects, top management had been excluded from ISO 9001 in the 2008 version. They were required to provide resources and participate in management review meetings (usually facilitated by the management representative), but otherwise they were most comfortable being kept at arm’s length. The 2015 version finally gives top management involvement and responsibility for the quality management system using tools and approaches that make sense to organizational leadership.
Promoting the Process Approach, Risk-Based Thinking, and Improvement (5.1.1)
Top management has been assigned roles of promoting specific aspects of the quality management system. Promotion is activity that supports or provides active encouragement for the furtherance of a cause, venture, or aim. Active encouragement of the process approach, risk-based thinking, and improvement is expected of top management as they demonstrate leadership and commitment to the quality management system.
Requirements associated with the process approach can be found in section 4.4 of the standard. Top management has been given the responsibility to promote the process approach. This is done best by structuring the quality management system around the organization’s processes, rather than around the requirements of the standard. Organizations with procedures titled, numbered, and organized to match the standard will provide auditors easy evidence that top management has not promoted the process approach. Promoting the process approach means structuring the quality management system and its procedures around objectives, inputs, controls, outputs, monitoring, measurement, and improvement.
Changes to Management Review Input (9.3.2)
The introduction of risk-based thinking has led to additional inputs to management review. The major additions include reviewing changes in external and internal issues relevant to the quality management system, and reviewing the effectiveness of actions taken to address risks and opportunities.
Many Requirements Moved Around, but Few Changes Regarding Requirements
In order to make the ISO 9001 standard align with other standards such as ISO 14001 (environmental management), ISO 27001 (information security management), and ISO 22301 (business continuity), many clauses have been moved, leading to new numbers for these clauses. Despite the new numbers, the requirements are fundamentally the same, and the effects on companies currently registered to ISO 9001 will be minimal (if any) in this regard. A correlation matrix identifying these changes is available at www.iso.org/tc176/sc02/public. So while there are some new requirements and major and minor changes, there are still many that really haven’t changed.
Must Upgrade by September 15, 2018
ISO 9001:2008 certificates will no longer be valid after September 15, 2018. Because of cost considerations, most organizations plan to upgrade to ISO 9001:2015 during their next triennial recertification audit (held a few months before the expiration date on your current ISO 9001 registration certificate). It is possible to upgrade before triennial recertification, but expect higher audit costs as a result. Plan the timing and resources of your transition project so your organization is ready before your certificate expires.
Transition Project of 9 to 18 Months Duration
Even if your organization already practices risk-based thinking with effective demonstration of leadership by top management, we expect transitioning to the new standard will take 9 to 18 months (which includes generating the necessary records to support conformity). Considerable effort will be involved in transitioning and it will be difficult to fit in with normal activities without help from external resources.
Important phases of the project will include gap assessment, project planning to allocate resources to address the gaps, designing and documenting solutions, leadership training, implementing and training on solutions, internal auditing to the new requirements, and management review to address whether the quality management system is suitable, adequate, and effective.
Organizations that wait too long to work on transition, or fail to allocate adequate resources will have a difficult time demonstrating conformity on audit day.
Must Maintain Conformity with 2008 Version Until Certification is Granted to 2015
Even though everyone will be c hanging their quality management system to address the new requirements, the 2008 version is what registrars will audit until it is time for the official upgrade audit. Accreditation agencies have issued specific guidance to registrars emphasizing the need to maintain conformity with ISO 9001:2008 while transitioning to ISO 9001:2015. It is important to understand which aspects of the quality management system address which version of the standard, and keep both standards in check while taking action to upgrade to ISO 9001:2015.
Help Is Available
Cavendish Scott has been providing expert services in management systems standards since 1985. This is not our first experience with major revisions to standards. We can provide all the support needed to effectively and efficiently upgrade your management system to the new version of the standard. Whether you need training (from half-day management overviews to five day custom courses), gap assessment, consulting, internal auditing, or customized service, we can address your needs. Please contact us to learn more about the expectations of the ISO 9001:2015 standard and how we can help you upgrade successfully.