Recap of “The Certification Body Perspective” Webinar
Our recent free webinar on May 12th, “The Certification Body Perspective,” describing a certification body’s perspective on interpretation and auditing of ISO 9001:2015, provided a ton of conversation and controversy.
There are really two big issues with this new standard. Of course there are many more discussions about the meaning of the new requirements but the more general topics are, how much documentation will be needed (procedures), and how much detail will be needed for these new systems (how far do we go?)
How Much Documentation
The new standard is excellent in the way it provides great flexibility for every company to demonstrate conformance how they want to. It is possible that for all or any specific process that there need not be a documented procedure. So what do you have if not a procedure. It is possible to ensure that a process is so clearly defined using forms, templates, tools and software, that there is no chance that anyone could be confused over how it was to operate. The process would be operated consistently and reliably based on all of the process controls put in place. An example might be to control documents by having structured computer folders, named accordingly, approval to be designated by a pdf being available in the folder, and revisions controlled into sub history folders. Technically the folders and the structure mean that no written description – a procedure, is needed. This works and so long as you can explain it to an auditor or a customer, then it will work. Unfortunately, it doesn’t address all of the ISO requirements for document control and control and distribution of documents of external documentation might be more difficult to achieve with forms and templates. And some of the other processes such as production and control of vendors might be difficult – even impossible to demonstrate without procedures. Thus this leaves you in the position that you have to be expert enough to devise a process that is reliable and repeatable without a procedure, and expert enough to be able to explain and justify the requirements to an auditor. You have to be more than just good. You have to be able to demonstrate it.
In practice it doesn’t make sense to not have procedures. If you want to make your management system completely clear and easy to demonstrate to an auditor then you need procedures describing how processes work and how you meet requirements. Some flexibility exists here – simpler procedures for simpler processes (but you still cannot ignore the importance of demonstrating conformance to an auditor).
You have the right in ISO to not have procedures – but you better be a process expert to make sure your processes are flawless and an ISO expert to be able to justify it to an auditor.
Bottom line – you need procedures – to cover all processes and all ISO requirements.
Records fall into exactly the same situation. ISO allows you to demonstrate conformance with “verbal” evidence. You have to “give confidence” to an auditor that this evidence represents an effective system but verbal is allowed. The argument is similar: verbal evidence is not as strong as documented evidence or observing activities. Verbal evidence has no longevity and does not give confidence. It can be confused, miscommunicated, misunderstood and even maligned. That is not, does not demonstrate a process. It does not demonstrate repeatability and it may also be person dependent. It is too easy to find non conformance. The person may not be around to give the evidence and a different story may be given by different employees. That does not make it easy to demonstrate ISO but worse still it is not a strong, effective internal process.
Bottom line is that you can only rely on verbal evidence as part of a process for the simplest, non-controlling, easy to repeat evidence. That is not the case with a list of issues, interested parties, risks, knowledge, etc. If you don’t have records and documents your systems will be unrepeatable and weak and you are going to struggle to provide adequate evidence to an auditor. You will fail.
Bottom line – you need clear documented records.
How Much is Enough
Accepting that records are needed for our key processes, how far do they have to go? How many issues do you have to capture? To what level of detail do you have to do Risks?
The answer is simple – All!. All that are important to your company. If they are not important…..you don’t need them. Truth is that these new processes are valuable to the organization and to miss a risk because the process wasn’t detailed enough does not make sense. Capturing risks that affect the organization is essential and beneficial and it does not make sense to have a system that does not capture everything, review it first and keep or dismiss it based on how important it is to the organization.
Bottom line – everything.
There are two other points here. First, it is possible, practical and often acceptable to auditors to implement a limited system that does not capture all. These situations tend to be where the situation is new and complicated and so small steps must be taken. There is no guarantee that an auditor would accept this but it can be discussed with them. Also it also certainly will have to grow and improve and cover more at the next audit.
Finally, note that you are required in ISO to consider things. That means you think about them but you don’t take action. You should maintain evidence of the things you considered – but dismissed, because if you don’t have evidence then auditors won’t believe you have “considered.” Worse, if you don’t have evidence something was considered, an auditor might bring it up as something “they think” should be included. Without evidence that you did consider and dismiss it, you may find yourself facing another nonconformance.
Click here to access a recording of the webinar and PDF files of the Q & A and the Certification Body ISO 9001:2015 Expectations.
Cavendish Scott, Inc has been working with ISO for over 30 years and with ISO 9001:2015 since the DIS in mid 2014. We have successfully designed, implemented and certified many ISO 9001:2015 management systems, we were the first in the US to have IRCA Approved ISO 9001:2015 Lead Auditor Training and Lead/Auditor Transition training and have given many training classes and presentation on ISO 9001:2015. We think it’s a fantastic standard. If you want any more information please contact us.