The Right Way To Do A ISO 9001:2015 Gap Analysis
We are frequently told that the first step in an ISO project is to conduct a gap analysis. Even though, with good solid knowledge of the standard and of organizational processes in general, it is possible to skip this step, common sense says that to maintain discipline and more certainly assure a successful outcome, it is important to understand the current state and document it. In practice it is the next step, project planning that is really what this first step is all about and it is generally accepted that the term gap analysis generally means: Determine the current state and plan the activities necessary to change it to the desired state.
In order to do a good job with a gap analysis project it really is important to have a strong understanding of the standard. You really need the same basic skills as an auditor to determine the current status and the same basic skills of an ISO consultant to complete a plan. With limited knowledge of the standard it is possible that you might misunderstand the intended application of some requirements of the standard and determine something you observe to be acceptable when it really isn’t or, worse still, think that something that is acceptable isn’t (and thus you are going to change something that is perfectly adequate.
Beyond a knowledge of the standard, it is ideal to have a broad understanding of organizational processes. When you identify a missing process, where you cannot see how requirements of the standard are addressed, it would be ideal if you were able to visualize how different solutions would affect the organization. Some solutions might involve the use of technology. Others can be effective with simple tools such as a whiteboard. There are different ways to bake a cake and it is important that the best option is selected for the organization.
The most common mistake made in gap analysis is to use a checklist of the standard. It is a frequently used approach, many/most certification bodies have these checklists and even promote their use. You can see it all over the internet where organizations are offering these checklists (for free) and advocating their use. It sounds right but it’s wrong. It sounds like a sensible approach that if I am to work out what of the standard exists and what doesn’t, I should start at the beginning and go through it. By the time I get to the end I will have my answer (and I will be an expert in ISO too).
If that approach is taken the project will start out in the wrong direction and then it will get worse from there. ISO advocates a process approach. It always has and now with the introduction of annex SL in ISO 9001, it is mandatory as implied by the statement “management are required to promote it”. So taking a process approach from the start is the way to go. The gap analysis should identify what processes exist within the organization and these should be investigated. They should be identified from the perspective of how well defined they are by the company procedures, what controls exist and how strong are those controls. Examples of controls include forms, software, whiteboards, and other items that cause the process to operate in a particular way. How strong the controls are in a process relates to how likely the process is to deviate from what is intended. Strong controls leave little chance of deviation and thus a great chance of success. Weaker controls leave a lot of flexibility in how things happen and may lead to failure to achieve the intended goal of the process. It is also important to understand the objectives for the process, what measurement or monitoring takes place to indicate that the process is performing correctly, and what resources are used in the process. Process theory and particular process techniques such as lean can provide more detail of what goes to make up a process and what is important in different situations. It is also important, and in the 2015 version of the standard, now mandatory, to take a risk based approach. For a really important process that has a significant impact on success and customer satisfaction, we should take a more thorough approach and we should expect stronger and more controls. For supporting processes that don’t have a direct impact we can be more pragmatic.
After all of this is understood about each process in the organization, now and only now can we get out a copy of the standard. Finally, we look for conformance to the requirements in the standard. For each process we look to the requirements and see which apply. Now this may be the point at which we find that many of the ISO requirements are not addressed. You identified the key processes in your organization (finance, sales, engineering, shipping, etc.) and you struggle to find where they are addressed in the standard (mostly section 8) but worse than that, there are a lot of ISO requirements unaccounted for. Typically what happens is that when you do the gap analysis, you forgot to consider the supporting processes in the organization. And worse it’s hard to guess which are important and which are not. But the standard has the answer. We can look at the standard and account for complete processes with specific clauses and requirements. For instance, the standard has section 7.5 Documented Information and this means document control and records control. You can now add them to your list and mark 7.5 against them. Of course you now need to go back out into your organization and see how document control really is achieved. While document control is an easy one. There are some more complex requirements in ISO that you need to find processes for. There is no substitute, you just have to know the standard at least well enough to know generally where to look. And importantly, you have to accept that there are some instances where the requirements are addressed in multiple processes and sometimes in many processes. Sometimes there are many processes that address one or more requirements. For instance, if you have two completely separate systems for controlling procedures in your organization versus engineering drawings, then there are two processes that are applicable to 7.5. Thinking more complicatedly, a production or service provision process may include many ISO requirements – such as those in 8.1, 8.5, 8.7, 9.1, etc. And to complicate it, if there are two separate production or service delivery processes – perhaps we manufacture plastic buckets but we also provide a window cleaning service then there are two processes which apply to all of these ISO requirements (except if the processes are subtly different – perhaps the service process doesn’t have nonconformance). All of this makes it very complex to achieve.
One situation to be careful of is that it is too tempting, with new requirements that don’t relate to any known existing process, to define a single process to address a single requirement. This comes down to experience. While this is possible (document control) there are instances where it is not appropriate. Nonconformance could be implemented as a single separate process with a single ISO requirement but is that really how it is addressed in the organization? Perhaps nonconformance is really customer complaints? Or perhaps it is actually discovered and addressed at receiving, in production and at final inspection. Three very different processes. The best configuration for the organization has to be defined. Perhaps another more troubling example is section 6.1 Risk and Opportunity. It is one section of the standard, but is it really one process? Are opportunities really like risks? Are they really handled the same way?
And so you progress to generate a list of processes in the organization and match ISO requirements to them. You add comprehensive notes to each of these processes to indicate how conforming they are to the standard and any changes that will be necessary to meet the standard. In some instances processes will be new and there will be a single requirement assigned to it. In other instances, that approach will be too simple. The final structure has to focus on the needs of the organization not as a means to meet the standard – or you’re likely to build a bureaucratic system that is not used for running the organization but only has value in conforming to the standard.
You then just need to make sure that you have captured all of the ISO requirements and you have defined a management system that is meaningful to the organization but which is in conformance with requirements of the standard.
All you have at this point is a roadmap. You still need to manage the success of this new structure and implement changes to processes and create brand new processes. These are two important elements of ISO success that warrant their own further discussion.
Cavendish Scott has been working with management systems, processes and ISO for over 30 years. We have very broad experience of different types and sizes of organizations in different industries with different technologies. We know how to optimize a management system for each individual organization so that it is meaningful, non-bureaucratic, easy to maintain, meaningful and (coincidentally) in conformance with the ISO standard. We guarantee ISO certification and have never had a failure.
Cavendish Scott can provide you with a gap analysis and project planning audit or a full turnkey consulting project with guaranteed certification. Our 25 years of experience have made us one of the best ISO consulting and internal audit companies in the ISO industry.