The Top Five Things that Can Go Wrong with ISO 9001:2015
The new ISO 9001:2015 standard is set to be a great development – the best and most important development ever – which is quite significant if you consider there are over 1.5 million ISO 9001 certifications out there.
While all of this is tremendously positive, the organizations in charge of the future of ISO may yet snatch failure from the jaws of victory. Here is what we need to watch out for:
Auditors and Certification Bodies allow Non-Process Based Management Systems
ISO 9001 is a standard for Quality Management Systems. Quality Management Systems are based on processes that exist in the organization. That is just how it is. You don’t need to create processes; they already exist in your organization. ISO 9001 management systems should reflect this and any procedures produced should be based on the organization processes and not the requirements in the standard. This approach was true of the 87 and 94 versions of the standard, just generally ignored, and was made more explicit in 2000. The new standard pushes the requirement for a process based system even further but there are a lot of organizations, consultants and trainers who don’t understand this approach and find it easier to define and document a system around the requirements in the standard. These systems are not integrated into the operations of the organization and are frequently maintained outside of and separately to normal operations. They don’t typically add value and generally they contribute to assuring quality but the maintenance adds cost. Some say that the DIS as it currently is written, still does not actually mandate a process based system and there is certainly some room for debate here. It is also very uncomfortable for an auditor to withdraw certification from an organization and that will create pressure for them to leave the status quo. If auditors and certification bodies certify these systems, customers will not be able to rely on them and ISO credibility will fall.
Watering Down the Requirements
The requirements in ISO 9001 have been made less and less explicit from the 1994 standard to the current standard and it appears this trend continues in the draft of the 2015 version. The approach seems to provide for the organization to implement a process and requires consideration of certain content but does not necessarily require content is included (at an appropriate level). Without explicitness in the requirements it is possible that certified companies may implement limited controls. Technically this is nonsense. Why would any organization weaken effective controls that it already has in place. There are many potential reasons ranging from pure ignorance of ISO, basic hostility to ISO in favor of a different quality scheme, and overcompensating from an over-bureaucratic system implemented incorrectly in the first place. Of course it doesn’t make sense. Surely organization, given a little more flexibility will generate an optimum system that helps, not a minimum system that just takes effort to maintain. Unfortunately if the organization doesn’t understand what QMS is and how ISO relates to that they are just as likely to only see ISO as a cost and greater flexibility as a way to cut effort. The control is certification auditors who should review systems and ensure they are appropriate and effective. However, if certified organizations argue with auditors, if auditors and certification bodies allow this and don’t test the effectiveness of the implementations, it will further weaken the perception of the value of ISO.
Failure of the Auditor Learning Curve
This new standard includes brand new requirements, changed requirements, new structure and new terminology. We saw with previous standards changes that it took a long time for auditors to grasp new requirements and often misinterpretations and misunderstandings percolated for years. Certification bodies want to minimize their training and setup costs and may cut corners. Accreditation agencies should control to ensure this doesn’t happen. Further the new standard implies the need for an understanding of the strategic and leadership elements in an organization. Some auditors have no concept of these elements and certification body provided training may struggle to achieve the quality of auditor needed. Bottom line is that to be successful, auditors have to be comprehensively trained and fully competent as quickly as possible to avoid certifying inadequate ISO management systems or rejecting effective and new management systems.
Minimum or No Documentation
The new standard does not include any requirements for specific procedures. Some items must be documented including quality objectives and management system scope, but there is not one procedural document mandated. We saw with the 2000 version of the standard that some consultants, trainers and organizations, documented only the mandatory 6 procedures and a quality manual. Their approach was for as little documentation as possible. That approach fails on many levels. Firstly, the standard required as much documentation as needed – never just six. Secondly, these mandated procedures were mostly aimed at supporting processes – things that were not in the value stream, and so the definition of a procedure had less of an impact than if the engineering process has been documented (to ensure consistent successful performance). Without a definition, there is no process. It’s just lucky that things work out. Often it’s because processes are run by a single person or by a strong manager. That’s acceptable until the manager is sick, leaves, etc.
The new standard makes it very clear that you have to be able to demonstrate that define your processes and that you demonstrate that you met that definition. If you can’t do that you don’t get certified. While there are a number of ways to define a process, it is almost impossible to do without writing it down somehow. And you have to write it down for ALL processes — documents and or procedures for ALL ISO requirements and for ALL parts of the organization. Without that you don’t have defined control over your organization. It is essential that you deliberately run your organization and that means defining and documenting it somewhat, how everything works in order to be successful. That doesn’t necessarily mean procedures although they have the advantage over other methods but it would still be possible to have no procedures, no flowcharts but have a well defined and controlled organization.
One of the major benefits of a common standard is common language. For good or bad, the new standard will introduce new terminology including many examples of terms that are not intuitive (even if they are accurate). Document and Record Control is to be replaced with Control of Documented Information. Purchasing will fall under Control of Externally Provided Products and Services. Any organization that doesn’t change their system to adopt at least the majority of this terminology will be recognized as having an out of date management system by their customers. That alone will provide some pressure for updating and change.
There is another danger here. It is important when making any changes to the management system, that while they should include adopting new terminology, they also avoid just mimicking the newly phrased ISO requirements. Changes must focus on the organizations own processes, appropriate process controls, and clearly defined objectives. New terminology needs can be addressed but effectively defined and documented processes is the most important goal and ISO requirements are secondary.
Why did I, in the introduction imply that the organizations in charge of ISO will be the cause of this? Companies who seek to be certified might unknowingly or deliberately apply ISO incorrectly. Their customers need to have confidence that they have applied it correctly. The certification is the assurance. The control is the auditors, the certification bodies, the auditor registration organizations and the accreditation agencies that have the control to influence how the standard is adopted. These organizations failed to do this with the 2000 version of the standard hence the current perception of ISO in the market. They are going to make the difference in the coming years.
Despite this, organizations can take the initiative and drive value out of their ISO projects. Effective quality management does not rely on auditors (good or bad) and certification bodies.