Professional Documents
Culture Documents
NOTE: I plan to pull together an actual example of a SWOT Matrix filled out, based on a
sampling from my Client sessions over the years. I hope to have this done for the next
Newsletter issue (in a few weeks time) so stay tuned for thatdownloadable example to
go along with this template.
to take advantage of an important opportunity that is presenting itself today, using a key
strength that you have. You will see that the top two quadrants represent offensive
Strategies while the lower two quadrants represent defensive Strategies, which you
want to keep balanced.
Keep in mind that the Template shows ten (10) potential Strategies, the key word here
being potential for this exercise, my experience has shown that less is better since
trying to keep 10 plates spinning (10 strategies) can overwhelm a Management Team.
Also note that each Strategy has a place in one of the quadrants and is not
sitting outside the SWOT Matrix. This is another important feature of this tool in that it
ensures that there are no rogue Strategies being pursued by well meaning
Managers. Each Strategy must address at least one pair of Top S-W-O-Ts, otherwise it
is not an action that the company should waste resources on.
This SWOT Matrix tool/approach lies somewhere between the extremes of
implementing a full fledged formal strategic planning process at one end of the
spectrum, to using a simple/informal/reactive method for setting company direction, at
the other end. The first year using this tool is usually the most challenging, with
subsequent years simply updating it to reflect the current reality, and either re-confirming
the previous years Strategies and/or establishing new ones.
As I said above, make sure to watch for our next Newsletter issue where you can obtain
an example of a completed SWOT Matrix
PS: Dont forget to look at the Q&A section below for some final thoughts
A: I suppose that depends on how your Management Team currently performs business
planning each year. If they do something in this regard then ask them if they do the
traditional SWOT Analysis. If they do, then show them the SWOT Matrix tool and
explain it to them in 2 minutes or less. As a business tool, its fairly self-evident how it
works and what it can achieve. Either way, suggest that they try it out at their next
annual planning session. If they dont do anything, then forward my Newsletter to
them and follow-up a few days later to answer any questions they might have, and
suggest that it could be a way to re-energize the current way they perform Management
Review meetings once a year. If youre not sure, or if your Management Team has
questions you cant answer, then feel free to contact me and Ill see if I can help.
Element 4.0 Context of the Organization consists of four (4) Clauses as listed below:
4.1 Understanding the Organization and its Context
4.2 Understanding the Needs and Expectations of Interested Parties
4.3 Determining the Scope of the Quality Management System (QMS)
4.4 Quality Management System and its Processes
all row in the same direction (i.e. getting alignment and clarity on goals for the business)
pretty powerful tool from the results Ive seen.
Once again, this can be drafted up in advance, reviewed by the Management Team,
finalized/approved and then re-visited by them once a year to keep this list up to date.
Clause 4.3 Determining the Scope of the QMS: Determining Scope should be a
natural next step after handling the previous two Clauses. Nothing much has changed
with the exception that Not Applicables need to be defined here and you are now
allowed to take an N/A from any section of the Standard (as opposed to being restricted
in the past). However, before you get too excited, the wording in Clause 4.3 basically
says that if it affects the Customer then you cant take an N/A on it, period. Im actually
a bit surprised that this change has not caused more discussion in blogs and internet
forums since essentially the last paragraph of this Clause, along with the use of the term
products and services throughout the Standard, implies that almost every
organization will now need to address Design activities (at least for services) within
their QMS.
Clause 4.4 QMS and its Processes: Needless to say, all of the preceding Clauses
need to be finalized in order to address the requirements within this one, which is for the
most part a repeat of the 2008 version but with much more prescriptive wording. For
instance, some of the requirements within this Clause include determining inputs &
outputs for each process, addressing risk & opportunities for each, and collecting
evidence to show that each process is working as planned.
The ISO 9001 Standard includes a diagram (see section 0.3.2, Figure 2 of ISO
9001:2015) that depicts how the main Elements connect to each other in a Plan-DoCheck-Act cycle. Many organizations will simply borrow this flowchart and call it their
own to address Clause 4.4 however by doing so they will miss an opportunity to finally
connect their real business activities to their QMS (instead of running it in a parallel
universe!). At the very, very least, developing your own business process flowchart
would give you something to show the Auditors (both internal and external) about how
your organization actually functions. What I am talking about here is a high level
diagram showing your main business processes (no more than 6 to 10), and how they
connect or flow from one to the other. Add in references to the main Elements of the
ISO 9001:2015 Standard and youve now connected the dots for the External Auditors.
Creating this document can be an eye opening (and fun) exercise. This is a great way
to engage upper management in taking more ownership of their QMS.
Make sure to watch for our next Newsletter issue where we will cover another section of
ISO 9001:2015
Q: Since ISO 9001:2015 no longer requires a Quality Manual, should I delete it from the
QMS?
A: I know the temptation may be to scrap the Quality Manual since it will need to be
revised to comply with ISO 9001:2015 but I recommend you keep it for a number of
reasons. One main reason for having a Quality Manual is that it provides the reader
(your employees) with a blueprint on how you manage Quality in your company. It helps
them navigate around all of the processes youve decided to implement to ensure you
deliver a Quality product and a Quality service to your Customers. Another potential
benefit I see is using it as a document to show how your company decided to
address/interpret the requirements within the ISO 9001 Standard, which is helpful for
both inside and outside readers (your Internal Auditors, your Customers, your Suppliers,
your ISO Certification Auditors). As Ive said before this 2015 revision is an opportunity
to connect your QMS much closer to your business so consider not just scrapping the
Quality Manual but rather re-building it into a more business/practical document by
using only a handful of main content pages, followed by a few Appendices as reference
material.
Clause itself. Normally youd expect the wording to be something like The organization
shall determine itscontext, etc, etc. Basically Clause 4.1 never really asks you to state
what your context is but rather asks you to determine what internal and external issues
impact your organization.
Here is another important fact, the phrase documented information does not exist
within Clause 4.1, so you are free to simply verbally describe how your Strategic
Planning process (or SWOT activity) functions. Even if some companies keep a record
of these activities they can state that this information is considered proprietary and
confidential. If the Auditor sees this as a gap and wishes to pursue this further, they will
be faced with demonstrating that a lack of documented information in this area
somehow makes this particular QMS process, ineffective (see Clause 4.4.2).
This is a good example of how this new Standard differs from the old one Auditors will
now need to swim upstream and downstream (and within) each process (with perhaps
only verbal evidence along with their own observations), in order to assess whether the
process is functioning, functioning as planned, and functioning effectively. Many
Auditors will find this to be a challenge, especially when sitting across the table from the
business leaders in the company.
Clause 4.1: Understanding the organization and its context So what does context
mean? Notes 2 and 3 try and help by making suggestions however I view context as a
statement made by top management that describes the business that the organization
is engaged in and also includes a description of the external and internal factors that
affect or impact how they operate.
If your company practices Strategic Planning then a lot of what Clause 4.1 requires will
be addressed within that process. Additionally, if your organization engages in SWOT
analysis (which was discussed back in Newsletter Issue #4), then the output from that
exercise covers the internal issues (Strengths & Weaknesses) as well as the external
issues (Opportunities & Threats) quite nicely. If your organization then develops action
plans (or Strategies) based on the SWOT analysis then that will become perfect
evidence for Clause 6.1 (Actions to address risks and opportunities).
However, many companies may not be able to make reference to any formal Strategic
Planning process, which makes complying with this Clause more challenging. The first
thing to do is determine if your organization has any type of meeting where they discuss
what the business challenges will be for the upcoming year and where goals/targets
might be set. If this type of meeting does occur then make reference to it either in your
Level 1 Quality Manual (which I suggest you retain revise it of course but still retain it)
or within a supporting Level 2 Procedure. Be sure to explain how this meeting covers
both internal and factors impacting your business for the year ahead.
If for some reason your organization simply does not conduct any type of business
planning meeting at the beginning the fiscal year then you will need another option or
alternative for handling context. This alternative approach first assumes that you will
not scrap your current Quality Manual (even though it is no longer an ISO requirement).
Secondly, you need to be prepared to re-write a portion of your Quality Manual so that it
includes a Business/Strategic Planning section which describes how your business
planning activities look at internal and external issues. An easy approach you can use
within this new section of your Quality Manual would be to create two tables, one listing
Internal Issues and one listing External Issues. Youll need to re-visit this new Quality
Manual section at least once a year (perhaps at a Management Review Meeting), so
that the information regarding context can be updated for the next year (or reconfirmed as is).
There can obviously be many other approaches that will work, since every company is
unique, with each performing various degrees of formal strategic planning. So as
always, how you address context depends very much on how your current annual
business planning process works (or doesnt).
PS: Dont forget to look at the Q&A section below for some final thoughts
To view all of our past Newsletters or to sign up to receive them click here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Whats new in Clause 4.3? In our last Newsletter (ISO 9001:2015 Newsletter Issue
12) we discussed the term interested parties which was found in the previous Clause,
and now here in Clause 4.3 we are introduced to the topic called scope. The term
scope was previously found in the 2008 version, in Section 1.0, but in that case
scope was referring to scope of the document (the International Standard). In the
2015 edition, Clause 4.3 is brand new in the Standard since it deals with the scope of
your organizations quality management system (QMS). Although the 2008 version did
not have a shall requirement regarding scope, the ISO Certification Bodies required
that it be stated on the certificate they issued to you, so they mandated that you define
what your scope was within your QMS. This necessitated having the exact same
wording shown somewhere, and in most cases companies placed it within their Quality
Manual.
Let me start by making an observation regarding Clause 4.3 notice that this is the first
time where the term documented information surfaces. Since there is no specific
requirement for a document called the Quality Manual, organizations will need to decide
where to maintain this documented information. Once again, I suggest that you retain
your Quality Manual for many reasons as stated previously (see Newsletter Issue #3),
and that this be where your company defines the boundaries or scope of your QMS.
Clause 4.3: Determining the Scope of the Quality Management System Any
company that is currently registered to the 2008 version will have a scope statement
somewhere in their QMS. With that in mind, let me highlight what is new for 2015. First
of all, Clause 4.3 a) & b) asks your organization to consider what was stated back in
Clauses 4.1 (Context) and 4.2 (Interested Parties) when determining what your scope
statement will be. I believe this is somewhat backwards since it is simpler to start with
defining your Scope and then let that drive a determination of who
the relevant interested parties are, as well as what the internal context issues are, and
what the external context issues are. Secondly, the Standard now asks you to
specifically list the types of products and services that will be included within your
QMS. Developing a list of products, and also a list of services, will be an excellent
exercise to better understand what gaps exist within your current QMS. The expectation
is that each item listed (each product and each service) will be assessed and
addressed using the 400+ shalls within the 2015 Standard dont underestimate the
impact this will have. As a Customer why would you expect anything less?
Clause 4.3 also contains requirements regarding Not Applicables which I discussed
back in Newsletter Issue #3. What is different here is that you are allowed to take a NA
on any Clause within the Standard. However you will have to justify that by excluding a
Clause this will have no impact on your ability to provide conforming products AND
conforming services, AND it will have no impact on the enhancement of satisfaction
levels of your Customers. Another way to view this is if you decide to take a NA for a
particular activity that you currently do then that implies that the activity/process can
behave inconsistently/ erratically/ chaotically, and yet have zero impact on the quality of
your products, or the quality of your services and the Customer will never notice it.
Having said all of that, it will be interesting to read what justifications are stated within a
QMS, since this information must be maintained as documented information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Whats new in Clause 4.4? In our last Newsletter (ISO 9001:2015 Newsletter Issue
13) we discussed the topic of scope which was outlined in the previous Clause, and
now here in Clause 4.4 we cover the whole of the QMS, along with its processes.
Clause 4.4 Quality Management System and its Processes consists of two (2) SubClauses as listed below:
4.4.1 [no title] The organization shall establish, implement
4.4.2 [no title] To the extent necessary, the organization shall
Sub-Clause 4.4.1 This area was covered in the very first lead-off Clause previously
found in the 2008 version. In the 2015 edition, this Sub-Clause adds a few new
requirements, the first being Sub-Clause 4.4.1 a) which asks the organization to
determine the inputs and outputs of the processes needed for the QMS. The second
being Sub-Clause 4.4.1 c) where performance indicators need to be identified for these
processes. The third is Sub-Clause 4.4.1 e) which asks you to assign who is
responsible, and who has the authority over each of these processes. Finally, in SubClause 4.4.1 f) a new requirement asks how these processes will address the risks and
opportunities identified in Clause 6.1.
Sub-Clause 4.4.2 This is the sub-clause that provides you with the flexibility to decide
how much, or how little, documentation your QMS needs, to function effectively. SubClause 4.4.2 a) uses the term maintain documented information and Sub-Clause 4.4.2
b) says retain documented information, and these terms are translated for you in
Annex A.6 whereby maintain is equivalent to the old control of documents, and
retain is the same as control of records.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clause 5.1 Leadership and Commitment consists of two (2) Sub-Clauses as listed
below:
5.1.1 General
5.1.2 Customer Focus
Sub-Clause 5.1.1 General The first five words set the tone in this sub-clause: Top
management shall demonstrateleadership, and then they proceed to give you ten
(10) ways to demonstrate it, which is double the number from the 2008 version. In the
2015 edition of this Standard, this area adds some new requirements, the first being
Sub-Clause 5.1.1 a) which asks top management to take accountability for the
effectiveness of the QMS this word was not found anywhere in the 2008 version. The
second being Sub-Clause 5.1.1 b) where there is a requirement that top management
ensure that the quality policy and the quality objectives are compatible with the context
and strategic direction of the organization. The third is Sub-Clause 5.1.1 c) which asks
top management to integrate the QMS into its businessprocesses. These last two
additions clearly asks that top management view the QMS as an integral part of how the
business is run.
The fourth additional requirement (from 2008) is Sub-Clause 5.1.1 d) which asks top
management to promote the use ofrisk-based thinking. This is the one and only
shall requirement within the entire Standard that mentions risk-based thinking.
Nowhere else within Elements 4.0 through to Element 10.0, of ISO 9001:2015, is the
term risk-based thinking found. Interesting isnt it? Considering all the hoopla that has
been raised on this topic, in various webinars and online forums, one would have
thought there would have been multiple shalls requiring risk-based thinking (but no,
just once, in sub-clause 5.1.1 d). I will have more to say on the risk topic when I get to
Clause 6.1, so stay tuned when I will share more information on one approach
organizations can use to address risk, and risk-based thinking.
The fifth and sixth new requirements are found in Sub-Clauses 5.1.1 f) & g) which ask
top management to communicate the importance of effective quality management and
to ensure that the QMS achieves its intended results. It would be a good exercise for
every organization seeking to transition to this new ISO 9001:2015 Standard, to first
decide who is considered top management and then to ask them to express what they
see as the intended results for their QMS. Continuing on, Sub-Clause 5.1.1 h) is one
place where they have attempted to deal with eliminating the previous role of
Management Representative, by spreading this responsibility to others. Finally, in SubClause 5.1.1 j) they ask top management to support other relevant management roles in
providing leadership, in other areas of the business.
Sub-Clause 5.1.2 Customer Focus This requirement leads off by asking top
management to demonstrate leadership in this area of Customer focus by providing us
with three (3) ways to do it, two of which were found in the previous 2008 version. Sub-
Clause 5.1.2 b) adds a new requirement asking that top management ensure that risks
and opportunities that can impact Customer satisfaction with the organizations products
and services, are properly addressed. Although the Standard doesnt reference Clause
6.1 (Actions to address risks and opportunities), it should have, since that is where top
management needs to point, to demonstrate that theyve addressed this requirement.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sub-Clause 5.2.1 Establishing the Quality Policy The requirements within this subclause really didnt change much from the previous 2008 edition except in one area,
found in 5.2.1a). Here theyve added the words Top management shall establish a
quality policy that is appropriate to the context of the organization and supports its
strategic direction. Well as you know, context was covered back in Clause 4.1, and
strategic direction was also mentioned back in Clauses 4.1 and 5.1. These new words
are another example of how they have attempted to align the actual running of the
business with the ISO 9001 Standard, which in my opinion can only help the ongoing
management support needed for every QMS.
This sub-clause gives you a reason to get this topic back on the boardroom table. The
Quality Policy sets the tone as to how Top Management views quality. It is the goal that
the organization is trying to attain. Its the reason why you installed the QMS in the first
place so you can achieve the Quality Policy! Many Quality Policy statements have
become stale and outdated since the last major revision to the Standard back in the
year 2000. These new requirements regarding context and strategic direction should
initiate a discussion with Top Management to get their input on this key document.
Many companies also have developed Mission Statements, so here is a great
opportunity to see if it can be used in place of your Quality Policy, and satisfy the
requirements within this sub-clause.
Sub-Clause 5.2.2 Communicating the Quality Policy Within this sub-clause you
will find a number of new requirements starting with 5.2.2a) which asks that you make
your Quality Policy available to everyone whenever they wish to view it. Some
employees only get to see the Quality Policy during orientation training, and if it isnt
posted in multiple areas then is it really available to them?
Sub-clause 5.2.2b) asks that you ensure that the Quality Policy is applied within the
organization. First they ask that you make it available and now they want you to
apply it. As I said above, the Quality Policy is the goal of your QMS, and as such
should be applied by employees to help them make the right decisions for the business,
when quality is involved.
Finally, Sub-clause 5.2.2c) asks that you also make the Quality Policy available to
relevant interested parties, as appropriate. First off, interested parties were covered
back in Clause 4.2. Second, there is lots of flexibility in the word relevant so be sure to
go back to how you addressed Clause 4.2, what interested parties were involved, and
then determine how each of them will be able to view your Quality Policy if they wish to.
Whats new in this Clause is what is missing from it namely there is no longer a
requirement to appoint a QMS Management Representative. This situation is very
similar to the removal of the requirement for a Quality Manual, and once again I suggest
you carefully re-consider before eliminating this role.
As I mentioned back in an earlier Newsletter (ISO 9001:2015 Newsletter Issue 5), the
Management Representative role can provide an important focal point for many quality
related activities within an organization, such as taking ownership of the internal audit
process, coordinating audits with outside Customers, as well as handling external
regulatory/accreditation bodies, to mention just a few.
Keep in mind that your QMS could erode over time if no one is specifically identified and
assigned to look after it. Id recommend that the role of Management Representative
be maintained but that it become a rotating responsibility amongst the Top Management
team members, and that it is re-assigned every two years max. This provides a few
advantages, such as: a) it satisfies the intent of the ISO 9001:2015 Standard of
distributing QMS responsibilities; b) it recognizes that everyone shares the commitment
to Quality within the organization; and c) every member of Top Management eventually
gains a much better appreciation of all that is involved in maintaining a QMS.
Other wording that is new within Clause 5.3 is the phrase ...ensure that roles,
responsibilities and authorities areunderstood within the organization. This implies
that Top Management will ensure that it is understood who is responsible for what
within the Quality Management System. If this new requirement is not addressed
properly it will surface during audit interviews where conflicting responses are received
from auditees when asked about who makes the final decision on quality related issues.
Other then the above comments, Clause 5.3 is mostly a repeat of requirements from the
earlier 2008 edition.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ISO 9001:2015
Element 6.0 Planning
Whats new in Element 6.0? The term risk is new and as I mentioned in my last
Newsletter (ISO 9001:2015 Newsletter Issue 5), I gave a presentation to the ASQ
Toronto Section on Oct 14th where I reviewed the main changes within ISO 9001:2015.
There was record attendance (approx. 140 people) and they had lots of questions,
mostly about the topic of risk. There seems to be a lot of confusion on how to handle
the new risk requirements in the Standard. ClickHERE to download a copy of this
presentation.
The new Clause numbering
Section 4 Context of the organization
Section 5 Leadership
Section 6 Planning
Section 7 Support
Section 8 Operation
Section 9 Performance evaluation
Section 10 Improvement
Clause 6.1 Actions to address risks and opportunities: This Clause contains two
sub-clauses, namely 6.1.1 and 6.1.2 (with neither of these sub-clauses having titles).
We previously discussed Clause 6.1 back in an earlier Newsletter (ISO 9001:2015
Newsletter Issue 3), when we covered the topics of Business/Strategic Planning and
SWOT, where both of these approaches should generate actions to address risks and
opportunities, which is what is needed to comply with this Clause.
Sub-Clause 6.1.1 asks you to refer back to the issues in Clause 4.1 (Understanding the
Organization and its Context) and the requirements in Clause 4.2 (Understanding the
Needs and Expectations of Interested Parties) as part of your planning process, and
then continues on to explain why you need to address risks and opportunities, in subclause parts [a] through [d].
Sub-Clause 6.1.2 carries on and asks you to [a] plan actions for risks/opportunities,
and [b] plan how you will weave these actions into your QMS (and then check whether
these actions worked). They finish by reminding you that it is completely your decision
on how big or how small these actions will be.
Theyve also added a couple of NOTES at the end which attempt to clarify the words in
this Clause.
Clause 6.2 Quality objectives and planning to achieve them: This Clause contains
two sub-clauses, namely 6.2.1 and 6.2.2 (with neither of these sub-clauses having
titles). Sub-Clause 6.2.1 starts off being very similar to the requirements in the 2008
version but adds that these quality objectives should also be established for
processes, which is something new.
Sub-Clause 6.2.1 parts [a] through [e] outline requirements that are not really different
from 2008, however [f] and [g] asks that you communicate the quality objectives and
that you keep them updated. Finally they make sure that there is no confusion by telling
you to maintain them as documented information. These requirements add some
teeth to what Ive always said is a critical Clause within the ISO 9001 Standard because
it drives your quality performance.
Sub-Clause 6.2.2 parts [a] through [e] definitely add new substance to the topic of
Quality Objectives by asking Who, What, When and How. This level of detailed
requirements will ensure that you are clearly stating how you handle quality objectives
within your organization. This new ISO 9001:2015 Standard is attempting to achieve
more business alignment, and all of the Clauses within Element 6.0 are a good
example of that.
Clause 6.3 Planning of changes: This Clause has essentially the same requirements
as the 2008 version and therefore should have limited impact on an existing QMS that is
currently compliant with ISO 9001.
Make sure to watch for our next Newsletter issue where we will cover another section of
ISO 9001:2015
PS: Dont forget to look at the Q&A section below for some final thoughts
Q: How should Quality Objectives be developed? Are they the same as Business
Objectives?
A: Let me start with the second part of the question. Yes, Quality Objectives can be
identical to the Business Objectives, or they can be a sub-set of them. Business
Objectives are generated from the key words found within an organizations Mission
Statement. If you state that you want to be the market leader in your industry then you
need to set a measurable objective (and an action plan) that will get you there. This is
the same approach that you should use with your QMS by ensuring that your Quality
Objectives flow directly from the key words within your Quality Policy statement. So if
your Quality Policy says something like we make sure Customers are always
satisfied by being on-time every time then you would need two quality objectives, one
for the level of Customer Satisfaction you want to achieve, and another objective for the
on-time delivery performance that you are striving towards.
Note B: The content for these Newsletters comes from working in the field with my
Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from
conducting numerous gap audits, where the requirements of the Standard have to be
interpreted and applied to each unique situation. Combining a Gap Audit with ISO 9001
Essentials Training, has become our most popular request from our Newsletter readers
(more details on this, as well as other training, can be found below).
Clause 6.1 Actions to Address Risks and Opportunities consists of two (2) SubClauses as listed below:
6.1.1 [no title] When planning for the quality management system
6.1.2 [no title] The organization shall plan
Sub-Clause 6.1.1 This sub-clause asks you to refer back to the issues in Clause 4.1
(Understanding the Organization and its Context) and the requirements in Clause 4.2
(Understanding the Needs and Expectations of Interested Parties) as part of your
planning process, and then continues on to explain why you need to address risks and
opportunities, in sub-clause 6.1.1 parts [a] through [d].
Lets take a moment and talk about risk I continue to see discussions (lots and lots
of discussion) in online forums debating the terms risk and risk-based thinking, what
they mean and what can be shown to an auditor as objective evidence.
Lets begin with some words taken directly from the ISO 9001:2015 Standard
From Annex A.4: One of the key purposes of a quality management system is to act
as a preventive tool. Consequently, this International Standard does not have a separate
clause or subclause on preventive action. The concept of preventive action is expressed
through the use of risk-based thinking in formulating quality management system
requirements.
Also, here are some additional facts derived directly from the ISO 9001:2015
Standard
Other than Clause 5.1.1 d), there are NO other shall requirements for risk-based
thinking in the ISO 9001:2015 Standard. Not one other shall period and Clause
5.1.1 d) simply asks top management to promote the use of risk-based thinking thats
it promote the use and NO documented information is required.
Let me continue
The single word risk (not risk-based thinking) shows up in only eight (8) sentences as
a requirement, but not one of these areas ask for documented information, which
means verbal-only evidence will have to be acceptable to an auditor.
Let me summarize then by saying that this new ISO 9001:2015 Standard has eliminated
the Preventive Action clause and replaced it with a concept called risk-based thinking.
I say concept because there is no teeth to it, no requirements exist other than to
promote the concept within the organization, and no requirement to show documented
proof that you have implemented risk-based thinking (even the old Preventive Action
clause required a controlled record to be kept!).
As an ISO 9001 Auditor, I fully recognize the predicament this places the Auditor in, and
two words come to mind, flexible and open-minded, because thats what it will take to
assess whether an organization has complied.
As an ISO 9001 Trainer/Consultant, my advice is to begin by understanding how your
organization currently deals with risks and opportunities, as an ongoing business issue
(i.e. business or strategic planning). Resist the urge to implement some new process or
activity since it will likely not last if the business process owners dont see inherent value
in doing it, year after year, after year. If your organization has weak business planning
practices then look to your existing Quality Management System (QMS) since it
primarily functions as a risk mitigating tool. Keep in mind that your QMS also has
ways of uncovering opportunities as well.
I recommend that once youve decided how you will address the terms risk, risk-based
thinking and opportunities, then document your interpretation of these words within
your Quality Manual. This is a good way to guide the Auditor (Internal or External) on
how your organization has chosen to address these topics, and doing so should help
prevent future disputes during subsequent audits of your QMS.
Sub-Clause 6.1.2 This sub-clause asks you to [a] plan actions for risks &
opportunities, and [b] plan how you will weave these actions into your QMS (and then
plan how to check whether these actions worked). They finish off in the last sentence
reminding you that it is completely your decision on how big or how small these actions
will be.
Depending on what you discovered when you investigated how your business currently
handles risks and opportunities, will dictate how you address the requirements within
sub-clause 6.1.2. If you have a Strategic Plan, or a Business Plan, and/or a SWOT
Analysis (ISO 9001:2015 Newsletter Issue 4), then make reference to that activity within
your Quality Manual. Otherwise, follow my advice above about using your existing QMS
as your risk & opportunity tool.
Finally, theyve also added a couple of NOTES at the end which attempt to clarify the
words in this Clause, and although they are nice sounding words, they dont really help
much and remember that a NOTE is not a requirement within the ISO 9001:2015
Standard.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note B: The content for these Newsletters comes from working in the field with my
Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from
conducting numerous gap audits, where the requirements of the Standard have to be
interpreted and applied to each unique situation. Combining a Gap Audit with ISO 9001
Essentials Training, has become our most popular request from our Newsletter readers
(more details on this, as well as other training, can be found below).
Clause 6.2 Quality objectives and planning to achieve them consists of two (2)
Sub-Clauses as listed below:
6.2.1 [no title] The organization shall establish quality objectives
6.2.2 [no title] When planning how to achieve its quality objectives
Sub-Clause 6.2.1 The lead off sentence starts off by being very similar to the
requirements in the 2008 version but adds that these Quality Objectives should also be
established for relevant processes, which is something new. Many organizations
already have objectives in place for processes, in addition to measurements for
individual functions or departments. You can recognize these process objectives
because they are the metrics that not one single Manager can control, but rather
depends on various functional areas to perform effectively, an example of which would
be on-time delivery to the Customer.
Parts [a] through [e] within this sub-clause outline requirements that are not really
different from 2008, asking that the Quality Objectives: be consistent with the Quality
Policy; be measurable; that they take into account any applicable requirements; be
relevant to the conformity of products/services and to the enhancement of Customer
satisfaction; and be monitored. However parts [f] and [g] asks that you communicate
the Quality Objectives, and that you keep them updated. In many organizations this is
often accomplished during monthly or quarterly business scorecard review meetings.
Finally they make sure that there is no confusion by telling you to maintain your Quality
Objectives as documented information. All of the requirements found in Clause 6.2
add some teeth to what Ive always said is a critical section within the ISO 9001
Standard because it drives your quality performance.
The following was taken from a previous Newsletter and I think its worth repeating
How should Quality Objectives be developed? Are they the same as Business
Objectives? Let me start with the second part of the question. Yes, Quality Objectives
can be identical to the Business Objectives, or they can be a sub-set of them. Business
Objectives are generated from the key words found within an organizations Mission
Statement. If you state that you want to be the market leader in your industry then you
need to set a measurable objective (and an action plan) that will get you there. This is
the same approach that you should use with your QMS by ensuring that your Quality
Objectives flow directly from the key words within your Quality Policy statement. So if
your Quality Policy says something like we make sure Customers are always
satisfied, by being on-time every time then you would need two quality objectives,
one for the level of Customer Satisfaction you want to achieve, and another objective for
the on-time delivery performance that you are striving towards.
Sub-Clause 6.2.2 Parts [a] through [e] definitely adds new depth to the topic of
Quality Objectives by asking Who, What, When and How. They want to know
what will be done to achieve each Quality Objective (and what resources will be needed
to do it); Who is responsible for each Quality Objective; When each Quality Objective
will be achieved; and how the status of each Quality Objective will be tracked and
assessed. This level of detailed requirements will ensure that you are clearly stating
how you will manage to achieve your Quality Objectives within your organization.
This new ISO 9001:2015 Standard is attempting to achieve more business alignment,
and Clause 6.2 is another good example of that.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A good example of when this Clause applies would be for making the transition to this
new ISO 9001:2015 Standard, when your organization will upgrade its QMS to comply
with these new requirements!
SO 9001:2015
Element 7.0 Support
Whats new in Element 7.0? We covered the planning activities in my last
Newsletter (ISO 9001:2015 Newsletter Issue 6), and these plans now require support
to implement them, which is the focus of Element 7.0 (Support). This Element
combines a number of topics from the previous 2008 version with the biggest change
being the concept of organizational knowledge to address the potential loss of
knowledge which could impact Customer satisfaction, as well as the ability to run the
business effectively.
7.3 Awareness
7.4 Communication
7.5 Documented Information
work instructions). These types of documents are one way to capture knowledge
embedded within the organization and preserve it over time.
Clause 7.2 Competence: This Clause contains very few changes from the previous
2008 version.
Clause 7.3 Awareness: This Clause has a couple of changes within it, namely it is
asking organizations to make it clear to their employees the impact on the business if
they improve their performance, as well as the impact if they perform poorly.
Clause 7.5 Documented Information This Clause contains three (3) subclauses, Sub-Clause 7.5.1 (General), Sub-Clause 7.5.2 (Creating and Updating) and
Sub-Clause 7.5.3 (Control of documented information). This is the new Clause
combining the old control of documents and control of records. The requirements
appear to be much the same and it is not clear what theyve accomplished by combining
these two concepts, except perhaps confusion in the user community.
Be sure to watch for our next Newsletter issue where we will cover another section of
ISO 9001:2015
PS: Dont forget to look at the Q&A section below for some final thoughts
To view all of our past Newsletters or to sign up to receive them click here
Q: How should we address this new term called documented information and has
there been a reduction in documentation requirements in this new revision?
A: Let me start with the second part of the question. In the previous edition (2008) they
asked for 1 Quality Manual, 6 areas requiring a documented procedure and 19 records.
In this new revision they have used the term documented information 34 times. I just
dont see where theyve reduced the requirements for documentation. As always, its up
to you to decide how much, or how little, documentation you will create to satisfy
yourself and your Customers that you have an effectively functioning QMS period.
With respect to addressing documented information I would suggest that if your
current method of controlling documents and controlling records works, then leave it
as is and dont change it. Of course if it needs fixing then get on with repairing it for the
good of your business and not just because a revision was made to the ISO 9001
Standard.
Clause 8.1 Operational planning and control This Clause re-states similar
requirements for planning and control from the 2008 version but with a few key
differences. The first one being that these requirements now apply to all processes
identified within your QMS and not just the product realization processes. This was
implied in 2008 and now theyve made it much clearer. The other change deals with
managing the risks associated with changes you make to any of your QMS processes,
as well as action plans to mitigate any adverse effects from those changes.
Clause 8.2 Requirements for products and services: This Clause contains four (4)
sub-clauses, Sub-Clause 8.2.1 (Customer communication), Sub-Clause 8.2.2
(Determining the requirements related to products and services), Sub-Clause 8.2.3
(Review of requirements related to products and services), and Sub-Clause 8.2.4
(Changes to requirements for products and services). After a careful review of Clause
8.2, a few key items come to the surface. The first being that they use two separate
shall requirements to make it abundantly clear that you should not accept an Order
from a Customer unless you are convinced that you can deliver it (both the product and
the service) to their satisfaction. The number of nonconformances generated will be an
indicator of how often you break your promise to the Customer. The other key item in
this Clause is again the concept of services. You need to also review your ability to
make good on all of the services that you also promise to the Customer. As I said in
an earlier Newsletter, the best way to make sure that services are being addressed
properly within your QMS, is to develop a listing of all the services that your Customers
expect from your organization, then use that list to guide you as you dive into each of
the Clauses of this new Standard.
Clause 8.3 Design and development of products and services: This Clause
contains six (6) sub-clauses, Sub-Clause 8.3.1 (General), Sub-Clause 8.3.2 (Design
and development planning), Sub-Clause 8.3.3 (Design and development inputs), SubClause 8.3.4 (Design and development controls), Sub-Clause 8.3.5 (Design and
development outputs) and Sub-Clause 8.3.6 (Design and development changes).
Clause 8.3 has all of the previous requirements from 2008, along with some minor
changes, the most significant of which is the mention of Customer throughout, as well
as managing any risks associated from adverse effects of design changes. Of course,
Ive already mentioned above about handling design of services, which is now
expected within this Clause.
Clause 8.4 Control of externally provided processes, products and services: This
Clause contains three (3) sub-clauses, Sub-Clause 8.4.1 (General), Sub-Clause 8.4.2
(Type and extent of control) and Sub-Clause 8.4.3 (Information for external providers).
The biggest change here is the switch from the term supplier to external provider,
and so the word purchasing is no longer found within the ISO 9001:2015 Standard
(except in Annex A.8). Also, the 2008 version was product focused and as you can
see this has now grown to products, services & processes. So although the
requirements within Clause 8.4 remain essentially the same as 2008 (albeit there are
more of them and they are more prescriptive), the scope is much broader since it
encompasses many more activities, with many more players, regardless of whether
money actually changes hands (i.e. Vendors; Corporate Headquarters; Sister
Plants/Facilities; Shared Services; Other Depts; Joint Ventures; Associations; etc).
Clause 8.5 Production and service provision: This Clause contains six (6) subclauses, Sub-Clause 8.5.1 (Control of production and service provision), Sub-Clause
8.5.2 (Identification and traceability), Sub-Clause 8.5.3 (Property belonging to
customers or external providers), Sub-Clause 8.5.4 (Preservation), Sub-Clause 8.5.5
(Post-delivery activities) and Sub-Clause 8.5.6 (Control of changes). One of the
changes found here is in Sub-Clause 8.5.1 g) which asks you to include mistake
proofing as part of your control techniques. They do however use the wording as
applicable so it will be up to each organization to decide whether to make use of this
excellent tool. Another change is contained within Sub-Clause 8.5.3 which now includes
property supplied by external providers, and not just Customers. Sub-Clause 8.5.5 c)
is interesting in that it asks you to consider the life cycle of your products and services.
Finally, Sub-Clause 8.5.6 includes new requirements pertaining to managing changes
made in your Operations.
Clause 8.6 Release of products and services This Clause is essentially the same
as the previous 2008 version, with very few changes.
Clause 8.7 Control of nonconforming outputs This Clause starts off by using a
title that makes use of the term outputs, which ensures that you dont forget about
services being supplied to your Customers. In the past, this area of the Standard
typically only dealt with a limited number of nonconformance types or categories, and
they were primarily product related. Otherwise, the requirements found within this
Clause are similar to the 2008 version.
ISO 9001:2015
Element 9.0 Performance evaluation consists of three (3) Clauses as listed below:
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management Review
Clause 9.2 Internal audit: This Clause contains two (2) sub-clauses, Sub-Clause
9.2.1 and Sub-Clause 9.2.2, neither of which have titles on them. In my introductory
paragraph above I noted that there was really nothing new added to this Clause with the
exception that the internal audit process will now need to cover a much broader range
of QMS requirements than what auditors saw with the 2008 version. Although there is
still a Note referencing ISO 19011 as a guidance document, let me take this
opportunity to re-iterate that it still your choice how you train, and how you ensure
competency of your Internal Auditors. The requirements of ISO 19011 are not a part of
ISO 9001:2015 unless you make it so by including ISO 19011 within your QMS.
Clause 9.3 Management review: This Clause contains three (3) sub-clauses, SubClause 9.3.1 (General), Sub-Clause 9.3.2 (Management review inputs) and Sub-Clause
9.3.3 (Management review outputs). Sub-Clause 9.3.1 (General) includes a very direct
connection to your Business by asking you to make sure that your QMS is aligned with
the strategic direction of your organization. This is a new requirement but one that
makes good sense to implement properly. The other change here is the omission of the
term Quality Policy from being part of the management review process. Sub-Clause
9.3.2 (Management review inputs), item e) refers back to Clause 6.1 by stating
management review shall be planned and carried out taking into consideration the
effectiveness of actions taken to address risks and opportunities (see 6.1). The rest of
this sub-clause is much the same as found before in earlier versions. Finally, SubClause 9.3.3 (Management review outputs) eliminates the word any from this sentence
The outputs of the management review shall include any decisions and actions related
to. This removes the option of claiming that if no decisions were made during
management review then the old sub-clause called Review Output did not apply. Also,
items a), b) and c) of Sub-Clause 9.3.3 are similar yet less demanding then their
predecessors back in 2008.
Be sure to watch for our next Newsletter issue where we will cover another section of
ISO 9001:2015
PS: Dont forget to look at the Q&A section below for some final thoughts
To view all of our past Newsletters or to sign up to receive them click here
Q: Im the QMS Rep and I want to get started on making the transition to the new ISO
9001:2015, how should I begin?
A: I would suggest you schedule one week to get this initiative launched. You should
attempt to involve all of your internal auditors (as well as anyone else who is interested
in helping make this transition). Obtain a copy of the new ISO 9001:2015 Standard and
project it onto a big screen for everyone to see. Starting with Element 4.0 (Context of
the organization), review the requirements and highlight the obvious additions and
changes. I say obvious because otherwise your session will disintegrate into arguing
about the minutia. Once an Element is complete, perform a gap audit to assess and
document what needs to be done to comply. Try and get Elements 4, 5, 6, 7, 9, 10 done
in three days (half day each) and reserve a whole day for Element 8.0 (Operation). On
the fifth day, finalize your gap audit report and issue it to all attendees, as well as to top
management, so they get a sense of how much work will be involved in making this
transition. Ive had good success so far helping companies do exactly what Ive
described above. I simply combined my Essentials training with my Gap Audit
service. The added advantage is that all attendees received a training certificate
covering their education on the new ISO 9001:2015 Standard.
ISO 9001:2015
Element 10.0 Improvement
Whats new in Element 10.0? We covered performance evaluation of the Quality
Management System (QMS) in my last Newsletter (ISO 9001:2015 Newsletter Issue 9),
and now Element 10.0 (Improvement) focuses on raising the bar on the effectiveness
of your QMS. There really is not much new that has been added into this Element but
one term has been eliminated, that being preventive action. They explain in Annex A.4
that risk-based thinking replaces the concept of preventive action and therefore that
Clause from 2008 was no longer needed. I see it a little differently, I think they simply
took the old Preventive Action section from 2008 and sprinkled it throughout this
revised Standard and came up with a new term called risk-based thinking. Here in
Clause 10.1 item b) you see a good example of what I am referring to, where they use
this phrase These shall include correcting, preventing or reducing undesired effects.
If you do a word search of the word potential, (as in potential nonconformity or
potential problem or potential risk) youll find it occurs seven (7) times as part of a shall
requirement in ISO 9001:2015. The bottom line is that Preventive Action as a process
or activity is still very much a requirement within this new Standard.
Clause 10.2 Nonconformity and corrective action: This Clause contains two (2)
sub-clauses, Sub-Clause 10.2.1 and Sub-Clause 10.2.2, neither of which have titles on
them. Both of these are essentially a repeat from 2008, with a bit more detail added,
including a new requirement found in 10.2.1 item e) which states the organization
shallupdate risks and opportunities determined during planning.
Clause 10.3 Continual Improvement This Clause contains no sub-clauses and
includes nothing substantially different from what was found in the previous 2008
version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~