With more than one million certifications issued, ISO 9001 is the world’s most widely adopted framework for quality management systems, helping companies achieve conformity of products and services to meet customer expectations and regulatory compliance. The ISO 9001 standard has become synonymous with quality and confidence, so much so that many global organizations have made certification by suppliers, partners, and solution providers a prerequisite to doing business.
During the past three decades, ISO 9001 has undergone numerous revisions with the goal of making the standard extensible to the most current market and business conditions. In September, the 2015 edition of ISO 9001 was published with three timely considerations in mind: rendering the standard more applicable to globalization and service-based economies, better aligning quality management with core business management, and simplifying the standard’s implementation and integration with other international management standards.
While the scope and intent of ISO 9001:2015 stays true to that of its predecessors, the new version places even greater emphasis on optimizing performance using “risk-based thinking” for managing quality-related processes. The premise is that risk management should now be considered a systemwide component of quality management, serving as the cornerstone of quality management system design. The intended goal is to prevent undesirable outcomes and identify new opportunities for organizations to exceed expectations and improve business performance.
Manage risk using process-oriented models
In ISO 9001:2015, risk-based thinking enhances the standard’s process-oriented approach, with the understanding that different processes will have varying impacts on an organization’s ability to deliver consistent quality outcomes. Processes should be managed using the plan-do-check-act (PDCA) cycle, a repeatable four-step process of analyzing, prioritizing, and responding to potential risks in relation to key performance indicators. The PDCA method assists organizations in maintaining strict control over the quality of products and services, with an emphasis on continued process refinement and perfection. The process approach—still a very critical part of ISO 9001:2015—must now be implemented with an acute organizational awareness of risk.
As organizations build or adapt their existing quality management implementations for updated certification, they will need to identify, analyze, and prioritize all potential risks. To do so effectively, quality managers must acquire a deep understanding of organizational context and pinpoint the internal and external risk-bearing variables that can influence quality outcomes. For example, an enterprise information management (EIM) solution can be used to track risks for specific processes related to production, and a risk object class can be created specifically for tracking production risk factors along with related content and processes. Risks can then be assessed based on the likelihood they will occur, the likelihood that they can be detected, and potential impact should the risks occur. These risks are then processed via workflows and mitigated based on their importance. For example, the risks that have the most impact and will likely occur without corrective actions must be mitigated first. This helps facilitate a cultural shift centered on prevention and performance improvement in place of isolated problem solving and resolution.
Less prescriptive document controls lend greater flexibility
Early versions of ISO 9001 posed very specific requirements for documented procedures and records. As the standard has evolved, the emphasis has shifted away from stringent documentation controls and toward the management of processes. In the newest version of ISO 9001, there are virtually no prescribed document definitions or procedures, leaving companies free to define their own documentation rules based on their unique business processes and quality management standards.
Given the myriad of mandates placed on companies in heavily regulated industries and considering the sheer amount of documentation that must be managed to support these initiatives, the practice of maintaining separate systems and repositories for both quality and compliance has become counterproductive. The management of documents, information, processes, and supporting templates can be centralized under an EIM solution, streamlining workflows and eliminating redundancy across quality and compliance practices. In short, the management systems for quality and compliance should no longer operate independently of each other, but rather be integrated using a centralized technology platform that is highly accessible, intuitive, controllable, and auditable.
A gradual transition to ISO 9001:2015
Certifications for the 2008 edition of ISO 9001 will expire after September 2018, meaning companies have three years to make the transition. This period represents the ideal opportunity for organizations to take advantage of next-generation technology while modernizing their quality management systems.
To achieve ISO 9001:2015 certification, companies must specify the processes that are relevant to the scope of their quality systems, ensuring the ability to capture evidence to validate process adherence. For example, a quality objective for technical support (a process) might be customer satisfaction (sub-process). One key performance indicator of this sub-process might be customer satisfaction rate, which is measured annually, and capturing the satisfaction rate could be a recurring task in an EIM system that enables companies to verify these processes are followed.
Leveraging best-of-breed EIM platforms, organizations can intuitively link process structures to associated documents and objects, incorporating the capabilities to capture audit trails and electronic signatures. Let’s take a look at the following example of this:
1. IT realizes that server123 was not backed up last week
2. IT creates a deviation related to server123 in the system
3. The cause is analyzed and it turns out that the standard operating procedure (SOP) No. 123 document specifies that weekly backups must be taken from servers. However, the IT manager did not perform this because it was not formally set up as a maintenance task.
4. The following corrective actions are implemented:
• SOP No. 123 is updated to say that for each server, there must be a recurring maintenance task in the quality management system for server backup. Each person involved in server maintenance is required to read and learn the SOP, and sign off via an electronic signature.
• A recurring task is set up in the EIM solution that automatically sends an email reminder to the IT manager about backing up server123
5. The IT manager logs the risk object in the EIM system and assesses its impact severity, its likelihood, and whether it is detectable
6. The risk is mitigated and full audit trails of all processes are available
All of these steps are managed within the same system, and when others in the company need information about the deviation, they can immediately access any related object (which server was affected, how was the deviation fixed, etc.). In addition, they can see from the SOP No. 123 audit trails that the SOP was updated because of this one deviation. As a result, companies can better track enterprise risks, objectives, stakeholders, and process outcomes (as required by ISO 9001:2015).
For organizations competing in the global economy, ISO 9001:2015 certification is imperative. It not only instills customer confidence in a company’s products and services, but also maintains conformity across the supply chain. With so much at stake, EIM solutions can provide the seamless link that organizations need to better manage risk while updating their quality management systems for ISO compliance.