Quality management professionals focused their eyes on the big update to ISO 9001 in September, and changes in the standard will require top leadership to do the same moving into the new year and beyond.
Along with a new focus on risk-based thinking, among other changes, the standard has evolved to integrate quality management into the core of an organization with new leadership requirements. Organizations have a three-year window to reaccredit.
“The whole premise of the changes is really to bring management systems closer to boardrooms,” says John DiMaria, senior product manager for systems certification, BSI Group America. “I think it’s a great opportunity for management. The leadership part of that is really the foundation of top management being more hands-on involved in the processes and the management system, ensuring that the management system meets its intended outcomes and that they’re meeting the objectives, and that the processes are effective.”
The latest changes, released Sept. 24, continue the standard’s evolution from its first incarnation in 1987 as a manufacturing processes standard. In 1994, emphasis shifted to product assurance using preventive actions. Those changes were followed by a big update in 2000 that focused on quality management, which was further refined in 2008.
The latest evolution of the standard, ISO 9001:2015, uses the Annex SL structure, providing the same template as other standards, and places new contextual requirements on businesses to look at and evaluate inputs and outputs.
“You have to understand the internal and external context of the (organizations) you have relationships with and how what you do affects them and how they affect you as an organization, and society around you,” DiMaria explains.
When paired with the attention on risk-based thinking and new requirements on top management, the 2015 edition “is more focused on the entire organization, the strategic direction an organization is taking and how they fit this in to making sure quality is not just the parts they make, but that quality is about everything they do in the organization,” Di Maria continues.
How business leadership reacts to the new requirements will vary from organization to organization.
“It all depends on the culture of the organization, on how top management will respond to the emphasis on leadership requirements,” says Paula Garrett, LRQA, assessment manager for quality, aerospace and medical in North America. “Some will see their involvement and commitment as business as usual. For others where the ‘system’ is governed by a dedicated manager or external consultant and the top management has little interaction, there will be huge hills to climb, as this will have impacts throughout the management system where leadership is required.”
To that end, Prysm Director of Corporate Quality Praveen Gupta says quality management professionals will need to focus on good communication skills with top brass.
“I always said quality has two aspects, one is enforcement and one is influence,” says Gupta, who is also a past member of U.S TAG 176. “So quality and quality professionals must become good at influencing their stakeholders rather than enforcing compliance. I think we will have to sell it to them, and it will take a while. I always focus on making sure that the mindset of the company is aligned to the QMS, and that requires upfront work with the leadership team.”
Impact of Less Documentation
Previously, the standard was highly prescriptive regarding certain documented procedures. Going forward, the standard has some documented information requirements to demonstrate evidence, and to demonstrate maintenance of the system. But when it comes to an organization determining its level of documented info, it’s more flexible, according to Lorri Hunt.
Hunt was a member of the US technical advisory group (US TAG to ISO TC176) and was a co-convener to Working Group 24, the international group that edited ISO 9001, as well as head of delegation for ISO TC 176/SC2.
“One of the reasons for the change is that the way we do business is different from what it was 15 years ago,” she explains. “We have more sophisticated training programs. We have different ways of delivering info. So some organizations may have embedded instructions in their software tools. So, that written, documented procedure is no longer the way that most businesses operate.”
Reaction to ‘Risk-Based Thinking’
Medical devices manufacturers and the aerospace industry, among others, already use risk tools. And while the idea will require training for some companies, many already meet the requirement without recognizing it.
“Risk has always been an implied requirement within ISO 9001 and organizations have always applied this approach, probably in an informal manner with their existing processes – such as undertaking a feasibility review at a quoting stage for an order and then re-evaluating the feasibility or order placement,” Garrett adds. “This is taking a risk-based approach and not a formal ‘meets needs’ approach.
“We live in an ever more complicated world, and the business world is integral in that. Risk prioritization comes to the forefront and having demonstrable mechanisms to address risk will benefit all.”
Hunt agrees, while the words “risk-based thinking” might be new to the standard, the idea is not.
“There was certain language where the word risk was not used, but organizations made decisions based on the potential effect of a certain nonconformity in the organization, or about controls they would put in based on the potential effect if the control was not put in place,” she says. “Risk-based thinking allows you the philosophy to consider all of your processes and look at ‘what is the potential risk with this process not being performed correctly and what actions do we need to take to address it?’
“And so there are a lot of indications that people see this as a big change, when in reality it’s more of a structured change around a philosophy that was already inherent in the standard.”
Carmine Liuzzi, vice president of training and improvement solutions for SAI Global, said over the course of several webinars, the general feedback has been that about 30-40 percent of organizations think the new requirements are “kind of the next logical step in the evolution of what a management system is.
“For the other organizations, there’s going be some education that’s required.”
All the changes dovetail with an intention to steer organization’s quality management systems towards performance, and demonstrating evidence of such.
“There’s a much greater emphasis on the results of the organization, and the activities that it engages in, rather than simply reacting to it,” Liuzzi adds. “The leadership of the organization now has a requirement that they are supposed to promote risk-based thinking and how they run the business on a day-to-day business becomes part of the management system, as opposed to in the past it’s always been kind of considered something extra.”