The requirements of ISO 9001:2015 are viewed and implemented very differently by organizations, depending upon such variables as their size, resources, business sector, maturity, and external requirements.
This article is based primarily on feedback from Orion Registrar’s U.S. staff and auditors regarding clients who were certified to older versions of ISO 9001, prior to their certification to ISO 9001:2015. Some of the topics came up in multiple categories: good, bad and trending. For example, risk was the most common topic mentioned with over half of respondents mentioning it as either good, bad or trending.
The following are summarized comments. In order to present the full range of feedback, it is not possible to present each comment within its own unique context. If some of these comments are unexpected or challenging, please bear in mind that they may have been made from an unfamiliar perspective. The comments do not necessarily reflect Orion Registrar’s point of view but are offered here as a snapshot of what we have observed.
What “Good” Have You Seen in ISO 9001:2015 Implementation?
Risk was, by far, the most mentioned topic.
- The concept of risk-based thinking and risk assessment in everyday decision making.
- The use of formal tools for analysis of risks and opportunities, such as SWOT analysis, failure modes and effects analysis, and techniques described in ISO 31010.
- Under ISO 9001:2008, quality objectives would not change from year to year; for ISO 9001:2015, some clients have created quality objectives based on the result of their risk assessments.
- Clients have used some very clever risk-based thinking implementation with varied risk references in existing processes and some equally clever risk registers or risk assessment records. The other new requirement that has been addressed in different but very effective ways is integration of interested parties with communication and associated risks.
- Under ISO 9001:2008, preventive actions were the risk mitigation mechanism. However, it was an incomplete process, as there was no definitive input. Under ISO 9001:2015, we now have a much better structure of understanding context of the organization (4.1) and the related interested parties and their needs (4.2) as inputs into actions to address risks and opportunities (6.1). Some clients have gone an extra step and retained their preventive actions process and used their risk process as an input into it. This approach provides for the plan-do-check-act method of mitigating that risk, with the built-in “check” step to measure effectiveness.
In addition, the following comments were made about positive aspects of ISO 9001:2015.
- Some clients are really pushing the notion of using a process (plan-do-check-act or other) approach to developing and improving their systems.
- Emphasis on process measures under Quality Objectives and Planning (6.2) and how to achieve them.
- Some clients are really embracing the loosened requirements for traditional procedures and manuals. From internal wiki pages to GitHub pages, just to name a few, they are exploring easier means of documenting their systems.
- Client use of customer surveys, employee surveys and supplier surveys to determine external and internal issues, as well as the needs of employees and suppliers.
- ISO 9001:2015 changed focus on the sustainability of the quality management system (QMS) to go beyond just a management representative, and to increase the roles and requirements for leadership (5.1).
What “Bad” Have You Seen in ISO 9001:2015 Implementation?
The most common responses to this question involved shortcomings in implementation, including the failure to:
- Link needs, expectations, risks and opportunities to objectives and action plans.
- Establish the plan to achieve quality objectives (6.2.2). A common response is “we already do that” but the planning activities are “implied” and not able to be demonstrated.
- Retain documented information that is required by ISO 9001:2015, both that which was formerly referred to as records and also that which is necessary for the effectiveness of the management system. Some clients view the reduced requirements for documented procedures as a reduction in the requirements, without understanding that the focus is on the processes and improving them, and on being more data driven in their approach, rather than just following a procedure.
- Incorporate risk planning into their business practices, viewing it as an added burden.
- Determine how they will demonstrate the process and the results of their risk evaluation.
- Fully implement the requirements of:
  - Understanding the organization and its context (4.1).
  - Understanding the needs and expectations of interested parties (4.2).
  - Organizational Knowledge (7.1.6).
- Realize that the requirements regarding communication have increased and become more detailed from ISO 9001:2008, and adequately address them.
- Understand that under ISO 9001:2015, the management system is not solely a management representative’s responsibility, or fully understand the revised requirements in this area and the requirements of leadership and commitment in section 5.1.
Additional comments involved the changes to ISO 9001:2015 itself, which auditors say make the audits more challenging. For example:
- It is difficult for some clients to understand and fulfill the requirements of 8.5.1 f), now that it has been reduced to a single line with less detail. A similar requirement was clearer in ISO 9001:2008 section 7.5.2, Validation of processes for production and service provision.
- It is hard for an auditor to evaluate if some things are taking place as required, when instead of a requirement for a record or documented procedure, the requirement is worded to say shall be “determined,” “monitored” or “planned.” Providing evidence of this can be challenging for clients. Examples can be seen in sections 4.2, 6.1.2, and 7.4.
- Since there are no criteria for risk in ISO 9001:2015, it may be difficult for a client to implement this requirement.
What are the trends?
The following information was presented by the ANSI-ASQ National Accreditation Board (ANAB, the U.S. accreditation body for ISO 9001) about halfway through the three-year transition process for ISO 9001:2015. This information was gathered from numerous certification bodies’ ISO 9001:2015 audits of their clients, which were witnessed by ANAB.
NCRs were written to the clients against the following sections of ISO 9001:2015: 4.3, 4.4.1, 6.1.1, 7.1, 18.104.22.168, 7.1.6, 7.2, 7.5, 22.214.171.124, 126.96.36.199, 8.2.3, 8.3, 8.4.1, 8.4.3, 8.6, 8.7, 9.1.2, 9.2.1, 9.2.2, 9.3.1, 9.3.2, and 10.2.1. Also, multiple NCRs were written against the clients’ own procedures. The sections associated with the most NCRs are:
- 9.3.2 – Management review inputs
- 10.2.1 – Nonconformity and corrective action
- 9.2.1 – Internal audit
- 7.2 – Competence
- 8.4.1 – Control of externally provided processes, products and services
- 9.1.2 – Customer satisfaction
- 4.4.1 – Quality management system and its processes
In addition, the following areas of difficulty were noted during these audits:
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 5.1.1(d) promoting the use of the process approach and risk-based thinking
- 6.1 Actions to address risks and opportunities.
Orion has noted the following trends:
- Some clients are not fully prepared for their ISO 9001:2015 upgrade audits and have not conducted internal audits to ISO 9001:2015, followed up on all their internal corrective actions, purchased the ISO 9001:2015 standard, nor provided training on ISO 9001:2015 requirements.
- Some multi-site clients are not addressing their corrective actions across all their applicable sites.
- Although a manual is not required, a large percentage of organizations have updated their manual to the new requirements and use the manual as a guide and training tool.
- Documented procedures required by previous revision(s) of the standard are often revised and retained.
- A number of clients have maintained their preventive action processes.
- There has been procrastination in implementing ISO 9001:2015. Some clients have stated that this stemmed from “fear of the unknown” and “we don’t know what we don’t know.” However, Orion has also heard “It wasn’t nearly as bad as we thought it was going to be” and that the 2015 version of ISO 9001 wasn’t much of a change and required minimal changes to clients’ management systems.
- Some clients like ISO 9001:2015 because it lets them develop their management system based on processes they understand. Several have stated that they find this new version to be easier to understand due to the way it is organized.
- Motivation for certification appears to remain relatively unchanged; it is being pursued for one of three main reasons: 1) as a way of improving the overall management system, 2) to increase sales, 3) because it is required.
- An expansion of involvement by human resources with the certification has been seen, especially regarding the review, objectives and actions related to replacement programs for long term employees and maintaining Organizational Knowledge (7.1.6).
The Good: Organizations are rising to the occasion to both implement and benefit from even the most challenging aspects of ISO 9001:2015.
The Bad: Implementation of ISO 9001:2015 is still a work in progress for some companies.
The Trending: Most companies previously certified to ISO 9001 will upgrade to ISO 9001:2015. The future for ISO 9001 is strong.