ISO 9001:2015 – risk and opportunities

Below is an article I added to CQI’s blog in November 2015.

In the third instalment of our guest blog series in collaboration with PMI, Paul Simpson asserts that, just as there are risks and opportunities that we respond to in daily organisational life, quality professionals should focus on the opportunities for improvement presented in ISO 9001:2015.

One of the big new ideas in the 2015 edition of ISO 9001 is ‘Risk Based Thinking’ and if you are to believe the ‘Twitterati’ the concept is akin to the subject of Edvard Munch’s painting ‘The Scream’ as the quality management landscape turns vibrant orange behind them.

But before the hysteria needle hits ‘11’ let’s think back to the real world outside the quality manual.

Everyone involved in running an organisation looks at risk and opportunity – they are two sides of a coin. When an entrepreneur starts their business, risk and opportunity are always front and centre in their mind.

Wherever they have come from, they have identified an opening to start a business, make a living and grow it to the point where it gives them an income with the opportunity of a pot of gold for their retirement. This future is, however, not certain. There will be difficulties along the way and these risks, left unmanaged, could lead to a loss of income and, ultimately, to their business failing.

The entrepreneur recognises these risks come in many forms and many are related to quality:
• Do I have the right products and services for my target customers?
• Can I control production and service delivery to consistently meet those customer needs?
• Can my suppliers keep up with my demands and maintain the quality levels I need?

If I can manage those risks at that level then the business will succeed and I can grasp all the opportunities, including that elusive pot of gold.

Moving forward in time as the business continues to thrive and grow, our entrepreneur has moved upstairs to the boardroom as CEO and has managers and teams dealing with day-to-day business while they buy in high-priced consultants to lead some ‘blue sky’ strategy sessions. Strategic risks haven’t really changed – an incorrect strategy still has the capability to bring down our grown-up start-up.

Tactically the business can cope more easily with risk as it has multiple customers buying a range of products. On the downside, tactical errors can lead to an erosion of hard-earned brand reputation as all our customers inhabit the same system and talk to one another – see the earlier blog on organisational context, Context is King.

Moving out of the boardroom along to the shop floor and offices where ‘business as usual’ happens, ‘risk’ looks a little different but it is just as important it is recognised and managed.

With every order comes a risk the organisation will misunderstand its customers’ needs so, at this process level, there have to be checks and balances. Individuals working with their CEO’s delegated authority, accept orders and enter into contracts including the inherent risks that a legal contract carries.

At the same time on the shop floor, all employees are involved in managing risk. Some develop specifications and standards (perhaps in a separate design office), some manufacture products or deliver services that they believe meet those standards.

Throughout the process managing risks leads to delivered products and services meeting specification, satisfying customer needs and customers paying their bills, thereby allowing the organisation to realise the sales opportunity and contributing to our entrepreneur’s vision of a pot of gold.

If the above risks and opportunities are present in daily organisational life, why do we have concerns for the quality professional’s ability to inhabit this space? Why do we have concerns over what our certification body auditors are going to ‘do to us’?

The revised clauses of ISO 9001 create an opportunity for us to revisit and realign our processes to ensure our systems deliver what our customers and stakeholders want. There are, of course, risks with changes to the standard, but perhaps we can focus on the opportunities presented and maximise them instead.

50% time elapsed – does that equal 50% complete?

Generic transition plan
Generic transition plan

15 March 2017 has been and gone, it marked the halfway point for transition to certification to the latest edition of ISO 9001. If the project plan to have all certified organisations transition to the 2015 edition by 15th September 2018 is half complete then where are we compared with the gantt chart or resource plan?

Aside from the early adopters who went for ‘First to be certified’ on the very same day the standard was published there appears to be a huge bow wave building up in front of the 3rd party certification tanker. Do all those responsible for managing the transition project in their organisation have a plan? Have they updated their personal competence to cover those significant changes that the 2015 edition brings? Do they have buy in from all those ‘top management’ in 9001 called upon to demonstrate leadership and commitment? If the answer to any one of these questions is ‘no’ then there is a serious risk they will not be in the club of 1 million plus holding a certificate on the 16th September 2018.

As with all resource constrained systems the problem will become: ‘How to deliver transition audits in the 6 month period leading up to September 15th 2018 for those late adopters?’

At s2a2s our recommendation is in two parts: Get started on making any changes needed to your systems to demonstrate compliance with the new requirements, and; engage with your current CB and start to work on a programme of visits to cover transition and book those assessment dates in the diary.


Management Review – it’s all in the name

I was in a discussion with a very earnest young man a while back and one of the topics we covered was Management Review as part of the ISO 9001 quality management system he had responsibility for. Let’s just say the conversation was a little heated in places and that lead me to write an article for the Chartered Quality Institute’s Quality World magazine – published in 2011. I’ve been following a couple of threads on social media and was discussing terms with fellow standards developers and thought it might be interesting to revisit the subject.

My earnest friend was of the opinion that Management Review was something new and special – perhaps invented by those wise people in ISO – when it is in fact merely a term for planning – an activity that responsible businesses have been doing for years. Now I understand the need for standard terms and for ISO to define these terms so that users of these standards have a common understanding. But here’s the rub – it is not the place for standard users and in particular quality professionals to continue to use these terms in their daily life. The more we use terms like Management Review, Management Representative and, my personal favourite, Product Realization in both work conversations and management systems documents the further we take these systems away from the people that matter – the users. So once we understand the term we need to go back to our organisation and understand what process(es) we have in place that already satisfy the requirements.

You would expect the board to discuss the effectiveness of the organisation’s management system in ensuring it delivers products and services to meet customer requirements Customer feedback, internal quality measures and the status of improvement plans and programmes would be topics of interest to any managing director. All well and good so far – these topics should also address the requirements of ISO 9001:2015 clause 9.3.2. But, rather than get a regular slot on the board agenda where the responsible manager reports to the board the poor old quality manager generally calls a one off meeting called a ‘Management Review’ with a cut and paste agenda of the standard. The agenda is slavishly followed until the board is bored into submission and everyone can breathe a sigh of relief, go back to the ‘real’ job and drop quality until next year. Worse still the board avoids the meeting as a waste of time – sometimes to the extent that records of reviews are fabricated for meetings that either didn’t take place or where necessary participants couldn’t spare the time. I’ve lost count of the number of wry smiles seen when I float this seemingly ridiculous notion. It is easy to criticize top management commitment in these situations but the responsibility for making the review relevant to busy senior managers is ours. In a previous role as the new quality manager I presented the plan for management review to the board of my ISO 9001 certified company and was faced not with hostility but with blank looks. It took a full eight months of one to one discussions and translation of ISO terms into activities and ,measures they were familiar with before we completed our agenda but I am confident the outcome was much more relevant.

The real challenge for the quality professional is to keep it real and get quality up the agenda so that quality performance is seen to be a leading indicator for financial performance. Recent changes to ISO 9001 give us a real opportunity with the requirements for organization leaders to get involved in establishing meaningful objectives and for process measures to be part of regular quality monitoring – right up to board level. Until those objectives and measures are meaningful and can be seen to be the main route to a sustainable business then we are condemned to a check box approach to review.

Is your internal auditor role a dead end job?

This article was published on the 13th February on Bywater’s site

With this article I’m hoping to prompt discussion about the auditor pool we select from, particularly internal auditors. This started after a comment from a 3rd party certification body where I was told their issue was succession planning and how to deal with an auditor pool where the majority of individuals were well past ‘normal’ retirement age. Now, as a ‘seasoned’ quality professional, I’m all for opportunity at the end of my career and there is great logic in having a good selection of experienced people in your ranks but, as in all things, there has to be balance.

Mirroring the suite of Management System Standards coming out of ISO’s technical committees there seem to be endless ISO / IEC 17021 – xx documents describing 3rd party certification auditor competence and, in the brave new world of demonstrated ability, these documents don’t define auditor competence by a minimum length of stay in a particular technical sector. As a colleague described it: 20 years experience on a cv can be demonstrated progression in a chosen field or one year’s experience repeated 20 times. Nevertheless it takes time to understand sector context, industry tools and techniques, jargon used and regulatory requirements that apply, all things covered in the latest draft of ISO 19011 and 17021 – 3, and hence you need some mileage on the clock to pick them up.

What about internal auditors, do the same rules apply? I say no. Auditors should be selected based on personal capability and behaviours, in particular intelligence and curiosity. If you are lucky enough to be able to afford one, look no further than your graduate programme. These are the best of the new intake to the organisation, proven to have enthusiasm, perhaps tested on assessment days and identified as the ‘best of the best’.

When graduates join you on day 1 they are all desperate to get under the bonnet of your organisation and understand how it works. As an early part of their graduate scheme get them auditing your management system. They bring with them latest thinking and technologies in their field and an inquisitive nature. With the licence to follow their nose, communicate with people working at all levels in the process(es) you operate and to challenge current thinking they can provide a real ‘fresh eyes’ look at what you do.

Of course they’ll need some training in your audit process and as they go they’ll make mistakes and tread on some toes but my bet is that you will get some real nuggets from their insight and fresh thinking about your way of working including how your system is portrayed in systems including documents. The individuals will gain a great deal, too. Having to challenge senior colleagues if poor practices or ineffective controls are found and then to have to report back to function managers is character forming.

Give it a go, particularly if your current internal audit programme is seen as a check box exercise and results generally fall into the ‘And? So what?’ category. This way of holding a mirror up to your organisation is bound to give you value way beyond what you expend.

ISO 9001:2015 one year on book is selling well

One year on the book I co wrote with Jan Gillett and Susannah Clarke of business improvement consultancy PMI continues to sell well – top of the searches on the UK Amazon site for ISO 9001 and sitting at Number 4 in books on Productivity. If you’ve bought a copy please let me know what you think and if you haven’t yet looked at the preview on Amazon, please do!

The next edition of ISO 9001

You may have heard of it as ISO 9001:2015 but nobody knows when the next edition of ISO 9001 will be published. As with many things to do with the standards development process the publication date will depend on multiple factors, most of them invisible to the user  – you and I. Too much and, amazingly at the same time, too little has been said about the high level structure (HLS). Trawling around the bulletin boards and discussion groups you will have seen outraged expressions about the use of the word ‘risk’ in the committee draft (CD) and at the same time little debate about the sense in using an undemocratic / un ISO like process involving ISO’s TMB to come up with the HLS.

For me Risk is a no-brainier for anyone involved in quality. It is our raison d’être and has its roots in the evolution of quality control and quality assurance. I wrote a piece for the CQI’s Body of Quality Knowledge – here.

The HLS is another matter. National Standards Bodies were given a yes / no  vote without having seen it used in anger and the process to update the HLS is vague, to say the least.

As TC 176 goes about it’s business and the output leaks out I have to ask myself whether the output will be fit for purpose – or whatever your definition of quality is! 🙂

Quality blog

Welcome to the homepage of s2a2s. The purpose of this site is to provide free resources for those interested in quality, management systems and conformity assessment.

Quality has been evolving for as long as people have been on this earth and, to quote Isaac Newton a famous exponent of quality control, as quality professionals we are all ‘standing on the shoulders of giants’.
So 5 ½ millennia after some of the first examples of quality control how far have we really come? Almost on a daily basis our news is taken up with examples of poor quality. From recall of physical products including contaminated food, unsafe cars, spontaneously combusting TV sets and medical devices that are more likely to kill you than prolong your life to the brave new world of the service economy the same tell tale signs are there that we have failed to learn these same lessons and apply them.
From missold endowments in the 1980s to the latest announcements of banks being fined million for providing ‘inappropriate’ advice to the elderly and vulnerable control of the quality of financial services remains poor.
Our finance sector is largely charged with being responsible for the current recession, the worst crisis since the Great Depression as banks sought turnover and market share without considering the risk of lending money to people who did not have the ability to pay it back. The fallout from the initial collapse in 2008 is still with us and will, by all accounts, take another decade to resolve.
S2A2S are not here to provide easy solutions to complex problems. This ‘crash diet’ approach to quality does not work. Only re-education and a sustained quality programme will provide the results (or weight loss) that will last.
We will work with you protecting the principles of quality management and ensure managers don’t cherry pick the easy bits to do by convincing them that true change in quality performance is only achieved by hard work and sticking to the task.
We have to be able to see products and services with customer’s eyes and translate those into internal requirements for our organizations to meet. We then have to stubbornly champion these requirements and ensure they are consistently met throughout the functions. There is no hiding place. Control of quality is essential for sustainable success. We need to ensure that our organizations consistently deliver the products and services our customers pay for recognizing that we will be constantly under pressure for efficiency.
If you want to know more please feel free to contact Paul at