ISO 9001:2015 – risk and opportunities

Below is an article I added to CQI’s blog in November 2015.

In the third instalment of our guest blog series in collaboration with PMI, Paul Simpson asserts that, just as there are risks and opportunities that we respond to in daily organisational life, quality professionals should focus on the opportunities for improvement presented in ISO 9001:2015.

One of the big new ideas in the 2015 edition of ISO 9001 is ‘Risk Based Thinking’ and if you are to believe the ‘Twitterati’ the concept is akin to the subject of Edvard Munch’s painting ‘The Scream’ as the quality management landscape turns vibrant orange behind them.

But before the hysteria needle hits ‘11’ let’s think back to the real world outside the quality manual.

Everyone involved in running an organisation looks at risk and opportunity – they are two sides of a coin. When an entrepreneur starts their business, risk and opportunity are always front and centre in their mind.

Wherever they have come from, they have identified an opening to start a business, make a living and grow it to the point where it gives them an income with the opportunity of a pot of gold for their retirement. This future is, however, not certain. There will be difficulties along the way and these risks, left unmanaged, could lead to a loss of income and, ultimately, to their business failing.

The entrepreneur recognises these risks come in many forms and many are related to quality:
• Do I have the right products and services for my target customers?
• Can I control production and service delivery to consistently meet those customer needs?
• Can my suppliers keep up with my demands and maintain the quality levels I need?

If I can manage those risks at that level then the business will succeed and I can grasp all the opportunities, including that elusive pot of gold.

Moving forward in time as the business continues to thrive and grow, our entrepreneur has moved upstairs to the boardroom as CEO and has managers and teams dealing with day-to-day business while they buy in high-priced consultants to lead some ‘blue sky’ strategy sessions. Strategic risks haven’t really changed – an incorrect strategy still has the capability to bring down our grown-up start-up.

Tactically the business can cope more easily with risk as it has multiple customers buying a range of products. On the downside, tactical errors can lead to an erosion of hard-earned brand reputation as all our customers inhabit the same system and talk to one another – see the earlier blog on organisational context, Context is King.

Moving out of the boardroom along to the shop floor and offices where ‘business as usual’ happens, ‘risk’ looks a little different but it is just as important it is recognised and managed.

With every order comes a risk that the organisation will misunderstand its customers’ needs so, at this process level, there have to be checks and balances. Individuals, working with their CEO’s delegated authority, accept orders and enter into contracts, including the inherent risks that a legal contract carries.

At the same time on the shop floor, all employees are involved in managing risk. Some develop specifications and standards (perhaps in a separate design office), some manufacture products or deliver services that they believe meet those standards.

Throughout the process managing risks leads to delivered products and services meeting specification, satisfying customer needs and customers paying their bills, thereby allowing the organisation to realise the sales opportunity and contributing to our entrepreneur’s vision of a pot of gold.

If the above risks and opportunities are present in daily organisational life, why do we have concerns for the quality professional’s ability to inhabit this space? Why do we have concerns over what our certification body auditors are going to ‘do to us’?

The revised clauses of ISO 9001 create an opportunity for us to revisit and realign our processes to ensure our systems deliver what our customers and stakeholders want. There are, of course, risks with changes to the standard, but perhaps we can focus on the opportunities presented and maximise them instead.

ISO 9001:2015 Context is King

Below is an article I added to CQI’s blog in October 2015.

In the second instalment of our guest blog series in collaboration with PMI, Paul Simpson uses the example of a corner shop to set the challenge to larger organisations aiming to understand the importance of ‘context’ in ISO 9001:2015.

The 5th edition of ISO 9001 contains significant requirements for organisations to assess and take actions on information in their working environment.

In a small number of words the standard creates huge responsibilities for the organisation’s leaders and the only effective way to demonstrate those requirements are met is to look at the organisation as a system and understand the processes that interact with others in the operating environment.

So, what does that mean in practice?

Thinking of my local corner shop to test out a concept

I live in a village where my local shop owner has a very good idea as to who her customers are and their buying patterns. She knows her regulars and those who pop in once a month for a pint of milk late on Sunday. Each time a customer purchases something it is scanned and goes through the till and she gets sales reports as often as she wants. Her staff make a note when someone asks for something not in stock and, periodically, she sits down and decides whether the current stock holding needs to change.

She has supplier reps and multiple mail shots from suppliers to give options and alternative products to stock. Her stock deliveries take place twice a week and an emergency delivery can be called up if needed. She knows her regular sales team, their strengths and weaknesses and sickness patterns and meets each of them daily and talks about what is happening currently and what she plans to do.

In the village the Parish Council is fairly active and occasionally she meets one of the councillors and they talk about village traffic, problems with parking and litter. All in all the relationship is amicable. In surrounding villages there are similar shops and recently one of the majors opened an Express outlet.

In all of the above there are risks and opportunities that can affect the sustainability of her business so she has a plan that attempts to deal with the risks and maximise the opportunities. The plan is in her head and is occasionally discussed with her husband and some ideas are tested with selected customers. The plan adapts in the light of changes to the operating environment of the store.

In the spirit of ISO 9001:2015

So, in my example, we have a system (corner shop) operating in a range of wider systems (village, local area, grocery supply network). The shop is part of a range of processes that take food from farm to fork and news from event to the reader. Each process is operating in real time and competes for time from members of staff and space in the owner’s head in terms of developing plans and strategies.

I’ll put my neck on the line here and state that not only is my local shop owner doing a good job of running her business but her practices are in line with the Deming Cycle and meet the spirit and letter of the requirements in ISO 9001:2015.

For larger organisations context assessment is a much more complicated process, part of strategic management but, if done well, requires no further effort to comply with ISO 9001:2015.

If, however, you haven’t done this piece of work effectively, not only are you in serious danger of failing to meet your system objectives of being a sustainable, profitable business but you cannot hang your 2015 certificate on the wall in reception with a clear conscience.

Lessons learned

I know this qualifies as a moan and therefore apologize in advance. The reason this is topical is we are seeing business leaders and politicians on television in their droves talking about making sure they ‘learn the lessons’ from a recent disaster.

Whether it is election results, BA’s Bank Holiday disaster recovery fail, WannaCry rife in our NHS or the latest tragedy of Grenfell tower the mantra is always the same: ‘we will take some time to investigate how xxx occurred and we will learn the lessons to make sure it never happens again.’

Fast forward to the next surprise election result, passenger travel meltdown, cyber attack or tower block fire and a different Prime Minister, CEO or member of cabinet will be rolled in front of the camera and, without irony, repeat the ‘learn the lessons’ mantra.

At what point will those responsible take the results of the investigation, look at the lessons to be learnt and actually apply those lessons to prevent recurrence?

50% time elapsed – does that equal 50% complete?

Generic transition plan

15 March 2017 has been and gone; it marked the halfway point for transition to certification to the latest edition of ISO 9001. If the project plan to have all certified organisations transition to the 2015 edition by 15th September 2018 is half complete, then where are we compared with the Gantt chart or resource plan?

Aside from the early adopters who went for ‘First to be certified’ on the very same day the standard was published, there appears to be a huge bow wave building up in front of the 3rd party certification tanker. Do all those responsible for managing the transition project in their organisation have a plan? Have they updated their personal competence to cover the significant changes that the 2015 edition brings? Do they have buy-in from all those ‘top management’ who 9001 calls upon to demonstrate leadership and commitment? If the answer to any one of these questions is ‘no’ then there is a serious risk they will not be in the club of 1 million plus holding a certificate on the 16th September 2018.

As with all resource constrained systems the problem will become: ‘How to deliver transition audits in the 6 month period leading up to September 15th 2018 for those late adopters?’

At s2a2s our recommendation is in two parts: get started on making any changes needed to your systems to demonstrate compliance with the new requirements; and engage with your current CB (certification body), start to work on a programme of visits to cover transition and book those assessment dates in the diary.


Change in the railway

Complex systems have inherent risk

Whichever one we think about – weather, eco-systems, financial markets or railways – each has hazards and risks that we are unable to control fully due to the number of factors involved and volume of activities that occur daily.

Changes to complex, man-made systems are managed to prevent catastrophic failures through formal and informal rules – and are captured in legislation and industry codes of practice. The UK rail industry has a long history of legislation and standards to control both railway operation and change management. Performance trends over recent years indicate a dramatic improvement in passenger safety. Indeed UK rail remains among the safest means of transport in Europe both in absolute terms and per kilometre travelled, according to the Office of Rail Regulation (ORR) and Eurostat data.

Sit up and take notice

So, how is ‘change’ changing? With evidence of improving performance, when the ORR announces changes to risk management across the UK rail system, it is time to listen. Since 2006 the Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS) have required dutyholders, including infrastructure managers such as Network Rail and railway undertakings such as train or freight operating companies, to develop and maintain safety management systems. These systems include controlled change management of rail operations and infrastructure, and ROGS requires competent, independent persons to verify safety before a change is placed into service. From 2013 ROGS amendments required dutyholders to apply a risk-based approach to assessing the significance of technical (structural assets such as buildings, track, signalling, vehicles) and operational (timetable, staffing, ways of working) changes in accordance with their safety management system. The amendments allowed dutyholders to apply significance testing to determine the level of scrutiny required. When dutyholders want to make a change they assess significance based on six criteria:

  • Failure consequence: realistically what could go wrong taking into account existing controls?

  • Novelty: how new is the proposed change for both the industry and the company?

  • Complexity of the change: how many sub-systems and groups are involved in the change?

  • Monitoring: how easy will it be to monitor the effect of the change throughout the asset lifecycle (including maintenance)?

  • Reversibility: how easy is it to revert to previous systems?

  • Additionality: how could this change interact with other recent (and not so recent) changes to the asset and operations involved?

A different track

A change to a piece of track, for example, is rarely assessable on its own. The impact includes the track itself, perhaps buildings and civil structures along the line, signalling and train operations (speed and volume), passenger volumes and traffic at stations nearby. All of this falls under risk assessment and evaluation.

Similarly, operational changes involving significant variations in staffing or ways of working might affect safety. Historically the railways have relied on large numbers of standards mandating prescriptive working methods, but they are moving towards a risk-based system. This in turn relies on trained and competent staff making judgements on safety, based on key principles. This represents a significant safety-related change and should be assessed using the common safety method (CSM). Where the proposer determines the change is significant, they have to manage it through one or more of three risk management methods:

  • a code (or codes) of practice

  • comparison with similar (reference) systems

  • explicit risk estimation.

In each case they must use an independent assessment body (AB) for whichever risk management method is used to evaluate their change management. They must also provide ‘an independent assessment of the correct application of the risk management process’ and a safety assessment report as evidence.

The AB role is a new requirement under ROGS and the underpinning EU Directive. The proposer must decide whether to accept the change as safe for entry into service “based on the safety assessment report provided by the assessment body”. The regulations require several pieces of evidence:

  • Change description – including the system it relates to. Used as the basis for significance testing, the results of which are also recorded.

  • System definition – key information describing the system being changed.

  • Hazards identified associated with the change and evaluation and assessment of their risk.

  • Risk control measures to be applied for each risk using one or more of the three management methods above.

  • A system hazard record maintained along with the system definition as the project progresses.

  • Evidence that risk management has been applied throughout the change project.

  • For significant risks, the AB report.

The proposer retains responsibility for system safety and decides whether the system change is safe to enter service based on the report.

Legal separation

Change proposers may use any support they require to manage change and ensure risks are kept in check. The railways use consultants to advise and independently assess compliance, but the new AB role requires independence from the parties involved with the change. The United Kingdom Accreditation Service (UKAS) programme for accreditation of ABs assesses legal separation, impartiality and independence. The initial pilot was open to accredited railway notified and designated bodies and was then extended to others. The accreditation regime for ABs came into force in May 2015, when the last of the 2013 ROGS amendments came into force, and the ORR maintains a watching brief to ensure accreditation is effective and change management remains controlled. In the meantime, dutyholders are expected to use existing safety management systems to verify the safety of changes to vehicles and infrastructure.

Industry bodies such as ORR and the Rail Safety and Standards Board have produced guidance on implementing new requirements, and conformity assessment bodies are working with new and existing clients to explain the new requirements. The overarching aim for managing change in the complex UK railway system is for “a better railway for a better Britain” and “everyone home safe, every day”.

This article is adapted from ‘Managing Change’ – published in the November 2014 edition of IIRSM’s Insight magazine.


Fallacy of human error

This article was published today on Bywater’s site

As professionals with responsibility for developing management systems and for auditing them we often come across instances where the service delivered isn’t what it should have been or we have problems with product quality. As good professionals we investigate and identify root cause as ‘human error’. How real is this and how can we deal with these errors and stop them from hurting us?

Firstly, it is too easy to come up with human error as a root cause for failure – so much so that some customer industries including automotive will not accept it as being a final cause for a supplier failure, the logic being: people only make mistakes because they are allowed to!

To understand real root cause you need to understand the nature of errors – often impossible in the heat of a customer complaint. People do make mistakes – rarely will you find an example of someone deliberately delivering a poor product or service – but there is normally a good reason why a mistake was made. An individual may be distracted or under pressure to keep up with delivery schedules. Process documents may be unclear or authority levels not sufficiently defined.

Resolving these issues needs further investigation, and to do this you will have to have the confidence of the people involved. The area is huge and is a minefield. As with all complex systems, to be able to understand how errors occur you need to look at a range of different aspects:

  • Leadership – how do your organisation’s leaders exemplify desired behaviours and the importance of satisfying customer requirements so people understand what is required of them?

  • Communications – how do you communicate organisation expectations, including customer requirements; how well do you listen to what employees are telling you about their jobs?

  • Competence – how do individuals within your system demonstrate they have the skills and knowledge required to do the job?

  • Empowerment – how are people authorized to develop and manage areas of their work?

  • Recognition – how are people’s efforts appreciated and good practice rewarded?

If you are able to answer the above questions satisfactorily then you will be a long way towards establishing a quality culture that seeks out and eliminates root causes currently undiscovered and assigned to human error. There is guidance available from ISO TC 176 on the people aspects of management systems, a vital and often neglected area, in the form of ISO 10015 and ISO 10018, and both are being revised as we speak. There are some great examples around of earlier work, including quality circles and the more recent self-directed work teams at the heart of Lean manufacturing and service.

W. Edwards Deming said that 85% of all quality problems are management problems – if you accept this then you are part way to accepting there is no such thing as human error.

Fail to control design = designed to fail?

I recently had a very specific query about the design process and effectiveness measures for Management Review in a Medical Devices environment.

The question was specifically about demonstrating that the outputs of the design process match the inputs, and whether this was acceptable to present to the Top Management team. The question was also about ISO 13485, the quality management standard for Medical Device Manufacturers, but for this article I have broadened the field to cover any organisation looking to implement effective design control measures, and many of the points made read across to other sectors. In this article clause references are aligned with ISO 9001:2015 instead of ISO 13485, but again the principles apply wherever you use design control and can be applied to any core process.

Generally design control is one of the least understood areas of how organisations go about providing products and services to market. Design plays the fundamental role in determining how well products and services operate and whether they deliver customer satisfaction, both at the point of delivery and throughout their useful life. You only have to follow media stories for product recall and regulator intervention to see that product designers in the automotive, aerospace, consumer goods and other areas as well as service designers, particularly in the financial services sector, have ‘designed in’ risk and failure leading to huge liabilities for their organisations. Individuals involved did not create these liabilities deliberately but didn’t have effective controls implemented for their work.

So, to be able to report on effectiveness to the top team, first you have to be clear what the design process is and what it gives your organisation, all covered in clause 4.4 of the standard, with further detail in clause 8.3. By looking at the design process and identifying criteria and methods needed for effective operation (4.4.1 c) you should be able to identify critical success factors (CSF) for design – generally covering three areas of Quality, Cost, Delivery (QCD), as for any project management activity – but more of this later. You can do this as a quality specialist ‘looking in’ but it is far more effective if you work with those involved in designing products or services and gain their views of what ‘good’ design control looks like.

These CSF requirements are used by your organisation to monitor, measure and analyse the design process (9.1.1) and should help you to establish objectives (6.2.1) and design process measures to demonstrate the process is working effectively.

The original question suggested using the matching of design outputs to design input requirements, covered in clause 8.3.5 – a good starting point but what you actually report at a management review might need careful consideration.

Generally design effectiveness is measured by how well the product meets requirements – covered in clause 8.3.5 of ISO 9001 – the ‘Q’ part of QCD.

Internal (design process) measures:

  • design review results

  • results of component and prototype testing (verification activities)

  • field (including clinical) trials (validation output)

Internal (company) measures, but after design – manufacturing:

  • right first time measures – how easy is it to make the product / deliver the service

  • scrap and rework at new product / new service introduction – a measure of how robust the new design is

External to the company:

  • warranty

  • complaints

  • field data on product effectiveness (clinical use)

Design process efficiency could be reported by:

  • achievement of budget (the ‘C’ part)

  • on time delivery of new products to market against the original timing plan (the ‘D’)

Altogether these measures would demonstrate how well the design process is working.

As for presenting this to the management review (the initial question): with the best will in the world, top management (as required by ISO 9001) have limited time to spend on reviewing subjects like quality (not seen by them as “sexy”). Somehow you need to produce an edited-highlights version of the design measures that will hold their attention; a dashboard using a traffic-light system, but with the ability to drill down into the detail, should help, and if you can assign pound notes to any of the measures that should help even more!

Management Review – it’s all in the name

I was in a discussion with a very earnest young man a while back and one of the topics we covered was Management Review as part of the ISO 9001 quality management system he had responsibility for. Let’s just say the conversation was a little heated in places, and that led me to write an article for the Chartered Quality Institute’s Quality World magazine, published in 2011. I’ve been following a couple of threads on social media and was discussing terms with fellow standards developers, and thought it might be interesting to revisit the subject.

My earnest friend was of the opinion that Management Review was something new and special – perhaps invented by those wise people in ISO – when it is in fact merely a term for planning – an activity that responsible businesses have been doing for years. Now I understand the need for standard terms and for ISO to define these terms so that users of these standards have a common understanding. But here’s the rub – it is not the place for standard users and in particular quality professionals to continue to use these terms in their daily life. The more we use terms like Management Review, Management Representative and, my personal favourite, Product Realization in both work conversations and management systems documents the further we take these systems away from the people that matter – the users. So once we understand the term we need to go back to our organisation and understand what process(es) we have in place that already satisfy the requirements.

You would expect the board to discuss the effectiveness of the organisation’s management system in ensuring it delivers products and services that meet customer requirements. Customer feedback, internal quality measures and the status of improvement plans and programmes would be topics of interest to any managing director. All well and good so far – these topics should also address the requirements of ISO 9001:2015 clause 9.3.2. But, rather than get a regular slot on the board agenda where the responsible manager reports to the board, the poor old quality manager generally calls a one-off meeting called a ‘Management Review’ with a cut-and-paste agenda of the standard. The agenda is slavishly followed until the board is bored into submission and everyone can breathe a sigh of relief, go back to the ‘real’ job and drop quality until next year. Worse still, the board avoids the meeting as a waste of time – sometimes to the extent that records of reviews are fabricated for meetings that either didn’t take place or where necessary participants couldn’t spare the time. I’ve lost count of the number of wry smiles seen when I float this seemingly ridiculous notion. It is easy to criticize top management commitment in these situations, but the responsibility for making the review relevant to busy senior managers is ours. In a previous role as the new quality manager I presented the plan for management review to the board of my ISO 9001 certified company and was faced not with hostility but with blank looks. It took a full eight months of one-to-one discussions and translation of ISO terms into activities and measures they were familiar with before we completed our agenda, but I am confident the outcome was much more relevant.

The real challenge for the quality professional is to keep it real and get quality up the agenda so that quality performance is seen to be a leading indicator for financial performance. Recent changes to ISO 9001 give us a real opportunity with the requirements for organization leaders to get involved in establishing meaningful objectives and for process measures to be part of regular quality monitoring – right up to board level. Until those objectives and measures are meaningful and can be seen to be the main route to a sustainable business then we are condemned to a check box approach to review.

Is your internal auditor role a dead end job?

This article was published on the 13th February on Bywater’s site

With this article I’m hoping to prompt discussion about the auditor pool we select from, particularly internal auditors. This started after a comment from a 3rd party certification body where I was told their issue was succession planning and how to deal with an auditor pool where the majority of individuals were well past ‘normal’ retirement age. Now, as a ‘seasoned’ quality professional, I’m all for opportunity at the end of my career and there is great logic in having a good selection of experienced people in your ranks but, as in all things, there has to be balance.

Mirroring the suite of Management System Standards coming out of ISO’s technical committees, there seem to be endless ISO/IEC 17021-xx documents describing 3rd party certification auditor competence and, in the brave new world of demonstrated ability, these documents don’t define auditor competence by a minimum length of stay in a particular technical sector. As a colleague described it: 20 years’ experience on a CV can be demonstrated progression in a chosen field or one year’s experience repeated 20 times. Nevertheless it takes time to understand sector context, industry tools and techniques, the jargon used and the regulatory requirements that apply, all things covered in the latest draft of ISO 19011 and ISO/IEC 17021-3, and hence you need some mileage on the clock to pick them up.

What about internal auditors, do the same rules apply? I say no. Auditors should be selected based on personal capability and behaviours, in particular intelligence and curiosity. If you are lucky enough to be able to afford one, look no further than your graduate programme. These are the best of the new intake to the organisation, proven to have enthusiasm, perhaps tested on assessment days and identified as the ‘best of the best’.

When graduates join you on day 1 they are all desperate to get under the bonnet of your organisation and understand how it works. As an early part of their graduate scheme get them auditing your management system. They bring with them latest thinking and technologies in their field and an inquisitive nature. With the licence to follow their nose, communicate with people working at all levels in the process(es) you operate and to challenge current thinking they can provide a real ‘fresh eyes’ look at what you do.

Of course they’ll need some training in your audit process and, as they go, they’ll make mistakes and tread on some toes, but my bet is that you will get some real nuggets from their insight and fresh thinking about your way of working, including how your system is portrayed in its documents. The individuals will gain a great deal, too. Having to challenge senior colleagues if poor practices or ineffective controls are found, and then to have to report back to function managers, is character forming.

Give it a go, particularly if your current internal audit programme is seen as a check box exercise and results generally fall into the ‘And? So what?’ category. This way of holding a mirror up to your organisation is bound to give you value way beyond what you expend.

New role for TC 176

19th May update

The first significant piece of work for my new role was to attend the ISO CASCO plenary meeting in Vancouver, Canada from the 24 – 28 April 2017.

The main meetings I attended were:

At this stage there isn’t much news on how the role will contribute to effective third party certification of quality management systems, this will develop over time. What is apparent to me is there are lots of good people working hard to improve standards, processes and the system as a whole.

There is, however, a lot of misunderstanding of what good certification to ISO 9001 looks like and the best way of getting there.

With that little teaser I’ll leave you. 🙂

Original announcement

As announced earlier on LinkedIn, I’m delighted to announce that, following a resolution at TC 176’s closing plenary in Rotterdam at the beginning of this month, I have been appointed as TC 176’s liaison with ISO/CASCO to support improved assessment and certification to ISO 9001 by 3rd party certification bodies.

Lots of fascinating work ahead, I feel. Please feel free to register and comment.