The deadline for ISO 9001:2015 compliance is rapidly approaching. Organizations cannot afford to waste time with redundancy or inefficient full-system gap analyses. This blog provides a model you can use as a "How To" guide to quickly transition to ISO 9001:2015. The key to transitioning efficiently is having senior leaders, process owners, and internal auditors working concurrently as shown in Figure 1.
In this model, senior leaders have four discrete steps. Once the first is complete, the process owners and internal auditors can begin their activities. Although the activities are happening simultaneously in the model, for the purpose of this article, the activities will be described sequentially, starting with senior leadership’s four steps, then the activities of the process owners, and lastly the mini-gap analyses performed by internal auditors. These activities are typically facilitated by the role previous versions of ISO 9001 referred to as “management representative.”
Senior Leaders' Four Discrete Steps
Senior leaders need to define the organization's context, set objectives, understand (and use!) the organization's process for risk mitigation, and be able to provide objective evidence of their commitment.
Senior leaders need to scan their environment and define the "issues" that impact the organization. External issues may come from legal, technological, competitive, market, or economic environmental factors. Internal issues may come from the values and culture of the organization. Leadership needs to list those issues relevant to its business (potentially in the quality manual). For each issue identified by leadership, related information to track and review must be determined. The purpose of defining an organization’s issues and monitoring information related to them is to avoid surprises as the environment changes. Whatever information is tracked will be shared during management review (clause 9.3.2(b)) and relevant records retained.
Senior leaders need to determine who the organization's "interested parties" are. The list may include customers, end-users, suppliers, employees, owners, and/or regulatory bodies. Each interested party has its own needs and the organization must determine what those needs are (potentially by asking). Again, the organization must track and review information applicable to interested parties and their needs.
Although the scope of the system may not have changed, this is a good time to review and edit the scope statement, as necessary. Clarify the boundaries. Are there any requirements in ISO 9001 that are not applicable to the organization? If so, explain why.
How do key processes within the quality management system work together? Document the processes in a way that shows their sequence and interaction (clause 4.4.1(b)), such as a flowchart or business process map. Keep this diagram of the organization's quality management system at a high level. Avoid details. Maintain this diagram in the quality manual.
Once this first step is complete, all three groups begin working concurrently (see Figure 1).
A management system is a set of interrelated processes designed to achieve some objective(s). To know whether the system is effective, leadership determines what data to track, measure, and analyze. ISO 9001 requires results related to:
- product (or service) conformity,
- customer satisfaction,
- the effectiveness of the system,
- planning and whether it has been effectively implemented,
- the effectiveness of risk-mitigation activities,
- the performance of suppliers and subcontractors, and
- any need for improvements to the system.
This is the information leaders should keep in mind when reviewing or revising organizational objectives. The activities of the QMS will be working toward achieving the objectives, so they must be the organization's true objectives. Otherwise, the organization is inadvertently allocating resources to achieve goals that are not mission-critical.
"Risk-based thinking" is a new term in ISO 9001. The actual term is found in clause 5.1.1(d); it states that top management shall promote risk-based thinking.
But the primary clause that addresses risk is clause 6.1. For those risks identified that need action, the organization must assign, take, and evaluate action. The core steps in a risk-mitigation process are shown in Figure 2. Actions taken to address risk must be summarized for management review (clause 9.3.2(e)).
The last step for senior leadership is to ensure they meet the leadership requirements of ISO 9001. First, verify the quality policy: Is it appropriate for the organization's purpose and context? Does it support the organization's strategy and objectives? Does it show commitment to meeting requirements and continual improvement? Is it communicated? Senior leaders must update and communicate, as necessary.
Organizational roles, responsibilities, and authorities must also be reviewed. Again, if changes are necessary, those should be addressed by senior leadership.
Top management must demonstrate their commitment to the quality management system. Can the senior leaders answer "how" they demonstrate leadership as required by clause 5.1.1? For example,
- How do senior leaders ensure the integration of QMS requirements into the business?
- How do they promote the use of a process-based approach?
- How do they ensure the QMS achieves its intended results?
If the senior leadership team was involved in all the steps presented in this model, then it is unlikely they will struggle with demonstrating commitment. Alignment of the QMS with the business is often established when senior leaders create and communicate the organizational objectives.
Process Owners Define Processes With A Task Force
UNDERSTAND YOUR PROCESSES (Clause 4.4.1a, c, d, e, f, g, h) – Note that in this model clause 4.4.1(b) is addressed by leadership.
For a typical quality management system, key processes will include purchasing, designing, manufacturing, inspecting, etc. The “process owner” is the individual who has the greatest day-to-day authority for managing the process. For each key process, the process owner (or a facilitator) assembles a task force, consisting of those who do and supervise the process, internal customers and suppliers, and one person who lacks familiarity with the process. [Why include someone unfamiliar with the process at hand? They don’t share the same set of assumptions as the others and tend to ask the questions that often lead to breakthrough improvements.] The team (reference clause 4.4.1):
a) determines the expected inputs and outputs of the process;
c) determines or clarifies the criteria and methods used;
d) determines and provides the required resources;
e) assigns responsibilities and authorities within the process;
f) defines related risks and opportunities;
g) determines how the process is evaluated to ensure the process is meeting its intended results; and
h) determines how the process is improved.
These aspects of the organization’s key processes should be documented in a table (where each row is a process and each column represents one of the aspects listed above) or something like a turtle diagram (you may find turtles don’t have enough legs to capture each element of the process). Another option is the beetle diagram shown in Figure 3.
Internal Auditors Verify Compliance
For the purposes of a gap analysis, internal auditors should be using checklist-style or compliance audits to find gaps between existing processes and the new requirements. Because several clauses will already be addressed by senior leaders (clauses 4, 5, 6.1, 6.2, and 9.1), there is no need to perform a gap analysis against those clauses.
Any gaps identified can be addressed using the organization’s corrective action process. Clauses 9.2 and 10.2 (internal audits and corrective action) should be audited first because if you are going to use the internal audit and corrective action cycle to transition, you will want to ensure they are effective and compliant processes. Other clauses can be grouped and scheduled in most any order. For a table that shows a recommended grouping and prioritization of audits along with helpful tips, I am happy to send a copy.
By having senior leaders, process owners, and internal auditors working concurrently toward transitioning to ISO 9001:2015, the organization will instill ownership in key players while avoiding an unnecessary full-system gap analysis.