The ISO 9001 requirements pertaining to preventive action would get a lot more attention if people grasped the very simple fact that this is all about managing risk—which is really about managing the consequences of change. Whenever we change something, even for the better, there are consequences—ripples across the waters through which we navigate our quality management systems. Failure to anticipate the consequences of those changes is how we end up with bad things happening. Like the hapless rafter who is surprised by the rapids, our craft is buffeted and tossed. We get banged against partially hidden rocks, we lose our bearings, our provisions get lost in the swirl, and sometimes our vessel capsizes and we’re left adrift, at peril of going under.
Let’s briefly go back to ISO 9001, the standard for quality management system requirements from the International Organization for Standardization (ISO) and investigate the misconceptions surrounding this process. This ISO standard, along with regulatory requirements like the Food and Drug Administration’s (FDA) 21 CFR Part 820, has perpetuated the notion that preventive action follows corrective action. They’ve done this (perhaps unwittingly) by locating the two requirements adjacent to one another in their respective documents. In fact, in both documents, cited preventive action is situated after corrective action in the text, further compounding the misconception. In actuality, these two processes are only related to the extent that each utilizes some of the same investigative and project management tools for implementation. Any other similarity is not only wrong, it is also counterproductive. It diminishes the effectiveness of both processes by confusing the users.
Preventive action is about risk. It is not a sequel to corrective action. It comes first. The better job organizations do when conducting preventive actions, the fewer corrective actions they will have to deal with. We manage the consequences of change in order to mitigate risk.
ISO 9001 talks about addressing potential problems and their causes. It has language about determining potential problems and their probable causes, evaluating the need for action, implementing the action and reviewing actions taken to assess effectiveness. This is all swell, except it still leaves a lot of folks confused about where the potential problems and their causes are coming from.
Where are the data that feed this beast? Do we just meander willy-nilly through our processes looking for problems? It begins to border on paranoia.
How then can we bring sanity to this requirement? And, bear in mind, this is a requirement; it is not optional.
One of the first places to look for help is in ISO 9004—“Managing for the sustained success of an organization—A quality management approach.” Its subclause 9.3.5—“Planning innovation and managing risk,” states: “The organization should assess the risks related to planned innovation activities, including giving consideration to the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary.” It clearly makes the links between change, risk, and preventive action. Other references to preventive actions are scattered throughout the document. But there is one other section that does an even better job of providing helpful guidance, even though it doesn’t specifically mention preventive action.
ISO 9004 subclause 4.4—“Interested parties,” discusses meeting the needs and expectations of interested parties. The text illuminates the value of monitoring interested parties due to the impact they can have on the organization. Interested parties include: customers, owners/shareholders, people in the organization, suppliers and partners, and society.
ISO 9004 notes the fact that different interested parties may have concerns and expectations that conflict. For example, the modern consumer may pine for the days of large-finned, gas-guzzling automotive behemoths. But the environment will no longer tolerate millions of carbon monoxide-belching vehicles. Balancing the needs and expectations of both parties means assessing the risks inherent in whatever action is taken and proceeding accordingly. The organization must then assess the situation and determine how best to address the needs and expectations in a balanced manner. Failure to adequately address the needs and expectation will inevitably result in some unpleasant consequence: loss of market share or government penalty.
The other thing to consider is that the needs and expectations may change over time. Risk is inherent whenever change is not managed. This results in an inability to mitigate problems that may ensue due to lack of vigilance—or simple wishful thinking.
ISO 9004 provides still more guidance that can be used to anticipate risk. In ISO 9004 section 6—“Resource management,” there is discussion of managing a variety of different resources such as suppliers, infrastructure, money, raw materials, and people. Risk accompanies any change to the quantity, quality, availability or cost of resources. Therefore, monitoring your resources is another opportunity to mitigate risk.
The language in ISO 9004 provides a significantly more concrete and useful guidance when it comes to initiating preventive action. It repeatedly talks about change and its consequences. So, if an organization wishes to implement effective and valuable preventive actions within its ISO 9001 quality management system, it should consider the wisdom found in ISO 9004.