Denise Robitaille


ISO 9001:2015—Things You Can Do Now

Focus on context, risk, and objectives

Published: Monday, February 9, 2015 - 13:31

ISO 9001 continues to wend its way through the revision process, and as it does so there have been lots of discussions and prognostications over the impending changes. All the wringing of hands and ongoing debate will not hurry the process or change the outcome.

The standard is still on track to be issued before the end of 2015. In the meantime, it’s a bad idea to jump the gun and start making changes in anticipation of the standard—that is, in most instances.

Organizations should be wary of the changes in the standard that suggest that requirements, for example, for the quality manual and documented procedures are going away. That may indeed be the case, but any action on this and several other changes would be premature and might end up causing additional work and unnecessary confusion.

That having been said, there are a few things that you can do without waiting for the standard to be released. I’m going to discuss three changes that you can take action on now that will yield benefits, regardless of the ultimate language in ISO 9001:2015. These changes will enhance your system and assist you with strategic planning, risk mitigation, and improvement of your critical organizational objectives. Implementation of these proposed sections of ISO 9001 will not diminish conformance to existing requirements or create undue burdens, even if the requirements don’t make it into the final draft.

The three enhancements relate to the context of the organization, the introduction of risk-based thinking, and elaboration of how you manage quality objectives. In actuality, none of these concepts are completely new.

The first change, relating to the context of the organization, was introduced in ISO 9004:2009. This standard, which in the past made up the other half of the “consistent pair” along with ISO 9001, has always been intended to help organizations increase the benefit they derive from their ISO 9001 quality management system (QMS). In fact, with the 2009 version, the title of ISO 9004 was changed to “Managing for the sustained success of an organization—A quality management approach.” In ISO 9004 this concept was referred to as the organization’s “environment.” Other than that, the thought process is pretty much the same.

The second change, relating to risk, creates requirements for that which was always implicit in ISO 9001. In the introduction (0.1, “General”) the standard discusses risks associated with an organization’s environment and with such things as varying needs, particular objectives, products, processes, size, and structure. Additionally, the essence of preventive action is all about risk avoidance and mitigation. As we will see, this is well aligned with the intent in ISO 9001:2015.

The last change is the addition of requirements relating to responsibility, taking action, monitoring, and revising objectives. Frankly, it lays out what most organizations should already be doing to ensure that objectives aren’t just minimally relevant abstractions documented for the sake of fulfilling ISO 9001 requirements.

Let’s take a closer look at each of these requirements.

Context of the organization

Clause 4 is titled “The Context of the Organization.” ISO 9000:2015—“Fundamentals and vocabulary,” which is the normative reference for definitions and terms in ISO 9001, defines “context of the organization” as “...combination of internal and external factors and conditions that can have an effect on an organization’s approach to its products, services, investments, and interested parties.” Subsequent subclauses go on to articulate the requirements that are relevant to clause 4.

Subclause 4.2 deals with understanding the needs and expectations of interested parties, which will be further discussed later. The last two subclauses, 4.3 and 4.4, are aligned with the 2008 version of ISO 9001. They deal with defining the scope of the QMS and establishing and implementing the process of the system. They follow subclauses 4.1 and 4.2 because understanding the internal and external factors and the needs of interested parties has direct relevance to the scope of the QMS and the manner in which it is implemented. Overall, clause 4 requires that an organization determine and understand the internal and external factors that affect its ability to achieve its intended results. How will your organization fulfill this requirement?

Understanding those factors that affect your organization is an imperative that has never been clearly expressed in ISO 9001, but is a concept that is foundational to strategic and tactical planning. How will you know what actions to take if you don’t have a comprehensive understanding of these internal and external factors? How will you best decide the most advantageous expenditure of resources to achieve results and mitigate risk? (Risk, as we will see, is another concept that requires greater consistency and vigilance.)

Do you know what factors define your organization’s opportunities and constraints? Although some of the categories of factors we consider may be generic (e.g., people, infrastructure, product offerings, and process capabilities), the specific factors may have unique significance in your organization. For example, the workforce may be a general category of internal factors. However, in your organization, you may have an aging staff of engineers and must therefore plan on how to eventually address the foreseeable gap that will open when they retire. Actions might include capturing some of their knowledge, which is consistent with new requirements relating to organizational knowledge. Alternatively, the action might involve outsourcing design processes rather than attempting to hire and train new engineers. As another option, the company could decide to initiate a mentoring intern partnership with a local technical school.

The point is that an organization should understand all these factors and the unique effect they may have on planned outcomes. It’s important to remember that these factors will change over time. Some new ones will be added while others will diminish in their ability to adversely affect planned results.

Other internal and external factors, depending on the organization, could include:
• Turnover of personnel
• Aging infrastructure
• Challenges of new technology
• New product introductions
• Availability of raw materials
• Changes in financial regulations
• Increase in the amount of work

This is a very short list. What ends up on your list is dependent on the size of the organization, your market, the people who work for you, the complexity of your processes, and various other factors that ultimately constitute the context of your organization.

What tools will you use to identify and monitor these factors? Will you make use of the management review so that action plans can be developed with resources allocated and responsibilities assigned? What kind of records will you keep? How often will these factors be monitored? You get to decide how this clause is applied so that it is both workable and beneficial.

A lot of this can be tied into existing monitoring and data analysis activities. The most obvious repository for records and evidence would probably be those coming out of management review. It is quite likely that implementation of these requirements will result in a more robust and beneficial management review process. An auditor should be able to assess these records to verify that appropriate consideration has been given to these factors, how they are monitored for changes over time, and what actions top management has taken in response.

The other subclause in clause 4 is “Understanding the needs and expectations of interested parties.” There’s some overlap with the previous subclause in that some external factors are directly related to interested parties. For example, availability of raw materials relates to suppliers, which is a category of interested parties.

Because ISO 9001 is focused on fulfilling customer requirements, it’s important to point out that this subclause does not require an organization to meet the needs of interested parties. Not only would that often be impractical, in some cases it also would be impossible because some interested parties have needs that are diametrically opposed. The other reason that the standard’s developers want to ensure that the focus is on the customer is that any additional requirements would be inconsistent with ISO 9001 and outside of its scope. So, the strategy here is to understand the relevant interested parties and determine what effects (positive or negative), if any, they have on your ability to meet your organizational goals. The identified effects constitute the potential risk.

How will you apply this requirement in a manner that creates value for your organization? Again, this relates directly to upcoming requirements concerning risk. Who are your relevant interested parties? Typical examples include customers, suppliers, environmental agencies, financial institutions, the local community, and, in some cases, even your competitors. The extent to which your organization fulfills the requirements of clause 4 will have direct relevance on its ability to meet subsequent requirements relating to risk, objectives, and planning.

Risk-based thinking

Clause 6.1 is titled “Actions to address risks and opportunities.” This is under the general heading of planning and segues directly from the earlier requirements dealing with understanding the context of the organization.

The requirements under this clause deal with risk-based thinking. It does not carry requirements for a formal risk management program, for such a requirement would be too onerous for smaller companies. Additionally, there is an existing risk management standard—ISO 31000. Incorporating risk management into ISO 9001 would exceed the scope of TC 176 (the technical committee that works on quality management systems standards) and would impinge on the turf of TC 262 (the technical committee with responsibility for risk management standards).

Now that we’ve said what this clause is not about, we can talk about the requirement and the intent. The requirement is to understand the risks and opportunities inherent in the internal and external factors previously mentioned and the relationship with relevant interested parties.

Essentially, this is an improvement over the existing requirements for preventive action. Whereas subclause 8.5.3 of ISO 9001:2008 talks in general terms about what you should do, ISO 9001:2015 addresses the sources of these risks and opportunities. This allows for greater relevance in generating preventive actions and provides opportunities to mitigate or avoid risks that could have dire consequences for an organization.

How will you apply this requirement? The data that come out of management review are a great resource. There are some existing tools like failure mode and effects analysis (FMEA) that lend themselves well to this requirement. Depending on your industry there are other tools at your disposal.

It’s important for you to decide what methods you will use to consistently address risk at critical junctures within your organization. One of the best things you can do is to begin to foster a culture of risk-based thinking—one in which people can recognize both constraints and advantages. Get them into the habit of considering both the positive and negative consequences of change. Implementing actions to prevent catastrophes often leads to significant improvements and cost savings. It can even result in innovation.

As mentioned earlier, FMEA and records of management review will be two great resources for auditors to use to assess the effectiveness of your implementation of these subclauses.

Quality objectives

The last improvement you can make is to heed the guidance found in subclause 6.2.2 relating to quality objectives. The existing version of ISO 9001 has requirements for determining, measuring, monitoring, and reviewing objectives, but it lacks guidance on what to do with objectives. It doesn’t create the rationale or provide direction that will make quality objectives actionable and meaningful. Quality objectives end up like dead fish flopping inside the pages of management review with no purpose—except to make an auditor happy.

With ISO 9001:2015, there are requirements relating to what you do about objectives. Example: You’re monitoring on-time delivery. The status quo is 85 percent, and you would like it to be 99 percent. Every quarter you look at the numbers. Yep, still 85 percent.

Going forward, you will be required to say what will be done, what resources you will need, who will be responsible, when the action taken will be complete, and how you will evaluate the results. It’s a great addition. Now there’s a formal plan to move that 85 percent, and putting that plan together will probably involve having a better understanding of internal and external factors, requirements of relevant interested parties, and risks and opportunities engendered in a plan to improve the metric.

Although there are no requirements that specifically require an objective to be improved, there are requirements that actions be taken based upon the results of the monitoring of objectives. Auditors shouldn’t look to verify that the numbers have changed. What they should look for is evidence of plans to address the issues with the intent of experiencing improvement.

All three of these enhancements to ISO 9001 are currently available to you. Implementing them will allow you to reap benefits and get a head start on the 2015 transition process. There is no downside to adopting these improved requirements.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”


About The Author

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.


US TAG isn't interested in consensus

Denise accidentally lets the truth slip out:

"All the wringing of hands and ongoing debate will not hurry the process or change the outcome."

In short, ISO 9001 users, there's nothing you can do, so shut up. Take your passive position and accept the inevitable. This, of course, is against every rule and law governing the development of international trade standards. It is against every ISO and ANSI mandate demanding that the TAG engage with users, listen to them, and adopt consensus-based positions. It's also a violation of WTO regulations, which is eventually going to bite ISO and ANSI back. Then pieces like this will point out those responsible for some very severe deficiencies in the standards making process.

Through its Annex SL mandate to TC 176, ISO proved it was not interested in consensus. The TMB, with its 15 nonelected permanent members, has trumped consensus by demanding specific content in standards, not merely structure. Now we watch as opportunistic would-be consultants, TC 176'ers and Quality Digest regulars reboot all of history, tell us "it was about risk all along" and claim sudden, retroactive mastery in "risk based thinking" even though such a thing has never before existed, in either the risk management or the quality management professions. If the TMB tomorrow invented dinosaur-driven flying cars, the same people would suddenly claim to be experts in this, too.

Through its crony-driven leadership structure, the US TAG has squandered the nation's good will and interest in ISO 9001, failing utterly to meet the needs of major industries such as aerospace, automotive, medical devices and others. The US TAG leadership is obsessed with self-promotion over performance, and will kowtow to the TMB's unelected leadership if that means they can sell books and give keynote speeches. Meanwhile, US industry is considering abandoning ISO 9001 altogether, and returning to an era of endless 2nd party standards, contradictory customer audits, and passing on impossible costs to suppliers, and thus consumers.

Rather than arrogantly denigrating negative feedback as "hand wringing", Ms Robitaille should prove the management mastery she claims, and show how she can LEAD. She can start by listening to the overwhelming message that the US is sending to her and her TC 176 cronies, that RBT is a joke, that 9001:2015 is a disaster, and they should start from scratch. The 2015 deadline is a fiction, an arbitrary line in the sand that is no more a permanent thing than a snowflake. 

But Ms Robitaille isn't a leader, is she? She's a messenger, dutifully carrying the word of her masters, without so much as an ounce of critical thought. If she has to insult those who eventually have to buy her product, so be it. Geneva will be happy, and she will keep getting published.

At least this article goes on the pile of evidence that ANSI and the US TAG aren't interested in what anyone thinks, so when the heat gets turned up, we will know who to depose.

Evidence of RBT is everywhere in a QMS

Hello, Ms. Robitaille. Thanks for the article. It seems companies whose QMSs consist of clause-by-clause or 6 procedures only could now be applying RBT together with the process approach to establish effective QMSs. It's never too soon to do that, certainly. 

It seems more than being too onerous for smaller companies, "system FMEAs" or other risk assessment tools wouldn't be appropriate in many smaller companies. It might not be appropriate in some medium-sized, or even large companies, either. If an organization is managing risk successfully without such tools, ISO 9001 will not require that they start using such tools. (If risk assessment/analysis tools ARE needed, that's determined by management's application of RBT, not by management's application of ISO.)

The risk being entertained in a quality environment is a particular kind of risk: risk to achieving quality objectives. A QMS is established to systemically address this kind of risk. THAT's what a QMS is FOR. 

To say that ISO 9001:2015 will require additional risk assessment tools (beyond any that might already be in place), I believe, is mistaken. Rather, I believe it underscores the importance for auditors to find evidence of conformity where it exists and as it is presented, instead of expecting management to develop unnecessary routines to provide them with the evidence they think they need.

Rather than developing "system-level FMEAs" because it might look good to an auditor, how about we expect the auditor to recognize the effective application of RBT evidenced by our process-based management system with just the right amount of controls needed for our situation, and just the right amount of documentation needed to view and operate the system effectively, and just the right training to assure consistent performance, and in the effective actions we've taken to address risks and opportunities relevant to our ability to achieve our quality objectives?

Do we assume that auditors can't see the forest through the trees, so best practice is to riddle the forest with signs clearly pointing to each instantiation of RBT? We would hardly be able to see the forest through the signs! Rather than putting signs in the forest, or painting the trees with RBT, how about we expect the auditors to be able to recognize each tree as naturally being part of the (RBT) forest?

Rather than pointing auditors to FMEAs and management review as evidence of RBT, how about we point them to the architecture of the system, the documentation describing the system, the process controls in place, and the action log? Evidence of RBT is present in each of these; effective RBT would result in each of these being appropriate for the circumstances.