ISO 9001:2015’s Customer Requirements

Everyone is gearing up for the challenge of updating their compliance to the requirements of the 2015 version of ISO 9001. Most quality professionals I speak with seem to have digested the new requirements as something very different than past versions. Personally, I don’t see it in quite the same way.

After careful review, I see the new revision increasing emphasis on longstanding requirements and adding measurable controls to help ensure attention and accountability.

There have always been areas of ISO 9001 where organizations either took a minimalist approach or acted on gut instinct rather than concrete analysis. The new revision of the standard makes it much tougher for companies to make an ill-considered decision without leaving a very visible trail concerning both the decision and the subsequent actions.

If we focus on customer requirements, also commonly known as contract review, we see where this new approach is particularly pronounced. In most companies, the decision logic for what business to pursue is totally decoupled from any real analysis, much less risk assessment. Sales organizations tend to doggedly pursue all potential opportunities with equal zeal and aggression, and it isn’t until the business is won that most organizations begin to consider whether they have the means and ability to address the customer’s requirements. Performing risk analysis on business already won just tells you how deep the stuff you find yourself standing in actually is.

Historically, it wasn’t obvious that the company wasn’t prepared for the business until customer complaints, missed customer commitments, corrective actions, and nonconforming material trend analyses begin to bubble up to management. Even then, seldom is the root cause discovered to be, “What were we thinking when we decided to take on this business?”

The increased emphasis on a process-based approach with commensurate risk assessment will now almost certainly have to begin earlier in the decision process to allocate resources for a particular business opportunity. This can be a very good thing for the long-term success of the organization and the sanity of of those who work there. I can think of at least three examples of large and profitable companies that were destroyed by trying to fulfill the requirements of enticing deals that they weren’t positioned to accommodate.

Some questions to ask

Even rudimentary risk analysis of the following when deciding whether to pursue new business can ignite at least a discussion of the organization’s ability to deliver on what the customer expects. Questions to bear in mind include:

Will our technology and product or service offerings align with the prospect’s technical requests?
• Will winning the business require investing in R&D activities?
• What is the risk of failing to evolve the technology fast enough to deliver?
• How much will this R&D activity and subsequent qualification add to the projected cost to deliver?

Do we have the resources to deliver on time and within budget?
• Will retraining of existing personnel be required?
• Will new skills be required that must be recruited and added to staff?
• Will existing staffing levels need to be increased to ensure that commitments and deliverable timelines are possible?

Are there capital expenditures required that can be both identified and quantified as to cost or lead time?
• What is the projected lead time to obtain and install new capital equipment?
• Are special permits required for any new equipment or materials?
• Are there additional environmental, health, and safety (EH&S) risks associated with new equipment or chemicals?

Is our supply chain robust and expert enough to support our projected needs related to this new business?
• Do we need to develop and qualify new or additional sources for materials or services?
• Will we need to reassess our suppliers to ensure their ability to play their roles in this project?
• Are the suppliers’ abilities commensurate with the projected requirements and expectations for them?

If this new business is won, how will it effect commitments to other business already scheduled in the pipeline?

The empirical results from this analysis will allow the company to develop offsetting strategies to minimize identified risks. Even a decision to move forward with identified risks can ensure that management and other parts of the organization share equally in the assumed risk. It can also be invaluable in the unhappy event that you find yourself chairing a “lessons learned” or management review meeting, in which some participants inevitably seem to develop sudden amnesia. The salient intent at the end of the day isn’t to make the business risk-aversive to the point that opportunities are missed, but rather that risk assessment is performed and considered as part of the decision.

ISO 9001:2015 isn’t an additional layer of “dos and don’ts.” Consider it as providing guidance and tools for assessing whether a risk is likely to occur and how serious it might be. In the grand scheme of things, I can’t consider this anything but a prudent tool for making every process in your business better.

First published July 2, 2015, on the IBS blog.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”

About The Author