Document Management: Risks, Controls, and a Sample SOP Template

Most companies face the challenge of managing the documentation they generate—those that are developed to control their business and processes (e.g., standard operating procedures—SOPs) and the associated records as evidence of compliance with those procedures. This may go a step further if the company wishes to obtain or maintain certification to an external standard such as ISO 9001, which includes document-control requirements.

Document management can often be overlooked, especially by new organizations, as it may seem like a lower priority. But it can become unwieldy very quickly for such companies if not addressed from the get-go.

The primary risks are that poor documentation can:
• Have a negative impact on the functioning of a company and its products or services. For example, if an employee follows an out-of-date work instruction in processing a product, it can result in the product going to market not to specifications. The risk here can be great for healthcare products.

• Result in not obtaining or maintaining an ISO quality management system certification (if the company wants that). This can affect the revenue of companies, as some business customers require evidence of certification to a quality standard such as ISO 9001 before entering into an agreement to use the company as a supplier.

How does one address these document management challenges and potential risks to their company? We’ll look at ISO 9001, because it’s the internationally recognized standard for quality management systems (QMS) and includes document management and control requirements (clause 7.5).

We should first define “documented information” as referenced in ISO 9001:2015 (clause 7.5.1). The definition is in ISO 9000:2015—“Quality management systems—Fundamentals and vocabulary,” in section 3.8. To be brief, documented information is described there as “...information required to be controlled and maintained by an organization.”

Clause 7.5.1 of ISO 9001:2015 requires that a company QMS maintain documented information required by the standard, and documented information determined by the company as being necessary for the effectiveness of its QMS.

Thus, the minimum required to be maintained by ISO 9001 is the scope of the QMS, the quality policy and objectives, and those documents determined as necessary to support and control the operation of processes and ensure the effectiveness of the QMS, with the goal being customer satisfaction.¹ Also, the extent of documented information can vary, depending on such things as the size of the company, the complexity of its processes, and the type of services and/or products it provides. One should carefully consider the risks of having inadequate documentation (e.g., SOPs) to control its processes. If that is lacking, resulting in distribution of a defective product, a company opens itself up to potentially undesired consequences (e.g., for FDA registered facilities developing medical devices, it could lead to substantial fines, lawsuits, and loss of reputation).

Additionally, the standard requires companies to retain documentation (e.g., records) for the purpose of providing evidence of actions taken as planned and results achieved. There are too many to list here, but they include training records and those records indicating that processes were conducted as planned. Even if you do not plan to seek certification, maintaining this documentation is also recommended for tracking actions taken and reference purposes.

Note: Documented information may be on paper and/or in electronic format.

If your organization does not currently have a policy or procedure for document management itself—one is not specifically required by ISO 9001—it’s still recommended to ensure adequate control of your documented information. Even without one, there are requirements in the clause that must be met for your documented information if you want to be certified to the standard. These include (clauses 7.5.2 thru 7.5.3.2):
• Proper identification (e.g., title, date, author) and review and approval
• Protection (e.g., from loss of confidentiality) and controls over their distribution, access, storage, and use
• Appropriate control when changes are made (e.g., changes reviewed, version control)

While not ISO 9001 requirements, the following best practices can also be considered by your organization—again, depending on its size and complexity of processes. These include establishing the following:
• A designated department and/or lead responsible for overseeing your organization’s documented information and ensuring compliance with internal and any external document management requirements
• A system (electronic is preferred, e.g., an off-the-shelf document management e-system) to manage document creation, approval, and revisions; access/use; and retention. Recommended components of such a system would be ensuring edit rights for documents to the document owners, and availability of only the latest, approved, and read-only version.
• Standardization of document templates to ensure consistency of SOPs, forms, etc. If you seek certification to ISO 9001, you will also need to ensure the templates you develop are compliant with clause 7.5.2.

Documents can be ubiquitous and wide ranging in type and function, depending on a company’s size and processes. Make sure you have control over them.

I hope this helps you get started if your company is just getting off the ground, or, if your company is established and already has a document management system in place, reassess it if you find it necessary.

Here is a link to a document template that contains the key elements you need to get started.

Reference

1. There are other ISO management standards that also include document management requirements (e.g., ISO 14001), so you’ll want to review those for any differences from ISO 9001 if you want to be certified to them as well. Further, the same high-level structure of certain ISO management system standards, such as ISO 9001 and 14001, allows your company to operate a single (“integrated”) management system that can meet two or more management system standards simultaneously (guidance here).

About The Author