Milt Dentch, author of The ISO 9001:2015 Implementation Handbook, clarifies some changes from the 2008 revision, explains his take on risk-based thinking, and shares what he envisions future revisions of the standard to include.
What is your experience with ISO 9001?
I have been an RAB (Exemplar Global) lead auditor for quality and environmental management systems for over 20 years. For several years, I audited full-time for international registrars Bureau Veritas and TÜV SÜD America, completing audits for a diverse client base all over the US, Canada, South America and Eastern Europe. I have logged over 500 third party audits. The last few years I have reduced my auditing time and now provide consulting and internal auditor training for ISO 9001 and ISO 14001.
Do organizations have to do anything significantly differently in implementing ISO 9001:2015 versus ISO 9001:2008?
ISO 9001:2015 requires the organization to integrate the quality management system (QMS) requirements into the organization’s business processes and understand the context (external and internal issues) of the organization and expectations of interested parties. Additionally, the new standard requires the organization to provide a program plan to achieve its quality objectives: who is responsible, what is the schedule, and what techniques or methods will be utilized to manage the program.
A significant change for organizations upgrading to ISO 9001:2015 is the requirement to develop a process to address risks and opportunities. While many ISO consultants and practitioners refer to this requirement as risk-based thinking, I prefer to describe the requirement as risk analysis, which is more practical in my opinion than requiring the company to establish a new way of thinking. Inherent in several clauses of ISO 9001:2015 are various levels of risk and threats to the organization in satisfying their customers’ needs and preventing the organization from meeting their improvement objectives. Changes in processes or equipment, raw materials, and employee work instructions are examples where the organization should analyze and provide planning to mitigate the risks before implementing the change. Likewise, when scheduling internal audits, the organization should consider the risk level of errors presented by each process when establishing the frequency of audits.
Clause 7.1.6, Organizational Knowledge, is new to ISO 9001:2015. Organizations, depending on their operations, are now required to have some formalized program for succession planning, technology updating, and supplier contingencies.
As an Exemplar Global lead auditor (for both QMS and EMS), what will you be doing differently in auditing compliance to ISO 9001:2015 versus ISO 9001:2008?
I will look for objective evidence to support how the organization has integrated the QMS into its business, and how the organization considered internal/external issues and interested parties when establishing the QMS. I’ll expect to see some form of risk analysis, commensurate with the organization’s business model. What process does the organization use to retain organizational knowledge? (I will be sensitive to possible confidentiality related to the company’s business strategy). When reviewing quality objectives, I’ll expect to see a formal program related to how the organization will achieve its objectives. The program approach to achieving objectives has been integral to ISO 14001 for several years. It has been successful in improving environmental management systems (in my opinion)and should help the quality systems as well.
The spirit of ISO 9001:2015 is to relax the amount of documented information to allow the organizations to manage and control the processes within the QMS. While ISO 9001:2015 indicates a quality manual is not a requirement, my recommendation to organizations currently maintaining a quality manual is they should continue using the manual as a high level consolidation of the key elements–or roadmap–of their quality documentation. I also suggest that organizations with a quality manual that currently includes paraphrasing of each ISO 9001 clause requirement–going back through several ISO 9001 revisions–seriously consider streamlining the quality manual while upgrading to ISO 9001:2015. When documenting commitments to requirements of ISO 9001; organizations should define what they will do, not what they may do.
While ISO 9001:2015 may appear to present an opportunity to avoid or reduce documentation, I suggest organizations continue to “document what you do and do what you document”. The documentation of the quality management system should be suitable to the organization’s business, and provide value in managing the organization’s processes. The overarching principle in documentation should be to formalize and control what is needed to ensure users of the documentation have a source for information and instructions that is accurate and timely, providing consistency in managing the business.
I suggest individuals charged with implementing ISO 9001:2015 review Annex A, Clarification of New Structure, Terminology and Concepts, of the new standard and decide how the interpretations of the requirements described in the Annex fit their organization’s QMS and business model. Third party auditors should likewise review the Annex to become aware of the flexibility written into ISO 9001:2015 related to documentation.
Seven or so years from now when ISO 9001 is updated again, how will we know whether its 2015 version had been an improvement over the 2008 version?
I would expect the most significant change resulting from the implementation of ISO 9001:2015 would be the inclusion of a more formalized risk analysis process for organizations currently lacking such an initiative. As a collateral effect, I would hope that companies, who have maintained an ISO 9001 certification for many years, would take this opportunity to create documentation conforming to ISO 9001:2015, consistent with their business model, while eliminating nonessential verbiage and paraphrasing of ISO 9001 clauses.
In my opinion, the disciplined approach of ISO 9001 implementation and third party auditing have been very important in improving the quality of products and services provided to customers since its inception in 1987. Certainly, many other quality initiatives such as statistical process control, lean manufacturing and Six Sigma initiatives have contributed, but ISO has been a major component in establishing consistency in operations.
The current revision ISO 9001:2015 strives to make ISO 9001 a major driver in the business model of the organization. In the next several years, I would be surprised if ISO 9001 emerged as the central program used by top management to run their business. ISO 9001 will continue as an important tool for manufacturers and service companies in providing the discipline and consistency in the operation and control of their processes.
The ISO 9001:2015 Implementation Handbook is available through Quality Press.