Putting Things In Context
Implementing new requirements in ISO 9001:2015
by R. Dan Reid
It can be argued that ISO 9001:2015 enhances the role quality management systems (QMS) play in the success of an organization and its business processes. Evidence of this, in part, is in a new requirement in subclause 4.1 titled, "Understanding the organization and its context."
This subclause requires an organization to "determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system."1
ISO 9000 adds that the "creation of unity of purpose and the direction and engagement of people enable an organization to align its strategies, policies, processes and resources to achieve its objectives"2 (see Figure 1, p. 68). It also asserts: "Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives."3
The 2008 version of ISO 9001 mentioned the "purpose" of the organization only in the context of ensuring that a quality policy is appropriate to that purpose. It did not mention the strategic direction of an organization, perhaps because the QMS was not previously thought to be a boardroom topic necessarily.
The new concept of context in subclause 4.1 also requires that the issues that can affect the intended results of the QMS be determined. This means these intended results or outcomes of the QMS must be determined up front. Figure 1 shows intended outcomes as an output of the scoping of the QMS.
The purpose and strategic direction of an organization are traditionally boardroom topics. There are differing views on what the purpose of an organization is. It has been defined as: "to accomplish the goals and objectives as indicated within the organization’s vision statement. The mission statement will indicate how [the organization] plan[s] on reaching those goals and objectives."4
The purpose has also been defined as "to serve and satisfy its customers."5 This follows the logic that businesses exist to serve customers, so customers are more important than stockholders, workers or management. Without customers, there is no business. ISO 9001:2015 deals with customers in a broader fashion by describing them as "interested parties," but more on that later.
Others could argue that the purpose of a for-profit organization is to make money, and that for not-for-profit organizations, it is to serve some segment of society in some prescribed way. Curiously, in ISO 9001:2015, purpose and strategic direction are not defined, but both terms are used in the new context requirement in subclause 4.1.
The word "mission" is defined as an "organization’s purpose for existing as expressed by top management."6 Because mission is defined as the purpose, mission is shown as an input for determining the context in Figure 1 and is a good starting point for engineering or reengineering a QMS.
In ISO 9001, context is defined as "the combination of internal and external issues that can have an effect on an organization’s (subclause 3.2.1) approach to developing and achieving its objectives."7
ISO 9000 offers more guidance. "Understanding the context of the organization is a process. This process determines factors which influence the organization’s purpose, objectives and sustainability. It considers internal factors, such as values, culture, knowledge and performance of the organization. It also considers external factors, such as legal, technological, competitive, market, cultural, social and economic environments. Examples of the ways in which an organization’s purpose can be expressed include its vision, mission, policies and objectives."8 The issues to be determined are those that:
- Are relevant to the organization’s purpose.
- Are relevant to the organization’s strategic direction.
- Can affect its ability to achieve the intended results of its QMS.
External issue examples include:
Technology. New technology has the potential to make current products or services obsolete. "Business leaders should keep their organizational strategies updated in the face of continually evolving technologies, ensure that their organizations continue to look ahead and use technologies to improve internal performance. Disruptive technologies can change the game for businesses, creating entirely new products and services, as well as shifting pools of value between producers or from producers to consumers."9
Technology’s impact on a QMS involves organizational knowledge. "When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates."10
Competition. A privately owned stamping organization has a much different competitive landscape from that of a turbocharger manufacturer. Competition typically drives prices down and quality and service up. These issues emphasize the critical need for good benchmarking, process effectiveness and efficiency, and can affect the amount of documented information needed and the amount of resources that are available.
Litigation profile of the organization. How much risk is involved in the product or service the organization provides? Due to the nature of their businesses, pharmaceutical organizations, hospitals and utility companies must act on the risk in their QMSs much differently and more diligently than does a manufacturer of cloth gloves. Problems with their product or service can result in lawsuits, which can be costly regardless of outcome. Legal costs just to mount a defense are significant. This requires better planning and risk mitigation through improved design, process controls and error-proofing.
Regulatory environment. Product and service sectors may be required to comply with regulatory and statutory requirements that can be ambiguous and complex. Often, organizations need a regulatory consultant to help identify and deal with the applicable requirements. This affects the new requirement for organizational knowledge.
Customer-specific requirements. Some sectors, such as automotive and aerospace, require third-party certification to ISO 9001-based QMS standards. Suppliers also are obligated to comply with additional customer-specific requirements, which add significant complexity as organizations operate at lower levels of the supply chain.
Organizations at the top require their suppliers to flow down their requirements to their suppliers. These suppliers typically add their own requirements and pass them all down to their suppliers. Add to that the need for second-party, on-site assessments to determine conformance, and organizations are forced to deal with a lot of work for little added value. This affects resources, supplier management (control of externally provided processes, products and services), data and documented information.
Union or nonunion. This also could be argued as an internal issue. Regardless, this can affect a quality system in several areas, such as communication, awareness, competency and policy.
Geographical. Delivery can be more complex to manage depending on where the organization is located and with what customers it chooses to contract. Exporting of products, as well as added regulatory issues increases inventory to the supply pipeline and carries more risk for design changes.
Some locations are prone to natural disasters—such as being in a flood plain or earthquake zone—which places a premium on business continuity planning and supply chain risk mitigation, which is costly at best.
Examples of internal issues include:
Resources. About the time of the economic turmoil in 2008, many organizations elected to downsize by reducing headcount. No doubt, many people who were left working in these organizations were required to do what had been the work of several others, in addition to their own work.
Without reengineering the processes involved, this dramatic cut in resources can significantly affect an organization’s QMS and, arguably, its ability to achieve its purpose. Technical human resources—engineers and quality practitioners—can be hard to replace. This emphasizes the need for capturing organizational knowledge, another new requirement in the ISO 9001 revision.
Other assets, such as infrastructure, also must be considered. Information systems are now at the forefront of key processes that support a QMS through control of documented information, such as procedures and records. Outdated or insufficient IT can harm the effectiveness and efficiency of a QMS and its intended outcomes.
Organizational structure. Is your organization a more traditional, pyramid structure or a matrix organization where a worker has more than one supervisor? This structure can affect various elements of the QMS, including subclauses:
- 5.3 on organizational roles, responsibilities and authorities.
- 7.4 on communication.
- 7.1.6 on organizational knowledge.
Are the authorities for work adequately and effectively specified and aligned with the responsibilities assigned? ISO 9001:2015 requirements for communication include determining the who, what, when and how for internal and external communications and the target audience.
Knowledge is described as knowledge specific to the organization gained by experience that is used and shared. Quality guru Philip B. Crosby indicated communication is hard work. If you don’t plan for it and work at it, it does not happen.11 Complexity in organization structure and related issues can affect a QMS.
Products and services. Even the product and service offerings the organization chooses will affect a QMS. Product complexity, volume, target markets and intended application are all issues that must be decided, planned for and effectively addressed. Clearly, this can affect resources, organizational knowledge, infrastructure, competency and other QMS elements.
Interested party needs and expectations. In ISO 9001:2008, the term "interested party" was not used. It was addressed in ISO 9004:2008: "ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance."12
There is now a requirement (subclause 4.2) to include the requirements of relevant interested parties within the QMS. ISO 9000 adds guidance: "Relevant interested parties are those that provide significant risk to organizational sustainability if their needs and expectations are not met."13
Interested parties can affect the level of control expected for the design and development process.14 Feedback from relevant interested parties must be included in the management review process.15
The quality policy must be available to relevant interested parties, as appropriate.16 Examples of interested parties include providers, partners, customers, investors, employees or society as a whole.17 Determining interested party needs and expectations is now an input to the scoping of a QMS (see Figure 1).
Note that the intent of the standard is that the organization determine which interested parties are relevant. An organization could take a minimalist approach to this and exclude some parties or requirements that may, in fact, be relevant. Certainly, auditors of a system will need to audit the criteria used and determine the effectiveness of an organization’s conclusions.
Revising your QMS
Context and interested party expectations are not the only clauses that must now be considered in planning. Figure 1 depicts one way to look at the planning and implementation of major elements of the revised standard. It could be argued that processes such as objectives setting, resource allocation and QMS processes are not actually sequential or in the order shown in Figure 1, which is true enough. The important takeaways from Figure 1 are:
Linkages. A link to the mission and strategic direction of the organization.
The scope or rescoping of a QMS. The scope of a QMS may change. The scope defines what is included in a QMS. The definition of "management system" now provides for a narrow scope of one or more functions or disciplines inside an organization, as well as the entire organization.
While there is no longer an explicit provision for exclusions in the standard, minimalists could argue that the applicable requirements from the standard that must be included in the management system can be those applicable to only one or more functions rather than the whole organization.
Organizations that choose to do this will make life difficult for customers that require third-party certification unless the customers address this issue in customer-specific requirements. The addition of interested party needs and the context requirement could, on the other hand, require a scope expansion.
QMS outcomes. The standard refers to the QMS outcomes, creating a need for determining them.
Identification of risks and opportunities. Standards writers point out that the concept of risk has always been inherent to ISO 9001, but it is now an explicit requirement. Full risk management is not required, but risks must be determined and addressed. Risks pertaining to products, processes and suppliers should be included. Identified risks will need efforts to mitigate them through design and process controls and verification activities.
Objectives. The continued use of enterprise-level objectives that are to be deployed and aligned with more specific objectives at relevant levels and functions inside an organization is key and is maintained from past versions of the standard.
Objectives should be measureable and time based. They should be reset after they are achieved to drive improvement. Metrics must be monitored and acted on as necessary to achieve planned results. Good metrics drive good behavior; just as bad ones drive wrong behavior. Be sure to choose wisely.
- International Organization for Standardization (ISO), Final Draft International Standard ISO 9001:2015—Quality management systems—Requirements, Subclause 4.1—Understanding the organization and its context.
- ISO, Final Draft International Standard ISO 9000:2015—Quality management systems—Fundamentals and vocabulary, Subclause 184.108.40.206—Rationale.
- Ibid, Subclause 220.127.116.11—Statement.
- Answers.com, "What is the Purpose of an Organization?" Oct. 4, 2015, http://tinyurl.com/purposeoforg.
- Angelfire.com, "The Purpose of Business Organization," Oct. 4, 2015, http://tinyurl.com/q53hgtp.
- ISO, Final Draft International Standard ISO 9000:2015—Quality management systems—Fundamentals and vocabulary, Subclause 3.5.11—Mission.
- Ibid, Subclause 3.2.2—Context of the organization (terms).
- Ibid, Subclause 2.2.3—Context of an organization.
- James Manyika, Michael Chui, Jacques Bughin, Richard Dobbs, Peter Bisson and Alex Marrs, "Disruptive Technologies: Advances That Will Transform Life, Business and the Global Economy," McKinsey & Co., Oct. 4, 2015, http://tinyurl.com/nmbecug.
- ISO, Final Draft International Standard ISO 9001:2015—Quality management systems—Requirements, Subclause 7.1.6—Organizational knowledge.
- Philip B. Crosby, Quality is Free: The Art of Making Quality Certain, McGraw-Hill, 1979.
- ISO, ISO 9001:2008—Quality management systems—Requirements, Subclause 0.3—Relationship with ISO 9004.
- ISO, Final Draft International Standard ISO 9000:2015—Quality management systems—Fundamentals and vocabulary, Subclause 2.2.4—Interested parties.
- ISO, Final Draft International Standard ISO 9001:2015—Quality management systems—Requirements, Subclause 8.3.2—Design and development planning.
- Ibid, Subclause 9.3.2—Management review inputs.
- Ibid, Subclause 5.2.2—Communicating the quality policy.
- ISO, Final Draft International Standard ISO 9000:2015—Quality management systems—Fundamentals and vocabulary, Subclause 18.104.22.168— Possible actions (relationship management).
R. Dan Reid is the director of standards and consulting at Omnex Engineering and Management in Ann Arbor, MI. He is an author of ISO Technical Specification 16949, QS-9000/QSA, ISO 9001:2000, the first International Organization for Standardization international workshop agreement, the Chrysler, Ford, GM Advanced Product Quality Planning With Control Plan, Production Part Approval Process and Potential Failure Modes and Effects Analysis manuals and the AIAG Business Operating Systems for Healthcare Organizations. Reid was the first delegation leader of the International Automotive Task Force. He is an ASQ fellow and an ASQ-certified quality engineer.