Making the Most Of Management Reviews
What can you do to add value to QMS review meetings?
by Govind Ramu
ISO 9001:2015 requires top management review of an organization’s quality management system (QMS). This provides an important opportunity for a quality manager to present to upper management a State of the Union-style report on the organization’s quality health.
I have seen all varieties of such meetings: from day-long off-site meetings in which the owner of every business segment presents, to an hour-long ceremonial presentation featuring regurgitated graphs, tables and slides packed with text.
Management review participants often complain that these meetings are a waste of time because the information already has been covered. Or, they tell themselves that it’s just something they must do for International Organization for Standardization (ISO) certification.
How can these meetings be restructured so they add value?
The key is to understand the intent of the management review requirements. ISO 9001:2015 clause 9.3.1 states: "Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction of the organization."[1] The intent is to ensure:
- Continuing suitability. What has changed in the organization or the QMS that will render the QMS unsuitable or less suitable?
- Adequacy. Sufficiency in terms of people, process, infrastructure and operating environment.
- Effectiveness. The "extent to which planned activities are realized and planned results are achieved."[2]
- Alignment with the strategic direction of the organization. Any changes to strategic direction require realignment of the QMS.
Let’s look at these requirements in more detail.
Many changes take place in an organization over time due to shifts in policy and strategy or external factors.
Let’s use the recent spike in ransomware as an example.[3] Computer hacking is becoming more sophisticated, and organizations must determine how to prevent an attack or reduce the impact of one. This is IT-related risk mitigation, so what does it have to do with a QMS? A ransomware attack can prevent an organization from serving its customers promptly, and it can compromise private information. It also can put an organization’s intellectual property at risk if documented information is posted in a public domain.
Because ransomware attacks are wide-reaching and evolving rapidly, it is important for organizations to review any potential IT vulnerabilities. Perhaps changes must be made to IT policies and procedures to anticipate and prevent such risks. In the event of an unforeseen, sophisticated hacking incident, does the organization have a plan in place for business continuity?
If an organization’s manufacturing or service delivery has expanded to new territories, or if the organization has launched new technology products, is the QMS sufficient to handle this business expansion?
Offering products and services in new territories requires a launch plan that includes obtaining necessary regional certifications, hiring people from the new location (to address language and cultural barriers) and setting up infrastructure (hardware, software, building facilities and transportation, for example). Demo units may be required in the new territories, and an operating environment must be recreated or simulated to show product functionalities to potential customers.
New technology products may require extensive training materials. It shouldn’t be left to salespeople on the ground to figure out. A well thought out launch plan will have all the activities adequately covered so the sales team can provide an experience that delights customers.
Every organization has its own business processes, initiatives, goals and objectives to improve its bottom line and enhance the customer experience. How effective is the organization at meeting these goals and objectives?
ISO 9001:2015 subclause 9.3.2.c.5 requires the management review to consider monitoring and measurement results that are relevant to the QMS and assess their effectiveness. Not meeting the results could be caused by inadequate resources, internal and external issues, or a lack of risk-based thinking. Should analysis be performed to determine why the results have not been met? Are there any systemic issues or common themes that run through various instances in which results were not met?
Alignment with strategic direction
Organizations may occasionally change their strategies due to market shift and to enhance their offerings to customers. For example, an organization may offer services online, outsource services or partner with a joint venture to manufacture products. All of these scenarios require a QMS to be realigned.
Offering services online requires developing a website, offering on-site support and managing the website’s content. This, in turn, requires hiring a software development team and training virtual support personnel to handle online service requests and customer feedback. Documented information should be readily available online for support personnel to access from anywhere, and records and transaction information may require cloud storage.
If services are outsourced, controls must be in place to ensure quality and continuity of services.[4] A manufacturing joint venture brings potential challenges regarding differences in QMS processes and controls, so an alignment between the joint venture partners’ QMSs is required to effectively run the business.
What if management review meetings addressed the above-mentioned intent of the ISO 9001:2015 management review requirements? Could the face-to-face time with senior management be more valuable? This is a refreshing approach to the traditional way of just covering requirements on the surface by presenting volumes of graphs, tables and slides.
There are many different misperceptions about conducting a management review meeting, such as:
- There must be one annual management review.
- Management reviews should cover all requirements in one meeting.
- All senior management should be present at the annual meeting.
- Management review should follow the ISO standard requirement sequence (for example, subsections 9.3.2.a through f).
These expectations have evolved over time—likely to make auditing easier—without keeping in mind that management review helps to improve business. In a typical organization, the outcome of a management review is reviewed periodically—weekly, monthly, quarterly or annually, for example (see Table 1). The performance results are reviewed as a business activity irrespective of whether an organization is ISO 9001 certified. For large organizations, it is unlikely that all senior managers will be present at these meetings. However, the information should be made available for comments and decision making when appropriate.
One of the major changes we made in our organization was to move away from arranging the management review presentation in the sequence of ISO 9001 requirements. Instead, we rearranged the contents consistent with other management presentation agendas. Our senior management was familiar with this format, which helped improve engagement with the content.
We were not saying, "Now presenting ISO 9001:2015 clause 9.3.2.a." We used appropriate captions, such as business segment highlights and lowlights, challenges, improvement actions and next steps. This kept the conversation relevant to our organization and didn’t give the impression that it was simply satisfying an ISO 9001 requirement.
To help internal and external auditors, we cross-referenced a relevant ISO 9001:2015 requirement in the top right-hand corner of the presentation. The main intent of our management review was to help senior leaders understand our presentation content so they could engage with it and provide value-added feedback. It was not for mere ISO 9001 compliance.
Quality professionals must be innovative in how they implement QMSs and bring value to their organizations. Every organization is different, and every organization’s values, culture and beliefs are different. Move away from the rigid, prescriptive approach to QMS implementation of the past. QMSs exist to help organizations, not the other way around. You should not compromise the intent of meeting ISO 9001 requirements, but you also should be flexible and open-minded when integrating a QMS into existing organizational processes to accomplish your objectives.
References and Note
1. International Organization for Standardization (ISO), ISO 9001:2015 Quality management systems—Requirements.
2. ISO 9000:2015 Quality management systems—Fundamentals and vocabulary, subclause 3.7.11.
3. "Ransomware" is defined as a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. For more information, visit https://en.wikipedia.org/wiki/Ransomware.
4. Govind Ramu, "External Demands," Quality Progress, April 2016, pp. 50-51.
Govind Ramu is senior director of global quality management systems at SunPower Corp. in San Jose, CA. He is a licensed professional engineer from Ontario, Canada. He also is the chair of the U.S. Technical Advisory Group to International Organization for Standardization Technical Committee 176, subcommittee 1 on ISO 9000:2015 standards. Ramu is an ASQ fellow, ASQ Crosby Medal recipient and holds six ASQ certifications: manager of quality/organizational excellence, engineer, Six Sigma Black Belt, auditor, software quality engineer and reliability engineer. He is a regular contributor to QP’s Expert Answers department, author of The Certified Six Sigma Yellow Belt Handbook (ASQ Quality Press, 2016), co-author of The Certified Six Sigma Green Belt Handbook, second edition (ASQ Quality Press, 2015) and a contributing author of The Lean Handbook (ASQ Quality Press, 2012).