It’s All in the Approach
Understanding the ins and outs of the process approach
by R. Dan Reid
It has been stated that all work can be viewed as a process. The process approach was introduced in ISO 9001:2000, but it has been difficult for auditors and organizations to implement. One problem is that the International Organization for Standardization (ISO) has never defined the term—ISO describes it, but doesn’t define it.
The difficulty is also evidenced, in part, by guidance issued by ISO and the International Accreditation Forum (IAF)1 in 2016 on how auditors should conduct an audit using the process approach.2 The guidance states that the process approach is viewed as one of the most important approaches for a quality management system (QMS). It says auditors must understand that auditing a QMS means auditing an organization’s processes and their interactions—not people or departments.
To effectively use the process approach, organizations and auditors alike must understand the difference between a department and the QMS processes employed in that department. Auditors must be competent in the processes they’re auditing. And, it’s critical for top management to provide the QMS resources necessary to make effective audits possible.
What’s the problem?
Given the IAF’s guidance, it appears that, for many years, auditors have been auditing departments or individuals rather than processes. In years past, QMS audits often involved a checklist consisting entirely of closed questions, such as those with yes/no answers.
The process approach involves understanding the inputs, outputs, metrics, controls, risks and improvements, for example, of the QMS. Therefore, auditing using closed questions is of limited effectiveness because, at best, it only checks whether the intent of the requirements has been met.
For example, early versions of ISO 9001 (1987 and 1994) required organizations to have a documented process for several QMS processes. In those days, the ISO 9001 implementation catchphrase was, “Say what you do and do what you say.” This did not consider whether the specified method was being fully used as intended or whether it was effective in producing the desired results, such as the degree to which it met the intended outcome. Back then, you only had to have a documented process without regard to whether it was effective or effectively implemented.
Too many organizations continue to use a checklist of closed questions when auditing QMSs, which is why the 2016 IAF guidance was issued.
Process map problems
The process approach requires an understanding of the sequence and interactions of QMS processes. Many organizations use process maps to demonstrate this, but there are several missteps to watch for:
- Using a traditional flowchart instead of a process map. Flowcharts have decision steps at which you can go different directions depending on a condition. A process map does not.
- Basing a process map on the clauses of the standard. A process map should follow the steps of the process, not the clauses of ISO 9001 (for example, clause 4.1 is followed by clause 4.2, which is followed by clause 6.1 and so on).
- Failing to include all of the key QMS processes. Often, organizations make the mistake of listing only four or five high-level processes or groupings of processes. This fails to effectively show the sequence and interactions of the actual QMS processes (which is required by ISO 9001, clause 4.4).
To be an effective QMS that complies with ISO 9001, most organizations need 30 or more QMS processes, even though the standard explicitly requires fewer. This is because ISO 9001 is a generic standard and must apply to organizations of all sizes and types.
Further, ISO 19011:2018, the international guideline for auditing management systems, provides helpful guidance on this and other subjects, such as the context of the organization (clause 4.1). The standard clearly considers auditing of clause 4.1 and other clauses to be auditing of processes for the context of the organization, even though the management system standards don’t explicitly require a process for this. Considering this, ISO 9001 and the IAF’s guidance suggest considering the organization’s processes for addressing the QMS requirements, even when the standard doesn’t explicitly require a process, such as for identifying interested party needs and expectations.
- Auditing departments or functions instead of processes. The IAF notes that auditing a QMS is auditing the processes, not the departments or functions. A sales department, for example, performs or supports several QMS processes—such as reviewing contracts, addressing interested party needs and expectations, and maintaining organizational knowledge—but the department itself is not a process.
Auditors must interview process owners and others to obtain objective evidence to conclude whether the requirements of the standard are met, but they must be auditing the department’s processes, not its people.
Example: The purchasing department
Like sales, purchasing is better thought of as a department, not a process. For direct product material, purchasing typically is involved in—or responsible for—several QMS processes, including supplier qualification, as outlined in Figure 1. Supplier qualification often is the process of deeming a potential supplier fit to supply a product to the organization going forward, without actually awarding the work. It is how new suppliers get added to an organization’s approved supplier list. Supplier qualification relates to or interacts with the following processes:
- Supplier selection—how most organizations choose which suppliers from their approved supplier lists they will award new business.
- Supplier monitoring and supplier quality—the process for addressing poor-performing suppliers.
Note that a large organization’s purchasing department could have more QMS processes.
Purchasing, sales and other departments often are listed erroneously as processes on an organization’s key process map. But departments more appropriately belong on an organization chart rather than a process map. However, this typically isn’t listed as an audit finding against ISO 9001, clause 4.4, requirements. Why? Most auditors have never worked in a purchasing, manufacturing, engineering or another such department, thus having a hard time in effectively auditing these processes.
ISO 9001, clause 7.2, defines competency as a combination of education, training and experience. Many people still believe that auditors shouldn’t audit their own department or function due to the need for independence and impartiality. The current standard for auditor independence and impartiality is auditors must not audit their own work. In fact, for processes involving technical work, how can anybody who isn’t competent—based on his or her education, training and experience—effectively audit these processes? Can a quality practitioner effectively audit the metrology lab or engineering department—or even purchasing—if they have never worked in these departments?
Any trained auditor can audit most QMS processes to a degree. However, their lack of experience in organizational departments may explain why so many audit results fail to identify nonconformances in processes that require auditor competency in the process itself.
A path forward
According to ISO 9001, clause 5.1, an organization’s top management is responsible for providing the necessary resources for the organization’s QMS. Since the Great Recession, however, most haven’t effectively done so. Many jobs were eliminated at that time and while the economy has since recovered in many sectors, top management often fails to provide enough resources to ensure the effectiveness of the QMS.
In some sectors, one worker still is expected to perform work that several people used to do before the recession. But certification body auditors often have failed to cite a lack of resources as a major nonconformance to the requirements of ISO 9001, clause 5.1. Perhaps that is why so many customers have elected to conduct their own supplier audits to identify QMS issues from their perspective rather than rely on third-party certification results.
Top management must understand and fulfill its obligation to adequately provide resources for the QMS, including the internal and supplier audit processes. QMS auditing cannot be performed effectively by the quality department alone. Top management must provide people from other departments, such as engineering, purchasing and manufacturing, to be internal and supplier auditors.
Make sure your top management is aware of its obligations prior to your next certification audit. As W. Edwards Deming stated, top management can’t be committed to just quality—it also must know what it must do to cause quality to happen.
Note and Reference
- The International Accreditation Forum (IAF) is the world association of Conformity Assessment Accreditation Bodies and other bodies interested in conformity assessment in the fields of management systems, products, services, personnel and other similar programs of conformity assessment. See www.iaf.nu for more information.
- ISO-IAF ISO 9001 Auditing Practice Group Guidance on Processes, Jan. 13, 2016, https://tinyurl.com/y4ufpvl3.
R. Dan Reid is the principal consultant with Management Systems Consulting LLC in Farmington, MI. He is an author of ISO Technical Specification 16949, QS 9000, ISO 9001:2000, ISO IWA-1 (the first International Organization for Standardization international workshop agreement), the Chrysler, Ford, GM Advanced Product Quality Planning With Control Plan, Production Part Approval Process and Potential Failure Modes and Effects Analysis manuals. Reid was the first delegation leader of the International Automotive Task Force. He is an ASQ fellow, an ASQ-certified quality engineer and a trainer of many standards, including ISO 13485, AS9100, ISO 14001, ISO 45001 and the German automotive standard VDA 6.3.