Originally posted on Cavendish Scott

By way of introduction, it must be said that the recent vote on whether to accept the DIS version of the ISO 9001:2015 standard included a rejection from the United States. While they publish and justify their reasoning, this is not made widely available and more than likely includes much political positioning as it does technical concerns. It remains to be seen if the overall vote (the US does not have any more voting power than other countries) is approved or rejected. If there is rejection it will cause delay to the publication of the new standard by at least 6 months as the rejection reasons are quantified and a new draft attempts to account for them. We shall see in the coming weeks.
However, irrespective of what happens next or even finally with the standard, the content in the current DIS give us some great direction which we should all adopt anyway.

Leadership and Full Integration

It was always intended that ISO should be adopted and integrated into an organization. It was never envisaged as something that would cause a manual to be written and have someone maintain it with the main emphasis being that it does not interfere too much with the operation of the company. Sadly many organizations ended up with this approach. Management perhaps did not believe in or understand the principles of a QMS or that ISO is only that – a model for a QMS.
Without the integration you don’t get the deliberate success out of your ISO that a QMS intends. No/limited management commitment, no/limited fact based management, maybe financial metrics (maybe not) but not/limited quality related, leading indicators of success.

Any major change in a standard would be an opportunity to change things with an established system but this new standard goes out of its way to press for true leadership, and full integration of the system into the workings of the organization. The pressure to assure certification may make management more committed and supportive of integration. A lowly and abused management representative now has some more teeth to implement a more effective system. Obviously you don’t get management commitment and supportive leadership just because a standard asks for it. However, it’s a start to open discussion and an opportunity to develop a more appreciative understanding. Once started, the need for certification should drive management to the right place with the appropriate coaxing. Integration of the system is a different manner. If the system is not currently being truly used in the organization then it is likely to need some resources to get there. These will need to be quantified in order to justify the resources to management but there are also cost reductions and tangible benefits which should support the case.
To be really successful, you need to manage your organization deliberately. Full integration will bring that. You also need real leadership from top management. ISO now provides a supporting hand to get you there.

Process Approach

The process approach was always advocated by ISO. Officially it first showed up in the 2000 standard but even earlier standards explained they did not advocate any particular approach. Many organizations needed ISO for a customer or contract and somebody was told “go get us ISO”. They got the task because they weren’t particularly doing much and they weren’t doing much because they weren’t very good. Management didn’t understand what it was; they just knew they needed it so it was a simple task allocation. Our new ISO guy read the standard and decided the easiest way to get ISO was to basically address each section of the standard in a procedure. Further, the procedure would use basically the same language. That way, how could it be wrong? It was wrong because although it reflected the requirements of the standard very well, it did not reflect what was going on in the organization. Hence the new “system” was not integrated; most people did what it said they had to and went back to what they were doing to run their department. Management quickly saw no value in this, labelled it as unhelpful and basically ignored it. They didn’t challenge it because they didn’t know any better.

ISO is about a QMS which is about being successful by design and not accident. A QMS is the activities (combined into processes) that start with a customer order and progress to delivery of product or service and ultimately the satisfaction of the customer. Any procedures should have defined the processes in the organization and not been based around a standard. Based around a standard, they need to be changed every time the standard changes. If they adopt the standard requirements numbering, they tend to adopt the structure and content of the standard. Obviously this helps to get ISO but it doesn’t help assure the running of the organization.
The new standard pushes quite hard for a process based approach. The current requirements are not totally mandating or explicit but it pushes a lot further than it has in the past. This provides significant motivation to convince other personnel in your organization to change the system to make it more integrated and more process based (it is almost impossible to have an integrated system without a processed based approach). Not only that, it will be useful, meaningful, drive improvement and be easier to maintain.

Annex SL

Less of a direct reason for you to adopt the 2015 version of ISO 9001 but certainly a good idea, is the inclusion of what is known as Annex SL in the 2015 standard. What ISO decided is that management system standards, like ISO 9001 and ISO 14001, that apply to the operations of an organization, have a lot of common processes. They decided to define a common structure, terminology and content for all standards that relate to organizations’ operations. Whether you are trying to achieve environmental superiority, information security or superb quality, you need management commitment, competency, documentation and records to do it. Consequently for every common activity, process or overlapping element ISO wrote the requirements for those areas in Annex SL. All the management requirements, resources, planning, support processes, measurement and improvement are all independent of the varied operations goals of different standards. This leaves the ISO 9000 committees to focus on quality and not have to worry about how to control documents. In practice the committees are allowed to change the Annex SL language if they have a compelling case. But the changes tend to be small. The net effect for you, the user, is that your standard is less and less likely to change (after this time when it is adopted) for the 70-80% of the standard that Annex SL addresses. Greater consistency, simpler changes, more common understanding and if you have more than one standard to adopt, even easier to combine multiple standards.

Risk

The new standard has abandoned preventive action. The wording in the old standard was not completely clear but it did ask organizations to proactively look for opportunities for preventive action. Unfortunately in most cases organizations just adopted a system that was the same as their corrective action system which is designed to be reactive. It’s easier to design a system for reaction because you are reacting to something that happened or exists. A proactive system requires stopping your very profitable activity to try to come up with something that doesn’t exist or hasn’t happened….yet. So most people didn’t. They simply waited for their ISO audit and then they filled in some preventive action forms with the actions that they took during the year, in a way that appeared proactive. Really what ISO 9001:2008 was asking for (and the 87, 94 and 2000 versions) was some risk assessment and management.
The new standard makes it clear. You will do risk assessment and management. While this will be “new” for most ISO systems, risk is a tremendous tool. It is common in most best practices and business models and is designed to avoid and mitigate problems before they occur. It does require some effort and there is no guarantee that the problem will actually occur but management will be in a much better position to make decisions, allocate resources and, it will make them accountable. Small organizations will take a “smaller” approach to it. Simple short reviews, quick updates, limited documentation. Larger enterprises might have individuals permanently assigned. The foresight it will bring to organizations will be tangibly beneficial.

…and Opportunity

ISO 9001 has always required continual improvement and this standard is no different. However, in addition to having improvement built into the processes (by taking a PDCA cycle for your process based approach) this standard takes advantage of the fact that you are going to be looking for potential problems (in a structured manner) because of the need to address risk, and it “suggests” you use that process or occasion (or define a completely separate process) to look for opportunities for improving performance. While it could be a completely separate process, it is likely to be more successful to have a similar process structure, but perhaps different content, and focus on where things are not bad, probably won’t get worse, but might be better. For instance, if your risk process was a team meeting where each process activity is reviewed for potential failures, the opportunity process might be a meeting where each important metric is reviewed for how its performance might be enhanced. This is a tangible improvement focus that 2015 will bring to organizations.

Conclusion

There are a lot of good things in the new version of ISO 9001:2015 and you don’t have to wait. It’s all too easy to moan about the difficult terminology or the weakening of the requirements. So don’t! Adopt all of the good things about the new standard now.