ISO 9001 Compliance
Over the years, ISO Champions have come to realize that there are common threads in their ISO success stories. This article reviews and analyzes these successes and provides practical suggestions for those who want to get their ISO project off to the right start. The three magic pills to achieve genuine value from ISO are what
We call “ISO Done Right”. They are:
Keep it simple!
Focus on business value!
Never do anything just to show an auditor!
This article speaks to those who are just beginning their ISO 9000 journey, and to those who already have quality systems that may not be providing satisfactory results.
ISO Done Right!
It was almost 20 years ago that I was first introduced to ISO 9000. I vividly recall my boss calling me into his office to say, “I want you to get us an ISO 9002 certification.” I’d been given many assignments as a new Quality Assurance Manager that I hadn’t known much about, but I knew that I’d have to work my way through a learning curve to figure out what it would involve, then put a project plan together that would show the resources we’d need to get it done.
When I got back from a week of “ISO boot camp” (Lead Assessor Training) I was somewhat overwhelmed. Not only was I confused by all of the new terminology (why can’t they write this stuff so mere mortals can understand it?) but I was sure we were going to need some help. Even if we could pull everything together and Somehow pass the audit, we’d be left with a boatload of procedures, meetings and administrative work to maintain the certification.
I met with my boss the following week for a debrief meeting. “We can certainly get this done”, I said (just HOW wasn’t clear to me), “but I’m going to need two or three new staff people in QA to keep up with everything.” My boss glanced over my draft project plan and said simply, “I believe I said I wanted YOU to get the ISO certification. You’ll have to make do with the staff you have.” Gulp. I knew that I’d have to get creative in terms of getting everyone involved and to keep everything as simple as possible.
A lot has changed in the world of ISO since those early days (including the elimination of ISO 9002 – everyone gets an ISO 9001 certification these days) and many of us think we’ve finally figured out what all the technical jargon really means. It’s also helped to actually see ISO in action in real companies. I have now had the opportunity as a consultant for the past 8+ years to see ISO in companies big and small in many industries such as manufacturing, service, technology, education and others. I’ve grown to appreciate a few things that seem to make all the difference in how ISO impacts an organization, whether positively or negatively.
On The One Hand…
In the worst of situations, some companies treat their ISO certification as an appendage that has been awkwardly grafted onto the side of the company (sorry to be so graphic, but it makes the point). In these companies, ISO is something to show an auditor once a year. When the annual audit is near, everyone scrambles around to neaten up the place because “company’s coming over for dinner”. Somehow they pacify the auditor enough to come away with a (somewhat lengthy) list of corrective actions to address, but none the worse for wear. Then all of the “ISO stuff” is quickly shoved back into the closet so it is out of the way of the “real” business that needs to get done. Everyone knows that their ISO system is mostly a sham and perhaps they privately wish they’d never signed up for the certification in the first place. But it seems to keep their customers happy seeing the ISO certificate in the building lobby. Slightly better are those companies who try to keep up with everything through the year unless a “crisis” comes up or everyone gets too busy. Unfortunately the crisis-of-the-month and the too-busy-with-the-customer excuses are quite routine and, worse, acceptable justification to “work around the system”. In too many cases these short term lapses become the standard operating procedure. Once the dust settles things get mostly caught up until the next “all hands on deck” is signaled. These companies commonly think of ISO as a “necessary evil” that has to be tolerated.
… On The Other Hand
While all of this seems rather cynical, there are happily a large number of ISO certified companies who appear to “get it” when it comes to achieving real value from their ISO QMS (quality management system) and have integrated it nicely into their daily business operations. In these companies, the management team has learned how to use the discipline imposed by ISO to their advantage in solving real problems and consistently achieve genuine improvements in business performance. These organizations report tangible and intangible benefits by using ISO as a lever for improving both customer satisfaction and their own bottom line.
I have personally worked with many of these ISO Champions over the years and have come to realize that there are a few common threads evident in their success stories. The remainder of this article will review some practical suggestions for those who either want to get their ISO project “off to the right start” or get their QMS “back on the right track”.
In either case, the three “magic pills” to achieve genuine value from ISO are what we call “ISO Done Right”. They are:
Keep it simple!
Focus on business value!
Never do anything just to show an auditor!
Keep it Simple
1. Misunderstanding of the requirements.
2. Copying a “big company” approach in a small company.
3. Carry over from previous ISO 9000 versions.
Every Registrar I’ve worked with has repeatedly said that the number one “mistake” companies make in implementing ISO 9001 is to make things too complicated. When procedures and processes are complicated they are cumbersome and expensive to maintain and create a stumbling block for getting the job done. The result is that these complicated and confusing processes are simply bypassed with “work arounds” when time is short or the pressure is on.
A common reason for overly-complicated QMS processes is a misunderstanding about what is REALLY required for certification. When a new ISO implementer is faced with his/her initial ISO learning curve there is a lot of fear regarding “passing” or “failing” the audit. This fear, coupled with an uncertainty about ISO requirements, often leads to a “better safe than sorry” mentality when setting up the company’s ISO system.
Another source of over-complicating ISO stems from those who previously worked in a “big company” that was ISO certified and they bring the same processes into their current smaller company because “that’s what ISO expects”. The assumption is that if it worked in another company it must be the “right” way to satisfy the auditor. What is not necessarily appreciated or understood is that ISO 9001 is merely a general framework of good quality practices, not a script to be followed identically in every business. The general (and some would say “vague”) language in the ISO standard is purposely non-prescriptive to allow for a great deal of flexibility when applying the requirements to your specific business. There is not “one size fits all” when it comes to how to set up an effective ISO QMS.
A third reason ISO is often made too complicated comes from those of us who have been exposed to ISO for years. In the year 2000 the ISO 9000 standard was overhauled to be more adaptable to more types of businesses. For business folks like myself who have worked with the old ISO (1994 version and previous) we remember the inordinate number of documented procedures required and the overall over-kill that was found in nearly every “clause” of the standard. But in the new “ISO for the 21st century” the requirements were opened up to work not only for big manufacturing companies but for service companies, schools, technology firms, consulting firms and even one-man shops (yes, we’ve worked with a growing number of one-man shops to achieve ISO certification!). In making the certification more adaptable, there are many areas of the standard that were greatly simplified. For this alone, many of us give thanks!
1. Minimize the number of documents.
It is still surprising to many that ISO 9001 “requires” only 7 documents: a quality manual and 6 administrative procedures. Beyond that, you are then to determine any additional procedures needed by your company. Your auditor will not walk in the door and hand you a list of required procedures. They will, however, expect you to effectively manage your quality management system, using documented procedures only when necessary. In smaller companies this might mean no more than one or two additional procedures, if any, beyond the required six.
For work instructions, it’s interesting to note the redundant qualification for determining whether, and if, a work instruction is needed: “as applicable” and “as necessary” (see ISO 9001:2008 Section 7.5.1). The authors of the standard were clearly signaling that work instructions are not ALWAYS necessary. In fact, the proper use of a work instruction is to better control a troublesome production or service delivery process. Keep in mind that not ALL of your production (or service provision) processes are troublesome. Some of them work just fine as they are. Why waste the time writing a work instruction no one needs?
Our consultants commonly advise clients to delay writing additional work instructions until after they’ve set up quality monitoring and measurement. Then, based on objective data analysis, the need for additional process controls will become evident including, on occasion, the need for new work instructions. Better to focus your attention at the start on controlling the work instructions you already have and making them effective. After all, long before ISO came along in your company, someone saw the need for the work instructions you have now in order to solve actual problems.
A final comment on documents is you should set up a means of ELIMINATING unnecessary documents as time goes on. If a procedure or work instruction is no longer needed, get rid of it!
2. Start with the Basics
3. Use What You Have in Place Now
4. Automate Where Possible
When my boss originally made it clear that we were going to get our ISO certification without adding any new resources, I knew we’d have to try to automate as many of the administrative processes as possible. Today’s computer systems can greatly simplify the tracking of documents and records and your IT or MIS department should be involved from the start to help find solutions your company can afford and implement.
Areas in the standard that are easily helped through the use of automation include:
Control of Records
Measurement and Analysis
Customer Satisfaction Feedback
Purchasing and Supplier Management
Corrective and Preventive Action
Incidentally, Core Business Solutions offers affordable web-based solutions for automating processes you might want to look into.
Drive Business Value
In addition to simplifying your QMS wherever possible, there is a second major area of focus in terms of the overall approach to ISO that will maximize your return-on-investment. From a big picture perspective, ISO is intended to improve business performance, especially as it impacts your customers. It is common for practitioners to miss seeing the forest for the trees. The ISO 9001 process model starts with customer requirements (business opportunities!) and translates them into customer satisfaction (leading to more business opportunities!) through excellent performance.
A critical weakness in many companies who don’t see ISO as an integral part of business success is that the big picture gets lost with all of the attention given to compliance. A better perspective would be to see compliance with ISO requirements as a means to a more important end – better performance for customers.
To make this practical, there are two key things that a management team can do to keep their QMS focused on what really matters to the business (see 5.2 in the standard).
1. Ask The Right Questions During Management Reviews
A starting point for driving business value from ISO is to look carefully at how time is spent during your management reviews. It is too common for senior managers to dread ISO management reviews as a complete waste of time because the issues under discussion aren’t relevant to the critical business issues. Too often the management review time is spent on going through all of the things that are not getting done such as corrective actions or audits. Typically, the management team is already aware that these systems are behind schedule and the management review becomes a reiteration of issues discussed in other meetings…
It would be better to spent precious management review time asking a different set of questions such as:
Are the corrective actions important enough to spend time and resources on at all?
If so, why aren’t resources being allocated right away?
If not, why are we opening corrective actions that don’t have business value?
Are we auditing the right things?
Do our auditors have the skills and knowledge to audit effectively?
Do audit findings uncover critical business process weaknesses that impact our fundamental business performance?
We all know there is a specific agenda that must be covered in our management reviews. However, how we address these issues is up to us. With some thought to what we really need senior management’s attention on, and what management decisions need to be made, a refocus of the management review can help management see the relevance and importance of the entire QMS to the business.
2. Look Again At Processes And The Process Approach
Identifying the most critical processes in your business that impact your ability to meet customer requirements (often this is 3 – 5 “big processes”).
Determining the workflow of each and how they impact each other (a process map for each would suffice).
Establishing ways to monitor the performance of these processes.
Evaluating the need for resources and information to make these processes work and to monitor their performance.
Tracking process performance to determine if they are meeting your objectives.
Taking action to improve performance.
What’s not spelled out in the ISO requirements is that you will need to determine who will be responsible for the performance of each process and how they will implement the Process Approach in your company. Perhaps a monthly meeting is held with the key players of each process to discuss the process and issues that need to be addressed. You may even want to implement a formal Process Management Procedure. For more ideas about managing your processes, see the related articles below:
Understanding the Process Approach
Implementing the Process Approach
The benefit of refocusing your QMS on driving improvement into your most critical business processes is that your entire ISO system will be directed toward those results that most matter to your business and your customers. If then, you establish measures and objectives for those processes that directly support your overall business goals, your entire organization will see the immediate relevance of ISO to business success. With this type of alignment, ISO will no longer be something to be tolerated (or avoided!) but will be a critical leverage point to the future success of the business. I’ll bet most of you can’t say that about your current ISO QMS.
Whether you are just starting out on your first ISO implementation or have had your system in place for years, (re)aligning your QMS so that it actually produces measureable business value will help to successfully integrate ISO into the heart of your organization.
Don’t Do It For the Auditor
A third key to getting the biggest bang-for-the-buck from your ISO efforts is to avoid the “just do it because the auditor will want to see it” mentality. That’s the kiss of death for any company trying to make ISO relevant and important.
You’ll hear this attitude in comments such as:
“What will make the auditor happy?”
“I have no idea how this is relevant to our company”
“ISO is making us do it”
This last one makes me laugh – as if the entire International Organization for Standardization in Geneva, Switzerland is standing over your shoulder to force you to do something that’s simply a waste of time. I assure you that the folks in Geneva have better things to do.
To combat that “victim” mentality, stay focused on our first two points: Keep it Simple and Drive Business Value. Always ask:
How will our company benefit from implementing this requirement?
What problems can we solve or avoid?
How will we better serve our customers?
What can we do to reduce the time and resources needed?
Is there a way to simplify our approach?
Have we selected the right processes to manage and objectives to meet?
Staying focused on making every aspect of ISO a true benefit to your company will pay huge dividends in terms of commitment and end results.
The Road Less Travelled
Every ISO certified company faces the same challenges – avoiding bureaucracy, eliminating wasted effort, maintaining relevancy, achieving results that matter. The past 20+ years of the World’s ISO 9000 experience has shown that there are two implementation paths that a company can take. The all too common approach is the obvious, myopic focus on “just get certified”. The other approach is “The Road Not Taken” (Robert Frost) by many companies, but promises to “make all the difference” in terms of measurable benefits to your company beyond the “certificate on the lobby wall”.
This second path is labeled “ISO Done Right.” Which will you take?