ISO 9001 Compliance

Over the years, ISO Champions have come to realize that there are common threads in their ISO success stories. This article reviews and analyzes these successes and provides practical suggestions for those who want to get their ISO project off to the right start. The three magic pills to achieve genuine value from ISO are what
We call “ISO Done Right”. They are:

Keep it simple!

Focus on business value!

Never do anything just to show an auditor!

This article speaks to those who are just beginning their ISO 9000 journey, and to those who already have quality systems that may not be providing satisfactory results.

ISO Done Right!

It was almost 20 years ago that I was first introduced to ISO 9000. I vividly recall my boss calling me into his office to say, “I want you to get us an ISO 9002 certification.” I’d been given many assignments as a new Quality Assurance Manager that I hadn’t known much about, but I knew that I’d have to work my way through a learning curve to figure out what it would involve, then put a project plan together that would show the resources we’d need to get it done.

When I got back from a week of “ISO boot camp” (Lead Assessor Training) I was somewhat overwhelmed. Not only was I confused by all of the new terminology (why can’t they write this stuff so mere mortals can understand it?) but I was sure we were going to need some help. Even if we could pull everything together and Somehow pass the audit, we’d be left with a boatload of procedures, meetings and administrative work to maintain the certification.

I met with my boss the following week for a debrief meeting. “We can certainly get this done”, I said (just HOW wasn’t clear to me), “but I’m going to need two or three new staff people in QA to keep up with everything.” My boss glanced over my draft project plan and said simply, “I believe I said I wanted YOU to get the ISO certification. You’ll have to make do with the staff you have.” Gulp. I knew that I’d have to get creative in terms of getting everyone involved and to keep everything as simple as possible.

A lot has changed in the world of ISO since those early days (including the elimination of ISO 9002 – everyone gets an ISO 9001 certification these days) and many of us think we’ve finally figured out what all the technical jargon really means. It’s also helped to actually see ISO in action in real companies. I have now had the opportunity as a consultant for the past 8+ years to see ISO in companies big and small in many industries such as manufacturing, service, technology, education and others. I’ve grown to appreciate a few things that seem to make all the difference in how ISO impacts an organization, whether positively or negatively.

On The One Hand…

In the worst of situations, some companies treat their ISO certification as an appendage that has been awkwardly grafted onto the side of the company (sorry to be so graphic, but it makes the point). In these companies, ISO is something to show an auditor once a year. When the annual audit is near, everyone scrambles around to neaten up the place because “company’s coming over for dinner”. Somehow they pacify the auditor enough to come away with a (somewhat lengthy) list of corrective actions to address, but none the worse for wear. Then all of the “ISO stuff” is quickly shoved back into the closet so it is out of the way of the “real” business that needs to get done. Everyone knows that their ISO system is mostly a sham and perhaps they privately wish they’d never signed up for the certification in the first place. But it seems to keep their customers happy seeing the ISO certificate in the building lobby. Slightly better are those companies who try to keep up with everything through the year unless a “crisis” comes up or everyone gets too busy. Unfortunately the crisis-of-the-month and the too-busy-with-the-customer excuses are quite routine and, worse, acceptable justification to “work around the system”. In too many cases these short term lapses become the standard operating procedure. Once the dust settles things get mostly caught up until the next “all hands on deck” is signaled. These companies commonly think of ISO as a “necessary evil” that has to be tolerated.

… On The Other Hand

While all of this seems rather cynical, there are happily a large number of ISO certified companies who appear to “get it” when it comes to achieving real value from their ISO QMS (quality management system) and have integrated it nicely into their daily business operations. In these companies, the management team has learned how to use the discipline imposed by ISO to their advantage in solving real problems and consistently achieve genuine improvements in business performance. These organizations report tangible and intangible benefits by using ISO as a lever for improving both customer satisfaction and their own bottom line.

I have personally worked with many of these ISO Champions over the years and have come to realize that there are a few common threads evident in their success stories. The remainder of this article will review some practical suggestions for those who either want to get their ISO project “off to the right start” or get their QMS “back on the right track”.

In either case, the three “magic pills” to achieve genuine value from ISO are what we call “ISO Done Right”. They are:

Keep it simple!

Focus on business value!

Never do anything just to show an auditor!

Keep it Simple

Every Registrar I’ve worked with has repeatedly said that the number one “mistake” companies make in implementing ISO 9001 is to make things too complicated. When procedures and processes are complicated they are cumbersome and expensive to maintain and create a stumbling block for getting the job done. The result is that these complicated and confusing processes are simply bypassed with “work arounds” when time is short or the pressure is on.

A common reason for overly-complicated QMS processes is a misunderstanding about what is REALLY required for certification. When a new ISO implementer is faced with his/her initial ISO learning curve there is a lot of fear regarding “passing” or “failing” the audit. This fear, coupled with an uncertainty about ISO requirements, often leads to a “better safe than sorry” mentality when setting up the company’s ISO system.

Another source of over-complicating ISO stems from those who previously worked in a “big company” that was ISO certified and they bring the same processes into their current smaller company because “that’s what ISO expects”. The assumption is that if it worked in another company it must be the “right” way to satisfy the auditor. What is not necessarily appreciated or understood is that ISO 9001 is merely a general framework of good quality practices, not a script to be followed identically in every business. The general (and some would say “vague”) language in the ISO standard is purposely non-prescriptive to allow for a great deal of flexibility when applying the requirements to your specific business. There is not “one size fits all” when it comes to how to set up an effective ISO QMS.

A third reason ISO is often made too complicated comes from those of us who have been exposed to ISO for years. In the year 2000 the ISO 9000 standard was overhauled to be more adaptable to more types of businesses. For business folks like myself who have worked with the old ISO (1994 version and previous) we remember the inordinate number of documented procedures required and the overall over-kill that was found in nearly every “clause” of the standard. But in the new “ISO for the 21st century” the requirements were opened up to work not only for big manufacturing companies but for service companies, schools, technology firms, consulting firms and even one-man shops (yes, we’ve worked with a growing number of one-man shops to achieve ISO certification!). In making the certification more adaptable, there are many areas of the standard that were greatly simplified. For this alone, many of us give thanks!

1. Minimize the number of documents.

It is still surprising to many that ISO 9001 “requires” only 7 documents: a quality manual and 6 administrative procedures. Beyond that, you are then to determine any additional procedures needed by your company. Your auditor will not walk in the door and hand you a list of required procedures. They will, however, expect you to effectively manage your quality management system, using documented procedures only when necessary. In smaller companies this might mean no more than one or two additional procedures, if any, beyond the required six.

For work instructions, it’s interesting to note the redundant qualification for determining whether, and if, a work instruction is needed: “as applicable” and “as necessary” (see ISO 9001:2008 Section 7.5.1). The authors of the standard were clearly signaling that work instructions are not ALWAYS necessary. In fact, the proper use of a work instruction is to better control a troublesome production or service delivery process. Keep in mind that not ALL of your production (or service provision) processes are troublesome. Some of them work just fine as they are. Why waste the time writing a work instruction no one needs?

Our consultants commonly advise clients to delay writing additional work instructions until after they’ve set up quality monitoring and measurement. Then, based on objective data analysis, the need for additional process controls will become evident including, on occasion, the need for new work instructions. Better to focus your attention at the start on controlling the work instructions you already have and making them effective. After all, long before ISO came along in your company, someone saw the need for the work instructions you have now in order to solve actual problems.

A final comment on documents is you should set up a means of ELIMINATING unnecessary documents as time goes on. If a procedure or work instruction is no longer needed, get rid of it!

2. Start with the Basics

If you’re just getting started with your ISO implementation, stay focused on the basic requirements of ISO without going any farther than initially necessary. For your registrar’s audit, you’ll need to be able to demonstrate, at least at a basic level, the implementation of EVERY requirement in the ISO standard (unless you’ve taken an exclusion – applicable only to section 7) You don’t need to have years of data or records to back everything up. Nor do you need to document everything. To get initially certified, you need to demonstrate a basic system. You’ll have plenty of time later on to add new features or apply ISO disciplines to other areas of the company not required for initial certification. When you start, do a few things well.

3. Use What You Have in Place Now

Again, when just starting out, its best to start with your current business practices and build on them, rather than assuming you need to start completely over. For example, when setting up your management review, see if you can use some existing management meetings to review your ISO system, perhaps addressing a piece at a time during each meeting. Or, if you’re trying to be sure customer contracts or orders are reviewed before they are approved, find out what you are currently doing and be sure it is done consistently. More than likely, if your company is currently successful then your contract review practices must be pretty good and may simply need a few more records. To make a determination about what you have in place now that may work for ISO purposes, start with a good Gap Analysis that will point out areas of your business that are in pretty good shape and those that have more serious “gaps”.

4. Automate Where Possible

When my boss originally made it clear that we were going to get our ISO certification without adding any new resources, I knew we’d have to try to automate as many of the administrative processes as possible. Today’s computer systems can greatly simplify the tracking of documents and records and your IT or MIS department should be involved from the start to help find solutions your company can afford and implement.

Areas in the standard that are easily helped through the use of automation include:

Document Control

Control of Records

Training Schedules and Records

Measurement and Analysis

Customer Satisfaction Feedback

Complaint Management

Purchasing and Supplier Management

Internal Auditing

Corrective and Preventive Action

Incidentally, Core Business Solutions offers affordable web-based solutions for automating processes you might want to look into.

Drive Business Value

In addition to simplifying your QMS wherever possible, there is a second major area of focus in terms of the overall approach to ISO that will maximize your return-on-investment. From a big picture perspective, ISO is intended to improve business performance, especially as it impacts your customers. It is common for practitioners to miss seeing the forest for the trees. The ISO 9001 process model starts with customer requirements (business opportunities!) and translates them into customer satisfaction (leading to more business opportunities!) through excellent performance.

A critical weakness in many companies who don’t see ISO as an integral part of business success is that the big picture gets lost with all of the attention given to compliance. A better perspective would be to see compliance with ISO requirements as a means to a more important end – better performance for customers.

To make this practical, there are two key things that a management team can do to keep their QMS focused on what really matters to the business (see 5.2 in the standard).

1. Ask The Right Questions During Management Reviews

A starting point for driving business value from ISO is to look carefully at how time is spent during your management reviews. It is too common for senior managers to dread ISO management reviews as a complete waste of time because the issues under discussion aren’t relevant to the critical business issues. Too often the management review time is spent on going through all of the things that are not getting done such as corrective actions or audits. Typically, the management team is already aware that these systems are behind schedule and the management review becomes a reiteration of issues discussed in other meetings…

It would be better to spent precious management review time asking a different set of questions such as:

Are the corrective actions important enough to spend time and resources on at all?

If so, why aren’t resources being allocated right away?

If not, why are we opening corrective actions that don’t have business value?

Are we auditing the right things?

Do our auditors have the skills and knowledge to audit effectively?

Do audit findings uncover critical business process weaknesses that impact our fundamental business performance?

We all know there is a specific agenda that must be covered in our management reviews. However, how we address these issues is up to us. With some thought to what we really need senior management’s attention on, and what management decisions need to be made, a refocus of the management review can help management see the relevance and importance of the entire QMS to the business.

2. Look Again At Processes And The Process Approach

In my experience, one of the least understood and implemented requirements within ISO 9001 is found in the very first section – 4.1 General Requirements. Perhaps that’s because of its indistinct title. Or, it may be seen to describe broad generalities that don’t have much practical application. Many companies but no more thought into identifying and managing their processes than to put a list of processes in their quality manual so they have something to show the auditor. Keep in mind that processes are the means by which you get work done in your business. Your processes exist whether or not you’ve identified them – or are managing them. The most critical processes to your business are those that directly address delivering your product or service to your customer. Most of the time these business processes cross functional boundaries and, therefore, have more potential to fall through the cracks. The ISO “Process Approach” outlines a practical means to manage these key processes including (see 4.1):

Identifying the most critical processes in your business that impact your ability to meet customer requirements (often this is 3 – 5 “big processes”).

Determining the workflow of each and how they impact each other (a process map for each would suffice).

Establishing ways to monitor the performance of these processes.

Evaluating the need for resources and information to make these processes work and to monitor their performance.

Tracking process performance to determine if they are meeting your objectives.

Taking action to improve performance.

What’s not spelled out in the ISO requirements is that you will need to determine who will be responsible for the performance of each process and how they will implement the Process Approach in your company. Perhaps a monthly meeting is held with the key players of each process to discuss the process and issues that need to be addressed. You may even want to implement a formal Process Management Procedure. For more ideas about managing your processes, see the related articles below:

Understanding the Process Approach

Implementing the Process Approach

The benefit of refocusing your QMS on driving improvement into your most critical business processes is that your entire ISO system will be directed toward those results that most matter to your business and your customers. If then, you establish measures and objectives for those processes that directly support your overall business goals, your entire organization will see the immediate relevance of ISO to business success. With this type of alignment, ISO will no longer be something to be tolerated (or avoided!) but will be a critical leverage point to the future success of the business. I’ll bet most of you can’t say that about your current ISO QMS.

Whether you are just starting out on your first ISO implementation or have had your system in place for years, (re)aligning your QMS so that it actually produces measureable business value will help to successfully integrate ISO into the heart of your organization.

Don’t Do It For the Auditor

A third key to getting the biggest bang-for-the-buck from your ISO efforts is to avoid the “just do it because the auditor will want to see it” mentality. That’s the kiss of death for any company trying to make ISO relevant and important.

You’ll hear this attitude in comments such as:

“What will make the auditor happy?”

“I have no idea how this is relevant to our company”

“ISO is making us do it”

This last one makes me laugh – as if the entire International Organization for Standardization in Geneva, Switzerland is standing over your shoulder to force you to do something that’s simply a waste of time. I assure you that the folks in Geneva have better things to do.

To combat that “victim” mentality, stay focused on our first two points: Keep it Simple and Drive Business Value. Always ask:

How will our company benefit from implementing this requirement?

What problems can we solve or avoid?

How will we better serve our customers?

What can we do to reduce the time and resources needed?

Is there a way to simplify our approach?

Have we selected the right processes to manage and objectives to meet?

Staying focused on making every aspect of ISO a true benefit to your company will pay huge dividends in terms of commitment and end results.

The Road Less Travelled

Every ISO certified company faces the same challenges – avoiding bureaucracy, eliminating wasted effort, maintaining relevancy, achieving results that matter. The past 20+ years of the World’s ISO 9000 experience has shown that there are two implementation paths that a company can take. The all too common approach is the obvious, myopic focus on “just get certified”. The other approach is “The Road Not Taken” (Robert Frost) by many companies, but promises to “make all the difference” in terms of measurable benefits to your company beyond the “certificate on the lobby wall”.

This second path is labeled “ISO Done Right.” Which will you take?

Epilogue

It was the discovery that there are a few practical steps any company can take to gain real ROI from ISO that led to the launch of the “The Core Solution” website (www.thecoresolution.com) with the theme of “ISO Done Right”. Thanks to all of our past clients who taught us these lessons. We have attempted to create simple, practical tools and professional support services designed to help companies get the most from their ISO certification. Everything we do with our clients is aimed at a single objective: aligning the focus of ISO implementation with achieving real business value so that you get more out of your ISO certification efforts than you put into it.