The Quality Hub Podcast

Listen Below. Learn More.

Spotify-The Quality Hub Podcast

Episode 5 – ISO 9001 QMS Review

ISO 9001 – Reviewing the QMS

Brian Smith, our esteemed Director of Consulting Services, is joining us as we discuss your progression and make sure your efforts are achieving the desired results. He will share valuable insights on what Management Review entails and how often it should be conducted. In addition, we will be sharing best practices for conducting internal audits and exploring the possibility of outsourcing internal audits. This is an episode you will not want to miss, especially as we are gearing up for the final push toward achieving your QMS certification.

Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.


Episode 5 Key Content

Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, Xavier Francis, and I’m here with Bryan Smith, director of Consulting Services at Core Business Solutions. So glad you could be with us today, Brian.

Thanks, Xavier. Good to be here.

That’s great to hear. Today’s show is entitled “Reviewing Your Progress,” where we will look at where you are in your quality management system implementation process. And we’re also going to talk about management review and internal audits. But first off, let’s learn a little bit more about our guest, Brian. Could you tell us a little about yourself, please?

Hello? Yeah, I’m the director of consulting here at Core Business Solutions. I’ve been with Core since 2017 in some capacity. I did a lot of consulting and then moved up through management and have oversight over the consulting group at this time. I have about 18 years of that in manufacturing, mostly furniture, some electronics, and recycling, and I’ve been working with the ISO 9001 standard since about 2000.

That’s great. That’s a whole lot of experience, and I’m really glad you’re here. So let’s get started with what we’re going to talk about today. Now that we’ve planned and implemented some of the processes of a quality management system, where should our focus be at this stage in the game?

Well, this is where we go back and review everything. You know, make sure what we’ve planned has been implemented, and we want to see if it’s effective. At this point, everything that you’ve implemented should meet the standard that we were structured for. So we want to make sure that all your processes are effective in meeting your targets and goals that you’ve set up.

You want continuous improvement. That’s what the whole entire 9001 standard is set up for now. So now it’s time to go back and take a look at whether are we meeting our results. Are we following our own program? And if not, we need to make some adjustments.

Since we have more than one person in the process, we’re going to have to plan some training for that review phase that you’re talking about right now. Maybe finalize, and improve the process plans of what you’re going to do, and make sure again, reviewing them. One of the other things that we want to do at this stage is to conduct a management review.

Sure. So Management Review is one of those examples with ISO 9001 of the definitions. As the standard sees it, versus Merriam-Webster’s Dictionary.


In this case, all successful organizations have management review things. Correct. But the standards.

Let’s say they should mean not if what if you’re a two-man shop? I mean, you know, who’s the management who reviews? But yes, you’re looking at something.

Exactly. And, you know, I always tell my clients, look, management reviews a verb, not a noun. It’s not an event. It happens daily. Weekly. You know, you’re always interacting with the management group and with everyone. However management review, as defined in the ISO standard, is a structured, planned review that has required inputs and output.

And this meeting, it’s going to have minutes. It’s not going to be your daily review. Hey, let’s sit down with management talk. And in this meeting, you’re going to discuss important issues that are not urgent.

You know, that not urgent thing is kind of critical because, you know, if there’s an urgent need for your department, your process, or your business, you’re going to bring that up. That’s one of those daily or weekly meetings at the moment. Hey, we need to take care of this problem right now. This is where you’re looking at a higher-level organizational structure and things that you’re going to implement.

So some internal factors. Hey, Jim’s 68, he’s looking to retire. He’s the only one that knows how to handle this piece of equipment. That’s the type of stuff that we’re talking about in this management review.

Exactly. When you come to a management review, you want to be prepared for it. You know, if you’re going to talk about requesting capital expenditures, you’re going to want data, you’re going to want some quotes and things like that. That’s what management review is intended for. It’s the things that you don’t talk about on a daily or weekly basis.

And it can be to inform top management of things that are going on. I do a management review for my department consulting here for the President, Scott. He’s not a micromanager. He lets me run my program. But quarterly I put together a structured meeting to inform him and get his counsel and feedback. It can also really work out well because now all your other process owners or other accountable people are in that meeting, and you can get counsel.

It’s like, has anybody ever dealt with this, anything like this before? I’m struggling with it. You have everybody in a structured meeting.

Oh yeah, you have Bill over here who has been in that situation before. You might not be aware of it. You have a need, a concern. And Bill’s like, Hey, I remember when we dealt with that one of my previous jobs, you’re getting some counsel, you’re getting some input that he can help, and you’re not trying to, you know, recreate the wheel.

Exactly. Or, you know, if you’re looking at making some plan changes, which is a good idea to plan your changes, you may find out in that meeting that there are some risks to another area of the operation that you didn’t realize. You know, we’re using data. We’re using a structured system to determine what actions to take or not take.

Right. Right. And that’s one of the critical parts of the management review, is there are required inputs in the standard that you must have in your meeting. The results of audits are one of them. Turning the inputs and outputs is the key. So what improvements do we want to make, we want to put forward or what actions do we need to take?

So you’re checking if you act? Yes. Now that makes sense. And even in this whole thing, you know, it’s like you’re looking at data, reviewing it, and seeing how you’re going to act on it. That’s a quality management system, really in a small nutshell. You’re being intentional. You’re making sure you’re tracking data, you’re reviewing it, and you’re acting on it.

Sure. So the data that you collect and review generally we call those objectives that should be congruent with your risks. You know, in section 4.1, the first auditable clause in the standard is called the context of the organization, and that it’s looking for opportunities to take advantage of and it’s looking for possible risks that we have to mitigate.

Right. Risks and opportunities are fundamental to 9001 and you’re looking at it. Is this a risk or is this an opportunity? And a risk can be an opportunity.

Yes. And the key to your objectives or your metrics is, you know, in the appendix of the standard, it mentions congruency. I don’t use that word very often, but it does sum it up if you’re metrics aren’t congruent with your risks, you’re missing something either. We’re missing a risk that we didn’t identify or we should have another metric because we have identified.

Gotcha. So you know, one of the big outputs of management review is how do we do on our metrics? And that’s where it gets subjective about your objectives. You have a little room there. If we missed our target by a percentage point, you have to take action. That action may be to decide not to take action.

But you’re being intentional. That’s you’re making a decision either way, whether it’s are we going to change and then try to address it or are we just going to choose not to?

That’s the choice is the action you chose to let it ride. That target was somewhat arbitrary. We have bigger fish to fry, right? Let’s sit on it. Let’s watch it for another quarter and decide what we want to do there. See if there’s another trend for you.

Were saying about sitting on it for another quarter. What do you recommend? What’s common for having frequencies of these meetings?

So let’s start with the standard again. The standard does not define for you how often to have management review. I wouldn’t do it any less than annually. Again, it doesn’t say that in the standard, but an auditor is going to say, look, this is an effective, you know, let’s do it every five years. It’s not going to work.

So doing it too infrequently is only going to be detrimental.

Yes. And on the other side of the coin, doing it too frequently can also be detrimental.

You don’t you’re probably not given time for that action to do anything before you’re reviewing it.

That’s one part of it. But like my rule of thumb we want to have our meetings set up as frequently as are data analysis. More of the parts of an improvement project is how frequently should we look at this data. And that has to do with how many data points you’re getting. You want to be strategic.

We have an objective here that’s a six-month objective because if you look at data too frequently, you could go in the wrong direction, right?

You haven’t had a chance for it to flush itself out, to get an accurate metric to look at, to make a decision on.

Exactly. So if we have quarterly objectives, it makes sense to look at these objectives quarterly and decide what action to.

Take, which may be nothing.

Which may be nothing. But if you have quarterly objectives, you do not want to meet biannually.

You’re doing quarterly metrics. The biannual meetings. There’s a point in there where you have data that you really should decide on.

So yeah, we set up the objectives to be monitored quarterly because that was what was appropriate. So you don’t want to wait six months to discuss the results of those metrics with the management.

Team, correct? Correct. So, the frequency should be practical, useful, and based on when you get data.

Exactly how often do you want to look at data for your objectives? If you have quarterly objectives, you want to have management review quarterly. And that’s very that’s probably the most common tempo is quarterly.

And again, this whole standard 9001, you set it based on your company. We’re not telling you, Hey, you need to do a quarterly, a standard or I should say isn’t telling you to do a quarterly biannually every month? No, it’s based on what you determine those business needs are when you should do it. So after we do this first initial management review meeting, we’re talking about prepping for an audit now.

Now there are two there’s an internal audit and then there’s a certification audit, which is done by an external party that is a specific registrar that can give you your certification. What’s the difference between those two?

So, yes, the certifying body has to come in and do a thorough audit and they determine whether your processes meet the standard.

But that’s not what we’re talking about.

That’s not what we’re talking about.

We’re talking about the audit before the audit.

Exactly. The internal audit. And then when you have a third-party audit, one of the first things they’re going to tell you is scripted. This is a sampling and that’s really what it is. They don’t have the time to dig deep into your processes. They’re doing samplings, your internal audit should be thorough, much more thorough. It’s much more effective for the well-being of your organization than a third party on it.

Right now. There are things to be learned in a third party on an absolute. You know, down the line, you don’t want to find yourself doing your internal audit a month before your third-party audit to get ready.


And I’m doing air quotes there. So you want to offset those by four or five, six months. So you get the most out of both of them.

So, Brian, we’re talking about prepping for that internal audit. You want to get that audit plan and schedule put in place for people. And if you have if we have some information that helps us get ready for that audit, we want to complete that. We have to have a registrar that’s going to come in and do the audit for the final certification audit.

We have to confirm those dates and make sure we know what our improvement plan is going to be. That’s some of the stuff that you want to do when you’re prepping for that first internal audit. Let me just ask, after you’ve done these things, what is an internal audit and its purpose?

So the internal audit part of this, the see the check in the PDCA and it’s a very thorough analysis of your processes to make sure that we’re doing what we’re saying. Now, in this initial audit, we’re also making sure we’re what we’re saying meets the standard, correct? Correct. And it’s an evidence-based, open-ended question where you gather evidence to prove that we’re doing what we’re saying.