Keshav Ram Singhal
June 30, 2016

Auditing against ISO 9001:2015

Krishna Gopal Misra

It is easy to do an audit by records and documents, i.e. the acts of "doing", but an audit of a process is actually an audit of the "thinking" behind that "doing".

A typical example of an operation is a dancer who is performing (doing) on the stage while the audience (auditors or clients) watches. But the audience does not see the songwriter, the musicians playing the background music, or the choreographer at all. Don't you think that it is the thinking "process" which is behind every successful dance (performance) and dancer (performer)? The actual purpose of management is to set the process (thinking) and let operators operate (doing) the dance or whatever it may be (the design of a machine, producing a product, or delivering services).

Did you not see that I have been doing it already in the opening meeting with top management, and kept discussing risks and opportunities in the overall business context?

This is the shift in philosophy in the minds of the writers of the standard and their guilt for revisions of the standard. The ISO 9001:2008 standard was known more for documentation and records, and people often joked, "do what you write and write what you do". Quality management in earlier versions of the standard was focused more on operations ("doing" or performance) than on the process ("thinking": goal, roadmap, risks and opportunities).

The quality manual is done away with. It was the most neglected document, and the dust on it was cleaned off only when external auditors asked for it. In most quality manuals, it was just a clause-by-clause answer to the requirements of the standard. It could be of some help to auditors who go by the standard, but it is none of the business of the organization. The reputation of auditors is lost when their context is not the organization but how the clauses of the standard were somehow addressed.

With the quality manual done away with, mandatory procedures such as document control, internal audit, nonconformity control and corrective action are gone too. These are not actually gone but are taken care of by the competence of people, wherever errors (human or process) could be a cause of risk or an actual defect (incident). For example, the reason or rationale for scheduling an internal audit is certainly audited, but not the procedure as mandated in a quality manual. Document control in these days of technology is very different from what it once was in the days of paper and pen. Software tools, pictures and reports sent by WhatsApp, and video records of meetings were unknown earlier. These are also documents, and are simpler and more authentic; therefore the controls are left to the organization to decide, making them goal or purpose oriented rather than procedure oriented.

It is also not necessary to appoint a management representative. It is a matter for an organization to decide whether or not management needs such a role. ISO cannot prescribe it for organizations as a requirement of quality management. Mostly, this formality only takes care of internal coordination, arranging external audits and dealing with certification bodies. Frankly speaking, the management representative gets noticed only temporarily, during audits and certification.

The structure of the new standard has coined a few words like "Leadership". Leader is not a job title. The informal attitude of "walk the talk" inspires the organization, whereas formal titles, printed documents and records are just footprints. Leadership is not limited to top management; it is a thought process or culture that integrates the organization and makes it goal oriented. Leadership is demonstrated in the culture of the organization rather than in formalities. How the people at the helm of affairs keep in touch with other employees in person, which instills confidence in them, is leadership. People feel connected and freely share their voices in the interest of the organization.

Formalizing management policies, transparency, access to information and real-time communication are examples of leadership. Management decisions or policies, such as setting rules of business and giving authorization to people, are formally implemented using IT-enabled ERP (enterprise resource planning) or project management tools. These electronic instructions should be protected from unauthorized changes. This necessity of document (configuration) control is a safeguard against forgetfulness and disputes. This degree of formality is unavoidable. Forgetfulness is not always a bad thing, as cleaning of memory is an important activity. Memory (including documents and records) is useful only for its recall value. This means that if we cannot go ahead with self-confidence, we can at least return home. Retreat (coming back) without records is impossible. Leaders are good at deciding what needs to be remembered and what must be cleaned up. Writing on a whiteboard with non-permanent ink is one thing, and printed documents like certificates or agreements are another. Retention of memory is context based.

ISO 9001:2015 has also remodeled its style to align its structure with other standards such as environmental management and occupational health. This is useful because people will not be unduly worried by references to clause numbers in different standards under the umbrella of the same ISO when they are audited.

The new version refers to suppliers as external providers. Similarly, standards such as ASTM used in work are also external. Do not worry. It is not necessary to start calling suppliers external providers. The standard has no such intent. It is just another name representing a logic or way of thinking.

Preventive action is eliminated. Any proactive approach which does not let a defect happen in the first place is called preventive action. The purpose of a quality system's roles and responsibilities, training and competence, suitable equipment and so on is by itself a proactive approach, and therefore developing and implementing a quality system is itself a preventive action.

Risk-based thinking is not about documenting risk. You can think, but how can you document thoughts? Nobody is going to ask you for a risk register and why one risk is riskier than another. That would be funny. The standard is clever enough not to cause confusion in the fields of wild imagination in picking and choosing risks.

"Quality Objectives" are the outcome of "risk-based thinking". In earlier versions of the standard, there used to be a clause for "quality objectives", but it was not known how they should be arrived at. There can be no other way of fixing goals and objectives at different levels in the organization than thinking about the risks and opportunities.

This natural behavior of management is included in the revised standard. Risk is unknown consequences. If the consequences are known, you either know that you have them or, if you do not like them, you can plan to get rid of them in the near or long term. This is the way objectives are arrived at. Quality objectives at the organization level and at each process must be good enough to safeguard quality, and if defects or unpleasant situations occur, they should be limited by defining quality objectives.

What is a process? How is a process different from operations? A process is all about a roadmap to set a goal and achieve it. For example, if you have to go to Delhi from Thimbu, Bhutan, the goal is Delhi, and the various ways (or valid possibilities) of reaching Delhi are called processes. The goal is the product itself or a certain ambition of an individual or organization. If there is no product or goal, there is obviously no process. The rice is the same, but its goals demand processes suitable for them. For example, dosa by one process and idli by another.

Coming back to the earlier scenario, reaching a goal is challenged by constraints such as 1. cost of travel, 2. punctuality (on-time arrival) and 3. a comfortable journey. As long as the goal is fixed, these constraints decide which process one should choose in the given conditions. One can take a taxi to the airport and fly to Delhi. This is a high-cost option, but it gives comfort and timely arrival. Alternatively, one can take a train to Delhi, which meets the same goal and is less expensive, yet is uncertain for timely arrival and not very comfortable. There can be an opportunity to buy a discounted air fare, so that the journey is planned in such a way that cost, time and comfort are all favorable. So, there are options in work, and choosing a suitable process is what a manager is expected to do. The manager sets the goal, thinks, plans and takes decisions, but does not operate. He or she does not have to act as the taxi driver, pilot the aeroplane, or run the train. These are operations. A process is goal focused, and the assembly of unit operations and resources takes place accordingly. A process is a mental roadmap (decision making) to achieve a goal within given constraints called risks and opportunities. Operations are acts of implementing a decision. In the earlier example, a dancer performing a show is the "operation" or act of dancing, but the "process" is the thinking behind the success of the show, which involves songwriters, musicians and the choreographer.

People thought that doing work as per a given procedure was ISO 9001. People joked in the name of ISO that you do what you write and write what you do. ISO did not get the right kind of reputation from such an understanding.

The new revision is about goal orientation and how best it (the process or decision making) is achieved given the risks and opportunities.

This gives people flexibility and an understanding of the various differences in approach and the applicable risks and opportunities.

The revised standard is a more realistic and natural representation of work in a successful organization. Unnecessary things are weeded out at every revision, and quality is now given more emphasis than standardization. "Quality standard" is a combination of two words. Quality is moving, and standard is standing or sitting still. A standard is like the safety railings on both sides of a staircase, so that you do not fall sideways when moving up. But these standards should not become obstacles for users of the stairs. Standards only act as safety or risk prevention, and quality is all about value (usefulness or desirability). Remember! There are three elements in quality assurance: 1. value (usefulness), 2. variation (consistency or standardization) and 3. risk (unknown consequences).

ISO 9001 is a management standard. Can there be any standard for management? Management is human understanding and is not a typical enforcement or practice like law, accounting or mechanical engineering. Management is a combination of the formal and the informal. The formal part is just the tip of the iceberg. Standards in management have evolved as the writers of standards gain insight into the actual working of management. ISO 9001 is just one of the attempts at serving industry and commercial establishments with certain ideas for meeting customer requirements. It is not a substitute for quality management, quality engineering or such august bodies of knowledge. Standards provide a framework which clients can choose voluntarily, but ISO is not liable in any way for the performance of an organization or claims associated with it.

