New to ISO 9001? What frustrates you about the standard?

The standard does not say that you cannot rename items the way you would like. In fact, I worked for one organization where we called ours the Business Management System which eventually evolved to [Company Name] Business System as it was deployed out to multiple sites around the world. The idea is to make the standard work for your organization, not to make your organization work for the standard. The standard fails to clearly articulate this degree of flexibility and, unfortunately, too many organizations pursuing ISO certification - and too many auditors who work for CBs - focus solely on the black-and-white of the standard within our/their own comforts. It is easy to repeat what the standard says. Any parrot can accomplish this. Yet, repeating the standard does not equate to understanding it nor applying it within the spirit of what it is intended for.

Take, for example, the quality policy. Too many auditors (CB and internal) ask the question "What is your quality policy?" That's the cue for the individual to stand up straight and bark out, word for word, what is hanging up nicely in the front lobby. Pardon me for being too blunt here, but who gives a flying f**k if someone can repeat the quality policy? How does that add ANY value to the organization or the stakeholders? During one visit from a CB auditor, that auditor would ask our employees on the floor "What is your quality" and each time the employees would look at me. I stood there with a small smile on my face and waited patiently until the CB auditor would start to write his notes that the employee did not know the quality policy. I would then politely ask "How do you impact the quality of our product?" Folks would then light up and talk about the impact if a machine broke down because they didn't follow a preventive maintenance routine or how they measured the product to make sure it conformed to the customers' requirements. When the auditor, at the end of the day, commented that no one knew the quality policy, I challenged him on that - every single employee was able to speak to their role(s) which were clearly aligned with the bullet points hanging up in the nicely framed piece of paper in the front lobby. I challenged him to dispute me on that and I challenged him to tell me memorizing the quality policy added more value to the organization than a passionate awareness and belief of how each person played a part in our ability to ship good product out the door. There was no finding issued on our quality policy communication after that.

The easy path is to create a system that conforms to the standard where no one asks the question "How does this process add value to the organization?" The easy path is to never question or challenge the CB auditor who might see something they don't necessarily agree with or understand. One of our responsibilities, as "quality" leaders, is to serve as teachers and translators. We are to help our organizations understand that a "quality" system applies to everyone in the organization and everything that is done. We are to help translate our organizational system back into ISO-ese so that the CB auditors who perhaps have had limited exposure to a system that does not parrot back the standard. We should not develop a system for the sake of making the auditors' lives easier. They are not our bread and butter. They are not the ones that help us pay our employees. We need to create a system that will help the organization survive but also thrive, and one of our humble responsibilities is to, from time to time, dumb it down for the CB auditors so that know which page to turn to in their pretty little checklists of things to audit.

As for the use of the word "quality", the issue here, in my opinion, lies in the beginning of the standard which fails - yet again - to clearly state that the use of the word 'quality' is meant to be used as an adjective (i.e., describer) instead of a noun (i.e., thing). When the standard says Quality Records, it means NOT to reference a document owned/maintained/controlled by the Quality Department, but rather it DOES mean to reference documents that indicate whether or not expected goals/targets/norms/requirements have been met (i.e. and meeting these goals/targets/etc. is, in the simplest definition, quality).

One of our responsibilities as "quality" leaders is to again aid those poor CB auditors who struggle with where to focus if there an organization-wide system that focus on producing quality results across all processes, departments, and levels. We need to keep them focused on the scope of their audit while explaining that the system goes above and beyond the quality of the product, but rather, focuses on the quality of performance throughout the organization. It adds more value to the organization when there is a common system used throughout - how amazing it truly is when the organization speaks one business language (e.g., when corrective action is a standardized process regardless of the issue or the process or the department) and is able to see, at a holistic level, which areas are doing well and those other areas which may be struggling. Individualized systems throughout make such an awareness more difficult.

The recognition that "quality" is meant to be applied throughout is missed by those who simply lack the awareness (or refuse to acknowledge) that this is the intent of the standard. One of our responsibilities as "quality" leaders is to educate and nudge our organization to this level of awareness. And if folks refuse to go there, then we, as "quality" leaders, have a personal decision to make.

Lastly regarding the phrase "top management shall be responsible...", it goes without saying that that the actual work is likely done by employees further down in the structure. Of course, this applies to larger organizations. In smaller organizations, top management may also be the person who does the coffee run in the middle of the morning. That said, the ultimate responsibility of the organization's degree of success rests with top management. They are the ones who determine who gets paid what, what resources (human and technological) will be acquired, and the direction of the organization. If they are unwilling to invest in proper training or the hiring of the proper staff or the acquisition of the proper resources/knowledge, then they are setting the organization up for failure and those individuals further down in the structure will not have the ability to do their job properly (i.e., they will likely not be able to meet the customers' requirements in a consistent manner).

To your own point that quality must be throughout the organization, it's not just a term that should be applied to every department, but it also needs to be applied at every level. We each have a part to play in our ability to meet our stakeholders' requirements - from the person who pushes the broom and empties the bins, to the person who authorizes our pay cheques and determines if it's worth it to acquire an expensive piece of machinery.

 

This morning I'm reminded of the situation which caused me to make the original post: A company wants to know how to make sure they have covered everything and ensure that when they get their CB audit, everything goes smoothly, because they know where to find all the relevant requirements, referenced within the QMS. Let's take and example and also deal with the frustration:

Clause 4 Context of the organization. It refers to internal and external issues, discusses the need to review information relating to these issues (not documented) and yet, doesn't refer to any other requirement which is linked in any way. So a reader has to read through to the other end of the standard to see if the same topics are ever mentioned again (which they are, in 9.3 Management Review). IMHO that's a BIG ask of the reader to do that. As a result, documents get created when none are needed and also a system of documentation is created, instead of a documented system.

To assist in the task, we set about creating a look-up table which had the following headings:

Monitor Information
Maintain Information
Retain Information
ISO Clause #
Sub clause #
Paragraph reference to the type of information required (items 1, 2 or 3)
Where found in QMS

This has proven to be very helpful in mapping requirements to the QMS. It isn't part of the QMS, however, simply a design tool

 

If that's a tool that works for your - I presume - client, great. I fully applaud an intent that aims to translate ISO-speak into the language of the organization and/or something that they can easily understand and apply.

My own approach, since our company was heavily into the PDCA methodology, was to align the components of our business management system within the PDCA "wedges" and then indicate the applicable ISO (sub-)clause(s).

The step of taking the standard and "reformatting" it in a way that works for the organization is the best approach to take in my opinion. Sure, some CB auditors may look utterly perplexed at what they're about to audit, but because the organization has taken the time to write a system in their own language, they should then have the ability to translate back into ISO-speak so that the CB auditor can assess if there is conformance to the requirement documented in their pretty little checklist.

 

Thanks. I figured that since it had been quite a while since I posted anything, I should make it a good one.

 

Me too.

 

ISO 9001 - and, well, most standards - were developed with the intent to enable organizations to standardize their processes relevant to the standard. If a company already had a mature, robust business management system established before pursuing ISO 9001, one of two events were likely the outcome:

1. Two separate systems were created - similar to @tony s 's reference about the Service Pledge and the Quality Pledge; one pledge would likely have sufficed. This creates a split culture where people do things because "it's what we believe" or "because of ISO 9001." This leads to a sense that ISO 9001 creates work, generates red tape, and adds little to no value to the organization.

- OR -

2. The company goes "Hey, we do this stuff already. We call it different things, but darned if we're going to change our culture because of this. We will be like the Borg (from Star Trek if any of you are not geeks), assimilate it into our collective, and make it a part of us instead of changing who we are to accommodate it." That's when a savvy auditor realizes that ISO 9001 jargon will likely not be found - similar to the example from @tony s about "success indicators and targets" instead of "quality objectives." The requirements are all there, just not necessarily in a way that is immediately recognized by someone outside of the organization.

I think many of us who have been playing in the ISO 9001 sandbox for quite for some see Outcome #1 more than the second one, unfortunately. This has led to frustration and even a dismissal of the potential value that the standard can offer an organization. Plainly put, more than a few of us are bitter towards ISO 9001.

That said, the standard can be a starting point for organizations who haven't really formalized their business management processes. They could look around and benchmark multiple organizations or they could just start with ISO 9001 and go from there. ISO 9001 has the ability to offer a good set of criteria to help an organization identify the basic components to a a quality or business management system. They might have certain things already nailed down like their production processes and accounting processes, but handing bad product or training people or even understanding how to assess the health of their organization are not aspects that every company has figured out. Should they have? Undoubtedly, yes. But have they? No.

There's a phrase I love to use - "Common sense ain't." Activities that should be second nature and foundational to an organization, just don't always happen. It's like this - common sense is to look both ways before crossing the street, but too often people don't and they're (nearly) hit by a vehicle when they step away from the curb. As for me, I look both ways even on a one-way street...because common sense tells me that there may be an idiot driver going the wrong way! In other words, common sense tells me that not everything will go the way I expect it to.

The downside to these organizations who decide to go the route of starting with ISO 9001 is that too many of them read the black-and-white (or are trained only on the black-and-white), and then we get into the mess of having a quality department instead of a quality culture, loose-goosey objectives not backed by data, massive piles of documentation, and so on.

Unfortunately, a mess evolved out of ISO 9001 - the $$$ associated with it. Customers realized that perhaps not all of their suppliers had a robust business management system, so they started demanding that suppliers be registered or certified to to this standard. This resulted in organizations creating systems for the sake of immediate profit and lead to development of meaningless, non-value-adding processes. And for those companies that already had a solid system prior to (or concurrently to) ISO 9001, well, unfortunately, they were lumped into this whole money-spending venture and that would take us back up to the start of my response.

At the end of it all, whether you have your own QMS and/or subscribe to ISO 9001, an organization gets out of it what it puts into it. If the organization does not go beyond the words - i.e., doesn't look at the connections, contemplate what the value of the requirement can be, etc. - it's a system that will result in a lovely piece of paper in the lobby, a celebratory pizza party, and people who "follow the rules" only when the auditors are out and about. If, however, an organization takes the time to thoughtfully and meaningfully connect the pieces - because ISO 9001 does rather let us down here - it has the potential to create or absorb a system that supports their culture and long-term bottom line.