Pre-Assessment Feedback

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by claudiogut, Jun 6, 2023.

  1. claudiogut

    claudiogut Member

    A company I work for recently had their pre-assessment visit by a registrar, who gave some feedback that I would love to hear your input about:

    Sequence and interactions of the Management and Support processes need to be clearly defined. (ISO 9001 4.4)


    The auditor made a reference to a business process map. In my mind, this can be remedied by putting into words that BPM and generating or referencing the adequate documents. Is this a fair understanding of this?

    Additionally, he made the following comments:

    Company needs to be able to clearly show how they determine external and internal issues. Evidence of how the issues are monitored and reviewed will need to be evident. (ISO 9001 4.1)


    Company will need to ensure Risks and Opportunities have been determined and actions taken address the Risks and Opportunities. (ISO 9001 6.1.1, 6.1.2, 10.1, 10.3)

    These two observations are kind of confusing. Wouldn't the first one be completely up to us to determine? For instance, a document identifying a few internal issues and their immediate mitigation plans?

    And wouldn't it be the same for the second one? We would identify a handful of serious threats and reference the documents that describe how we'd react?


    Obviously, the ultimate clarifications would have to come from the auditor himself, but I've always appreciated the insights of this forum, so any input would be helpful, so thanks in advance!
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    It's difficult to know how to answer if we don't know what was asked for and what you showed them in response, which would have solicited these comments from the auditor.

    Were they simply off-the-cuff comments, based on clarifying what the organization is required to do, or comments based on an understanding of what you ACTUALLY do?

    TBH, I would avoid asking a CB auditor to do a pre-assessment. From what I've seen, they don't readily grasp the 2015 requirements...
     
    Last edited: Jun 7, 2023
  3. Golfman25

    Golfman25 Well-Known Member

    So it seems to me they are heading toward the "lazy auditor standard." They are looking for crystal clear documents which they can "check the box" off their list.

    For example, while 4.4 requires a determination of process and interactions, there is no specific requirement for a "process map." Thus, you can do it a number of ways -- we used to use a series of linked modified turtle diagrams, until we got "caught" by the lazy auditor. Easiest thing is to whip up a process map so you have that to show (plus you'll get extra credit if you use color).

    Internal and external issues can generally be addressed in your business planning docs, if you have any. Risk and opportunities as well. You can have a simple business plan that addresses these areas. While we have a detailed biz plan, we use a 2 page worksheet which tracks these issues on a quarterly basis.

    Bottom line, I find for the 4.0 Context of the Organization stuff a few "auditor handouts" help ease that part of the audit along. Good luck.
     
  4. tony s

    tony s Well-Known Member

    You may find ISO/TS 9002:2016 (Guidelines for the application of ISO 9001:2015) handy in clarifying the requirements of the standard.

    Clause 4.4.1b of ISO/TS 9002 provided this statement:

    “when determining the sequence and interaction of these processes, the links with the inputs and outputs of the previous and subsequent processes should be considered; the methods for providing details of the sequence and interaction of the processes depends on the nature of the organization; different methods can be used, such as retaining or maintaining documented information (e.g. process maps or flow diagrams), or a more simple approach, such as a verbal explanation of the sequence and interaction of the processes.”

    For internal and external issues, ISO 9002 clause 4.1 mentioned this:

    “The organization should be aware that external and internal issues can change, and therefore, should be monitored and reviewed. An organization might conduct reviews of its context at planned intervals and through activities such as management review.”

    “Information about external and internal issues can be found from many sources, such as through internal documented information and meetings, in the national and international press, websites, publications from national statistics offices and other government departments, professional and technical publications, conferences and meetings with relevant agencies, meetings with customers and relevant interested parties, and professional associations.”

    ISO 9001 does not require organizations to have mitigation measures on issues. Most, if not all, requirements about issues in the standard only require that issues be “considered” – NOT mitigated, corrected or have action plans. In Annex A.6 of the standard, you may find value in this statement:

    “Where this International Standard refers to “information” rather than “documented information” (e.g. in 4.1: “The organization shall monitor and review the information about these external and internal issues”), there is no requirement that this information is to be documented. In such situations, the organization can decide whether or not it is necessary or appropriate to maintain documented information.”

    I hope you have a copy of the ISO 9001 standard because 10.1 and 10.3 don’t have requirements about risk. Managing risks starts at planning. Thus, they have to be determined “when planning for the QMS” (6.1.1) and actions must be planned to address them (6.1.2). Actions on risks are preventative (i.e. a before-the-event measure) and not reactive (i.e. an after-the-fact measure). These actions must be integrated and implemented into the processes (6.1.2b.1 and 8.1). Refer also to ISO/TS 9002 Clause 6.1.1 statement:

    “The intent of this subclause is to ensure that when planning the quality management system processes, the organization determines its risks and opportunities and plans actions to address them. Its purpose is to prevent nonconformities, including nonconforming outputs…”

    Actions or controls address risks - NOT documents.
     
    Last edited: Jun 17, 2023