Change over to ISO 9001:2015 and ISO 14001:2015 in a smart manner now
Half-time at the changeover to ISO 9001. What are the experiences, and how should the Revision be used to guarantee the further development of the quality management system rather than make it even more complicated? What can the changeover yield, and what should rather be avoided? Dr. Mag. Anni Koubek, Executive Vice President Innovation, Business Development Quality, gives some suggestions based on the first 1000 audits and has answers to frequently asked questions.
More than half the transition period has already gone by. Still most organizations certified have not changed over to ISO 9001:2015 yet. This means that many have decided not to use the normal audit cycle for the changeover but to avail of the transition period and to prepare for the new requirements in more depth. On the one hand, this means that the audit expenditure will be increased a little. On the other hand, these companies can profit from the experiences made by the pioneers.
As audit feedback has shown, organizations that have changed over up to now were prepared very well indeed. The new requirements were implemented consistently - in many different ways. Even though it is at the companies’ discretion to choose different approaches, some suggestions can be derived and can then provide helpful ideas to those that are still preparing themselves or are not satisfied with their solutions yet.
What are the topics with the biggest challenges?
It becomes quite obvious that it is, again and again, similar topics that are challenging for most organizations. In this respect, it is not a question of topics from quality assurance - after all, little has been changed there - but it is primarily a question of topics at an organizational level that strengthen an integration of the system and influence the organization’s fitness for the future. Cutting a long story short, these topics include the “context of the organization”, handling of “risks and opportunities”, the changed leadership culture, “organizational knowledge” and, last but not least, utilization of the opportunities offered by the fact that the documentation requirements have become more flexible and by the life cycle perspective as far as environmental management is concerned. Quite interestingly we have found out that organizations with a high level of “business excellence” mostly already focused on these topics.
What minimum requirements are needed for certification?
It would be great if this could be answered so generally! However, effectiveness, suitability and adequacy of the management system for the specific organization are what it is all about. Ok - again it is a question of these abstract terms of the Standard. In concrete terms, however, this means the following: It must work, create confidence for the future and needs to be suitable for what you are doing. What thus fits perfectly in connection with the flower shop round the corner, which has four employees, won’t be sufficient for the team of five software developers for machine controls. A small business will choose an approach different from that chosen by a company group acting globally. In one case, informal agreements and arrangements can be enough. In other cases, it may be necessary to provide for a procedure for documentation, approval and release that is controlled all the way through - it simply all depends!
How do organizations handle the topic of “context of the organization”?
In terms of this topic, we see different approaches. In this respect, some companies have built upon the courses of action that they had already developed for their business planning and/or strategy work. Of course, this is ideal because the topic is integrated perfectly like this. In some companies, the strategy processes are not mature enough to demonstrate that the companies proceed systematically (by determining, monitoring and reviewing topics). Quite often the topics will only be determined at certain points (e.g. in terms of the market or technology). Sometimes there are no ideas of how monitoring and review can take place yet. In these cases, it would obviously be best to make the existing processes and procedures robust enough.
Many companies also decide to use additional means - they gather the topics along a method (e.g. by means of a PESTEL analysis (Political - Economic - Social - Technological - Environmental - Legal) or according to Porter’s 5 Force Model). This will enable the company to get a good insight into blind spots that may have existed in the past. What is important, in this respect, is that the company is strong enough to succeed in deriving the right business opportunities and risks and resulting actions from these topics identified. The efforts should not lead to an additional planning channel, which has no connection with business planning.
What has stood the test in terms of “risk-based thinking”?
Once again integration is what it all about. We have already described this in our position paper “The integrated management system”. The determination of the risks and opportunities should also be integrated adequately. In concrete terms, this means the following: On the one hand, the determination of the risks and opportunities should be linked to the topics mentioned above so that constancy of purpose is guaranteed. The other way round, implementation within the processes should also be ensured by providing for clear responsibilities, establishing processes and acting in a consistent manner.
As for the methods, we have seen a large variety of approaches. In this respect, the size and type of the organizations actually play a decisive role. Many companies already have an excellent starting point because they have, e.g., already dealt with the topic of risk management on the basis of requirements placed on product safety. However, it would be unfitting to reduce ISO 9001 to the topic of product safety. As far as the opportunities are concerned, there also are different approaches: Some organizations handle opportunities and risks with the same method. For smaller companies, in particular, this often is a useful approach. For other companies, this won’t be useful because different persons or Departments are involved or different ways of acting are required.
How can the new flexibilities be utilized? Where can things be simplified?
In the Standard, the documentation requirements have not changed significantly - apart from the fact that the documented procedures and Quality Manual are not mentioned. Nevertheless, the organization’s own responsibility for documentation is addressed even more: What processes are necessary, how are they documented, what requirements do we need for carrying out the processes, what is appropriate when it comes to drawing up documents?
The changeover to ISO 9001:2015 is a good opportunity for “stocktaking”, for critical reflection and for possible housekeeping. The business world is becoming more and more complex, and as a rule, the number of documents will be increasing just as much. Frequently, however, there are opportunities for simplification in spite of this: To what extent are process descriptions used? What documents that are no longer needed are still available? Where can requirements be summarized usefully, where can we leave something out?
And last but not least, we would like to point out the following: If the answer to the question “Why do we need that?” is “for certification”, you should have a look that is particularly close. In most cases, the solutions will then be integrated insufficiently and will thus fail to create the desired value. Sometimes it will be sufficient to inform your colleagues better. In some cases, however, it will be necessary to think about alternative options for implementation - in order to improve your organization’s efficiency and performance.
Have things practically changed in terms of the topic of “leadership”?
The requirements relating to leadership have clearly risen in the new Standard. As for practical implementation, however, the primary field of tension has not changed: In companies whose top management assumes a strong leadership role and is personally committed to the quality and control of the management system, the requirements are a matter of course in the requirements personally placed on top management. In companies where top management regards this topic as being a cumbersome obligation and does not integrate its implementation into their own management functions, the workload for upholding these parallel structures will become higher and higher. In the sense of cost efficiency alone, it is more than recommendable to top management to personally understand the requirements to such an extent that lean and efficient implementation of the requirements can be found.
What is the further timetable?
The transition period will end on September 14, 2018. This deadline applies to ISO 9001:2015 and to ISO 14001:2015. Nevertheless, we urgently recommend you to have the relevant audit conducted no later than June 2018 - so that there will still be enough time to complete the certification process in an orderly manner. As many companies have postponed your changeover to 2018, the schedule for the work programme will be very tense. You are requested to discuss how to proceed with your auditor in detail and to provide for a sufficient lead time as far as possible.
Many organizations also are certified according to additional management system standards. These management system standards often have different deadlines. For example, this refers to ISO 45001, for which the deadline is expected for the end of the year, or for ISO 13485:2016. In automotive industry, the specification standards have seen a further development just as well. The transition period for IATF 16949:2016 will end at the same time as that for ISO 9001:2015.
A lot to do for the Quality Representative and/or Manager - we wish you a lot of power and success for this intensive time!
If you wish more information on the changes, suggestions and offers, please visit our Revision Site.