ISO 9001 Q & A

The Director of Operations of a perspective client asked me to address some of the concerns, questions, and reservations that his executive leadership has about implementing ISO 9001. He has been trying, unsuccessfully, to convince his executive leadership that developing a formal quality management system based on ISO 9001 was critical to the organization’s growth and development. He was kind enough to share their concerns, questions, and reservations in the form of a “top 10” list. I thought my response to him may be useful to others in a similar predicament.

1. “It’s not my job – call the ‘official’ person in charge of this”

I assume that this refers to a perception of ISO 9001 as a separate thing that exists outside of the company’s and an individual’s daily activities and is the responsibility of some dedicated individual or group within the company. This is a common concern that is not unfounded. Many companies (especially in the early days of ISO 9001) implemented ISO 9001 with the objective of obtaining a certificate that would allow them access to certain customers or markets. In these cases the management system framework stipulated by ISO 9001 was never understood or considered. The focus was on compliance by creating a bunch of documents that would only pass a third party audit. The general staff of the company was never involved in developing the management system and senior management never intended ISO 9001 to be a management system platform.

To overcome this problem my practice focuses on developing a management system that provides value to the organization. ISO 9001 registration should be a byproduct that validates the system, but not the objective. Individuals at all levels of the organization must be engaged in the implementation process. They must participate in developing and improving the processes that they own or participate in. Process ownership is critical. Process owners must be empowered to take control and responsibility for their process. Achieving this is the responsibility of senior management and a core element of my methodology. ISO 9001 clause 5.5.1 Responsibility and authority requires “Top management” to “ensure that the responsibilities and authorities are defined and communicated within the organization.”

The fact is that most profitable companies are doing nearly everything that ISO 9001 requires. They are simply not doing them effectively, consistently, and/or efficiently. Many companies rely on and succeed by the abilities and hard work of its people. These companies focus on managing people. But the focus must be on managing processes. ISO 9001, TQM, Lean, Six Sigma, etc. are all process management and improvement methodologies. None of them focus on managing people, but all address a senior management driven culture of continual improvement.

2. We need this prototype done faster than your quality program inspection will allow

Prototypes are not part of the general production process and should not be subject to the same process and type of controls. Prototypes are typically developed as part the design and development process. The design and development process must be developed as part of the ISO 9001 implementation (Clause 7.3). Prototyping can be part of this process or a separate process, as needed. It is important that the ISO 9001 based management system address the unique nature and requirements of your business and customer requirements, while ensuring consistency and control.

3. We need this piece done faster than your quality program documentation will allow

At no point does ISO 9001 stipulate how fast your system can or cannot produce a product. It is the processes that you design and the way processes are managed that will allow you to make a product at the speed needed by the customer. With this said, ISO 9001 does require that you determine and review product requirements from the customer, including delivery requirements, before you commit “to supply a product to the customer (e.g. submission of tenders, acceptance of contracts or orders acceptance of changes to contracts or orders).” Appropriate processes should be designed to allow for the identification, prioritization, and processing of “rush” orders. Examples of such processes are Sales & Contract Review, Order Processing, Engineering, Production Planning/Scheduling, and various production processes. A well designed management system will address how “rush” jobs are handled through all of the processes that should support a “rush” job. This will ensure that “rush” jobs are handled consistently. In turn, this will ensure that the impact of “rush” jobs on internal resources (e.g. manpower, material, methods, machines, money, etc.) can be measured and assessed.

4. Your outside contractor follows a different system/process than you do – or doesn’t have a system/process at all

From the customer perspective, outsourced processes do not absolve your company of the responsibility of ensuring that the outsourced process meets the stated and implied customer requirements. In clause 7.4 Purchasing, ISO 9001 recognizes this and stipulates that your company must ensure that “purchased product (includes outsourced process) conforms to specified purchase requirements. The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product.” This means that you must select suppliers that are capable of living up to the same standards that customers expect of you. If they cannot, then you must seek a new supplier or work to develop/improve the existing supplier or develop internal process controls to ensure that the supplied product/service meets requirements. This is a rather complex issue that deserves a separate detailed discussion.

5. We spend 10% of our labor time documenting quality inspections and processes – and creates higher turnover by employees as a result

6. Same as above and our costs go up 10%….

If 10% is true, then the management system is simply poorly engineered. There is significant room for improvement. The system is simply a bad bureaucracy and has little, if any, business value. With this said, there is some overhead associated with maintaining a well designed formal management system. In my experience, even a mediocre formal management system is able to generate a net gain by offsetting its overhead with improvements in consistency, efficiency, training, quality, problem solving, employee satisfaction, and in reductions in errors, rework, customer complaints, returns, and waste.

7. Our quality doesn’t improve but we can identify where the quality error occurred.

ISO 9001 does not and will not ensure quality improvement. ISO 9001 simply provides a framework/platform for a management system. It describes the minimal elements of a world class management system, but it does not provide guidance on how these elements are to be developed and implemented. Execution is completely up to the individual company and its leadership.

Being able to identify where quality problems occur is the first step to improvement. The next (after containment) is identifying the root cause of the problem and developing a corrective action that will eliminate the root cause and will ensure that the same problem does not occur again.

Corrective and preventive actions are a key element of continual improvement. However, the skills and methods used to effectively identify root cause and to develop robust corrective and preventive actions are not stipulated by ISO 9001. ISO 9001 simply requires that you have a formally defined corrective and preventive action system/process. The root cause analysis and corrective action skill sets and methodologies must be developed or acquired and incorporated into the management system. Process Mapping, Value Stream Mapping, SPC, DOE, Regression Analysis, and 8D are just some examples of the many tools and methods available.

8. Who owns ISO 9000 and how much time will they take each year to become certified?

As I discusses in some of the previous comments, ISO 9001 should not be the focus of any management system design and implementation effort. The objective should be to design and implement a value added management system that will meet ISO 9001 requirements by default. So, if the first part of the question is “who owns the management system?,” then the real answer is senior management because management is the ultimate process owner (see Deming).

But to achieve management’s objective of a true management system platform, “individuals at all levels of the organization must be engaged in the implementation process. They must participate in developing and improving the processes that they own or participate in. Process ownership is critical. Process owners must be empowered to take control and responsibility for their process. Achieving this is the responsibility of management and a core element of my methodology.”

If the ISO 9001 based management system was developed for its inherent benefits, then there should be no significant time attributed to maintaining certification. Certainly there is a need to invest time, resources, and money in designing and implementing the initial system. But the only time that should be directly attributed to maintaining ISO 9001 certification is the time that the Management Representative spends facilitating the registration and surveillance audit visits.

9. We spend all this time documenting quality issues and not enough time fixing them

ISO 9001 clause 5.1 Management commitment states that:

“Top management shall provide evidence of its commitment to the development and improvement of the quality management system and continually improving its effectiveness by:
a. communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements;
b. establishing the quality policy,
c. ensuring that quality objectives are established
d. conducting management reviews, and
e. ensuring the availability of necessary resources.”

Furthermore clause 8.5.1 Continual improvement states that:

“The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.”

I quote these clauses to emphasize these 2 points:

  1. improvement can only happen if the management system incorporates improvement processes and elements at the appropriate points and levels, and more importantly
  2. only senior management can foster a culture and environment of continual improvement.

ISO 9001 certification does not ensure that your company will continually improvement, but it can validate that it is or is not. Furthermore, at best, consultants can only coach, mentor, encourage, support, educate, transfer skills and knowledge, and introduce tools and techniques. Ultimately it is senior management that must provide the vision, leadership, and resources to continually improve the company and its management system.

10. I can’t get anything done on time because everyone is documenting process – or I can’t get what I want done because it’s outside of the process.

As I commented in 5 and 6 above, an overly bureaucratic system that significantly hampers the flow of material and information is simply a poorly designed system. This problem is not the fault of ISO 9001, but rather its execution. Nevertheless, some level of a well organized bureaucracy is a good thing. It provides benefits in the form of “improvements in consistency, efficiency, training, quality, problem solving, employee satisfaction, and in reductions in errors, rework, customer complaints, returns, and waste”.

Regarding operating “outside of the process,” it is not realistic to develop a management system that can clearly account for every possible contingency. This is not the goal of ISO 9001 or of any management system initiative. The goal of a management system is to define, measure, analyze, improve, and control the vast majority of what you do on a daily basis. If customer requirements regularly create scenarios that require deviation from the “norm,” then by definition these are not deviations form the “norm.” In this case the management system must be revised or designed to address how you consistently handle unique scenarios.

Kirill Liberman, President

11 Responses to “ISO 9001 Q & A”

  1. Chris Carson says:

    These are some fantastic points on some very good questions. Having been on the side of a registrar, consultant, and managment rep/auditee at different times I think these are common issues or maybe more accurately misunderstandings.

    As you mention ISO 9000 is a framework for a system. In order to be applicable to a wide range of industries it isn’t a presciptive guide. It shows the minimum requirements and the intent is really to augment where necessary for your company’s needs. However, many companies read more into it and try to make it a prescriptive guide. As mentioned you need to have processes and controls, but at the same time don’t paint yourself into a corner by taking away your ability to be responsive to client needs or other aspects of your business that make your company unique.

  2. Kirill Liberman says:

    Thanks Chris. Always nice to hear from a like minded pro.

    I would like invite you to contribute to this blog. Please register and I will set you up as a contributor so that you can post on subjects of your own. For example, I am sure the readers of this blog would benefit from your take on additional questions or “misunderstandings” that we encounter in the field. Feel free to post/blog an other related topics too.

    Thanks again. The readers and I look forward to your contributions.

    Kirill Liberman

  3. Quality Junky says:

    This post should be really helpful to a lot of companies. I especially liked:

    “ISO 9001 registration should be a byproduct that validates the system, but not the objective. Individuals at all levels of the organization must be engaged in the implementation process. They must participate in developing and improving the processes that they own or participate in. Process ownership is critical. Process owners must be empowered to take control and responsibility for their process. Achieving this is the responsibility of senior management and a core element of my methodology. Clause 5.5.1 Responsibility and authority requires “Top management” to “ensure that the responsibilities and authorities are defined and communicated within the organization.”

    The fact is that most profitable companies are doing nearly everything that ISO 9001 requires. They are simply not doing them effectively, consistently, and/or efficiently. Many companies rely on and succeed by the abilities and hard work of its people. These companies focus on managing people. But the focus must be on managing processes. ISO 9001, TQM, Lean, Six Sigma, etc. are all process management and improvement methodologies. None of them focus on managing people, but all address a senior management driven culture of continual improvement.”

    I have been a quality professional for over 20 years and have seen most trends come and go. If there is one thing that I have learned it is that you have to engage your people and absolutely need strong and committed leadership.

    I feel sorry for the Ops Mgr that gave you these questions because it means that his mgmt really does not get it. In my 20+ years I have seen executive leadership questions the need for a formal mgmt system in 3 scenarios:

    1) the senior mgmt was very old and mentally stuck in the ’50s
    2) family owned businesses being led by the third or fourth generation
    3) company lead by accountants that never had actual production or operations experience.

    Good luck with these guys.

    Quality Junky

  4. Glenn Tanzman says:

    Chris,

    Do you think that ISO 9001:2008 will provide a fresh opportunity for companies to “paint themselves into a corner”? From what I am hearing many “quality professionals” are very concerned about the implications of the revisions to the standard.

    In fact, I recently presented the changes from ISO 9001:2000 at an ASQ meeting and was surprised by what some of the participants were reading into the changes. If anything, the revision gives more flexibility in meeting the standard but there are still enough old school thinkers who will write themselves into that corner.

    Glenn

  5. Kirill says:

    What an interesting question, Glenn. I will not speak for Chris, but I have not encountered the concerns that you did. I know that ASQ chapters are not bastions of progressive thinking, but I am still curious about the perspectives that were voiced to you. Would you please share them here so that we can all consider and discuss them.

    I completely agree with your take on ISO 9001:2008. In fact, I am surprised why any one would need to have the changes explained to them. In practical terms ISO 9001:2008 is not different than ISO 9001:2000. If a company is registered to ISO 9001:2000 or is planning on getting registered to ISO 9001:2008, there is nothing that they must or should do differently.

    If anything, I would consider ISO 9001:2008 an opportunity to eliminate the “old school” approach that has probably been applied to ISO 9001:2000. Instead of “analysis paralysis,” conjecture, and paranoia companies and quality professionals should use the upgrade to ISO 9001:2008 to eliminate the traditional documentation glut and build a foundation for a value-added management system that allows for integration of Lean Six Sigma tools and methods.

    Thanks for the thought provoking comment. I look forward to reading more about your experience.

    Kirill Liberman

  6. Chris Carson says:

    Good question Glenn. I have presented changes on the ISO 9001:2008 standard and the term “changes” might be a bit misleading. The changes are really clarifications of the existing requirements, rather than a true addition of new requirements.

    These include:
    -Reinforcement of Control over outsourced processes that affect product conformity to requirements.

    -Documentation Structure up to client

    -Management representative has to be a member of the organization management and not an external individual.

    -Competence of all personnel affecting conformity to product requirement must be controlled by the organization

    -Additional guidance to explain the different methods on measuring and monitoring customer satisfaction

    -For internal audits, the management of the audited unit must ensure that necessary corrections and corrective actions are taken

    -Clarification that information systems are included as part of the company infrastructure, and therefore the management system

    -New requirement to review the effectiveness of corrective and preventive actions

    Some areas were also revised to allow for a more natural integration with ISO 14001. But in truth a lot of these changes were things that companies should’ve been doing anyway.

    I can see where some old school thought might get in the way of doing things, but most of these are feedback companies should’ve gotten from consultants and registrars to help their system become more robust and useful to them as a tool.

    The possibility always will exist for painting one’s self into a corner, but I agree with Kirill that the new standard should reinforce the idea of flexibility within the standard.

  7. Kirill says:

    Great post, Chris. Thanks for the concise list of changes. It should be useful to individual new and old to ISO 9001.

    Kirill Liberman

  8. Colin KR says:

    My company suffers this:

    – “ISO 9001 as a separate thing that exists outside of the company’s and an individual’s daily activities and is the responsibility of some dedicated individual or group within the company. ”

    All actual quality processes we have are not mentioned in our QMS.
    – our productivity charts, our on time delivery, our part failures vs product shipped charts etc.

    At this moment ISO is only a corporate requirement and nothing that anyone wants to incorporate into their daily activities.

    BTW, great read.

    Cheers,
    Colin

  9. Kirill says:

    Hi Colin. Thanks for the visiting and contributing to the blog. I am really glad you enjoyed what you read. I read and responded to you other comment too.

    The ISO 9001 certification scenrio in your company is not uniques, as you probably gathered. Unfirtunately, many companies that obtaoned ISO 9001 Certification years ago never got out of the old paradigm. Clearly, your registrar has not helped move your organization toward a true mnagement system approach to ISO 9001.

    Perhaps one of the problems is that your management team has never been exposed to modern management system implementation methods that incorporate lean principles and acheive ISO 9001 certification as a byproduct.

    If you and/or your management team are interested, I can show you what I am talking about. There is no charge for this demonstraiton. Contact me at the number at the top of the page and we will set up a time for a web meeting.

    I look forward to hearing from you.

    Kirill Liberman

  10. Homer Dambrosio says:

    Brownie points for creating a post on this topic. There is not enough content written about it (not particularly useful anyway). It is excellent to see it receiving more coverage. Thanks again!

  11. Kirill says:

    Thank you, Homer.

    I am glad you found this ISO 9001 information useful. If you would like any specific questions regarding ISO 9001 Certification addressed, please post them here or give us a call.

    Kirill Liberman

Leave a Reply