Introduction

If your company is ISO 9001 certified, you have now heard that ISO 9001:2008 has undergone a major revision. This means that organizations that have an ISO 9001 quality management system must now transition to ISO 9001:2015. ISO 9001:2015 will mark a big transition for many companies that are currently certified and open the door for companies that are not. This article will discuss the major changes to the standard and provide you with some guidance to ensure a successful transition for your organization. Before we get into some of the substantive changes in ISO 9001:2015, I would like to debunk some of the main myths and misconceptions of the revision.

Download Article

Debunking The Myths

Myth 1: Quality Manual is no longer required. One of the main myths of the ISO 9001:2015 revision is that there is no longer a requirement for a quality manual. Although this is true, the standard does not explicitly state that an organization shall not have a quality manual. My personal opinion, is that organizations should maintain a systems manual for their management system. The reason that the requirement for a quality manual no longer exists, is that many organizations simply retyped the standard and called it their quality manual. The ISO 9001 standard states “what” organizations are required to establish to meet the requirements of ISO 9001 and the organization’s quality manual, is supposed to address “how” the organization meets those requirements. Organizations that have a quality manual, should not burn their quality manuals, but maybe take the opportunity to update it to address the “how”. Having a quality manual also provides a great roadmap of how the system is built, which is a good resource for training employees and for external parties, such as customers, certification body auditors, when they need to understand how your management system is designed.

Myth 2: ISO 9001 no longer requires documented procedures or records. The standard has eliminated the term documented procedures and records and now uses the term, documented information. Many have taken the term documented information to mean that the ISO 9001 standard no longer requires documented procedures or records. One of the main points of the ISO 9001:2015 revision is for organizations to stop reading the standard so literally and start using it as a business management tool. Of course organizations need to have documented procedures and records, the standard simply collectively refers to these document types as documented information. Keep your quality manual, documented procedures and records.

Process-based Quality Management Model

One of the biggest changes in the ISO 9001:2015 standard is the change to the process-based quality management system model that we are familiar with. The model in ISO 9001:2008 focused on customer requirements serving as the primary inputs, but as we can see below in Figure 1, the ISO 9001:2015 model focuses on the requirements of customers and relevant interested parties. Who are relevant interested parties? These are people or organizations that can affect, be affected by or perceive themselves to be affected by your organization. Some examples may include: customers, suppliers, regulatory bodies, industry, other internal departments, the surrounding community, etc.

Figure 1 Process-Based Quality Management Model

The next change we see in the model, is that product realization has now been changed to operations. Product realization only addressed production activities, but the term operations is broad enough to accommodate both service and product organizations. The new model also depicts the support processes that support all of the core processes of the organization. Examples of support processes include: Human Resources, Maintenance, Accounting, IT, etc. Measurement, analysis and improvement has been changed to performance evaluation. Performance evaluation is a much broader term, which can also apply to service organizations. It also ensures that organizations are also evaluating the performance of all processes, beyond only those that are used to produce products. Management responsibility has been replaced by leadership.

The new model recognizes that quality takes not only commitment, but leadership from Top Management. Although, leadership should come from the top, it often comes from various other levels within the organization. Top Management should focus on fostering an environment for quality leaders at all levels. Resource management has been replaced by planning, which includes planning at all levels beyond resource planning for products. There are many aspects of planning that may not involve resources, for example ensuring processes are executed in the proper sequence or the use of a project plan. There is now a much broader scope beyond just simply considering resources. The model no longer only focuses on the continual improvement of the quality management system, but now the focus is simply on continual improvement of the organization as a whole. The new model place more focus on the organization as a whole, as opposed to just the quality management system. Although the actual model does not show risk based thinking, I have added it in Figure 1, so that it’s clear that organizations should be constantly thinking about risks throughout all processes within the organization. The next big change in the standard is that of Risk-based thinking.

Risk-based Thinking

ISO 9001:2015 defines risk as the effect of uncertainty on an expected result. There are hundreds or maybe even thousands of processes that work together for an organization to produce its products or provide its services to its customers. These processes must provide an expected result for the organization, its customers and relevant interested parties, but there are uncertainties (variation) all along the way including: employees, vendors and equipment, which is often where risk is derived from. Organizations must proactively assess the existence of risk, their potential impact and the preventive actions (mitigation controls) that will be put in place to prevent or reduce the negative impact of the identified risks. Once a risk is identified, organizations should determine the probability of the risk occurring and determine what the potential impact would be, if the risk occurred.

Risk can have a low probability, but have a very high impact or can have a high probability, but a very low impact. Risk based thinking, requires the organization to take time to think about all of its processes, to determine probability impacts and move beyond thinking about the risk and implement preventive actions to control them. Organizations should also develop contingency (back-up) plans in the event the mitigation controls fail.

Context of the Organization

ISO 9001:2015 defines context of the organization as the business environment, the combination of internal and external factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested parties. Although context of the organization is new to ISO 9001 in name, it should not have a major impact on most organization, as organizations are constantly monitoring their business environments. An organization that’s aware of its business environment is an organization that is more prepared and responsive when their business environment changes. What is the context of the organization? It’s basically understanding your industry, its statutory and regulatory requirements, customers, impacts on its surrounding community, etc. Once an organization really understands the context of its business environment, it increases the chances of meeting those obligations.

If your organization is in business, you most likely understand the context of your organization, but you may need to document these requirements to ensure they have been addresses. Conducting a thorough risk assessment will also provide a good understanding of the context of your organization.

Leadership and Commitment

ISO 9001:2015 now requires Top Management to move beyond commitment and demonstrate leadership for the quality management system. This could be a significant change for many organizations, where Top Management may be used to only having the Quality Manager handle quality and engage them as necessary. Now, Top Management is expected to proactively engage employees. This means, that Top Management is expected to get actively involved in the QMS and actively engage the organization on an ongoing basis, not just when the organization has a negative quality event. This can be done mainly through providing an example of how Top Management is committed to following the requirements defined within the QMS and avoid going around it or only using it when it’s convenient. Top Management should always be working to integrate the QMS in their daily decisions and actions, which the other staff members will pay more attention to Top Management’s actions than their words. Responsibility for the quality system, should be spread amongst various members of management.

Management System Representative

To the pleasure, of many Quality Managers, there is no longer a requirement for a single person to serve as the Quality Czar. In ISO 9001:2008, the Quality Manager was often the go to person for all things quality. The other members of management, knew very little about the system and took on little, to no ownership. The quality management system, is something that all members of the organization should take ownership of; therefore, all applicable members of management should be involved. The revision opens up the responsibility to be shared. As with other myths, the revision doesn’t say an organization can’t have a single management system representative. In fact, it may still be a good idea to have a primary person that is responsible for the day-to-day implementation of the quality system, but all members of management should take ownership of the respective areas they impact.

Preventive Actions no Longer Required

Preventive actions are no longer required. In fact the ISO 9001 standard, no longer mentions the term preventive actions. Preventive actions have been replaced by risk-based thinking. The act of proactively identifying risks and implementing mitigation controls to prevent them are preventive actions. Organizations should not confuse risk-based thinking with nonconformities. A nonconformity would occur, if the controls that were put in place to prevent the risk were not followed or failed, which may then result in a corrective action being developed.

Quality Objectives

In ISO 9001:2008, organizations were simply required to have measurable quality objectives. The 2015 revision, now requires organizations to define how the objective will actually be achieved. Organizations must address:

This is a good change, as it forces organizations to actually put plans in place to achieve the quality objectives.

Nonconforming Process Outputs

In ISO 9001:2008, the focus was primarily placed on nonconforming products. As processes produce products, it’s important to put an emphasis on the processes, as opposed to the product. There are thousands of daily process outputs (transactions) that are not on the production floor, but have an impact on production and other functions within the organization. For example:

This change also accommodates service companies, which may not have nonconforming products, but all organizations have nonconforming process outputs. This is a good change, as organizations should focus on the outputs of processes, which will result in less nonconforming products and services to their customers. Organizations should also see a reduction in expenses, improved efficiency and increased profitability.

Impacts to Certification Bodies

One of the benefits of the 2015 revision, is that it explicitly states that organizations have no obligation to have their quality management system resemble the standard. Organizations are now encouraged to use their own terms and document types. It’s all about you! Not your certification body! Organizations are often required to make changes, due to the preferences and opinions of their certification body auditors. One auditor may want to see one thing and another, may want to see something different. This rollercoaster ride may be good for the certification body, but often causes confusion for the organization. Certification body auditors will now have to work a harder, when it comes to auditing your ISO 9001 management system. Most organizations will continue to follow the model of the standard, which I must admit makes life easier for all parties, but if you decide the model doesn’t work for your organization, you should feel free to design a system that fits your needs and your needs only. For organizations that go this route, they should consider developing a cross-reference chart, which should help facilitate audits from external parties.

Transition Steps

For organizations that are starting with no prior ISO 9001 management system, the transition is easy. Just do it! For organizations that have ISO 9001:2008, the transition is a bit more challenging, but it will not be earth shattering. To be honest, if you have ISO 9001:2008, you can simply add the few new ISO 9001:2015 requirements mentioned in this article and you will be just fine. As you have no obligation to resemble the standard, you can simply add the new requirements to the end of your existing quality manual and procedures. Some organizations may want to take this opportunity to overhaul their entire system. For these organizations, the transition may be a bit more difficult. The basic steps to successfully transition to ISO 9001:2015 will include:

Transition Timeline

Organizations that are ISO 9001:2008, must completely transition to 2015 by September -2018. To force their clients to transition quicker, many certification bodies are starting to audit to ISO 9001:2015, as early as November-2016. Transitioning organizations should estimate about 8 – 12 months to complete a successful transition. This should be a comfortable pace for most organizations. ISO 9001:2008 organizations should start the transition, no later than October-2017, unless your certification body is pushing you to start sooner. Bigger organizations with multiple locations, may want to consider starting as early as October-2016.

Transition Cost

Organizations that decide to pursue the transition, with the use of internal resources can expect to spend around $15k – $30k and can expect the transition to take around 12 months. Organizations at times may find that it’s more convenient and less expensive to hire a consulting company, similar to The ISO 9001 Group to assist them with their transition. The consulting cost may range between $10k – $15k, and may vary depending upon the size of the organization. This typically includes all of the steps mentioned above. In addition to the transitional cost, organization can expect slightly higher certification costs, as certification bodies may be required to work a little harder.

Conclusion

In conclusion, the ISO 9001:2015 standard introduces some major concepts and changes, such as leadership and risk-based thing, but the changes are not earth shattering. The revision should make it easier for organizations, both small and large to pursue and maintain their ISO 9001 certification. Organizations should not overthink the changes and should implement them in a practical manner. As the standard now makes it very clear that organizations should design a system that works for them, many of the perceptions of ISO 9001 certification being too difficult should subside.

Author Biography

Oscar Combs is the Founder and Senior Consultant of The ISO 9001 Group, a management consulting firm based in Houston, Texas. Oscar has over 20 years of experience working for several of the largest corporations in North America. Oscar has worked throughout North America, South America, The Middle East and Africa helping companies manage risk and improve their business operations. Oscar holds an MBA from the University of Houston and maintains various industry memberships. He also sits on various industry boards and committees.  Read a message from Oscar here.  The ISO 9001 Group | 832-326-9796 | info@iso9001group.com