Sunday, June 25, 2017
Resources
ISO Standards and Industry Resources

0 115

If your company is in the process of becoming certified to ISO 9001:2015, you’re probably wondering, “What do we need to do to ensure we are prepared?”   There’s no worse feeling than being caught in the middle of an audit unprepared, especially if it is for an ISO certification. Consistent planning and preparation can make sure that you’ll never be caught unaware, but of course, the fact remains that ISO 9001:2015 includes a number of new requirements. Below, we have covered some of the most asked questions organizations have when preparing for an ISO 9001:2015 audit.

What is context of your organization all about?

This question is the benchmark point of ISO 9001:2015 and it appears in section 4.1. The standard question uses the term “context”, but this could be easily translated to Business Environment.  Quite simply it is asking you to understand the environment in which your organization is operating.  It asks you to identify your organization’s internal and external influences. These questions about “context” are usually directed to the top management and the team responsible for the QMS. The auditor will be looking for a clear examination of forces at work within and around the organization. Some organizations use a SWOT analysis (strengths, weaknesses, opportunities, and threats) to help them get a grip of this, but it is not a requirement. What the auditors learn here will be a key input for risk analysis.

Who are your interested parties and what are their requirements? 

This question relates to 4.2 and is trying to ensure organizations understand who can be affected by their organization and who has requirements for them as an organization. The term “interested parties” could also be termed “stakeholders”. The auditor will always make sure that a reasonable range of interested parties has been identified, along with their corresponding requirements.

These first two requirements now lead us to the main requirements surrounding risk in section 6.0 – Planning.

What risks and opportunities have been identified in relation to the above, and what are you doing about them? 

Risks as well as opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective.

How are you working to achieve your quality objectives?

Measurable quality objectives are not new to ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.

How has the QMS been integrated into the organization’s business processes? 

This question is asked directly to top management (see section 5.1.1c) as they have the overall responsibility to ensure this is happening. ISO 9001 is becoming a more strategic management system. It’s not only about making sure products or services meet requirements. The standard is about managing every aspect of your business using risk based thinking and continuous improvement.

How do you capture and use organizational knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, exit interviews, staff meetings, customer reviews and feedback, examination of data, lessons learned logs. How the organization captures knowledge is up to them, but the process should be clear and functional. The knowledge should also be maintained and accessible. These should be documented in a way that your institution could create its own “Knowledge Base”.

These are some of the most asked questions when preparing for an ISO 9001:2015 audit.  We hope that this gave you a more clear understanding on how to use the standard to ensure a successful outcome for your organization.

    0 122

    When organizations decide to implement an Information Security Management System they often wonder what is the difference between ISO 27001 and the ISO 27002? To put it simply ISO 27001 holds the requirements of the Information Security Management System Standard and ISO 27002 gives guidelines and best practices intended for organizations who are becoming certified or implementing their own security processes and controls.

    ISO 27000 is a series of international standards all related to information security. The ISO 27001 standard has an organizational focus and details requirements against which an organization’s ISMS (Information Security Management System), can be audited. ISO 27001 is a management system standard and therefore establishes specific requirements in which it can be certified by a third party accredited registrar.  If an organization wants to certify its Information Security Management System (ISMS) it needs to comply with all requirements in ISO 27001.

    On the other hand, ISO 27002 is more focused on specific examples, guidelines and provides a code of practice for use by individuals within an organization. You cannot get certified against ISO 27002 because it is not a management system standard.

    Instead it was established based on various guidelines and principles for initiating, implementing, improving and maintaining information security management within an organization. The actual controls in the standard address specific requirements through a formal risk assessment. The standard consists of specific guidelines for the developments in organizational security standards and effective security management practices that would be useful in building confidence within inter-organizational activities.

    There are a dozen other standards in the ISO 27000 series which are all designed to assist companies is securing their organizational information. These include ISO 27005 for organizations looking for more detail on how to carry out risk assessment and risk treatment and ISO 27004 which provide guidelines intended to help organizations with monitoring, measurement, analysis and evaluation of their information security performance and the effectiveness of their ISMS.

    Every standard from the ISO 27000 series is designed with a certain focus in mind but if you want to build the foundations of information security in your organization, and devise its framework, you should use ISO 27001; ISO 27002 is design to be a tool to help organizations with the implementation of ISO 27001 or for organizations who want to implement their own management guidelines and controls surrounding Information security.

      0 647

      Are your Business Management Systems still operating in Silos?

      If so then you may want to think about adopting a more integrated approach…

      Steve Tyler, CEO & Founder of BusinessDocsOnline


      Working in Silos?

      There comes a point in the development of many organisations when they need to obtain some form of certification, and for the majority they will probably implement a management system for either Quality or Health & Safety.

      There then follows a period of time where their requirements for certification will be covered with a single management system.

      However, once an organisation grows to a point where it requires more than one management system, then that is the time for top management to step back and consider adopting a more integrated approach.

      Yet too many organisations miss this opportunity and implement their management systems as stand-alone platforms.  They then end up with individual management systems being used in silos.

      For some organisations, working in silos may be the most suitable way to function, and there may be operational reasons why this approach works best for them.

      But working in silos also has a downside…

      Silo Mentality (as defined by the Business Dictionary):

      “a mind-set present when certain departments or sectors do not wish to share information with others in the same company.  This type of mentality will reduce efficiency in the overall operation, reduce moral, and may contribute to the demise of a productive company culture.”
      Whilst an integrated management system may not work for every organisation, for many the long-term benefits will far outweigh the short-term effort required to move forward.

      So why not integrate your management systems and eliminate all the inefficiencies and duplication of activities that are part and parcel of having individual systems and working in silos?

      But how easy is this to achieve?

      The PDCA Cycle: – Plan – Do – Check – Act

      With the latest release of ISO 9001:2015, this revised standard aims to further develop the “Risk Based Thinking” approach within an organisations.  It also brings two other aspects into the management system arena that are going to re-define the future of management systems.  One of these is Annex SL and the other is the PDCA cycle.

      Lets come back to Annex SL later, and deal with the PDCA cycle first.  Within ISO 9001:2015 this functions as follows:

      Plan

      Top Management must assess the risks & opportunities that may impact on the organisation and carry out the planning required to ensure these risks do not affect the organisations ability to deliver its “desired outputs”.  Exploiting any opportunities that have been identified must also be planned.

      Do

      Process activities must be carried out in such a way as to ensure they are aligned with the outputs of the planning processes.

      Check

      Top Management must review & measure the organisations performance against their objectives.

      Act

      Top Management must also plan & implement any actions that will deliver continual improvement.

      Whilst the “desired outputs” of each organisation are quite unique, one way or another they all lead back to Customer Satisfaction.  Once Customer Satisfaction can be monitored, it can be measured.  And as the saying goes – “What gets measured gets done….”

      So we can see how the PDCA cycle works for a Quality Management System, but this is really just the tip of the iceberg.

      This PDCA cycle can now be applied to just about every other ISO standard, including Health & Safety [45001]*, Environmental [14001:2015] and Information Security Management [27001], and every system you implement can follow the same structure.

      The net result here is that it is now possible to implement an integrated management system that combines Quality, Environmental, Health & Safety and Information Security.

      But can they be that much more effective if they are integrated?

      The Benefits of Integrated Management Systems

      Once an organisation has decided to integrate their management systems then it’s at this point they can start to see the real benefits.

      Organisations that have already implemented a single management system based around the PDCA cycle will find it up to 50% quicker when they come to implement their next management system.

      The PDCA Cycle means it is possible to integrate your management systems into one platform, and organisations can now implement a single solution that controls all of the following:

      • Risks & Opportunities for Product & Services
      • Customer Requirements & Satisfaction
      • Environmental Impacts
      • Health & Safety Hazards
      • Information Security Integrity

      With this integrated approach, much of what is needed from the management team can now be done under one umbrella, and top management can now take a broader view of their organisation whilst undertaking the following activities:-

      • Planning
      • Assessments of Risk & Opportunities
      • Internal Audits
      • Management Reviews
      • Continual Improvement

      The end result is that:

      • The organisation can now be managed using joined-up thinking.
      • Auditing models can be revised to provide a much broader remit, but with fewer audits.
      • KPI’s & SMART objectives can now become more aligned.

      But just how well are all the different standards able to interact, and how easy is it to implement a single integrated platform across 2, 3 or 4 different management systems?

      That’s where Annex SL comes in…

      What is Annex SL?

      Annex SL is an ISO document that defines a high level structure [HSL] for the framework of a generic management system.

      It was first published by ISO’s Technical Management Board (TMB) in 2012 and the recent release of ISO 9001:2015 has been revised to align with Annex SL.

      Annex SL has arrived with a vengeance with the latest version of ISO 9001:2015, and is now here to stay.

      In the future, all new ISO management system standards will adhere to the Annex SL framework and all current management system standards will migrate to it at their next revision.

      As a result of the introduction of Annex SL, all ISO management system standards will become more consistent, and hence more compatible.  They will share the same look and feel, having been built on a common foundation.  The structure of all management systems will now include the following sections:

      • Context of the Organisation
      • Leadership
      • Planning
      • Support
      • Operation
      • Performance Evaluation
      • Improvement

      There are common core definitions too; the following words will have the same interpretations across all Annex SL standards:

      • organisation
      • interested party (preferred term)
      • stakeholder (admitted term)
      • requirement
      • management system
      • top management
      • effectiveness
      • policy
      • objective
      • risk
      • competence
      • documented information

      • process
      • performance
      • outsource (verb)
      • monitoring
      • measurement
      • audit
      • conformity
      • nonconformity
      • correction
      • corrective action
      • continual improvement

      Annex SL represents the beginning of the end of the conflicts, duplication, confusion and misunderstanding arising from subtly different requirements across the various management system standards.

      Auditors now face the challenge of focusing their own, and their clients’, thinking on viewing organisations’ management systems holistically.


      About BusinessDocsOnline

        0 589
        What Does Schedule 16 of Bill 70 Really Mean for Companies in Ontario?

        On the 8th of December in 2016 Schedule 16 of Bill 70, the Building Ontario Up for Everyone Act (Budget Measures), 2016, gained royal assent and its amendments to the Occupational Health and Safety Act came into effect:

        Schedule 16 – Occupational Health and Safety Act – says:

        “The Schedule amends the Occupational Health and Safety Act to give the Chief Prevention Officer the power to accredit health and safety management systems, and to give recognition to employers who use accredited health and safety management systems. The Chief Prevention Officer may also establish standards and criteria that must be met by health and safety management systems or employers in order to receive accreditation or recognition. Related amendments are also made.”

        What Schedule 16 Means

        What this means in a nutshell is that once the CPO (Chief Prevention Officer) has defined the requirements through bill 70 for an accredited health and safety management system, companies could then become certified to that system. Certified companies that are then able to demonstrate their commitment to using a coordinated system to improve their OHAS would then be able to benefit from things such as reduced routine inspections through the MOL.

        In addition, the CPO will need to put in place a system that will recognize and incentivize companies to become certified. Details of those companies and their performance can then be made publicly available through the CPO.

        Currently the CPO has not yet released any standards for accredited health and safety management systems and has said that they will be holding an “extensive consultation” to develop an “accreditation standard and employer recognition program”. Until the CPO actually defines the standards for accredited health and safety systems, the changes implemented by this act will have no real effect on anyone.

        ISO 45001 as a Framework for OHS Standards in Ontario

        Of course, an accredited standard is currently on the verge of being released should the CPO want to use the framework provided by ISO. The new standard ISO 45001 Occupational health and safety management system – requirements will follow a similar framework to that of ISO 9001 and 14001 giving companies an accredited standard against which they can be certified by a third party. This new worldwide standard will become available hopefully towards the end of 2017.

        Assuming that this will meet the expectations of the CPO and interested parties then this would be a perfect way for companies to start putting in place processes, procedures, and other measures to drive continuous improvement in occupational health and safety.

          0 637

          “What’s in it for me?” is not an unreasonable question for anyone to ask, especially if you are going to ask them to spend money. If you want your business to invest in a Quality Management System such as ISO 9001 you should have some idea of what it is going to cost you and how much you will get back for your investment.

          Measuring Your Quality Costs

          One way to look at this is to look at the model for Cost of Quality (CoQ) suggested by Armand V. Feigenbaum. His model splits quality costs into four areas:

          • Prevention Costs: The money spent on preventing issues from occurring such as training, creation of standards, quality plans, etc.
          • Appraisal Costs: The money spent on physically checking and auditing products, and systems.
          • Internal Failure Costs: Costs incurred when a failure occurs in house; scrap, rework, time spent replacing product, etc.
          • External Failure Costs: These usually cover everything from warranty costs to lost business.

          It is generally accepted that spending money on prevention is going to be a lot less expensive than dealing with an issue once it hits your customer. In most models, it is suggested that costs increase by an order of magnitude for each step as you move from prevention through to external failure costs. Therefore, it will cost your business 10 times as much to deal with an issue once it has reached the customer than if you had caught it in-house, and would cost you a tenth as much to prevent the same  issue.

          How Much Can You Save?

          The problem of course is that with an effective quality system you prevent the problems from occurring in the first place so you never actually “see” the benefit as the problem never occurs. This can lull some businesses into a false sense of security and lead them to think that they can cut costs by spending less on quality when times are tough. The results of this can be very expensive when a product or service of poor quality slips through to the customer.

          Of course if you measure CoQ right from the start you will be able to see how spending more on prevention and appraisal helps to reduce your failure costs and will result in an understanding of what that return on your investment is. You will be able to see the effect of spending more up front lowers the cost of poor quality.

          Every business is very different and the ROI that you can achieve in one industry is going to be very different to that achieved in another. As a guide, a recent study undertaken through the American Society for Quality (ASQ) showed that for every $1 spent on your QMS, you could expect to see an additional $6 in revenue, a $16 reduction in costs, and a $3 increase in profits. On average, they saw that quality management reduced costs by 4.8%.

          Another study undertaken by the Harvard Business School showed that companies that adopted ISO 9001 had the following benefits:

          • Higher rates of survival
          • Increased Sales
          • Growth in employment
          • Increased wages
          • Less waste
          • Improved worker productivity

          So, while it may not be easy to predict your ROI, you can be pretty sure that investing money up front on your Quality Management System is going to be an effective investment.

            0 888

            Documented Information for ISO 9001:2015

            With the relatively recent release of ISO 9001:2015, many companies are still asking themselves what documentation is required. Back with the 2008 release, most companies were comfortable with the six mandatory procedures that were expected of them as well as the need for a quality policy and manual. The update to 2015 has however removed the requirement for a quality manual and blurred the distinction between procedures and records.

            With the new release, both documents and records are termed “documented information” and must be controlled and maintained. This is what will form the evidence required to show that you are conforming to the requirements of your quality management system.

            Clause 4.4 of ISO 9001 requires your organization to maintain the documented information that is required to support the operation of your processes and to retain that information to be able to have confidence that those processes are being completed as planned.

            So what is required by the standard?

            The following is a clause-by-clause breakdown of what is required by the standard. However, some of these clauses can be excluded if the company does not perform the relevant processes:

            Mandatory records:

            • 7.1.5.1 – Monitoring and measuring equipment calibration records
            • 7.2 – Records of training, skills, experience and qualifications
            • 8.2.3.2 – Product/service requirements review records
            • 8.3.2 – Record about design and development outputs review
            • 8.3.3 – Records about design and development inputs
            • 8.3.4 – Records of design and development controls
            • 8.3.5 – Records of design and development outputs
            • 8.3.6 – Design and development changes records
            • 8.5.1 – Characteristics of product to be produced and service to be provided
            • 8.5.3 – Records about customer property
            • 8.5.6 – Production/service provision change control records
            • 8.6 – Record of conformity of product/service with acceptance criteria
            • 8.7.2 – Record of nonconforming outputs
            • 9.1.1 – Monitoring and measurement results
            • 9.2 – Internal audit program
            • 9.2 – Results of internal audits
            • 9.3 – Results of the management review
            • 10.1 – Results of corrective actions

            Other Mandatory Documents:

            • 4.3 – Scope of the QMS
            • 5.2 – Quality policy
            • 6.2 – Quality objectives
            • 8.4.1 – Criteria for evaluation and selection of suppliers

            So what does this mean?

            You should still tailor your quality management system to meet the requirements of your own business and all of the interested stakeholders. This can be done in any way that your organization sees fit; although a quality manual is still one of the easiest methods. As long as these processes and associated records can be shown to meet the requirements of ISO 9001:2015 effectively then that is fine. If not then the relevant action should be taken to ensure that all of the required clauses are covered.

              0 537

              Even if you have an informal quality management system within your business it is often difficult to implement the requirements of ISO 9001:2015. Depending on the size of your business this could be a task that may take six to twelve months to complete depending on the established current systems. It is vital that your staff are fully trained and engaged to make any implementation a success. The following 10 tips are vital to smoothly and effectively implementing an ISO 9001 management system:

              1. Get senior management commitment; while this may sound a little cliché, without the full commitment of your management team throughout the business it is going to be very difficult to drive home the changes and improvements that are required.
              1. Provide training at all levels in the business. Your staff needs to understand not only about the requirements of ISO 9001 but also the different quality principles that they should strive to implement within their every day work. Training should be provided on an ongoing basis according to perceived needs.
              1. Ensure that you have effective internal communication. Without this you are not going to be able to maintain the constancy of purpose that is required.
              1. Establish an implementation team with the authority to make things happen. You cannot just implement an ISO 9001 management system by assigning a management representative and expecting them to do everything in isolation. You need to identify the staff that will be required at all levels throughout the business to craft your system.
              1. Conduct a Gap Analysis; you need to fully understand where your current system meets or fails to meet the expectations of ISO 9001:2015 so that you can allocate resources accordingly.
              1. Involve customers and suppliers in analyzing your current systems. It is important to understand how others view the effectiveness of what you currently do and what they expect from you to improve things.
              1. Plan your implementation fully; responsibilities, roles and schedule. As with any project, the better that you plan it the more likely you are to have success.
              1. Create clear and concise policies and objectives for quality to provide the company with a common direction. Well communicated and understood these will help your company to move forward together.
              1. Encourage everyone to question and improve. It is not enough to only have auditors looking for issues with the systems; everyone should continually seek better ways to do things.
              1. Conduct regular reviews of your ISO 9001 management system through your auditing process to ensure that you are continually improving how your systems function.

              In addition to the above, foster a good relationship with your certification body. Your auditor is not there to catch you out. They will want to help you to develop and grow a system that will significantly benefit your business, so use them fully.

                0 637
                Lean System

                Introduction to the Lean System

                As with anything in life, you will get out as much from your ISO 9001 management system as you put into it. If you treat it as a documentation requirement and burden on your business just to get certification then you are unlikely to see any real benefits; in fact, you may even stifle your own growth.

                The aim of any ISO 9001 QMS is to enhance your businesses product or service quality by standardizing and continually improving all of your business processes. This in turn will help you to increase productivity and drive out waste of all forms within your business.

                Why Use Lean System with ISO 9001?

                ISO 9001 outlines what is required for a certifiable QMS. However if you read ISO 9004 you will see that it suggests a huge amount more than 9001 requires as a minimum. Merely aiming for what the standard requires so that you achieve certification is not going to help you actually improve your business in a way that is going to help you grow it.

                A QMS should always consider the customer first, not the standard. It should also be put in place to continually improve the business and its output. Something that is also provided through implementing a Lean system.

                Lean Manufacturing has grown out of what is known as the Toyota Production System (TPS), and is why Toyota managed to dominate the world automotive market in such a short space of time. Lean is in its simplest form just another QMS; when you implement Lean you put in place the controls and systems to provide the customer exactly what they want, where they want it, when they want it, in the right quantity, without any waste or delays.

                Lean provides you with a host of tools such as 5S, which helps you to set up a highly visual, organized and efficient working space, through to continuous improvement techniques such as Kaizen. Lean fits perfectly within any ISO 9001 QMS and can only help you to further improve and grow your business using proven tools and techniques.

                  0 667
                  Key Performance Indicators for an ISO 14001 Management System

                  Why Do You Need Performance Indicators for Your Environmental Management System?

                  Performance Indicators are the measures that you put in place on your processes and business that provide you with the information that you need to see how well your ISO 14001 management system is performing. Each process could have a whole series of measures that will let you know how well it is performing financially, with regards to quality, H&S compliance and of course environmentally. After all, as the saying goes, “what gets measured gets done.”

                  Each process could potentially have many different measures that are important to it. Many of these measures will be monitored, and action taken at a local level. While others that are more important could be elevated to being Key Performance Indicators (KPIs) for the business. This ensures that those measures that are vital to your business or have a potential risk associated to them are highlighted.

                   

                  What Performance Indicators Do You Need for Your ISO 14001 Management System?

                  Many businesses are used to implementing performance measures as part of their quality management system, however they are equally as important as part of your ISO 14001 management system. Your measures need to be selected with great care for each process within your business and only those that are truly important should be elevated as KPIs for management monitoring.

                  Each business is of course different as are each of your processes. Therefore, your indicators and measures will always be different to those employed by other businesses. However, some typical measures are detailed below to give you some idea as to what you should implement within your own business:

                  Use of Natural Resources:

                  • Water, electricity, and gas usage by the business
                  • The amount of paper used within the business

                  Discharges to Air, Land, and Water:

                  • Pollutant parts per million measures
                  • Weight to landfill

                  Incidents and Potential Incidents:

                  • Number of actual and potential incidents
                  • Time lost due to incidents

                  Proactive Measures:

                  • Risk reduction measures implemented
                  • Environmental audit scores

                    0 1320
                    Quality

                    Have you ever stood staring at a range of products in a supermarket trying to make up your mind which one to buy?  They all look quite similar, but one stands out and you buy it.  Why?  It’s got a sign on the shelf and a logo on the product to tell you that it’s won an award for quality.

                    So you’ve just based your purchase on Quality – Your customers are making the same decision every day!

                    Quality is more than just finished product, it’s the processes, systems and people that are behind the product.   Quality is everybody’s responsibility.

                    Quality is the pursuit of excellence, striving to be the best we can and getting ahead of our competitors.  It is meeting the needs and expectations of all stakeholders – our customers, our suppliers, our staff and the community at large.

                    How can we ensure that we are exploiting all avenues to be the very best?  A recognized standard such as ISO 9001 certification promotes the use of quality tools in business.   The ASQ (American society for quality) estimates that for every €1 spent on a quality management system, such as ISO 9001, returns €6 in revenue, €16 in cost reduction and €3 in profit – that’s €25 for every €1 spent!

                    93% of organisations agree that the implementation of a quality management system such as ISO9001 was a significant driver of success and most would agree that without it they could not justify their pricing to customers.

                    If you are looking at ways to improve your ROI by improving your quality then consider ISO certification.   Using an expert to help you implement a quality management system will ensure ISO 9001:2015 accreditation which will in turn help you make significant improvements and lead to significant growth.

                     

                    This post has been a guest posting from Joann O’Brian over at our friends at CG Business Consulting Ireland .