A Leader's Light-hearted Reflection on the ISO Transition Journey
Part Two: 10 Tips to a Successful Audit & Transition - How We Got There With Zero Infractions - Part of our Series on Project Management Best Practices
The ISO 9001: 2015 transition process is causing angst among ISO Management Representatives (a term redlined in the 2015 requirements) and Process Managers/ Owners in the more than 1 million ISO 9001 certified organizations around the world. Some of those organizations may well be in “panic mode” to meet the re-certification deadline.
In response to this, and because I don’t like seeing people suffer, I’ve put together 10 tips based on my experience for those currently or planning on making the transition. (Read Part 1 of this article here).
1. Make the Decision and Commit
This should be the easy part, right? After all, everyone in the organization is aware of the external and internal benefits of acquiring, holding, and maintaining certifications. As an organizational level “cert”, surely this would be an easy assumption. So, what’s the problem, right?
As with most special projects, team members must also complete their daily tasks and responsibilities despite the short term, high priority re-certification process. The ISO Transition Lead must drive the completion of the certification process without impacting daily business operations as much as possible. Below are 5 key steps to help you manage resources throughout the re-certification process.
Identify Process Owners and approvers early to accommodate busy schedules. This will give everyone time to adjust workloads and mitigate schedule risks.
Engage with Top Management early and often. As my second tip below outlines, ISO 9001: 2015 holds Top Management responsible. You should too…at least to the extent possible. Remember, don’t approach them with just a problem…. have a solution to present as well.
Be prepared to dynamically schedule resources. This means you may have to be involved at the Process Owner level and engage in numerous 15-minute discussions to identify supporting and supported processes and resolve overlap and gap issues to keep everyone moving forward.
Maintain centralized control without centralizing execution. Remember, HR knows how to do HR best. Let them. I routinely engaged with Process Owners to discuss process and documentation changes. In general, I followed the “Write it how you do it!” approach. This resulted in some additional compliance checks but Process Owners were empowered to write usable processes rather than process for process sake. FYI…. This was made much easier to do in 2015.
2. Top Management Support is Crucial
We all know that Top Management (i.e., Executive Leadership) is ultimately responsible but how often are they really engaged in the daily tasks of completing a re-certification? ISO 9001:2015puts more emphasis on Top Management involvement with the addition of the Context Of The Organization (COTO) (Clause 4) and updated Leadership (Clause 5). This requires Executives to think about external factors as well as internal that could impact the organization’s ability to deliver quality products and services to its customers.
But it’s more than that. ISO 9001:2015 also eliminated the role of the ISO Management Representative (IMR) that decentralizes ISO control and execution. Therefore, oversight now falls into Executive Leadership. My advice is to get them involved early and ensure they understand the additional oversight roles ISO is placing on them. With Top Management on board, things will fall into place quickly.
3. Take a Project Approach to Prepare
This may seem like a simple statement that most would assume as a foundational concept. However, there are some factors to consider ensuring success. Most Process Owners don’t initially think how extensively their processes and procedures affect other Process Owners and business activities. Although the ISO Transition Lead should address this in the kick off meeting, it doesn’t seem to hit home until shortly before the audit when they realize their process inputs and/or outputs don’t align with predecessor or successor processes.
To mitigate this, ensure the Process Owners collaborate to establish seamless transition between processes (i.e., recruiting to HR, marketing to business development, etc.…), and maintain good schedule control (keep your variance low). As stated above, this may mean additional small group communication with supporting and supported process owners, but it closes process gaps early…. before they become non-conformities or findings in the audit. Below are a couple of tips to help you manage the ISO transition project:
Hold Recurring “Tag Up” Meetings: We know everyone is busy but a 30-minute recurring meeting (we held ours weekly) alleviated a lot of confusion, identified risks early, and produced on-the-spot mitigations to issues and risks. By touching base with everyone, we caught several gaps and issues early before they created a non-compliance or impacted the schedule. I also ensured Top Management was present to support the process and make corporate decisions in a timely manner.
Conformance Matrices are a Must: We built a cross-reference matrix to map existing 2008 activities to 2015 requirements. We used this throughout the process up to and including the audit. Remember, you must maintain your 2008 QMS while you transition to 2015. We provided the “matrix” to our auditor as a tool so he could map across both requirements. This put us on the auditor’s “nice list” right out of the gate.
Train Early, Train Often: We conducted our “Transition Training” almost immediately after the kick-off. By doing so, we reinforced the 2015 knowledge level providing Process Owners with mindset early…. before they began updating processes. Furthermore, touch on training topics throughout the preparation process to refresh ISO-related information. By doing so, your team will have confidence in their processes and ISO knowledge when the auditor interviews them.
Schedule an Internal Audit or Two: We partitioned our internal auditor except for reviewing and updating audit-related processes. By doing so, our internal auditor remained unbiased throughout the process. We leveraged him repeatedly to assess compliance throughout the process.
4. Your QMS is a Tool, Not a Record
This is probably the greatest benefit we didn’t know we had. During the early stages of the ISO project, we reviewed existing 2008 documentation to establish the Level of Effort required to complete the transition. Well, the documents I could find anyway. This fact coupled with the complete review and considerable changes in 2015 made us re-visit how we document, record, and disseminate ISO-related information.
Our solution was to develop an interactive Portal capable of a single view of all ISO-related documents. This didn’t mean they were all stored in the same place, just accessed via a unified location. For example, we maintain a training/Knowledge Management portal for all corporate and field employees. Rather than pulling all the documentation and records over to the ISO location, we simply updated our process and provided a link to the Training/KM site.
We also implemented a role-based permissions system allowing process owners to update processes and documents, route for review, and notify the Document Manager and approver for signature. This resulted in an automated ISO Documentation Management system reducing coordination time and Document Control resources.
Of note, our Portal-based QMS was identified as a “Best Practice” by the auditor.
5. If You Don’t Do it, Don’t Put It in the QMS
Easier said than done, right? Too often we document for the sake of documenting; something that doesn’t provide any business or procedural value. The major revision of requirements in ISO 9001:2015 loosens the documentation requirements required for compliance in a couple of ways. First, it completely removed the Quality Manual requirement which makes sense. Why have a manual that tells you to look at the processes and procedures in the organization?
Our Portal now provides a structure and “outline” to follow in an automated fashion. Second, the new requirements provide an avenue to meet requirements without writing long Word documents. For example, The COTO requirement can be met with a spreadsheet to outline internal and external Interested parties, Issues, and Risk and Opportunities. Of note, we added a QMS RACI to clearly outline ISO-related roles and responsibilities.
Another relief 2015 gave us was the ability to customize/tailor documentation needs with minimal risk of nonconformance. We identified this early and reviewed our processes for form, fit and function. We found that several of the pre-existing processes contained additional steps or were no longer applicable. This was a recurring topic in our Tag Ups (see Tip #3 above).
Partly because of the short timeline and mostly because I take issue with maintaining unnecessary documentation for documentation sake, I provided some simple guidance for Process Owners; just write/update it the way you do it…. I’ll check for compliance. Simply put, this worked! Overall, we eliminated approximately 20% of the documentation and shortened most of the remaining through developing clear, concise and value-based Operational Processes, workflows, and procedures.
Clearly, this was a bit risky. I reviewed every document for compliance and leveraged our “rolling internal audit” approach (see Tip #3 above) to ensure compliance despite reducing/shortening documented processes (some were consolidated).
6. Automate Everything…Or Everything You Can
This tip will save you considerable work! We integrated (where possible) with our supporting tools. Rather than writing long, drawn out documents, we “linked” to the automated workflow tools we already had such as our CRM and recruiting tools. This made documenting the process very easy. In fact, our audit consisted of opening the link, and describing the workflow to the auditor as the “system” worked through the process.
During your planning stage, take a good look at your supporting business systems and evaluate the workflows within them. If you have automated processes built into the workflow, minimal or no documentation may be required. If the workflow is clear in the system (i.e., workflow overview on the dashboard), then a simple link from your QMS will suffice. Remember, automation almost always increases quality!
7. Make Decisions Based on Business Value
A common theme throughout this article is that ISO 9001: 2015 provides an opportunity for (or forces) organizations to look at Quality operations slightly differently. Although not all encompassing, the COTO exercise (Clause 4) and quality process reviews made the organization evaluate where we stand, how outside parties and variables may impact us, and take an honest look at our process efficiency.
The new requirements represented an opportunity to conduct an overall self-assessment and drove us to make some larger, Business Improvement decisions (tabled of course until after the audit).
Did I mention how important Top Management involvement was? This ranged from evaluating our current suppliers (i.e., external parties), to implementing risk mitigation strategies at the corporate level (i.e., COTO Exercise), and assess resource savings/level existing resources through streamlined processes. All items important to any business but critical to Small Business success!
8. Engage Your Auditor
This one will make most professionals formally known as “ISO Management Representatives” cringe at the very thought. There is an inherent stigma associated with auditors; even the word audit strikes fear into functional managers that make them begin to question every action. I agree that audits introduce risk, something all professionals instinctively try to avoid. But engaging with your auditor can help reduce audit associated risks and give you time to mitigate them.
The transition to ISO 9001: 2015 requires you to submit a transition application and provide some pre-audit documentation to assist them in preparing. Take this opportunity to ask questions like: What is the most significant issue transitioning organizations are having? What is the most common noncompliance you, as the auditor, are seeing? Are there any focus areas our type of organization should give attention to?
Establishing a line of communication with the auditor facilitates a smooth audit process, identifies key areas to address, and generally provides a foundation for a successful audit on both sides. The better you prepare your auditor, the better you as an organization will be prepared.
Not all auditors may be willing to engage and maybe we just had a lucky draw with ours but keep in mind that they are not the enemy. Make a conscious effort to fend off the fear instinct and leverage their skills and knowledge to make your QMS better. The bottom line is that engaging your auditor and working with them as opposed to against them will have a positive effect on the entire experience.
9. Streamline 2008 and 2015 Documentation
As stated above, all organizations must maintain their 2008 QMS while they transition to ISO 2015. This can be a challenge during your audit. However, articulating the lines between the two can alleviate the pain and confusion (see conformance matrix recommendation in Tip #3 above). Issues arise when requirements are different between 2008 and 2015, particularly at the sub-clause level.
As a rule, we kept the 2008 requirements barely alive over the last 60 days and fully transitioned to the 2015 requirements. Some items, such as the Management Action Log (MAR) were used equally in both and were critical to documenting the transition.
As mentioned throughout this article, documentation associated with each process changed considerably. Our team made changes as part of the transition through Continuous Improvement actions. This allowed us to document the changes as “transition” changes and implement them before the audit saving considerable time and effort. In the end, the auditor focused on the new versions and we “alibied” gaps with the 2008 QMS artifacts.
Although this approach worked well, the need to balance both requirements resulted in some duplication to ensure we were covered. Prior to our 2018 re-certification audit, we will complete the transition and make the duplications obsolete and refine/reduce documentation through the continuous improvement process.
10. Don’t Lose Sight of the Objective
It’s easy to get bogged down on process development and review but keep the focus on making the QMS stronger, more efficient, and practical. Contrary to popular belief, passing the audit is not the overall objective of the ISO audit preparation process. Crazy thought right there!
The objective is to ensure and improve your organization’s ability to provide quality products and services. This means if you’re completing a task just for the sake of the audit, you should probably evaluate the need for that task. My point is, if you remain focused on what needs to be done to manage quality operations, the audit itself should require minimal additional work.
Regardless of schedule or QMS maturity, ISO Transition Teams face a daunting challenge of making considerable changes to receive the coveted ISO 9001:2015 certification. I sincerely hope the tips above ease the process in some way. If they do, I am happy that someone learned from my experience. Good luck on your re-certification (by 14 September 2018) as I ramp up for the ISO 9001:2015 surveillance audit in 2018.