ISO-9001:2015 – eight months later…

ISO-9001:2015 – eight months later…

The newest version of the ISO9001 family was released last fall in September 2015. In response to the release, a bumper crop of consultants, experts in risk management and risk-based thinking, have overtaken the QMS industry like spring dandelions in a grassy field. Indeed, the ISO-related forums on LinkedIn have erupted with thread after thread of expert opinions on how risk management MUST be a requirement – well, just because. After all, if ASQ and registrars across the globe are offering Risk Management training classes and implementation classes, then all of this MUST be true. Well, isn’t it…?

Let’s look at some of the reactions from implementing the standard.

  1)      It remains unclear, like next week’s weather forecast, that a quality manual is a necessity. While the original elements for a quality manual from the 2008 standard still exist in the 2015 flavor, though re-arranged like peas underneath walnut shells, the fact that the standard does not prescribe a quality manual does not mean one can simply eliminate it without aftershock. Many consultants call it a business management manual, others continue to broadcast that no such creature exists, just because the standard no longer requires it.

The confusion trickles down to the organizational level: quality managers broadcast their confusion from the standard in the LinkedIn forums, even though the DIS was available for a long time BEFORE the September 2015 release date.

While it's undersandable that some learning curve is expected - yet some of the questions are head-scratchingly fundamental. 

2 )      Transition gap assessments, the latest fashion rage, are intravenously fed to the client to enable the transition to the 2015 standard. In the same vein, internal audits are denounced as “improper” and “unacceptable” as an effective tool for assessing the existing QMS for transition planning.

And why is this?

Internal audits provide an excellent assessment of current-state conformity, if properly done. For future-state conformity assessment, simply perform the internal audit against the 2015 standard. Voila! Instant assessment of current and future state QMS conformity.

Of course, the crop of consultants seems to have forgotten (or ignored) the TC176 cross reference matrix, released in July 2014. Oops.

3)      What in Ned is a “risk register”? Risk registers are another consultant-created response to so-called risk management requirements. None of them are, of course, a requirement – simply read Annex A.4 of the standard. Even under AS9100C, there are no requirements for “risk registers”. One colleague asked me a very intelligent question – if risks are identified on the register, what is the condition to remove or no longer track –even consider – the risk as a risk?

My response was simple - provide objective evidence that the risk has been determined to be “not a risk”. It’s that simple, folks. The organization makes this determination, not the CB, not the CB auditor. If the CEO provides a statement to the auditor, “Last week, I decided it isn’t a risk. Now go away.”, then this CEO’s testimony is evidence. Case closed. The risk is no longer a risk.

But – and here’s the addition to the cure – once risk registers are implemented in the QMS, one has to use them for everything where a “risk” might pop up: corrective actions, internal audits, accounts payable and accounts receivable, control of nonconforming material, MRB activities, document control, design and development activities, verification and validation activities. Everywhere. There’s no escaping it. One now suffers from the cure.

4)      Back to the gap assessment. Ever hear of a document titled, “N1224 ISO-9001 Correlation Matrices”? It was issued back in July 2014, based on the then-DIS. There’s very little delta between the DIS, the FDIS, and the final released standard. Reading the details in this devil, one can easily determine what requirements are new…there existed only THREE new requirements. The proof of this is left as an exercise for the student…and consultant.

The creators of the document, TC176, stated that after the standard was released, the document would be revised. “An updated version of this document will be made available once the next edition of ISO 9001 has been published…“

It’s eight months later, and we’re still waiting…

5)      And for the coup de grâce, nowhere is risk-based thinking defined. Nowhere. It's still "a concept."

In a future article, we’ll describe some of the confusion encountered from implementing the new language of the 2015 standard. I daresay that volumes of PhD doctorates will be published. Teaser: the organization can retain ALL language from the 2008 version in its 2015 QMS.

Summary

ISO 9001:2015 remains a head-shaking experience for users and organizations. Does it bring value to the organization and to its customers? Is it gentler and kinder like the new IRS? Unfortunately, the ISO 9001 standard is a result of a group who decided to reinvent the wheel, like someone named Clinton who tried to re-invent government. Chaos exists – perhaps to the advantage of the weed-like QMS consulting industry. Everyone’s an expert where none previously existed or was needed.

Guidance and advice are important, to be sure. You get what you pay for.

Please, continue to read my past RBT and risk-related blog articles here on my blogsite. And, guess what? It’s all free!

http://lawrence-international-llc.blogspot.com

Check me out on LinkedIn - www.linkedin.com/in/larry-caracciolo-bb63782