ISO 9001, an international standard for Quality Management System (QMS) requirements were revised on Sept 2015. This widely implemented standard has close to 1.2 million certifications worldwide. ISO 9001 requirements first released in 1987 underwent major changes in 2000 and again in 2015. There are several new requirements added to the new revision. However, I will briefly discuss only the requirements that may be of interest to readers of this magazine.
Context of the Organization
The international standard requires the organization to determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. Examples of external issues could be threats to information security, availability of key talents due to changes in Immigration policies. Internal issues examples could be alack of IT infrastructure to support strategic goals and objectives. Items like this are typically reviewed at the strategic planning process.
Interested Parties and Requirements
There is a requirement to identify all relevant interested parties to your management systems and their requirements. As an IT team, typically interested parties are organization’s customers, internal users (employees), subcontractors, Outsource service providers, organization’s shareholders (or owners), regulatory bodies, even your competition and opposing pressure groups like the lobby. All these interested parties have requirements. Organization’s customer and internal users require a secure and reliable IT system. Subcontractors and outsource providers require clearly defined statement of work, service level agreements and satisfaction of economic benefits. Shareholders and owners want to ensure return on their investment and increasing growth on market share and profits. Regulatory bodies require organizations to comply with regulations. Competition wants to leap ahead. By doing adequate market intelligence, your organization requires outpacing your competitions. Your policy management team should stay keeping themselves abreast of market policy changes like net neutrality and privacy policies to assess impact to your business. By getting your IT team brainstorm, identifying all relevant interested parties as applicable to your organization and their requirements, you will be able to develop a management system that is both customers focused and business value added.
The standard also assigns responsibility for the management system to your top management for demonstrating leadership and commitment with respect to the quality management system. This is accomplished by ensuring that the resources needed for the quality management system are available to your staff. The resources include people, process, infrastructure, software, hardware, mobility, storage, work environment, etc. and everything that is required to make your organization’s system more effective.
"Organization’s customer and internal users require a secure and reliable IT system"
Risk Based Thinking
One of the key concepts added to the new version is “Risk Based Thinking.” Annex A.4 of ISO 9001 state that “One of the key purposes of a quality management system is to act as a preventive tool.” In order to prevent major issues, proactively anticipate issues, exploit new opportunities, your organization should periodically identify new risks, evaluate existing risks, and plan actions to address these risks and opportunities. Most mature organizations have an Enterprise Risk Management (ERM) process in place. However, from my experience, organizations do not consider IT related risks as high as a potential for a product recall or loss of market share. This is changing with the recent string of IT security compromises and losses to organizations due to a security vulnerability. I will be not surprised if IT Risk makes it to the top 5 ERM risks in any organization. Now to the opportunities, for IT as an organization opportunity exists in the development of Artificial Intelligence, big data analytics, and other new trends. By having these technologies and ideas input into your Strategic Planning process, your organization can get visibility into IT’s key role in organization’s success.
ISO 9001 standard finally caught up to the electronic document and data management in the current version. It now requires control to ensure that documented information are “adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).” This may involve security features like biometrics, data encryption where required, the reliability of storage infrastructure, and protection of intellectual property assets.
This standard requires organizations to determine, provide, and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services. If you are a manufacturing organization, IT infrastructure to provide adequate inline inspection and testing is to ensure conformity to products. This software requires configuration management control, compatibility with an operating environment, resource to periodically update the software application with new requirements from customers and other interested parties. For a service organization, IT infrastructure could offer a 24x7 access to organization’s web portal, place an order, and engage in transactions without compromise to personal data. Any issues could potentially result in customer dissatisfaction and loss of market share.
This is a new requirement that IT function can very much relate. Standard requires that organizations determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. While this applies to both organization’s core product and services, support functions like IT, the main question here is how IT can help support managing organizational knowledge? Organizations rarely learn from their past experience. This is not because that people are reluctant. There is no designed infrastructure to enable such learning. Products fail at the field and customers complain about poor services. Organizations perform extensive analysis on such failures and collect knowledge. However, the closed loop feedback loop connecting such knowledge and learning to the front-end planning and design of products and service offerings is often ineffective.
There are many Quality Management System software applications in the market. These applications address commonly used business processes and I am yet to see an application that captures knowledge and make it available to target employees when and where required. Typically, organizations work around this need by circulating whitepapers, internal meetings, or an accidental encounter with the affected work group. IT can play a key role in making this connection (where possible real time) so organizations can prevent recurring issues. This recurring failure is the huge cost of poor quality and erodes away the profit margins. Once the issues start to recur too often, people get numb and the natural tendency is to find containment rather than solving the issue once and for all to prevent recurrence. People will be willing to live with an expensive containment. From my experience as a quality professional, this is mainly due to lack of sharing the lessons learned from earlier experiences. How can IT function help collect new knowledge, maintain existing knowledge, review periodically for addressing changing needs and trends to keep our organization’s knowledge current? How to disseminate the necessary knowledge “on demand” to employees to deliver quality products and services? Once organization’s top management and head of the IT function figure this out, organizations will start to see reduced waste, improved productivity, and bottom line, and enhanced customer satisfaction.
In summary, ISO 9001 is not a standalone quality function. It is the way that we all do our business. ISO 9001 is applicable to all functions, departments, processes, and employees in an organization and IT is not an exception. I recommend that you sit with your organization’s head of quality and start the conversation. You will be delighted to know what we have in common in meeting quality and keeping our customers happy!