When you decide to become ISO certified you go through a series of steps and the certification body you choose also goes through a series of steps. Some companies hire a QA or QHSE Manager to undertake this task whereas others bring in outside help. The path you choose really depends upon your budget and how much time you are able to spend on writing processes, policies, procedures, job descriptions, conducting audits, writing reports, performing an audit, etc.
The consultant and certification body you choose have a huge impact on the integrity and robustness of your system.
Internal and 3rd Party audits serve two purposes. The audit by the Certification Body is obviously to get the certificate. The initial internal audit is to ensure that the QMS/QHSE system is ready for the 3rd party audit and subsequent audits ensure that the system maintains its integrity.
This is where 3rd party auditors play a key role. If 3rd party auditors do a bad job during audits, it sends the wrong message to the company’s management and internal auditors. A bad audit may take place because (1) the auditor is inexperienced in the industry he is auditing, (2) he generally lacks audit experience or (3) it’s deliberate. It is the last of these that is the most worrying and is what I like to call a ‘fake audit’.
So what happens during these fake audits? Here are the signs to look for:
1. The consultant comes with a 2 in 1 package, i.e. get the consultancy and the certificate for one fee. In essence, well known Certification Bodies’ fees are not cheap for a reason and these are separate from the consultant’s fees.
2. A certificate is issued without an actual audit; maybe just after a meeting or a desktop audit.
3. If the auditor does turn up and conducts an audit, obvious major or numerous minor non-conformities are ignored. In other words non-conformities are not issued when they should be.
4. The Auditor says one thing to the Management Representative and another to the company management.
5. Instead of focussing on the audit, the auditor spends more time complaining about his job and wishing he worked in a company like yours. This might give an indication as to why he is being soft.
Therefore, it’s worth remembering that not all certificates are the same.
This article has been written by Birjees Hussain
Managing small business risks is often as simple as having someone else to open up for you if your main key-holder is delayed. Or having somewhere to divert your phone to if you’re unavailable. Or having a back-up plan in case your broadband service fails. These things might not initially seem worthy of a full risk analysis when compared to the risks faced by bigger organisations. But, if any of them actually happened, do you know how you would deal with them?
In its ISO 9001 definition, risk is the effect of uncertainty.
Not many of us have a crystal ball handy to gaze into and predict the future, but we can consider things which might reasonably happen.
In my earlier blog on risk management, I talked about risks in relation to quality and how they can arise internally and externally to your business. One really easy way to identify risks is simply to think about, and list, all the things that could realistically go wrong which would upset your customers or leave you unable to carry out your business.
- How much do you rely on your utilities services to be able to function?
- What would happen if a ‘flu epidemic wiped out half your employees for a week?
- How would you carry on if your landlord served notice on your business premises?
Using my tips on the Process Approach may help to identify where risks occur in your business processes.
Your own attitude to risk will differ from someone else’s so any steps you take to address risk may also be different. There is no one-size-fits-all approach.
Having said that, a fairly common method is to assess the likelihood of the risk occurring and the severity or impact if it does. You can score these out of 3 or 5, depending on your preference. Then multiply the likelihood by the impact to reach the overall risk score.
You decide the score threshold at which you need to take action to reduce or mitigate the risks. Anything above your threshold will need some action.
Considering plan B
The way you counter these risks may be different for each one identified.
Having a back-up plan for agency staff resources may be enough to satisfy the risk of large scale sickness absence. Or you could decide to provide everyone with a ‘flu jab each year. The point is that it’s up to you.
If access to the internet is essential to carrying out your everyday business activities, you may consider investing in a mobile broadband unit on a pay-as-you-go or a pay monthly contract. One of my clients did this just recently as a result of our earlier session on risks and opportunities. They even got to use it much sooner than expected when their office broadband failed.
The business benefits of managing risks can be diverse. Whether it’s managing your supply chain, ensuring profitability, securing funding for your next project through good governance and robust risk management or simply helping you sleep at night, taking action is the most positive step you can make.
The date on which the General Data Protection Regulation (GDPR) comes into effect is fast approaching. This new law affects almost all companies, but it can have a bigger effect on certified companies. Regardless of the certificate the company holds, all ISO certificates have the fundamental rule:
“The organization needs to demonstrate that they meet the legal requirements.”
This small but fundamental rule means that the certificates are only valid when an organization operates according to the law. Now we know that laws can be fluid and also contradictory depending on regions and countries, but we won’t go into this now. It is fair to say that all companies need to operate according to the GDPR. In this blogpost we provide some easy tips on how this can impact your management system. In the end a lot of companies treat compliance with laws in the same region as compliance with international standards.
There is a lot of data going through the company. In order to understand which data is stored where, classifying the data helps a lot. A good point to start with is classifying the data owners in line with the stakeholders identified in the stakeholder analysis. Most data can be classified into three categories: customers, employees and suppliers. When the type of stakeholder is known, it is important to classify the kind of data, such as: personal data, company data, payment data, etc. These classifications are highly dependent on the type of service or product you deliver. It is important to know where the data is stored. In order to have this overview you should map out all the products/services you have that hold any kind of data. Some topics we use for such a register are:
- Company name
- Contact person
- Purpose of data
- Type of Stakeholder
- Type of Data
- Contact details
- Payment details
- Personal details
- Duration of saving
- Agreement (PDF of contract)
On top of the register there are some processes that need to be added. People now have more rights, and in order to observe that it is important to document how you support these rights. Two important points here are:
- How is the organization going to make sure that people have the right to be forgotten? In essence, how are you going to delete all their data across all databases?
- How will the organization support a request from a customer to get an overview of all the information the organization holds on that person?
These are just two important questions, but it shows that clearly defined processes should be in place and therefore must be added in some way to the management system.
The impact on the organization can be quite significant. You need to assess whether a data protection officer is required. The three main assessment points are:
- Public authorities or bodies, except for courts acting in their judicial capacity.
- Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale’.
- Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information.
- Companies who process, on a large scale, personal data relating to criminal convictions and offences.
In case you are required to appoint a data protection officer it is good to include this in the management system, just like your prevention officer is part of the management system.
The last important part of the GDPR is that the organization has a clear policy on how to handle data and how to protect it. This policy should be readily available and easily accessible for stakeholders.
Impact on Management System
With the requirement to work according to the law and regulations, the GDPR has a clear impact on most management systems around the world. Due to the overlap in a lot of best practices within international standards, we recommend making the GDPR an integral part of your management system, and not treating it as a separate part.
If you want to know how you can structure a lot of the GDPR related activities within an integrated management system, just contact us.
The concept of risk-based thinking has been adopted explicitly by ISO 9001:2015 and replaces the previously stated requirement in ISO 9001:2008 for ‘preventive action’.
In ISO 9001, risk is defined as “the effect of uncertainty”. Therefore, risk management in relation to quality involves the identification, assessment and prioritisation of risks to product or service conformity. The purpose of this activity is to minimize the potential negative effects of opportunities and risks.
Risk in relation to quality
Quality risks to the company can arise both internally and externally. Internal risks include:
- storage of raw materials
- storage of finished products
- after-sales support
External risks, which could extend throughout the supply chain, include:
- legal/regulatory compliance
- suppliers/delivery partners
- political/social/economic factors
- special interest groups/action groups
- general public
Identifying and assessing risks
Tools and techniques to assist in the identification of such risks to quality include brainstorming, fault tree analysis, process mapping and failure modes and effects analysis (FMEA). Effective application of these tools can help to identify risks.
Options to address risks
Options for addressing risks include:
- avoidance of the source of the risk
- taking action to reduce the likelihood of the risk
- taking action to reduce the severity of the risk
- transferring the risk to a third party
- retaining the risk under informed decision (perhaps in order to pursue an opportunity)
Benefits of addressing risks
The benefits of addressing risks include:
- reduced likelihood of occurrence
- reduced insurance premiums
- added assurance for investors/shareholders
- improved customer satisfaction
- improved employee engagement
Following a thorough risk assessment of your business operations, you can formulate a comprehensive, robust and practical Business Continuity Plan and/or Disaster Recovery Plan. As a result, you are able to be proactive in identifying risks and addressing potential pitfalls. This is surely preferable to simply leaving your business success to chance.
Key Performance Indicators (KPIs) are a very important part of an (integrated) management system. They can show how well or badly the management system is functioning. However, we see a lot of KPIs defined and monitored by quality that mainly focus on compliance with standards, such as number of audits performed, number of inspections performed, number of sick days, etc. We do believe that when KPIs are more aligned with company goals, the impact of the management system will be a lot bigger. In line with that reasoning, you as a quality manager should own these KPIs. Make them your responsibility even though you might not have a direct effect on them. Simply own them and make the line managers or operational managers also part of that process in order for the alignment to work.
It Is Not About Absolute Figures
We are strong believers in ratios when it comes to KPIs, simply because a lot of one-dimensional figures don’t work when the company gets bigger. When you have more orders there is a good chance more things can go wrong and more people get ill, so use ratios.
Some great examples include recalls per X units manufactured or issues per Y units purchased from supplier B. Ratios allow for scaling whilst still giving great insight.
Align with Business
In order for the business to get some real value out of the management system make sure the KPIs are aligned with its goals. For example, track quality issues per model or per project and put a financial figure to it. Even though the figure might not be very accurate, it is so much better than working with nothing at all.
With this setup you as a quality manager can directly show the impact on the business. Costs of quality have a direct negative effect on the company’s bottom line. Make sure this is well understood by everybody in the organization.
In order to show management that you are serious, make sure you own the KPIs and do whatever it takes to improve them. Set goals for the company based on the performance of last year or quarter. Showing ownership proves you take it seriously. Go and talk with operational managers and discuss how the company can reach these goals, and what kind of processes need to be improved. Involve the line manager in the process of setting these goals, then celebrate reaching these goals with them and give them credit for it.
So in order for top management to not take the management system for granted, make sure it adds value and show how it helps the company to increase the bottom line.
We have helped a lot of companies to gain insight into their cost of quality in order to move to an improvement approach. Top management can directly see what the (integrated) management system brings them and how it adds value to the company, on top of staying compliant. Do you want to know how Qooling can help your organization with this? Just contact us.
Top Management Audits
There are two common types of Quality Management System audits. There’s the company’s 1st party audit where the organisation audits itself. This type of audit is more commonly known as an Internal Audit. Then there is the 3rd Party Audit, usually carried out by your chosen certification body. Regardless of which audit is in process, both almost always have one failing in common. Top Management is almost always excluded from the scope of the audit.
There could be a number of reasons why this is the case, not the least of which could be because staff charged with performing these audits, including the Management Representative, may be afraid of speaking to a director or an MD or are afraid of asking tough questions for fear of reprimand.
But let’s say that you have been encouraged by top management to do just that. So what should you be asking? Here are the top 5 questions that effective audits reveal about top management’s commitment.
- What is their vision for the company? Is that vision documented somewhere and, if so, how is it communicated to all staff and not just those immediately below them?
- What overall Key Performance Indicators (KPIs) have they set and do they cascade this information down the organisation in such a manner that all staff understand what is required of them to achieve those objectives? Even a staff member at the lower echelons of the organisation should be made aware of what he is required to do and how important his role is in achieving those KPIs.
- What resources have they budgeted for to ensure that the Quality Management System functions effectively and that their Quality Policy is fulfilled? The fewer the resources, the more the QMS department will struggle to get things done and vice versa.
- What is their role in the Quality Management System and how do they show their commitment to their staff? Their commitment and the way they get involved in the system is an indicator of the level of buy-in across an organisation and how well the system is adhered to.
- And finally, how often are Management Reviews held? When was the last review? Who was present and what were the key decisions that came out of that meeting? What happens to the minutes once they are recorded and to whom are they circulated? There is no point to these reviews if they are held just because the standard mandates it.
This article has been written by Birjees Hussain
The selection and management of suppliers is an important part of maintaining the quality of the product or service you provide. No single company is able to deliver their service or product without suppliers. A company cannot simply produce everything that is needed; therefore managing suppliers is crucial to success. That is also why it has such an important position within a lot of the international standards such as ISO 9001. The most important suppliers are of course the critical suppliers. It is vital to manage these suppliers rigorously because the quality of your product/service is dependent on it.
The first thing in selecting trusted suppliers is having clear and measurable selection criteria. Create a list of criteria the supplier needs to fulfill before even considering the company as a supplier. Some criteria can be:
- Quality of product/service
- Are there clear quality checks
- Skilled personnel
- Check the employees
- Time management
- How is the delivery time
- Do they come up with acceptable timeframes and stick to them
- Do they communicate when something is off
- Is there a clear way of communication
These criteria can be checked via an audit or a pilot purchase. It is important to carry out some tests before making the supplier a critical supplier. The trial purchase can give a good feeling of the quality of the supplier. During the selection process try to avoid the five most common mistakes.
When the supplier has been selected it is important to have a clear method to track your critical supplier. Define KPIs, track them on a fixed time frame and make sure the supplier gets insight into them. Some KPIs can be:
- On time delivery
- Failure of incoming quality checks
- Failure of on time communication in case of delay
Of course there can be a lot of different KPIs, but just create 2 or 3 and manage them. An overload of KPIs will only make it more confusing. These KPIs can be easily changed. Online quality management systems make it very easy to keep track of these KPIs.
Good luck managing your suppliers!
How to Include Risk Management into Your CAPA?
Even though preventive action is no longer part of the terminology of the ISO 9001:2015 standard, a lot of people still use the phrase CAPA (corrective and preventive actions). CAPAs have been around for quite a while and are a crucial part of continuous improvement for a lot of companies. With the new risk-based thinking coming in, it can be good practice to make risk management part of the CAPA strategy.
CAPA has been used a lot as a way to take action on incidents or issues that happened within a company. By deploying a strategy of corrective and preventive actions, the company tries to prevent these incidents from happening in the future.
The CAPA strategy allows companies to see what went wrong and forces them to think about proper actions on how to solve and prevent it. Because the output is an actionable list, every person involved in resolving the issues knows exactly what to do and when to do it. When all actions are taken the results are verified and checked for effectiveness. This way companies can clearly see the actual impact of the actions on the organization.
Risk Management Within CAPA
By adding risk-based thinking into the CAPA, companies can keep their risk management up to date and lively. Whenever a CAPA strategy is created it is crucial to check the risks that are involved in that part of the organization. The very fact that something happened means that there is a risk in that particular part of the organization. Updating the risk management is important to keep the organization in line with the current situation. By incorporating the risk management, new actions are developed to reduce the risk for the company.
How to Do It?
Automation is there not only to help with the CAPA strategy, but also with the risk management strategy. Easily distributing the different corrective and preventive actions to the designated owners helps in tracking the progress of the strategy. Also, the ability to directly connect the different actions to the risks makes for much better traceability of the actions and their origin. This way the people in charge of quality and safety are more in control of the process.
If you want to know how Qooling can help you in managing your CAPA strategies, just drop us an email.
A quality management system for good and socially responsible business.
With the increasing pressure on efficiency and costs, we see the attention to quality management evaporate, as if it were a luxury that organizations can hardly afford beyond at least keeping an existing certification. Yet an efficiently operating quality management system is just as important today as ever before.
The basis for a quality management system is to make work processes clear in relation to the output (customer service), the effort to be provided, other resources (money, for example) and the content quality aspects for the customer and the staff. That transparency, plus verifiable compliance with what has been specified, provides reliable and certifiable service as a basis for financing and customer trust.
At the same time, it is a basis for critical review of the efficiency of those work processes. Is there, in “lean” terms, “waste”: energy wasted on issues that do not contribute to the customer and the quality to be delivered? Are quality and effort in balance? A quality management system is not ‘complete’ after certification, but must constantly be used for continuous improvement of efficiency, customer satisfaction and quality.
And for those who still find it quite luxurious: it provides a basis for communicating with clients or financiers about that balance, and a reasoned counterweight to pressure to work below cost price, for example. An organization that has its quality management system in order and insight into its processes is many times stronger against cuts and irresponsible financiers.
Finally, let’s not forget the staff. Insightful work processes that focus on client and staff interests contribute to motivation and productivity, lower absenteeism and better self-responsibility in the workplace – to self-governing teams.
In short: an efficient quality management system (supported by a good planning / control cycle and a risk management system) is the basis for healthy and socially sustainable business management.
This article has been written by Jantina van Rossum of iConact.