Category Archives: iso9001:2015

GDPR in Quality Management

The date on which the General Data Protection Regulation (GDPR) comes into effect is approaching. This new law affects almost all companies, but it can have a bigger effect on certified companies. Regardless of the certificate the company holds, all ISO certificates have the fundamental rule:

“The organization needs to demonstrate that they meet the legal requirements.”

This small but fundamental rule means that the certificates are only valid when an organization operates according to the law. Now we know that laws can be fluid and also contradictory depending on regions and countries, but we won’t go into this now. It is fair to say that all companies need to operate according to the GDPR. In this blog post we provide some easy tips on how this can impact your management system. In the end a lot of companies treat compliance to laws in the same region as compliance to international standards.

The Data

There is a lot of data going through the company. In order to understand which data is stored where, classifying the data helps a lot. A good point to start with is classifying the data owners in line with the stakeholders identified in the stakeholder analysis. Most data can be classified into three categories: customers, employees and suppliers. When the type of stakeholder is known, it is important to classify the kind of data, such as: personal data, company data, payment data, etc. These classifications are highly dependent on the type of service or product you deliver. It is important to know where the data is stored. In order to have this overview you should map out all the products/services you have that hold any kind of data. Some topics we use for such a register are:

  • Company name
  • Contact person
  • Purpose of data
  • Type of Stakeholder
    • Customer
    • Employee
    • Supplier
  • Type of Data
    • Contact details
    • Payment details
    • Personal details
  • Duration of saving
  • Agreement (PDF of contract)

Management System

On top of the register there are some processes that need to be added. People now have more rights, and in order to observe that it is important to document how you support these rights. Two important points here are:

  • How is the organization going to make sure that people have the right to be forgotten? In essence, how are you going to delete all their data across all databases?
  • How will the organization support a request from a customer to get an overview of all the information the organization holds on that person?

These are just two important questions, but it shows that clearly defined processes should be in place and therefore must be added in some way to the management system.

Organizational Impact

The organizational impact can be quite significant. You need to assess whether a data protection officer is required. The three main assessment points are:

  • Public authorities or bodies, except for courts acting in their judicial capacity.
  • Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale’.
  • Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information.
  • Companies who process, on a large scale, personal data relating to criminal convictions and offences.

In case you are required to appoint a data protection officer it is good to include this in the management system, just like your prevention officer is part of the management system.

Policies

The last important part of the GDPR is that the organization has a clear policy on how to handle data and how to protect it. This policy should be readily available and easily accessible for stakeholders.

Impact on Management System

With the requirement to work according to the law and regulations, the GDPR has a clear impact on most management systems around the world. Due to the overlap in a lot of best practices within international standards, we recommend making the GDPR an inclusive part of your management system, and not treating it as a separate part.

If you want to know how you can structure a lot of the GDPR related activities within an integrated management system, just contact us.


Risk management in relation to quality

The concept of risk-based thinking has been adopted explicitly by ISO 9001:2015 and replaces the previously stated requirement in ISO 9001:2008 for ‘preventive action’.

In ISO 9001, risk is defined as “the effect of uncertainty”. Therefore, risk management in relation to quality involves the identification, assessment and prioritisation of risks to product or service conformity. The purpose of this activity is to minimize the potential negative effects of opportunities and risks.

Risk in relation to quality

Quality risks to the company can arise both internally and externally. Internal risks include:

  • shareholders
  • employees
  • equipment
  • technology/software
  • storage of raw materials
  • storage of finished products
  • after-sales support

External risks, which could extend throughout the supply chain, include:

  • landlord
  • legal/regulatory compliance
  • suppliers/delivery partners
  • clients/customers
  • political/social/economic factors
  • special interest groups/action groups
  • general public

Identifying and assessing risks

Tools and techniques to assist in the identification of such risks to quality include brainstorming, fault tree analysis, process mapping and failure modes and effects analysis (FMEA). Effective application of these tools can help to identify risks.

Options to address risks

Options for addressing risks include:

  • avoidance of the source of the risk
  • taking action to reduce the likelihood of the risk
  • taking action to reduce the severity of the risk
  • transferring the risk to a third party
  • retaining the risk under informed decision (perhaps in order to pursue an opportunity)

Benefits of addressing risks

The benefits of addressing risks include:

  • reduced likelihood of occurrence
  • reduced insurance premiums
  • added assurance for investors/shareholders
  • improved customer satisfaction
  • improved employee engagement

Following a thorough risk assessment of your business operations, you can formulate a comprehensive, robust and practical Business Continuity Plan and/or Disaster Recovery Plan.  As a result, you are able to be proactive in identifying risks and addressing potential pitfalls.  This is surely preferable to simply leaving your business success to chance.

This article has been written by Lucy Payne of valeqms.co.uk


KPI management

Key Performance Indicators (KPIs) are a very important part of an (integrated) management system. They can show how well or badly the management system is functioning. However, we see a lot of KPIs defined and monitored by quality that mainly focus on compliance to standards, such as number of audits performed, number of inspections performed, number of sick days, etc. We do believe that when KPIs are more aligned with company goals, the impact of the management system will be a lot bigger. In line with that reasoning you as a quality manager should own these KPIs. Make them your responsibility even though you might not have a direct effect on them. Simply own them and make the line managers or operational managers also part of that process in order for the alignment to work.

It Is Not About Absolute Figures

We are strong believers in ratios when it comes to KPIs, simply because a lot of one-dimensional figures don’t work when the company gets bigger. When you have more orders there is a good chance more things can go wrong and more people are getting ill, so use ratios.

Some great examples include recalls per X units manufactured or issues per Y units purchased from supplier B. Ratios allow for scaling whilst still giving great insight.

Align with Business

In order for the business to get some real value out of the management system make sure the KPIs are aligned with its goals. For example, track quality issues per model or per project and put a financial figure to it. Even though the figure might not be very accurate, it is so much better than working with nothing at all.

With this setup you as a quality manager can directly show the impact on the business. Costs of quality have a direct negative effect on the company’s bottom line. Make sure this is well understood by everybody in the organization.

Own Them

In order to show management that you are serious, make sure you own the KPIs and do whatever it takes to improve them. Set goals for the company based on the performance of last year or quarter. Showing ownership proves you take it seriously. Go and talk with operational managers and discuss how the company can reach these goals, and what kind of processes need to be improved. Involve the line manager in the process of setting these goals, then celebrate reaching these goals with them and give them credit for it.

So in order for top management to not take the management system for granted, make sure it adds value and show how it helps the company to increase the bottom line.

We have helped a lot of companies to gain insight into their cost of quality in order to move to an improvement approach. Top management can directly see what the (integrated) management system brings them and how it adds value to the company, on top of staying compliant. Do you want to know how Qooling can help your organization with this? Just contact us.

5 Questions That Reveal Management Commitment

Top Management Audits

There are two common types of Quality Management System audits. There’s the company’s 1st party audit where the organisation audits itself. This type of audit is more commonly known as an Internal Audit. Then there is the 3rd Party Audit, usually carried out by your chosen certification body. Regardless of which audit is in process, both almost always have one failing in common. Top Management is almost always excluded from the scope of the audit.

There could be a number of reasons why this is the case, not the least of which could be because staff charged with performing these audits, including the Management Representative, may be afraid of speaking to a director or an MD or are afraid of asking tough questions for fear of reprimand.

But let’s say that you have been encouraged by top management to do just that. So what should you be asking? Here are the top 5 questions that effective audits reveal about top management’s commitment.

  1. What is their vision for the company? Is that vision documented somewhere and, if so, how is it communicated to all staff and not just those immediately below them?
  2. What overall Key Performance Indicators (KPIs) have they set and do they cascade this information down the organisation in a manner that all staff understand what is required of them to achieve those objectives? Even a staff member at the lower echelons of the organisation should be made aware of what he is required to do and how important his role is in achieving those KPIs.
  3. What resources have they budgeted for to ensure that the Quality Management System functions effectively and that their Quality Policy is fulfilled? The fewer the resources, the more the QMS department will struggle to get things done and vice versa.
  4. What is their role in the Quality Management System and how do they show their commitment to their staff? Their commitment and the way they get involved in the system is an indicator of the level of buy-in across an organisation and how well the system is adhered to.
  5. And finally, how often are Management Reviews held? When was the last review? Who was present and what were the key decisions that came out of that meeting? What happens to the minutes once they are recorded and to whom are they circulated? There is no point to these reviews if they are held just because the standard mandates it.

 

This article has been written by Birjees Hussain


How to Manage Suppliers

The selection and management of suppliers is an important part of maintaining the quality of the product or service you provide. No single company is able to deliver its service or product without suppliers. A company cannot simply produce everything that is needed; therefore managing suppliers is crucial to success. That is also why it has such an important position within a lot of the international standards such as ISO 9001. The most important suppliers are of course the critical suppliers. It is vital to manage these suppliers rigorously because the quality of your product/service is dependent on it.

Selecting Suppliers

The first thing in selecting trusted suppliers is having clear and measurable selection criteria. Create a list of criteria the supplier needs to fulfill before even considering the company as a supplier. Some criteria can be:

  • Quality of product/service
    • Are there clear quality checks?
  • Skilled personnel
    • Check the employees
  • Time management
    • How is the delivery time?
    • Do they come up with acceptable timeframes and stick to them?
  • Communication
    • Do they communicate when something is off?
    • Is there a clear way of communication?

These criteria can be checked via an audit or a pilot purchase. It is important to carry out some tests before making the supplier a critical supplier. The trial purchase can give a good feeling of the quality of the supplier. During the selection process try to avoid the five most common mistakes.

Managing Suppliers

When the supplier has been selected it is important to have a clear method to track your critical supplier. Define KPIs, track them on a fixed time frame and make sure the supplier gets insight into them. Some KPIs can be:

  • On time delivery
  • Failure of incoming quality checks
  • Failure of on time communication in case of delay

Of course there can be a lot of different KPIs, but just create 2 or 3 and manage them. An overload of KPIs will only make it more confusing. These KPIs can be easily changed. Online quality management systems make it very easy to keep track of these KPIs.

Good luck managing your suppliers!


Risk management in CAPA

How to Include Risk Management into Your CAPA?

Even though preventive action is no longer part of the terminology of the ISO 9001:2015 standard, a lot of people still use the phrase CAPA (corrective and preventive actions). CAPAs have been around for quite a while and are a crucial part of continuous improvement for a lot of companies. With the new risk-based thinking coming in, it can be good practice to make risk management part of the CAPA strategy.

Vanilla CAPA

CAPA has been used a lot as a way to take action on incidents or issues that happened within a company. By deploying a strategy of corrective and preventive actions, the company tries to prevent these incidents from happening in the future.

The CAPA strategy allows companies to see what went wrong and forces them to think about proper actions on how to solve and prevent it. Because the output is an actionable list, every person involved in resolving the issues knows exactly what to do and when to do it. When all actions are taken the results are verified and checked for effectiveness. This way companies can clearly see the actual impact of the actions on the organization.

Risk Management Within CAPA

By adding risk-based thinking into the CAPA, companies are able to keep their risk management up to date and lively. Whenever a CAPA strategy is created it is crucial to check the risks that are involved in that part of the organization. The very fact that something happened means that there is a risk in that particular part of the organization. Updating the risk management is important to keep the organization in line with the current situation. By incorporating the risk management, new actions are developed to reduce the risk for the company.

How to Do It?

Automation is there not only to help with the CAPA strategy, but also with the risk management strategy. Easily distributing the different corrective and preventive actions to the designated owners helps in tracking the progress of the strategy. Also, the ability to directly connect the different actions to the risks makes for much better traceability of the actions and their origin. This way the people in charge of quality and safety are more in control of the process.

If you want to know how Qooling can help you in managing your CAPA strategies, just drop us an email.


Why Quality Management

A quality management system for good and socially responsible business.

With the increasing pressure on efficiency and costs, we see the attention to quality management evaporate, as if it were a luxury and organizations could hardly afford more than keeping at least an existing certification. Yet an efficiently operating quality management system is just as important today as ever before.

The basis

The basis for a quality management system is to make work processes clear in relation to the output (customer service), the effort to be provided, other resources (money, for example) and content quality aspects for the customer and the staff. That transparency, plus verifiable compliance with what has been specified, provides reliable and certifiable service as a basis for financing and customer trust.

At the same time, there is a basis for critical review of the efficiency of those work processes. Is there, in “lean” terms, “waste”: energy wasted on issues that do not contribute to the customer and the quality to be delivered? Are quality and effort in balance? A quality management system is not ‘complete’ after certification, but must constantly be used for continuous improvement of efficiency, customer satisfaction and quality.

Luxurious

And for those who still find it quite luxurious: it provides a basis for communicating with clients or financiers about that balance, and a reasoned counterweight to pressure to work below the cost price, for example. An organization that has its quality management system in order and has insight into its processes is many times stronger against cuts and irresponsible financiers.

Finally, let’s not forget the staff. Insightful work processes that focus on client and staff interests contribute to motivation and productivity, lower absenteeism and better self-responsibility in the workplace – to self-governing teams.

In short: an efficient quality management system (supported by a good planning / control cycle and a risk management system) is the basis for healthy and socially sustainable business management.

This article has been written by Jantina van Rossum of iConact.

How to Handle Risk Management.

An organization cannot exist without taking any risks. The question is, how to manage those risks to improve predictability and reduce the level of risk?

Don’t make risk management an expensive and time-consuming project.

Too often risk management is seen as a time-consuming exercise. I personally believe that this is unnecessary. When we talk about strategic risk management, it is possible to have just one or two sessions of about 1.5 hours with the top management to list all the risks.

Focus on the top 10 risks

Make sure the focus is on the top 10 most important risks and don’t bother working on all the risks for the moment. It is important to assess the risks by next year, as by then you can focus on the other risks to the organization.

Align the company objectives with the risks

To accomplish this, start with the stakeholder analysis including the objectives of every stakeholder related to the company. This helps you focus on the important risks that have a direct effect on the stakeholders and the objectives.

Internal communication

It is very important that the employees support the risk management. In order to increase support it is essential to communicate the importance of the risks and that people understand why certain actions are taken.

Have a clear division of tasks

After all risks are registered it is important to assign owners to certain tasks, preferably people in higher management positions. They will then be responsible for the corrective and preventive actions taken to reduce the risk levels. The managers can give certain tasks to other employees but they are responsible for the risk.

Go further than only financial risks

Most companies have the financial risks in order due to the yearly check by an accountant. There are more than just direct financial risks for an organization. Make sure you also think about the broader picture than pure financial risks.

Use risk management as a guide for management

Risk management is much more than just listing all the risks. It is an instrument to help management get a good picture of the risks involved. Next to this, it is a great tool to perform and manage corrective and preventive actions based on these risks. Furthermore, it holds some great input for the yearly management and the actions give a good measure on how management performs.

 

This article has been written by Jantina van Rossum of iConact.


Root cause analysis: Cause and Effect

A proper root cause analysis can be the difference between making money and losing money. The analysis is designed to get into the detailed fundamental causes of the issue, without any bias. The cause and effect analysis will lead to significant insight into why things went wrong.

It is very easy to come up with a result that describes the person that made the mistake. However, it is important to always go deeper than the particular person. When a person messes up there is almost always a more fundamental problem to the issue. This could include things like:

  • Lack of training
  • Company culture
  • Hiring the wrong people

These things can lead to people messing up for all kinds of reasons. However, the company can change these things to reduce the number of issues, for example by changing the recruitment plan or sending people to training. In the next part we will describe the Cause and Effect methodology.

Cause and Effect

With a cause and effect diagram you start off with an effect or outcome you want to analyze. This effect may be positive or negative but has to be described as clearly as possible. Then the main causes are identified. The main causes that might have led to the effect could be the following 5M’s for a manufacturing plant:

  • Machine
  • Method
  • Material
  • Man / mind power / personnel
  • Measurement / medium

When the main causes of the issue are identified, the next step is to identify as many causes as possible that might have led to the effect. Classify the causes according to the main causes and place these below them. This will lead to a result like this.

To go one level deeper you can ask why a certain cause happened. This will give more detailed insight into this cause. Create another layer of causes that are linked to this, for example speed or temperature.

When the diagram is ready you can analyze the information. The main causes with a significant number of causes under them need some further investigation. Also, when a certain cause shows up multiple times this might be the root cause. Then look for clusters: when there are a couple of causes close to each other, that is something that needs your attention. The same is true when there are very few causes; you might need to further investigate these and why there are so few. To really start improving, identify the causes you can take actions on and put these actions in the action list with clear owners of each action.

Next post we will dive deeper into the 5 Why’s.
