GxP Lifeline

The Most Important Four-Letter Words in ISO 9001:2015



If transitioning to the new ISO 9001:2015, be very familiar with both four-letter words emphasized in the document: risk and plan.

Most organizations are well under way with the transition to the new ISO 9001:2015. As such, you should be very familiar with the emphasis on two four-letter words found throughout the document: risk and plan. While these words are emphasized throughout the document, they aren’t new within the business or quality management systems. Risk-based thinking is something we all do every day and has always been important in business management. Now that the new ISO standard requires the quality management system to be aligned with business strategy, the use of risk management allows for greater flexibility and less prescription. Additionally, the use of risk is considered a preventive tool, and since it has been integrated throughout the standard, the specific clause for preventive action was eliminated from the standard. Clause 6.1 of the ISO 9001:2015 standard has formalized the use of risk-based thinking within the quality management system. The standard identifies the following benefits of implementing risk-based thinking within the business:

  • Assurance the quality management system can achieve intended results
  • Enhance desirable effects of the system
  • Prevent or reduce undesired effects
  • Achieve improvement

While there is an expectation for organizations to base decisions on risks and opportunities, there is no requirement for a documented procedure or specific format. That is a decision the organization can make to assure the approach and format are suitable for the business. There is an expectation for the organization to document the risks and/or opportunities and actions taken to address them. These risks/opportunities and actions must be evaluated and reviewed on a regular basis. It is also a requirement to present the status in Management Review. Most organizations are familiar with the FMEA (Failure Modes and Effects Analysis) for product and process risks. We have been using risk management in these areas for years. As you become more familiar with the standard, you will see the importance of reviewing these documents and keeping them updated over time.

Take, for example, the complaint management process. If a complaint has been determined to be a product or process issue, the original risk assessment should be evaluated to determine what might have happened. If the issue had been identified in the original risk assessment, was it mitigated? If so, was the mitigation appropriate and validated? If not, how was it missed? This approach should be considered to reduce and/or eliminate the potential for complaints.

A similar approach can be used for business risks. As you proceed through the transition to the new standard, you will be evaluating potential business risks/opportunities. When you determine/evaluate the context of the organization and the interested parties, you should consider business risks that have already been identified. I strongly urge you to get a copy of the business strategy document. I am sure the leadership team has something in place that they use for setting goals and objectives. This strategy should have the internal and external issues identified (required by Clause 4.1). There may also be a SWOT (strength, weakness, opportunity, threat) document in place. These are great sources of information for determining the risks and opportunities. They may also identify the interested parties and requirements (Clause 4.2). Leverage the information already available as it will help you to integrate the quality management system (QMS) with business strategy more effectively. As you evaluate the current processes for gaps or applicability, consider any potential risks or opportunities for the business. These decisions can be used to justify non-applicability where appropriate. Clause 4.3 requires risk-based decisions to support the determination of the scope of the QMS.

The second four-letter word

The other big four-letter word is plan. The 2008 version of the standard called for quality plans, so this really isn’t anything new. Essentially, the 9001:2015 standard states in Clause 6.3, “When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner.” In other words, any changes you make to the QMS or business should be done in a controlled manner through a documented plan. The difference between chaos and controlled chaos can be a simple quality plan!

  • Internal audit plans
  • Corrective action plans
  • Resource plans
  • Production plans
  • Design development plans
  • Calibration/maintenance plans

Take credit for what you are already doing! You don’t have to re-invent the wheel. Just think about the types of plans you already keep as you work your way through the standard. When documenting quality plans, you must consider the following:

  • Purpose of the changes and potential consequences
  • Integrity of the quality management system
  • Availability of resources
  • Allocation or reallocation of responsibilities and authorities

While it isn’t explicitly called out in the standard, you should also consider the risks and opportunities that should be addressed within the plans. Risk and plan are both critical elements for successful implementation of this new standard. These two four-letter words are critical elements to managing a successful business. With the new focus of the standard on business strategy, I recommend you consider the following equation: Quality Management System = Business Strategy Systems = Success!



Christine Park is a solution-focused, results-oriented Business Executive with extensive Business Development/Quality Systems/Regulatory Affairs experience. An independent consultant and experienced trainer, she has demonstrated success and business acumen to integrate quality into daily business activities while reducing costs. She takes a pragmatic, common-sense approach to defining and establishing good business practice to achieve goals with quality and assurance to regulatory compliance. Christine has experience with Medical Device, Pharmaceuticals, Biologicals, Food Safety as well as general quality management systems. See more information on her website.

