ISO 9001: RESPONDING TO A CHANGING LANDSCAPE
22 AUGUST 2022 09:00 ◦21 MINUTES
In this episode, we speak to Martin Cottam, former Assurance and Quality Director at LRQA, about ISO 9001, one of the most popular quality management system standards, and how it has performed since its revision in 2015, and more notably, how the standard has responded to the rapidly changing landscape we have seen more recently.
Hello and welcome to LRQA’s the Future in Focus Podcast. In this episode we speak to Martin Cottam, former Assurance and Quality Director at LRQA, about ISO 9001, one of the most popular quality management system standards.
We’ll hear how the standard has performed since its revision in 2015 and more notably, how it has responded to the rapidly changing landscape that we have seen more recently.
We began by asking Martin, what had been the challenges for quality management in organisations following the disruption over the past couple of years due to the global pandemic and other factors?
Well, perhaps the first thing I should say is that different organisations will have had quite different experiences over the last few years depending for example on where in the world they are operating, and in what sector of the economy they operate. So I can talk about some factors that have affected many organisations but they won’t necessarily have affected everyone. And I guess it feels natural to put the global Covid-19 pandemic right at the top of the list given the scale of disruption it's caused and indeed is still continuing to cause in some parts of the world.
I think relatively few organisations had actively prepared for how they would maintain their operations under the sorts of circumstances that the pandemic created. If it had featured in their risk assessments it was probably discounted as a very low probability or even an incredible event and not given much further consideration. Having said that the impact on organisations varied greatly depending on the nature of their activities, for some the challenge was to switch rapidly to home-based virtual working with the associated communication and IT challenges.
For others such as those in let’s say the essential services, the utility sector, many activities had to continue to take place on site or in other people’s homes or in public spaces. So the challenges were very different and of course, we should remember that for some organisations particularly those say in the hospitality sector lockdowns and other restrictions effectively closed their businesses for significant periods of time. And all that sounds pretty negative, so it’s worth remembering that through the same period there were some organisations whose businesses boomed and where the biggest challenge was to try to respond to the rapid increase in demand for their products and services.
So thinking about that in terms of quality management and ISO 9001, what we’re describing are changes to an organisation’s context and to the needs and expectations or requirements of interested parties. And the particular challenge brought by the pandemic was both the scale and the speed of those changes, something many organisations had not experienced before.
Another common issue in the pandemic was disruption to organisations’ supply chains. I’m sure many organisations which had already considered supply chain risks found themselves exposed in ways that they hadn’t foreseen simply due to the scale of the disruption which meant that if the normal supplier was affected the alternative suppliers were probably also affected. Prior to that experience, many organisations’ risk assessments would I’m sure have assumed that alternative suppliers would always be relatively easy to find.
And speaking of risk assessments, I think one of the biggest lessons for many of us has been about how in our risk assessments we consider events that have severe consequences but very low likelihood of occurrence. Sometimes particularly in the world of safety, those things are known as high/low events, high consequences low likelihood. It can be fairly common to dismiss such events as incredible and not to devote time or effort to asking ourselves how we would cope with them, or more importantly whether there is anything we can do to mitigate the risk.
It seems to me that in the unstable world that we’ve been experiencing over the last few years it begins to make sense to devote some additional effort to these high/low risks and to explore what steps we can take to be more prepared, able to respond faster, able to mitigate some of the worst effects. Because there may well be steps that we can take today that are worthwhile and cost effective ways of making our organisations more resilient against some of these events.
Another key challenge for many organisations during the lockdowns and other disruption has been communication with customers and others. Many businesses have reaped the benefits of IT investments, cloud based data storage and so on. But some others have really struggled and of course for many organisations the challenges have continued more recently with rising energy and commodity prices, the disruption caused by the war in Ukraine and the increasingly visible and tangible disruptive effects of climate change, and we’re told for example that global pandemics are more likely in the future.
So overall it feels to me that the biggest change and challenge for many organisations is that their context is simply less stable, more prone to significant and sometimes rapid change. Meaning that they need firstly to be more adept at monitoring this sometimes rapidly changing landscape and secondly more agile in being able to respond and adapt at pace to these changes.
Given the recent challenges and the way the world has evolved since its publication in 2015, how do you feel that ISO 9001 had served us as a standard for quality management?
I think I should start by highlighting that ISO 9001 like other similar management system standards, ISO 14001 for environment, ISO 45001 for occupational health and safety, is a specification of requirements for what the management system needs to do but not really telling us how it should do it. Recommendations on how to create a system that meets the requirements is sometimes available separately as implementation guidance.
So ISO 9001 as a requirement specification is really defining the essential processes that need to exist in the organisation to support quality management and how these processes interact to form a system. But it's not telling us how the individual processes should be designed.
I think that at a relatively high level what’s needed for an effective quality management system is frankly pretty unchanging. It’s the how we do it which often needs to change more over time as the organisation’s context evolves and I think that’s reflected in the fact that ISO requirement specifications such as ISO 9001 haven’t changed hugely over time. And Annex SL, the common framework behind all the management system standards, has also only really seen modest revision.
So just thinking of an example to illustrate that point, the ISO 9001 requirement that the organisation provides adequate resources for quality management is a pretty unchanging requirement. But the processes needed to achieve that requirement may need regular review and adjustment depending on the changing circumstances in which the organisations operate. There may be times for example when resourcing only needs to be reviewed annually but there may be other times when it needs to be reviewed quarterly or monthly.
And even when there are revisions to the published standards, I think we’re entitled to ask are these really changes to what’s required of the management system or are some of the changes an attempt by the standard writers to better reflect or more clearly describe the original intention. Because in my experience many of the adjustments made to the language of standards fall into this latter category so over time it becomes clear that the words used in the standard haven’t quite conveyed the intended meaning. Users are perhaps missing something of the intent or perhaps they’re over-interpreting the requirement to be more than was intended. So the standard writers adjust the wording to make things clearer and that means of course that many organisations perhaps don’t need to adjust their systems when those changes occur or to take any action because their systems already accurately reflected that original intent.
I think one example of this has been in the area of documentation where the language in standards has changed quite a bit, the standards are much clearer now in encouraging organisations to be careful to keep documentation to a proportionate level and only really to document things to the extent necessary.
If the essential requirements remain as relevant as ever, what is it that organisations may need to do differently when implementing their quality management systems to maintain conformance to the standard?
I think the main reasons organisations may find themselves needing to do things differently over time are those changes in the internal and external context in which they are operating and the requirements of interested parties. In other words, keeping the system appropriate to the world around them and to where the organisation wishes to position itself in relation to the market in which it's operating.
And this is of course an ISO 9001 requirement that the organisation takes into account its context and the requirements of interested parties both as it develops and as it operates and maintains its management system. And we saw a lot of that sort of change occurring in organisations in the early months of the global pandemic as organisations adjusted ways of working or reconfigured supply chains or changed the way they communicated and engaged with customers.
But in general, organisations may change how they do things and how they meet the requirements of ISO 9001 for a number of reasons. Perhaps to improve the effectiveness or the efficiency of their processes or indeed perhaps to make those processes more resilient or more sustainable. That could include reengineering a process to improve customer experience, or to remove process steps that don’t really add value, or adding steps or checks to help assure quality. For example, we’re very much now in a world of rising prices whether we’re talking about commodity prices or energy prices, and many organisations will be limited in the extent to which they can pass these increases onto their customers and they’ll be looking for scope to increase productivity and efficiency.
Or the changes could be to better address emerging risks or changes in the organisation’s appetite for risk. For example, I think the global pandemic has caused some organisations to review the level of risk associated with their supply chains and to question whether their current approach or historic approach is leaving them more vulnerable than they might wish to be to supply chain disruption in the future. And therefore to start to explore ways of adding more diversity and more resilience to their supply chain and vulnerabilities to the potentially disruptive effects of climate change would be another example. It's only a matter of days ago that we saw reports of a major IT systems failure at a London hospital attributed to the extremes of the recent heatwave.
So overall there may need to be regular changes to the processes through which the organisation operates and meets the requirements of ISO 9001 even though the requirements themselves remain pretty constant.
What should organisations expect their certifier to be looking for in terms of the adaptation of their management system to a changing world?
Well, the prime responsibility of a management system certifier is to test the conformance of the management system to the requirements of ISO 9001 those requirements which as we’ve just said remain pretty constant over time. But and it’s a big but, there is that requirement in ISO 9001 that we’ve mentioned that the organisation takes into account its context and the requirements of interested parties as it develops, operates, and maintains its system. And that requirement means that the certifier should be taking a keen interest in the extent to which and the processes by which the organisation is evolving its system in line with its changing context and the needs and expectations of interested parties.
So a certifier wouldn’t be doing their job if they didn’t examine whether and how an organisation was monitoring its changing context and what its interested parties expect and need from it and how it was acting upon that information. And there are several reasons for certifiers to examine such changes, firstly as evidence that the organisation is meeting the requirement that we’ve just described. Secondly though because any change to a process introduces a degree of risk and so it needs to be subject to an effective change management process, again an important process within the quality management system that needs to be tested. And thirdly to establish whether the new version of the process is operating effectively and achieving its objectives.
And I think certifiers can add value by questioning organisations on their assessments of the potential impacts of changes in their context to help them ensure that these assessments are sound.
Many organisations have been using ISO 9001 for a number of years and have a very mature quality management system and so we asked Martin if he thought the standard or its certification to it had become less relevant to such organisations over time?
Well, I think it’s important to remember that ISO 9001 certification is just one point on the journey to establishing a mature finely tuned quality management system and that after initial certification that journey continues with opportunities for improvement in terms of the efficiency and/or the effectiveness of the system. And it's very much up to each organisation to decide for itself to what extent they seek to fine-tune the system to help optimise organisational performance.
But the quality management framework of ISO 9001 provides the foundation for the system and for the subsequent process of fine-tuning and maturing the system, so those foundations remain as important as ever and that means it's important to be vigilant and regularly check that these fundamentals are working well.
Remember the whole objective of the ISO 9001 framework and all similar management system standards is to help an organisation develop a closed loop process of continual improvement in which the organisation is continually learning from its own experience and adjusting and fine-tuning its processes to reflect that experience and that learning.
Now of course in the early days of system development and implementation, the organisation can feel to be heavily dependent on the feedback of external assessors to tell it what’s working well and what needs attention. But as the system matures the organisation should be increasingly capable of measuring the performance and evaluating the effectiveness of the system by itself, and if that’s happening then there should be fewer surprises in the results of external audits as the organisation should have detected issues for itself.
Now that said, in my experience as a quality director and as the owner of the organisation’s management system, there’s always a place for a fresh pair of eyes to help us test whether our own internal view of system performance is accurate and to help us to detect any organisational blind spots that might have developed. And to test whether we really are adjusting the system to address changes in the context in which we’re operating and the expectations of customers and interested parties.
And I think that’s where the ongoing surveillance provided as part of certification can really provide assurance and really add value. I know this from my own experience in quality management at Lloyd’s Register long before I became the Group's Quality Director. I remember a particular external audit which highlighted that our corrective action process really wasn’t delivering, yes you know individual issues were being quite thoroughly investigated and actions were being taken as a result and until then I think we kind of believed everything was okay. But standing back with the auditor and looking at performance over a period of time we all realised that the actions taken didn’t deliver sustained improvement and that the same issues kept recurring in slightly different guises.
And I think that’s a good example of how it's possible for organisations to miss slow deterioration in performance of a process and where that fresh pair of eyes that’s an independent surveillance, can really help even with a mature system.