ISO 9001:2015 Your Questions Answered

It is well over a year, since I carried out my first ISO 9001:2015 audit and my first transition audit. Like most things in life, the more we do something, the more we grow in confidence and understanding, and the quicker we can often repeat the task.

I have also been very fortunate to have had the opportunity to deliver a number of webinars, both on the overall changes in ISO 9001:2015, and more recently, focussing on specific requirements in more detail, such as process and risk.

I am constantly pleased at how well the webinars appear to be received, and the insightful, challenging questions that inevitably follow each broadcast. Recent questions include: 

• Do I need to document the context?
• Who needs to be involved when identifying the context of a business?
• In an audit, what should I be expecting when asked to show compliance to management support?
• For those companies that are utilizing third party manufacturing facilities can we use their risk based evidence that they are collecting? 
• Does the word "Risk" need to be documented throughout the QMS directly?
• Is the SWOT analysis, a good way for determine the risks and also find the opportunities and controls?

The main thing to bear in mind is that it is YOUR system and you know your risks. You can document as much or as little as your company culture and level of risk demands. Context does not actually need to be documented but you may find it useful to do so.

Two NQA clients that I am aware of are currently documenting their context from existing information already available in various documents across their organization. Defining context is never going to be a job fully completed. You will keep revisiting and reviewing this, involving a range of interested parties as needed – managers, department heads, customers, employees, regulators, to name but a few.

When it comes to issues such as context and management support – try not to overthink it or make too much of a meal of it. Good leadership is evident in many ways. Internal communications, how employees talk about the leaders and managers, how accessible they are to employees, customers, auditors or any other interested parties.

If not present on the day of the audit, what provision has been made to be contacted if needed? I have had a company director interrupt her holiday to speak to me by phone to describe how the employees’ annual conference helped determine corporate strategy.

Likewise with risk: your QMS/EMS has always been about management of risk, even if the word was not used. It does not have to be explicitly documented, but it might help. Every time you double check something, confirm an order before delivery, back up a file – you are identifying and mitigating a risk. Preventive action is risk reduction. Do have a dialogue with your suppliers about their risk management initiatives, particularly in respect of how this benefits their supply to you.

SWOT is one of many tools you can use, but do not feel you have to deploy additional tools just to address the 2015 requirements. You are not in business to meet a standard, but to satisfy your customers and stay in profit. You could start with a simple brain storm, or a few simple questions, to address context, risk and process:

• Who are we?
• Who are our customers?
• Where are we going?
• How will we get there?
• What might stop us?

Finally, the most important tip I can give you is: keep it simple, this will help enormously, with both parties understanding the evidence that is presented. 

To find out more about ISO 9001:2015, register now for my next webinar on the 10th May 2017 and have your questions answered live! 

Author: NQA UK Assessor Dr Margaret Rooney