ISO 9001:2015 – Part II: The Risk of Too Much Risk Management

Sometimes you can think too much, so that you never actually get anything accomplished.

Sometimes, you can think about potential problems so much that you start to find problems that didn’t exist in the first place.

Sometimes, when you get paid to come up with answers to problems, you find yourself motivated to come up with problems for which you can provide answers so that you can get paid.

ISO 9001:2015 really does beg the question: Why was Preventive Action turned into Risk Management?

ISO 9001:2015 – Part I: Don’t Miss the Big Picture

Be careful as you begin to transition to ISO 9001:2015.

Many people are becoming so overwhelmed with this mystical concept of “Risk Management” in the new Standard that they are overlooking the preeminent improvement made in this latest revision. The most valuable improvement made by the new Standard is its format, which is much more effectively aligned with the P-D-C-A process approach to continual improvement.

Remember back to 1994. ISO 9001 was originally created almost as if it was a template for you to follow in establishing a greenfield business. It started with management commitment and quality policy, moved on to planning, contract review, design, documentation, purchasing… Sure, after that, they kind of got caught up in a quagmire of throwing all the leftovers into the pot (corrective action, then shipping, then audits, then statistics?); and they underemphasized certain aspects (process control) and over-exaggerated others (customer supplied product?). And there was that whole ‘concrete life vest’ thing, where they forgot to mention that you might want to see if the product actually worked for the customer. But aside from that, the 1994 Revision was a fairly effective standard that could be used to model the structure of a business, and almost everyone fell into the trance of ‘Thou shalt…’ quality management systems because of it. Many business owners thought it was the best thing since sliced bread because it was a structure to drive improvement their businesses had previously been lacking.

The problem with using ISO 9001:1994 this way was that it was a “standard”. Standards are used for comparison in order to identify and assess deviation for the purpose of standardization. Standards are not made to be mimicked: if they were, they would be called “templates”. Too many consultants (and auditors and clients, too) took standardization, or minimization of variation, to mean, “Do exactly as I say,” and a whole generation of quality management systems were written so as to regurgitate what had been documented in ISO 9001 without any thought or personality or necessity applicable to the organization or the people to which it was being applied. By copying the standard and renaming it as ‘theirs’, industry had missed the mark.

Consequently, the founders went back to the drawing board. Harkening back to the P-D-C-A “process approach”, they created ISO 9001:2000. Unfortunately, the die had already been cast, and industry was not nearly as interested in growing from the experience of revision as it was in complying in order to yield certifications in order to produce sales opportunities. So, the next generation of certificate principals merely followed the one before, and a lot of consultants made a lot of money creating cross-matrices, changing numbers on documents to match the :2000 numbering conventions, and changing 14 procedures to 5 + a bunch of work instructions. Oh, and they added a new form called, “Customer Satisfaction Survey”. That has been the essence of ISO 9001:2000 certification for the past fifteen years; and yes, the mark had been missed, again.

Now, in the spirit of, “If you can’t beat ‘em, join ‘em!”, ISO has conceded to the new format of 9001:2015. Whereas 2000 (and the waste of paper and printing and legal fees that was 2008) had all of management’s responsibilities confined to one area of that Standard (clause 5) with no sequential linkage following the “Check” phase to bring us back into the “Act/Plan” phase for a complete cycle … because we all know management might bite onto 1 requirement, but if we tell them they have to do this and then that, there’s no way they’ll go for it! … 2015 defines management responsibilities up front for planning (clause 5) and then again at the end for assessing and improving (clause 9). And there are other, similar changes in format throughout the new Standard. Consequently, the new format follows more fully the P-D-C-A process approach, so that it provides a much more effective model for organizations to mimic if they choose to go that route. Based on history, that is unfortunately likely; at least this time, businesses should land in the right boat.

So, in summary:

Don’t spend exorbitant time worrying about “Risk Management” just because it’s a new phrase that you aren’t used to hearing in ISO 9001.

Do spend your time thinking about the type and extent of involvement, both front- and back-end, that management needs to have in each of the processes of the business, and apply the guidance from the new Standard and its format to create a quality management system structure suited to your business. Some processes require significant involvement and control; others, merely oversight and occasional guidance. Investing the time to plan your quality management system so that it effectively helps your business achieve its goals is smart money.