ISO 9001: 2015The 10 Core Elements of an Enterprise Quality Management Program

The recent revisions to the ISO 9001 standards are aimed at embedding risk-based thinking into the overall quality management framework, and thereby building a stable foundation for the future. The revised standard expects organizations to consider the numerous new and existing risks that affect the business, and hinder quality.

Since its release in September 2015, the new edition of ISO 9001 has created quite a stir in the global market. It is crucial for organizations to understand the implications of these standards on their overall approach to quality management.

The new standard and structure is more generic and applicable to all industries, including services organizations. It helps organizations integrate all or parts of their various management systems to ultimately achieve a truly unified quality management program.

ISO 9001:2015 Revisions and FocusUnlike the old standard, the revised version of ISO 9001 expects organizations to understand their objectives before establishing a quality management system. This, in turn, requires them to take a completely fresh look at their current quality processes, consider the external and internal issues that affect quality, and define their end goals toward achieving consistent customer satisfaction. Organizations also need to focus on identifying risks and potential areas of non-compliance by conducting a proper gap analysis, and re-evaluating how these gaps could affect quality.

The revised standard emphasizes the need for organizations to establish a quality management system only after they have understood their external environment and third parties, as well as their internal culture, values, and performance. Based on this understanding, organizations are expected to make changes to their policies, processes, SOPs, and other documentation to reflect the new quality management program and structure. This documentation will enable them to develop implementation plans, review the effectiveness of their current controls, define parameters to track continuous improvements, and implement new requirements for risk management.

Organizations also need to carry out impact assessments frequently (assuming every control may have changed), and initiate training and awareness programs for employees to keep them updated on the process changes. Insights from the impact assessments will help organizations define the scope of their quality management system, as well as the challenges that the system must be equipped to deal with.

Core Elements to Achieve ISO 9001:2015 Compliance The ISO 9001:2015 standard is intended to help organizations achieve excellence through a stronger customer focus and improved business performance. The revisions to the standard will enable organizations to enhance their existing quality management program by defining and documenting processes, training employees, ensuring better supply chain relationship management, adopting a risk-based approach to quality, and involving the leadership team in quality management more often.

The issues identified during the transition from ISO 9001:2008 to ISO 9001:2015 can be managed by triggering corrective and preventive actions. Non-conformances can be minimized by conducting frequent internal quality audits, thus strengthening compliance with the revised standard.

ISO 9001:2015 is based on seven principles: Customer Focus, Leadership, Engagement of People, Process Approach, Improvement, Evidence-Based Decision-Making, and Relationship Management. In line with these principles, here are the core elements that make up the overall quality management program:

1. Improve Customer FocusAccording to the new standard, the primary focus of an organization’s quality management program is to meet customer requirements, and exceed expectations in terms of the quality of products and services. Organizations would do well to comprehensively research, analyze, and understand both the current and future needs of the organization and adjust their programs and

processes to deliver to these goals. Before that, however, it is important to align organizational objectives to market trends, and communicate them across the organization. It is also essential to implement programs and processes to measure customer satisfaction, and act on the results.

2. Enhance Leadership InvolvementUnlike the earlier ISO 9001 standard, the revised version emphasizes leadership involvement in quality management. The leadership team is expected to be highly committed to strengthening the outcome of the quality management program. They need to ensure that every business unit within the organization understands and accepts the changes brought about by the new standard to ensure a unified commitment to quality. The leadership team also needs to understand the expectations of customers, end-users of the product, regulators, suppliers, distributors, retailers, and any other parties involved in or affected by quality management. Leaders should inspire, encourage, and recognize people’s contributions, and also provide the required resources and training to improve quality management.

3. Improve Engagement of PeopleThe new standard clearly states the need for all people to be competent, empowered, and engaged in delivering value. Organizations are expected to enhance employee communication, provide better clarity on job expectations, find ways to motivate employees to contribute to organizational success, capture regular feedback, and facilitate a dialog with supervisors to help employees achieve their growth plan.

4. Adopt a Process-Based ApproachThe new standard requires organizations to adopt a process-based approach to quality management that involves documenting and implementing processes, resources, methods, and controls to demonstrate compliance with ISO 9001:2015. The process-based approach also includes defining quality objectives at the relevant function and process levels, and ultimately, integrating quality management requirements into business processes. Organizations should have defined processes and guidelines to perform any quality management task, and keep track of ongoing activities.

5. Enable People and Process ImprovementAccording to the new standard, successful organizations are those that have a persistent focus on improvement, both in terms of organizational efficiency and effectiveness. Organizations are expected to implement a consistent, enterprise-wide approach toward training people to effectively utilize the methods and tools for improvement. Organizations should also focus on the improvement of products, processes, and management systems, with the goal of enabling the growth of every individual in the organization.

6. Facilitate Evidence-Based Decision-MakingThe new standard emphasizes evidence-based decision-making, indicating that decisions based on the analysis and evaluation of data and information are more likely to produce the desired results. Organizations are expected to revamp their quality management systems to support effective evidence gathering through observations, measurements, and tests, or by using any other suitable method like audits and inspections. The evidence collected should be accurate, reliable, and easily accessible to those who need it for decision-making.

7. Ensure Relationship ManagementTo ensure high standards of quality, organizations need to be able to effectively manage their relationships with third parties such as suppliers and partners to enable sustained growth. By sharing their knowledge, vision, and values with each other, organizations and their third parties can enhance their relationship. The key is to identify and select the right suppliers, establish joint development plans, and determine improvement activities, including training. Scorecards and metrics are also important to measure supplier performance, recognize improvements, and benchmark achievements.

8. Establish a Systematic Approach to Risk ManagementA key focus area of the new ISO 9001 standards is to inculcate risk management into an organization’s day-to-day activities. The end goal is to make business processes seamless to ultimately deliver

customer satisfaction. Risk has always been implicit in the ISO 9001 standards, but “risk based thinking” is now explicitly defined, making preventive actions part of one’s daily routine. The new standard requires organizations to support the creation and implementation of corrective actions (to manage incorrectly qualified risks), as well as preventive actions (to address potential risks and non-compliance violations).

Here are the key steps required to manage risks effectively:

Determine the risks that may impact the organization’s ability to meet objectives

Plan and take actions to address risks and opportunities

Define and manage processes to identify and address the risks in organizational operations

Determine which risks need to be monitored, measured, analyzed, and evaluated

Enable continuous improvement by responding to the changes in risk and opportunities

9. External Provision – Manage Third-Party RisksThere are specific requirements that organizations need to meet while outsourcing goods and services. First, they need to adopt a risk-based approach to determining the type and scope of controls required to manage the external provision of goods and services. They also need to define processes and controls for suppliers, and then constantly monitor and compare supplier scores, so as to benchmark supplier performance.

Performance measurement and analysis requires organizations to incorporate data from various quality sources, such as SCARs, audits, and inspections, as well as other quality management systems. Organizations are also expected to keep supply chain risks in check, by identifying high risk suppliers, assessing their risk impact and likelihood, and tracking their risk profile at regular intervals.

Identify risks and opportunities

Analyze & prioritize risks and opportunities

Plan actions to address the risks

Implement the action plan

Check effectiveness of action plan

Learn from experience

Transitioning to ISO 9001:2015

Transitioning Smoothly from 9001:2008 to

9001:2015

The recent revisions to the ISO 9001 standards are aimed at embedding risk-based thinking into the overall quality management framework, and thereby building a stable foundation for the future. The revised standard expects organizations to consider the numerous new and existing risks that affect the business, and hinder quality.

Since its release in September 2015, the new edition of ISO 9001 has created quite a stir in the global market. It is crucial for organizations to understand the implications of these standards on their overall approach to quality management.

The new standard and structure is more generic and applicable to all industries, including services organizations. It helps organizations integrate all or parts of their various management systems to ultimately achieve a truly unified quality management program.

ISO 9001:2015 Revisions and FocusUnlike the old standard, the revised version of ISO 9001 expects organizations to understand their objectives before establishing a quality management system. This, in turn, requires them to take a completely fresh look at their current quality processes, consider the external and internal issues that affect quality, and define their end goals towards achieving consistent customer satisfaction. Organizations also need to focus on identifying risks and potential areas of non-compliance by conducting a proper gap analysis, and re-evaluating how these gaps could affect quality.

The revised standard emphasizes the need for organizations to establish a quality management system only after they have understood their external environment and third parties, as well as their internal culture, values, and performance. Based on this understanding, organizations are expected to make changes to their policies, processes, SOPs, and other documentation to reflect the new quality management program and structure. This documentation will enable them to develop implementation plans, review the effectiveness of their current controls, define parameters to track continuous improvements, and implement new requirements for risk management.

Organizations also need to carry out impact assessments frequently (assuming every control may have changed), and initiate training and awareness programs for employees to keep them updated on the process changes. Insights from the impact assessments will help organizations define the scope of their quality management system, as well as the challenges that the system must be equipped to deal with.

Core Elements to Achieve ISO 9001:2015 Compliance The ISO 9001:2015 standard is intended to help organizations achieve excellence through a stronger customer focus and improved business performance. The revisions to the standard will enable organizations to enhance their existing quality management program by defining and documenting processes, training employees, ensuring better supply chain relationship management, adopting a risk-based approach to quality, and involving the leadership team in quality management more often.

The issues identified during the transition from ISO 9001:2008 to ISO 9001:2015 can be managed by triggering corrective and preventive actions. Non-conformances can be minimized by conducting frequent internal quality audits, thus strengthening compliance with the revised standard.

ISO 9001:2015 is based on seven principles: Customer Focus, Leadership, Engagement of People, Process Approach, Improvement, Evidence-Based Decision-Making, and Relationship Management. In line with these principles, here are the core elements that make up the overall quality management program:

1. Improve Customer FocusAccording to the new standard, the primary focus of an organization’s quality management program is to meet customer requirements, and exceed expectations in terms of the quality of products and services. Organizations would do well to comprehensively research, analyze, and understand both the current and future needs of the organization and adjust their programs and

processes to deliver to these goals. Before that, however, it is important to align organizational objectives to market trends, and communicate them across the organization. It is also essential to implement programs and processes to measure customer satisfaction, and act on the results.

2. Enhance Leadership InvolvementUnlike the earlier ISO 9001 standard, the revised version emphasizes leadership involvement in quality management. The leadership team is expected to be highly committed to strengthening the outcome of the quality management program. They need to ensure that every business unit within the organization understands and accepts the changes brought about by the new standard to ensure a unified commitment to quality. The leadership team also needs to understand the expectations of customers, end-users of the product, regulators, suppliers, distributors, retailers, and any other parties involved in or affected by quality management. Leaders should inspire, encourage, and recognize people’s contributions, and also provide the required resources and training to improve quality management.

3. Improve Engagement of PeopleThe new standard clearly states the need for all people to be competent, empowered, and engaged in delivering value. Organizations are expected to enhance employee communication, provide better clarity on job expectations, find ways to motivate employees to contribute to organizational success, capture regular feedback, and facilitate a dialog with supervisors to help employees achieve their growth plan.

4. Adopt a Process-Based ApproachThe new standard requires organizations to adopt a process-based approach to quality management that involves documenting and implementing processes, resources, methods, and controls to demonstrate compliance with ISO 9001:2015. The process-based approach also includes defining quality objectives at the relevant function and process levels, and ultimately, integrating quality management requirements into business processes. Organizations should have defined processes and guidelines to perform any quality management task, and keep track of ongoing activities.

5. Enable People and Process ImprovementAccording to the new standard, successful organizations are those that have a persistent focus on improvement, both in terms of organizational efficiency and effectiveness. Organizations are expected to implement a consistent, enterprise-wide approach towards training people to effectively utilize the methods and tools for improvement. Organizations should also focus on the improvement of products, processes, and management systems, with the goal of enabling the growth of every individual in the organization.

6. Facilitate Evidence-Based Decision-MakingThe new standard emphasizes evidence-based decision-making, indicating that decisions based on the analysis and evaluation of data and information are more likely to produce the desired results. Organizations are expected to revamp their quality management systems to support effective evidence gathering through observations, measurements, and tests, or by using any other suitable method like audits and inspections. The evidence collected should be accurate, reliable, and easily accessible to those who need it for decision-making.

7. Ensure Relationship ManagementTo ensure high standards of quality, organizations need to be able to effectively manage their relationships with third parties such as suppliers and partners to enable sustained growth. By sharing their knowledge, vision, and values with each other, organizations and their third parties can enhance their relationship. The key is to identify and select the right suppliers, establish joint development plans, and determine improvement activities, including training. Scorecards and metrics are also important to measure supplier performance, recognize improvements, and benchmark achievements.

8. Establish a Systematic Approach to Risk ManagementA key focus area of the new ISO 9001 standards is to inculcate risk management into an organization’s day-to-day activities. The end goal is to make business processes seamless to ultimately deliver

customer satisfaction. Risk has always been implicit in the ISO 9001 standards, but “risk based thinking” is now explicitly defined, making preventive actions part of one’s daily routine. The new standard requires organizations to support the creation and implementation of corrective actions (to manage incorrectly qualified risks), as well as preventive actions (to address potential risks and non-compliance violations).

Here are the key steps required to manage risks effectively:

Determine the risks that may impact the organization’s ability to meet objectives

Plan and take actions to address risks and opportunities

Define and manage processes to identify and address the risks in organizational operations

Determine which risks need to be monitored, measured, analyzed, and evaluated

Enable continuous improvement by responding to the changes in risk and opportunities

9. External Provision – Manage Third-Party RisksThere are specific requirements that organizations need to meet while outsourcing goods and services. First, they need to adopt a risk-based approach to determining the type and scope of controls required to manage the external provision of goods and services. They also need to define processes and controls for suppliers, and then constantly monitor and compare supplier scores, so as to benchmark supplier performance.

Performance measurement and analysis requires organizations to incorporate data from various quality sources, such as SCARs, audits, and inspections, as well as other quality management systems. Organizations are also expected to also keep supply chain risks in check, by identifying high risk suppliers, assessing their risk impact and likelihood, and tracking their risk profile at regular intervals.

10. Enable Knowledge ManagementOrganizations need to identify whether they have the knowledge to carry out the activities necessary for compliance with ISO 9001:2015. They should also be able to maintain, protect, and make knowledge available wherever necessary, anticipate changes to knowledge management, and mitigate the risk of failing to acquire the right knowledge.

Training programs for employees and third parties on changing standards and policies should be imparted in a streamlined manner with a clear understanding of gaps. In addition, training needs and potential red flags should be identified and communicated to employees and third parties.

Technology Acts as an Enabler to Manage Compliance with ISO 9001:2015Technology can be leveraged to automate the enterprise quality management program, and enable a seamless transition to the new ISO standard. It can provide a comprehensive view of quality risks, help implement corrective and preventive actions, support audits and inspections to assess supplier performance and internal performance, maintain a knowledge repository, and strengthen collaboration across the value chain. Adopting technology can also enhance visibility into quality risks across the organization and supply chain, while protecting the organization’s brand, and reducing the Cost of Poor Quality (COPQ).

With technology, programs like risk assessments and mitigation plans can be well laid out and executed, while quality audits and inspections can

be automated. Technology also enables organizations to correlate and aggregate risk data based on various hierarchies and structures to support better decision-making.

The historical results of corrective actions, customer complaints, inspections, or audits can be leveraged with the help of technology to identify areas of risk. Technology can provide a consolidated view of information to help organizations track audit results, manage audit findings, and implement corrective actions. It can also store huge volumes of data from multiple sources in a central place.

Technology can help simplify and streamline the flow of information across the value chain by mapping relevant third parties, products, and customers. In addition, it can provide a common base for organizations and third parties to share information, determine action plans for issues, and track the progress of these activities. Advanced analytics and visual tools such as dashboards, risk heat maps, and reports can provide in-depth visibility into quality and risk metrics, both internally and externally.

When it comes to training on quality management, technology can help define the training scope and curriculum, assign trainers, list down course schedules, and publish training progress reports. Gaps and potential red flags can be easily identified and communicated. In addition, central online repositories can help manage documents, processes, and entities in an easy and flexible manner.

An advanced technology solution can allow users to map processes to risks, regulations, and business information in order to gain a holistic view of quality. It can also offer the leadership team insights into multiple quality metrics by aggregating information from across business and functional units.

ConclusionComplying with ISO 9001 has been a key organizational focus since the inception of the standard. However the approach to compliance must be proactive and result-oriented, and not limited to achieving a certification. Organizations would do well by integrating the requirements of the revised standard into their business processes, and following these requirements consistently across the value chain, so that they become part of day-to-day activities.

Each organization’s structure, business processes, and operations are different from those of others; therefore the steps involved in adapting to the new standard will also vary. However, there are certain basic aspects that can be embraced by every organization to align their processes with risk-based quality, and map them to the ISO 9001:2015 standard. Organizations can also select and utilize various tools and methodologies to mitigate risks, document information, evaluate performance, maintain a controlled quality environment, carry out impact assessments, and engage people.

The transition from ISO 9001:2008 to ISO 9001:2015 is an opportunity to raise the bar on how organizations manage quality, and evolve over time.

MetricStream is the market leader in enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions. MetricStream solutions are used by leading global corporations in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their risk management programs, quality management processes, regulatory and industry-mandated compliance and other corporate governance initiatives.

Email: info@metricstream.comUS: +1-650-620-2955 Europe: +41-615-880-111 UK: +44-203-318-8554

© 2016 Copyright MetricStream. All Rights Reserved. India: +91-(0)80-4962-8000 UAE: +971-50-721-7139 Australia: +61-870-708-014

MSI

TL-II

SO 9

001:

2015

_M

ay20

16