A few thoughts... Posted by epinjen Mon, May 07, 2018 09:05:59
Bite Sized ISO 9001 – Supplier
A key staple of ISO 9001 certification and a somewhat “unnatural” process for many where purchasing is not critical to their service, supplier evaluation is frequently picked up as an opportunity for improvement or a non-conformity by auditors. In my opinion, it is frequently not flagged because one of two things is happening:
- of suppliers are done all the time: the first time a supplier lets you down, you start to think about changing them;
- of suppliers are frequently discussed as part of the annual management review; however, the minutes or the report rarely reflect the detail that is involved in this review, because most suppliers don’t screw up and will not be challenged.
So how do you evidence that the review of suppliers is being done, and how do you get this to add value? You can try to follow this step-by-step guide:
Excel and in the top row, populate each column from left to right with the
Last Review Date;
Next Review Date.
to your list of invoices received (whether on Excel or bookkeeping software) and, after filtering the list to the period you want to review, copy the list into the “Supplier” column of an Excel spreadsheet and remove the duplicates. This will give you a list of every supplier used in that review period;
the columns to the right, “Reviewer”, enter the name of the person within your organisation who has the most contact with the supplier or has the authority to make decisions about the reason behind selecting this supplier;
would be a good time to sort the list by reviewers, then arrange a time to sit and talk to each reviewer and identify the reason for using each supplier. It will (more than likely) be because of price (cheapest), service (or quality of the product), geography (they may be in the office next door or just down the street), because there is a special relationship or partnership with that company (you give them work because they give you work, etc.) or for another reason not covered above (such as a legal or contractual obligation, they are the only provider available to you of this product or service, or maybe no other supplier will work with you, etc.). Put an x in the column that corresponds to the date of the chat with the relevant reviewer and ask them two simple
- Did the supplier remain the cheapest / provide a good service / still be the most conveniently located, etc., depending upon the reason they were chosen in the first place;
- Is there a need to change the supplier and if
table should now look a little like this:
With this simple table in place, you will be ready for the auditor when they ask to see how you have managed
Of course, it would be great to record some of the evidence seen in the review (think about hyperlinks to quotes from other suppliers or their web pages, or a screenshot of their location in relation to your premises, etc., depending upon the reason for using that company), but what we now have is a quick and easy review of your suppliers, meeting the requirements of ISO 9001 and, if done properly, prompting a potential change of supplier or review of arrangements with under-performing suppliers. Also, there is no absolute reason in the standard why one supplier should be chosen over another. It is great to stay away from price, as you frequently get what you pay for, but it is a reality: costs weigh heavily upon a business and sometimes it is necessary to base a decision on this. It is up to you to decide and justify
Going forward, it would be easier to start this process when selecting a new supplier, requiring the purchaser to pass this “test” before doing business with them; however, you can always come back to this each year to demonstrate compliance and keep purchasers and suppliers on their toes.
P.S. With GDPR in mind, this could also be an opportunity to record the non-disclosure or confidentiality agreements in place with each supplier as well.
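The procedure above, as an added example rather than anything from the article: a small Python script that builds the review register from an invoice export (step 2), records the reviewer, the reason for selection and the answers to the two questions (steps 3 to 5), carries the NDA point from the P.S. as a column, and lists which suppliers the management review actually needs to discuss. The invoice rows, supplier and reviewer names, and the one-year gap between the last and next review date are constructed assumptions, not values from the article.

```python
"""Supplier review register built from an invoice list, following the
step-by-step approach above (added example, not from the article; all
invoice rows, names and reasons below are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Selection reasons the article lists; in the spreadsheet each is a column.
REASONS = ("price", "service", "geography", "relationship", "other")

# Constructed invoice export: (invoice date, supplier, amount). Real input
# would come from the bookkeeping software, filtered to the review period.
INVOICES = [
    ("2018-01-09", "Acme Stationery", 120.00),
    ("2018-01-23", "Northside IT", 950.00),
    ("2018-02-02", "Acme Stationery", 80.50),   # duplicate supplier
    ("2018-02-14", "Quickprint", 210.00),
    ("2018-03-01", "Northside IT", 950.00),     # duplicate supplier
    ("2017-11-30", "Old Courier Co", 45.00),    # outside the review period
]

@dataclass
class SupplierReview:
    supplier: str
    reviewer: str = ""                     # most contact with, or authority over, the supplier
    reason: str = ""                       # one of REASONS
    still_best: Optional[bool] = None      # Q1: does the original reason still hold?
    change_needed: Optional[bool] = None   # Q2: is a change of supplier needed?
    nda_in_place: bool = False             # the GDPR point in the P.S.
    last_review: Optional[date] = None
    next_review: Optional[date] = None
    evidence: list = field(default_factory=list)  # links, screenshots, quotes

def suppliers_in_period(invoices, start: str, end: str) -> list:
    """Step 2: filter the invoice list to the period and remove duplicate
    suppliers, keeping first-seen order so the register is reproducible."""
    s, e = date.fromisoformat(start), date.fromisoformat(end)
    seen = {}
    for inv_date, supplier, _amount in invoices:
        if s <= date.fromisoformat(inv_date) <= e:
            seen.setdefault(supplier, True)
    return list(seen)

def build_register(invoices, start: str, end: str) -> dict:
    """One row per supplier used in the period; reviewer and reason still blank."""
    return {s: SupplierReview(supplier=s) for s in suppliers_in_period(invoices, start, end)}

def record_review(rec: SupplierReview, reviewer: str, reason: str, still_best: bool,
                  change_needed: bool, on: str, nda: bool = False, evidence=()) -> SupplierReview:
    """Steps 3-5: name the reviewer, note the reason for selection, record the
    answers to the two questions and the date of the chat. The next review is
    set a year ahead (an assumption; the article only names the two date columns)."""
    if reason not in REASONS:
        raise ValueError(f"unknown reason {reason!r}; expected one of {REASONS}")
    rec.reviewer, rec.reason = reviewer, reason
    rec.still_best, rec.change_needed, rec.nda_in_place = still_best, change_needed, nda
    rec.last_review = date.fromisoformat(on)
    rec.next_review = rec.last_review + timedelta(days=365)
    rec.evidence.extend(evidence)
    return rec

def needs_attention(register: dict, today: str) -> list:
    """Suppliers the management review should actually talk about: never
    reviewed, review overdue, no longer meeting the reason they were chosen
    for, or flagged for a change."""
    t = date.fromisoformat(today)
    flagged = []
    for name, r in register.items():
        if r.last_review is None or r.next_review <= t:
            flagged.append(name)
        elif r.still_best is False or r.change_needed:
            flagged.append(name)
    return flagged

def reasons_summary(register: dict) -> dict:
    """How many suppliers are kept for each reason; useful when the review
    notes that price alone is driving too many selections."""
    counts = {r: 0 for r in REASONS}
    for r in register.values():
        if r.reason:
            counts[r.reason] += 1
    return counts

if __name__ == "__main__":
    reg = build_register(INVOICES, "2018-01-01", "2018-03-31")
    record_review(reg["Acme Stationery"], "J. Smith", "price", True, False, "2018-04-03")
    record_review(reg["Northside IT"], "A. Patel", "service", False, True, "2018-04-03",
                  nda=True, evidence=["Q1 ticket response times (constructed)"])
    for name, r in reg.items():
        print(f"{name:16} {r.reviewer or '-':10} {r.reason or '-':10} next review {r.next_review}")
    print("needs attention:", needs_attention(reg, "2018-05-07"))
    print("reasons:", reasons_summary(reg))
```

Run as-is, the script lists the three suppliers used in the first quarter, flags Northside IT (service no longer meets the reason it was chosen for) and Quickprint (never reviewed), and leaves Acme Stationery alone until its next review date comes round. The `evidence` list is where the hyperlinks or screenshots the article mentions would be recorded.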
A few thoughts... Posted by epinjen Fri, March 30, 2018 18:05:35
Having trouble identifying personal data within your organisation? The starting point should be to consider the definitions of personal and sensitive data.
Personal data questions to ask:
- Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession?
- Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?
- Is the data ‘obviously about’ a particular
- Is the data ‘linked to’ an individual so that it provides particular information about that individual?
- Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
- Does the data have any biographical significance in relation to the individual?
- Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
- Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or
Sensitive personal data means personal data consisting of information as to:
- The racial or ethnic origin of the data subject;
- Their political opinions;
- Their religious beliefs or other beliefs of a
- Whether they are a member of a trade union;
- Their physical or mental health or condition;
- Their sexual life;
- The commission or alleged commission by them of
- Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
In relation to sensitive personal data, most organisations will only be beginning to consider any of these points in very specific situations. Certain standards such as the SIA Approved Contractor Scheme or certain Codes of Practice (specifically BS 7858 or any other security sector standard) may make it a requirement for you to process information about trade union membership, physical health or any criminal convictions. Here, we need to be very specific about the justification for lawful processing. In many cases, contractual obligations would still necessitate the processing of this information; however, it is worth exercising as much caution as possible, balancing the rights of the individual with your ambitions as an employer. In any case, consent is still going to be required before processing any of the sensitive data, regardless of a company's obligations for this processing.
A few thoughts... Posted by epinjen Wed, March 14, 2018 18:19:14
Bite Sized ISO 9001 – Non-Conformity
There is nothing more frustrating in ISO 9001 than a non-conformity. I have seen non-conformities for incorrect maths, a single missing signature, bad handwriting and many others that range from the helpful to the unbelievable. Regardless of the reason for the non-conformity, there are five things that need to be documented to get them resolved (if you include a few other details, this could also serve as a template for a non-conformity form):
1. Remedial Action – This is what you do to put that particular instance right. If a customer signature is missing, either get the form signed or, if this isn’t possible, get it in writing that they acknowledge the receipt of the service or detail that they were supposed to have signed for;
2. Root Cause Analysis – By far the most important. Identify the issue at the very heart of the problem. At the bottom of this article is a list of root causes I have found to be very helpful. You will note that there is something missing – human error. The reasons for not including human error in this list could be the subject of an article all by themselves, but I will summarise most of them with this – if you think someone screwing up is simple human error, please ask the person responsible for them what they were doing to a) ensure it didn’t happen (clearly not supervising their work), b) prevent them from screwing up (were they not trained for this task? If not, what was the person responsible for them doing?) and c) who approved a process that could be undone so simply and not picked up on? All of a sudden, human error is not the issue at the very heart of the problem, is it?
3. Action to Address the Root Cause – This is, essentially, what will be done to prevent this root cause from occurring again. Here is another free bit of consultancy – there is always something that can be done. Even when the most improbable event occurs, think about training, process review, policy review, client or supplier meetings, tool box talks, etc. The answer is never “nothing”;
4. Review of Actions Taken – Frequently overlooked on a lot of the mediocre non-conformity form templates, it is essential that a summary (two lines can be enough) of the review of remedial actions and the actions taken to address the root cause be documented. It may be that these actions were discussed at a management meeting, the solutions were tested and found to have worked in a test environment, or the customer or supplier agreed with your chosen course of action and the world is right again. It is weak to simply state that everything is now OK and the MD has signed it off (remember that bit about leadership in clause 5?);
5. Trend Analysis – Part of the required inputs for the management review, there are some pretty simple steps that can be taken. Summarise the non-conformities with their corresponding root causes in an Excel table, select all of the cells and then create a pie chart and, just like magic, there is a trend analysis of root causes. If you are a bit more comfortable with Excel, try adding in dates or departments, or playing around with chart types. In any case, it will be easy to provide a visual description to the management team to review and comment upon. Include the charts or a link to the charts in the management review minutes or report and take note of the comments made. It will be very difficult not to see some pattern if not the fortunate instance of very varied
In short, stop being afraid of non-conformities; they are here to help us! As an auditor, I was always horrified by any objective that stated zero non-conformities. This would almost always suggest one thing: any problems were going to be ignored. Of course, this would only constitute an issue when a non-conformity was identified and the objective therefore not achieved. Try setting an objective of “have no increase in non-conformities over the next twelve months” or “have all non-conformities reviewed and resolved within a pre-determined time frame”. Both of these should be achievable, and any improvement that stems from a non-conformity is still improvement, not a bad payoff for something so frustrating and a little bit of work.
List of Potential Root Causes:
- Machine – Machine or equipment related;
- Machine – Fixture related;
- Machine – Tool related;
- Management – Training was insufficient or
- Management – Responsibilities not defined or not
- Management – Resources competencies were
- Management – Communication issues (e.g., shift hand over between operators);
- Management – Planning and controls were
- Management – Instructions or requirements were insufficient or inadequate;
- People – Instruction or requirements were not
- People – Wrong decision was made;
- People – A reading error was made;
- People – Material handling error;
- People – Known defect or issue not reported or
- Material – Material did not comply with
- Material – Material shelf life expired;
- Material – Contamination of product;
- Method – Validation of process was insufficient;
- Method – Manufacturing process capability was insufficient or inadequate;
- Method – Packaging, labelling or identification of material was inadequate;
- Method – Design process was inadequate;
- Environment – Natural disaster (e.g.,
- Environment – Information technology system
- Environment – Fire or power outage;
- Environment – Unpredictable event (e.g., theft,
- Environment – Environmental conditions were inadequate (e.g., climate);
- Environment – Lighting conditions were
- Environment – Ergonomic conditions were poor (e.g., unsuitable equipment set up);
- Measurement – Inspection tool inadequate (e.g.,
- Measurement – Uncalibrated inspection tool used;
- Measurement – Calibration error;
- Measurement – Instruments, displays, or controls
- Measurement – Transcription error while
- Measurement – Verification method (i.e., inspection, sampling) was inadequate;
- Measurement – Inspection criteria were inappropriate or unclear.
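The five items and the root-cause list, as an added example that is not part of the article: a Python record type carrying the remedial action, root cause, action to address the root cause and review of actions taken, a check that refuses to treat a record as closed when the root cause is “human error” or the preventive action is “nothing”, and the tally behind the pie chart plus the “no increase over twelve months” objective. The root-cause categories are taken from the list above; the five non-conformity records, departments and dates are constructed.

```python
"""Non-conformity records with the five documented items, plus the
root-cause trend analysis for management review (added example, not from
the article; the records below are constructed)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Category prefixes from the list of potential root causes in the article.
CATEGORIES = {"Machine", "Management", "People", "Material", "Method",
              "Environment", "Measurement"}
EMPTY_ANSWERS = {"", "nothing", "none", "n/a"}

@dataclass(frozen=True)
class NonConformity:
    ref: str
    raised: str                 # ISO date the non-conformity was raised
    description: str
    remedial_action: str        # 1. put this instance right
    root_cause: str             # 2. "Category – detail", taken from the list
    preventive_action: str      # 3. action to address the root cause
    review_of_actions: str      # 4. summary of the review of what was done
    department: str = ""

def category_of(root_cause: str) -> str:
    """'Management – Training was insufficient' -> 'Management' (en dash or hyphen)."""
    return re.split(r"\s[–-]\s", root_cause, maxsplit=1)[0].strip()

def validate(nc: NonConformity) -> list:
    """Problems that would stop the record being closed; empty means complete."""
    problems = []
    if not nc.remedial_action.strip():
        problems.append(f"{nc.ref}: remedial action is missing")
    if category_of(nc.root_cause) not in CATEGORIES:
        problems.append(f"{nc.ref}: root cause {nc.root_cause!r} is not from the list")
    if "human error" in nc.root_cause.lower():
        problems.append(f"{nc.ref}: 'human error' is not a root cause; look at "
                        "supervision, training and the process that allowed it")
    if nc.preventive_action.strip().lower() in EMPTY_ANSWERS:
        problems.append(f"{nc.ref}: the action to address the root cause is never 'nothing'")
    if not nc.review_of_actions.strip():
        problems.append(f"{nc.ref}: review of actions taken is missing")
    return problems

def trend_by_category(records) -> list:
    """5. Trend analysis: root-cause categories, most frequent first (the
    numbers behind the pie chart)."""
    counts = Counter(category_of(nc.root_cause) for nc in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def count_in_window(records, start: str, end: str) -> int:
    """Number of non-conformities raised between two ISO dates, inclusive."""
    s, e = date.fromisoformat(start), date.fromisoformat(end)
    return sum(1 for nc in records if s <= date.fromisoformat(nc.raised) <= e)

def no_increase_objective_met(records, prev_start, prev_end, cur_start, cur_end) -> bool:
    """The objective 'no increase in non-conformities over the next twelve
    months', checked by comparing the current window with the one before it."""
    return count_in_window(records, cur_start, cur_end) <= count_in_window(records, prev_start, prev_end)

# Constructed records; the last two are deliberately incomplete.
RECORDS = [
    NonConformity("NC-01", "2017-06-12", "Customer signature missing on delivery note",
                  "Written acknowledgement of receipt obtained by e-mail",
                  "Management – Instructions or requirements were insufficient or inadequate",
                  "Delivery note checklist updated; drivers briefed at tool box talk",
                  "Twenty later notes sampled at the July review, all signed", "Logistics"),
    NonConformity("NC-02", "2017-09-03", "Thickness reading recorded out of tolerance",
                  "Batch re-measured with a calibrated gauge and released",
                  "Measurement – Calibration error",
                  "Calibration interval shortened; gauge labelled with due date",
                  "Calibration log checked at the October review", "Inspection"),
    NonConformity("NC-03", "2018-02-20", "Night shift restarted a job already completed",
                  "Duplicate work scrapped",
                  "Management – Communication issues (e.g., shift hand over between operators)",
                  "Written shift handover sheet introduced",
                  "Handover sheets reviewed for two weeks; no repeat", "Production"),
    NonConformity("NC-04", "2018-03-05", "Wrong packaging selected",
                  "Order repacked", "People – Wrong decision was made",
                  "nothing",                                # fails validation
                  "MD signed off", "Dispatch"),
    NonConformity("NC-05", "2018-03-19", "Maths error on quotation",
                  "Corrected quotation issued",
                  "People – Human error",                   # fails validation
                  "Quotation template now calculates totals",
                  "Checked five later quotations", "Sales"),
]

if __name__ == "__main__":
    for nc in RECORDS:
        for problem in validate(nc):
            print("INCOMPLETE:", problem)
    print("trend:", trend_by_category(RECORDS))
    print("no-increase objective met (Mar 2018 to Feb 2019 vs the prior year):",
          no_increase_objective_met(RECORDS, "2017-03-01", "2018-02-28", "2018-03-01", "2019-02-28"))
```

The `trend_by_category` output is the table the article says to chart; adding `nc.department` or the month of `nc.raised` to the `Counter` key gives the “dates or departments” variation it suggests.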
A few thoughts... Posted by epinjen Thu, March 01, 2018 14:59:31
Articles originally posted on LinkedIn on 26th January 2018, 10th and 17th February 2018.
What can we learn from preparing clients for GDPR?
As we march towards the 25th May 2018 and the overwhelming shadow cast by the General Data Protection Regulation (GDPR) looms ever larger, I have begun to notice a couple of trends among clients I have worked with on their data protection management systems. Although the impact and complexity vary from business to business, there definitely seem to be some similarities in terms of what can be anticipated and what appears to be a certainty in terms of preparing for the biggest compliance shift on the horizon.
Of course, these are only personal observations from work I have done on preparing organisations for GDPR. I’m sure every consultant and data protection expert has also seen some of these trends, as well as others. Given how long this list is, I have decided to break it up into multiple parts. This list is not exhaustive, but gives me a chance to highlight the key trends in issues identified from my experience thus far.
1. Suppliers are a lot slower than hoped. Of course, this isn’t true of all suppliers, nor is this a surprise (having worked on ISO 28000 in a past life, nothing suppliers say or do will ever surprise me again). Allow me to use a recent example. During a gap analysis and with nearly the whole management team in agreement, there was an assurance given to me by the MD of the company I was working with that their IT support supplier would respond to all queries immediately, no delay or hesitation - "we ask, they jump". Despite my reservations, I took the MD at their word and when we got to the point where we needed to start engaging with suppliers (sometimes as early as the data protection impact assessment), I found that we were confronted with a brick wall (at worst) or an accusatory “why do you ask?” (at slightly less bad). Of course, the mention of GDPR non-compliance or an assessment of adequacy is usually sufficient to motivate the lacklustre contact at the IT company; however, even then, I have found a number of them to be slow in responding and supporting their client. For this reason, I have started to engage with suppliers much earlier in the consulting process (which ultimately risks delaying other actions). I should also point out that there have been some excellent IT companies and I would be happy to recommend some if anyone is struggling to get the support they need from their existing nightmare / provider.
Time is marching on and it is very much a case of looking after oneself. Frequently, your urgency may not be shared by your supplier, so it is worth factoring this in to your project planning.
2. Put simply, copying your mate’s data protection policies, assessments and procedures does not work. This is an ugly truth within the certification / compliance / management consultancy sector – a lot of my “peers” seem to think it is acceptable to use incredibly generic documents copied from one customer to the next in an attempt to save time, hide ineptitude or, worse, succeed through good luck (as opposed to good judgement), without sparing any thought for the people that have to survive the hurricane that is their service. Every organisation is unique; indeed, some of the solutions for their problems are the same, but each of these has to be tailored to fit. The one-size-fits-all approach of many cowboys is not only unprofessional, but in some cases, dangerous. I was asked to review the policies and procedures of one client following a whirlwind visit by another consultant just before Christmas. Imagine my horror in finding the information flow analysis making reference to the small amount of personal data collected about the contact details of their employed gardeners, but absolutely no mention of the sensitive personal data required to adequately screen and vet their collection of security personnel (a minimum requirement for SIA Approved Contractor Scheme status)! Ultimately, this fails the requirements of GDPR on many levels and leaves the company open to prosecution by the Information Commissioner's Office as well as considerable damage to their reputation (a security company that can't manage their own personal information, how are they to manage your personal information?).
Of course, I continued to work with them to put this right and the important lesson has been understood.
3. When it comes to data privacy, start with the beginning. As obvious as this sounds, it would be easy to not do this. A number of companies have started by hacking away at potential lead lists, needlessly changing processes or inventing forms for managing forms. Instead, a gap analysis could have highlighted the amount of compliant arrangements they already have in place and then taken comfort in their very positive starting point. They could also have completed an information flow register, a processing activities register and a data protection impact assessment, identifying a clear, coherent and balanced action plan. Or they could shoot themselves in the foot and hope that GDPR never happens… I should caveat this a little. I have seen two companies who were already working on ISO/IEC 27001 when they began to work on GDPR compliance. In this case, a thoroughly different approach suited them best, although they would still need to dedicate a lot of time to reviewing their information security policies and arrangements after having done data privacy preparation work.
4. This is the opportunity to get lean. A manager once explained a simple idea to me many years ago (and I wish I had learned more at the time) – it was a customer service role where, in an attempt to be leaner in our processes, every time a customer asked me to do something that cost me time but saved them time, I should ask myself the question “would the customer be prepared to pay extra for this?” Ultimately, they probably wouldn’t. I think the same logic can be applied to personal data. I have found it very useful to ask the question “do I really need this personal data?” when working with clients on data protection management. Of course, if they don’t, it shouldn't be collected in future. It represents a risk to their compliance and, if nothing else, this is more data to manage. If it was necessary, it is always worth checking to see if the personal data had already been collected. In other words, are things being duplicated unnecessarily? In my line of work, that would be considered “continual improvement”.
Preparing for the arrival of GDPR will probably be difficult for most organisations, but aside from the legal compliance, it can be considered as a great opportunity for spring cleaning. It is worth considering using this opportunity to address the mountains of archived records that have built up over the years, “just in case”. It is worth considering using this opportunity to tackle a compliance project in a way that adds value to your organisation. In short, GDPR is an intimidating beast, but the best adversaries always are.
A few thoughts... Posted by epinjen Thu, March 01, 2018 14:50:27
Article originally posted on LinkedIn on 11th June 2017.
The 2015 revision of the ISO 9001 standard has made us all aware of the need to identify the risks and opportunities that our respective organisations are faced with. Current events since then have also made us aware of the complex times we live in. Although I don’t wish to seem insensitive in these times of crisis or appear to jump on the bandwagon, cashing in on the recent tide of fear and insecurity, there is a thought that has been swilling around in my mind since November 2015. An idea which this week’s events have compelled me to put pen to paper (so to speak). With the need to identify and discuss the risks and opportunities that an organisation may face in relation to the context of the organisation, is it reasonable to expect political uncertainty to be a guaranteed risk and / or opportunity for all organisations? If so, can the absence of this consideration in the strategic risk assessment, risk register or management review constitute a non-compliance with this requirement of the standard? Referring back to my earlier statements about not wanting to be insensitive, please allow me to explain.
Please note, this is not a comment on politics or politicians, nor an exercise in lobbying or campaigning, simply an opinion in relation to the management of quality management systems.
There is no requirement to hold an MBA or PhD in political science when reviewing the current political landscape. Regardless of our varied political persuasions, ambitions or beliefs for what is good for the country, operating an ISO 9001:2015 compliant company in the United Kingdom at the moment means having to contend with political uncertainty. The impact of politics on the business world can be reviewed from a number of different perspectives. In terms of legal requirements (focusing solely on your quality management system), we know that in order for significant changes to occur, new legislation needs to be introduced. I attended the Security Industry Authority’s Stakeholder Conference earlier this year and the message was quite simple – no new primary or secondary legislation can be expected anytime soon. Thinking about this from the point of view of a security company, this means that there will be no changes to the current scope of activities requiring a licence, no changes to the legislation that underpins the UK regulator of the security industry and still no appetite to push for business licensing in the security sector. Whether this represents an opportunity (to continue to operate in potentially grey legal areas), or a risk (to continue to operate in potentially grey legal areas), or both, is a decision that each management team needs to arrive at themselves, and to persuade you either way is again not the aim of this post. However, the absence of this matter from any documented evidence – please see the brief list above – indicating that the review or discussion by the management team has at least occurred in relation to political uncertainty must surely mean that clauses 4.1, 4.2 or 6.1 have not been met, at least not in full...
While participating in the management review of a cleaning company in early 2016, I was fortunate enough to be witness to an amazing moment in that company’s history, the moment political uncertainty was finally acknowledged as a risk. There was a lot of discussion surrounding the possible outcomes of Brexit, with the only known-known being the uncertainty of the situation. Sitting across from the Managing Director, we started to discuss Brexit as a risk when the Managing Director intervened to shut down the conversation, stating that "none of their customers were European companies and therefore, Brexit did not present a risk to the organisation". Quizzically, the other members of his management team enquired what percentage of their front-line workforce was from mainland Europe, as well as the countries of origin of their top ten customers whose premises they cleaned. Needless to say, the answers stopped the Managing Director in his tracks. Over 90% of their workforce hailed from Europe and 70% of their customers were American companies, based in London in part because of its proximity to Europe. The realisation that political uncertainty would impact their employees and customers – and therefore their respective availability and potentially purchasing – suddenly hit home and the risk of political uncertainty became a key discussion point in their strategic planning. Over a year later, the focus of uncertainty may have shifted a bit; however, it remains a subject that is still reviewed when planning and considering the future of the organisation.
Indeed, political uncertainty as a risk remains very difficult to mitigate. Some may opt to defer certain decisions or investment, waiting for politically calmer seas, while others may accelerate certain project timetables to avoid having to rush should the clouds not clear. For some, it will also be an opportunity to lobby or capitalise on the indecision of others. In either strategy, the political landscape must be acknowledged, especially the uncertainty that has become somewhat consistent in British business since 2015 (as I write, multiple news feeds are informing me of everything from the likelihood of early elections to subsequent policy shifts, as well as new foolproof cyber protection and a potential cure for the common cold). Should the absence of political uncertainty in quality risk management constitute a non-conformity? For an ISO 9001 certified company, I believe it should. Maybe my view oversimplifies the impact politics has on business. Maybe my interpretation of quality management exceeds the letter or spirit of the revised standard. However, in my humble opinion, failure to consider political uncertainty and to not comply with a clause of ISO 9001 should constitute a non-conformity. Failure to monitor current events and prepare for whatever the future holds may prove to be even more costly than that.
A few thoughts... Posted by epinjen Thu, March 01, 2018 14:47:58
Article originally posted on LinkedIn on 19th May 2017.
Quality management and social media. Not two things I would have previously put in the same sentence. Social media use has long been a scary subject for me from a compliance perspective. From the inevitable posts by former colleagues advertising their entire travel itinerary to a high risk area on business, to the disgruntled former colleague venting their frustration on social media, the plethora of opportunities where someone can (sometimes recklessly) work against the organisation they are employed by has made social media a bête noire for many compliance and quality managers (I am aware of the irony of discussing the compliance issues of social media on LinkedIn, please bear with me).
The digital age phenomenon that is social media isn’t all bad, though. Many companies and professionals use social media to great effect. It provides another dimension to customer engagement and the ability to address interactive and relevant messages to anyone who is prepared to look, listen, see or hear. This has presented an interesting opportunity and challenge for me while performing internal audits for customers and the companies I work with. In addition to looking at the results of customer satisfaction surveys and feedback forms, as well as complaint management and press releases, I have found myself asking the question: does a company’s social media content constitute customer engagement and feedback in relation to its quality management system? Of course, ISO 9001:2015 is not explicit about reviewing social media and instead focuses upon the need to “monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled”.
When I ask companies about customer engagement and social media, the responses vary from acknowledging their company’s various social media pages to an enthusiastic "we are constantly publishing everything". Of course, the quantity and quality of social media use is a subject that could be better addressed by a subject matter expert; however, while incorporating the various strategies into internal audits, I have noticed a trend that worries me as a quality management consultant. It is quite interesting to review the arrangements and activities of these companies; I have seen it creep into more and more internal audits of customer satisfaction, feedback and focus and, on the whole, the monitoring of social media appears to provide a very modern and dynamic means of communicating a company’s message to their clients; however, a lot of negative responses seem to be ignored.
For example, I recently did the audit of customer focus and engagement for one of the many companies that claimed to be very active online, frequently posting, tweeting and sharing with their online community of followers. During the audit, I put the customer’s business into Google and noticed that there were a large number of one star ratings on Google+ for this business. These detailed missed visits, rude staff interactions and even poor driving by company employees in company vehicles. When I approached the management team asking if there had been any complaints or negative feedback, I got a resounding ‘no’. Needless to say, the bombshell that followed when I showed the management team what their customers were telling the online community about the company in question, didn’t make me very popular. After a brief moment of denial, anger, bargaining, depression and acceptance, the mood was further darkened by the acknowledgement that a key part of the social media strategy on other platforms was to drive more traffic and interest through Google to the company’s website. I didn’t feel good about this conversation and I felt even worse after completing the non-conformity report and sheepishly presenting this to the management team. The root cause identified in the report – human error, the company wanted to put their message out there, without acknowledging there would be a response.
At the subsequent visit (yes, they let me back in a few months later), we went back and searched for the company on Google again. Two things were immediately evident – there was already a decrease in the number of one star ratings (largely due to the rollicking all front line employees had received to avoid anyone upsetting any customers in the future) and secondly, where there was negative feedback, the company were very proud to present e-mail evidence of where they had not only monitored and captured the comments, but had used their complaints management process to address these in a structured and controlled way. Additionally, their IT manager was very excited to confirm that traffic to their website had also increased since the non-conformity had been identified.
Social media remains a dynamic platform whose benefits, despite my past reluctance, even I can acknowledge in an ever more dynamic market place. I maintain that it can present more than its fair share of human resources nightmares; however, having seen how a bit of sideways thinking can be applied to ISO 9001, I am increasingly convinced of the merits of including social media inputs and outputs in the monitoring of customer focus and satisfaction. I still believe that social media will continue to present a unique set of challenges to quality managers; however, it is a part of the 21st century business strategy and should be embraced, not feared.
For today’s quality management system to continue to ignore the benefits and costs of social media would be to ignore a very modern problem solving resource – good, old fashioned customer feedback.
A few thoughts... Posted by epinjen Thu, March 01, 2018 14:33:06
Article originally posted on LinkedIn on 29th January 2016
Having made it through the first few months of 2018, there is almost certainly one subject that would have been discussed in board rooms, break out areas and project meetings at some point in January: “should we do the ISO thing this year?” For many, the subject would have been thrown around, maybe even had some cost (financial, emotional or technical) attached to it. Finally, a resounding “let’s do it!” would have been the answer provided by those in the decision making roles. Of course, undertaking this project is daunting; it can be a complex and taxing task, therefore those who rationally postpone the inevitable for another year are possibly right to do so.
However, may I suggest a better course of action?
Of course, this may seem like another consultant desperately trying to generate leads by stating in my most compliant tone “thou must do ISO” (whatever this actually means). Instead, I hope you will see this post not as a well-crafted sales pitch (if I do say so myself), but as a “benefit of my experience” recommendation, which is how it is intended to be read.
Disclaimer completed, the alternative approach I would like to suggest to anyone contemplating ISO certification in 2018 is to start now. Not next January when the same discussions will take place, not once the financial year is over and done with; do it now, as soon as you can get something prepared and feel confident enough to lead the charge. By this, I mean lay down some of the foundations for the heavy lifting to come, and delicately introduce the concept of a management system in a way that does not send the compliance dodgers or those afraid of change (metathesiophobics, apparently) running for the hills. What if you try gently adding a few “vegetables” of control to the plate and encourage your colleagues, peers and management to give them a little try? You never know, they might like it.
Do you know where to begin with this process? Should you write down all the procedures, processes, policies, authorities, meeting minutes and passwords so as to establish the management system’s omniscience? Should you document control and risk assess every single piece of paper in the office only to find that drawer where an intern printed and then hid every document the company ever produced in an attempt to leave an organisational mark on the company? Should you shred, shred and maybe shred again? Strangely enough, none of these possible actions make it into the list of recommended starting points below. There are probably others and I’m sure that many of us will feel more comfortable with some more than others.
1. Get the Name Right – Minding your Language!
It may seem very simple and maybe a little simplistic, but not referring to certification as “the ISO” (especially as not all certification is “ISO”) will make an extraordinary difference to the mind-set of the people you are looking to win over. Being precise about the title (for example, ISO 9001) will prove more engaging than the (dreaded) “ISO”. If you want to go a step further, try referring to it as a quality management system. Strangely enough, if you are providing the product or service that another party is buying, you are already operating within a quality management system. I have found that calling this “monster” by its real name demystifies it a little bit.
2. Introduction to Management Systems – The Common Enemy!
If presented with some facts about management systems and standards, your colleagues will be more willing to take it on board and engage with it, particularly if it isn’t your MD telling them but a neutral voice outlining the requirements of leadership, management responsibility and “support coming from the top down”. A very canny manager could arrange for part of a team building day to be spent listening to a presentation where these new weird and wonderful ways of torturing those in the ivory tower are presented by a newcomer to the group. Needless to say, the human ability to evolve one’s thinking is never more evident than when people realise how much more inconvenient it would be to the MD than to themselves; a reluctant team can unite around the impending fresh hell your Directors are now facing.
3. Internal Auditing – Knowledge Dispels Fear!
Everyone’s least favourite part of implementing and maintaining a management system is the checking; more precisely, internal auditing. For a lot of organisations, this is something that is introduced towards the end of the implementation process. Here is the twist: providing you have the competent resource at your disposal, introducing this far from excruciating process before the rest of the management system yields three important benefits. Firstly, it will take the fear out of the internal auditing process when those overwhelmed with fear realise there is nothing to be afraid of, especially as there is no certification in jeopardy (a common irrational fear attached to internal auditing). Secondly, when everyone realises that most processes are actually done properly most of the time in most organisations, that knowledge will dispel the fear not only of checking, but of the eventual certification. Finally, internal auditing is the opportunity to test, stress and push a management system in a safe environment. It is certainly a safer way of determining the tensile strength of your system than waiting for your biggest customer to pile on the pressure. Come January 2017, you will find you are in a much healthier mind-set to move forward with a real objective: compliance with the chosen standard.
4. Risk – Not just a Board Game!
If certification in 2017 is your objective, then you will find a likely increase in the focus upon risk. As has been commonplace with risk assessments, threat assessments and impact evaluation surveys in their respective management systems for some time, risk based thinking, and in particular the documenting of risks and opportunities, will provide you a unique opportunity to really examine the robustness of the arrangements in place. Whether the risks are operational, financial or compliance by nature, establishing a risk register or a strategic risk assessment is a fantastic starting point for any management system. In either case, your company will probably be confronted with the notion of risk tolerance or business continuity for the first time. It is important to remember that this approach may present added complications and, if mismanaged (used as a stick to beat perceived or real underperformers), it can be incredibly unpopular, divisive and, on occasion, nothing short of brutal. Competence is a key part of any successful strategy that focusses upon risk. The standard ISO 31000:2009 Risk Management – Principles and Guidelines is a fantastic way to learn, to scope and to structure your approach to risk management; quite simply, it is a must read for anyone approaching a risk management system or a certification process based on risk (in my opinion, it should be compulsory reading for anyone in a management role). Ultimately, if risk is approached properly, you can stimulate some of the healthiest conversations your company will ever have, and it will give you the confidence to cope with the rough as confidently as you cope with the smooth.
5. Gap Analysis – Open the Gates!
A gap analysis can be a very effective tool for introducing the requirements of a management system, gauging where your organisation is in relation to the standard you want to achieve, or simply giving everyone the opportunity to experience a bit of healthy scrutiny. Much like the internal audit (as outlined above), there is a degree of “no harm, no foul” (compliance wise) as there is no certification at stake. As such, if the evidence suggests that the standard isn’t being met, then OK, the standard isn’t being met. In the worst case scenario, you may identify areas where you know improvement will be required in the future. In the best case scenario (and this is the outcome you will see most often), there is a desire to change before the implementation, planning, checking and scrutinising starts for real further down the line. Of course, there is always the possibility that most businesses do quite well (a tendency I have seen very often; it is never as bad as people think it will be). Surprisingly, seeing your work get any kind of approval tends to look quite good on your own self-assessment.
6. Supplier Evaluations / Due Diligence – Know Thy Neighbour!
An area where a lot of companies seem to struggle, mostly due to time constraints and partially because the reward is less evident in the short term, is evidencing the justification for using this supplier instead of that one, or outsourcing to so and so as opposed to the other company next door; the list is endless and irritating. In much the same way as you demonstrate how competent your staff are through the development of personnel files, training matrices and career development plans, this logic can be and should be applied to those outside of your organisation upon whom you are dependent. It can be as simple as taking your customer’s requirements (often established in the contract) and asking your suppliers or outsourced service providers how they are going to make sure that, when they get it wrong, you don’t have to get it wrong too. Is it unfair to ask your supplier to justify the trust you have put in them? If you think it is fair to expect your supplier to be suitably insured, certified, financially solvent and to guarantee you a designated account manager, just ask. Remember the first rule of logistics: if you don’t ask, you won’t get.
7. Do some Research – Wise Up!
Some of you may have experienced some hostility from co-workers, employers or employees regarding your pro-certification stance during the January discussions (as outlined above). If this is the case and all of the above has not worked, been thwarted, or you just don’t have the resources to make it work, then stop what you are doing and step away from the standard. Counter intuitive as it may seem, there is always the possibility to draw inspiration from outside your organisation. What logos are on your competitors’ websites and should the same be on yours? How did your suppliers or customers achieve this success? If we sifted through our LinkedIn contacts, I’m sure we could all find plenty of people who wouldn’t mind taking five minutes to share some suggestions with you (if nothing else, it probably beats reading this post). The important things to understand here are that you are not the first and certainly not the last to be looking at certification with fear and loathing, and that a bit of perspective can be as healthy as any kick off meeting, brainstorming session or late night spent searching the internet for the elusive secret to certification in five minutes.
Of course, any legal, statutory, regulatory or customer requirement to go ahead with certification will make these recommendations obsolete in terms of easy going management system implementation. If it is critical for your business, get the standard and begin the work immediately. For those who have a luxury (or curse) of time, then “make hay while the sun shines” and enjoy a challenging, but rewarding experience.
It is worth remembering that some of the recommendations may well be scheduled for implementation in January 2017 and may then become “urgently mandatory” as opposed to the “relaxed optional” of Q1 2016. I would encourage anyone to begin this undertaking during the “relaxed optional” time, resource permitting. However, I’m sure that, like most companies, there is barely enough time to do the work in front of you now, let alone the work that will be expected of you in twelve months’ time. If this is hitting a little too close to home for you, then best of luck and get back to work. If I may, I would like to offer one last recommendation which will never do any harm to a management system: say what you do, then do what you say.
If your company can do that, you are already doing better than most.