How To Write A Nonconformance

Audit reporting requires a complete picture – to report the good as well as the bad – but in this post I want to concentrate on how we construct nonconformances. Depending upon how adversarial the audit relationship is (and some of them can be very adversarial) you might need to be forensic in our choice of words, with watertight nonconformances. You won’t normally need to be so forensic in your choice of words when reporting the good points because, let’s face it, nobody ever challenges the positive findings.

The problem with nonconformance reporting is that many can be written in an unhelpful, general, consultative and even downright confusing way. “x is inadequate”, “y is insufficiently robust”, “the requirement for z is not fully met”. None of these statements give the required level of clarity that the auditee deserves. Frankly, it’s lazy. So what should a solid nonconformance report contain? Well, here’s the formula …

The 1-2-3 Trick

A solid nonconformance report will contain three components, and will be written in a clear, objective way.

  1. Quote the requirement that has been breached. Most auditees don’t have a detailed knowledge of the audit criteria, so help them out by being specific. This also creates the basis for objectivity.
  2. Describe how the requirement has been breached. Again this is useful information. It helps them understand the gap between the requirement and what is currently happening and, consequently, will give them a starting point with regard to how they may correct the issue.
  3. Detail the Evidence. You will have a reason for raising the nonconformance and this should not be limited to a feeling in your water. You should have evidence, so tell them what it is. Not only does this give them the opportunity to check it themselves if they doubt you, but it also gives them a starting point for their investigation, rather than having to find the problem all over again from scratch.

At the first level, think about writing out your nonconformance in that way as a test for yourself. If you can’t describe it in those terms you have to consider whether you can defend the nonconformance if it is challenged, and you probably can’t. At the second level you are giving the auditee everything they need to know about the requirement, the breach and where you found it. It will be specific enough to be helpful, evidenced and objective.

Posted in Auditing | Tagged , , , , | 1 Comment

ISO 9001:2015 External Issues

What is the new requirement?

Clause 4.1 of ISO 9001:2015 requires the organisation to;

“determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system”

and that the organisation shall;

“monitor and review information about these external and internal issues”

In this post I will explore what that actually means and offer some suggestions and examples of how an organisation might demonstrate conformance to this requirement, focussing in this post specifically on external issues. For more background information on the wider requirement and on internal issues, you might find some useful guidance in this earlier post.

Determining and Reviewing External Issues Systematically

Let’s face it, most organisations will have a fairly intuitive grasp of the most pertinent external factors that affect the success and operation of its processes. You learn that by trial, error and often bitter experience. The challenge that management system conformance and certification throws at you is to be able to demonstrate that this important dynamic is processed somehow systematically and in an auditable way. It’s all very well simply “knowing” what they are and “naturally taking them into account on an ongoing basis” but that’s not really systematic or auditable, and therefore, for certification purposes, not much of a response. So what are the alternatives?

PEST Analysis

Some organisations I work with use a periodic PEST analysis to apply a framework to this exact process. Like a SWOT analysis (Strengths-Weaknesses-Opportunities-Threats) its an acronym, and works in exactly the same way – to add structure to the review process, forcing management to revisit specific areas. So what is PEST?

I’ll have a “P” please, Bob

P is for POLITICAL. The P in PEST encourages the organisation to consider the political issues that can have a positive or negative affect on how the organisation works, so what could that include? Well, the recent decision of the UK to exit the EU is a massive and (at the time of writing) a major political event that could have significant effects on how an organisation operates. It will probably affect trade relationships (for better or worse we don’t yet know!), it may well also affect the organisations ability to recruit and employ non-UK citizens. Additionally, if the organisation receives a lot of its income via projects funded by, say, the European Social Fund (ESF), then the Brexit implications could well be severe. Other examples could include trade sanctions status. If the organisation has significant trade interests with, say, Iran or Russia, it would certainly need to keep in view the current nature of sanctions relevant to their operations which, at various points in time, may even become illegal. There are also ongoing domestic political issues that affect organisations. Public Sector bodies are always affected by current Government Policy, which sets both Public Sector policy and provides (or doesn’t) funding.

Gimme an “E”

E is for ECONOMIC. Economic factors affect virtually every organisation, but they aren’t the same for everyone and the scale is different for everyone, so what are the common examples? Well, the price of commodities is often a big issue. Oil prices on the world market have been depressed for some time. For some companies (for example those directly involved in the extraction of oil from the ground, and providing support for companies that do), the effects lately have been adverse and significant. Rates of pay have been cut, operations have been scaled back and people have lost their jobs. All these trends may of course be reversed as and when the oil price returns to a certain value, but clearly the oil companies need to monitor this very carefully, as the entire viability of their operation is reliant on that issue. However the fall in oil prices have not been bad for everyone. Organisations that produce chemicals that are derived from oil have seen the fall in price work in their favour – their costs have reduced. Transportation costs have also reduced as a consequence of falling fuel prices. However it’s not all about the price of commodities. Other economic factors that can affect the viability of the operation are trading conditions (often as a result of political issues), the availability of alternative options for customers and the price of alternatives (cheap imports, for example), or simply the liquidity of an organisation at a point in time and how much cash on hand it has.

“S” is for …

SOCIAL. Some organisations are affected significantly by social factors. Some products are massively affected by social trends. What may be the pinnacle of fashion one week, may be the least desirable thing to possess one month later (selfie sticks, shell suits, Gary Glitter CDs …). In understanding social trends, it is clearly important that the organisation understands the things that influence trends. For example, the ingredients used by TV chefs in their recipes significantly affect demand for that ingredient almost overnight, while a food scare (processed meat, saturated fat in fast foods) might affect consumer behaviour, for a time, in a very negative way. Obviously many large fast food, beverage and cosmetics companies actively seek to affect, manipulate or even dictate trends, and invest very heavily in doing it, so important a factor that it is. The demand for other products and services can be very seasonable or weather dependent (ice cream, lawn mowers, outdoor equipment …). This will obviously have an impact on production levels and also recruitment, which itself may be very seasonal. Bear in mind that what may be out of fashion in one market, may be the height of fashion in another (apparently in some countries they still LOVE Old Spice!). Companies that provide products and support of a medical nature will be affected also by world events such as outbreaks of diseases such as SARS or Ebola, so naturally they would need contingency plans to be able to move quickly whenever the World Health Organisation puts up a red flag.

“T” is for ….

Technological. Some companies are heavily impacted by technology, and will need to work hard to stay up to date with developments. Technology has a habit of (very quickly) creating new markets, drastically changing others and, at the same time, wiping others out in the blink of an eye. On a less dramatic level organisations may simply keep an eye on technological advances to see if better ways of working are being made possible (new machinery or ways of communicating, for instance) or even offering more user friendly options for maintaining a management system! This can include the use to a greater or lesser degree of cloud based storage systems, software and dashboard applications to replace documented procedures, using tablets with integrated templates to write up your audits and so on.

Anyway, I hope this post has given you some food and direction for your thought processes as you face your transitions. Done correctly, it is a review process that can add significant value to the efficiency of the organisation’s strategic processes.

Shaun Sayers

Posted in Auditing, ISO 9000, ISO 9001:2015 | Tagged , , , , , , | 8 Comments

ISO 45001 Update

Current status as at June 2016

The development of ISO 45001 has been beset by delays as consensus amongst participating national bodies has been difficult to achieve. This led to the aim that ISO 45001 would be issued in October 2016 and that the FDIS stage would be omitted from the process (that is, it was hoped that comments and issues relating to the DIS would be minor and enable the process to proceed directly to the issue of the standard). Unfortunately this did not happen. The volume of comments and concerns raised by participating national bodies was very high and consequently ISO 45001 and the process of further consultation, will require a significant amount of work, meaning that, at this stage, the very earliest we can expect the standard to be issued is Quarter 4, 2017. The current most optimistic timelines for the publication of interim consultation documents are:

Second Draft International Standard: December 2016

Final Draft International Standard: Quarter 3, 2017

Those of you that have been following the saga may recall that some time ago it was somewhat optimistically hoped that ISO 45001 could be issued without the publication of an FDIS. Not only has that not happened, but we’ve even ended up with 2 DIS publications instead of the usual one.

Impact on OHSAS 18001/ISO 45001 certification

If we work on the optimistic assumption that ISO 45001 is issued in Quarter 4 2017, then that will mean organisations that hold OHSAS 18001 certificates will have until Quarter 4 2020 to manage the transition and certify to the new standard (i.e. 3 years from the date of issue). However it should be borne in mind that once the new standard is issued, it will be a few months before most certification bodies have completed their own approval process with their Accreditation Body (e.g. UKAS), so the earliest certifications to the new standard will not now be until 2018.

Impact on OHSAS 18001 Lead Auditor Training

This year has seen an understandable reduction in the number of students taking the OHSAS 18001 Lead Auditor Course, as was the case the previous year with the ISO 9001 and ISO 14001 courses. People that are in a position to delay taking the course are understandably keen to take the course after it incorporates ISO 45001. The likelihood now is that the earliest that an ISO 45001 Lead Auditor Course will be available will be Easter 2017. In considering whether to take the OHSMS Lead Auditor Course, it should be remembered that when ISO 45001 is issued, OHSAS 18001 is neither withdrawn nor rendered redundant. In fact, given that the 3 year transition process will now stretch to mid-2020, it now means that most organisations that hold OH&S management systems certification will remain certified to OHSAS 18001 until at least 2019, and most audits before that time will be to OHSAS 18001 rather than ISO 45001. So the current iteration of the course is far from on its last legs.

ISO 45001 Transition Training

It is anticipated that a 1 day IRCA approved transition module to ISO 45001 will be available sometime in the final quarter of 2017. This assumes the optimistic estimates for the issue of ISO 45001 do not suffer further delays.

Reasons for the delay?

The specific issues raised by the consultation process have not been published so, at this stage, I can only speculate. At earlier stages in the review process, the new Annex SL definition of Risk (the effect of uncertainty) was an area of disagreement and concern. It could be that these concerns were not sufficiently addressed by the DIS. Additionally, from my own perspective, I did note that the the level of participation and consultation required by the DIS had increased compared to OHSAS 18001 requirements, to the extent that virtually every decision and piece of information relating the the OHSMS was now required to be run past the workforce (including audit findings, management review outputs, OH&S objectives). I could see many people considering this as inordinate, excessive and impractical. Frankly it looked to me that the whims of some unions had been indulged too freely – but that’s pure speculation and opinion on my part.

Here’s a link to the IOSH statement on the delay. Since that time, there has been a meeting of the International Committee during which the target milestones for the second DIS and the FDIS were agreed.

Shaun Sayers

Posted in IRCA, ISO 14001, Occupational Health & Safety, OHSAS 18001 | Tagged , , , | Leave a comment

ISO 9001:2015: A Dystopian Nightmare

We don’t need no ………….  documented procedures …

I’m having a laugh, of course, but then there’s a lot to laugh about, just now.

ISO 9001:2015 does not require ANY documented procedures and, in the words of Sarah Palin, heads are spinning. Is panic too strong a word to use? Possibly not. After all, what is an auditor to do when they ask to see a procedure, only to be confronted with an answer and a statement of fact;

“We don’t have a written procedure and the standard doesn’t require us to have one”

Where does that leave the auditor? The auditee has NO procedure and they can’t be FORCED to have one? Are there no rules anymore? Does that mean we have to accept everything and anything? Fear not, here comes the lifejacket, and I’ll try to make the lesson really simple.

Stop asking for “procedures” and start asking about “CONTROLS”

There was a time, years ago, when “controls” and “procedures” were tantamount the same thing. Documented procedures were BY FAR the most widely applied control, so asking for “the procedure” was a much more reasonable request. Those days are gone, and ISO 9001:2015 has tried to reflect that. It has tried to reflect the way organisations manage their affairs in the 21st Century and, unfortunately for the lazier auditor (and those that are just plain thick), this will involve “documented procedures” to a lesser and lesser extent. Organisations often do things differently.

So, whilst it is true to say the standard no longer requires any specific documented procedures, it DOES require auditable controls. That is, a controlled way of managing work activities that generates records of conformity. That is the whole purpose of an auditable management system. More and more these days that will involve the use of technology. The result is that where in the past where we’d have had documented procedures, we might now see software, on-line tools, menu driven screens and dashboard applications. Those are just a few examples.

Procedures may still be used of course, but they are just ONE option that an organisation has for exercising control, so it really is time to stop asking for procedures – and generating an increasingly predictable response (see above) – and to start asking about CONTROLS. Remember, it’s all about context now, and one “context” issue that affects absolutely everyone is that it is no longer 1995 …

Obviously this relies on the auditor understanding the concept of “auditable control” of course …

Shaun Sayers

Posted in ISO 9000, ISO 9001:2015 | Tagged , , , | 1 Comment

ISO 9001:2015 Human Factors

Most people that know anything about management systems understand that human factors have to be accounted for. You can’t simply write a procedure or implement a control and then assume that it will be adhered to. People are not like that. People can be lazy, selfish, tired, distracted, hacked off … all of which can reduce the chance that a procedure, no matter how correct and communicated, may not be followed all of the time.

In general terms that means that a system manager should try so far as is possible to make the RIGHT thing to do also the EASIEST thing to do, as this dramatically increases the chances of conformance. Things that can’t be made easy (some things just are complicated) probably need a high level of monitoring (to account for the medium/high risk of nonconformance through poor understanding, laziness, short cuts or whatever).

At the time of writing, most of us are at the “theoretical” stage of understanding how ISO 9001:2015 will work. That is, we can see how it looks, but we don’t really know the levels that the certification bodies will operate at in terms of what they will and won’t accept. That process (which tends to work by custom and practice, osmosis even) will take some time to reveal itself. That said, I’ve noticed a couple of curious things that have not previously appeared in the standard that COULD have a significant impact – and the things I’m going to write about are very much hidden in the detail …

Controls to Prevent “Human Error”

How often is “human error” used as the Corrective Action Get Out Of Jail Free Card? Quite often, in my experience. Well, given the specific reference in Clause 8.5.1g, the options for organisations to use that excuse should be limited. Controls should seek to include actions to PREVENT HUMAN ERROR. Therefore, if human error is the cause of the nonconformity, then that Process Control requirement is not met. It will be interesting to see how that is audited (if it gets audited at all). At this stage I can’t help thinking that the standard might have been better if the aim to prevent human error was also included in the Nonconformity and corrective action clause too. It is very easy to overlook …

The “Social” and “Psychological” Work Environment

Good Lord! The requirements of clause 7.1.4 require that the organisation in terms of its work environment considers the following issues … (and I must to quote)

“Social (e.g non-discriminatory, calm and non-confrontational; and

Psychological (e.g. stress-reducing, burnout prevention, emotionally protective)”

Are they desirable attributes of an effective workplace? Well, yes they are, with the concept I have no problem. What I am looking forward to with a mixture of anticipation, trepidation and amusement is how they will be applied. Let’s think this through. How on earth will a QMS auditor interpret that? Quite aside from the fact that you are highly unlikely to witness highly charged and stressful events actually DURING the audit (because people are told to bite their tongues for a day) this could have significant legal implications for the company in countries where the employment laws deem stress, bullying, discrimination and so on to be unlawful. Are QMS sufficiently well versed in Employment Law so as to be legally correct in the call they make? In my experience they aren’t. Certification Bodies had better get their lawyers on standby.

I think this requirement, no matter how noble in its intent, is practically unenforceable. My guess is that this will actually be ignored.

Let’s see how these things move on. Time to get out the popcorn and plump up a cushion …

Shaun Sayers

Posted in ISO 9000, ISO 9001:2015 | Tagged , , , , , , | 3 Comments