ISO 9001:2015: A Dystopian Nightmare

We don’t need no ………….  documented procedures …

I’m having a laugh, of course, but then there’s a lot to laugh about, just now.

ISO 9001:2015 does not require ANY documented procedures and, in the words of Sarah Palin, heads are spinning. Is panic too strong a word to use? Possibly not. After all, what is an auditor to do when they ask to see a procedure, only to be confronted with an answer and a statement of fact;

“We don’t have a written procedure and the standard doesn’t require us to have one”

Where does that leave the auditor? The auditee has NO procedure and they can’t be FORCED to have one? Are there no rules anymore? Does that mean we have to accept everything and anything? Fear not, here comes the lifejacket, and I’ll try to make the lesson really simple.

Stop asking for “procedures” and start asking about “CONTROLS”

There was a time, years ago, when “controls” and “procedures” were tantamount to the same thing. Documented procedures were BY FAR the most widely applied control, so asking for “the procedure” was a much more reasonable request. Those days are gone, and ISO 9001:2015 has tried to reflect that. It has tried to reflect the way organisations manage their affairs in the 21st Century and, unfortunately for the lazier auditor (and those that are just plain thick), this will involve “documented procedures” to a lesser and lesser extent. Organisations often do things differently.

So, whilst it is true to say the standard no longer requires any specific documented procedures, it DOES require auditable controls. That is, a controlled way of managing work activities that generates records of conformity. That is the whole purpose of an auditable management system. More and more these days that will involve the use of technology. The result is that where in the past we’d have had documented procedures, we might now see software, on-line tools, menu driven screens and dashboard applications. Those are just a few examples.

Procedures may still be used of course, but they are just ONE option that an organisation has for exercising control, so it really is time to stop asking for procedures – and generating an increasingly predictable response (see above) – and to start asking about CONTROLS. Remember, it’s all about context now, and one “context” issue that affects absolutely everyone is that it is no longer 1995 …

Obviously this relies on the auditor understanding the concept of “auditable control” of course …

Posted in ISO 9000, ISO 9001:2015

ISO 9001:2015 Human Factors

Most people that know anything about management systems understand that human factors have to be accounted for. You can’t simply write a procedure or implement a control and then assume that it will be adhered to. People are not like that. People can be lazy, selfish, tired, distracted, hacked off … all of which can reduce the chance that a procedure, no matter how correct and well communicated, will be followed all of the time.

In general terms that means that a system manager should try so far as is possible to make the RIGHT thing to do also the EASIEST thing to do, as this dramatically increases the chances of conformance. Things that can’t be made easy (some things just are complicated) probably need a high level of monitoring (to account for the medium/high risk of nonconformance through poor understanding, laziness, short cuts or whatever).

At the time of writing, most of us are at the “theoretical” stage of understanding how ISO 9001:2015 will work. That is, we can see how it looks, but we don’t really know the levels that the certification bodies will operate at in terms of what they will and won’t accept. That process (which tends to work by custom and practice, osmosis even) will take some time to reveal itself. That said, I’ve noticed a couple of curious things that have not previously appeared in the standard that COULD have a significant impact – and the things I’m going to write about are very much hidden in the detail …

Controls to Prevent “Human Error”

How often is “human error” used as the Corrective Action Get Out Of Jail Free Card? Quite often, in my experience. Well, given the specific reference in Clause 8.5.1g, the options for organisations to use that excuse should be limited. Controls should seek to include actions to PREVENT HUMAN ERROR. Therefore, if human error is the cause of the nonconformity, then that Process Control requirement is not met. It will be interesting to see how that is audited (if it gets audited at all). At this stage I can’t help thinking that the standard might have been better if the aim to prevent human error was also included in the Nonconformity and corrective action clause too. It is very easy to overlook …

The “Social” and “Psychological” Work Environment

Good Lord! The requirements of clause 7.1.4 require that the organisation in terms of its work environment considers the following issues … (and I must quote)

“Social (e.g. non-discriminatory, calm and non-confrontational); and

Psychological (e.g. stress-reducing, burnout prevention, emotionally protective)”

Are they desirable attributes of an effective workplace? Well, yes they are, with the concept I have no problem. What I am looking forward to with a mixture of anticipation, trepidation and amusement is how they will be applied. Let’s think this through. How on earth will a QMS auditor interpret that? Quite aside from the fact that you are highly unlikely to witness highly charged and stressful events actually DURING the audit (because people are told to bite their tongues for a day), this could have significant legal implications for the company in countries where the employment laws deem stress, bullying, discrimination and so on to be unlawful. Are QMS auditors sufficiently well versed in Employment Law so as to be legally correct in the call they make? In my experience they aren’t. Certification Bodies had better get their lawyers on standby.

I think this requirement, no matter how noble in its intent, is practically unenforceable. My guess is that this will actually be ignored.

Let’s see how these things move on. Time to get out the popcorn and plump up a cushion …


Posted in ISO 9000, ISO 9001:2015

ISO 9001:2015 Revised Quality Management Principles

The principles of quality management can be considered “threads” of good business practice that should focus the application and intent of the ISO 9000 series. ISO 9000:2015 provides guidance on the way that these principles should be applied:

Customer focus

“The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations”


Leadership

“Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives”

Engagement of people

“Competent, empowered and engaged people at all levels throughout the organization are essential to enhance the organization’s capability to create and deliver value”

Process approach

“Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system”


Improvement

“Successful organizations have an ongoing focus on improvement”

Evidence based decision making

“Decisions based on the analysis and evaluation of data and information are more likely to produce desired results”

Relationship management

“For sustained success, organizations manage their relationships with relevant interested parties, such as providers”

The principles underpinning ISO 9001 have therefore been reduced from 8 to 7. Customer Focus, Leadership and the Process Approach remain, Continual Improvement becomes “Improvement”, a Factual Approach to Decision Making becomes “Evidence Based Decision Making”, Involvement of People becomes “Engagement of People” and finally Mutually Beneficial Supplier Relationships becomes “Relationship Management” (taking into consideration more than just suppliers). The Systems Approach to Management is the casualty in the revision.

It is important that we appreciate that these principles are themselves interdependent. A system, by definition, is a set of inter-related activities and processes. Nothing should be viewed in isolation, and an effective QMS depends on effectively managing both the little picture (the detail of the procedures) and the big picture (but are we still in business?).



Posted in ISO 9000, ISO 9001:2015

ISO 9001:2015: Internal and External Issues

All management systems adopting the Annex SL format are required to identify and, as appropriate, manage the management system’s internal and external issues. This will initially require an organisation to determine the scope of the management system, then to understand the processes within its scope, and then to further understand how they inter-relate both internally and externally.

Determining the Scope of the Management System

The requirement to determine the scope of the management system remains a requirement of ISO 9001:2015. It also remains a mandatory documentary requirement; however, there is no longer any requirement as to where it must be documented (in ISO 9001:2008 it was required to have been documented with the Quality Manual). The issue of applicability remains within ISO 9001:2015. This means that, in certain circumstances, some of the requirements of ISO 9001:2015 may not be applicable to some management systems. The word “exclusion” no longer features; however, clause 4.3 still states that:

“The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organisation determines is not applicable to the scope of its quality management system”

 Exclusions, therefore (in the ISO 9001:2008 use of the word), may still be claimed, and must still be justified, so in that sense there is no major change. In other words, and for example, if the organisation has no design and/or development function then it may state that the requirements of clause 8.3 do not apply. Clearly this claim of non-applicability must be consistent with the nature of processes that operate within the scope of the QMS in order for that claim to be justified.

ISO 9001:2015 does not put any limits on claims of non-applicability in the way that ISO 9001:2008 limits claims of exclusion to its clause 7. This places greater emphasis on the organisation to provide detailed justification if it is to make any claim of non-applicability.

The Quality Management System and its Processes

Some processes will be purely internal, IT Support, for example, while other processes may interface with external bodies such as customers, suppliers and regulatory bodies. The Annex SL definition of a process is;

“Set of interrelated or interacting activities which transforms inputs into outputs”

 (Annex SL definition of Process)

Whilst it is important to understand how each process works, in terms of its individual inputs, outputs, objectives, the efficiency of the process flow and so on, it is also important to remember that the management system will contain several processes, and the efficiency and effectiveness of the system will depend to a large extent on how well these processes are harmonised as part of a cohesive system.

Needs and Expectations of Interested Parties

Some processes will interface with external parties, most commonly customers, regulators and suppliers. The effective operation of processes that interface with external interested parties will, as a minimum, require the organisation to understand the inputs and expected outcomes from these processes in order that the needs and expectations of the interested parties can be served.

Customers and regulatory bodies in particular are critical to the long term success of the organisation and it is important that any processes that interface with these parties are appropriately monitored and measured in order to ensure that their needs are being fulfilled.

A word of caution

Be careful not to get too carried away identifying every conceivable “internal and external issue” – remember the standard is only interested in those that have an effect on the QMS. The trouble with creating an exhaustive list of every internal and external issue you can think of is that it opens Pandora’s Box, because the requirement does not end with simply identifying them. Once issues have been identified, the standard requires that they are then monitored, evaluated and reviewed on an ongoing basis. Therefore, just as it is bad practice to create a “Corporate Risk Register” that contains every conceivable, barely conceivable and improbable risk, it is bad practice to over-burden your QMS processes with “internal and external issues” that are insignificant.


Posted in ISO 9000, ISO 9001:2015

ISO 9001:2015 Risks and Opportunities

I actually found it quite difficult to form a clear opinion about this new requirement when all we had to go off was academic discussion and argument. Now that we have the benefit of a few concrete worked examples to play with, my thoughts are becoming clear and … it could work.

The New Definition of Risk

Redefining “risk” as the effect of uncertainty caused me both confusion and concern. Frankly I didn’t see the point in messing with a definition based on likelihood x severity – it actually works and is hard wired into so many business processes. But I’m now coming round to it …

The penny dropped when I was working with the API Q9 standard earlier in the year. This standard has risk treatment ingrained front to back, more or less, and requires that uncertainties (risks) are identified, assessed and covered with contingency as appropriate. That’s it. Deming said years ago that not all management information was known or even knowable, and all the standard is asking is that companies take account of the unknown and unknowable in the form of planning contingencies. A company, let’s say, could be reliant on a single supplier – what happens if that supplier has problems or starts abusing its position? In this case a contingency of a back-up supplier would be prudent. Do the distribution processes take account of transport infrastructure disruption or weather? Can the production facility cope with infrastructure failure or a loss of internet access?

Upside and Downside Risk

This thought process also helped me to get to grips with another concept I’d been struggling with – upside risk. I had no problem understanding that upside risk was a piece of good fortune, but I did struggle to understand how a management system could be expected to plan for it, but again here’s an example. Let’s say a company launches a new product. In basic terms things can go OK, or they can go less than OK, or they can go better than OK. Just as a management system is expected to apply appropriate contingency to account for undesirable events (downside risks), it naturally should also take reasonable account of better than desirable events, because that sometimes happens. In other words, if things go brilliantly well, how does the company cope? There’s your upside risk. I’ve actually had numerous clients that have found themselves victims of their own success when demand has outstripped their ability to supply. It isn’t uncommon.

And Opportunities?

The treatment of the requirement to manage “Opportunities” is a car crash waiting to happen, in my opinion. The reason I say this is because there is no normative reference for the term “Opportunity” in either Annex SL or ISO 9000:2015, so we are very much at the mercy of the linguistic interpretations of our auditor … Oh dear.

How would I interpret it? Well, in my working life, the closest thing I’ve encountered to a systematic management of “Opportunities” has been an Investment Appraisal process. That’s a process by which, prior to any decisions being made at a high level, the management are presented with projections that usually outline best, worst and most probable case scenarios, along with projected costs, benefits, risks and obstacles. Management will then usually make a judgement based on that information, along with a few other considerations, such as whether the venture fits with current Policy or the Brand, whether the company has cash on hand to fund the project and so on. As an example, British Nuclear Group may spot an Opportunity to make a killing by opening a bakery on each of its major facilities. Financially that might make good sense, but is it something an organisation like that should be doing?

Often the result of discussion is the approval of a pilot or a controlled trial and error project, but it is a hugely complex decision making process, much more complex than weighing up cost versus benefit and seeing which is bigger.


What will happen as ISO 9001:2015 assessments begin in anger? My fear is that a lowest common denominator will be found. That is, what is the least a company need do to comply? If I were a betting man I would put a decent amount on that being a retitling of the “Preventive Action” procedure to something like “Management of Risks” and a superficial and pointless SWOT analysis being pasted into the Management Review process. Let’s hope we’re better than that.


Posted in ISO 14001, ISO 9000, ISO 9001:2015