We don’t need no …………. documented procedures …
I’m having a laugh, of course, but then there’s a lot to laugh about, just now.
ISO 9001:2015 does not require ANY documented procedures and, in the words of Sarah Palin, heads are spinning. Is panic too strong a word to use? Possibly not. After all, what is an auditor to do when they ask to see a procedure, only to be confronted with an answer and a statement of fact;
“We don’t have a written procedure and the standard doesn’t require us to have one”
Where does that leave the auditor? The auditee has NO procedure and they can’t be FORCED to have one? Are there no rules anymore? Does that mean we have to accept everything and anything? Fear not, here comes the lifejacket, and I’ll try to make the lesson really simple.
Stop asking for “procedures” and start asking about “CONTROLS”
There was a time, years ago, when “controls” and “procedures” were tantamount the same thing. Documented procedures were BY FAR the most widely applied control, so asking for “the procedure” was a much more reasonable request. Those days are gone, and ISO 9001:2015 has tried to reflect that. It has tried to reflect the way organisations manage their affairs in the 21st Century and, unfortunately for the lazier auditor (and those that are just plain thick), this will involve “documented procedures” to a lesser and lesser extent. Organisations often do things differently.
So, whilst it is true to say the standard no longer requires any specific documented procedures, it DOES require auditable controls. That is, a controlled way of managing work activities that generates records of conformity. That is the whole purpose of an auditable management system. More and more these days that will involve the use of technology. The result is that where in the past where we’d have had documented procedures, we might now see software, on-line tools, menu driven screens and dashboard applications. Those are just a few examples.
Procedures may still be used of course, but they are just ONE option that an organisation has for exercising control, so it really is time to stop asking for procedures – and generating an increasingly predictable response (see above) – and to start asking about CONTROLS. Remember, it’s all about context now, and one “context” issue that affects absolutely everyone is that it is no longer 1995 …
Obviously this relies on the auditor understanding the concept of “auditable control” of course …