ISO 9001: What Should You Expect from the 2015 Update?

It's been seven years since the last revision of ISO 9001. The update, scheduled for this year, will see the standard evolve, modernizing it through integration with other standards and management systems. As well as this, the update is designed to ease the increasing complexity of operating environments while establishing the standard itself as a foundation for quality management for the next decade and beyond.

A Focus on 'Risk-based Thinking'
Arguably, the revision to the ISO 9001 standard in 2015 is more of an evolution than a revolution. The update will incorporate Annex-SL for a degree of familiarity, while all the basics of ISO 9001:2008 remain. There's still the process approach that was so successful in the 2008 iteration, complete with underlying "Plan, Do, Check, Act" methodology.

However, despite this, we have to be careful not to discount one or two significant changes. For starters, there are lots of new examples of terminology ("Product" is now "Goods and Services," "Supplier" is now "External Provider," while references to the "Quality Manual" are removed altogether). But it's the emphasis toward "risk-based thinking" that has really caught the attention. I was speaking recently with David Sharp, managing director at Aletheia IMS Ltd, a company that provides integrated quality management and airfield assurance for NATO, the UN, the U.S. government, the international military community, and the health care, manufacturing, waste management, and food service industries. Aletheia also provides consultancy services for us here at Gael Ltd.

David is extremely knowledgeable about ISO 9001 and its development over the years. He explained to me that, in relation to the standard, organizations previously had greater flexibility to develop and implement their own methodology, but the update "appears to be becoming more formalized." He said there is "a notable move to expanding risk knowledge and awareness throughout the entire organization, and not just from within the safety departments. For most, this presents itself in the forms of key performance indicators (KPIs) and objectives. Of note is the change in focus away from a 'management representative' and towards overall management interaction and responsibility. No longer will it be sufficient for the quality manager or CEO being the only top manager involved in the QMS. It shall become everyone's responsibility, rather than just a core few: promoting a better understanding of quality assurance and, through better awareness, encouraging staff to be more invested in the process to drive forward improvement opportunities."

"As time is progressing and the understanding of risk continues to increase, a traditional opinion of what a risk 'is' is changing. Not only is it a trip or fall, but now the financial, reputational, competitor, regulator, and legislator risks are being taken into consideration," David explained.

Encouraging Risk-Based Thinking
This change in direction to encourage "risk-based thinking" will force organizations not already doing so to focus on risk management and risk-based models of thinking and governance. I believe the greater emphasis on risk-based thinking will bring with it more focus on achieving value for the company and its customers. A quality management system is about a prevention of problems, anticipating what might go wrong and doing things to avoid undesirable outcomes, such as non-conforming products. But now organizations are being encouraged to think about the "cause and effect." The identification of risk and the control of risk is now a requirement of the new revision, meaning organizations must understand how their business works, as well as the processes they have in place to be able to anticipate risks before they become undesirable events.

It doesn't mean a full risk management approach, but instead forces organizations – and particularly, senior management – to take more responsibility on risk in general. While many organizations may already practice some level of risk-based thinking, the challenges within 9001:2015 will include the ability to demonstrate such an approach within their QMS.

Speaking about the revision in one of his many YouTube/Google+ Hangout videos, Dr. Nigel Croft, who is also one of the world's foremost experts in quality management and conformity assessment of management systems, said the update was based on "three core concepts," adding, "There's no need for panic. We believe these core processes will help organizations develop a robust quality management system that will allow them to build confidence in the products and services that are delivered throughout the supply chain to organizations and to people worldwide."

What Do I Do Now?
Despite the three-year grace period, organizations are going to have to demonstrate their commitment to the change and also start to develop plans for its implementation. There is no way, practically, that all Auditors and Certification Bodies can wait until 2018 and complete all recertification then. They will expect change over the next three years and an evolution plan.

For starters, it would be good practice to familiarize yourself with the changes to the standards and begin to align your business to the new requirements. In terms of the risk-based approach, which will have the biggest effect on the vast majority of organizations, it would be sensible to consider starting a risk management plan if you don't already have one. Begin thinking how to address risk in the business. Think about adding and using words that are typical in the risk process, such as risk determination, risk control, risk mitigation, acceptable level of risk.

Finally, in what is a "good to know" rather than a "must do," organizations are advised to remain compliant to the ISO 9001:2008 standard while preparing for and implementing changes for ISO 9001:2015. The danger here is that some could be left without a valid ISO certificate by dissociating themselves from the 2008 requirements when trying to meet the requirements of 2015!

Andrew O'Hara is a strategic research analyst for Gael Ltd, developers of quality, safety, and risk management solutions to 2,500 organizations globally. He has more than 10 years' experience working with organizations managing quality to standards, including ISO 9001. For more information, visit the Glasgow, Scotland-based company's website.

Posted by Andrew O'Hara on Mar 12, 2015


comments powered by Disqus