THE ULTIMATE GUIDE TO ACHIEVING ISO 9001 CERTIFICATION Your clause-by-clause guide to attaining ISO 9001:2015


Page 1: the ultimate guide to ACHIEVing ISO 9001 … is ISO 9… · Web viewYour clause-by-clause guide to attaining ISO 9001:2015 Certification Author User Created Date 10/18/2017 15:27:00


Contents

Introduction

Section 1: Quality Management System Principles

Part 1: Customer Focus
Part 2: Leadership
Part 3: Engagement of People
Part 4: Process Approach
Part 5: Improvement
Part 6: Evidence-Based Decision Making
Part 7: Relationship Management

Section 2: ISO 9001 Clauses Explained

Part 8: Clauses 0.1, 0.2, 0.3, 1, 2 and 3
  Clause 0.1 General
  Clause 0.2 Quality Management Principles
  Clause 0.3 Process Approach
  Clause 1 Scope
  Clause 2 and Clause 3
Part 9: Clauses 4.1, 4.2, 4.3 and 4.4 – Context, Interested Parties, Scope, QMS
  Clause 4.1 Context of the Organisation
  Clause 4.2 Interested Parties
  Clause 4.3 Scope
  Clause 4.4 Quality Management System
Part 10: Clause 5.1 Leadership and Commitment
Part 11: Clause 5.2 Policy
Part 12: Clause 5.3 Roles, Responsibilities and Authorities
Part 13: Clause 6.1 Actions to Address Risks and Opportunities
Part 14: Clause 6.2 Objectives

©Mango Limited Page 1 of 113


Part 15: Clause 7.1 Resources
Part 16: Clauses 7.2, 7.3 and 7.4 Competence, Awareness and Communication
Part 17: Clauses 7.5 Documented Information
Part 18: Clause 8.1 Operational Planning and Control
Part 19: Clause 8.2 Requirements for Products and Services
Part 20: Clause 8.3 Design and Development
Part 21: Clause 8.4 Control of Externally Provided Processes, Products and Services
Part 22: Clause 8.5 Production and Service Provision
Part 23: Clause 8.6 Release of Products and Services
Part 24: Clause 8.7 Control of Non-Conforming Outputs
Part 25: Clause 9.1 Monitoring, Measurements, Analysis and Evaluation
Part 26: Clause 9.2 Internal Auditing
Part 27: Clause 9.3 Management Review
Part 28: Clause 10 Improvement

Section 3: Getting Certified to ISO 9001

Part 29: Getting Certified to ISO 9001:2015 – Selecting a Certification Body
Part 30: Getting Certified to ISO 9001:2015 - the Stage 1 Audit
Part 31: Getting Certified to ISO 9001:2015 - the Stage 2 Audit
Part 32: You're certified to ISO 9001:2015, now what?


Introduction

Peter Rogers started Mango over a decade ago, and I joined him a year or so later. For several years it was just the two of us, working from a few PCs in a converted garage in the suburbs. We had a handful of customers (most of whom are still with us), a really brilliant programmer (also still with us) and a strong belief in our product (absolutely still with us).

Over the last 10 years our customer base has grown significantly, not just in sheer numbers, but also in size, location and in the types of industries they represent. We’ve brought in partners from all over the world so that we can get Mango out to more people. We’ve taken on many new staff, too, to help us with customer support, programming, marketing and implementation. To be a part of the growth and development of Mango has been an incredibly rewarding and positive experience.

While this kind of growth is wonderful, it does bring many potentially negative issues with it. How do we make sure that all of our customers around the world receive the type and level of support that they need? How do we ensure that all of our partners have the marketing know-how and information that they require? How can we best manage the risks that we face? How do we continue to improve what we have? How do we keep on top of it all? Growing pains can negatively impact customers, and nobody wants that.

Peter and I have always been Quality Management System (QMS) people. We strongly believe that there is nothing better than a QMS for managing organisations. A QMS is the framework that helps you deal with strategy, risk, processes, leadership and a whole slew of other necessary and valuable things. Since Mango’s beginning we have used QMS tools every day, but somehow we’d never quite formalised what we were doing. We also wanted to understand the issues that organisations face when they start on the journey towards ISO 9001 certification. And because Mango is a tool that helps organisations manage their QMS, we thought it was high time that we got Mango ISO 9001 certified.


So we did. And because we want you and your organisation to enjoy the benefits of a QMS, we documented our process and told the story in a series of blogs, which we have put together here in this eBook.

This eBook is split into 3 sections. The first section (Part 1 to Part 8) talks about the principles that underpin a QMS and how to implement those principles. Once implemented, these principles give you a fantastic framework to build your QMS and achieve ISO 9001 certification. The second section (Part 9 to Part 28) takes each clause of ISO 9001:2015 and walks you through how to meet the clause. I have included examples from what we did here at Mango. The third section (Part 29 to Part 33) takes you through the steps to get certification to ISO 9001:2015. Again I have added how we did this at Mango.

Each part has a number of takeaways that you should take and implement when creating your QMS.

We have learned an awful lot over the past 10 years, but one thing we always knew was that a visible and vibrant QMS is worth its weight in gold when growing your business.

Please take our years of experience, learning and stories contained in this eBook and use them to help you reach your own pot of QMS gold.

As always, if you have any questions or need help with your QMS or would like to talk about Mango then just email me on [email protected].


Craig Thornton
Mango Limited


Section 1: Quality Management System Principles


Part 1: Customer Focus

The first QMS principle is to have a customer focus. Customer focus is so vitally important and so deeply intrinsic to a good QMS, that it should really be called “The First Law and Most Important Principle of Quality Management Systems Bar None”.

If you look at successful organisations that have focused on quality, Apple immediately springs to mind. Apple has an unwavering focus on the customer and the customer experience with their products and services. Even if you’re not an Apple fan yourself, it’s impossible to deny that people who love Apple really love Apple. Apple puts the customer front and centre, and is rewarded with enormous loyalty.

Take a leaf from Apple’s book and consider the impact of every part of your quality management system on the customer. Yes, every part. This process begins by being very clear about knowing who your customers are, both internal and external. Gather your people together and spend some time identifying all of your customers. When you account for all internal customers, the length of the list will probably surprise you. Once you are crystal clear about who your customers are, you can start delving into the detail.

In creating our own QMS at Mango we debated and discussed – and continue to debate and discuss – these questions:

When developing our software we ask ourselves “who is the customer for this feature?”

When supporting the product we always consider “what is the customer asking?”

When implementing the software on-site we determine “what are the customer requirements?”

During inductions of staff we talk about “what will make us successful in the eyes of the customer?”

The requirements of your customers aren’t something you leave to the marketing department so that you can focus on calibration, training and perhaps safety.


I talked about customer satisfaction previously in a blog called “Customer Satisfaction - The Beating Heart of Quality Management”. In the blog I said that “the bottom line is that if you’re in quality, you are in the job of enhancing customer satisfaction. Not spreadsheet proliferation, meeting attendance or minute writing - but enhancing customer satisfaction.” Print that out and re-read it every morning before you start doing anything. It will help you to focus on what’s really important.

Once you’ve worked out the requirements of the customer, you can then build that into your quality management system. Following that, it’s a matter of doing what ISO talks about, namely striving to exceed customer expectations. Exceeding expectations will help you achieve customer satisfaction and earn a ton of customer love (think of those millions of devoted Apple fans).

Back in the day when I was working for a Certification Body auditing Quality Management Systems for ISO 9001, I saw Quality Managers having little or no knowledge of customer requirements. It was always someone else’s problem. At Mango we don’t want to be in that situation. Neither do you.

Takeaway

1. Identify your customers with each of your teams (both internal and external).

2. Determine the customer’s requirements for each area of the company.

3. Communicate those customer requirements throughout the organization so that everyone has an understanding.

4. Start to measure customer satisfaction.


The customer should be at the heart of every decision you as a QMS professional make.


Part 2: Leadership

The second QMS principle is leadership.

Running a Quality Management System (QMS) can feel like an uphill battle. Winning the hearts and minds of busy CEOs, Directors and General Managers can be really tough – they’ve all got their eyes firmly on strategy, budgets, sales, and shareholders. If a QMS isn’t legislated or regulated it’s even more difficult to get any traction. Unfortunately it’s the view of many senior managers that a QMS can always be put on hold for another day…that never seems to come.

The most important task for you, therefore, is to display leadership. Not spreadsheet skills. Not policies and procedures by the pound. Not having perfectly formatted policies and procedures. But leadership.

As a Quality leader you will have to display an impressive array of skills.

Top leaders think and act strategically. Nailing down a clearly defined strategy that top management believes in will give you a) momentum and b) credibility. Sit down with the Senior Management Team (SMT) and thrash out a Quality strategy that everyone believes in. Make sure that it clearly and strongly links to the company strategy, and get the whole team to sign off on it. Keep top management involved by having them take part in the management review process. The SMT must not only buy in to the QMS, but they must be seen to buy in.

All of this looks easy on paper, but how on earth do you actually get buy-in in the first place? This is where you need to display another leadership skill: that of a top sales person. It’s up to you to constantly sell the benefits of QMS to managers and staff alike. Become a collector of anecdotes, case studies and stories about the times that QMS turned organisations around. Think back over your work history for some examples. Use your networks to find evidence of success - LinkedIn is full of good stories. Another excellent place to look is the ISO.org website which has articles on the benefits of standards. If you have a great store of examples and stories it will be much easier for your team to follow your path, because they will know that other teams have already successfully followed that very same path. Back up your examples with reliable numbers relating to waste, complaints received and so forth – solid numbers are crucial for setting targets and measuring progress and for keeping those with an eye on the bottom line happy.

On the flipside, you will also need to make your team aware of the costs of letting a QMS slide into atrophy. It’s the less positive way to get traction with the SMT, but sometimes, a horror story of a missed contract or stuffed-up order can work wonders for getting buy-in. Used wisely, cautionary tales can help jump-start action.

The third leadership skill that you’ll need is the courage to take action if people don’t follow the system. You want to be tough, fair, and consistent, demonstrating total commitment to the processes. You have to walk the talk. If the procedures say that each article must be signed off by the Quality Manager, then each article must be signed off by the Quality Manager, no questions asked. If the procedures say monthly audits must be done, then monthly audits must be done, no exceptions. If you let things slide or apply procedure haphazardly, then your colleagues will infer that these tasks are unimportant, and that – by extension – the whole system is irrelevant. And if that becomes the prevailing culture in your organisation, then you’ve got an expensive, difficult mess to put right.

Running a QMS can be tough, but we wouldn’t be in this profession if we didn’t believe that the rewards of a well-oiled system can be enormous. Be enthusiastic, be informed, and be strategic. Make sure that you are a success story worth telling.

Takeaway

1. Sit down with the SMT and thrash out a Quality strategy that everyone believes in and have them take part in the management review process.

2. Constantly sell the benefits of QMS to managers and staff.

3. Make your team aware of the costs of letting a QMS slide into atrophy.

4. Take action if people don’t follow the system.

Success stories + hard data = QMS gold.


Part 3: Engagement of People

The third QMS principle is engagement of people.

When building your QMS you must bring your staff on the journey with you.

In my travels I encounter many managers who believe that staff – in particular frontline staff - have little to offer their QMS. It’s a huge shame because an organisation’s staff is by far its biggest QMS asset.

Think about it - staff know processes inside and out. Many of them were probably working there years before most of the senior management team (SMT). They’ve seen management fads become hot, then disappear without trace. They know what goes wrong. They see patterns. They know exactly who in their organisations is lacking in training or experience. They know which people really have a grip on things, those individuals who can quickly and precisely cut to the heart of a problem. Newer staff also have much to offer – they have seen how things worked (and didn’t work) on the factory floors of your suppliers or competitors.

And yet…few Quality Managers ever ask staff what they think, or know, or see. Once a year during an audit they might ask a few staff a question or two. But for the most part, their staff’s knowledge and experience is never drawn upon. Instead, managers tend to spend most of their time talking with each other, or asking questions of their peers on sites such as LinkedIn.

I was reminded of this recently when talking with a colleague who is a Quality Manager of a local factory. When he first started at his job, he was knowledgeable about QMS, but he lacked any practical experience. He was a young guy starting out, and his challenge was big – he had to introduce a new quality management system into an established manufacturing site.

If that wasn’t tough enough, he had a spanner in the works in the shape of an older man who had worked at the place for years. This man had influence, but he also didn’t give a damn about QMS. And not only didn’t care, he was also a master at bucking the system, at subtly and not-so-subtly undermining any attempts at change. He was belligerent. He was intimidating. He had the potential to stop the QMS in its tracks, and he knew it.

My colleague’s response was simple – he went to the "Gemba". In Japanese gemba refers to the place where value is created; in manufacturing the gemba is the factory floor. In other words, he went to seek the truth. He walked the manufacturing floor every day, and each day made a point of talking with this man. They discussed the man’s fears (that he might lose his job; that he might be asked to do things that he couldn’t do; that he might be made to look a fool). They talked about the principles behind QMS, and about the various issues the employees had with it. My colleague asked a lot of questions, and did a lot of listening.

Over many weeks, the older man learned that he could trust my colleague, and with that, his behaviour did a 180 degree turn. The belligerent, negative QMS-hater turned into a staunch advocate of the system. The man who had been against the very idea of a QMS became its very vocal cheerleader amongst the other employees.

My young colleague gained a lot of respect from the other workers and from management for being able to turn around such an influential naysayer. The QMS has gone from strength to strength, and is deeply embedded into the organisation. The company has achieved ISO 9001 certification and is regarded as the leading QMS amongst its corporate group. It could have so easily been a very different story.

Takeaway

1. Walk the gemba – every day talk with (at the very least) one frontline staff member. Ask open questions (i.e. questions that start with “how”, “why”, or “tell me about…”). Listen to the answers as if your career depends upon it.

2. Put together a quality team or council to develop the QMS processes. Put key staff on that team. Don’t underestimate the desire of people to learn new skills, or their need to vary their day or expand their CV.

3. Train this team in the principles of the QMS.

4. Once trained, teach them skills in how to communicate the QMS. This could be via documentation, conducting meetings, speaking in front of groups, leading improvement projects and so on.

5. If you are documenting the system, get people to draft or approve the documents.

6. Have your QMS team train others.

7. When you carry out audits, be sure to carry out plenty of in-depth interviews with staff. Again, open questions should be your tool of choice. Deming once said – “If you do not know how to ask the right question, you discover nothing”.

Many intelligent, resourceful and observant people don’t have any higher education. Don’t be a snob about who you engage with. Deming again - “I am forever learning and changing”. Follow that example and learn from the people you work with.

Only good things can come from engaging your staff. If staff are involved, they are more likely to take ownership of the QMS and hold each other to account. So make the most of your organisation’s assets, and be sure to engage your people, every ... single ... day.


Remember, in a QMS it’s not what you do once a year that matters – it’s what you do on a daily basis that creates, shapes and drives your system.


Part 4: Process Approach

The fourth QMS principle is process approach.

The Process Approach is a hugely important principle of a quality management system. The ISO 9000 standard goes into great detail about what the process approach is, what the benefits are, and possible actions that you can take to run your organisation using this tool.

This approach is the bedrock of the ISO system, and with very good reason - at its core, it’s all about recognizing that business activities are best understood and managed as interrelated processes. And not only is it an important approach to use when you implement your system, but it’s also vital to use it when maintaining your system.

Despite being around for many years, the process approach is still quite a revelation to many management teams. In my experience most businesses use a combination of three different management styles to transform inputs into outputs for their customers. First, there’s the “This Fire Needs Extinguishing Right Now” method for those who like to wing it on bursts of adrenalin and diminishing customer satisfaction. For those who are a little more proactive, there’s the second approach, what I call “My Scatter Gun Is Locked and Loaded”. This is where processes in the business are kinda sorta dealt with, but only in a haphazard, half-arsed way (often as a result of putting out those pesky fires). Then for the empire builders there is the third approach, the Silo Method, where everyone proudly wears t-shirts that say “My Department Is Just Fine and That’s All That Matters”.

Needless to say, these approaches may be common, but they leave a lot to be desired in terms of effectiveness. I’m not overstating it when I say that the process approach is by a country mile THE best way to organise and manage what you do.

The process approach will give you transparency. It will bring significant gains in efficiency. It will provide you with consistent results. Your team will enjoy clarity and a feeling of ownership. Your customers will love the effect it has on their experience. And naturally, all of that will make the shareholders and owners of the business very happy indeed.

When you start getting into it, it’s likely that you will be staggered by the sheer number of processes that need managing and perhaps documenting. Taking inputs and turning them into outputs doesn’t happen with the wave of a magic wand. There’s the design process, the measurement process, the internal auditing process, the delivery process, the training process, the distribution process, the customer communication process, the monitoring process, the traceability process, the complaints process, the market research process…and dozens and dozens more. To add to the fun, the output of one process often becomes the input of another. The processes contained in even a small business are numerous and complex.

As great as it is, there’s no mistaking that using the process approach is a hefty undertaking. There will be much discussion and debate, and a lot of back-and-forth with differing ideas and viewpoints. You’ll go to a lot of meetings. You’ll talk to a lot of staff. You’ll listen to a lot of staff. Many hours of your day will be spent mapping out the many dozens of processes that your organisation is built on. It’s important work that requires commitment and energy.


Good results from using the process approach will surely come, but how to manage the complexity? In a word - flowcharts. Flowcharts will be your new best friend on this journey. They are an elegant and useful piece of design. Whether your business is large or small, flowcharts will enable you to take control of your processes. They will simply and beautifully illustrate what would otherwise take many paragraphs of dense text to understand. They will enable you to get to the core of problems. They will make your organisation lighter on its feet. I can’t say it strongly enough - there really isn’t a downside to getting on board with the process approach, especially when you have flowcharts in your holster.

Takeaway

1. Learn about the process approach – attend training events or seek assistance from a consultant.

2. Check out some process mapping tools like affinity diagrams and value stream mapping.

3. Map your processes from start to finish, making sure you capture the interrelationships between processes.

4. Analyse your processes to determine where decisions are made. These points are key for understanding where things can go wrong.


Part 5: Improvement

The fifth QMS principle almost goes without saying – continuous improvement.

I write “almost”, because for many businesses, compliance is what they think of when they think about QMS. It’s the activity that gets the resources, the attention and the time. For many, continuous improvement is what gets fitted around the edges of compliance. The bit that gets tackled last, energy permitting.

I can understand how this has happened – auditors, policy makers and Boards often have a do-or-die focus on compliance. There are many more standards and regulations now, and much more legislation than even just a few years ago. I recently travelled through Australia, South Africa and the United Kingdom meeting both potential and existing customers. Time and again these quality professionals told me that their companies are spending way too much time on compliance and not nearly enough time on improvement. It’s a world-wide trend.

Some of you are probably thinking that focusing on compliance is surely a good thing, right? Aren’t we supposed to be ticking boxes? Attending to checklists? Making compliance a priority? In a word – no. Most of the efforts around compliance are non-value-adding for the customer. Yes, non-value-adding. And all of this "busy" non-value-adding work stops the very things that do create value – namely, improvement initiatives - in their tracks. And that’s a big problem.

Quality management should be all about the customer, always. How do you satisfy your customers, and continue to satisfy them? By formatting spreadsheets? By making sure your certificates are hanging on your wall? By tidying up your filing cabinet? Of course not. Only continuously improving what you do to keep your customers - and thus shareholders - happy.

Improvement is what really matters. Improvement is fun. It’s stimulating. It’s satisfying for you and your customers. Compliance is none of these things.


Quality Managers need to commoditise their compliance efforts and focus more of their efforts on improvement. Commoditising means to design the compliance tasks in such a way that anyone can do them. Make it so that compliance doesn’t rely on you because you’ve got much more important fish to fry. By spending less time on compliance and more time on improving processes and systems, you’ll see improved productivity and increased profits.

Quality Managers need to look for problems and then try to solve those problems. You need to get yourself into a prevention mind-set. I love this quote from quality thought-leader Phil Crosby: “Why spend all this time finding, fixing, and fighting when you could have prevented the problem in the first place?”

Recently I ran a webinar with Ian Hendra on an alternative approach to internal audit. The traditional, confrontational approach (copied from the external auditing model) is true compliance, with not a lot of good improvement activities in the mix. Ian’s approach uses a DIME sheet to manage compliance and then runs separate improvement projects to solve the big problems. This puts improvement back in the centre of things where it belongs, and reduces a manager’s compliance burden by replacing months and months of auditing with a single, annual, one-off activity. Have a look at the webinar to get a clear understanding of the value of a DIME, and seriously think about changing the way you do auditing.

The compliance versus improvement philosophy hit home to me when I worked as a Director of Quality for an electronics company owned by a Japanese multinational. The Japanese CEO would say to me, “Craig you have very beautiful documents that describe your quality system. We don’t care for that. We want better quality. We want happy customers. We don’t want software bugs. We want a big improvement.” This pep talk snapped me out of compliance mode very fast and into where I should have been all along, in quality improvement mode. Make sure that’s where you are, too.

Takeaway

1. Stop spending time making your documented procedures look pretty.
2. Stop spending time making/editing spreadsheets.
3. Create a process to commoditise your compliance activities.
4. Look at alternative approaches to compliance (like view the webinar) and commoditise those.
5. Read and learn about improvement from Deming, Crosby and Juran.
6. Start some improvement initiatives tomorrow.


Part 6: Evidence-Based Decision Making

The sixth principle of a quality management system – evidence-based decision making – is a tricky one to get right.

We all know that decisions shouldn’t be made on information plucked from the air. We all know that gut-based decision making in business is probably a bad idea. We also know that decisions based on personalities are unlikely to be the best.

And yet, when I visit or audit companies, evidence-based decision making is the decision making tool I am least likely to see, and by quite a significant margin.

When you consider the hundreds of decisions that are made every single day by workers, management and Boards, that’s a lot of scope for getting things wrong, or at the very least, not getting things as right as you could. It’s so very easy for businesses to eventually find themselves in an unproductive cul-de-sac, wondering how on earth they arrived there. Well, unfortunately that’s the cumulative result of many thousands of decisions made with poor information, gut-instinct or around personalities. You reach a dead-end many miles from where you were aiming.

Creating a culture of evidence-based decision making isn’t easy, and ISO 9000 recognises this: 


With such complex systems it’s vital to collect data and to use it to make decisions every single day. Don’t let data passively reside in spreadsheets or databases; instead, use it to drive action. It should be key in shaping your continuous improvement initiatives. The collection of data and evidence, and then doing analysis based on that data and evidence, is key. But – and here’s the trick – you must collect the right data. Here’s what Deming said in 1942: “Scientific data are not taken for museum purposes; they are taken as a basis for doing something. If nothing is to be done with the data, then there is no use in collecting any. The ultimate purpose of taking data is to provide a basis for action or a recommendation for action. The step intermediate between the collection of data and the action is prediction”.

One of Mango’s clients put the collection of data first and foremost when it developed its quality management processes. Each process must collect data and present it in a way that is readable and understandable by the shop floor staff. To do this they use display boards in each department showing things like control charts, check sheets, action lists and problem sheets. The staff enter the data themselves and can easily see if processes are in or out of control. With the relevant and up-to-date data placed exactly where it’s needed, decisions are made quickly and well. To give you a visual, the company has moved its quality management system from this:


To this:

This change in approach has reduced the number of internal quality non-conformances and customer complaints. Money has been saved and profits have increased. The business has deftly avoided the pitfalls of shonky decision-making.

Takeaway

1. When you develop your quality management processes think long and hard about the data that is collected in the process.
2. Make sure you capture the data that is needed for decision making.
3. Make the data visible to the shop floor staff.
4. Get the staff to enter the data on display boards.
5. Make decisions based on data.
6. Make decisions based on data. (This isn’t a typo. It’s just that it’s such an important point that I wanted to make sure that you didn’t miss it).


Part 7: Relationship Management

The final quality management principle is relationship management.

Building a relationship with your interested parties is another “no-brainer” but nevertheless companies consistently overlook this as a strategy.

Your interested parties – suppliers, contractors, partners, customers, investors, employees or society as a whole – can significantly influence the performance of your business. Ignoring the management of these relationships is a serious and common quality management error. Poor relationships with your interested parties can significantly harm your profits – this can happen through increased costs, or by a reduction in revenue. Your top and bottom lines are at risk here.

When I was a Senior Auditor for a Certification Body and auditing companies for ISO 9001 or ISO 14001, supplier management especially was always an area that companies were very weak in. I have blogged about this previously: “Too few organisations make supplier management a priority, but the ones that do reap impressive rewards”. I still stand by that statement.

It’s true that relationship management takes time. It takes money. It takes effort. But people typically like to take the shortest path between two points, so for many the easiest way to “do” relationship management is to…not do it. Many compliance professionals instead decide that it’s more important to make their documents look pretty, their priority for the day being to get the conditional formatting right on their spreadsheets.

Actively managing your relationships is a great idea that will pay off. If you even do just that minimum amount, you will be streets ahead of most other organisations.

But…if you want to go further than the basics and really excel in relationship management (and why wouldn’t you?), there are a couple of things you can do.


First, when there’s a problem, rather than diving headfirst into blame and shame, instead take a moment to step back. Bring the customer into focus. How does the issue affect them? What do you all stand to lose if the customer’s needs aren’t met? Pointing the finger at each other – effectively leaving the customer forgotten in the margins – moves you exactly nowhere. Changing an adversarial customer-supplier relationship into a mutually beneficial partnership will improve quality, reduce costs, and increase market share for both parties.

It’s very easy to forget that you and your interested parties all want the same thing, namely, a delighted customer. Keeping the customer in the focus will enable you to solve the problem together.

Second, focus on trust, especially in your supplier relationships. I always come back to what Deming says about suppliers. This is point 4 of his 14 points for management: “End the practice of awarding business on the basis of price tag. Instead, minimize total cost. Move toward a single supplier for any one item, on a long-term relationship of loyalty and trust”. Relationships are never a one-way street. It’s so easy to blame the other party for any issues that arise. It is much harder – and obviously, much smarter – to work with them to prevent the issue from happening in the first place. Trust can be a long-term game changer.

This isn’t just a fine theory. Take the example of the company Bama, apple pie supplier to McDonald’s. The two companies have been working together since 1957, with Bama currently earning $250 million dollars annually in sales from their relationship with the fast-food restaurant. In all of that time Bama has never had a written contract with McDonald’s. As Paula Marshall, CEO of Bama says: “McDonald’s is the only one that today, still, does not put any stock in a contract. They put stock in relationships”. You should consider doing the same.

Takeaway

Dr. Kaoru Ishikawa, a key figure in the development of quality initiatives in Japan, has suggested 10 principles to ensure quality products and services and to eliminate unsatisfactory conditions between the customer and the supplier. Ignore these at your peril:

1. Both the customer and the supplier are fully responsible for the control of quality.

2. Both the customer and supplier should be independent of each other and respect each other’s independence.

3. The customer is responsible for providing the supplier with clear and sufficient requirements so that the supplier can know precisely what to produce.

4. Both the customer and the supplier should enter into a non-adversarial contract with respect to quality, quantity, price, delivery method, and terms of payments.

5. The supplier is responsible for providing the quality that will satisfy the customer and submitting necessary data upon customer’s request.

6. Both the customer and the supplier should decide on the method to evaluate the quality of the product or service to the satisfaction of both parties.

7. Both the customer and the supplier should establish in the contract the method by which they can reach an amicable settlement of any disputes that may arise.

8. Both the customer and the supplier should continually exchange information, sometimes using multifunctional teams, in order to improve the product or service quality.

9. Both the customer and the supplier should perform business activities such as procurement, production, and inventory planning, clerical work, and systems so that an amicable and satisfactory relationship is maintained.

10. When dealing with business transactions, both the customer and supplier should always have the best interest of the end user in mind.


Section 2: ISO 9001 Clauses Explained


Part 8: Clauses 0.1, 0.2, 0.3, 1, 2 and 3

I know what you’re thinking – who on earth takes any notice of clauses 0.1 to 0.3 and 1 to 3 in ISO 9001:2015? Surely they’re just unnecessary padding, like the foreword to a book or the editorial in a magazine? Shouldn’t I just fast-forward to where the real action begins, at clause 4?

Sure, you could do that – and certainly in my experience most people do – but overlooking clauses 0.1 to 0.3 and 1 to 3 is not like merely skipping the opening credits to a movie. It’s more like missing the first third of the movie. The first third of the movie is where all the necessary, important stuff is. It’s where the fundamentals of the story are laid out, where all the characters are introduced, and where all the groundwork is laid. Movies are structured like this so that you will understand what is going on when the action heats up. ISO is just the same.

Read all of the clauses prior to 4. Then re-read them. Think about them till you really get it (a good way to know if you’ve really got it is to try and explain the gist to someone else in your own words. Better buy that person a coffee and a muffin before doing this, though).

Believe me, it will not be time wasted. I’ll wait here while you do that.

Done? You really gave it a lot of time and considerable thought? Excellent! Now here are a few more things that may or may not have occurred to you while reading those clauses.


Understanding these clauses is going to give you a rock-solid basis from which to manage the whole certification process.


Clause 0.1 General

This clause contains an overview of the strategic decision to implement a QMS, the benefits of a QMS and the fact that the standard can be used by both internal and external parties.

In addition, here are some issues you need to consider when planning your QMS:

Get sign off from Top Management – here at Mango we have made this a strategic decision at Board level. If you are seeking ISO 9001 you should get sign-off from your Board or from the senior management team (SMT). As part of this decision-making process you’ll need to discuss (and perhaps argue) the benefits of a QMS with the Board or SMT.

Incorporating other business management systems - in developing our QMS we have decided to incorporate some business management systems too. Other non-traditional quality systems like financial systems, governance systems and sales and marketing systems can easily be added into the QMS. We highly recommend that you seriously consider doing this. After all, why invent another two or three ways of doing things when you have your QMS ready and able to handle it? It’ll keep everything chugging away nicely within a proven, sturdy structure.

Uniformity - the standard doesn’t imply that there should be “uniformity in quality systems”. This isn’t a cookie-cutter situation. I strongly suggest that your QMS is unique to your business and not just copied from another system. There is no other business exactly like your business. Let your QMS reflect this.

Numbering your documentation – the standard says that you don’t have to align your “documentation to the clause structure of this International Standard”. So don’t feel that you have to make your documented QMS numbering match that of the standard. Having said that, however, this new ISO 9001 seems to be better structured than previous editions, so here at Mango we’ll be using the ISO 9001 clause numbering in our Quality Manual.


Terminology – the standard also says that you don’t have to adopt the terminology used in ISO 9001 within your organisation. Some ISO 9001 language can be very confusing to those who are new to the concepts. Unfamiliar language puts a significant barrier between staff and the QMS. At Mango we want clarity for everyone – we don’t want our staff having to translate unfamiliar terms before taking action. So at Mango we will use our own terminology. For example, instead of “design review”, we will use “input review”, “code review” and “MRS review”. These are the terms we use every day in our business, so it makes sense to use them in our QMS.

Products versus services – the standard is complementary to both products and services. In the standard, products and services mean the same thing, so if you see the word “product” and you provide a service, then just replace the word “product” with “service”.

Sales and marketing - at Mango we will use our certification to ISO 9001 in all of our sales and marketing efforts, and you should too. The ISO 9001 logo should be in every staff member’s email signature, on letterheads, on every page of your website (actually there should also be an entire page dedicated to ISO 9001 on your website), it should appear in all of your quotations, and on any tenders or Requests for Proposals that you put forward. It should also appear on any ISO 9001-related resources that you give away, like forms and checklists, policies and procedures.

Clause 0.2 Quality Management Principles

These have been covered in Part 1 to Part 7. See the takeaway tips in:

1. Customer focus
2. Leadership
3. Engagement of people
4. Process approach
5. Improvement
6. Evidence-based decision making
7. Relationship management


Clause 0.3 Process Approach

Next the standard suggests that a process approach should be adopted. This will include the plan-do-check-act (PDCA) cycle and the risk-based thinking approach. I’ve previously discussed this in Part 4: Process Approach.

When developing our QMS we will incorporate the PDCA cycle into our thinking. At the same time we must make sure that we have enough resources to do the job, and that opportunities to improve are encouraged and fostered.

We’ll also ensure that risk-based thinking is well managed. We need to ensure that both negative risk and positive opportunities are considered equally (it’s so easy to focus on what could go horribly wrong, and allow those positive opportunities to drift on by).

The standard then discusses the need to “adopt various forms of improvement… such as breakthrough change, innovation and re-organization”. This has been built into our philosophy from the beginning anyway.

This clause finishes off with some important definitions:

“Shall” indicates a requirement;
“Should” indicates a recommendation;
“May” indicates a permission;
“Can” indicates a possibility or a capability.

These are very important to understand when reading the standard. Every time these words are mentioned, we’ll refer to these definitions to make sure we’re on the right track.

Clause 1 Scope

This is the scope of the standard, not the scope of your business. This scope is for a quality management system only. I repeat, it’s not for all business management systems but only for the quality management system. It is also for organisations that need to demonstrate their ability to consistently provide products that meet customers’ requirements and applicable standards or regulations. Plus it aims to enhance customer satisfaction.


As Mango grows, more and more customers are requiring conformance to different standards such as cyber-security, IT security and high up-time. Being ISO 9001 certified will give customers some level of assurance that we will provide them consistent products and service and continually improve that over time.

Clause 2 and Clause 3

Clauses 2 and 3 are about references to ISO 9000:2015. You should buy this standard too because it provides many useful tips and tricks for your newly created QMS.

In the end though, all of these tips and hints will get you only so far. If you haven’t got your foundation right – clearly understanding those early clauses 0.1 to 0.3 and 1 through 3 – then you’ll be building on shaky ground. You need to have a deep appreciation for the big picture before getting into all of the details. Do it right the first time.


Part 9: Clauses 4.1, 4.2, 4.3 and 4.4 – Context, Interested Parties, Scope, QMS

We have discovered that when it comes to trying to meet the clauses in 4.1 to 4.4 of ISO 9001:2015 there’s an important thing you should know – it’s actually best to start with clause 4.2. Then move onto clause 4.1. Then work on 4.4 and then finally tackle clause 4.3.

This process requires some good planning with Senior Management’s involvement. Let me walk you through it.

First, you must determine who will participate in this process, where the process will take place, and what data is necessary.

Here at Mango, the Management Team devoted an entire day to meeting the requirements of clauses 4.1 and 4.2. To avoid any distractions we completed this task off site and banned the use of communication devices.

Clause 4.1 Context of the Organisation

With the interested parties as a starting point (see 4.2) we then discussed the context of the organisation.

For many years here at Mango we have used Brand Compasses to describe our vision, mission and our values. The compasses cover:

Our core promise
Our values
Our unique buying proposition
The benefits of using Mango
What customer insight we have
What our target market is
What brand anchors we use
How we will behave

We have a compass for both our end-users and a compass for our partners. In situations where we strike uncertainty around a business decision we refer to our brand compasses to determine whether it aligns with our company’s purpose.


We then fleshed this out some more with a SWOT analysis. This analysis is a review of our strengths and our weaknesses, as well as the opportunities and threats to the business. In other words, we were doing – and documenting – some risk-based thinking.

This analysis helped us understand our business environment by identifying internal and external factors, both positive and negative, that could have an impact on our product. This provided us with a 360 degree view of our organisation and much valuable insight into the big picture.

We discussed techniques and processes that we have used in the past. Throughout the discussions we realised that we actually had a large portion of these clauses in place, but we lacked some structure. ISO 9001 was going to give us the structure.

Once these three processes were documented we were able to distil this information and turn it into our key business strategies. These business strategies took into consideration all aspects of our organisation’s context. They are focused on meeting customer requirements and on continuous improvement. Mango's key business strategies are:

1. Develop business processes to accommodate expected growth.

2. Improve the efficiency and effectiveness of the core processes.

3. Personnel to be capable of delivering the growth for the business.

4. Grow market share in all markets.

To ensure we meet our key business strategies, we will create meaningful objectives and targets for each area of the business that are specific, measurable, achievable, realistic and time-based (SMART).

This context of the organisation process should never be seen as an annual “document and forget it” requirement. This process should be viewed as a pot of gold. It provides your organisation with a wealth of information that can be used to identify areas of improvement. It’s a process that could help change the strategic direction and overall success of your organisation. Yes, it’s that powerful, and as such, should be frequently monitored and reviewed by management. Don’t leave it sitting in a forgotten folder.

Here at Mango, we have made it a process to continually monitor and review our processes outlined above, and we’ve made a commitment to act on areas where improvement can be made. This has been incorporated into the agenda of our monthly management meetings. To provide evidence of this taking place, we record the monthly review in the minutes of the meeting.

Clause 4.2 Interested Parties

We discussed Mango’s interested parties by first highlighting those who influence our operations and those who are affected by them. As you can imagine there were quite a few. These included customers, employees, partners, suppliers, contractors, government, registrar, public etc.

We considered how each party actually has an impact or perhaps could have an impact on our quality management system, on our product, or on meeting customer requirements in the future. We documented their needs and expectations on a simple spreadsheet.

Clause 4.3 Scope

Now that we have documented 4.1, 4.2 and 4.4, we are now in a place to determine the scope of our QMS.

Our first cut scope will be “the provision of quality, health and safety and environmental management software”. This scope will be edited and refined over the next couple of months.

Clause 4.4 Quality Management System

The next discussion was around what the QMS should look like and how it should be documented.


The ISO 9001:2015 standard doesn’t require a documented system. But because the benefits of having a documented system are so great we decided as a team that we will go to the effort of documenting our QMS. The QMS holds many years of insight and knowledge, information that was hard-earned and is incredibly valuable to us. We want to preserve it.

We then decided on some of the core business processes that will be described in our QMS. The following procedures were placed on the whiteboard as the first cut of the operations that make us successful:

Marketing
Sales
Client Setup
Implementations
Design and Development
Test and Release
Support
Finance
Governance

Takeaway

The steps to meeting clauses 4.1 to 4.4 of ISO 9001:2015 are:

1. Determine the needs and expectations of your interested parties (4.2).
2. Review your purpose, vision and mission with reference to your interested parties (4.1).
3. Conduct a SWOT analysis (4.1).
4. Develop your Key Business Strategies (4.1).
5. Sketch out your QMS and document as you go along (4.4).
6. Determine the scope of the QMS (4.3).


Part 10: Clause 5.1 Leadership and Commitment

I have always said that the lack of leadership and commitment is the most important reason why the QMS fails.

As soon as staff see their leaders showing behaviours that contradict commitment to the QMS, the system starts to erode. Staff begin to use work-arounds, circumventing the system. Customers’ wants and needs slide lower down the priority list, eventually to be almost forgotten entirely.

As a certification body auditor I saw management signing their names on quality policies and saying the right words in front of customers and employees. But looking under the hood in the business it was clear that they had let the system slide by not “walking the talk”.

When it comes to getting certified to ISO 9001, managers need to determine what leadership style they want to adopt. How will they communicate their commitment to the team? How will this style support the organisation’s QMS?

Once this is established, displaying leadership and commitment to the QMS is straight-forward.

For Mango, this step was a breeze. Throughout our careers we had worked under a variety of leaders, some good, some bad and some in-between. In discussing the different leadership styles that we experienced, we were able to shape the style that we felt would be most effective for our organisation.

We agreed that our leaders would possess the following attributes:

Be open – Explain the QMS to all employees.
Be encouraging – Invite employees to participate in the creation of our QMS.
Be inclusive – Let everyone have their say.
Listen – Hear employees’ different points of view.
Learn – Be willing to allow all staff to learn from mistakes while considering the risk.

How did we plan to meet the leadership and commitment clause of ISO 9001?

To start the process we sat down with our team members to explain:

1. What a QMS was.
2. How they all fitted within the QMS.
3. What Mango wants to achieve from being ISO 9001 certified.
4. We discussed the creation of the context of the organisation process. This included the:
   a. Interested parties
   b. Vision and Mission – including Brand Compasses
   c. SWOT analysis
   d. Key business strategies

5. We made sure that everyone had a clear understanding of Mango’s strong focus and commitment to quality and to our customers.

6. We also promoted the idea that employees should be involved in the continuous improvement of Mango. All employees agreed that this was necessary and so we created an ideas noticeboard.

Takeaway

1. Sit down with senior management and determine the leadership approach you feel is best suited to gain commitment and support of your QMS.

2. Top management is accountable for communicating the QMS to the organisation.

3. Ensure that all employees are informed of what a QMS is, how they fit into it and what your organisation wants to achieve out of the process.


4. All employees should be involved in effectively implementing the QMS.


Part 11: Clause 5.2 Policy

When building a house, what’s the most important thing to get right? The walls? The windows? The roof? Of course, all of these aspects are very important to the finished product. A house with shoddy walls, windows and roof isn’t going to be comfortable to live in for very long. However, you can spend a lot of time and money sourcing the world’s best-designed, highest-spec walls, windows and roofs, and still have them perform poorly because you haven’t got your foundation right. It’s the foundation that’s of vital importance, because everything else is built upon it. Skimp on your foundation and your walls won’t be plumb, your windows won’t be weathertight and your roof will leak. Get your foundation wrong and you have created a cascade of future problems for yourself. On the other hand, get your foundation right, and you’ve given everything else the very best chance of succeeding.

The same goes for your QMS. One of the first and most important documents you will create in a QMS is a Quality Policy. A Quality Policy is a document that is established, implemented and maintained by the top management of an organisation. The policy must align with the overall purpose and context of the organisation and be formally communicated to all staff.

The Quality Policy is the foundation of your whole system. It’s what your whole system will be built on. The policy should clearly communicate the intentions and the strategic direction of the company. Its role is to create one clear vision so that everyone understands the objectives and strategic direction of the organisation. And it had better do this, because it’s from the Quality Policy that everything else contained in the entire system will flow.

Here’s an example of what I mean – this graphic displays a document structure. The Quality Policy is at the top of the documentation hierarchy because it’s the foundation document from which everything else is created. Objectives will be created according to what the policy says. From these objectives high-level procedures will be created. These procedures will drive the creation of forms and records, which in turn will create the details for SOPs and so on. The Quality Policy is embedded in each and every document in the system.

When you have a poor Quality Policy, your entire system is at risk. Organisations which find themselves with an ineffective Quality Policy will eventually find themselves with a poorly performing system as a whole. If your system is performing poorly, it could be because your Quality Policy is:


Poorly worded (too complex and lacking in clarity);

A process instead of a policy;

Not clearly communicated throughout the organisation, and/or

Not fully committed to by management.

Here at Mango, we asked for input into the policy from all employees of the company. We listened to our staff because we value them highly, and because we wanted to encourage them to get on board with our Quality Policy and to share the same vision. This was an effective strategy for us as it encouraged participation and enhanced the engagement of our staff. If you are part of a small organisation then I strongly encourage you to adopt a similar approach.

Upon completion of the Quality Policy many companies then disregard it, letting it gather dust behind the microwave in the break room. Unfortunately, this ‘document and forget about it’ attitude is far too common. Just like a successful relationship, commitment is key. The same goes for any policy. If staff commitment is invisible then so too is the direction of your company.

Once your Quality Policy is finalised it is important that management clearly communicates it to your staff and makes access to it easily available. At Mango, we sat down with our staff and went over our finalised policy to ensure everyone’s understanding was correct. We then uploaded it into our Mango document management system so that our staff could access it easily at any time.

Takeaway

1. The policy does not need to be overly complicated. Simplicity is best.

2. The policy needs to be communicated, understood and applied within the organisation.

3. Management need to show commitment to the policy and be role models for the staff under them.

4. Each department needs to come up with their objectives and a framework as to how these will be met.


5. Commitment needs to be shown at all levels of the organisation.

6. Remember: “Out of sight, out of mind. In sight, goldmine”.


Part 12: Clause 5.3 Roles, Responsibilities and Authorities

Clause 5.3 is one of the easier clauses to achieve. When you get it right everything tends to fall into place. However, get it wrong, and your whole system will lack direction and ultimately fail to deliver.

In fact, the clause title “Roles, responsibilities and authorities” doesn’t really tell you what the clause is truly all about – it’s actually all about clarity and communication. The clause recognises that individuals in an organisation must communicate with one another and work together in order for the company to work effectively and achieve the intended outcomes of the QMS. Clarity about roles, and excellent communication about these roles, is where it’s at.

Here’s an analogy for you – think of a QMS as being like an automobile. Just like a car, a QMS requires numerous parts of an organisation to work together in order for it to run effectively. The steering wheel, the accelerator and the brakes are the CEO. They steer, accelerate and brake the organisation when required. Their role is to ensure that the organisation is meeting the rules of the land and that it’s making progress in the right direction. The mirrors, wheels and lubricants are the supervisors that help hold the company together by ensuring the plans are met. The staff are the engine-room of the business. They have the horsepower to perform the majority of the work in meeting the customers’ needs and expectations.

Every part of the car - and of the organisation - has to know what it’s doing, and to make sure that it does only what it is set up to do. We don’t want the brakes looking in the rear view mirror, for example, nor do we want the receptionist designing machinery instead of answering the telephone. Every part has to understand where their contribution fits and to have an idea of what all of the other parts do. A high level of clarity and communication is essential if the car or the QMS wants to deliver on their potential.


For an organisation to meet the desired outcomes of ISO 9001, top management needs to take charge. This requires establishing and communicating the following to all team members:

1. The structure of the organisation.

2. Clear lines of reporting.

3. Individual job roles, responsibilities, goals and desired outcomes.

4. The importance of customer focus.

5. Assigning responsibility and authority to an appropriate employee to maintain the QMS, and to ensure the processes are delivering the intended outputs.

How did Mango achieve this?

Here at Mango, our structure is simple. We use an organisational chart to display the relationships between everyone in the company. Each employee reports to their department’s team leader and goes to them when they need help. This is a straightforward structure and it works well for most small to large businesses.

Once the structure and lines of reporting are defined, management needs to ensure that each employee has a thorough understanding of their job role. Details of each job role need to be provided both in writing and verbally. Just choosing one delivery method isn’t going to cut it – provide only a written outline of a job role, and your employee has no opportunity to clarify, no chance to ask questions, no place to raise concerns. Just having a chat about their job role is no good either – both of you will probably forget 80% of what is discussed. So do what we do at Mango. Sit down with the staff member and a copy of their unique job description. Talk them through each responsibility and process, and define appropriate goals that align with our system. Invite questions and provide clarification. Take your time over this, because it’s really important.

At Mango we also give each employee their own login to our software. This gives them access to all the QMS information they need. Once this step is performed we then provide them with the necessary training. This process enables employees to perform their duties in line with the requirements of our QMS.

An area that doesn’t get stressed enough is the importance of employees being aware of other colleagues’ job roles. Understanding the responsibilities of other team members helps every individual understand the impact of their own and everyone else’s input. It helps employees see the bigger picture and to appreciate how they are working together to achieve the desired outcomes. One highly effective way of achieving this is documenting a ‘Roles and Responsibilities Procedure’. This is a list of all of the positions in the organisation and the roles and responsibilities under each position. Again, employees need to be provided with verbal and written communication of this.

Now it’s time to discuss the most important part of the clause – the promotion of customer focus! Unfortunately many organisations get too caught up focusing on their daily activities, and forget about meeting customer requirements. Customer focus needs to be at the forefront of everything an organisation does because without customers, the business would not exist. Here at Mango, every single team member is responsible for meeting customer requirements.

Takeaway

1. Everyone needs to know their role and responsibilities and communicate with one another in order for an organisation to be effective.


2. All communication of employee job descriptions needs to be done both verbally and in writing.

3. Ensure that team members are actively listening to customer feedback.

4. Management needs to assign the authority and responsibility of the QMS to a suitable employee who is capable of performing the following tasks:

5. Communicate the importance of customer focus and the organisation’s vision, mission, policy and objectives throughout all levels of the organisation.

6. Ensure that the integrity of the system is maintained when changes to the system are planned and implemented.

7. Maintain the master list of documents such as job descriptions, processes, organisational charts and the systems procedure.

8. Ensure the processes are delivering their intended outputs.

9. Report on the performance of the QMS and on opportunities for improvement.


Part 13: Clause 6.1 Actions to Address Risks and Opportunities

Over the years there have been many changes and additions to ISO 9001. In my opinion some have been, at best, neutral (see: all of ISO 9001:2008), while others have been potentially extremely useful game-changers (see: ISO 9001:2015 clause 4, the Context of the Organisation).

Clause 6.1 is one of those changes that falls into the potentially-very-useful-game-changing category. Prior to this change, ISO 9001 didn’t even address the issue of risk. Not once. Not even to perpetuate the view that risk is nothing more than a dangerous grab-bag of big, scary negatives.

ISO 9001’s new approach to risk is well-fleshed out, usefully structured, and much more reflective of what risk actually means for your organisation. ISO 9001 recognises not only that risk exists and that it poses challenges for organisations, but also that it presents organisations with many potential opportunities. Like community worker Bangambiki Habyarimana said in his book The Great Pearl of Wisdom, “Opportunity and risk come in pairs”.

Here at Mango we’ve had to change our mind-set around risk, too. Our business mentor John Barr convinced us not to see risk as a negative chore to be waded through several times a year. Rather, he encouraged us to view risk as something positive: he told us to “Celebrate risks. Celebrate weaknesses”. Risk is not just where you’ll find the things that could bring you down. Risk is also the place where you’ll find a myriad of opportunities that can lift you up.

Let me give you an example. Let’s say that in your business you don’t have a particular product that some of your customers have stated a need for. Without this product you risk losing those existing customers. Even worse, without this product you risk being unable to attract new customers. Without this new product the risk to the health of your business is definitely there. But – and it’s a big but – your customers’ new need also presents an opportunity. If you develop a product to meet this need, you could keep existing customers (dare I say, you’ll actually delight them), as well as win new ones.

This is where things can get tricky. Say, for example, that your team decides to accentuate the positive and go ahead and develop the new product. All of a sudden a new set of risks is revealed… for example, you run the risk of not having enough competent staff to do the work. You may not deliver what is needed on time. You run the risk of diverting resources away from other product lines. But – there’s that word again – on the upside, hiring and training new staff may unlock a whole new set of potential products. New staff may actually make it easier to meet other deadlines. Again, risk and opportunity come in pairs.

It’s very important that you realise that it’s your duty as an organisation to have an action plan for both your risks and opportunities. The good news is, if you’ve been following along with Mango on our journey towards certification, you will have already done a lot of the groundwork relating to risk and opportunity. Remember the work you did when you determined the context of the organisation and the interested parties for clause 4? During that process you will have carried out a SWOT analysis. From your SWOT analysis you’ll be able to firstly identify the risks associated with the context of your organisation and with third parties.
Second, you can use the SWOT analysis to identify the opportunities that your organisation can act on to enhance your desired results.

Once you’ve identified the risks and opportunities, you’ve always got a variety of choices in how to proceed. When dealing with risk, you can at any time choose one or more of these options:

Eliminate the risk source

Change the likelihood or consequence/s

Avoid the risk

Share the risk

Retain the risk by informed decision

Take risk in order to pursue an opportunity

When dealing with opportunities, you also have a number of options on the table:

Adopt new practices

Launch new products

Open new markets

Address new customers

Build partnerships

Use new technology

Here’s how the process worked at Mango - we reviewed the work we did during our SWOT analysis. We then held a brainstorming session with our staff. We talked through the risks and opportunities and documented all of them into the Risk module in Mango. From there Mango has a workflow that documents action plans to prevent/minimise risks or enhance the opportunities. This became our action plan.

One of the risks we identified for Mango is currency fluctuations. If the New Zealand dollar were to drop significantly against other currencies then Mango would be exposed. This would negatively impact Mango’s profits. To manage this risk we have chosen to review the international exchange rate on a daily basis. Mango may hedge against this drop. This approach is a combination of changing the consequences and retaining the risk by informed decision.

One of the opportunities we identified was the development of a new feature in Mango that increases the chance of closing some sales deals. As a result we have created a development roadmap to enhance Mango so that some sales deals may close faster.


We then captured all the risks and opportunities and their associated actions onto a risk register in Mango. On a monthly basis we review these risks and opportunities - and any others that have popped up - in a management team meeting to ensure that they are being well managed. It’s not just about avoiding being blindsided, it’s also about being ready to seize opportunities when they arise. A big pat on the back to ISO 9001 for acknowledging this important game-changer.

Takeaway

1. Review your SWOT analysis.

2. Meet with your team and brainstorm.

3. Outline how you will reduce or remove risks from occurring.

4. Outline how you will take advantage of new opportunities.

5. Continually re-evaluate risks and opportunities at management meetings.

6. Encourage and allow your employees to contribute towards the risk register.


Part 14: Clause 6.2 Objectives

When creating Quality Objectives for your QMS there is lots to think about and lots to consider.

At a basic level, objectives are something that you plan to do or achieve. So if you are going on a road trip, you plan to arrive at your destination by a certain time. To achieve this you have to take into consideration how long it will take to get there, including all necessary food, toilet and fuel stops and what resources you have. For instance, do you have a car or can you take other transportation?

So when it comes to setting quality objectives the same process takes place. You cannot just jot down any random objective off the top of your head. This process requires organised planning and some serious thought.

The thought process needs to include:

What does our quality policy say?

What does our organisation want to achieve?

What do I want my department to achieve?

It is critical for ISO 9001 that the quality objectives are consistent with the quality policy and are relevant to the QMS.

As I have previously quoted, it’s important to use the SMART framework: SMART stands for Specific, Measurable, Attainable, Realistic and Timely.

Specific - this means you need to clearly identify what it is you want to achieve. For example, here at Mango we want to increase our profit by 30% in the next financial year.

Measurable - baseline data is necessary to measure your objective against. For example, we will measure our objective by comparing it to the previous year’s profit. We use a spreadsheet to measure how we are tracking towards this goal. This helps us understand whether we are ahead, behind, or on track.

Attainable - ask yourself ‘Is this objective achievable?’ and ‘Is it out of reach?’ The objective for Mango’s Marketing Department is to receive 50 qualified leads per month.

Realistic - This is the section where many organisations go wrong. Yes it’s great to dream big but you need to do so realistically. For Mango 50 qualified leads per month is realistic. But at the same time, the objective needs to be challenging.

Timely - Objectives need to have a timeframe. You can’t just say “we will achieve 50 qualified leads”, you need to define the time period that you will achieve this by. Is it over a quarter? Annually? Monthly? This needs to be clearly defined.

You may be asking yourself, “how do I come up with a relevant objective?” A good place to start is looking into audit non-conformances and customer complaints. This will help you identify areas for improvement.

Now you may be wondering, “how many objectives should our organisation have?” The answer to this depends on the size of your organisation. It’s important that you don’t put multiple objectives in place for each department otherwise it makes it hard to focus. Some companies like to have one objective per department. Others like to have 2-3 per department (one short-term goal, one mid-term goal and one long-term goal). If this is the style you choose to go with then it’s important that you celebrate the victory of achieving short-term goals as this will increase motivation in employees when they realise that achieving objectives is possible.


Here at Mango we have 5 departments - Sales, Marketing, Support, Development and Accounts. As each department strives to achieve different goals, we decided to create one objective per department. So in total we have 5 objectives. Each objective must be relevant and at the same time enhance customer satisfaction and the quality of the product/service that your company offers.

One area where many companies struggle is in effectively communicating objectives. If you want to achieve your objectives then communication to all staff is crucial! One great way to do this is to hold a staff meeting.

The following should take place in this meeting:

1. Each objective needs to be discussed in detail.

2. The plan on how each objective will be attained and the time-frame of each objective needs to be clear.

3. The role of each team member.

4. Identify who is responsible for meeting the objectives.

5. Every team member needs to receive a print out of the list of objectives and the steps necessary to reach them.

6. End with a questions and answers session.

At Mango, we held a team meeting and each step above was followed. This was a great success and everyone was aware of how each employee fitted into the success of each objective.

We used Mango to upload our organisation’s objectives so that any member of our team can log in and view them at any time.

There may be occasions when you find yourself falling behind on your set goals, and this is OK. Sometimes the planning stage may not have been realistic, meaning you were set up to fail, or maybe you did not have the necessary resources to meet your objective. This is why it’s important to constantly monitor your objectives so you can identify when you are not on track and do something about it.

Sometimes you might find yourself smashing your objective/s out of the park. Again, re-evaluate it and adjust it by challenging yourself to get a better result.

Takeaway


1. Use the SMART Framework when establishing your quality objectives.

2. Include team members in the establishment of quality objectives.

3. If you are struggling to come up with ideas then look at non-conformances and customer complaints.

4. Try to stick to one objective per department.

5. Communication is KEY. Ensure all team members are aware of the objectives and the steps to meet them.

6. Monitor the process.

7. Evaluate the results.


Part 15: Clause 7.1 Resources

In the 2008 version of ISO 9001, the clause relating to resources was a paltry 31 words long. Titled “Provision of Resources”, it only required that an organisation provide resources to maintain and improve its QMS and enhance customer satisfaction. That’s it. Now that’s really broad. You could drive a bus through that. So as a customer and as an internal auditor this clause was something that I took for granted for years. I took it for granted because resources are just resources, aren’t they? It’s really hard for the auditor to prove that more resources are needed. They need to have a very sound case to prove that.

In the latest 2015 version of ISO 9001, the resources clause has been given a make-over and now has some meat behind it.

Let’s break the 2015 version down into its constituent parts:

The general clause (7.1.1) covers the same as before. It’s about the provision of resources, but now also points to the need to consider the capabilities and the constraints on internal resources and the needs of external providers.

The people clause (7.1.2) ensures that the organisation determines and provides personnel to implement a QMS and to operate and control its processes.

The infrastructure clause (7.1.3) ensures that the organisation determines and provides infrastructure for the operation of processes and to achieve conformity.

The environment for the operation of processes clause (7.1.4) ensures that the organisation determines, provides and maintains an environment necessary for the operation of its processes and to achieve conformity.

The clause 7.1.5 Monitoring and measuring resources looks after measuring devices, calibration and measurement traceability.

So far these clauses are pretty much a rehash of the previous standard. Here at Mango we use the PPE/Items modules for managing critical equipment, the workplace, the infrastructure and other tools. Mango makes this really easy.

The really interesting clause in 7.1 is 7.1.6 Organisational knowledge. This clause has some headaches. I have seen a couple of external audits from Certification Body auditors where the auditors have had differing views on what knowledge is. You need to get this clear in your own minds and define it yourself.

Auditors need to evaluate if the organisation considers internal and external sources, such as:

Learning from failures, near miss situations and successes;

Gathering knowledge from customers, suppliers and partners;

Capturing knowledge that exists within the organization, e.g. through mentoring, succession planning;

Benchmarking against competitors;

Sharing organisational knowledge with relevant interested parties to ensure sustainability of the organisation;

Updating the necessary organisational knowledge based on the result of improvements.

Knowledge coming from conferences, attending fairs, networking seminars, or other external events.

To deal with this at Mango we have added procedures into our Quality Manual around how we capture knowledge in the company. This is how we do it:

Monthly Company meetings

Scrum meetings

Weekly development meetings

Weekly marketing meetings

Use of Wiki by the development team

Use of Mango by all staff and partners

Use of HubSpot (our CRM and our Marketing platform)

Use of Mantis (our bug tracking software)

Use of Xero (our accounting system)

Use of Lynda.com (online training portal)


We capture this knowledge in each of these tools and share it around the company to ensure the knowledge is used in giving the customer value. Every month in the Company Management Review we look at the effectiveness and efficiency of these sources.

Takeaway

Clauses 7.1.1 to 7.1.5 are straightforward to meet. There has essentially been no change from the previous standard.

Clause 7.1.6 Organisational knowledge will not be a hurdle if you take a systematic review of all your processes and determine how knowledge is captured. Following that, you’ll need to determine how that knowledge is disseminated to the rest of the organisation. Then ask: Is that efficient? Is that effective? Take action if there is a no to either question.


Part 16: Clauses 7.2, 7.3 and 7.4 Competence, Awareness and Communication

In this section I’m combining the competence, awareness and communication clauses. I firmly believe that someone can only be deemed competent if they have an awareness of the quality management system. No awareness? Then sorry, no competency. In my book, competence and awareness always go hand-in-hand.

Let’s start with competence. The standard breaks competence down into 3 stages:

1. First, determine the competence that someone needs to have to be able to control the work they do that will have an effect on the performance of the QMS.

2. Second, ensure that the people who are controlling the job are competent based on their education, training and experience.

3. Finally, if there are gaps between stages 1 and 2, create an action plan to address those gaps.

At Mango we use a skills matrix to guide us through the three stages. We’ve found this matrix to be a powerful, elegant tool in our compliance tool box. Here’s what we do: on one axis of the matrix we describe the skills that are required for the system. On the other axis we list the people and their positions in the company. Next, we assess our people against the skill. We found – and you’ll likely find this too – that not all people have all of the skills, and conversely, not all of the skills have people assigned to them. At this point, the action plan on where to go next has pretty much written itself. As you can see, the skills matrix is a valuable, visible compliance tool that does a lot of the heavy lifting for you.

This gap analysis neatly highlights the areas in which we are weak, lacking or exposed.

When I was working as an ISO 9001 certification body auditor I always took a great deal of interest in the competence and awareness clauses. I would ask what gaps the organisations had in their skills matrix and the importance of those gaps. Then I would go out and look at those gaps and the processes around them. I’d question the staff doing those jobs. All of this was real auditor fodder because the gaps are a goldmine for non-conformances or recommendations. Don’t wait for an auditor to come in and walk you through the skills matrix. They’re simple to understand, easy to use and powerful in what they reveal. There’s really no excuse!

Here’s another pro-tip from an external auditor’s perspective - one of the common problems I found was organisations failing to take into account an employee’s education, training and experience. All too often I saw organisations only listing the training that employees had received whilst under their employ, with no mention of prior experience, or other education or training received when they were employed elsewhere. Not listing experience, education or prior training is a big mistake. These aspects are valuable cultural capital that you ignore at your peril, because like financial capital, the health of your business is built on it.

Next, let’s look at awareness and communication. As outlined in the sister standard ISO 9000 Quality Management Systems - Fundamentals and Vocabulary, “awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of the organisation’s objectives” and “planned and effective internal (i.e. throughout the organization) and external (i.e. with relevant interested parties) communication enhances people’s engagement and increased understanding of:

the context of the organization;

the needs and expectations of customers and other relevant interested parties;

the QMS.”


The key here is that you need to ensure that staff are fully aware of their responsibilities.  This awareness could occur through various means such as:

Documented policies and procedures

Training sessions

Meetings

Assessments

Once staff are clearly aware of their responsibilities, the next step is to make them conscious of how those responsibilities and their actions can contribute to the company meeting and achieving its objectives.

For example, at Mango, we defined the operational procedures in a few simple documents. We then discussed those procedures in staff training sessions. Every month we have management meetings to run through those procedures again to ensure staff still have a clear understanding of their responsibilities. Then finally we sit with the staff and assess their awareness levels of their responsibilities. This assessment is then added to the skills matrix. Too easy!

Takeaway

1. Determine the level of competence required to do a job.

2. Assess the staff for competency based on their education, training and experience.

3. If there are gaps then create an action plan to address those gaps. Make staff aware of the QMS through:

a. Documented policies and procedures

b. Training sessions

c. Meetings

d. Assessments

4. Keep the skills matrix up-to-date. Monthly is ideal, but quarterly will do in a pinch.

5. Keep communicating the QMS to staff. It’s a daily task.


Part 17: Clauses 7.5 Documented Information

Since ISO 9001 first became a standard back in 1987, one of its most debated issues is the number and type of documents that the standard requires.

Where documentation is concerned, most people have erred on the side of “too much ain’t enough”. These days it could be argued that the standard is used as a rationale for documenting every single little thing. Just in case, you know? Just like everybody else, right?

Consultants have had a field day in this environment, making millions of dollars from creating a blizzard of policies, procedures, forms, checklists and templates. Consultants have an interest in creating more documents because for them, that’s money in the bank. Consultants then get to have a second crack when they regularly audit the same documents. If non-conformances are found then they demand that more documents be created to meet another part of the standard. It’s a never-ending pile-up of more and more documentation.

Over the years many critics have slammed ISO 9001, arguing that achieving certification is simply a documentation exercise. And it’s easy to make this point – some companies do indeed create and maintain literal rooms full of documents, their justification being that the standard itself demands it. It could be argued that the standard is its own worst enemy.

According to ISO over a million companies have been certified…but that number is tiny compared with the potential number that could be certified. Organisations are reluctant to sign up to creating a paper tsunami, judging that the gains to be made simply aren’t worth it.

I firmly believe that the madness around documentation is the reason why ISO 9001 hasn’t become more popular.

Certification bodies have a case to answer here, too. Such bodies demand that documents be created so that you can pass an audit. Just today a manufacturing client of Mango was asked by a certification body to rewrite its manual to meet the clauses of the standard. What value does this bring to the company? I’d argue that there is actually no value at all, and that in fact it’s a big negative - a costly time suck! Just because the auditor can’t interpret the manual to the standard for documentation doesn’t mean that the company should be penalised for auditor laziness.

So the question is, how many documents do you actually need?

All that the standard says is that the organisation shall determine the amount of documents “necessary for the effectiveness of the quality management system”. That’s a pretty broad stretch from zero to a lot. So it really is up to you to ensure your QMS is being managed effectively.

Let's start with what the standard doesn't require:

Quality Manual

Forms Register

Records Register

Document Register

Document Change Register

But what it does require is:

Document identification and description

Appropriate format (language, software version, graphics, paper, electronic)

Review and approval

Available for use

Protected (e.g. from loss of confidentiality, improper use, or loss of integrity)

Controlled (distribution, access, retrieval and use; storage and preservation, including preservation of legibility; changes; retention and disposition).


So here at Mango we thought long and hard about what we needed for our QMS and we decided to create a quality manual. After many years in this game we thought having a quality manual was of greater value than not. The Quality Manual is a great tool for:

Communicating the QMS to staff

Training new employees in the QMS

Helping to manage contractors so that they understand our QMS requirements

Providing to customers if they want to see and audit the QMS

Fortunately for us we also use our product Mango to control much of our documented information. Mango holds the quality manual, all the forms we use and many of the records we use to prove compliance to the ISO 9001 standard and for legal and regulatory requirements. Our system isn’t an overwhelming paper tsunami – it’s a trim, concise and easy-to-navigate system that gets used.

Takeaway

1. Determine what an effective QMS looks like.

2. Remember that documents are only necessary for the effective management of the quality management system.

3. Determine how large your QMS will look.

4. A Quality Manual is not required but it can be useful.

5. The over-riding principle is that documented information must be managed and controlled.


Part 18: Clause 8.1 Operational Planning and Control

So far in this eBook I’ve mostly talked about very high-level processes. They’re what’s covered in clauses 4, 5, 6, and 7, and are the “Plan” part of the Plan-Do-Check-Act (PDCA) cycle. It’s the big picture stuff, the laying of critical foundations. But of course, in every certification process there comes a point at which you have to deal with the detail – the “Do” part of the PDCA cycle. Capturing exactly how your company controls the internal processes that it uses to provide products and/or services to customers is key to running a successful QMS.

So, back in clause 4.4 you determined what your QMS will look like. Now, for clause 8.1, you’ll be getting specific and adding lots of detail.

The first step is to decide exactly what it is that you want to capture. In other words, what criteria are you going to use for determining whether the processes are under control? There aren’t any particular criteria listed in ISO 9001 for you to adopt, but some criteria that are commonly used are appearance, dimensions, completeness, performance or customer satisfaction. Depending on the needs of your particular business there may be more. Whichever criteria you choose, there are two important things to consider when making your decision – first, remember to keep the customer firmly at the forefront of your mind. Everything you record, measure and analyse should be for the betterment of the customer in the long run, and the criteria you choose are critical to this. And second, the more information about processes that you capture, the better and more robust your system will ultimately be. Make sure that the criteria that you choose allow you to capture enough information to be useful.

Once you’ve decided on criteria, the next step is to look at the resources that are required and spell that out. Who does what? What equipment do they use? What training is required? And so on.


Finally, look at what kind of documented information you will need to confidently show that the processes have occurred and to prove conformity of the product or service to your requirements. Again, you decide this, as well as the amount of documentation that’s required. Don’t go overboard with this though. A tsunami of documentation will be counterproductive.

It’s at this point of the certification process that many companies come unstuck.

Many end up documenting what the process would look like in a perfect world, as opposed to what happens in reality. How your company actually does things is what clause 8.1 is all about. If you’re honest about documenting the processes as they really are, you have done your team and your customers a great service. Big gains can be made when you are dealing with facts, and not fantasy. Be honest and rigorous about recording the reality of your processes.

A common mistake is that companies capture what they wish they were doing, not what they actually do.

Here at Mango, the team fleshed out the processes listed in clause 4.4. We debated each process and looked at the criteria and resources for each. As an example, let’s talk about marketing processes. One of the goals for our marketing team is to successfully deliver leads to the sales team. So the first thing we did was to identify the processes that are used to deliver leads and the resources needed to do this. One marketing process we use to generate leads is to run monthly webinars. We debated the criteria around running those webinars, and nailed down what actually happens each month regarding the webinar process:

Appearance: Marketing webinars are run by the Chief Marketing Officer. The webinars focus on QHSE and feature a guest with specialist knowledge.

Dimensions: They occur once a month for 60 minutes, using a product called “Go-to-webinar”. Promotion of the webinar is via email, blog and newsletter. A registration email is sent one week before the broadcast, with a follow-up reminder email 1 day before. Distribution of webinar recording occurs the day following the broadcast, and is done via email and blog.

Completeness: Webinar completed within the first week of every month.

Performance/customer satisfaction:

o Number of registrations.

o Feedback received via email/LinkedIn/comments.

o Number of leads generated for the sales team by each webinar.

Resources: Go-to-webinar subscription, Chief Marketing Officer, Marketing Assistant, expert guest.

Documentation: blog, email, leads.

By documenting the process and the criteria we formalised what we’d been doing. We gained clarity as well as identifying a starting point for making improvements.

Takeaway

1. Take the high-level processes identified in clause 4.4 and flesh them out with your teams.

2. Determine the criteria for what success looks like for each process.

3. Determine the resources required for each process.

4. We recommend documenting these processes so that the employees are clear on what the processes are.


Part 19: Clause 8.2 Requirements for Products and Services

It doesn’t take an entrepreneurial genius to realise that without your customers, your business doesn’t exist. Without people buying your products and services, you have exactly nothing. Of course, in healthy economic times finding customers can be relatively easy. Just by doing the minimum of opening your doors, you’re likely to get a few people wandering through. You may even be able to scrape out a living that way, for a while.

But to really succeed and prosper over the long term - especially when the economy takes its inevitable, cyclical dip - you need to aim for your customers finding what Deming described as “joy in [y]our products and services”.

So when you arrive at clause 8.2 Requirements for Products and Services, you need to roll up your sleeves, enlist the help of your marketing team (or person), and do your very best work. It’s a potential game changer.

Clause 8.2 is divided into three sections. The first is about how you communicate with customers, the second is about the requirements of customers, and the final section is about reviewing customer requirements before committing to supply.

The first part of the clause (clause 8.2.1) covers how you communicate with customers about:

your products and services

handling enquiries, orders and contracts

getting feedback from them

handling customer-owned property

action you will take if certain events may or may not occur

You want your customers waxing lyrical about you. Recommending you. Loving you. And like any healthy relationship, communication with each other is fundamental to achieving this.

Some of the customer communications processes we use here at Mango include:

communicating our product features on our website

training customers in the product during implementations and in help guides and FAQs

providing both online and offline support for the product

terms and conditions agreed online during the sign-up process

customer webinars

At Mango we’ve made a point of covering the various ways in which people prefer to give and receive communication. Deming once wrote that “people learn in different ways: reading, listening, pictures and watching”. A person’s learning style (such as auditory, visual etc.), influences the type of communication preferences they have, so we’ve made sure to use a wide variety of tools, from blog posts to videos to photos to phone calls to webinars. Our view is that if we employ an assortment of communication methods, we then have a much higher chance of communicating successfully with more people, more often.

The second part of the clause (Clause 8.2.2) deals with determining the requirements of the customer before you engage with them. These could include legal or regulatory requirements from local or national governments and any others that your company determines. You also need to make sure that you meet the claims you make for your products and services.

At Mango, when we’re thinking of developing the product further, we capture possibilities in a Mango Requirements Document (MRD). These are internally-generated and might include ideas for new modules, or new layouts or interfaces. The MRD gives us a roadmap of potential new features for our product. We then combine the MRD with the “Dev Requests” we get from customers who use the product. Combining the MRD with Dev Requests means that we’re able to introduce new features, enhancements and updates to the Mango software in software releases. Not only do we meet the explicit needs of the customer, but we also delight them with the added value of things they didn’t know they needed.

The final part of the clause (8.2.3) is around reviewing customer requirements before committing to supply the product or service. You need to take into account a few things here. You must consider how you will deliver, install, service and warranty what you deliver, at the same time making sure you meet all applicable Acts and regulations. You must also consider what to do when providing verbal contracts. Once all that is considered and reviewed, you need to formally accept the requirements with a confirmation back to the customer of what you are going to deliver and when. You need to keep documented information of this review.

For example, here at Mango, when a new client signs up, the Mango Sales team checks the quote against the order, checks the employee numbers against the quote, and if it’s all okay, they process the order and set up the account. If there are any adjustments to be made there is an agreement of the change with the client by email. The order is then delivered to the Mango Implementation Team to then deliver, install and service the order with the customer.

Clause 8.2 isn’t a clause that you’ll want to just phone in. Get your very best people on it.

Takeaway

1. Determine how you will communicate with your customers.

2. Determine the requirements of the customers.

3. Create processes to receive customer orders.

4. Review whether you can meet the customer’s order.

5. Ensure you have processes that can make necessary changes to the product or service when things change.


Part 20: Clause 8.3 Design and Development

By now you’ve no doubt realised that I’m a huge W Edwards Deming fan. The man was incredibly smart, creative and clear-sighted. He was the King of Processes (“if you can’t describe what you’re doing as a process, you don’t know what you’re doing”), as well as a staunch advocate of the notion that “innovation comes from the producer – not the customer”. Clause 8.3 is a neat intersection of these two observations by Deming. His work may be many decades old by now, but it has lost absolutely none of its power and relevancy. Keep his wisdom in mind as you work through this vital clause.

The first step is to get together with your staff and review what processes you have to design and develop your products and services (8.3.1). Look at the stages you use as well as the controls you have during and after those stages. Write them down on a whiteboard. Then check to see what controls you have in place to manage those processes – things like decision points, approvals, sign-offs, monitoring, meetings, customer review points etc. Put those on the whiteboard too.

The next part of the clause (8.3.2) helps you determine those control points. It asks you to consider a list of 10 items, namely:

1. Complexity of the design.

2. The process stages including the review stages.

3. The testing you will do to check the design.

4. Who will be responsible and what authority will they have?

5. What resources are needed?


6. The interfaces between teams in the process.

7. How will customers get involved?

8. Who will use the design next?

9. What control do customers and other parties have over the design?

10. Determine what records you will keep to prove what you have done.

For example, here at Mango we use a range of processes with multiple stages that include activities like SCRUM and Agile development (these are two fantastic quality tools used by the software industry – if you’re in software and you’re not using them, get with the programme ASAP!). We also have continuous release processes where we update the product monthly. It took us a few days to break down and describe the development process, but it was time well spent because it made things so much clearer for our whole team. Remember, as Deming pointed out, “it is not enough to do your best; you must know what to do, and then you do your best”.

Next you need to work out the requirements for what you are designing (8.3.3). Once again the standard gives you a simple list of what you need to consider:

1. The functional and performance requirements for the design.

2. Any information from previous designs.

3. What are the statutory, regulatory, standards or codes of practice requirements?

4. List any potential consequences of failure.

5. Make sure the requirements are clearly defined and any conflicts are resolved.

6. Again, determine what records you will keep to prove what you have done.

Now that you have the requirements, the next step is to make sure that you have processes to control the design and development (8.3.4). These include reviews, verification, validation, problem solving and capturing records.


Once you have created your design (it could be drawings, specifications, coding, plans, models etc.), the standard (8.3.5) requires you to ensure that:

1. The design meets the requirements.

2. The design can be manufactured or the service offered.

3. The design can be inspected and tested.

4. The characteristics of the design are specified.

At this point in working through the clause many people feel that the hard yards have been done, and spend little time or energy on the elements of review. Big mistake. Unintended consequences are always a possibility – not just for software, but for every single industry in existence – so to miss this step or to do a rushed job can be very expensive in terms of missed opportunities, and devastating with regard to costly errors. Deming was very aware that everyone has blind spots – as he said, “the big problems are where people don’t realise they have one in the first place”. So take time to thoroughly review, authorise and check all changes to the design. You need to be sure that they don’t cause other issues (8.3.6). You want to ensure that you don’t have any blind spots.

Here at Mango, during each monthly release, we have a number of formal reviews to check on progress. In addition each requirement is designed, developed and verified by the Software Developer prior to delivery to a User Tester. The User Tester then validates that the requirement is working both prior to, and after, release. Any problems are reported to the Software Developer for fixing. All changes are recorded, listed and monitored to ensure they are well managed.

Takeaway

1. Clearly define what processes you use for designing and developing your products and services.

2. During planning consider the list of 10 items from ISO 9001 when you determine your processes.

3. Work out the requirements for what you are designing.

4. Make sure you have processes to control the design and development.


5. Make sure any changes to the design and development are controlled.

6. Make sure you put in some effective reviews to ensure nothing slips through the cracks.


Part 21: Clause 8.4 Control of Externally Provided Processes, Products and Services

Way back in Part 7 of this eBook I discussed the importance of relationship management in developing your quality management system. In that part I said that “when I was a Senior Auditor for a Certification Body and auditing companies for ISO 9001 or ISO 14001, supplier management especially was always an area that companies were very weak in.” Over the years ISO and its technical committees have recognised this fact and in 2015 they significantly strengthened the requirements for this critical area.

Deming believed that your suppliers aren’t rivals or problems to be solved – in fact, he said that we should “ask our suppliers to come and help us solve our problems”.

Clause 8.4 is a tool to help you do that.

Let’s take a look at the detail.

Starting at 8.4.1 (in other words “Purchasing”), the standard talks about an external provider. Let’s call them a supplier. The list of suppliers could be in your ERP system, your accounting system, in Mango if you use it or in a spreadsheet.

Next, evaluate the critical suppliers against a fixed set of criteria. As an example, I have used the following criteria for over 20 years and it has stood up well over time:

1. Technology - do they have the technology to supply what you want?

2. Quality - what quality standards do they meet?

3. Responsiveness - are they responsive to your needs?

4. Delivery - can they deliver on time?

5. Cost - is the price acceptable?

6. Environmental impact - what is their impact on the environment and society?

As you engage these suppliers you will need to monitor their performance against your requirements. It takes some effort to ensure that they are performing, but it is time and resources very well spent. As you regularly talk with your critical suppliers about your issues and requirements a relationship will be built, one which is mutually beneficial, and more likely to be long-term.

For the next major requirement (8.4.2) the standard gets down and dirty and specifies the controls you must have for your suppliers.

First you need to ensure outsourced processes are controlled. For example, here at Mango we have partners that do implementations of our software at the customers’ sites for us. So we have procedures and training that provide the knowledge to partners on how to undertake and manage this important process.

Second, you need to define the controls for the supplier. These controls could be defined in various documents such as purchase orders, in agreements, or in contracts. In addition you need to have controls on the actual product or service they provide. You could ask for a certificate of conformance, a test report or a third-party test. For example, here at Mango we have formal Partner Agreements in place that define controls around things like marketing, sales, implementation and support for customers.

Third, don’t have “one-size-fits-all” controls for suppliers. For the critical suppliers that pose a significant risk to your business, put tighter controls in place. For others - not so much. Don't forget that you also need to make sure that your suppliers meet local laws and regulations.

Finally for 8.4.2 you need to inspect the product or service from the supplier. This could be your inwards goods receiving inspection process. When you receive the product you need to check it against the order and ask:


- Was it what was on the order?
- Was it the right price?
- Was it delivered on time?
- Was it damaged?
- Was it the right quantity?

The final requirement (8.4.3) is all about how you communicate with suppliers about the product or service you require. This is typically done with a purchase order but it could also be by contract or agreement. I have also seen other methods of spelling out requirements for suppliers, such as inspection and test plans, work briefs, statements of work and even forecasts. The standard says that you don’t have to write these down in a document but I think that it is best practice to do so.

Takeaway

In working through clause 8.4, the standard asks you to consider the following questions:

1. What do you actually want to be supplied?
2. How will you approve the:
3. Product or service prior to delivery;
4. Methods, processes and equipment the supplier will use;
5. Release of the product or service to you?
6. What is the competence of the supplier’s staff?
7. How will the supplier interact with you?
8. How will you control and monitor their performance prior to delivery?
9. How will you verify and validate the supplier’s premises?

The answers to these questions are in essence the base structure for a long-term relationship that will be beneficial to all involved. Make the most of it.


Part 22: Clause 8.5 Production and Service Provision

The clause 8.5 “Production and Service Provision” is where the rubber meets the road for your QMS. With the addition of some important controls, you’ll find that this is the place where things really get done.

My previous parts (Part 8.1, Part 8.2, Part 8.3 and Part 8.4) are an essential preamble and have been building up to this important clause. If you’ve done a thorough job of clauses 8.1 - 8.4, then congratulations are in order, because 8.5 will be a breeze.

Clause 8.5.1 starts with controlling how you plan your production and/or service. There’s a handy list of things in the standard that you need to prepare for:

- documented characteristics of product
- monitoring, measuring and acceptance criteria during inspection and test
- infrastructure required
- appointment of competent persons
- testing the product or service
- assess human error
- release, delivery and post-delivery activities

Next, 8.5.2 requires you to identify and trace the product and service you deliver. Then you’ll need to check the status of product or service (for instance, does it pass or fail), to ensure that you deliver acceptable product to the customer.

Third, 8.5.3 requires you to look after product that the customer owns and puts into your product or service. If you do damage to their property then you must report that to them. For example, here at Mango the customer puts their QHSE data into Mango. Therefore we must look after that data carefully with privacy policies (like encryption) and security policies (things like backups and redundancy). If data is lost it must be reported to the customer.


The fourth step - 8.5.4 - requires that the product is preserved so that it doesn’t get damaged and that it continues to meet the customers’ wants. An example here is using refrigerators to protect food that has a short shelf life. For us at Mango, it means that we must preserve our software so that it’s always available to every customer 24/7. Therefore our database servers are hosted in a professional data centre with disaster recovery plans in place.

Fifth, 8.5.5 talks about having post-delivery activities to ensure that the customer is well supported. For example here at Mango we have processes for the implementation of our software at the customer’s site. This implementation process includes setup, customisation and training. When implementation is complete, we then support the customer with FAQs, a Support module, videos, webinars and guidance documents.

Finally, 8.5.6 has you manage change. How you make changes to your product or service can happen in a myriad of ways, and here at Mango we have a multitude of processes for managing such change. Things like:

- Software code version control for managing the software
- Bug fixing changes for managing software incidents
- Support software for managing customer issues
- Release of notes notifying the customer of the changes
- Videos of changes to ensure the customers are aware of the changes
- Training webinars for customers

Takeaway

1. You need to plan the production of your products and services.
2. During production, identify and then trace the status of the product or service.
3. Look after customer-owned product.
4. Preserve the product or service once you have produced it.
5. Ensure you support the product or service once supplied.


6. During this whole process manage any changes that are needed.


Part 23: Clause 8.6 Release of Products and Services

Despite the title of this clause, 8.6 really is about how you inspect and test your product or service before giving it to your customer.

The standard talks about “planned arrangements … to verify that the product and service requirements are met”. What this means in everyday English is that you decide what inspection and testing you will do to ensure the product or service is good enough for the customer.

During the production of your product or service you need to put some checks (maybe quality control points) in place to ensure that you meet your plans, and to assure yourself that what you are giving the customer is what they want.

The easiest way of doing this is to look at your production (or service delivery) process and determine the key stages that you use. Then look closely at the points in the process where you do quality checks (or inspection points). These points are the key parts of the “planned arrangements”. Then you’ll need to determine what records you’ll keep to prove that the product or service has passed or failed the quality checks. In addition, work out which person (or persons) will decide whether the results have passed or failed. Further, identify any equipment you use to determine if the product or service has passed or failed, because that equipment may need calibration.

For example, here at Mango we do extensive inspection and testing of the product before it is delivered to the customer. The inspection and testing starts right upfront when we review the requirements documents to ensure that they are correct. Next the developers do code reviews and peer reviews of each other’s work. Then they do developer testing of the software. This is followed by in-house testing by a support tester who confirms that the product is acceptable for the customer. Due to the complexity of software, it’s just not feasible to test 100% of the code – instead, the testing programme must be extensive enough to cover the code, but at the same time it can’t take days and days to test. Recording test results all along the chain is vital to the integrity of our product and therefore to our business, so senior staff have given our developers and testers extensive training on how to test and record results. The whole process is documented in our Quality Manual, and each group uses a different tool to keep records. The developers record their test records in a product called Mantis, and the support tester has a test plan and records of that are kept in our file storage. It’s comprehensive because it has to be. We want delighted customers and clause 8.6 is key in achieving this.

Takeaway

1. Look at your process stages.
2. Figure out the QC points during those stages.
3. Determine how you inspect and test at those stages.
4. Keep records of all testing.
5. Make sure your staff are well trained on how to inspect and test your product or service.


Part 24: Clause 8.7 Control of Non-Conforming Outputs

With clauses 8.1 - 8.6 done, the bulk of your production and service delivery will be in place. This is a great position to be in but as we all know, even with the best team and circumstances available to you, things can and will go awry.

So the next two steps are very important: what happens when something goes wrong? And - just as vital - how will you manage outcomes?

With careful reading of clause 8.7.1 you’ll notice that the standard says you need to ensure that “outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery”. In other words, outputs are not just products and services - they could be anything. Documents that have errors, verbal quotes that aren’t understood, incorrect stock levels and invoicing errors are all common examples of non-conforming outputs.

This clause also hints at another important factor to bear in mind when identifying non-conforming outputs – outputs affect all customers, both external and internal. It’s not just the end user of your product or service that we’re talking about here. All businesses have internal and external customers which at some point will have to deal with shonky outputs. This clause covers all customers.

The clause then states that you “…shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services”. In essence, let the size and scope of the problem dictate your response to it. Here’s an example: if we have a major error in our Mango software and our clients are unable to use Mango at all, then our action will be to urgently fix the issue by patching the software immediately. If, however, the non-conformity is a minor bug and the client can still use Mango just fine, then our action will be different – we may choose to fix the issue at the next software update later in the month, for instance. Your response should always be appropriate to the magnitude of the problem at hand.

Next, when dealing with non-conforming outputs you need to consider how you will:

- Correct the problem;
- Segregate, contain, return or suspend the product and service;
- Inform the customer;
- Get a concession from the customer to deliver the non-conforming product to them.

Finally, the standard requires you to record what you have done about the non-conformance. Typically companies record these things in a report. There are a myriad of forms you could use. Call them whatever you like but for this eBook let’s call them NCRs (Non-Conformance Reports).

In your NCR the first thing to do is to describe in detail what the issue is. Many companies find this task difficult to achieve. There’s definitely an art to outlining the problem - you have to describe it so that others can understand at a glance what it means. Using a tool like WWWWH (who, what, where, when, how) can be a big help in achieving clarity.

Next in your NCR, describe what actions you have taken to correct the problem. This could include some immediate actions and perhaps some root cause analysis.

Next record any concessions from the customer in accepting the non-conforming product. The customer will have to authorise this acceptance of the inferior product or service (and remember, the customer could be either internal or external).

Finally, identify the authority who has decided on the action to fix the non-conformity.

For example, here at Mango we use our own Mango product to record non-conformances. The non-conformances are reported in the online form and then allocated to a Co-ordinator. The Co-ordinator allocates the issue to an investigator to address the issue and to do some root cause analysis. The Co-ordinator reviews what has been done and signs it off to authorise the fix. It’s all online and visible to all of the Management layers in the company.

This “Non-conforming Outputs” clause can be a pot of gold for you and your

Carefully managing non-conformance reports can directly increase your profits: as I said in this part, “[non-conforming reports] are feedback, a cause for pause, a chance to look at not just the detail of what you do, but also the big picture. But deal with NCRs sloppily and they have the power to put departments at loggerheads, get customers bad-mouthing you and reduce your profits”.

Takeaway

1. Determine what outputs that do not conform will be identified and controlled.
2. Work out how you will:
   a. correct the problem;
   b. segregate, contain, return or suspend the product and service;
   c. inform the customer;
   d. get concessions.
3. Create an NCR form.
4. Use the form to capture valuable information to increase profits.


Part 25: Clause 9.1 Monitoring, Measurements, Analysis and Evaluation

Clause 9.1 is all about measuring how well we are doing. This is the “check” part of Deming’s Plan-Do-Check-Act cycle.

Starting at 9.1.1 the wording on what to measure is very vague. The standard leaves it up to you to determine:

- What needs to be monitored and measured;
- How you will measure it;
- When you will measure it;
- How to collect and analyse the results.

Based on my experience (much of which was using the older versions of ISO 9001), the “what you should measure” can be split into 3 areas:

- Your product and service
- Your QMS
- Your improvements

For example here at Mango we monitor and measure the quality of the product by the number of bugs released to the client, as well as the up-time of the servers for the clients/users. We use two time frames to monitor and measure our QMS - every week in SCRUM meetings we review our processes, and every month we carry out a Management Review to ensure that we deliver on what we/customers want. And finally, we measure our improvements to the system using Mango itself.

Next up is clause 9.1.2. This clause requires you to measure customer satisfaction. Or as the standard says, “…customers’ perceptions of the degree to which their needs and expectations have been fulfilled.”

So how do you do that? The standard has a handy list of examples:

- customer surveys,
- customer feedback on delivered products and services,
- meetings with customers,
- market-share analysis,
- compliments,
- warranty claims
- dealer reports.

I don’t recommend surveys. I have completed hundreds of customer surveys in my time, but the reality is that I feel I don’t have the time to do them properly. I complete them without much thought - I tick the boxes and move on. How useful to anyone is that kind of half-hearted feedback?

What I do recommend doing is meeting with clients one-on-one and getting real customer feedback on the performance of your product and service. This is incredibly valuable data that is worth its weight in gold.

For example, here at Mango we try and visit our clients on a regular basis – all over the world. Recently I travelled from my home in New Zealand to visit our clients in South Africa. I took my camera with me and asked each customer for an on camera review of Mango. This will be presented back to staff in New Zealand or sometimes even posted on our website.

Another way we measure customer satisfaction is to measure our customer “churn” or the client retention rate. We are currently at over 99% customer retention, which is very high in our industry.

The final clause is 9.1.3. This is where you take all the data previously discussed and analyse and evaluate it to see if things are in or out of control. You can use statistical techniques for doing that. The standard again has a handy list of areas to evaluate:

- Product and service
- Customer satisfaction
- Quality management system
- Planning
- Risks and opportunities
- Supplier and contractors
- Improvements

For example, here at Mango we evaluate each of those above with the following:

- Number of bugs
- Customer feedback interviews
- Review of processes
- Plan versus actual
- Risk register review
- Supplier performance
- Number of improvements open and closed

Takeaway

1. Create measures of your product, QMS and improvements.
2. Measure customer satisfaction to get great feedback on your business.
3. Evaluate your business’s performance over time.


Part 26: Clause 9.2 Internal Auditing

I think the internal auditing clause of ISO 9001 has had more articles, blogs, webinars, videos and letters to the editor produced about it than any other clause in ISO 9001. Perhaps only Documented Information (clause 7.5) comes close to having a similar number of column inches dedicated to analysing it.

Not to buck the trend, I have written and presented numerous times on the subject of Internal Auditing. Here is a list of those articles I have written about it:

- The Use of Risk Based Thinking When Creating an Internal Audit Schedule
- Is it time to STOP Internal Auditing?
- 5 Habits of Successful QHSE Compliance Managers
- Internal Audits - Your (Not So) Secret Weapon

Here are the webinars I have presented on the topic:

- Tips and Tricks to Add Value to Your Audit Reports
- Freshening-up Your Internal Auditing Programme
- Are you Running an Effective Internal Audit Programme
- How to Create an Internal Audit Schedule
- Creating Internal Audit Schedules
- 7 Keys to Running an Effective Internal Audit Programme

Clause 9.2.1 requires that you conduct internal audits at planned intervals. The technique of doing internal audits is up to you. The length of the intervals between audits is up to you. The way you’ll decide how your organisation conforms to your QMS and ISO 9001 is up to you. The manner by which you’ll determine how effective and maintained the system is, is up to you. It really is a free-for-all. The only requirement is that you have to do it.

I have found that internal audits give great value but it can be a confrontational experience and, depending on your interview technique, people can be uncooperative and defensive.

I would highly recommend getting some internal auditor training from local experts to help find the best techniques to prevent and/or overcome such experiences.

Clause 9.2.2 has the nitty gritty on how to conduct the audits.

First, plan your approach to internal audits based on the importance of the processes. A mistake most companies make is to audit absolutely everything once a year. The standard gives you flexibility around this, so use your resources wisely and only audit what is important or what is the highest risk to your business.

Second, for each audit, work out the scope of what will be covered. You can’t audit 100% of the process, but you do need to cover enough to be satisfied that the important issues have been captured.

Third, make sure the auditors are independent of the process under audit. This can be tricky so you need to give it plenty of thought.

Fourth, report all findings to the relevant managers so there aren’t any surprises.

Fifth, ensure that the corrective actions from the audit are dealt with.

Finally, retain the audit results in a document.

For example, here at Mango we are taking an innovative approach to internal auditing. We are using a DIME (documented, implemented, monitored and effective) matrix to ensure the QMS conforms. The DIME approach is referenced in this webinar: Freshening-up Your Internal Auditing Programme.

Takeaway

1. Only audit what is important or what is the highest risk to your business.
2. For each audit work out the scope of what will be covered.
3. Make sure the auditors are independent of the process.
4. Keep records of the audit.


Part 27: Clause 9.3 Management Review

There are many good reasons why Management Reviews are much discussed and written about in QMS circles: they are absolutely key to the success of the ISO 9001 standard. They’re when you step back, take stock, analyse data, ask questions, listen, and then move forward. And not just once a year either, but often and with as many of your team involved as possible. Oh yes, I’m a big fan of this clause. But just in case you’re still not convinced, here are some blogs and webinars about Management Reviews that I’ve created over the past couple of years:

- How to Get More Value Out of Your Management Reviews
- Top Tips for Getting More Out of Your Management Reviews
- QHSE Education for Boards and Management Teams
- 5 Habits of Successful QHSE Compliance Managers

The clause starts with 9.3.1. This requires top management to review the QMS at planned intervals to ensure it is:

- Suitable,
- Adequate,
- Effective, and
- In alignment with the strategic direction of the company.

The canny amongst you may have noticed that the clause doesn’t include the word “meeting”. Management Reviews don’t have to be meetings. You could run reports to give to management. Perhaps use software options like Skype, Slack and so on.

At Mango, we like to have a meeting once a month and because we’re small, all staff are invited. This meeting is very useful as a teaching and coaching exercise for the less experienced staff members to learn. Because we sell QMS software (Mango) the less experienced staff get to really understand what a QMS is - what better way for them to see how a QMS operates than for them to be part of the Management Review process?

Clause 9.3.2 is about inputs to the Management Review. These inputs are a handy way to create an agenda for the Management Review meeting. Although they are listed in an odd order, you can rearrange them into a logical order to suit your operation so that all areas are covered.

The agenda items include:

- Actions from previous management reviews;
- Review the external and internal issues from the Context;
- Customer satisfaction and feedback;
- Review quality objectives have been met;
- Review process performance and conformity of products and services;
- Check nonconformities and corrective actions;
- Review audit results;
- Review suppliers;
- Check you have enough resources;
- Review risk (and opportunities) register;
- Review improvements.

For example, here at Mango this is our monthly Management Review agenda:

- From the Board – General, Business Planning
- Sales, Partners - Roadmap, ICT infrastructure
- People, Health and Safety, Environment – Accidents, Hazards, Emergency Plans, Training
- Team Resources - Team development, Travel / Holidays
- System and Processes – Policies, Objectives, Procedures
- Processes – Audits
- Events
- OFI - Issues and Opportunities
- Risk Management – Risk Register
- Resources - Any resources required
- General / Departments activities – Marketing, Sales, Support, Development, Partners

back for some great tips on how to run your Management Review: How to Get More Value Out of Your Management Reviews

Finally clause 9.3.3 describes the output from the review. This should include any decisions made and list the actions that relate to opportunities for improvement. It should also include any changes to be made to the QMS, any additional resources, as well as contain the minutes of the meeting plus any additional information like reports and data.

At Mango we minute each meeting and sign-off and attach the minutes in Mango. Too easy!

Takeaway

1. Decide whether to have a meeting or just run a bunch of reports through the Management Team.

2. Create an agenda that meets all the requirements of the standard.

3. Conduct management reviews at a frequency so you can see progress on the QMS.

4. Minute the meetings and record evidence of QMS progress.


Part 28: Clause 10 Improvement

The final clause of ISO 9001 revolves around improvement and corrective action. This is the “Act” part of Deming’s Plan-Do-Check-Act cycle.

Improvement, continuous improvement and implementing corrective actions are real game-changers for your business.

You should be continually looking for non-conformances that add value to your business and drive enhanced profits if that is your goal. Look often and look hard for improvements.

It’s human nature to feel relieved when no non-conformances are found, but having no improvements to be addressed means that, frankly, your business isn’t going to be improving.

However, as an auditor and a sometime consultant this is the weakest area of the standard to audit. This is because you can list almost anything as an improvement. Thus for an external auditor it’s hard to report a non-conformance because just doing something could be interpreted as an improvement.

So let’s look at the standard in some more detail.

Clause 10.1 requires you to determine and select improvements and then put action in place to meet customer’s requirements and enhance any customer satisfaction. These improvements could come from:

- Improvements to your products or services
- Correcting mistakes
- Improving your QMS

Then, you need some priority system to work out what improvement to work on first.

For example, here at Mango we are continually getting improvement suggestions to our product. We have built a customer suggestion box into Mango called “Dev Request”. These suggestions give us ideas for improving our product and service. We sit down on a regular basis and prioritise what requests/improvements we will work on first. This not only gives us valuable information on what customers want, but we can then determine our own destiny on what we will develop first and what will be of the highest value to the customer.

Clause 10.2 looks at how you manage your nonconformities and then put some corrective action in place to correct them.

The standard has some handy steps you should put in place to address nonconformities:

1. Take action to control the nonconformity, correct it and then deal with the consequences;

2. Evaluate the need for action to eliminate the cause of the nonconformity;

3. Implement any corrective action;

4. Review the effectiveness of any corrective action;

5. Update the risk register;

6. Finally make changes to the quality management system, if required.

The standard requires you to keep documented information (or records) as evidence of the nonconformities and any subsequent actions taken, and of the results of any corrective action.

For example, here at Mango we use the Improvement module that has a workflow that records the implementation of corrective action using the stages described above. It makes meeting this clause oh so easy.

Finally clause 10.3 has a requirement to continuously improve the QMS. This is a repeat of clause 10.1. I’m not sure why ISO have done this but there you go. Maybe they should flag this double-up as a non-conformance? *wink*


Takeaway

1. Create a culture of reporting improvements.
2. Capture them in a spreadsheet (or use Mango).
3. Prioritise them based on the customer requirements. Obviously customer issues are dealt with first.
4. Deal with the issues with appropriate corrective action.


Section 3: Getting Certified to ISO 9001


Part 29: Getting Certified to ISO 9001:2015 – Selecting a Certification BodyNow that you have created your quality management system it’s time to seek certification.The first thing you’ll need to do is to select a Certification Body (CB) to carry out your audit.

Here are our top tips to choose your Certification Body:

1. Are they accredited?

You’ll need to find out if they are accredited by a reputable body. It pays to only deal with CBs that are accredited by national Accreditation Bodies (AB). For example, here in New Zealand (and Australia) the AB is JASANZ. In the US it’s ANAB, and in the UK it’s UKAS.

2. Ask for their industry experience, background, and expertise.

It is crucial that they understand what you do, how you do it and, most importantly, what is good quality and what is bad quality.

3. Ask them if they can work in your scope.

If they haven’t got experience in your exact industry, kick them to the curb and find another. Request evidence that they can work in your scope. See the resumes of the proposed audit team.


These days there are plenty of CBs to choose from, so picking the right one for your organisation is no easy task. It pays to do your research, and to shop around.


4. Ask your clients for recommendations.

At Mango we have hundreds of customers. We asked some of them for a recommendation for a CB because there’s nothing better than getting a recommendation from a trusted source.

5. See references from the CB.

Ask the CB for any references from organisations that are in your industry and have used them in the past. Ask if you can talk to these reference sites too.

6. See if they can meet your time frame for certification.

Some CBs are super busy so you need to check with them to ensure that you can book their auditors to do your audit when you want them to.

7. Check the fee schedule.

Make sure the fee schedule is discussed and agreed upfront. There should be no surprises when the invoice arrives. CBs will withhold certificates if invoices haven’t been paid.

8. Is the CB keen to establish a long term relationship?

It is good business practice to build a long term relationship with your CB to ensure that they continue to provide a good audit experience for you.

Here at Mango we decided on DQS (www.dqsausnz.com.au) based out of Melbourne in Australia.

DQS ticked all the boxes as listed above. In terms of responsiveness to our requests they really stood out, whether that was by email or by phone. We met with them. They took time to understand our business. They were very interested in Mango. We demo-ed the product to them. It has been a very positive start to what we hope will be a long-term relationship.

Takeaway


Tips for picking a certification body:

1. Check that they are accredited.
2. Check their industry experience, background, and expertise.
3. Check that they work in your scope.
4. Get client recommendations.
5. Check their references.
6. Can they meet your time frame for certification?
7. Check their costings.
8. Check if they are keen to establish a long term relationship.


Part 30: Getting Certified to ISO 9001:2015 - the Stage 1 Audit

You have created your QMS and you have your Certification Body all signed up and ready to go. Now is the time to book in your Stage 1 audit.

Stage 1 is where the Certification Body (CB) confirms that you are ready for the full audit. The CB checks that you have in place all the required processes and related procedures, and that your resources are ready.

Most CBs recommend that this Stage 1 audit is conducted on your site. However, if the CB already has experience of you and your industry, then this audit could be done offsite.

During the audit the auditor will review the scope of your management system. They will obtain information on your organisation’s processes and operations, the equipment being used, the levels of control that you have established as well as any applicable statutory or regulatory requirements.

Your internal audits and management reviews will be evaluated to ensure they are being planned and performed.

They will then review the allocation of resources and details for the next phase of the audit. The CB will give you a Stage 1 report to outline the state of your readiness for Stage 2. They will identify any areas of concern that could be classified as potential non-conformance during the Stage 2 Audit.

The CB will determine the overall level of implementation of the quality management system and will decide if you are ready to move forward with the Stage 2 Certification Audit.

The Stage 1 audit is much shorter in duration than Stage 2. The audit will usually be carried out in one or two days. If you have more than one location, the audit would usually be carried out at your head office location.

Typically there are a few weeks between a Stage 1 and a Stage 2 audit. This is to allow you to address any observations prior to the full audit (called a Stage 2 audit).

In addition the CB needs to determine the size of the audit team to conduct the audit. They also need to determine whether technical experts are required to help with complex technicalities during the audit.

So the objective of a Stage 1 audit is to determine your readiness for their Stage 2 audit of your QMS.

Here at Mango, the Stage 1 audit was conducted remotely. Because we use our product Mango to manage our QMS the auditor didn’t need to visit us at our site. We gave the auditor a username login (and a password) to Mango. The benefits of this approach were:

The auditor could do this in their own time.
The audit didn’t hold up any of our personnel in a visit.
Communication was all online.
Questions were emailed through and easily answered.
The auditor was not under pressure to rush through the audit.

Because the auditor was based in Australia and our office is in New Zealand we saved thousands of dollars on flights and accommodation.

We only had a couple of areas to tidy up. We even threw in a curve ball in the internal audit procedure. We added a couple of funny statements just to check that the auditor was doing their job. Fortunately those were picked up. At the end of the Stage 1 audit our CB determined that we were ready for Stage 2.

Takeaway


To save time and money, ask the auditor to do the Stage 1 audit remotely.

1. Make sure everything is ready:
2. Internal audits are done
3. Management Review done
4. QMS documentation is ready
5. Capture evidence that the systems are in place
6. Learn from the findings from the CB audit report.


Part 31: Getting Certified to ISO 9001:2015 - the Stage 2 Audit

So now is the time for your on-site certification audit.

You may have spent hours and hours creating your quality management system (QMS). You may have captured all sorts of quality records like internal audit reports, management review minutes, training records, improvement forms, calibration records, approved supplier lists, product check sheets, job cards, traveller forms and all sorts of other compliance documents or records. You have also had your Stage 1 audit. Now’s the time for things to get really serious.

All this now builds up to a third-party organisation (your Certification Body (CB)) coming to visit and audit your quality management system. A Stage 2 audit follows a set process.

Prior to the audit (about 2 weeks prior) the CB will send through an audit plan for the time they are onsite. This will typically be structured around the ISO 9001 clauses. They will request certain people to be available at certain times. Make sure your staff are available in their time allotment.

On the day of the audit the auditors will call for an opening meeting. The attendees you should invite to this meeting will be the heavy hitters in the QMS. This will be representatives from top management and the Compliance Manager (or someone of a similar title). This meeting sets the scene for the auditors to ensure everyone understands the objectives of the audit, the ground rules that are in place and the plan for conducting the audit.

Next the auditors will follow their plan as previously sent out. However, to conduct the audit the auditors need to see evidence of your quality management system in action. To do that they need to talk to staff. They need to listen to your senior managers demonstrating leadership. They need to poke around your organisation and measure a level of commitment and compliance to your system.


External auditors are trained to seek the truth. To do that they will ask your staff open questions. They will ask:

“Show me where you keep records of that process”.
“Tell me what happens when an error occurs?”
“Let me see the why is it done that way?”
“How could it be done better?”
“Show me how you were trained when doing this job?”
“Tell me what maintenance is done on this equipment”.

During the audit the auditors will be highlighting issues and discussing whether some are non-conformances or opportunities for improvements (OFIs). The auditors tread a fine line here because they aren’t permitted to consult. I have previously blogged on this issue here: http://www.mangolive.com/blog-mango/external-compliance-audits-top-tips-for-success

At the end of the audit the auditors will call for a closing meeting. The attendees at the opening meeting should also attend the closing meeting. It is best practice that all non-conformances and OFIs are discussed in the meeting. I have seen some auditors report non-conformances that were never reported at any point in the audit. This behaviour should be reported to the Management of the CB.

After the onsite audit the auditors will create an audit report summarising their findings. These will be the non-conformances and the OFIs.

Here at Mango our onsite Stage 2 audit was conducted by a single auditor over one day. We are a small company with 11 employees and 20 reseller partners that are based all around the world. As we used our online QHSE software Mango, the auditor had viewed much of the QMS from his office before he had set foot in our office. The auditor said that this saved him a lot of time so that he could spend more time talking to our staff and less time on the administrative stuff that sometimes bogs audits down. So much time and effort is wasted with things like searching filing cabinets for files, travelling (or walking) long distances to see records or waiting for staff to turn up to see records filed somewhere on their desk. Time wasting like this just sucks, for everyone involved. I want value from my audits. Value that could help my business be more productive or make more money.

Takeaway

1. Ensure that your CB gives you an audit plan a couple of weeks before the audit.

2. Make sure your key staff are involved in the opening meeting.

3. Discuss the non-conformances during the audit. Don’t wait till the audit closing meeting. You don’t want surprises.

4. Have the same staff in the closing meeting as were in the opening meeting.

5. If non-conformances are reported in the audit report that weren’t mentioned in the closing meeting, send the audit report back and complain to the CB management.


Part 32: You're certified to ISO 9001:2015, now what?

After many hours of hard work you have created your QMS. You have successfully:

Implemented it
Had the QMS audited by a Certification Body
Got your QMS certified to ISO 9001, and
Celebrated the achievement with all of your staff.

Congratulations on a big job well done!

Now what do you do?!

Well, one thing you don’t do is rest on your laurels and think that the job is over and done with.

A lot more work is required to make sure that the QMS keeps adding value to your business.

If you have used a consultant to develop your systems, you may have spent thousands of dollars. You will have spent thousands of dollars on the external audit by the Certification Body. Plus all the time you spent on the systems will be a cost to the business. Therefore, your Management Team and even your Board may be looking at you, the Quality Manager, and asking “show us the money” or “where is the return on our investment in a QMS?”

Therefore, you need to show pay-back.

How do you do that?

Well, you need to work hard and measure the value-add to your business. This requires foresight and planning ahead.


You need to demonstrate that the QMS is giving the business value that is measurable.


Think about the areas of your business where the QMS has helped to reduce rework. In addition think carefully where the QMS could have been used to reduce waste. Finally ask the sales team and see if they have won extra jobs from your organisation being ISO 9001 certified. Add that value up and present it to the Management Team or Board to prove that getting certified wasn’t a waste of time.

Back in 1989 when I first started developing systems that were being certified to ISO 9001 (well ISO 9002 first, then ISO 9001 a couple of years later) we tracked the jobs that were won by the Sales Team as a result of being ISO certified. This metric was cumulative and over a 12 month period added up to millions and millions of dollars. It was a very powerful metric that we used to counter the nay-sayers (and there were plenty of them) who thought that ISO was just a waste of time and effort.

What else should you do? Well for one you should be reviewing the QMS regularly.

For example, one thing we are doing here at Mango is to have all our employees attend the monthly Management Review meeting. In that meeting we talk about the adequacy, effectiveness and value the QMS is bringing to the business. We discuss the objectives in detail and look at the results against the objectives. We look at the documented Quality Manual and decide which areas we can remove from the system because they are an overhead and don’t add value. Because we use our product Mango for our QMS, we don’t need to document the very detailed step-by-step procedures. If Mango does the job, why then document that? It adds no value to do so. So over time we plan to reduce the size of our Quality Manual - you should too.

You need to keep improving and updating your QMS so that it remains effective and keeps adding value to your business. You need to demonstrate to Management that the QMS is not a time suck and that it makes their job easier. Winning over Management will mean that the QMS will have longevity.

If your QMS is adding no value to the business then stop using the QMS right now.


Takeaway

1. Plan to measure pay-back of the QMS.
2. Measure the value the QMS has to the business.
3. Present the results to Management and the Board.
4. If the QMS is adding no value to the business stop doing it.
