It’s celebration time! You completed all the work to implement your ISO 9001 management system, successfully navigated the ISO 9001 certification audit, and now your ISO 9001 certificate has arrived. You’ve certainly earned a break and a party to celebrate this great accomplishment with everyone in the organization. Sooner or later though, life returns to normal and work must be done to manage, support, and improve the management system. Consider how you will continue pursuing excellence with ISO 9001 and other operational excellence tools.
So now that your ISO 9001 system is running and certified, what needs to be done going forward? The first thing is to use it! Don’t get complacent with all the new processes and go back to the old ways of working. Old habits die hard, and it will be tempting and easy to fall back into the old processes and ways of doing things. Everyone, starting at the top down, must stay diligent and work to follow the new processes and ensure that they are embedded within the organization and culture. When a process regresses, everyone must take action to address the issue immediately.
Be sure to implement your measurement system and keep performance metrics current and in front of people throughout the company. Use simple, effective scorecards posted in appropriate areas or on intranet pages where people will see them. Make sure the metrics are relevant and help personnel improve what they do and how the organization performs.
Define your key improvement objectives and stay diligent with measuring and monitoring progress to achieve these objectives. When things start to go off the rails, management must get involved and take action to correct the course.
While you may have defined management review meetings as an annual gathering, it might be good to meet more often during the first year or until the new management system settles down. We often recommend quarterly management review meetings for the first year or so until new processes and the overall system become stable. As feedback into management reviews, periodic spot audits of key processes and functions might be of value to both identify potential issues and give your new internal auditors some much-needed experience.
When issues do arise, utilize key ISO 9001 processes such as customer feedback, corrective action, and change management to drive the necessary changes and improvements. Failing to actively utilize these systems will be a key indicator to auditors that the new management system isn’t really being used and maintained. Finding only one or two corrective actions in the system that were added six weeks prior to the audit is a big red flag to auditors.
Organizational leadership should continuously show support for the management system with frequent communication and action. If the leadership team is lax with their responsibilities, the remainder of the company will do the same. Leadership should continuously speak of the merits of the management system, the need to exercise all system processes, and take an active role where appropriate.
Finally, reach out for help when needed. If something isn’t working or certain processes have stalled, get your consultant involved to help find solutions and perhaps different ways of doing things. It is not uncommon at all to find some of the new processes just aren’t as effective as originally envisioned and changes are needed.
While gaining ISO 9001 is a tremendous achievement and something to be proud of, remember that you are an ISO 9001 rookie. Some organizations may be further along than others, but they are still new to this stuff and there is significant room for growth and maturity. There is a reason that ISO 9001 puts so much emphasis on improvement which is to ensure that organizations continue to mature along a path to better performance.
Picture your growth to excellence as a twelve-rung ladder with the top rung being the optimal state of operational excellence and performance for your organization. Your initial ISO 9001 certification probably puts you on one of the first two or three rungs. You need a plan and correlating action over the coming months and years to keep climbing the ladder. The best companies know that they need to continue to mature and never stop their pursuit of growth, improvement, and excellence. And neither should you!
Pursuit of Excellence
So you may be asking yourself, what is excellence? What does organizational excellence mean for our organization? Well, that depends on many factors and your organization’s leadership will need to do some soul searching to determine what excellence looks like for them.
The American Society for Quality (ASQ) defines excellence as “a measure of consistently superior performance that surpasses requirements and expectations without demonstrating significant flaws or waste”.
The Malcolm Baldrige National Quality Award defines a framework for achieving excellence that considers seven criteria operating within a system to define, achieve, and measure organizational excellence:
Measurement, Analysis, and Knowledge Management
Notice any similarities between the ISO 9001 principles and requirements and Baldrige criteria? In fact you can find all seven Baldrige criteria within the ISO 9001 standard and supporting ISO principles.
Again, we see significant parallels with the ISO 9001 requirements and principles.
Excellence Within Your Organization
We can’t define what operational and organizational excellence looks like for your company. That is something that you will need to invest time and effort to define and pursue. Google “organizational excellence” and start educating yourself on this term and the underlying tools to help get you started. While this might seem to be a little daunting at first, remember that this is a journey up the twelve-rung ladder that takes most organizations many years to accomplish. Also remember that there really is no end to the journey. The top performing organizations continue to evolve, grow, and mature endlessly in their pursuit of excellence.
Also, we aren’t telling you to go all in and implement any of these “excellence” models or tools on top of ISO 9001. We are just providing additional insight to help you define excellence within your organization and some tools that might help you get there. ISO 9001 provides all the necessary requirements, processes, and tools to move you up the ladder, but sometimes fails to provide the incentive, push, and guidance to get you started and moving.
The Management System should be soundly integrated into a company’s DNA: The system should be seamless with the business vision and mission, strategic and operational plans, and functional processes.
To be successful, the Management System must be ingrained into the organization’s culture: This is accomplished through empowerment, ownership, and control of the System by everyone in the company.
Drop the word QUALITY and approach ISO 9001 as simply a Management System: The intent is an interconnected set of processes that govern, support, and drive the entire organization; not a “bolt-on” accessory or afterthought just focused on product or service quality. This system applies to the entire organization.
The Management System should start and end at the top of the organization: The organization’s top executive and executive leadership team are totally accountable for system effectiveness, while demonstrating belief, support, and commitment for the system through actions and words every day.
Quality should provide Strategic Value: The Quality function should be represented on the Leadership team and provide direction and value in shaping and defining the strategic direction of the organization.
Top Leadership should adopt and practice the seven core ISO Quality Management Principles: All seven principles are fundamental and foundational to the success, growth, and performance of any organization:
Engagement of People
Develop and practice fundamental business methods: Top Leadership should practice Strategic Analysis and Planning, Performance Measurement (Objectives, Metrics, and Reporting), and Risk Management.
Promote a discipline of Excellence rather than Quality: The traditional quality paradigm drives a state of compliance to minimum standards and achieves mediocrity at best; an Excellence model pushes an organization to its highest level of capability and achievement.
Establish a performance Baseline, then plan for long-term Maturity: Rather than maintaining compliance through an ISO Certification Model, utilize a Maturity Model to continue elevating performance to a position of excellence which taps and exposes the organization’s full potential.
Those final two bullets emphasize the need to adopt an excellence mentality and push for long-term maturity of the organization and the management system. This most likely will not happen by just maintaining the ISO 9001 requirements and satisfying the auditor during your annual audit.
Take pride in and celebrate your tremendous accomplishment of achieving ISO 9001 certification. But be sure to let everyone in the organization know that there is still work to be done and that a continuous daily effort must be made to not only maintain, but also work to continue pursuing excellence with ISO 9001. Establish a culture of excellence while creating new goals and objectives to get better at what you do and how you exceed customer expectations. Remember that excellence is a mental state that is embedded in the organizational culture, the very fabric and DNA of the organization, and an excellence approach involves constant diligence in the form of improvement. As Tom Peters once said, “Excellent firms don’t believe in excellence – only in constant improvement and constant change”.
Before beginning our main article topic, I want to acknowledge that the EBS Quality Solutions blog was recently selected by Feedspot as one of the Top 25 ISO Blogs! You can access the ISO Blogs list here. We greatly appreciate the recognition from Feedspot and continuing support from all of our readers! Now on to our normal programming.
What Happens After Your ISO Audit?
Now that you have completed your audit, what’s next? If you received less than a perfect score, meaning that the auditor found a couple things and issued some ISO 9001 audit findings (nonconformances), you will need to address these deficiencies before receiving your ISO 9001 certificate. A perfect score (no findings) will result in immediate issuance of your ISO 9001 certificate, usually within a couple of weeks.
Managing ISO 9001 Audit Findings
Alright, so you received one or more nonconformances during your stage one or stage two audit. Relax, it isn’t the end of the world; in fact, this is fairly common with new management system certifications.
Assuming that these are minor findings, you should be able to address them relatively quickly and receive your ISO 9001 certificate within a few weeks. In fact, you have really passed your audit, contingent upon satisfactory action to close out these minor issues. Now, if the findings are significant or cited as major nonconformances, you have a more difficult climb to get that certificate, but it should still be attainable given the right effort and actions.
We are going to assume right now that you effectively implemented your management system and that any audit findings are few and minor in nature. If you did receive major nonconformances, we recommend that you work with your registrar or a qualified ISO 9001 consultant to determine the best course of action going forward towards your ISO certification.
As the auditor closed out the assessment, he or she should have explained the process for responding to any findings cited during the audit. This process always varies a little from registrar to registrar, but the general approach is basically the same. In today’s online world, corrective actions for findings are usually submitted electronically through some type of cloud or website portal established and maintained by the registrar. If you haven’t yet done so, this will require that you establish an online account with login credentials. There may also still be a method for documenting your corrective actions on paper and submitting them via email or fax, but the days of paper submissions are disappearing quickly. Your auditor or registrar contact person can provide additional information about these options. Remember that your auditor is most likely a sub-contractor and has no control or influence over the systems used by the registrar.
Start the corrective action process by entering each nonconformance into your corrective action system. If you are using one of the ISO 9001 software applications, this might be your general corrective action module or some applications have separate corrective action modules for audit findings. Be sure to enter or create a separate corrective action for each finding and assign the appropriate responsibility for completing the root cause analysis and corrective action activities. Make sure that those assigned to the action are aware of the significance and urgency of the tasks to be completed. Given the importance of these corrections, it might be wise to take a team approach when completing the corrective action tasks.
Follow your corrective action process to complete root cause analysis and define a corrective action plan to address each audit finding. The initial submission to the registrar will most likely include the results of your root cause analysis and proposed corrective action plan for each finding. This initial submission is generally required within thirty days from the audit date. Often, assuming truly minor issues and a thorough analysis and plan, this submission is enough to satisfy the auditor and release their recommendation for certification to the registrar. If the auditor isn’t completely satisfied with your response, they will request additional effort or information and an updated submission.
Registrars will expect follow up submissions providing objective evidence that the corrective actions have been implemented (60 days) and verification that the corrective actions have been closed (90 days). For significant or major findings, there is a good possibility that the auditor will want to pay another visit to your facility to review and verify corrective actions before recommending your organization for certification. The cost of this additional visit will be your burden.
Disputed Audit Findings
If you feel that one or more nonconformances cited by the auditor is incorrect and your management system was in compliance, all registrars have an established process for resolving disputes. This usually involves some type of review board who will consider the finding along with the evidence you provided during the audit to determine whether the nonconformance was valid. Contact your registrar to learn about their dispute resolution process and how to initiate the process, if needed. This process may take at least several weeks to complete and significantly delay receipt of your certificate. Be reasonably sure that the dispute has merit and that it is worth the fight. You may find that it is easier and quicker to just correct the issue and move on. You may also want to get a second opinion from an external ISO 9001 consultant prior to initiating a dispute.
While we have never experienced this type of situation, we have heard horror stories of auditors who have been belligerent, disrespectful, and/or extremely unprofessional during a certification audit. Please remember that during any audit, you are always in control and the auditor is a guest within your organization. At any time in which you feel a situation between your staff and the auditor is becoming extremely confrontational and out of control, you can end the audit and request that the auditor leave the premises immediately. After they have left the building, contact your registrar immediately to explain the situation and discuss a path forward towards certification, preferably with another auditor. On the flip side, if the auditor feels threatened or unsafe, they have the right to remove themselves from the situation and leave the building at any time also. The best situation is when both sides remain calm and civilized during the audit, no matter what the situation.
We have seen situations where there is just a bad mix between the auditor and organizational staff. If after you complete your certification audit you feel that the chemistry between your organization and the auditor is intolerable, you have the right to request a new auditor going forward. This might be due to any number of reasons from unprofessional behavior, poor audit process or technique, unacceptable audit findings, etc.
We’ve seen clients that request a new auditor only to get someone who is even worse in some way. Be careful what you ask for, you might get it. On the other hand, you paid good money and put forth significant effort and resources for this certification and you should demand a reasonable level of excellence from your registrar and associated auditors.
This is the most rewarding paragraph I’ve written in this article series. Once you implement acceptable corrective actions for any ISO 9001 audit findings and provide the auditor with supporting evidence of the corrective actions, your auditor will recommend your organization for ISO 9001 certification. Your registrar will complete their internal reviews of the audit results, and if everything is acceptable, they will issue your ISO 9001 certificate. This process usually takes a couple of weeks and you will generally receive your certificate electronically in PDF format unless other arrangements have been made.
Your certificate should be valid for three years, assuming that you successfully maintain the management system and complete your annual surveillance audits. Please don’t be like many organizations we have seen over the years that ignore their management system for months, then two weeks before an audit, rush through to update records and sweep everything under the rug. There is no value in this approach and it will catch up to you sooner or later. Maintain, utilize, and constantly improve your management system on a daily basis and it will return the investment in time and resources through improved performance and effectiveness at all levels of the organization.
Congratulations on successfully developing, implementing, and gaining certification for your ISO 9001 management system. Take some time to celebrate your achievements with your staff and employees. Also, make sure to let the world know about your new ISO certification. However, also remember that you are still a rookie at this ISO 9001 stuff and that your management system is extremely immature. The best companies know that the pursuit of excellence is never ending and that there is always room for improvement and growth.
Wow, you’ve finally arrived at your ISO 9001 certification audit. While there will be some nerves and anxiety, if you have done all the work to develop and implement your management system in a manner that best suits your organization and have not taken any shortcuts, then your assessment should be fairly uneventful. Be sure to complete any needed preparation and training activities prior to the audit to further ensure success.
Stage 1 ISO Audit
Stage One Background
The initial stage one assessment is just to verify that your management system has been effectively developed and implemented. The auditor will generally be reviewing your process documentation (policies, procedures, forms, etc.) which should clearly demonstrate that your management system appropriately addresses the ISO 9001 clauses and requirements.
Just to give you a little history, back in the day, registrars would only schedule a single assessment, assuming that the management system was fully and appropriately established. Auditors would show up on site to complete a three or four day assessment only to find that the management system was far from ready. The audit would need to be postponed until a later date when the organization was truly ready, wasting the auditor’s time and leaving them and the registrar unpaid and with an empty calendar for the three or four days. So now registrars complete this stage one assessment to verify that the management system and organization are ready for the full system audit.
We have seen some registrars that allow this assessment to be completed through a remote desk audit of the organization’s documentation, however, most reputable registrars now insist on an actual site assessment allowing the auditor to put eyes on the facility and interact with personnel as needed. This is needed even more when organizations choose to operate with minimal process documentation as allowed by more recent versions of the ISO 9001 standard. When this is the case, the auditor must now determine system readiness through observation of the processes and interviews with personnel. In most cases, this initial assessment will take one day with a single auditor.
Note that before the ISO 9001 audit was split into two separate assessments, organizations with new management systems would often elect to pay for and complete a “pre-assessment” to verify that their system was properly implemented and ready for the certification audit. The stage one assessment has essentially replaced the pre-assessment, so there really is no need to add this additional cost and hassle to your ISO 9001 journey. If registrars or auditors try to sell you pre-assessment services, we recommend that you pass and allow the stage one assessment to fulfill the pre-assessment exercise. If they hard sell this service, you might rethink using that registrar.
If your processes are well developed and documented, stage one auditors will probably spend most of the day in your conference room reading through process documentation. They will also want to discuss processes with process owners throughout the day. The focus of this assessment is to verify that the management system has been adequately established and is ready for the stage two assessment. The auditor will not be assessing whether the system is compliant to your processes or the standard through review of objective evidence (process records).
You will be assigned an auditor by the registrar based on their industry experience and knowledge, ISO standard, geographic location, availability, and other pertinent factors. You can certainly request resumes or bios for all available auditors that fit your criteria and narrow that to a list of preferred auditors but this might also impact availability and lengthen your certification process. You can also request a phone interview with some of the auditors, but in the end it is extremely difficult to vet these auditors based on the limited information available. We recommend that you allow the registrar to identify the best auditor, obtain their bio for review and your records, and evaluate the auditor through your initial certification audit.
Most of the auditors we have experienced exhibited professional behavior and have done their job well. We do occasionally see or hear about one that is difficult to work with or is unprofessional in their approach or mannerisms. Just know that auditors are only human and each one will be different. Some of them very different. We have experienced auditors that spend most of their time chit-chatting and little time actually auditing. While some organizations may see this as an easy audit, most of our clients are frustrated with this behavior and feel that their time and money was wasted, and there was no value gained through the exercise. We have also had those auditors that do nothing but nit-pick every little issue and fail to see the bigger picture with the management system and the organization. Again, little or no value gained, and the organization certainly isn’t any better or improved by the assessment. The best auditors see and understand the bigger picture and focus on those elements and issues that will drive significant improvement in the organization. They understand that each company is different and allow for flexibility in how the company implements and satisfies the ISO requirements. They are also business minded and appreciate all the challenges each business faces.
There are also those auditors who want you to develop process maps, turtle diagrams, or other supporting documentation for all of your processes. While these can be beneficial for some organizations, they aren’t required, and the auditor is often pushing them to make his or her job easier. Other auditors will tell you that you must adopt and implement certain methods or tools for various processes. These auditors often come out of specific industries where these methods are common practice, however, that doesn’t make the methods appropriate or required for your organization or management system. An example of this is auditors who prescribe the 8D method for completing corrective actions. This is a good method and you might consider it for your system, but the standard does not require you to adopt and use it. If your established methods satisfy the requirements in the ISO 9001 standard, the auditors have no business telling you how to specifically implement and satisfy the ISO clauses. In fact, auditors are forbidden to provide any type of “consulting” services to the organization. While many auditors will offer suggestions and recommendations based on their experience and knowledge, you in no way must accept or adopt these suggestions.
Many of the ISO 9001 requirements are written in a rather nebulous manner leaving them open to interpretation. This allows the standard to be flexible and universal for all different industries, cultures, products, services, and environments. The 2015 version of the ISO 9001 standard is less prescriptive than previous versions for many of the requirements allowing you, the organization, the freedom to determine how to implement the system in a manner that best suits your company, products, services, processes, and people. The down side is that this can result in differences of opinion or even conflict between your organization and the auditor, especially with interpretation of the ISO 9001 requirements.
Stage 2 ISO Audit
So, you survived your stage one audit and are now ready for the stage two assessment. We’ll assume that you have addressed any findings or issues cited by the auditor during the stage one assessment and are now permitted to move forward with stage two.
The next step now would be to schedule your stage two audit. If things went reasonably well during the stage one visit, your auditor may have worked with you to set the stage two dates before he or she even left the building, and if that is the case, no further action is required to schedule the stage two audit. However, if those dates have not yet been established on the calendar, contact your registrar to get the stage two assessment scheduled. You can probably expect those dates to be 30-60 days out.
Stage Two Overview
This audit will be a little more intense and involved compared to the stage one assessment, however, if you have done the work and completed all the necessary preparation, it should go well.
One of the main differences between stage one and stage two is that the auditor will now want to review objective evidence demonstrating compliance to both your established processes and to the ISO 9001 standard. Compliance to the standard should have been verified during stage one with review of your processes. Now auditors want to see if you “walk the walk”. Your management system processes should be generating records (retained documented information) on a continuous basis.
While ISO 9001 does not mandate much in the way of process documentation (procedures, etc.), it does still require a significant number of records to be retained and controlled. It is these records that the auditor will be requesting to verify that your processes, products, and management system are operating in a compliant manner. Just be prepared to provide some form of objective evidence, whether verbal or written, for each of your processes under the quality system.
All auditors will start out the first day of audit (both stage one and stage two) with an opening meeting. It is imperative that the chief executive or top-ranking officer along with the head of quality be present at this meeting. Anyone else is welcome at your discretion. We’ve even seen small companies (10-15 employees) invite the entire organization to be present for this meeting. During the opening meeting, the auditor will generally address the following items:
Introductions / sign-in (as applicable),
Audit purpose and objectives,
Audit scope (standards and areas to be audited),
Proposed schedule, duration, and requested changes,
Functions or individuals that will be required during the audit,
Approach and methods to be used during the audit,
Definition of nonconformances,
Confirmation of formal communication channels,
Rules of conduct,
Confirmation of closing meeting review,
Confidentiality as applicable,
Auditor escorts during the audit,
Questions / comments.
Many of the auditors we’ve worked with over the years like to get a high-level tour of the facility after the opening meeting and prior to digging into the meat of the audit. It is always great if they can see operations in action during this walk through. Make sure everyone is aware of this activity and all processes are being followed. In most smaller organizations expect this exercise to take around 30 minutes, give or take. During this and any other facility tour:
Provide a high-level description of each area or process,
Keep the tour moving unless the auditor wants to stop,
Make sure all areas are clean, organized, and compliant.
These same practices apply to any time the auditor is moving through the facility as part of the audit activities. For manufacturing type organizations, the auditor will take some time to move through production areas to assess operational processes and activities. This includes areas such as engineering, receiving, warehouses, staging, manufacturing / production, QC labs, etc.
Daily Summary / Closing
In most cases, the stage two audit will extend beyond one day. The shortest stage two we have experienced is 1.5 days and the length will all depend on the size of your organization (number of employees). The auditor should take some time at the end of each day to summarize and discuss all nonconformances cited during that day. You are welcome to provide any additional evidence that may have been found which supports process compliance, and in some cases, where the additional evidence is acceptable, the auditor may retract the finding. In some cases, we have even implemented corrective actions for a finding while the auditor was still on site, however, since the nonconformance still existed at the time it was discovered, it remained in the report.
On the final audit day, auditors will often complete audit activities an hour or two before the scheduled audit close to allow time to complete the audit report and prepare for the closing meeting. Some auditors will send an electronic copy of the report to you prior to leaving your facility and request either a written signature or electronic acknowledgement that the audit is complete. As with the opening meeting, the chief executive and head of quality should be present. Include any other staff you feel are pertinent. As the auditor discusses each finding, be sure that you understand and agree with the finding and associated evidence. Continue to question and discuss the issue as needed to gain clarity and agreement.
If nonconformances are cited where agreement cannot be obtained between your organization and the auditor, agree to disagree, accept the finding, and pursue other recourse through the registrar’s escalation and dispute resolution process.
Make a positive first impression with the auditor,
Remain courteous, prompt, and professional at all times,
Create a perception of organization and structure (clean / straighten up your area),
Ensure all materials are properly labeled,
Ensure all equipment is properly labeled, calibrated, and maintained,
Don’t leave controlled documentation lying out,
Make sure all records in use are of the correct revision,
Answer the auditor’s questions in a polite and professional manner,
Request clarification if you don’t understand the question or request,
Don’t offer information beyond what the auditor requests,
Don’t argue, ramble, or criticize,
It’s alright to not know the answer to a question,
If you don’t know the answer, simply say so, and offer to find the answer, or defer to someone who does.
Audit Findings (Nonconformances)
Where records fail to meet established processes or stand up to the ISO 9001 requirements, auditors will again cite nonconformances which will need to be addressed and corrected prior to receipt of your certificate. Your auditor should clearly explain and discuss any potential nonconformance immediately upon discovery and allow you an opportunity to verify the issue and produce evidence to the contrary. If the finding is legitimate, accept it and move on. The auditor will capture all pertinent information to support and document the finding as needed. Remember, it isn’t personal and he or she is just doing the job they were hired to do. We’ll discuss the process for addressing audit nonconformances in a future article.
Unless you are totally negligent with the development and implementation of your management system, you really can’t fail a certification audit. You can certainly receive some minor findings (nonconformances). It is not unusual for most new and immature management systems to receive one or more minor nonconformances during the initial certification audit. This is often due to a minor oversight during implementation or difference in interpretation of requirements between you and the auditor.
Be sure to discuss the finding with the auditor if you aren’t clear on the finding or why it is being cited. Consider each minor nonconformance when it is cited by the auditor to determine if the finding reflects a valid deficiency within the system, and if so, accept it. If you feel that the finding reaches beyond the ISO 9001 standard requirements or that your processes adequately satisfy the requirements, state your case in a calm and professional manner. As is often the case in life and business, you need to carefully pick your battles. If the auditor is insistent that the finding is valid, do a quick cost/benefit analysis in your head and determine if the fight is worth the effort. If the finding can be resolved by a quick process tweak or simple document revision, perhaps it’s best to accept the minor nonconformance and save your fight for a more unacceptable issue or conflict.
Major nonconformances are another story. These are only issued when gross systemic breakdowns exist within the management system or an entire process is omitted from the system. For example, if you totally neglected to implement a corrective action system, a major finding would be warranted. Also, an auditor may consider several correlating or related minor nonconformances and escalate these to cite a major nonconformance. This might be several minor findings associated with unacceptable or missing required records within the management system which results in a major finding against retained documented information. You will want to take these major nonconformances seriously, because one or more can be enough evidence to deny certification or significantly delay your stage two assessment activities.
Auditors will not deny certification due to a couple of minor nonconformances; however, you will be required to take some level of corrective action to address the issues based on the number and severity of the findings. For findings during the stage one assessment, this could be as simple as addressing the issues after the audit is complete, with the auditor reviewing your actions at the stage two assessment. If the findings are more severe, the auditor may not allow the stage two audit to be scheduled until he or she receives evidence that the nonconformances have been adequately addressed. A worst-case scenario might require execution of another stage one assessment to verify that major findings have been satisfactorily addressed and closed. Stage 2 findings will need to be corrected and evidence submitted to the auditor before certification is awarded. A worst-case scenario might require the auditor to return to complete an on-site assessment of the corrective actions, but such return visits are rare. As long as you are diligent about addressing and correcting the nonconformances, your auditor and registrar will continue to work to complete your assessment and award ISO certification.
Good preparation will go a long way towards ensuring a pleasant ISO 9001 certification audit and successful outcome. Make sure everyone in the organization understands how to engage and behave around the auditor, especially those who will come into direct contact with him or her. When nonconformances are found, remain professional and make sure that you are clear on the finding. Any discussion about the finding should remain respectful and professional. Remember everyone, including the auditor, is just trying to do their job and that there is always recourse after the audit is finished if you still want to challenge anything in the audit report.
Prior to your ISO 9001 certification audit, it would probably be a good idea to ensure that your management system and people are prepared and ready for the assessment. At this time, we will assume that you have fully implemented your management system and scheduled your stage one assessment.
If you have not already completed your initial internal audit and management review, get those scheduled and completed ASAP. The expectation is that these are completed prior to your stage one assessment.
Management System Readiness
If you recently completed your internal audit and feel confident that your management system was thoroughly reviewed during the audit process, then you should be in good shape for the ISO 9001 certification audit. If you still have any level of concern, it might be beneficial to complete some additional reviews to further assess your audit readiness. These are informal reviews and there is no requirement to document results or any action taken, unless formal corrective actions are taken. Just make sure that any issues are properly resolved following established change management and change control processes.
The stage one audit will generally be concerned with verifying that your management system has been effectively established. The auditor will want to gather and review evidence that demonstrates the management system has been fully implemented and is ready for the certification (stage 2) audit. That evidence is usually maintained documentation which supports and defines your processes. Review your established documents to ensure that they are complete, reviewed, approved, and they accurately describe the process. If you have elected to not document some of your processes, the auditor will need to interview personnel to determine how the management system processes are established and executed. Make sure that all personnel associated with these processes are well versed on the process steps and activities and that everyone is aligned on how these processes are executed.
The stage two audit will verify compliance to both your established processes and the ISO 9001 standard. Auditors will be requesting and reviewing various records and retained documentation providing evidence that processes are being followed. Prior to the audit and where needed, review process records to ensure that they exist, are correct and complete, and they are properly retained (format, location, etc.). There is nothing more frustrating than trying to find records when requested by the auditor and they can’t be found. This is the worst time to be turning files upside down to find management system documents.
Audit Readiness Training
In addition to verifying the management system is ready to go, you should also spend some time educating your personnel on proper protocol and behavior during the audit. Also consider which employees might be needed during the audit to answer questions and discuss process activities and results with the auditor. In most cases, this will be your assigned process owners.
In preparing for your ISO 9001 certification audit, discuss the following with all employees prior to the audit:
The auditor will most likely be moving about the facility during the audit and anything in public view is subject to review including documentation, products, equipment, personnel, etc.
Any printed hard copy documents should be of the current revision and appropriately identified. If you use an electronic document control system, the best practice during audits is to not have any paper copies of controlled documents present except where necessary for company operations. Employees often have a habit of printing a controlled document for reference and keeping the document on their desk or in an area where it is needed. Over time the document is revised, but the printed copy isn’t updated, leaving an obsolete document in use. If paper copies are needed for some processes, make sure that they are printed fresh on the day of the audit. If the auditor discusses the document control process with an employee, the best response is that the document is verified for correct revision or printed on a daily basis or when required.
Ensure that no management system documents are being stored in personal files or desks.
Ensure that employees do not have any personal equipment or measuring devices on site or in use that aren’t under proper company control.
There is a good chance that the auditor will move through the facility and talk to employees:
If the auditor asks questions, the employee should answer the question concisely and offer no additional information.
It is alright to not know the answer. If this is the case, options include finding the answer and getting back to the auditor, deferring to other employees or staff, or referencing documented procedures and other artifacts as needed. Guessing or making things up on the fly are not good options.
Employees are expected to know the quality policy, but it does not need to be memorized verbatim. Employees should be able to paraphrase the policy in their own words while touching on the key elements of the policy. It is acceptable to reference the policy as posted on the wall or written in other locations.
Employees should also be familiar with quality objectives, especially those aligned with the policy. They should be able to explain how their duties and function relate to and impact the objectives.
Employees should understand how they and their jobs impact product and/or service quality.
Employees should know where and how to access procedures and other documents which pertain to their jobs and responsibilities.
Employees should always be respectful of the auditor, even if they feel flustered or frustrated. In worst case scenarios, employees should defer back to the main auditor escort or responsible management staff.
If the employee sees an issue that could be a possible nonconformance which is not observed by the auditor, it should be reported to company management after the auditor has left the area. Employees should not make the auditor aware of the issue unless there is an immediate safety issue.
Remind employees that the auditor is assessing processes and documentation, not people. They shouldn’t take anything said by the auditor personally.
No matter what the situation, questions should be answered honestly. It is much easier to address a small finding than to re-establish trust and rapport with the auditor. Auditors who feel they are being lied to or deceived will dig even deeper into the management system to verify compliance.
Feel free to discuss any other behavior expectations and practices with employees as needed to ensure employees are ready and comfortable with the audit process. Make sure that all persons involved are aware of the agenda for the audit and their potential role in the activities. Consider executing mock audits using internal staff (for example, your internal auditors) and randomly interviewing personnel to verify that potential auditor questions are addressed properly. Remember to not criticize or judge incorrect actions or answers. Just use this as a learning and teaching opportunity.
Also, don’t forget to address any logistical issues prior to the audit. Secure a conference room for the day where the auditor can work and interview various staff when needed. If you use an electronic ISO 9001 software solution, consider the best ways to share documents with the auditor. If you have a projector or monitor in the conference room, documents can be displayed, reviewed, and discussed as a group. Of course, some auditors will want printed hard copies to review, so ensure documents can be easily printed. One key document to have ready is a list of all current ISO 9001 management system documents (procedures, forms, work instructions, etc.) which includes at a minimum, the document name, number, and current revision level.
The auditor should provide you with an agenda for the day, defining the elements of the management system to be covered and the estimated times for each. If you don’t receive an agenda, request one so you know what to expect during the audit. This will also allow you to ensure that appropriate personnel are available when needed. For example, if the agenda states that Purchasing Controls will be reviewed on Tuesday from 1:30 – 2:30, then you can let the Purchasing Manager know to be available and ready at that time. If you have conflicts with the schedule or availability of personnel, you can address these issues with the auditor during the opening meeting. Please note that it is mandatory that the chief executive or highest-ranking company officer for the site or facility be present during the opening and closing meetings and available for discussion during the actual audit.
Most auditors will also expect a simple working lunch so plan accordingly. Perhaps some sandwiches from a local deli. Never offer to take the auditor out for a meal, either for lunch or dinner during the audit. Never attempt to sway or influence an auditor’s position or disposition with any type of favor or bribe, whether real or perceived.
Audit days can be very intimidating and stressful, and adequately preparing for your ISO 9001 certification audit can significantly reduce that anxiety. Investing time and effort ahead of time to verify that the management system is ready and that employees know what to expect and how to behave will help to minimize the stress. Double check maintained and retained documents to ensure they are compliant. Walk through the facility and verify that all areas are clean, organized, and don’t contain inappropriate documents or equipment. Finally, make sure all logistics have been planned and arranged.
What gets measured gets done, and in this case, improved. There is no way to know what aspect of your company needs to be fixed or improved if you don’t first measure it. This means measuring the right things in the right way and reporting the results to those who can drive changes. As we continue with the EBS DIY ISO 9001 implementation series of articles, let’s dig in and take a look at the following ISO 9001 improvement clauses:
ISO 9001 requires that you determine key objectives and measures which provide an effective organizational and management system performance assessment. You must determine:
What is to be measured and monitored,
The methods to be used to assess performance,
When these methods are to be performed,
When the results are to be analyzed and evaluated.
As you create your performance evaluation methods, make sure that they address all of the above items. This can be accomplished with something as simple as a spreadsheet or table identifying key measures and how each of the above are satisfied.
Business Objectives and Metrics
Monitoring and measuring starts with established quality or business objectives. One method of monitoring objectives and system performance is through the use of audits, whether 1st party (internal audits), 2nd party (customer), or 3rd party (ISO registration) audits. Audits are great tools for assessing the overall management system performance and effectiveness and identifying areas of the system which need change and improvement. Depending on the depth of and methods used to complete the audit, just about any aspect of the organization and management system can be assessed at some level.
Quality objectives should be defined at the highest level of the organization and reflect initiatives that are strategic in nature. However, these objectives usually don’t fully measure and assess performance at all levels of the organization. Most companies define more tactical performance measures (metrics, KPIs, etc.) and reporting tools to measure the performance at functional levels of the organization. While metrics and key performance indicators are not specifically required by ISO, we don’t see how you could effectively govern an organization or satisfy the ISO 9001 improvement and performance evaluation requirements without some type of established measures or metrics. The nature and type of metrics established should be determined by the size of your organization, the complexity of your processes, the type of products and services offered, your organizational culture or environment, and the level of risk to be managed within your organization.
Analysis and Evaluation
ISO 9001 requires the data and information gained during monitoring and measuring activities to be analyzed and evaluated. The results of this analysis are used to evaluate the following:
The ISO 9001 standard includes a note stating that analysis methods can include statistical techniques and we definitely recommend utilizing some form of statistical analysis when evaluating performance data. This doesn’t need to be complicated, as a simple metric which measures the mean or average of a performance indicator is a statistical technique. You are probably already using some simple statistical methods somewhere within your organization.
If you don’t think so, just go look at your financial reports (balance sheet, cash flows, income statement, payroll, etc.).
Much of the analysis and evaluation requirements can be satisfied through other management system processes such as management review and strategic planning. Any other action or activity that involves the review of performance information and that results in decisions to drive changes and improvement works to satisfy the requirements under ISO 9001-9.3.3.
Section 10 of the ISO 9001 standard is all about improvement of the management system, especially improvement actions taken towards meeting customer requirements and enhancing customer satisfaction. This is the last section of the standard which is all about “Act” within the PDCA cycle. We see references to improvement through the entire ISO 9001 standard with the word “improve” appearing 20 times within 13 different clauses demonstrating the importance of improvement and how it integrates within the entire standard.
Since we covered clause 10.2 (Nonconformity and Corrective Action) in a previous article, that leaves clauses 10.1 and 10.3 to address at this time. These ISO 9001 improvement requirements are generally satisfied through effective execution of the following processes:
ISO 9001 improvement clauses provide a platform for measuring and evaluating organizational and management system performance, and where warranted, taking action to improve the system and associated processes. This requires establishment of quality objectives and underlying key measures (metrics) to track and measure performance. All of this data and information is rolled-up and reported to the organizational leadership, usually during management review meetings and other periodic strategic planning initiatives.
Registrars are independent for-profit organizations which are qualified, certified, and authorized (accredited) to complete assessments and issue certifications for ISO 9001 and other similar standards. Registrars are also known as Certified Bodies (CB) in other countries around the world.
Auditors are Contractors
While you contract with your registrar to execute your assessment and issue your ISO certificate, odds are that the auditor that visits your organization to complete the assessment is an independent contractor who sub-contracts with the registrar to complete the work. In fact, your auditor will most likely be a contractor for several different registrars. Rather than finding the right auditor for your certification audit, you need to focus on selecting the right ISO 9001 registrar.
When selecting a registrar for your ISO 9001 certification, there are several major criteria that you should consider and verify to identify the best provider for your needs. You can obtain a list of registrars that serve organizations in the United States from the EBS free members library. Verify the following to quickly reduce your list from a dozen or more to 2 or 3 finalists.
Industry Sector: Registrars define the different industries they serve and for which their auditors have experience. Industries are usually defined using general NAICS or SIC code categories.
Company Size Served: Find a registrar that has significant experience serving companies of your size. You don’t want a large global registrar whose main business is Fortune 500 organizations when your company is one location with 50 employees. Your registrar should value your business and auditors should have experience and an appreciation for the limitations and challenges faced by companies of your size.
Available Auditors: Determine how many auditors the registrar has available which fit your specific criteria (ISO standard, industry, location, etc.). Look for a registrar that has several auditors to pick from which will open up scheduling options and facilitate your certification process. This also provides options if you run into interpersonal or conflict issues with an auditor.
Registrar Location: While this may not be a major concern, it might be good to know that your registrar has at least a regional office in the same time zone. We would certainly recommend that they have a major office within your country.
Auditor Location: While not a showstopper, it is beneficial when auditors are regional and don’t need to fly across the country to complete your audit. This only adds complexity and cost to your certification process. For ISO 9001 and most general industries, a registrar should have several available auditors based within a few hundred miles.
Accreditation: Ensure that the registrar is properly accredited. In the United States this accreditation is often obtained through ANAB (ANSI-ASQ National Accreditation Board) and demonstrates that certification and registration services provided are in compliance with ISO/IEC 17021. There are other accreditation bodies, often based in other countries, which are also recognized and acceptable.
Customer Recognition: If you are achieving ISO 9001 certification for a specific customer, consider the need to verify your selection or get input from your customer. Some customers may have issues or concerns with certain registrars or their accreditations.
These are some core criteria to help narrow your search down to two or three key finalists. At this point, it might be good to reach out to each final registrar on your list and schedule some one-on-one time with a sales person or customer service rep to gain more information and establish a better relationship. This can be completed remotely via online meeting technology or phone conference, but it says a lot about how much a company values your business when a representative is willing to visit face-to-face.
Note that it is almost impossible to meet with and interview potential auditors. These auditors are almost always on the road executing audits at other organizations. It is also difficult to know which auditor will actually be assigned to you until the audit is scheduled. Most of the time, the first available qualified auditor is assigned unless there are extenuating criteria. The more you limit the pool of available auditors, the longer you may have to wait to get on the audit schedule. Selecting the right ISO 9001 registrar will help ensure that you get the right auditor for your certification assessment.
Also, consider requesting three to five references from each registrar and calling references to discuss their experiences with the registrar and auditors provided.
Another resource for finding registrars is ANAB (ANSI-ASQ National Accreditation Board). Use their CB Directory to search for registrars that fit specific criteria (location, standard, industry scope, accreditation status, etc.). A general search for ANAB accredited ISO 9001 registrars located in the United States returns 50+ different organizations as of this writing. You can further refine this list by filtering for your specific industry.
You can also complete basic search engine searches for possible additional registrars, but again, we warn against using non-accredited providers. You may also be able to search for reviews and feedback from customers of various registrars to help with your evaluation process.
ISO Registrar Evaluation
Many of the top registrars provide significant information about their services via their website. Following are some additional questions to consider and ask during your registrar evaluation and selection process:
General / Industries Served
What accreditations do they have?
What is the scope of activities the registrar has been accredited to audit?
Where is their world headquarters located? If outside United States, where are their local country office locations?
What percentage of their clients are similar in size and scope to our company?
Once we enter into a long-term relationship, who will be our point of contact?
If not satisfied with the level of service provided, what steps will they take to address our concerns?
What relevant industry experience do they have?
How many companies similar to ours have they registered?
How do they handle assessments for new management systems with limited operational experience and supporting records (if applicable)?
Can they provide references from clients similar to us?
What frequency of surveillance audits can we expect?
Do they do a full system audit every three years?
What additional fees beyond standard audit costs can we expect to pay?
Can they provide a detailed description of their audit and certification processes?
Can they describe their certificate conversion requirements? Are fees or penalties incurred for separation during the contractual term?
Can we expect to have the same auditor for all audits?
How many different local or regional auditors are available to support our certification needs?
How many auditors could we expect for each audit?
Can they provide bios for auditors (i.e. education, experience, companies audited, references)?
What method do they follow when there is a need or desire to change auditors?
How do they determine the duration for full system and surveillance audits?
How and when will findings be reported to company representatives during the audit?
How do they determine major and minor nonconformances?
How do they handle a major nonconformance?
How long do we have to respond to reported nonconformances?
What is their process for receiving and managing conflicts and disagreements?
What are their confidentiality policies?
Final Selection and Contracting
Consider any other questions or information that might be beneficial to your evaluation process. Be sure to review and understand the registrar’s conflict resolution process and your available recourse when disagreements and/or service issues arise. Verify that you can exit your contractual obligations in the event that issues can’t be resolved in a satisfactory manner. Evaluate each of the final candidates and select the best provider for your organization. Note that auditors are not permitted to consult or provide guidance during the audit. Most will provide some general ideas for meeting ISO requirements or addressing a nonconformance, but in general do not ask your auditor to provide detailed information on how to structure your ISO 9001 management system.
Once your selection has been made, your new registrar will require execution of a services agreement which defines the terms and conditions for both parties. Once you execute the agreement, you should be assigned a point of contact with the registrar who can answer questions and guide you through their certification process activities including scheduling your stage 1 and stage 2 audits.
The final few articles in the EBS DIY ISO 9001 series will provide guidance through the ISO 9001 certification process. We’ll start with an overview of the entire process in this post, then delve deeper into the topic in future articles.
Scheduling and planning your ISO audits (stage 1 and stage 2)
Completing any needed audit readiness activities and tasks
Completing your stage one audit
Completing your stage two audit
Addressing and responding to any audit findings
Receipt and management of your ISO certification
For an organization that is well prepared, the ISO 9001 certification process, start to finish, can easily take 12 weeks or longer. If you have established tight deadlines to complete your registration activities and receive your ISO 9001 certificate, then you will need to manage this process closely and work to keep project tasks on track. The biggest time constraint during certification is scheduling and getting time with the auditor. Most auditors’ calendars are booked out 30-60 days, especially for audits that require several days to complete. Consider the following schedule scenario:
Evaluate, select, and execute an agreement with your registrar (2-3 weeks): March 1 – March 15
Schedule time for your stage one audit (let’s assume 1 audit day): 1st available day is 30 days out (March 16 – April 15)
Schedule stage two audit – this cannot be scheduled until stage one audit is successfully completed (here we’ll assume 2.5 audit days): 1st available time is 45 days out (April 16 – May 1).
Complete stage two audit and respond to all cited nonconformances (1 week): May 1 – May 8
Review, rework, and approval of corrective actions by auditor (10 days): May 9 – May 19
Registrar certificate approval and issuance (30 days): May 20 – June 19
As you can see this isn’t a quick process and while there might be some opportunities to shorten the above scenario, you should plan for the worst and allow at least 12-15 weeks to get through this process. You certainly can move forward with the identification and execution of an agreement with your registrar in parallel with your management system development work, but you really can’t schedule the stage one audit until you have the majority of the system established. You must also have completed your first internal audit and management review meeting prior to your stage one audit activity. These tasks alone can take several weeks to plan, schedule, and execute.
Three Year Audit Cycle
Most registrars issue an ISO 9001 certificate with a three-year expiration which includes the following audit activity:
Year 1 – Initial Certification Audit: Full system audit which includes the stage 1 and stage 2 assessments. This is probably the most expensive and time consuming audit you will experience.
Year 2 – Annual surveillance audit: Partial system audit which covers only select aspects of the organization and management system. This is usually about 1/2 the cost of the initial audit.
Year 3 – Another surveillance audit covering core business processes and areas of the system not addressed the previous year. Again, about 1/2 the cost of the initial audit.
Year 4 – Full re-certification audit covering the entire system. Since the stage 1 assessment isn’t required, the cost is usually about 2/3 that of the initial year 1 audit.
Rinse and repeat.
Management System Maturity
Also consider that you must provide a reasonable amount of time for the management system processes to operate after system launch and generate the records which provide objective evidence that the processes and system are performing in a compliant manner. You can’t just turn the system on day one and expect an auditor to assess it on day two without any documented evidence to review.
The duration of this maturation period will really depend on how active your system is and how quickly records are produced. With this said, auditors will have some level of grace with newer management systems and understand that records for certain processes are limited. They will audit what is available and take note to review those processes in greater detail at the next audit. We would certainly recommend that you allow your management system to operate for a month or two before completing your stage two audit. Remember that you can certainly use records that existed prior to your official system launch if they fully demonstrate compliance to your established processes and procedures.
Ok, so how much is this ISO 9001 certification process going to cost us? We have found that most of the reputable, accredited registrars charge approximately the same amount, give or take a few hundred dollars. Rather than worry about a few dollars, focus on finding a registrar that best fits your organization. With that said, go ahead and request quotes from each of the finalists on your list to get a firm understanding of their costs. If there are significant differences in price, inquire about these differences to verify quote accuracy and address discrepancies.
Each registrar will have certain fees and add-on costs, and these are sometimes negotiable, especially if they are hungry for your business, but again, don’t get too focused on trying to save $50 rather than picking the right provider. Be wary of registrars with exceptionally high or low costs. Don’t pay for unnecessary or unusual costs and remember that you generally get what you pay for. Many of the low-cost providers are not fully accredited which might impact the credibility of your certification with customers and external stakeholders. In the United States for ISO 9001, I only work with registrars that have ANAB (ANSI-ASQ National Accreditation Board) accreditation.
The biggest cost is the actual audit time with the auditor and the associated travel costs, especially if an auditor must fly to your location. Audit days are generally billed at rates around $1,000 to $1,200/day per auditor. The number of days required to complete an audit is generally dictated by the number of employees within the organization or site and defined in IAF (International Accreditation Forum) document IAF MD 5:2015 (IAF Mandatory Document for Determination of Audit Time of Quality and Environmental Management Systems). Annex A of this document provides a table defining the required audit days based on the number of employees. Note that this table provides a baseline for determining audit duration and resources, and that additional audit time may be added by the registrar to account for product, service, or organizational complexity, significant number of processes, etc. In our experience, the numbers provided in the IAF document are fairly accurate for most organizations. If your registrar is adding audit days to your quote beyond what IAF recommends, challenge the registrar to justify the additional audit time.
Below is an example of the certification costs for a general manufacturing company with 20 employees. Based on the IAF document, 20 employees equates to approximately three audit days for both stage 1 and stage 2 assessments:
Stage 1 Assessment (1 day) – $1,100
Stage 2 Assessment (2 days) – $2,200
Additional Fees – $400
Travel Expenses (2 trips) – $750
Initial Certification Cost = $4,450
Year 2 Surveillance Audit = $2,000
Year 3 Surveillance Audit = $2,000
Year 4 Re-Certification Audit = $3,000
Your mileage may vary depending on many different factors, however this should give you a ballpark estimate of what to expect.
Receipt of ISO Certification
Once you implement acceptable corrective actions for any audit findings and provide the auditor with supporting evidence of the corrective actions, your auditor will recommend your organization for ISO 9001 certification. Your registrar will complete their internal reviews of the audit results and if everything is acceptable, they will issue your ISO 9001 certificate. This process usually takes anywhere from ten to thirty days and you will generally receive your certificate electronically in PDF format unless other arrangements have been made.
Your certificate should be valid for three years, assuming that you successfully maintain the management system and complete your annual surveillance audits. Please don’t be like many organizations we have seen over the years that ignore their management system for months, then two weeks before an audit, rush through to update records and sweep everything under the rug. There is no value in this approach and it will catch up to you sooner or later. Maintain, utilize, and constantly improve your management system daily and it will return the investment in time and resources through improved performance and effectiveness at all levels of the organization.
While the ISO 9001 certification process can seem a bit overwhelming and daunting, it really isn’t too bad once you break it down into bite-size chunks. Having a knowledgeable resource on your side can certainly help provide guidance along the way. Just remember to plan ahead and allow enough time for your new system to mature and for scheduling the various tasks and activities.
As you are launching and implementing your ISO 9001 management system, it might be a good idea to review, confirm, and if needed, update some key activities and artifacts that were created along the way. Take some time to consider the full extent of the management system that has now been implemented along with the results of your internal audit and management review as you complete this exercise. Once your reviews and updates are complete, be sure to update any needed documentation.
Note that these reviews are optional and not required by ISO 9001. Most of this information will be reviewed during your management review meeting and you can certainly wait until that time if desired. Take action as you see fit.
Also, you need to complete your initial internal audit and management review activities before auditors arrive to complete your ISO 9001 certification audit. Plan and execute accordingly during your ISO 9001 system launch.
Confirm and Update Context of the Organization (Strategic Plan)
Determine and monitor the external and internal issues relevant to the organization’s purpose and strategic direction, and
Determine and monitor the interested parties relevant to the quality management system.
In addition to satisfying these requirements, we recommend that you continue with strategic management activities by completing a SWOT analysis and a strategic plan for the organization. As we discussed in our article on context of the organization, formal strategic planning isn’t required by ISO 9001 if you satisfy the stated ISO 9001 requirements. As you review your organizational context also consider any revisions that might be needed for the quality objectives.
As part of the organizational context, take a quick look at the quality management system scope during your ISO 9001 system launch to ensure that it is still relevant and appropriate. Make any changes as needed and update appropriate documentation.
Confirm and Update Quality Objectives
It’s also probably been a while since you defined your quality objectives. It would be a good idea now that you are going live with your ISO 9001 management system, to pull those objectives out and make sure they are complete, appropriate, and ready to start implementing. We posted an article a while back that helps explain what ISO 9001 is looking for with quality objectives and how to document and implement them.
Confirm and Update Risk Assessments
Considering any updates and changes to the strategy, objectives, and organization, review and update your risk assessment and risk management activities which we discussed in a previous article.
As you complete this review, determine new risks and opportunities to the organization and changes to previously identified risk or opportunities. It also wouldn’t be a bad idea to start working on risk mitigation actions soon, if you haven’t already done so.
Confirm Awareness & Communication Activities
As you execute your ISO 9001 system launch, confirm that communication activities throughout the organization have reinforced, and continue to reinforce, those areas of ISO 9001 where awareness and communication are required. These activities fall under the general support processes defined by ISO 9001 in section seven of the standard. Communication activities can also satisfy some of the leadership requirements in section five.
Take some time to review any communication plans that might exist and make any necessary updates. Verify that communication activities completed to date have appropriately addressed the ISO requirements. Consider the effect that communication activities have had within the organization, and whether desired results have been achieved. Remember that communication should always be an ongoing process and that you really can’t over communicate. It is always a good idea to document communication activities.
Confirm Monitoring & Measuring Activities
One final confirmation step is to ensure that all monitoring and measurement activities have been initiated and that appropriate data and information is being generated and collected. Verify that all personnel responsible for collecting and documenting monitoring and measurement information fully understand the measurement processes and how and where to report the data.
Also verify that all effort and tasks associated with execution of business or quality objectives are correctly implemented and understood as you complete the ISO 9001 system launch.
Initial Internal Audit and Management Review Meeting
Let’s shift gears and look at a couple of mandatory key process activities. While the above review and confirmation activities were generally optional, completing your initial internal audit and management review are not.
Initial Internal Audit
All registrars will require you to complete a full internal audit prior to your stage one certification audit. Follow your internal audit process to complete this activity. If you made the decision to utilize employees as internal auditors, you need to ensure that they have completed all necessary audit training and meet your established competency requirements prior to executing the audit. If you are utilizing external contractors to complete the audit, identify and qualify the appropriate resource to add them to your Approved Provider List (APL).
This initial audit should cover all elements within the ISO 9001 standard that apply to your organization along with all processes associated with your management system. This full audit will establish a good baseline for planning and executing future audit activity and identify any significant deficiencies within your new management system. Note that while the audit itself must be completed prior to your ISO 9001 certification assessment, you do not necessarily need to address and close nonconformity corrective actions prior to the audit. The audit report should be completed, the nonconformities captured within your corrective action system, and corrective actions should be assigned and in-process. One exception to this is if your audit identified a major nonconformance or significant deficiency or gap in the management system. This should be adequately resolved prior to your stage one assessment.
While there is no specific ISO 9001 requirement mandating that this audit be completed at this time, most ISO 9001 registrars will require evidence of a completed full internal audit during the stage one assessment. In addition, it just makes sense to complete this assessment to verify that the management system has been effectively implemented and is operating in full compliance to the ISO standard and your established process requirements.
One issue with completing an internal audit shortly after implementing and launching the management system is the lack of documented evidence to be reviewed and audited. If possible, allow the management system to run for a period of time to generate some records and measurables. If time is of the essence, you might need to get creative and find ways to assess the effectiveness and compliance of processes within the management system.
Initial Management Review
As with your initial internal audit, your ISO 9001 registrar will require a completed management review prior to execution of the stage one assessment. This should be executed following the initial internal audit as audit results are a required input to management review.
Follow your established management review process to schedule, plan, execute, and document a formal management review meeting. Since your management system is relatively new there probably won’t be a significant amount of data and information to review at this time. Report and review what information is available and note in the management review report or meeting minutes where data is currently lacking. Use this first review to complete any needed training on the management review process with all team members and meeting participants. Where data and information aren’t yet available, review and discuss the viability and appropriateness of the established measures and metrics for the management system.
While there is no specific ISO 9001 requirement mandating that this management review be completed at this time, most ISO 9001 registrars will require evidence of a completed review during the stage one assessment. In addition, it just makes sense to complete this activity to verify that the management system has been effectively implemented and identify where changes and improvements are needed.
It has probably taken several months at least to develop all the different processes and documents associated with your management system. During this time, things within the system and your organization have most likely changed, so it would be a great idea to review and confirm some of the key elements within your ISO 9001 system during this ISO 9001 system launch. Make updates as needed and be sure to revise any needed documents and records accordingly. Also, be sure to complete your initial internal audit and feed the results of the audit into your first management review meeting. As always, be sure to document both activities along with their outputs and results.
Now that you have all your processes defined and documentation approved, it is time for your ISO 9001 system release and “go live”. Rather than just pushing the button and hoping everything works, you might want to turn this new system on in a planned and controlled manner. Consider a “soft-launch” approach that allows you to test parts of the system while making changes and improvements where needed.
Soft Launch / System Pilot
Now that you have approved and released your processes and documents, you have an opportunity to “pilot” or exercise the management system prior to a hard and final launch. This soft-launch provides an opportunity to test drive the management system and allows you to determine and discover certain aspects of the system that aren’t working as designed or desired.
Information gained during this activity should be used to define and implement changes and improvements prior to the official system launch. If the management system you have developed over the past weeks and months introduces numerous new processes, methods, systems, and tools to the organization, then we strongly recommend that you take a period of time to exercise the system before your official launch.
Piloting your management system can help with the following:
Evaluate, troubleshoot, and improve unknown processes,
Verify the effectiveness of established documentation (procedures, forms, records, etc.),
Other assessment, execution, documentation, or verification activities.
Please note that this pilot activity is completely optional and if you feel that your management system and associated processes are robust and ready to go, then there may not be much value in piloting the system and you are certainly welcome to move forward with a hard system launch.
If you do decide to soft-launch and pilot the system, consider the duration of this activity and what you want to accomplish. Perhaps the pilot period will be indefinite and last until certain goals are attained. Define how you will collect any data and performance information needed and how it will be evaluated and used. What is the scope of the pilot? You don’t necessarily need to launch and exercise all aspects of the system during this activity. You can limit the pilot to just specific processes that you feel need to be evaluated and improved.
You can run a pilot on draft documentation or, as we discussed back in our previous article, you can go ahead and complete a formal release of documentation. You can also use this pilot run to complete any needed on-the-job training or training verification activities to ensure roles and responsibilities are understood and personnel are competent. Be sure to properly document all training activities per established procedures.
Management System Launch
Whether you completed the system pilot or not, you need to formally launch the system and make it officially active. This ISO 9001 system release means that all management system processes are released and implemented for use throughout the organization. Processes that are already released and active don’t require any additional action, however, any process documentation that has not yet been approved and released must be released at this point.
One of the key aspects of this launch is that it establishes the official “go-live” date for all your processes and associated records. This will establish the time boundary for management system records and activities, which will be especially important during audits. This date will provide a limit or boundary for the records that auditors can request and inspect during certification assessments. You are welcome to share relevant and compliant records from before this date if you desire, but you aren’t required to do so. Any activities, actions, or records from before this date don’t need to meet the requirements of the ISO 9001 management system processes, and auditors can’t hold you accountable for actions and documentation prior to your launch date.
As you launch your management system, remember to:
Approve and release all management system processes and associated documentation,
Ensure that all training is complete and competencies have been met. On-the-job training and effectiveness verification activities can be on-going at the time of launch,
Clearly communicate the system launch and ensure that all employees are aware of the need to adhere to the established system and processes.
You don’t necessarily have to roll the entire management system out at a single specific point in time. You can implement different processes and documentation over a period of time as they are completed and ready for use. Some ISO 9001 processes are dependent on others, so be sure to account for this in your implementation plan. This approach would certainly be possible if you released and exercised some processes during the system pilot activity described above. It would still be a good idea to identify a specific “go-live” date in which the entire management system is considered fully implemented and use this date as your line in the sand with auditors.
As you initiate your ISO 9001 system release, expect some chaos and be prepared to put out some fires and address operational issues. Investing time and effort towards your planning activities and actions to review, approve, and test your processes and documentation will significantly reduce issues experienced during your system launch.
Now that the management system processes have been defined and associated documentation has been drafted, it is time to finish implementing the system including approval and release of all system documentation, along with completion of quality system training activities.
ISO 9001 Process & Documentation Review
So, at this point, you should have all ISO 9001 management system processes developed and associated documentation drafted and ready to go. Before moving forward with implementation activities, perhaps one final review of the processes and documentation would be beneficial. So much can change during the weeks or even months since the first process documentation was developed and you may find significant disconnects and misalignment from the initial work to creation of the latest processes and documents. A second set of eyes and full ISO 9001 system review will always find something to be corrected, changed, or improved.
Find some other appropriate personnel in the organization to review your established management system processes and documentation. Challenge the reviewers to look for things that don’t align, especially the linkages and actions between different processes. If needed, gather certain cross-functional personnel to complete a group design review of the different interconnected processes and find opportunities for improvement. Use whatever method works for you to ensure that all the processes you developed are still appropriate and effective before release and implementation. Consider the steps below to complete this activity:
Define Review Requirements: Determine what is to be reviewed, who will complete the review, and what methods will be used. Also determine how the results of the review will be captured and reported. In most cases issues should be reported to Quality and the appropriate process owners.
Assign Responsibilities: Determine and assign responsibilities for reviewing processes and documentation. Be sure to clearly communicate the review methods and expectations to all persons involved.
Execute Review: Complete all review activities ensuring that all issues are captured and communicated to appropriate personnel.
Address Issues: Update processes and process documentation to address all identified issues.
If significant process changes are made, it might be good to complete a follow up review to ensure new issues weren’t created.
Management System Training
Before you release your process documentation and officially implement your management system, all required training should be completed to address any competency, knowledge, or awareness gaps. Our article, Implementing ISO 9001 Support Processes, discussed the methods and tools for managing competency and training activities. You should have also started the process of defining competency requirements and identifying existing competency gaps. At this time, complete any assessments to bring the competency requirements and gap analysis current. Consider any new management system processes established and define all new training that is now needed.
Based on your gap analysis, develop a plan to address training deficiencies and ensure that all company personnel have the appropriate knowledge, understanding, and skills to effectively fulfill their duties and function within the ISO 9001 management system. Some training can be implemented later if the process won’t be released and utilized immediately, such as Management Review or Internal Audit. Just ensure that personnel involved with a specific process are trained prior to releasing and executing the process and that training records show training was completed and effective.
In the same vein, develop additional detailed training programs to cover these or other processes in greater detail and with narrower audiences as needed. As an example, the entire organization is trained on the basics of Documented Information (what it is, how to access documentation, how to initiate or suggest a change, etc.) while detailed training for process owners would impart information on how to initiate and implement a new document or document revisions.
Also, you can delegate training downstream to functional area management where it makes sense. For instance, the Engineering Manager could be responsible for training the entire engineering department on design & development processes and maintaining appropriate records. This isn’t required and if you prefer to execute training and maintain records from a central office, you are welcome to do so. If you do decide to delegate training throughout the organization, make sure all functional personnel responsible for training activities are trained on the competency and training processes (train the trainer).
Review, Approval, & Release of Documentation
Now that training is complete, and everyone knows what to do and how to do it, you can approve and release your management system documentation. ISO 9001 states that documentation must be reviewed and approved for suitability and adequacy prior to release. In other words, is the documentation appropriate for its intended use and does it effectively represent and explain the process.
Your documented information process should define the methods for completing a formal review, approval, and release of maintained documented information. This might involve a more manual paper-based process to obtain required document approvals or if you have implemented some type of ISO 9001 software, this will probably be accomplished through electronic workflows. The key is to ensure that the appropriate personnel get a chance to review the final documentation and grant their approval prior to releasing the documents for use throughout the organization. Whoever completes the approval should be appropriate for the process being approved. For instance, someone from Engineering should approve all design and development documentation.
Once a document is approved, it now becomes available for release to the organization for use. We recommend that you release documents and processes in a controlled, systematic manner which ensures that appropriate personnel are aware of the release and newly established process, and that the process must be followed and executed according to the documentation. At this point, all applicable employees should have completed all necessary training on the process, however, training verification may still be pending or in-process, depending on the nature of the verification requirements. Make sure that release of a process is aligned with the release of other processes that are linked or dependent on each other. As an example, Nonconformity & Corrective Action should be released prior to or at the same time as Control of Nonconforming Outputs as they are interdependent.
Note that in some cases, training doesn’t need to be completed prior to release of documentation. An example of this would be Management Review. You could release your management review process prior to the initial management review meeting as long as all members of the management review team are trained prior to the initial management review meeting. You could even start the initial management review meeting with training on the process then proceed with the meeting, which could be considered actual “on-the-job” training. Just be sure that personnel are not executing processes where required training has not yet been completed and competency demonstrated.
Our next article will discuss an opportunity to “pilot” the management system. This soft-launch provides an opportunity to test drive the management system, determine and discover certain aspects of the system that aren’t working as designed or desired, and make changes and improvements prior to the official system launch. Also, while the approach described in this lesson assumes a mass one-time release of the management system processes and documentation, it is certainly acceptable to release your system documentation systematically over time. Again, just be careful not to release documentation that is dependent on other processes prior to those supporting processes being released.
Note that your approval activities can be independent of the release triggers and dates. You can obtain approval for any process documentation, then hold that documentation indefinitely and release it for use at some other appropriate time in the future. You could obtain approval for Control of Nonconforming Outputs on May 1st, but not release it until Nonconformity & Corrective Action documents were approved and released on May 15th.
Prior to launching the ISO 9001 management system, all documentation should be reviewed, revised where needed, and approved. Reviews and approvals should be documented, and documentation released through an established document control system. Note that your document control process will need to be approved and released prior to all other documents.
Before releasing process documentation for implementation and use, be sure to complete and document any training needed to address any competency gaps. Consider using the system pilot methods described in the next article to evaluate and improve system performance prior to formal launch. A diligent and thorough ISO 9001 system review will help ensure your management system is ready to launch and avoid significant changes and rework following the launch.