Clause titles.
Sequence of clause titles.
Text.
Terms and definitions.
These items are permitted to diverge among standards only where necessitated by specific
differences in managing the individual fields of application.
and achieves continual improvement. Annex SL calls for actions to address risks and
opportunities in subclause 6.14 but does not require risk management, risk assessment or risk
treatment.
These two strategic business processes were included to encourage an
organization's top management to become more actively engaged, ensuring the QMS takes a
more strategic view and is integrated into its business processes, with the overall intent to
promote improved performance of the QMS.
Subclause 4.1 contains requirements for an organization to determine external and internal issues
that can affect and are relevant to its purpose and strategic direction, and to monitor and review
information related to these external and internal issues.
One process that is underused but powerful in identifying internal issues is a self-assessment. It
should be considered for serious attention. Self-assessments can be complex, using criteria such
as those of the Malcolm Baldrige National Quality Award, the European Foundation for Quality
Management or the ASQ guidelines for performing a QMS self-assessment.
Assessment also can be simplified by using the seven quality management principles as a guide.[4]
It is up to each organization to determine how detailed the analysis should be and what follow-up
action, monitoring and review are needed.
External issues can be found through several techniques such as analysis of:
Also consider the potential interactions with other processes of your QMS. For example,
subclause 4.1 may have direct or indirect interactions with your processes dealing with interested
parties, risks and opportunities, or with clauses 8, 9 and 10.
These new requirements related to the organization and its context should provide the
organization an opportunity to expand the breadth and depth of its QMS, integrate the QMS with
the strategic and tactical management of the organization, and align objectives throughout the
organization.
References
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, clause 4.
2. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 4.1.
Consider Risk
by Denise Robitaille
One of the side benefits of the inclusion of risk-based thinking in ISO 9001:2015 is that it
eliminates the ineffectual and cumbersome preventive action process included in ISO 9001:2008.
Often, risk is presumed to be within the purview of large companies with loads of quality
technicians and MBAs performing failure mode and effects analyses and implementing
sophisticated risk management programs, all slick with data, pretty charts and graphs printed on
high-gloss paper. This is hardly a capability for a small delivery service organization or a five-person machine shop.
To help an organization of any size get over this hurdle, look no further than clause 4 of ISO
9001:2015.[1] All of the language about the context of the organization is directly relevant to the
conversation about risk. To understand your risks, you must understand your organization: its
internal and external issues, the interested parties that can have an effect on it and its ability to
fulfill customer expectations.
These concepts also can be parsed into smaller components. For smaller organizations, issues
can be as simple as the retirement of one person, the loss of a supplier, a change in cash flow, a
major road repair outside their entrance or change in the local school's calendar affecting parents
who need daycare. All of these events carry risks that must be managed properly.
There are other changes that must be understood and implemented. All the changes carry some
benefit. The transition process itself carries its own benefit because implicit in the transition is
the opportunity to objectively assess a system and sweep away what isn't working.
Reference
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, clause 4.
Explicit in the new standard, however, is the requirement that some minimal risk management be
integrated into an organization's quality system. Indeed, the writers deliberately created the term
"risk-based thinking" to encompass the varying, acceptable degrees in which organizations may
choose to manage risk. Employing the term "risk management" may have implied full adherence
to the ISO 31000 standard is required, a suggestion defeated in early international revision
negotiations.
While using ISO 31000 is not required in ISO 9001:2015, the existing risk management standard
already has become popular internationally, and it will be helpful in implementing ISO
9001:2015. As a guidance document, it allows for tailoring to various systems including the
management of quality. It is helpful for understanding the organization and its context, which is
sparsely defined in ISO 9001:2015, but more fully detailed in sections 4 and 5 of ISO 31000.
These sections explain the how and why of establishing the context.
Like ISO 9001, ISO 31000 is more clearly understood after professional training. Quality
professionals who master ISO 31000 will be able to identify how detailed an organization's risk-based thinking implementation must be to satisfy the requirements of ISO 9001:2015.
Why should your organization embrace risk management as part of your quality system? The
answer is stated in ISO 31000: "All organizations manage risk to some degree."[3] In layman's
terms, managing risk is simple: Make decisions while considering how the potential
consequences of unknown factors can help or hinder your organization's objectives.
This idea is not new. The management of uncertainty is something you do each day in your
personal and professional lives to ensure you achieve your objectives. The requirement that
consideration of uncertainty be part of formal and auditable processes will serve to further
quality and corporate objectives.
Allen Gluck
References
1. International Organization for Standardization, ISO 31000:2009 - Risk management -
Principles and guidelines.
2. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements.
3. Ibid.
In actuality, there are changes in ISO 9001:2015 that are logical, appropriate and carry the
potential to introduce concepts and requirements that will benefit all organizations. However,
they are still changes, and people are often averse to changes they don't understand.
The salient point is found in the key word: understand.
While all organizations are going to experience growing pains, small companies are likely to
undergo the transition with a higher degree of angst. Why?
Any change implies expenditure of resources: people, time and money. There's a lot less of
these commodities in a small organization. How do they choose to best spend their limited
resources?
For small companies, the first hurdle is getting good, reliable information efficiently at a
reasonable cost. The other resource issues relate to the time individuals will need to conduct
assessments, attend training on the changes to the standard, implement the changes, revise any
affected documentation and train internal auditors. The second hurdle is understanding the
changes and operationalizing them in their organizations.
For all businesses, the two best sources of information on the ISO 9001 revision are ASQ and the
International Organization for Standardization. Other traditional sites that have a long history in
the standards arena also can be reliable sources of good information.
Small businesses simply don't have the time to slosh through the vast dumping ground of the
internet trying to figure out who has the best information. As in all things, something that looks
free can turn out to be expensive. This is not to say that all free stuff is questionable. It's just that
making a decision solely on cost can have devastating consequences. Caveat emptor.
Denise Robitaille
ASQ offers multiple sources of information for small businesses, including:
Leaders, Step Up
by Paul C. Palmes
The QMS now must consider how to manage "ensuring the integration of the QMS requirements
into the organization's business processes." They are now one and the same, requiring quality
objectives to support the achievement of the organization's business goals.
Who better to ensure business success than top management? After all, top management also is
tasked in the new version of ISO 9001 with "engaging, directing and supporting persons to
contribute to the effectiveness of the QMS."
That's the vision you must encourage, the goal you wish to achieve when you begin with the
end in mind.
References
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 5.1.1.
2. Stephen R. Covey, The Seven Habits of Highly Effective People, Free Press, 1989.
3. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, see reference 1.
services and processes being audited, and be able to assess the effectiveness of the controls used
to manage those risks.
References
1. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, subclause 4.4.2.
2. International Organization for Standardization, ISO/FDIS 9001:2015 - Quality
management systems - Requirements, Annex A, section A.6.
3. International Organization for Standardization, ISO 31000:2009 - Risk management -
Principles and guidelines.
Revision Resources
ISO 9001:2015 is scheduled to be released later this month and will be available for purchase at
asq.org. Find out more about the new standard by:
member of multiple ISO standards committees, including TAG 176 and the task force in the
Joint Technical Coordination Group that wrote Annex SL and the associated guidance.
Allen Gluck is president of ERM31000 Training and Consulting in Spring Valley, NY, and an
adjunct professor at Manhattanville School of Business in Purchase, NY. He has a master's
degree in leadership from Bellevue University in Nebraska. Gluck is an ASQ member and a
member of TAG 176, which develops ISO 9001, and TAG 262, which develops ISO 31000. He
may be contacted at his website, www.erm31000.com or at allen.gluck@erm31000.com.
Paul C. Palmes is president and principal consultant with Business Systems Architects Inc. in
Fargo, ND, and Prescott, WI. He is a member of TAG 176 and chair of international ISO/TC 176,
subcommittee 1, responsible for the revision of ISO 9000. He has been international ISO/TC 176
liaison to the International Accreditation Forum (IAF), co-chair of the IAF's ISO 9000 advisory
group, and member of the Auditing Practices Group and the Accreditation Council of the
ANSI/ASQ National Accreditation Board. Palmes is an ASQ-certified quality manager, British
Standards Institution-certified ISO 9001 auditor and has a master's degree in administration from
Gonzaga University in Spokane, WA.
Denise Robitaille is the author of 12 books, including ISO 9001:2008 for Small and Medium-Sized Businesses (ASQ Quality Press, 2010), and an internationally recognized speaker and
trainer. She is an active member of TAG 176, where she has participated in the revision of
multiple standards. Robitaille is an ASQ fellow, an Exemplar Global-certified lead assessor and
an ASQ-certified quality auditor.
John E. "Jack" West is a member of Silver Fox Advisors in Houston. He is past chair of TAG
176 and lead delegate of the committee responsible for the ISO 9000 family of quality
management system standards. He is an ASQ fellow and has co-authored several ASQ Quality
Press books.