The ISO Standards have been subject to significant criticism over the years. Generally, the systems have been viewed as paper exercises, costly to implement and only understood by those personnel responsible for quality. When the global business community became frustrated with the vastly different requirements and structures of the myriad of ISO Standards, the International Standards Organization decided to review, upgrade and standardize the Standards to similar structure and requirements. Consequently, the three systems of ISO 9001:2015 Quality Management, ISO 14001:2015 Environmental Management and ISO 45001:2018 Occupational Health and Safety were aligned to a ten clause structure with similar requirements, except where those requirements are specific to a field such as the identification of environmental aspects and impacts in ISO 14001:2015. The standardized 10-Clause structure is indicated below and captured in Annex SL of each Standard.
Clause 1 | Scope | Clause 6 | Planning |
Clause 2 | Normative references | Clause 7 | Support |
Clause 3 | Terms and definitions | Clause 8 | Operation |
Clause 4 | Context of the organisation | Clause 9 | Performance evaluation |
Clause 5 | Leadership | Clause 10 | Improvement |
With the updated Standards, The International Standards Organization introduced principle changes and incorporated specific new requirements. It is important to understand these updated requirements and to design the system in such a way that all the organizational stakeholders fully benefit from the changes and that the company complies with the certification requirements. Conceptually, the International Standard is based on the Plan-Do-Check-Act (PDCA) process approach and incorporates seven Quality Management principles, namely Customer focus, Leadership, Engagement of people, Process approach, Improvement, Evidence-based decision making and Relationship management.
The first significant change of the Standard is the increased focus on Leadership, and the requirement to demonstrate how quality is integrated in the organizational business strategy and planning, both in operations and resources. The company is expected to demonstrate how it has identified all known and potential internal and external risks, influences and opportunities, as well as the needs and expectations of interested parties. Universal business tools employed to conduct these studies are Hoshin planning, PESTEL (Political, Economic, Social, Technological, Environmental and Legal) analysis, SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis and business budgeting; and suggested interested parties are indicated in the diagram below.
The requirement for a fully documented system has been relinquished, with the requirement for documented information clearly indicated in relevant clauses for select processes and procedures. The practical impact of this change is that the ISO system can be fully digital without the need for a quality manual. Documents and records are replaced by documented information, and where the Standard does not specify documented information, the organization can determine whether it is necessary to do so. However, the responsibility resides with the company to demonstrate the effective operation of the quality management system, be it with or without written procedures.
To address the isolated responsibility for quality in the quality management division, the new Standard does not require the appointment of a management representative, but expects each employee to understand his or her contribution to the Standard, as well as the consequence if s/he were not to conform to the requirements as applicable to the specific organizational role. Preferably, the quality management requirements are captured in the employee’s job description and key performance indicators.
Previously, the 2008 Standard accepted exclusions from the scope for certification. This is no longer the case. The 2015 Standard does not accept exclusion and if the company were to request an exclusion it must clearly indicate that the exclusion does not affect the quality of the product or service. The impact of this change is significant: all services internal and supplied to the firm, as example human resources, finance and information technology, are now included in the scope of certification. The company is also required to consider the impact of outsourced services such as transportation, suppliers and sub-suppliers, and partnership agreements on the quality of the product or service offered. Different offices, branches and locations of the firm require inclusion in the scope and independent certification.
The updated Standard places significant emphasis on the well-being of employees and expects the organization to demonstrate that it has provided an environment conducive for their optimal performance. This includes consideration of the company’s physical and social environment, as well as the psychological well-being of employees. A recent article published by Harvard Business Review and Future Workplace indicates that the five most important wellness perks that matter to employees are air quality, comfortable lighting, comfortable temperatures, healthy food options and tech-based health tools. The principle underpinning this requirement is that employees can only perform at their best if they are comfortable in their workplace both physically and psychologically.
Two significant and entirely new additions to the Standard are the requirements for organizational knowledge and risk management. The requirement for organizational knowledge was introduced for the purpose of protecting the organization against loss of knowledge through staff turnover and failure to capture and share information. The intention of the Standard is to encourage the company to learn from experience, mentorship and benchmarking to ascertain and implement best practice from internal and external sources.Internal sources may include intellectual property, knowledge gained from experience, lessons learned from failures and successful projects, capturing and sharing undocumented knowledge and experience, and the results of improvements in processes, products and services. External sources include attendance of conferences,exhibitions and seminars; and gathering knowledge from customers or external providers.
The updated Standard places significant focus on risk management and actions to address risks and opportunities, including preventive action. The organization is expected to demonstrate a risk management system that identifies, mitigates, minimizes or eliminates risks; and a focus on opportunities may lead to the adoption of new practices, new products, new markets and customers, technology and partnerships. Risks may be identified from non-conformances, internal and external audit findings, change management requests and stakeholder analysis. Once the company has identified the risks, the likelihood and consequence of the risk can be analysed and reported as a risk priority number (RPN = likelihood x consequence), with corrective and preventive actions (CAPAs) implemented to address or prevent the risks. The risk management analysis assumes that the company has developed a risk matrix relevant to the company’s business and operational context. A simple schematic of such a process is provided below.
The new ISO 9001:2015 Standard is philosophically underpinned by the process approach and risk-based thinking. Practically the process approach is based on the Plan-Do-Check-Act (PDCA) cycle and the system therefore requires the organization to determine the criteria for acceptance of products and services, and the implementation of controls to measure and monitor these controls. Data and feedback from the quality management system is to be analyzed regularly to identify opportunities for improvement and to ensure suitability, adequacy and effectiveness of the system towards continued organizational sustainability.