The best way to explain the requirement of clause 4.1.1a in ISO 9001:2015 is organizations are now required to identify the inputs and outputs of the processes of their quality management system. Since these terms can be a bit confusing for some:
Inputs: Resources that are needed or used in the execution of a process step (raw materials, labor, information, etc.).
Outputs: The results or outcomes that are created through the execution of a process or process step.
The key to this requirement is understanding the transformational process that is performed by your business to create the product or service your company sells. Word of caution here: DO NOT GET TOO DETAILED when you are identifying the inputs and outputs. At a micro level, businesses can have hundreds of processes or steps and to identify the inputs and outputs of all those steps would be a monumental task.
Start at a very high level
I find the best, and most effective way to comply with this clause and get a good understanding of inputs and outputs is to utilize a tool commonly used in Lean Six Sigma practice called a SIPOC diagram. The SIPOC diagram is defined as, "A tool used by a team to identify all relevant elements of a process improvement project before work begins. It helps define a complex project that may not be well scoped, and is typically employed at the Measure phase of the Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) methodology." (iSixSigma, 2017)
SIPOC diagrams are very easy to complete. Here are the steps you should follow to create your SIPOC Diagram and Identify the Inputs and Outputs of your organization.
1. Clear some wall space and assemble a cross function group (3 to 5 people are generally sufficient). Post some flip charts with headings (S-I-P-O-C) written on each, or headings written on post-it notes posted to a wall.
2. Fill in the process steps vertically in the Process column (the "P"). If your organization was certified to previous versions of ISO 9001, you will already have a high level process map documented in your Quality Manual. Use this map as your process steps in the SIPOC. If you are starting new, describe what your organization does in 5 to 7 steps (roughly). An example manufacturer could be something like this: Quoting - Order Processing - Engineering - Outsourcing - Production - Shipping - Invoicing.
3. Identify the outputs of each process step. Once the process steps are in the center column, outputs are easily identified by asking the question, "what does this process step create?". Post those in the "O" column next to the associated step.
4. Identify the inputs of each process step. Now ask the question - "what resources are needed to accomplish the process step?" and post those next to the appropriate step in the "I" column.
Note: Following those steps to this point will give you a great start toward the understanding of your business' inputs and outputs. You can stop here if you'd like - but if you want to utilize the tool to its fullest, you take the following two steps and use that information to begin the formation of your list of interested parties.
5. Identify the customers that will receive the outputs. For each output, ask who the person, department, or entity is that will be receiving the output and list those in the "C" column. These customers could be internal or external to your organization.
6. Identify the suppliers of the inputs. Ask who provides each listed input and document those in the "S" column. Much like customers - suppliers can be internal or external to your organization.
Once this exercise is complete - confirm the information and document it in the appropriate location within your management system. Understanding the inputs and outputs helps provide a foundation for what comes next - evaluating (measuring) the inputs and outputs to determine potential opportunities for improvement.
Effective communication within a company allows the Management System to function efficiently, by providing relevant, meaningful information to the people who need it. The 2015 revision of ISO 9001 makes it is necessary for a company to decipher the internal and external communications pertinent to the management system and put some structure around it. In doing this it is necessary to know who to communicate with, how communication will occur and who is responsible for doing the communication.
When working with communication within a company there is two main divisions to consider; internal and external. Internal communication is all levels of the organization, this means the staff who deliver and implement information, operational staff and management staff. Internal communication can be delivered in three main formats; visually, written and face to face. The format of internal communication is determined by any barriers within the company. Barriers within a company could include language barriers, illiteracy, some staff working outside the office, technology within the company, etc. Internal communication is all about ensuring internal employees have the information they need to be able to effectively execute their job.
The second division of communication within a quality management system is external communication. This method of communication involves anyone pertinent outside the company; included would be other companies in the same field (service providers, maintenance providers), contractors, customers, stakeholders or board members. Devising effective external communication ensures all relevant interested parties are appropriately informed. (more on relevant interested parties - click here).
The easiest way to formalize organizational communication is to put together a communication matrix. Odds are pretty good that you are already doing quite a bit of communicating with internal and external stakeholders, the matrix functions as a summary so all communication can be viewed from a macro level to identify gaps and redundancies in communication. The easiest way to construct this matrix is to create a table in Microsoft Word or Excel with the headings listing in the next section. Then begin populating it with all of your current communications that are taking place and use this matrix as your starting point. I have included some definitions as a guide.
Categories and examples of internal and external communication:
a) What is communicated: Define and document the topic of communication - what is the information that is going to be delivered?
b) Frequency of communication; Specify how often this communication is going to take place. This is typically daily, weekly, monthly, quarterly, yearly. The frequency of the communication depends solely on the topic of discussion, for example financial communication may be monthly whereas structural or environmental changes could be yearly.
c) Audience; this can be anyone internal or external to the company and be decided based on the topic of the communication, for example financial communication may be with only internal employees that handle cash flow or budget information, structural or environmental may only include any employees that can make physical changes within the company or work in the department being altered or changed. Quarterly business reviews may be delivered to the Board of Directors.
d) Mode of Delivery; this can be done in many ways including face to face, visually which would include power points, videos, dry erase board or written could be a newsletter, email, manual, etc.
e) Communicator; this is typically determined by the topic of communication - who is the person (or group) responsible for delivering the communication.
All in all, communication is a really important aspect of running an effective and efficient business; utilizing a simple structure like a communication matrix can ensure intentional, relevant, and timely delivery of information.
Internal audits often provide the biggest problem for ISO certified organizations. Fundamentally nobody objects to internal audits, the goal is to optimize them but that can mean different things. Management usually recognizes that audits are supposed to review the way the organization is operating to ensure that processes are followed as expected, to ensure they are still achieving the goals set and to look for opportunities for improvement. However, when they don’t see audits reporting any problems or finding things to improve then the tendency is to move for cost reduction.
How can we reduce the duration and the cost of the audit?
Here is the thought, "If there are no findings then my processes must be excellent – I don’t need to audit them." Of course the problem is that the reason nothing was found and no improvements were suggested is because the audits themselves were not effective. Should every audit result in at least one nonconformity? No. The last thing you need is for audits to feel like a traffic cop walking around the facility writing tickets.
Management must ensure that audits are effective and demand improvement. All processes can be improved and audits need to provide this for management. To get back to the original question of reducing the cost of audits - Costs can be significantly reduced by implementing improvement ideas resulting from internal audits - not by minimizing the audits.
Even with that mindset in place, there are still issues with internal audits
The first problem with internally resourced audits is that people typically don't want to do them. This is not what their career path is, this is not their chosen vocation and they know that when they get back to their day job nobody has done their work for them. This is not something to be desired, it is extra work to be avoided and minimized.
The next problem is that these people are rarely adequately supported. They may have auditor training but because they do this once a year for a few days it’s easy to forget. It is difficult to remember the types of things they should be looking for, how to determine conformance, how to assess a process for effectiveness and with limited experience it is difficult to identify opportunities for improvement. Typically internally sourced auditors are cautious about what they say. They are unsure if a process is effective or not and tend not to say anything. Their findings normally focus on errors with procedures and occasional administrative improvements.
One indicator of the performance of your internal audit team is whether they catch all issues before the external auditor has findings. Not only does this protect your certification but it reduces effort and administration. If your
external auditor is finding things then you should question your approach to internal auditing.
Outsource your internal audits?
Outsourcing internal audits is the solution that more and more ISO certified organizations are moving to. Their recognize their internal people already have full-time jobs to do. They have difficulty maintaining adequate expertise and dedicating the necessary time to perform effective audits. Companies have outsourced functions with similar traits for years (accounting, legal, information technology, etc.) and now that thought process is moving its way to into the quality profession. As internal resources get busy, it just makes more and more sense to call on outside expertise.
The outsourced internal auditors not only protect your certification but they are ISO experts. They maintain the necessary competence, have loads of experience and can bring best practices that your internal resources may not have thought of or been exposed to. They should be coaching, training and helping as they audit (good internal auditors are different from external auditors). They should be experienced enough to identify any issues in your ISO system and allow solutions before the external auditor gets there. They should have a wide ranging knowledge of organizations and subjectively advise about the effectiveness of your system and challenge for improvements. Management should again demand this of internal auditors irrespective of the fact that they are outsourced – it’s just that now the benefits of good internal audits can be realized.
When you get right down to the numbers, in practice, outsourced audits are likely cheaper and add more value. Higher quality audits, more valuable suggestions and the development of a relationship with an outside expert that can help support the ongoing development of your management system - and with responses to third party and customer auditors in the event they find something. Add to that the missed hours of work, the distraction to an employee's "normal job" and costs of training, preparation, reporting and on-going communication and questions. Outsourcing makes so much sense.
This does, of course, all rely on the fact that an outsourced auditor must be good. While simply being able to demonstrate effective audits is the ultimate test, someone with lots of auditing experience, ASQ and RABQSA qualifications, experience with consulting, qualified trainer and other ISO experience all indicate the ability of the auditor.
The benefits are there to justify outsourcing your internal audits now. If you are considering the move to externally sourced internal audits - Click Here for more information and to get the process started!
Thinking of Outsourcing your Internal Audits?
Christopher M. Spranger, MBA, ASQ MBB
Want to receive free tips to improve your business?