The long awaited ISO 9001 revision is close to release. The final draft of ISO 9001:2015, or FDIS, has been released and the revision is expected to be formally approved in September of this year.
This is a major revision of ISO 9001, in terms of the standard’s structure and philosophy. There are 10 clauses in the revised standard, versus 8 in the current version. ISO 9001 will no longer make a distinction between “documents” and “records”. It will refer to both as “documented information”. And, what have been the six “required procedures” are no longer. Organizations will no longer be required to have documented “corrective action” or “preventive action” procedures.
Instead, the authors of ISO 9001:2015 will be asking us to incorporate the concept of preventive actions throughout our quality management systems. They are asking us to adopt risk-based thinking.
Risk-based thinking has been applied to a number of standards, laws, and regulations for over a decade. The most obvious example of this is Sarbanes-Oxley. After so many companies complained about the cost of implementing internal controls in response to SOX, the law was modified to allow companies to control risks in proportion to their probability and impact. In other words, companies should focus their attention (i.e., time and money) on the riskiest activities.
That is what the newest revision of ISO 9001 will be asking us to do: Determine the greatest threats to quality performance, products, and services in our organizations and decide how we will manage them.
First, we identify the risks.
- Risks to quality may include insufficient or outdated employee training, not maintaining equipment properly, and faulty or no measurement. What events or activities could pose the greatest risk to quality in your business? Make a laundry list of actual and potential risks to the quality of your goods or services. Check with a wide variety of employees to get a diverse, if not complete, set of opinions.
Second, we prioritize the risks.
- There are a number of ways to prioritize risks. FMEA, or failure mode effects analysis, is one tool we can use.
Third, we determine how to appropriately manage risk. Risk management alternatives include:
- Avoiding them,
- Reducing them,
- Transferring them,
- Accepting (or ignoring) them, or
- Exploiting them, which requires that we see the flip side of risk, opportunity.
Fourth, we develop and implement – and periodically review – a quality risk management plan. These are activities we’ll need to incorporate throughout our organizations as we move from ISO 9001:2008 to ISO 9001:2015.
But, don’t panic! From the time the ISO 9001 update becomes official, we have three years to adopt or change over to it. If your QMS has just been certified to ISO 9001:2008 this year, you need to comply with that version until your recertification, three years down the road.
Before the year 2018 rolls around, though, start planning for your conversion to ISO 9001:2015. If you have the time and the inclination, it won’t hurt to prepare your organization well ahead of time – to manage the conversion risk, for one thing.
 Don’t throw the baby out with the bath water. If you have a preventive action procedure and it’s working, don’t get rid of it!