Although ISO standards aim for clear and concise language, some terms have specific definitions and ramifications for quality management. The Standard itself references ISO 9000:2015 for explanations of relevant terms and definitions, but some additional commentary is useful for clarity, especially if you are new to management systems in general.
Quality
As noted earlier, quality does not necessarily mean that a product or service is provided to the highest standard; rather, it means that it is provided to the standard that the organisation sees fit. As ISO 9000:2015 states, “The quality of an organization’s products and services is determined by the ability to satisfy customers and the intended and unintended impact on relevant interested parties”, which makes it a function of the organisation’s ability to do business with its customers and other interested parties.
This naturally extends to the organisation’s culture, since an organisation that does not value the quality of its products and services will be unlikely to maintain the processes necessary to achieve the purportedly desired levels of quality. As such, you should make sure that your organisation understands what quality means and how each person contributes to it.
Modern ISO management system standards require the organisation to take the ‘context of the organisation’ into account when implementing the management system. This is a broad idea, encompassing the organisation’s business environment, industry, major partners and suppliers, legal requirements and so on. Essentially, the management system should not only fit the organisation itself but also be built with the broader environment in mind.
The idea of a business aligning its functions and processes with its objectives isn’t new, so this should not be difficult to come to terms with. It is important to remember, however, that determining the context of the organisation doesn’t necessarily need to be incredibly granular – a complete list of all interested parties isn’t necessary, for instance, as that could be overwhelmingly vast for some organisations, and simply recording all of them would be a massive project in itself. Rather, the organisation should identify the most important factors to its context.
Furthermore, the context should consider what the organisation itself wants to achieve. It can be useful to think of this in idealised terms that the organisation itself uses, such as mission statements, vision, objectives and so on.
Documented information
Documented information is crucial to any management system, and comprises all forms of documentation: policies, procedures, work instructions, records and so on. It is important to remember that certification of the management system will rely on having both a structured management system and evidence that it is functioning. This evidence includes results of checks on the products and services, as well as the results of checks on the QMS itself.
In previous versions of the Standard, ‘documents’ and ‘records’ were treated separately. This is no longer the case, so all documented information is now bound by the same requirements.
Finally, it’s very easy to forget that a management system is more than a set of documentation. Simply having all the required documents available isn’t necessarily proof that your organisation has developed a management system. As ISO states: “It is stressed that ISO 9001 requires (and always has required) a ‘Documented quality management system’, and not a ‘system of documents’.”3
As such, the documented information you choose to develop (or where your organisation’s ‘context’ requires it) should be an accurate reflection of the actual quality processes you have in place. Developing this documentation should be collaborative, so that the actual process meets the requirements of the Standard, and that the documentation accurately describes the process in action, rather than the documentation describing something that meets the Standard but doesn’t describe what actually happens.
All business processes have inputs and outputs, so the terms should be or should soon become familiar to anyone looking to implement a formal management system. It’s useful to remember, however, that inputs and outputs apply to all levels of the QMS – that is, the product or service has inputs and outputs, as do those processes that belong to the more abstract QMS.
Equally, inputs and outputs can take many forms. Understanding how to capture these so that they can be tracked and measured as necessary can present a logical puzzle. By staying aware of the importance of inputs and outputs when designing or formalising your QMS processes, it is much simpler to make sure that they are appropriately identified, measured and tracked.
Interested parties
Related to the earlier ‘context of the organisation’, interested parties are those people and organisations with some interest in your organisation and its activities. By default, this will include customers and suppliers, regulatory bodies and so on.
In some instances, interested parties could go beyond what the organisation itself realises, with the definition in ISO 9000:2015 stating that it includes “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity”.4 In the UK, for instance, the scale of the public sector is such that it would be almost negligent to assume that contracts with government bodies won’t happen.5 Because of this, additional considerations may be necessary relating to meeting quality standards specified by government departments that exceed legislated standards.
Products and services
In previous editions of the Standard, ‘products’ was specifically defined as including services. This is no longer the case, presumably in order to remind organisations that services should also be subject to quality management and to account for the fact that services now form a significant part of major economies.
Furthermore, services have some differences from products, notably in that the output is typically more difficult to measure before it reaches the customer. As such, organisations will need to make provisions to maximise quality in the design and development phases to make sure that services meet customer requirements.
Risk-based thinking
This draws from experience of taking risk into account in other disciplines and is thoroughly described in the Standard’s Annex A.4. It outlines the role that risk plays in making sure the organisation meets quality objectives, in particular in its role as preventive action; because the QMS itself is a preventive measure, risk must, therefore, play a central role.
‘Risk’ is the “effect of uncertainty” (sometimes described as the “effect of uncertainty on objectives”), which can be either positive or negative, although it is most frequently understood in negative terms. Risk represents potential events that have consequences for the organisation, which should either be planned for (to limit the effect and/or compensate when they occur) or prevented.
Annex A.4 makes it clear that the organisation is not compelled to implement a complete risk-assessment process for the QMS. Instead, the organisation should determine an appropriate level of risk awareness, whether that be through formal risk assessment, procedural consideration of risks or simply keeping risks in mind while implementing and managing the organisation’s quality processes. The extent to which an organisation identifies risk awareness is required is likely to vary by the nature of the process(es) being considered.
3 Guidance on the requirements for Documented Information of ISO 9001:2015, www.iso.org/iso/documented_information.pdf.
4 ISO 9000:2015, 3.2.3.
5 Approximately 19% of the UK’s workforce is employed in the public sector.