CHAPTER 5 – CONTEXT OF THE ORGANIZATION

As described in the previous chapter, the context of the organisation is, broadly speaking, the environment in which the organisation does business, including the specific pressures affecting quality. The most tangible output of the Clause is the defined scope of the QMS. Although there is no requirement to progress through the clauses in order, this is clearly an important step early in the implementation of the QMS.

For an organisation to meet the requirements, it must be able to identify the key issues and stakeholders affecting quality. This can include the availability of resources, economic realities, customers and suppliers, legal and regulatory considerations, and so on. Although the organisation does not need to enumerate every single factor impacting quality, it does need to be able to identify its requirements for quality based on those pressures.

This clause takes an abstract perspective and includes the overarching requirement, at 4.4, to “establish, implement, maintain and continually improve a quality management system”. This includes establishing the broad structure of the QMS and the interaction between its processes.

Finally, the QMS processes should be documented where there may be doubt that the process will consistently produce quality products and services. As such, the QMS is both a record of what the organisation claims to do and a record of what the organisation actually does. Any organisation implementing ISO 9001 should make sure that these align.

Clause 5 – Leadership

This clause is directed almost solely at “top management”, which is the “person or group of people who directs and controls an organization at the highest level”.[7] This focus makes sure that the QMS is led by individuals able to provide the resources and authority to establish, implement, maintain and improve the management system. Furthermore, because the QMS should integrate with the organisation’s broader business objectives and strategic direction, top management involvement is essential.

It should be noted that the “highest level” may not actually be the leader of the organisation and their peers – a QMS that only covers a portion of the organisation, for instance, can be led by the highest authority for that part of the organisation, rather than defaulting to the Board of Directors or C-suite executives.

Customer focus is directly addressed within the Clause, which reflects the fact that quality is a function of the product or service’s ability to meet customers’ requirements. The fact that this is addressed through leadership implies that the organisation should take this seriously – one of the aims of an ISO 9001 conforming QMS is that it enables the organisation to consistently provide products and services that meet customer requirements.

Top management must also produce a quality policy, which declares the organisation’s dedication to and perspective on quality. It also provides a framework for establishing the quality objectives that the QMS aims to fulfil. The policy doesn’t need to be a lengthy document – the requirements for the policy are actually quite brief – but it does need to be communicated and available to “relevant interested parties, as appropriate”.

Although the requirements dedicated to the quality policy are relatively brief, it’s important to remember that the policy should provide a framework for setting quality objectives. These are not necessarily the objectives for the QMS, but are specific to a function, level or process within the organisation. For instance, quality objectives might be reducing the rejection rate at a certain stage in production, or increasing human productivity (as opposed to machine productivity); QMS objectives might be reducing the total rejection rate to a defined level, improving sales through greater customer satisfaction, or meeting a contractual obligation to achieve accredited certification to ISO 9001.

Finally, top management is required to assign appropriate roles, responsibilities and authorities relating to quality and the QMS. As is repeatedly asserted, this includes responsibilities and authorities for making sure the QMS operates as intended and conforms to the requirements of ISO 9001, as well as the more obvious responsibilities and authorities for performing quality processes.

Clause 6 – Planning

This clause is focused on risk, quality objectives and change, which are interrelated functions within the QMS. In other words, risks can influence quality objectives – either through threatening them or becoming the topic of a quality objective – and change management makes sure that the organisation can adapt to the needs of the risks and the quality objectives.

Addressing risks and opportunities, as described in the previous chapter, does not necessarily take the form of a risk assessment. Whatever process the organisation adopts, it should be prepared to demonstrate how risk-based thinking is integrated into its processes, whether that be through the auditor interviewing personnel, reviewing notes of risk-related discussions at meetings or any other means.

Subclause 6.1 recalls the role that internal and external issues (as discussed in Clause 4) play in determining how quality is managed, as well as the requirements of interested parties. It is possible that these issues and requirements place stresses on the organisation that present risks to quality – or present opportunities. The possibility that opportunities arise is often overshadowed by the fear of the negative risks, so establishing a path for the recognition of opportunities can be a valuable investment.

It may be useful to think of this process in terms of making sure that the organisation meets its quality objectives (by addressing risks) and can achieve continual improvement (by recognising and acting on opportunities). Thinking of it in this way aligns the clause with the broader goals of the QMS, rather than being seen as a requirement that adds burden without benefit.

Subclause 6.2 establishes the requirements for quality objectives and for plans to achieve them.

One of the more critical points is making sure that the objectives are measurable. This allows the organisation to focus future resources most appropriately, to prove that it is meeting the requirements of ISO 9001 and to prove that its actions are having the desired effects on quality.

While Clause 6.3 could be considered part of continual improvement – and in many ways it is – it can also be applied to make changes when no improvement is explicitly occurring. That is, some changes may be necessary without being designed specifically to improve the QMS (nor, ideally, to weaken it). Such changes might include adjusting the scope of the management system, accounting for changes in the business’ structure and so on.

Clause 7 – Support

Supporting the QMS by providing the necessary resources and organisational structures is critical to the success of any management system. The Standard broadly divides support into resources, competence, awareness, communication and documented information. Resources and competence are closely related, as are awareness and communication, and documented information should encompass nearly every facet of the management system.

It is important to note that all forms of support should be available and relevant to all stages of the QMS: establishment, implementation, maintenance and continual improvement. It can be easy to forget this and fail to allocate suitable resources beyond the initial implementation – if you are adopting the PDCA cycle, it is relevant well beyond the planning stage.

The requirements around resources in the Standard are particularly thorough, covering people, infrastructure, the environment in which the processes are operated, monitoring and measuring, and organisational knowledge. For most organisations, this is simply part of everyday business – making sure resources are available for business processes shouldn’t be a surprise – but it’s useful to have a codified set of requirements for quality processes in particular, not least because the Standard may highlight important features that are not reflected in your current processes.

The aspect relating to monitoring and measuring is particularly noteworthy – the management information this generates helps focus future effort more appropriately.

Following resources, the Standard lays out the requirements for competence. The organisation should establish methods of identifying the actual requirements, assessing whether the appropriate individuals meet those requirements, and developing the necessary competence if it is not currently available. Once a competence is identified as required, it should be taken into account when hiring or assessing existing staff, and made part of the business as a whole.

Competence is assessed on the basis of education, training or experience, ensuring those involved have the “ability to apply knowledge and skills to achieve intended results”.[8] It is dangerous to rely on a single individual having the competence to do certain work if finding a replacement is going to be near impossible because of that individual’s curious combination of three degrees, 17 years’ experience in a niche field and a host of certifications from programmes that no longer exist. Even in less absurd situations, it’s more than useful to be able to train staff or hire contractors for busy periods, absence and the like.

Requirements for awareness apply to all “persons doing work under the organization’s control”, which can include people who are not ordinary employees of the organisation, such as contractors, suppliers’ employees and so on. The organisation must make sure that all such people are aware of key information regarding the aspects of the QMS they are required to adhere to, which serves to inform everyone of the importance of quality management and to make it part of everyday business.

Communication requirements in Subclause 7.4 cover both internal and external communications, although additional requirements for internal communication are also present elsewhere in the Standard (such as the requirements for communicating the quality policy, in Subclause 5.2.2). Defining communication procedures should not be difficult, and simply formalises what most organisations already do.

Subclause 7.5 describes the requirements for documented information. This is one of the more demanding parts of the Standard because many organisations don’t document their processes or take the time to properly manage what documentation they do keep. Furthermore, because a QMS can be a very large project, this can also mean creating and updating a great deal of documentation. It is also important to remember that the organisation needs to keep the documentation required by the Standard as well as the evidence it needs to be sure that the QMS is effective.

Many of the documentation requirements are common to all ISO management system standards, so it’s valuable to implement these requirements as broadly as you can, even beyond the scope of the QMS. This will make sure that all documentation is handled consistently and following good practice requirements.

There are no requirements for the format or medium of your organisation’s documentation – a set of diagrams printed on paper and kept in a folder is just as valid as electronic files stored on a company intranet, as long as the documents meet the requirements of ISO 9001 and the organisation’s needs.

If you’re daunted by the scale of documentation necessary, it may be useful to seek out a documentation toolkit containing templates of all the necessary documents.[9] The key to getting the most from any documentation toolkit is to tailor the templates as much as necessary to make them fit your organisation’s context, objectives and business.

Another key requirement for documentation is that it is appropriately identified, reviewed, approved and controlled. Establishing processes to manage this makes sure that the organisation’s documentation is readily located, accurate and – crucially – known to be accurate.

The organisation must also determine how that documentation is accessed and handled. Not all documentation needs to be available to all staff, whereas other documents (such as the quality policy) will need to be broadly accessible. This includes determining how the documentation is stored, preserved and disposed of: does your documentation need to be destroyed or archived? Are there legal considerations or a need to protect the information from prying eyes?

It is useful to reiterate here that a QMS should be a functioning, appropriately documented management system, not a system of documents. Simply having documents describing what you should be doing is not enough in itself to bring the benefits of a QMS; the organisation needs to make sure that any QMS documents describe what you actually do, and that what you are actually doing is sufficient to meet your quality objectives.

Clause 8 – Operation

Clause 8 contains by far the most requirements in the Standard, which is to be expected: responsibility for quality largely resides in the organisation’s day-to-day operations. The requirements cover the whole lifecycle of products and services, so each step has processes in place to meet quality requirements.

These processes will generally be generic so that they can be applied to any product or service that the organisation provides, whereas the work instructions, if deemed necessary, for actually producing the product/service will necessarily be more precise and specific.

Operational planning and control is outlined in Subclause 8.1, and essentially provides the minimum requirements for all processes and actions that are part of day-to-day operations of the organisation. Notably, these requirements also apply to the implementation of actions determined in Clause 6 (actions to address risks and opportunities). It also involves controlling processes to make sure they meet criteria established for those processes – and that this occurs for outsourced processes, too.

The subclauses that follow this broadly track the progression of a product or service from its initial conception through to post-delivery activities.

Subclause 8.2 outlines how the organisation determines the requirements for products and services. This includes communicating with customers on a number of topics, including information about products and services, obtaining feedback and complaints, and so on.

The organisation needs to identify the requirements for products and services according to a number of specific pressures, including customers’ requirements. These pressures also include statutory and regulatory requirements, requirements deemed necessary by the organisation, and making sure that the organisation can actually deliver the product or service as described.

The latter half of this subclause makes sure that the requirements for products and services have been accurately identified. This is handled in two separate processes: the first is for the review and confirmation of the product/service requirements, and the second accounts for changes to those requirements. Obviously, it is best if the review is thorough enough so that later changes are not necessary, but this may not always be possible. As such, having a backup process in place to allow changes to be made retroactively is both sensible and useful.

With the requirements for products and services set in place, Subclause 8.3 describes the requirements for processes involved in the design and development of products and services to meet those requirements. Different products and services will have different needs for design and development, however, so the Standard leaves the general structure of this process open to the organisation, instead making sure that the process is appropriately planned, that controls are in place, and that inputs and outputs are identified for each stage.

Planning of design and development processes (Subclause 8.3.2) defines the requirements for preparing ahead of the development work. This could be standardised across all the organisation’s products and services, but it is more sensible to create a process that determines the appropriate phases according to the needs of the product or service.

The subsequent phases for design and development relate to the inputs, controls, outputs and changes. Inputs are the information, content, resources and so on that the organisation enters into the design and development process, and outputs are the expected results. This also needs to include appropriate outputs for confirming that quality requirements are being met, such as metrics that can be fed to the monitoring and measurement processes (which will be discussed in Clause 9).

To make sure that the design and development process works as intended, the organisation needs to apply appropriate controls. Some such controls can be seen as preliminary monitoring and measurement activities, and others are proactive measures to prevent errors from occurring, validating that the emerging blueprints are aligning with the identified, and potentially changing, requirements.

Although changes to design and development are common – as anyone involved in the process can attest – the organisation needs to correctly manage these changes to ensure that the requirements will still be met. Subclause 8.3.6 also makes it clear that the process should ensure there is no adverse impact on conformity to the requirements and sets specific requirements for documented information relating to changes.

Subclause 8.4 relates to externally provided processes, products and services.

Most organisations will already have processes in place to manage quality from external suppliers, although it’s likely that the processes are inconsistently applied, informal and undocumented. A sense of the requirements in this section of ISO 9001 can be conveyed by asking a few questions:

•  Do the processes/products/services meet our requirements? Can we make sure they do so consistently?

Subclause 8.4.1 requires the organisation to identify how the organisation checks whether each supplier’s goods and services are appropriate for its needs. As such, the organisation needs to make sure that its requirements are clear (8.4.3) and comprehensible so that suppliers cannot be under any illusions as to what the organisation wants.

This subclause also requires the organisation to have an established set of criteria for selecting and managing suppliers.

Subclause 8.4.2 is subtly different from 8.4.1 in that it establishes controls to make sure that supplied processes, products and services align with its quality requirements. This is an extension of the previous subclause, in the sense that supplier-provided processes, products and services can have an impact on the organisation’s ability to deliver. Such concerns might include making sure suppliers can reliably deliver on time, that software will not introduce unexpected consequences, that a particular product is provided within a specific narrow tolerance, and so on.

Subclause 8.4.3 is a set of requirements for a practice that almost every organisation will already have in place. The subclause requires the organisation to communicate with its suppliers regarding requirements for quality verification/validation.

Subclause 8.5 outlines the controls that organisations should put in place for product and service realisation. The first subclause within this – Control of production and service provision – appears to include a delivery function (service provision). Although you might expect to see this as part of Subclause 8.6 (Release of products and services), it is properly placed here as service provision is directly analogous to production. Furthermore, the controls described relate more to the functionalities involved in providing a service (infrastructure and so on) than the release of that service. The release of products and services at 8.6 is more akin to the sign-off of the product/service before release/launch.

Because production and service provision can be a lengthy phase in the broader process, Subclause 8.5.2 requires the organisation to identify and trace appropriate outputs. Some such outputs will be relevant for monitoring and measurement purposes, and others will be various stages of the product or service that can be tested for conformity to requirements.

Subclause 8.5.3 is a slightly expanded version of 2008’s Subclause 7.5.4 – Customer property. 2015’s standard now recognises that organisations may equally need to establish rules and controls to account for providers’ property as well as customers’. In other regards, this requirement should mesh with most organisations’ ordinary procedures for handling external parties’ property.

Although it may appear little more than a sort of reminder, Subclause 8.5.4 is an important requirement in the Standard. The subclause requires the organisation to preserve outputs during production and service provision, which makes sure that there is an auditable trail following the product/service through its production lifecycle. Trails like this make sure that the organisation can pinpoint the stage at which nonconformities occur.

The post-delivery activities described in Subclause 8.5.5 should be developed before the product or service has actually been released. In some cases, this may be because of safety concerns – such as making sure that a product is accompanied by training – or other legally mandated requirements, whereas in other instances it is simply to make sure that your organisation gathers feedback on the quality of the product/service from the most relevant source: the customer.

When releasing products and services, Subclause 8.6 requires the organisation to have arrangements in place to check (and recheck) that the product/service meets quality requirements. As this is traditionally the last chance you have to make sure your customer receives the quality they expect, this is an important – if unsurprising – requirement. Of note, the organisation is required to establish accountability for the release by making sure that the person(s) who authorised it can be traced.

The final subclause in Clause 8 lays out the requirements for controlling outputs that do not meet requirements.

Clause 9 – Performance evaluation

There are three core practices involved in performance evaluation: monitoring, measurement, analysis and evaluation; internal audit; and management review. The first two determine how well the organisation’s QMS is operating and where nonconformities are occurring, and the management review assesses all of this information to drive corrective actions and improvements.

Monitoring, measurement, analysis and evaluation is focused on gathering evidence throughout the quality management cycle. The monitoring and measurement phases are conducted as part of other processes, all the way from initial design planning through to customer feedback and on the QMS generally. This data is then analysed and evaluated to determine whether the product or service, and QMS, is meeting its quality requirements and the organisation’s quality objectives.

To properly establish this process, the organisation needs to be sure that it has activities and processes in place to gather the appropriate information. This information should be pushed through a rigorous procedure to make certain that it is then assessed and acted upon, and that the outputs of the procedure are passed to appropriate management, with summaries being fed into the management review.

Internal audits are a different matter. For organisations without any previous experience conducting internal management system audits, some training may be invaluable.[10] It is also worth securing a copy of ISO 19011, Guidelines for auditing management systems, which is recommended as guidance in a note to Subclause 9.2.3.

Whereas monitoring and measurement is conducted continually, internal audits are planned assessments that focus on the functioning of the QMS, its conformity with the organisation’s own requirements and those of ISO 9001. Internal management system audits normally involve interviews with key personnel (process owners, for instance) and the gathering and review of evidence (documented, observed and/or verbally reported) in order to determine whether the quality management processes are being carried out as defined and meet requirements. As before, where nonconformities exist they should be identified and acted upon by the appropriate management. Audit results are also passed along to the management review.

The management review is the process by which the organisation’s top management formally assesses the QMS and determines any necessary changes. The Standard lays out clear guidance for the inputs to the review, as well as defining the sort of actions that should result as outputs.

Clause 10 – Improvement

Improving the QMS is a core requirement of ISO 9001 because improving the processes that govern quality management will naturally improve the quality of products and services.

Subclause 10.1 sets out the kinds of actions that the organisation can take to improve the QMS and the products and services. The note to the subclause provides examples of the sorts of improvements that can occur, which helpfully includes things like innovation and reorganisation. This highlights that the QMS can be improved by processes that originate outside of its scope.

Nonconformity and corrective actions are covered in Subclause 10.2.

The Standard sets a number of requirements for nonconformities and corrective actions, but these needn’t be as distinct and bureaucratic as it may appear. Rather, your method should focus on reacting to the nonconformity once it is identified, evaluating the need for action to address the root cause and other occurrences of the same issue, applying the determined treatment(s), reviewing the effectiveness of any treatment(s), considering the effect on risks and opportunities and, of course, updating the QMS if necessary. This can be handled relatively simply and is really just a reiteration of the methods most competent people would use anyway.

The final subclause in the Standard is a clear statement of the requirement for continual improvement. It is useful to note the distinction between ‘continual’ and ‘continuous’ to avoid headaches in the future:

•  Continual means that it recurs regularly; it is something that is repeated frequently.

•  Continuous means that it occurs without interruption.

Although many people use the terms interchangeably, the organisation must make sure that it continually examines opportunities for improvement (to both the QMS and to quality in general) and implements those that are viable.

 

[7] ISO 9000:2015, 3.1.1.

[8] ISO 9000:2015, 3.10.4.

[9] Documentation toolkits typically provide all the mandatory documents for a given management system, as well as a set of raw templates for generic documentation (such as work instructions, records and so on). Better documentation toolkits will also come with a set of ancillary tools to help you verify whether you have met the requirements, as well as guidance documentation to help you understand specific elements of the implementation and the standard.

[10] Training providers can deliver certificated qualifications that can be completed relatively quickly – usually within a couple of days.
