
Case Study: Transitioning to ISO 9001:2015 in a large organization

The purpose of this case study is to enable consultants and implementers to better understand the transition process from ISO 9001:2008 to ISO 9001:2015 in large organizations, with regard to some of the weightier changes in this standard. The emphasis is placed on the requirements that appear for the first time, or are eliminated, in this revision of the standard.

For the purpose of this case study, XYZ Inc. is a large organization that does business on three continents. It provides design and architectural services to its clients, the majority of which are governments and/or government-operated agencies. More than 80% of the organization’s projects are worth more than 30 million USD. In order to keep tendering and doing public work, being an ISO-registered organization is a mandatory requirement.

Understanding the context of the organization

Determining the external and internal issues that have relevance to the purpose of the organization and its strategic direction is something that XYZ Inc. has always done during the executive board’s meetings in order to better understand and grasp the business. Section 4.1 of ISO 9001:2015 doesn’t specifically ask for a procedure to be established in order to understand the context of the organization; however, documented information that will serve as objective evidence that this matter is monitored and periodically reviewed is necessary. Keeping in mind that there is no “right tool for the job” in this case, the SWOT (Strengths, Weaknesses, Opportunities, and Threats) or PEST (Political, Economic, Social, and Technological) analysis can be used, though XYZ Inc. deemed that using a simple meeting minutes form would be sufficient in order to ensure compliance with this requirement.

Organizational roles, responsibilities, and authorities

The Management Representative is a thing of the past now. XYZ Inc. used to have an Office Quality Management Representative in each of their locations whose responsibilities, among others, were to ensure that the processes needed for the QMS were established, implemented, and maintained, as well as to report on the performance of the QMS to top management. This was usually a junior engineer who had no idea what he was getting into when he was assigned the responsibilities, and ended up working 60 hours/week while still falling behind on his regular work. It was never intended for the Management Representative to be a full-time position in any organization, but it was also never intended to be such a burden to bear. By appropriately allocating the responsibilities and authorities for the relevant roles in the organization, QMS-related duties shall no longer be obstacles. Don’t get this wrong – the responsibilities of the Management Representative are still a requirement of the standard, but not the position itself. With appropriate training, the project engineers will be able to ensure compliance with ISO 9001 on their own projects, without it consuming much of their time. XYZ Inc. realized that the most efficient way to document the roles, responsibilities, and authorities was by establishing a RACI (Responsible, Accountable, Consulted, and Informed) chart for each location, which will be periodically reviewed and changed if necessary, all in order to continually improve the overall effectiveness of the QMS.

Actions to address risks and opportunities

Preventive action was eliminated from the newest version of ISO 9001; it was replaced by, and upgraded to, actions to address risks and opportunities. Risk is the effect of uncertainty on the expected outcome, and the concept of risk-based thinking has always been implicitly covered in ISO 9001. XYZ Inc. has always considered the risks and opportunities for each of their projects. The responsibility for addressing risks and opportunities is assigned to the Department of Risk Management. Risks and opportunities for every project are assessed and addressed before it commences, and periodically during its life cycle. The method used in XYZ Inc. is based on predictive management tools such as FMEA (Failure Modes and Effects Analysis) and SMEA (Success Modes and Effects Analysis), and consists of four parts:

  1. Identification
  2. Analysis and Evaluation
  3. Action (mitigating the risks and adopting or rejecting the opportunities)
  4. Evaluating the effectiveness of the actions

Appropriate documented information, such as a risk register and an action plan, is established for every project and treated as “living” documentation throughout the project’s life cycle, thereby ensuring that the organization is constantly aware of the risks and opportunities and has complete control over them.

Organizational knowledge

Just like every other company, XYZ Inc. has special knowledge that sets it apart from the competition and makes it unique. Section 7.1.6 Organizational knowledge says that the organization shall determine, maintain, and make available, to the extent necessary, the knowledge needed for operation of processes and achieving conformity of products and services. This can be interpreted in many ways, but the most efficient way to achieve conformity to this requirement must be selected, considering the fact that most auditors will deliberately avoid asking for evidence of conformance to this requirement, predominantly because they don’t fully understand it. XYZ’s approach regarding this matter was simple: a Knowledge Database was established on the organization’s servers with an appropriate filing structure, and the responsibilities for maintaining it and authorities for granting access were assigned. The knowledge (lessons learned, intellectual property, patents, etc.), of both internal and external origin, that the organization considers important is stored in the Knowledge Database.

In practice

These simple examples will hopefully provide guidance on, and help you better understand, your ISO 9001:2015 implementation in a large organization, at least for these four sections that involved major changes in this revision. Things will almost certainly not go the way they were planned, and that is perfectly fine. By continually improving the QMS and molding it to fit the organization’s requirements, the business and quality goals will align, thereby ensuring constant conformity of products and services.
