Lizard People and the Context of your Organization (My first podcast!)

Last week I sat down with Kyle Chambers of Texas Quality Assurance to record my first-ever podcast. We had a wide-ranging discussion: the original idea was that we would talk about Context of the Organization and how your COTO analysis can benefit you. But while we were at it, we also talked about how to design your QMS, why policy matters, how to avoid common pitfalls in auditing ... and how the world is secretly run by intergalactic space lizards!

Check it out.

You can find the podcast version here: #QualityMatters episode 147.

Or there's a version that also includes video, which you can find here: 

Leave me a comment to let me know your thoughts!

Podcast with Steve Gompertz: "Guerilla Tactics for Quality Leadership"

About a month ago, I listened to a podcast that I really enjoyed. It was an interview with Steve Gompertz, a partner with QRx Partners and a long-time expert in Quality for the medical device industry. And what I loved about the discussion was how much of Gompertz's experience resonated with my own.

The medical device industry is—for obvious reasons—one of the most heavily-regulated industries in the country or the world. My own work has been in less-heavily regulated areas like telecommunications and automotive diagnostics. So I expected to hear about an environment much stricter than any of the ones I'm used to.

But no! What Gompertz learned about working under FDA regulation was exactly what I learned about working under a regimen of central directives in global companies: the structure of rules looks burdensome from the outside, but inside there is actually a fair bit of room to breathe. 

After all, it's not in the interest of the FDA for medical device companies to go out of business. They just want the devices to be provably safe before they are used on human beings. Therefore, Gompertz points out, the FDA largely regulates what you have to do, but leaves it up to you to figure out how to do it. This gives you a lot more leeway than many people realize, leeway that you can use to make regular improvements in your processes and methods. He tells stories of specific changes he made one time or another, which his colleagues were sure the FDA would reject—and the FDA auditor loved them. "Why don't other companies do it this way, when it's so much simpler?"

There's more, but I'd rather let him speak for himself. This, though, is exactly how Quality ought to be done.

Oh wait! Before I forget, Greenlight Guru is hosting an Ask-Me-Anything event with Steve Gompertz in a couple of weeks, on September 7. You can get more information and register for it by following this link here.

And here's the interview.

  

     

"Don't we already know this stuff?"

Over the last couple of weeks I've been discussing why you need to understand the context of your organization (COTO): this means the collection of people who want things from you (your interested parties), the things they want (their requirements and expectations), and any external issues that might affect your ability to get your work done (war, famine, pestilence, zoning regulations, or anything else).

Image by more photos boosty.to/victoria_art_music from Pixabay

And it would be fair for you to ask, "What's the big deal? Don't we already know this stuff? If I don't know what licenses and permits I need, I'm not going to stay in business long. If I don't know what my customers want, I won't have any. Isn't the simple fact that I have customers and I've kept my doors open proof that all this stuff is covered? Why do I need anything more?"

As I say, it's a fair question, and the answer depends on what you are trying to do. If your only purpose is to set up a Quality Management System so that you can get control of your business, you can afford to leave the COTO analysis for later. One day it will be useful, in identifying a list of business risks or in clarifying the exact scope of your system. But those aren't urgent needs. If all you want is to get control of your operations, then yes, the fact that your doors are still open is pretty good evidence prima facie that you can save this topic for later. 

But if you are trying to get or keep ISO 9001 certification, then you have to remember that all these topics are now auditable. While the actual documentation requirements are (as I noted earlier) embarrassingly thin, you have to convince an auditor that you know who your interested parties are, what they want out of you, and all the rest of it. It helps to have something in writing. This requirement was introduced in the 2015 edition of the ISO 9001 standard, and when it came out I went to the General Manager of the organization where I worked at the time. 

"Do you have what you need to be able to answer questions about these things?"

"Well I know what the answers are, but I don't know how I could prove it. The evidence is probably scattered through a dozen emails, some meeting minutes, and maybe a few Post-It notes that I scribbled during phone calls."

So he and I worked with the rest of the management team to set up a way that we could capture evidence of what we were already doing. I had to call a couple of brainstorming meetings to get everyone in the room at the same time. (My budget that year had several entries for pizza.) But the overall impact to the organization was much lower—and the level of acceptance by the organization was far higher—than either would have been if I had announced "There's a brand-new requirement in the ISO standard and we have to start complying with it!"

Yes, in a sense you more or less already know most of your COTO intuitively. But when you have a chance, take a little time to work through it systematically to cross-check what you think you already know. When we went through the exercise (along with all that pizza) we found that we had already covered most of our stakeholder expectations—all but one. And after we looked around the room in shock for a minute trying to figure out how we had missed it, one of the team offered, "Let me take that one. It's the kind of thing I like to do, and it fits in with the rest of what I'm doing anyway." Perfect.

           

Context and scope

Last week I talked about how a good understanding of the context of your organization (COTO) can support your identification of business risks, because what business you are in affects what kinds of risks you face. But your COTO does more than that. A well-analyzed COTO can clarify the scope of your Quality Management System as well. 

Image by Mohamed Hassan from Pixabay

Some years ago, I audited a service organization that had a very special relationship with their one and only customer. This company provided services to a particular campus of a large, global organization that I'll call Octopus Enterprises. (That wasn't their real name.) But the relationship was close enough that my client's personnel were actually located on the Octopus campus, on a couple floors of one of the buildings. And while the annual contract spelled out that my client was responsible for this and that services specifically, everyone understood that Octopus could ask for something new tomorrow and my client would do it. There might be a discussion about the price, but there would be no discussion about whether to take the job. 

The first time I was there I asked how they defined their management system, and they handed me a Quality Manual which looked exactly like every other Quality Manual you've ever seen. And so I asked the General Manager:

"Why did you write this?"

He said, "I thought we were supposed to have a Quality Manual."

"OK, that was the old edition of the standard and you don't have to any more. But there's a bigger issue. 

"Look, this says you have procedures and follow them. But if Octopus tells you all to 'Jump,' you jump, procedures be hanged. If Octopus tells you all to wear bright green hats to work, you all wear bright green hats to work. It doesn't say that here. 

"I understand that legally you are a separate company. But if Octopus says to do something one day that violates your procedures, you'll do it. And then you risk having me or some other auditor write you up for not following your procedures. 

"For your own protection, you should have something in your management system that explains the relationship, and that says Octopus can override your normal procedures under such-and-such conditions."

I know an auditor is never supposed to consult, but it was important for them to understand this point.

Anyway, that's what I mean when I say that understanding your COTO can clarify the scope of your QMS. Understanding your COTO means you know who wants things from you (your interested parties) and what they want (their requirements and expectations). When you know those things, you also know how much influence these interested parties have over your decisions. If your organization disagrees with a requirement from some interested party, when can you say "No," and when do you have to say "Yes, right away"? If any interested party is important enough that they can affect or override your Quality System, they ipso facto affect your scope and you should make sure to say so. Carefully understanding your COTO is what tells you this.