Context and scope

Last week I talked about how a good understanding of the context of your organization (COTO) can support your identification of business risks, because what business you are in affects what kinds of risks you face. But your COTO does more than that. A well-analyzed COTO can clarify the scope of your Quality Management System as well. 

Image by Mohamed Hassan from Pixabay

Some years ago, I audited a service organization that had a very special relationship with their one and only customer. This company provided services to a particular campus of a large, global organization that I'll call Octopus Enterprises. (That wasn't their real name.) But the relationship was close enough that my client's personnel were actually located on the Octopus campus, on a couple floors of one of the buildings. And while the annual contract spelled out that my client was responsible for this and that services specifically, everyone understood that Octopus could ask for something new tomorrow and my client would do it. There might be a discussion about the price, but there would be no discussion about whether to take the job. 

The first time I was there I asked how they defined their management system, and they handed me a Quality Manual which looked exactly like every other Quality Manual you've ever seen. And so I asked the General Manager:

"Why did you write this?"

He said, "I thought we were supposed to have a Quality Manual."

"OK, that was the old edition of the standard and you don't have to any more. But there's a bigger issue. 

"Look, this says you have procedures and follow them. But if Octopus tells you all to 'Jump,' you jump, procedures be hanged. If Octopus tells you all to wear bright green hats to work, you all wear bright green hats to work. It doesn't say that here. 

"I understand that legally you are a separate company. But if Octopus says to do something one day that violates your procedures, you'll do it. And then you risk having me or some other auditor write you up for not following your procedures. 

"For your own protection, you should have something in your management system that explains the relationship, and that says Octopus can override your normal procedures under such-and-such conditions."

I know an auditor is never supposed to consult, but it was important for them to understand this point.

Anyway, that's what I mean when I say that understanding your COTO can clarify the scope of your QMS. Understanding your COTO means you know who wants things from you (your interested parties) and what they want (their requirements and expectations). When you know those things, you also know how much influence these interested parties have over your decisions. If your organization disagrees with a requirement from some interested party, when can you say "No," and when do you have to say "Yes, right away"? If any interested party is important enough that they can affect or override your Quality System, they ipso facto affect your scope and you should make sure to say so. Carefully understanding your COTO is what tells you this.