A few weeks ago I was writing about the Context of the Organization (COTO), and there's one final point I'd like to make before I drop the subject. Your analysis is not a one-time exercise, because your context will change. Therefore you have to review the results and update them from time to time.
You can expect smaller changes, too. One of the outputs from your COTO analysis, after all, is a list of risks for your business. Then once you have a risk list, the basic principles of risk management say that you go to work addressing the most important ones: either take action to prevent them, or to mitigate them, or at least to define contingency actions after the fact in case one of them takes place.
But those very actions themselves now change the risk profile that you face. Maybe when you did your COTO-and-risk analysis you found five high-priority risks. But over the next few months you took steps to prevent two of them outright; you made two of the others a lot less likely (even if still possible); and you defined a recovery plan in case the last one happens. Are you still facing five high-priority risks? Of course not. The list has dropped to three, and (depending on how you evaluate the likelihood and impact of those three after the measures you put in place) they might not all be high-priority any more.
Or you might have changed your company's strategy to focus on different products for a different market. Many years ago I worked for a small startup in the B2B space: we made products that we sold to other businesses. But one year we saw an opening and reoriented the company towards making smaller, individual-sized products for the home office market. That was some years before we got ISO 9001 certification, so we didn't have a written scope statement at the time. But if we'd had one, it would have changed. And COTO is directly tied to scope.
So set up a regular schedule to review and re-evaluate your COTO. It's simplest to make this part of your periodic Management Review, since the ISO 9001 requirements for Management Review include checking most of the elements of your COTO anyway. And then, based on the results of your review, propagate the changes to your risk lists and scope statement as well.
Bear in mind that it's a lot less work to revise your COTO than to set it up in the first place. Yes, things change; but mostly they don't all change at once. So it should be pretty simple to read through what you've already got and look for the places you have to edit.
__________
P.S.: This is probably not a burning concern of yours; but one consequence of the foregoing is that, since your QMS is based on your COTO and your COTO changes, there is no such thing as the perfect or final QMS. Everything can change, because everything depends on what you need—under changing conditions—in order to get what you want.