The right attitude towards process

In honor of the upcoming Fourth of July, I thought I'd post a little bagatelle that I wrote years ago to illustrate the right attitude towards business processes. The words in dark red are my updates to Thomas Jefferson's deathless prose. 

We hold these truths to be self-evident, that all organizations are made of people, that they are endowed by their Nature with certain unalienable Goals, that among these are Care for the Customer, Respect for the Employee, and Productive Work.

—That to secure these goals, Processes are instituted within organizations, deriving their just authority from the results they achieve,

—That whenever any Form of Process becomes destructive of these ends, it is the Right of the People in the Organization to alter or to abolish it, and to institute new Processes, laying their foundation on such principles and organizing their interaction in such form, as to them shall seem most likely to effect their Happiness and that of the Customer.

Prudence, indeed, will dictate that Processes long established or involving many stakeholders over a wide area should not be changed for light and transient causes; and accordingly all experience hath shewn, that employees are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed.

But when a long train of directives and regulations, pursuing invariably the same Object evinces a design to reduce them to absolute Ineffectiveness, it is their right, it is their duty, to throw off such Process, and to provide new Guidelines for their future productivity. 

  

Have a great holiday!

By John Trumbull - US Capitol, Public Domain, https://commons.wikimedia.org/w/index.php?curid=180069

     

A word about remote audits

Last week I talked about some of the changes I've heard proposed for ISO 19011, and one was that it be expanded to include guidance on remote audits. Suddenly I realized that up till now I've never described my own experience with remote audits. So let me repair that omission.

Remote internal audits

Of course the topic came up in 2020, as offices were shutting down because of COVID-19 and people were starting to work from home. I had created an internal audit plan for our organization, to be carried out in the spring of that year. The plan covered several locations across the United States, and my boss told me clearly, "Do them remotely, to reduce the risk of contagion. I will not authorize you to travel."

"How do you want me to audit our factory, if I can't travel there?"

"There are other qualified auditors in the organization who live within driving distance of the factory, and won't have to take commercial transportation. Let them do it."

So I did; and for auditing office functions (i.e., everything except factory production) it went well enough. The one big difference between remote audits and in-person ones, I soon learned, was that remote audits take longer. Or (to turn it around) if you have only a fixed amount of time for each interview, you can't ask nearly as much, so you have to be far more selective and strategic about your questions. The reason is that time is invariably lost in setting up the connection at a technical level, and then in the auditee sharing documents so you can read them on your screen. In a few cases the auditee had only hard copies of some artifacts, and we had to find a workaround. And invariably you miss a layer of communication when you are not there in person. Still, within those constraints, we were able to make the internal audits work adequately.

Remote external audits

The exercise got more interesting when it came to our external surveillance audits. These had all been scheduled in the fall. Because all our sites used the same management system, our registrar had elected to audit only three of them, and the three audits were on consecutive weeks. I asked the registrar's scheduling office whether we should expect the audits to be in-person or remote, and their answer was, "That's up to each auditor to decide for himself individually, but none of them have told us that they plan to audit remotely. So I guess you should plan for in-person." I explained that in some cases the entire office had shut down: if the auditor arrived in person, he and I would be the only two people in the building. The scheduling office promised to make a note of that in our file.

Since we couldn't be sure what our external auditors would do, my boss reluctantly authorized me to travel to all three locations so that I could be there "just in case." And of course we assumed that the audit of our factory would have to be in person, so the auditor could walk around the production floor. In the end, I heard from each auditor mere days before his respective audit was scheduled, and all of them chose to audit remotely. So for the two pure office audits, I logged in from my hotel room and talked the auditor through our artifacts. Other auditees were scheduled to enter the conversation at specific times, and they did.

But what about our factory? That building was open, after all, and people were working there. (We were fortunate that our line of work was classified as "essential," so we were never shut down.) In that case, at least the auditor had a good reason for failing to show up: he was traveling from Canada, and the border had been closed. But how was this supposed to work?

Naturally some of the functions at the factory were office functions; and for those, our auditor conducted a remote audit in the normal way. Then he told me, "I want to talk to someone working on such-and-such a machine. Please carry your laptop onto the floor and find such an auditee." So I carried my open laptop out onto the floor, found the right machine, and asked the operator if I could have a few minutes. Then the auditor questioned the operator through the laptop screen, and I had to hold the laptop in a variety of positions so the auditor could see the specific things he wanted to see. (This particular auditor also had a very soft voice, so I regularly had to repeat his questions so that the operator could hear them over the general background din.) We spent ten or fifteen minutes like this, and then our auditor asked to look at a different machine. I set off across the floor to find the next machine, and we went through the cycle again. In all, I think we looked at three different workstations on the production floor that way—or maybe four, I no longer remember exactly.

At the time, it felt a little comical for me to be walking around with my open laptop like that. But I couldn't think of a better way to do it, and honestly I'm not sure I can even today. Perhaps a willingness to tolerate a certain level of absurdity is actually a job requirement for auditors.

As always, please let me know about your experience in the comments.

           

How would YOU change auditing?

Over the last two weeks (here and here) I've talked about some proposed changes that might be coming sometime in the future for ISO 9001 and ISO 9000. I promised one more in this series, about ISO 19011, Guidelines for auditing management systems. This one will be a little shorter than the other two, because I haven't talked about it with as many people or heard as much feedback. Still, it matters. Any change to requirements will drive changes to how to audit those requirements. Even changes to the underlying concepts might change the approach that auditors take. One way or another, auditing is directly involved.

As before, I have to clarify that I don't know whether there is any schedule for updating ISO 19011. In fact, this standard is not written by TC176 at all, but by a different committee. I don't sit on that committee, so I have no access to their schedule. Maybe something is in the works, and maybe not. Still, as always, people have opinions. What follows are some of the opinions I've heard about how to update ISO 19011.

And as always, I want you to think while you read this, What are your opinions? How would YOU update ISO 19011, if it were up to you? Then I hope you'll leave a comment to let us know.

When I first asked my colleagues what they would like to see changed in ISO 19011, they started by talking about how much had changed in the world since the most recent edition was published, in 2018. Naturally the COVID-19 pandemic had a prominent place on this list. So did ISO's London Declaration. 

But there were other issues as well. They pointed out that there are many organizations with integrated management systems that address multiple standards at once. Does it really make sense to audit these piecemeal? they asked. Or should a single auditor be required to have the competence to check for quality topics and environmental topics and information security and energy management? 

Others pointed out that the topic of risk was added to the latest edition of ISO 9001 (in the form of "risk-based thinking") without a lot of guidance to auditors. How are we supposed to check that the organization is practicing risk-based thinking? Is it good enough if the CEO says "Sure, I think about risks every morning while I'm driving to work"?

Still others talked about the advances in technology that obsoleted some assumptions behind the earlier standard, or about the challenges they faced auditing Context of the organization or Interested parties.

And then out of these thoughts came some suggestions for concrete changes:

• The experience of the COVID-19 pandemic led some people to hope for clear guidance on how to conduct remote audits.
• The fact of the London Declaration (that all ISO standards must consider climate topics) led others to hope for clear guidance how to audit for climate awareness. We all know that a hamburger stand has a different climate footprint from a chemical plant: so what should auditors look for?
• The proliferation of integrated management systems inclined some people to ask for more clarification on auditor competence requirements.
• The discussion of risk meant that others looked for the standard to address the nature of disruptive events, and what evidence auditors can accept to prove that an organization has met the challenge of these events adequately.
• Advances in technology drove some people to want guidance on cybersecurity topics, or on data science.
• Perplexity over Context of the organization and Interested parties led others to hope for guidance on, for example, auditing ESG (Environmental, social, and governance) topics.

There were also a couple of specific technical suggestions to make this diagram or that annex clearer than they are today.

These are the suggestions I've heard people make over the last few months. Now it's your turn. What updates do YOU want to see?

Please leave a comment and let me know.

          

What words would YOU add?

Last week I asked you what changes you would make to the ISO 9001 standard if it were up to you, and I described some of the suggestions I've heard from other people. But ISO 9001 doesn't sit in a vacuum. There is a whole constellation of related standards to consider as well. What about those? Would you like to update them too?

Let's look at a couple in particular. This week I want to ask about ISO 9000, Quality management systems – Fundamentals and vocabulary. Then next week I'll ask about ISO 19011, Guidelines for auditing management systems. In both cases, I'll tell you some of the things I've heard other people suggest, and I'll ask you to consider what changes YOU think are important.

So what about ISO 9000? This standard explains the "fundamentals" of quality management systems. This means it contains short descriptions (from a paragraph to a short essay) about the foundational concepts of quality—concepts like "customer focus" or "process approach"—and then it contains a long section of formal definitions. These definitions are then used across the whole family of related standards. As the Scope section of ISO 9000 states, "This International Standard specifies the terms and definitions that apply to all quality management and quality management system standards developed by ISO/TC 176."

So if we update ISO 9000, that means adding (or removing) concepts and definitions related to quality management systems. Therefore my question to you can be rephrased as, "What new concepts or definitions do you think we need to clarify or define in order to talk unambiguously about quality management systems? What new words do we need to add to the QMS dictionary?"

To be clear, there are no current plans to update ISO 9000. But that doesn't stop people from thinking about things they'd like to see. What follows are some of the suggestions I've heard from other people over the last few months. Meanwhile I'd like you to think about your own suggestions, and add them in the comments.

Adding new topics

Some of the words that I've heard suggested relate to topics that simply have not been addressed by quality management systems before now. Climate change is prominent on this list, of course. One person actually said it would be better to discuss climate change in ISO 9000 than in ISO 9001, because ISO 9000 could provide a conceptual explanation without having to get tangled up in specifying requirements for certification. (And of course most of the pushback related to discussions of climate change are tied to how certification requirements might change.) Another new term that came up in the same conversation was circular economy. Here the idea was that the concept of a circular economy can improve business performance once we reclassify anything thrown away—anywhere in the supply chain—as "waste."

The world's experience with COVID-19 prompted some other proposals, among them remote work and remote audit. Also, while the concept of a supply chain is not new, I've heard the idea that we should rethink how we approach it. In particular, one person said we should think about securing the supply chain. I think his exact words were, "Inventory is not always bad."

Emerging technologies inspired several proposed new concepts, including artificial intelligence and machine learning. In the same way, I heard several ideas for terms in the conceptual space around obsolescence. Rounding out the theme of change were suggestions like agility and demographic change.

Finally, I heard more than once the thought that ISO 9000 should clearly explain the concepts of ethics and integrity, along with organizational culture. Longtime readers may remember that I took up the question late last year whether the ISO 9000 family of standards needs a regulation about ethics, but the idea is ever-fresh.

Developing current topics

Then there were suggestions which did not so much propose new concepts, but asked for a fuller explanation of existing ones. Some of the concepts that I've heard people talk about include:

• Management system standard integration, since it is becoming ever more common for organizations to implement a single integrated management system that complies with multiple standards at once. (Commonly these include ISO 9001, ISO 14001, and ISO 45001.)
• Knowledge management, since the concept was introduced into the 2015 edition of ISO 9001 without much preparation or explanation. One person suggested that knowledge management could be combined with control of documents and records in a more general concept of access to information.
• Customer experience, as a more general category than customer satisfaction. After all, so the argument went, the absence of complaints doesn't necessarily mean the customer is happy. Someone else went even farther and said we should start to consider customer empathy.
• People aspects, as a broader category than performance management. The idea here was that if ISO 9000 takes seriously the concept engagement of people, then there are many angles to consider, relating (for example) to values as much as to objective working conditions.

Should ISO 9000 be updated at all?

Finally, some of the people I spoke to addressed the question whether ISO 9000 should be updated at all. Even here there was not universal agreement.

The arguments in favor of changing ISO 9000 were mostly straightforward. There are new concepts relevant to the implementation of quality management systems, there are new technologies that the standard has to account for, and there are concepts which have been inadequately clarified up till now. Other people pointed out that there have been discussions whether to make changes to ISO 9001, and any changes there will involve concepts that have to be reflected in ISO 9000.

But it was around this last idea that I also heard some voices of caution. After all, they pointed out, it is possible that ISO 9001 might not change. In that case, it would be risky to change ISO 9000, because new definitions might change the meaning of the ISO 9001 requirements even though the text itself remained untouched. Clearly users of the ISO 9001 standard would see such an outcome as (at best!) a dirty trick on the part of the committee, and so we should be careful not to let it happen.

 

So there are the suggestions I have heard for updating ISO 9000. Once again, now it's your turn. How would YOU update ISO 9000 if it were up to you?

Please leave a comment and let me know.

           

How would YOU change ISO 9001?

Let me start by saying that there are no current plans to update ISO 9001. ISO's technical committees review each standard every so often, and at the last review of ISO 9001 the vote was (by a narrow majority) to leave it as-is. I do not know the date of the next review.

But that doesn't stop people from having ideas about things that they'd like to see changed or improved. We've all got opinions about things we'd like to see changed in the world. And for those of us in the Quality business, it's no surprise if some of those opinions have to do with the international Quality standards. Why wouldn't they?

Over the last several months, I've talked and listened to a number of people about this subject, and I've heard a lot of different opinions, both pro and con. So I thought today I'd just list some of the ideas I've heard, to give you an idea of the thinking that's out there in the world right now. And while you are reading, please ask yourself: How would YOU change ISO 9001, if it were up to you?

Please leave comments with your answers. I'd love to get a discussion going.

Address new topics

A lot of the people I've talked or listened to expressed that they would like to see ISO 9001 address topics where it is currently silent. 

• One person wanted to see a better focus on business continuity management, because it is hard to ensure that you can perform reliably when you are at risk from any unexpected disaster. 
• Another wished that ISO 9001 would tie process requirements to business results, so that leaders can see right away their return on any investment in their Quality Management System. 
• A third pointed out that many different sectors of the economy write their own sector-specific standards based on ISO 9001, and added that we could slow the proliferation of this forest of specific standards if ISO 9001 itself took some cognizance of the needs of these sectors. 
• And a fourth suggested that since ISO 9001 is so widely-accepted around the world, maybe it's time to "raise the bar" so that it no longer represents a "bare minimum" set of requirements.*

Quite a few people said that their opinions were based on the world's experience with COVID-19 over the last few years. They pointed out that the lessons from COVID-19 extend far beyond simple business continuity management to touch topics like workforce relations and supply chain disruption. And it goes farther than that. We all know there is a direct linkage between the Context of your Organization (COTO) and your risks; so just as COVID-19 showed us risks we might not have thought of before, it also suggested another dimension to our COTO analyses.

Some organizations have made the switch to a work-from-home (WFH) model, or else a hybrid between WFH and in-office work. Does that change how we engage with our workforce? It might—and so I've heard people suggest that we need to revisit Clause 5 (Leadership) and Clause 7 (Support). Likewise, some registrars are doing a large number of remote audits, which argues for a review of all the guidance to auditors. What is more, organizations with multiple locations are making greater use of remote internal audits, which suggests that we had better review Clause 9.2 (Internal Audit).

Of course, climate change is currently the occasion of much debate, and I've discussed it before in this venue (see here, here, and here). Since the London Declaration specifically commits the ISO to "foster the active consideration of climate science and associated transitions in the development of all new and revised International Standards and publications," some people have argued that there is now a strict requirement to update all standards (for example, ISO 9001) to include verbiage with the word "climate." Others have replied that "active consideration" doesn't have to require changing the text, so long as the committee can prove that they have fully evaluated all sides of the issue. The last time I heard any news on this question, it had not been definitively resolved.

Make editorial improvements

Other suggestions have been of a narrower and more practical sort. 

• There are some clauses that always generate requests for a formal interpretation. There are others that users regularly say they find hard to implement.** Why don't we rewrite these to make them simpler and easier? 
• Someone else pointed out that there are non-prescriptive clauses in the standard which are very hard to audit.*** Maybe we could rewrite these to be easier on auditors? 
• A third person made the much bolder suggestion, "Why don't we just merge ISO 9000 into ISO 9001, instead of requiring so many references back and forth?"****

These are what I mean by "editorial improvements," and for the most part (except maybe that last one) I think they are pretty uncontroversial.

Think about how users see the standard

Some of the ideas I've heard have been more focused on protecting ISO 9001's "brand integrity," or making sure that users continue to see it in a favorable light. One of these came from someone who posed it as a rhetorical question this way: "Any time we decide to update a standard, it takes so long to get it through the review and approval cycle that if we don't hurry up and decide to change something the next edition won't come out till 2030. And who's going to take the standard seriously if it's15 years old?"

On the other hand, it was from people concerned with brand integrity that I heard the most cautionary voices against updating ISO 9001. These were people who all argued, in one way or another, that any change creates churn and uncertainty in industry, drives up supply chain costs, and introduces risk. So unless there is a compelling reason that forces a change, these people argued that the user base will see minor updates as frivolous and this will weaken the standard's prestige. Even people who acknowledged that there are big suggestions on the table—some of the "new topics" I listed above could potentially be huge—followed up by saying that there is no consensus on these topics across the relevant committees, so the warring opinions might cancel each other out and leave us with nothing but the editorial changes that are easy to agree on.

Other thoughts

Finally, a couple of people pointed out that a new edition of ISO 9001 would mean good financial news for ISO, because they sell copies of the standard; and also for consultants and trainers, who could sell more training courses. In almost the same breath, they admitted that the user community would probably resent having to buy an updated edition and pay for all those classes. So the financial argument supports both Pro and Con.

So there's a list of thoughts I've heard from people. I might have missed one or two, but I think it's pretty substantial anyway.

Now I want to hear from you. What's YOUR opinion on changing the standard? How would YOU change ISO 9001, if it were up to you?

Please leave a comment and let me know.

__________

* I didn't have the time right then to discuss this suggestion in detail with the person who proposed it; but in retrospect my own opinion is that we will always need something to define the "bare minimum" acceptable Quality requirements, so that we know the difference between "good enough to squeak by" and "bad enough you have to reject them." If we don't use ISO 9001 for this job, it has to be something else. But in that case, what? And until we define that "something else" I think we have to keep using ISO 9001 to fill that role.    

** Sorry, I didn't think to jot down a list of examples at the time, so I can't offer you one.   

*** Clause 7.4 (Communication) is an example, because it asks the organization to determine something but gives no requirement to document the determination in any kind of record or other auditable artifact.  

**** My only comment on this suggestion is that it would more than double the length of ISO 9001.