What's "proportionate"?

When the ISO 9001 standard requires you to take action to address your risks and opportunities, it includes this admonition in clause 6.1.2: Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

OK, I guess that's fine, but what does it mean? What does it take for your actions to be "proportionate" to the risks they address?

The word is never defined—or at any rate, neither ISO 9001 nor ISO 9000 define it. But intuitively I think we all have a sense for what it means, don't we? The basic idea is ancient: Nothing in excess.* If you face a risk that might, at worst, cost you $100, then it is foolish to spend $1000 to prevent it. That cost, or that level of effort, is disproportionate to the $100 downside that you face from the unmitigated risk. Most of the time, we probably don't need a definition more exact than that.

But "sometimes the clearest way to explain what a rangatang [sic] is, is to 'tell what it ain't.'"** A couple of months ago, I stumbled upon a blog post from 2016 that explains the concept of disproportionality with crystal clarity. The author of the post—Quinn Dunki of Blondihacks—just wanted to set up an automated cat feeder, so that her cat would be fed on time and she didn't have to watch the clock every day. Simple, right?

Turns out her cat had a different idea. Her cat's idea was, "How do I get this machine to give me more food than Quinn wants me to have?" So Quinn had to make some adaptations to her automated cat feeder, to protect it from the prying paws of her cat. As she says at the opening of her blog post, "The trick is to be smarter than the animal with a brain the size of a walnut."

But of course, Quinn worked on this problem part-time, and her cat worked on it full-time. 

You can read the results here.

In the end, Quinn won. But I'm pretty sure nobody would say that the effort she expended was proportional either to the benefits she gained or to the risks she was avoiding.

Verbum sapienti sat. 

__________

* "Μηδὲν ἄγαν" was one of the three proverbs said to have been inscribed at the entrance to the Greek temple at Delphi. See here for more information.  

** Owen Ulph, The Fiddleback: Lore of the Line Camp (San Francisco: Browntrout Publishers, 1995), p. 23.      

How do you prove "consideration"?

How many times have you seen departments do things that don't help them any, just because it's easier for the auditor once a year? I've seen it too often to count, and it's never the right thing to do. Oh sure, in a sense I appreciate it when I'm the auditor. But also, it's really unnecessary. I've audited a lot of departments over the years, and they've done things a lot of different ways. If it works better for you the other 364 days of the year to do this rather than that, … well, as long as it meets the rules I can probably figure it out.

I was thinking about this recently while talking to someone about the rules for management review. Right now, ISO 9001:2015, clause 9.3.2 states, "The management review shall be planned and carried out taking into consideration"—and then there follows a long list of topics, (a) through (f), where item (c) is further divided into seven subtopics. It's a comprehensive list. Anyway, my friend was saying he wishes the ISO would change this requirement to say that management review must explicitly include all these topics, because "How are you supposed to prove consideration to an auditor?" What he meant, of course, was that if the agenda for management review were required to include every one of these topics and subtopics, it would be easy to show that you had "considered" them all.

Long-time readers may remember that I think this is a terrible idea! The biggest risk in any management review is that the participants are likely to get bored. To avoid boring them, cut out everything you can. Discuss only the pain points that have to be resolved by the specific participants of this meeting. That means that if your internal audits or your supplier evaluations are all green, it's enough to wave your hand and say so; you don't have to drag the attendees through an itemized list of each one. Spend your time instead explaining that it's time to buy a new widget-stamping machine, because the old one slides out of alignment once a month like clockwork and the rework costs are eating you alive. 

But of course you still have to pass that audit once a year, so how are you going to do it? It's all very well for me to say that you shouldn't rearrange your whole management review just for the convenience of the auditor, but you are going to have to show some kind of objective evidence. What will it be?

Do it like this.

First, as you prepare the meeting, go through every single one of those topics listed in clause 9.3.2, and document where it stands right now. (You have to do that anyway in order to find out where your pain points are, since those are the topics you will discuss.)  

Second, while you are conducting the meeting, keep all this material handy where you can reach it. Maybe this means it's stored electronically just one click away, or maybe it's on paper in a notebook on the desk next to you. But just in case someone brings up a question about one of those topics you thought you could afford to skip, make sure the data is immediately available.

Third, store all this data as a permanent Quality record, together with the minutes from the management review meeting that it supported.

Fourth, ask your internal auditors to look for this data when they audit the management review process, just to keep you honest. 😃 Naturally whoever audits the Quality function doesn't work for you—do they??—so if you make a mistake they won't be shy about writing it up.

And finally Fifth, when the external auditor visits, pull out all this stored data as proof that you really did consider all the topics listed in the standard. Then you can explain why you tailored the agenda to address the problems that really needed management attention, and why you skipped over all the topics that were functioning smoothly because they were just business as usual. 

Simple. Straightforward. And you don't need to "include" all those topics in the review in order to "consider" them.