Wednesday, March 03, 2010

Are you not getting an ROI from your ISO system? NEW: The Management Review Dashboard!

Do you feel like you need to revitalize your management review meetings?
Do you have ineffective ISO management review meetings?
Is your ISO system stuck in a rut?
Do you realize all of the improvement that your ISO system is capable of providing?
Are your management review meetings a long, drawn-out waste of time?
Are you meeting your quality objectives? Do you even know how those objectives are trending month-to-month?
Does your management team tend to “kill the messenger” during management review meetings?
Are there issues in the company you just can’t seem to get a handle on?
As the quality manager, do you feel like you are the police and you are just heaping out bad news?
Do you even know if you are on the right track?

Finally a simple tool to help pull everything together…

The Management Review Meeting Dashboard

This automated, data driven tool, plus the shortened and formal ISO MR Meeting Agenda and the MR Meeting Tips for Success Guide, will put the train back on the tracks and stabilize your ISO system improvement metrics and audit results communication format.

What you get and why:

First, the ISO MR Meeting Agenda…if you are going to revitalize how your company runs its management review meetings with a new tool, then it's best not to use the same old agenda.

Second, the MR Meeting Tips for Success Guide…this guide gives you an interpretation of the standard's reasoning behind management review meetings, offers tips for MR meeting success, and lays out common pitfalls to avoid. The guide was written by a member of The US TAG to ISO/TC 176 and the ISO 9001 Interpretations committee.

Last, the Management Review Dashboard…this easy to use application built with Microsoft Excel helps drive continual improvement and provides a window into your business metrics. The ability to see how your business is performing by using a dashboard will allow you to focus in on the areas necessary for improvement and will prevent you from wasting time in areas that are non-value added and that become time wasters.

View a video demo of the Management Review Dashboard here: (be sure to switch to full-screen mode at the start so you can see the detail of the Excel cells)


These three items are applicable to any business and any ISO standard. Even companies who are not registered to an ISO standard can use this tool to drive improvement and see their internal business trends.

The Management Review Dashboard, Agenda and Guide are $599.00.

Copy and paste the following link into your browser to order: http://www.shareit.com/product.html?productid=300378252


Monday, March 24, 2008

Why does confusion reign with records? A look at Records Management

ISO 9001:2000 addresses the control of records, but only includes three sentences of requirements:

1. Records must be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.
2. Records must remain legible, readily identifiable and retrievable.
3. A documented procedure must be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.

If you want to know more about records management than is included in ISO 9001:2000, you should look at ISO 15489-1:2001, Information and Documentation - Records Management.

Records:
According to ISO 15489-1:2001, records are information created, received, and maintained as evidence in pursuance of legal obligations or in the transaction of business. Records contain information that is a valuable resource and an important business asset. A systematic approach to managing these records is essential to protect and preserve them as evidence of actions.

A records management system results in a source of information about business activities that can support subsequent activities and business decisions, as well as ensure accountability to present and future stakeholders.

Records Management:
ISO 15489-1 defines records management as the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of, and information about, business activities and transactions in the form of records.

Policy:
Organizations should define and document a policy for records management. The objective of the policy should be to create and manage authentic, reliable and usable records that are capable of supporting business functions and activities for as long as they are required.

Authenticity:
An authentic record is one that can be proven to 1) be what it claims to be, 2) be created or sent by the person purported to have created or sent it, and 3) be created or sent at the time indicated. To ensure the authenticity of records, an organization should implement and document policies and procedures that control the creation, receipt, transmission, maintenance, and disposition of records.

Record policies and procedures should ensure that record creators are identified and authorized, and that records are protected against unauthorized addition, deletion, alteration, use, and concealment.

Reliability:
A reliable record is one whose contents can be trusted as a full and accurate representation of the applicable transactions, activities, or facts. It can be depended upon during subsequent transactions or activities. Records should be created at the time of the related transaction or incident, or soon afterwards, by individuals who have direct knowledge of the facts, or by instruments routinely used within the business to conduct the transaction.

The system that manages the records should be capable of continuous and regular operation in accordance with applicable procedures and provide ready access to all relevant records.

Integrity:
The integrity of a record refers to its being complete and unaltered. Records must be protected against unauthorized changes. Policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances they may be authorized, and who is authorized to make them. Any annotation, addition, or deletion of a record should be explicitly indicated and traceable.

The record system should include controls for access monitoring, user verification, authorized destruction, and security to prevent unauthorized access, destruction, alteration, or removal of records.

Usability:
A usable record is one that can be located, retrieved, presented, and interpreted. The record should be capable of being connected to the business activity or transaction that produced it.

While you will probably never have an audit of your QMS or EMS delving as deeply into Record Control as the above might indicate, I would suggest an Opportunity for Improvement based upon ISO 15489-1. Use the document to ensure that you have legal, secure and manageable records.


Thursday, January 24, 2008

Is an “eAudit” in Your Company’s Future?

With the increasing use of the internet for the operation and control of management systems, first, second and third party auditors need to consider new ways to efficiently and effectively verify conformity to quality & environmental management system criteria.

The most obvious example would be multi-site organizations. Audits could include remote access to electronic documents and records to save travel time and dollars. Furthermore, the remote access can be carried out without taking the time of anyone at that remote facility.

Some organizations are already conducting remote audits using collaboration tools like Plexus Online and eAuditPack (TM). To evaluate how these e-Audits work, we can see how a remote audit would examine the four primary types of evidence: Documents, Observations, Records and Interviews:

Documents: With the proper authorization, auditors review the remote location's electronic documents while planning the audit and also see them during the execution of the audit. However, use of a collaboration tool and/or a teleconference does not allow the auditors to see if any uncontrolled or obsolete documents are in use.

Observations: Since the audit is remote and cameras are not available for full viewing of the facility, auditors are not able to see if the work is being done per the organization’s planned arrangements and, just as important, what’s going on around the area being audited. So, evaluating conformity is limited to what can be judged through interviews and electronic records. Auditors do not see poor housekeeping at the site or observe body language during interviews.

Records: If an organization creates electronic records and scans hardcopy records into electronic format, these records are available for remote access by the auditor. However, some companies may have a significant number of completed forms that are kept as hardcopy records. Even if the auditor requests some of these hardcopy records be scanned for the audit, the auditor would not be actually selecting the sampled records.

Interviews: In many traditional audits, the employee being interviewed can be reluctant to have their answers recorded electronically. As a result, an auditor will write an abbreviated version of the comments in the audit notes.

In the case of the remote audit I conducted from Dayton of an organization in Brazil, we used a telephone to speak to each other and electronic transmission of records. The conversation was not recorded. I captured the responses in my notes, as with a traditional audit. However, I wasn’t able to observe the body language during the interview. Even if a video feed had been available, what could have been gained through observation would have been limited.

Auditor Competence
The auditors must have the necessary competence to carry out an e-Audit. They will need time allocated to familiarize themselves with the electronic management system and collaboration tool. The auditors must be given the access instructions and security clearances needed to view the relevant documents and records. And, the auditors must be reminded of the need to protect the confidentiality of the electronic data during and after the audit (Client property!).


Third Party Audits
What about the use of e-Audits by certification bodies? Will the duration of third-party surveillance audits be reduced by, or in some cases be replaced by, remote audits? Let's look at what the ANAB accrediting body has to say on the subject:


ANAB Advisory 1
The ANSI-ASQ National Accreditation Board (ANAB) has issued an Advisory that states it supports a certification body (CB) applying the Advanced Surveillance and Reassessment Procedures (ASRP) and Computer-Assisted Audit Techniques (CAAT) described in the International Accreditation Forum (IAF) guidance documents. The Advisory explains that the application of ASRP and/or CAAT will vary for each CB and for each client depending upon the capabilities of the CB and client; therefore, each application must be reviewed and approved by the Accreditation Committee of the Accreditation Council.


1. The CB must document its proposed ASRP or CAAT audit program for the client, consistent with the applicable IAF guidance.
2. The CB must document how the audit program varies because of ASRP or CAAT (i.e., how it varies from an audit program for the same client without ASRP or CAAT).
3. The proposal must be reviewed and accepted by the ANAB executive assessment team leader prior to its submission to an Accreditation Committee of the Accreditation Council.
4. The CB and its client must make a presentation to the Accreditation Committee at a face-to-face meeting or by electronic means explaining the program and answering any questions.
5. Immediately following the presentation, the CB and its client will be dismissed, and the Accreditation Committee will make its decision, which may or may not include conditions, to accept or reject the ASRP and/or CAAT program for the CB's client.

The decision and any conditions will be promptly communicated to the CB. The ASRP and/or CAAT process must not be used for any industry sector program unless the industry group has specifically stated it may be used for its program.

So, ANAB supports e-Auditing, but certification bodies have a detailed process to follow to gain approval for its use.

We can see what the International Accreditation Forum (IAF) says on the subject.


IAF GD2:2005
According to the IAF guidance document GD2:2005, if remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the organization's processes are used to interface with the organization, these activities should be identified in the assessment plan and may be considered as partially contributing to the total on-site auditor time.

If the certification body (CB) prepares an audit plan for which the remote auditing activities represent more than 30% of the planned on-site auditor time, the CB must justify the audit plan and obtain specific approval from their accreditation body prior to its implementation.

On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization's premises. Regardless of the remote auditing techniques used, the organization must be physically visited at least annually.

Is an eAudit in your company’s future? Absolutely! However, there is still a lot of planning and thought that must go into the implementation of eAudits to ensure their effectiveness.


Scope Statements on Registration Certificates

Many of our clients struggle with developing a Scope for inclusion in their Quality Manual. Some manuals that I have seen say something like “Our Quality System conforms to ISO 9000.” Unfortunately, while it’s true, that’s not a valid statement for a Scope. Here’s the “official” interpretation of that requirement.


The International Accreditation Forum (IAF) has issued the following guidance for registration certificates:

Certificates issued to ISO 9001:2000 shall state clearly in words the scope of the quality management system in a way that will not mislead customers, and shall ensure that information is available for the user to determine which categories of product and product realization processes are included within the scope of registration. (Emphasis added)


In particular, scope statements shall be explicit in stating the responsibility for product design and development and other principal realization processes, such as, manufacturing, sales, and service.

The exclusion of clause 7 requirements may relate to all or only some of the product categories that are within the scope of the quality management system. Justification for excluding these requirements must be given in the quality manual and the registration body must review the validity of any such exclusions during certification and surveillance audits.

If the organization has responsibility for (and realizes or outsources) the design and development process, the scope statement for registration must include the words "Design of ...", "Development of ...", or "Design and development of ...".

According to the IAF, the following sentence must appear on all certificates issued to ISO 9001:2000:

"Further clarifications regarding the scope of this certificate and the applicability of ISO 9001:2000 requirements may be obtained by consulting the organization."
(Registrars always miss this one!)

How does your Scope measure up? Email me a copy for a FREE analysis at george@4iqc.com
