ISO 9001 - What is in IT for me?
By Govind Ramu, Sr. Director, Global Quality Management Systems, SunPower Corporation
The international standard requires the organization to determine external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. Examples of external issues could be threats to information security and the availability of key talent due to changes in immigration policies. Internal issues could include a lack of IT infrastructure to support strategic goals and objectives. Items in this category are typically reviewed during the strategic planning process.
Interested parties and requirements
Another ISO 9001 requirement is to identify all relevant interested parties for your management systems and their requirements. For an IT team, typically interested parties are the organization’s customers, internal users (employees), subcontractors, outsourced services providers, the organization’s shareholders (or owners), regulatory bodies, and even your competition and Political groups and lobbyists. All these interested parties have requirements. An organization’s customers and internal users require a secure and reliable IT system. Subcontractors and outsource providers require clearly defined statements of work, service level agreements and details around the satisfaction of economic benefits. Shareholders and owners want to ensure a return on their investment and increasing growth of market share and profits. Regulatory bodies require organizations to comply with regulations. Competitors want to leap ahead. In gathering adequate market intelligence, your organization requires outpacing the competition. Your policy management team should keep themselves abreast of market changes like net neutrality and privacy policies to assess the impact to your business. By helping your IT team to brainstorm, identifying all relevant interested parties applicable to your organization and their requirements, you will develop a management system that is both customer-focused and business value added.
The standard also assigns top management with the responsibility of demonstrating leadership for and commitment to the quality management system. This is accomplished by ensuring that the resources needed for the quality management system are available to staff. The resources include people, process, infrastructure, software, hardware, mobility, storage, work environment, and anything else required to make your organization’s system more effective.
One of the key concepts added to the 2015 version is “risk-based thinking.” Annex A.4 of ISO 9001 states that “One of the key purposes of a quality management system is to act as a preventive tool.” In order to prevent major issues, proactively anticipate issues, and exploit new opportunities, your organization should periodically identify new risks, evaluate existing risks, and plan actions to address these risks and opportunities.
Organizations, customers and internal users require a secure and reliable IT system
With the current revision, the ISO 9001 standard finally caught up to electronic documentation and data management. It now requires control measures to ensure that documented information is “adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity).” This may involve security features like biometrics, data encryption where required, the reliability of storage infrastructure, and protection of intellectual property assets.
The ISO 9001 standard requires organizations to determine, provide, and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services. If you are a manufacturing organization, your IT infrastructure should provide adequate inline inspection and testing solutions to ensure conformity to requirements. This software requires configuration management control, compatibility with an operating environment, and resources to periodically update the application with new requirements from customers and other interested parties. For a service organization, the IT infrastructure could offer customers 24 X 7 access to a web portal to place an order and engage in transactions without compromise to personal data. Any issues could potentially result in customer dissatisfaction and loss of market share.
This is a new requirement to which the IT function can very much relate. The standard requires that organizations determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. While this applies both to an organization’s core products and services and to support functions like IT, the main question here is how IT can help support the management of organizational knowledge. Organizations rarely learn from their past experience. This is not because people are reluctant. Rather, in most cases, there is no designed infrastructure to enable such learning. Products fail at the field and customers complain about poor services. Organizations perform extensive analysis on such failures and collect knowledge. However, the feedback loop connecting such knowledge and learning to the front-end planning and design of products and service offerings is often ineffective.
There are many quality management system software applications in the market. These applications address common business processes and I have yet to see one that captures knowledge and makes it available to target employees when and where required. Typically, organizations workaround this need by circulating whitepapers, holding internal meetings, or reacting to accidental encounters with affected work groups. IT can play a key role in making connections (where possible in real time) so organizations can prevent recurring issues that typically account for a huge percentage of the cost of poor quality and erode profit margins. Once issues start to recur too often, people become numb to them, and the natural tendency is to contain the impact rather than solve them once and for all to prevent recurrence. People are willing to live with an expensive containment. From my experience as a quality professional, this is mainly due to lack of sharing the lessons learned from earlier experiences.
How can the IT function help collect new knowledge, maintain existing knowledge, and review knowledge periodically to address changing needs and trends, keeping an organization’s knowledge current? What is the best way to disseminate necessary knowledge “on demand” to employees to deliver quality products and services? Once an organization’s top management and head of the IT function figure this out, organizations will start to see reduced waste, improved productivity, growth of the bottom line, and enhanced customer satisfaction.
In summary, ISO 9001 is not a standalone quality function. It is the way that we all do business. ISO 9001 is applicable to all functions, departments, processes, and employees in an organization, and IT is not an exception. I recommend that you sit with your organization’s head of quality and start the conversation. You will be delighted to know what we have in common in meeting quality and keeping our customers happy!