Planning in ISO 9001:2015

Planning in all previous versions of the quality standards was considered a bit of neglect. Now, this will change.

There was however a point 5.4. Planning, which consisted of [ISO 9001:2008]:

  • 5.4.1. Qualiy objectives
  • 5.4.2. Quality management system planning.

In addition, in chapter 7 there was point 7.1. Planning of product realization. However, the requirements of those points were very vague. As a result, if the company was planning anything, it met these requirements.

The new requirements

First of all, the organization is expected to implementing a quality management system will take into account context of the organization (I wrote about it in the text Organization and its context in ISO 9001:2015) and identify risks and opportunities that need to be addressed to [ISO 9001:2015, p. 4]:

  • Ensure the achievement of the intended quality management system results,
  • Enhance desirable effects,
  • Prevent or reduce undesired effects
  • Achieve improvement.

Therefore, it is not enough to have any plan. Now the following is required:

  • Identification of risks,
  • Identification of opportunities,
  • Analysis of opportunities and risks.
  • Planning of activities according to the results of analysis,
  • Integration of activities with the quality management system,
  • Evaluation of the effectiveness of actions taken.

Some readers probably already yearn for preventive action. Earlier it was possible to fill a table once a year and continue to pretend that the system works.

How to meet the requirements?

First, we need a simple and flexible approach to risk management. Organizations that already manage risks (financial, information security, others) over the years have developed own tools. If your organization does not have any, at the beginning a very good tool is a Failure Mode and Effects Analysis (FMEA). On the CEOpedia website you will find an article describing the use of this method.

FMEA provides us with information about risk factors and opportunities. It tells us also whether they are relevant (FMEA estimates: probability of occurrence, the difficulty of identification and the importance of consequences). Based on this information you can prepare plan. Please note that the scale of actions should be appropriate to the importance of the risks and opportunities.

Hint on how to prepare plan can be found in point 6.2.2 of the standard. It shows the way of describing the quality objectives. "Removal or minimization of the risks" and the "use of chance" are just the quality objectives. Therefore, the plan should specify:

  • What it is to be done,
  • What resources will be required (financial, material, knowledge, etc.),
  • Who will be responsible for the effects,
  • When should it be finished,
  • How the results will be evaluated.

Such a simple plan of response to a risk or a opportunity can fit on one page. CEO can approve it and can simultaneously allocate adequate resources for implementation. The effectiveness of actions should be evaluated based on:

  • Risk factor - a decrease in the probability, reduced relevance of the effect,
  • Opportunity - the volume of the benefits obtained as a result of its use.

Evaluation of new requirements

The new standard places higher demands on companies. The quality management system should work, not just be on paper. It reduces bureaucratic requirements. At the same time, however, it places greater emphasis on good management.

For further reading see Risk Management in ISO standards.

Concluding remarks

  1. If your organization already have a risk management process, it is best to use it. There is no sense to create several parallel processes.
  2. The risk management process works better when small fragments of the organization are analysed frequently. A extensive review of risks, e.g. connected to the management review, will not work well.

Photo: Sarah Ross, Flickr, CC