I am troubled by the tendency by some, especially those in TC 176, to claim mastery over risk-based thinking (RBT) and ISO 9001:2015 when it is physically impossible for them to have had any experience in implementing it, since it was only published a few months ago. That hasn’t stopped them from publishing books, writing articles, holding webinars and giving speeches declaring — as fact — their expertise in the area, and their plans for implementing RBT. In some cases, they have gone so far as to make various claims of having done RBT for a decade prior to it ever having been mentioned anywhere in the world; a neat trick, which one can assume only means they have invented a time machine.

In truth, this means that rather than actually doing any work related to RBT, they were busy writing books about it instead. Of course, they will successfully hoodwink most readers, who seem to trust any credential that anyone claims for themselves, without scrutiny. A sad state of affairs, but it bodes well for my announcement of having achieved a Nobel Prize in Nuclear Brain Archaeology and Psychobiological Genetics.

Meanwhile, some of us are actually doing the work associated with implementing ISO 9001:2015. Oxebridge is now on its tenth client for ISO 9001:2015, with the majority of those being upgraded systems from ISO 9001:2008, and a handful being new implementations in companies with no pre-existing QMS. About half of those were done under the FDIS version of the standard, and the others have been underway since the publication of the final standard. For those that have undergone audits by their registrars (CBs) so far, all passed with flying colors, but not necessarily for the reasons you would expect. Keep reading.

So based on those experiences, here’s a bullet list of some feedback points we have culled together so far, in no particular order:

  1. Clients are getting good reviews from CB auditors because the auditors don’t know what they are looking for. Oxebridge uses its COTO approach (documented here), heavily tailored for each client, but which seeks to dramatically hit home every ISO 9001 requirement related to context of the organization and risk-based thinking, taking a literal interpretation of the standard whenever possible. This is done by documenting the company’s Strategic Direction in the minutes of management review, as well as creating an Issues Log of interested parties, issues of concern, risks and opportunities, and finally a Risk Register of risks for those (few) risks where an FMEA-style approach would work when applying mitigation. As expected, the auditors fixate on FMEA, which comprises maybe 10% of the total implementation approach, and are surprised to see the rest of RBT and COTO so well defined. This isn’t a bragging point, it’s a denunciation of the complete lack of readiness on the part of CB auditors, who don’t know what they are looking for, so are willing to buy off on anything that seems to have the right words in the right order.
  2. RBT is raising the same auditor problems that “risk management” did in AS9100. Under the aerospace standard AS9100, which has had a requirement for risk management since 2009, CB auditors have routinely attempted to trip up clients by dreaming up risks on the spot, and seeing if they could imagine one that the client hadn’t thought of. Then, if they can think one up, they write a minor finding for an “ineffective risk management process.” It’s very early yet, but we are seeing the ISO 9001 auditors do the same thing, in some cases because those auditors are also AS9100 auditors. It’s a disgusting practice, and it relies on the fact that risks are infinite, so any auditor may always dream up some risk the client hadn’t thought of, or dismissed as irrelevant, given enough time. “Did you consider the risk of an asteroid hitting your corporate HQ?” It’s also a violation of accreditation rules, and Oxebridge has been successful in getting about half of such findings thrown out entirely. Now the problem stands to infect the ISO 9001 world as well, but don’t worry: the CBs are not about to de-certify their clients over this, just issue enough minor nonconformities to make it appear as if they are doing something, and possibly generate a little extra revenue from “NCR processing fees.”
  3. No one likes risk-based thinking as it is worded in the standard. Nearly universally, the clients are reporting they cannot understand the RBT language in the ISO 9001:2015 standard. They utterly rely on Oxebridge to interpret it for them, and at least half of the clients so far have a hostile reaction to it. The others are either ambivalent or resigned. No one is excited by RBT… no one. While they understand that ISO was trying to create a flexible form of “risk management lite” they vociferously denounce the way it is defined in the standard, saying it is completely unclear, and devoid of simple requirements. Nearly everyone says the ISO 9001 standard does a poor job in explaining why it’s included in the first place.
  4. COTO gets mixed reviews. I like the new addition of “context of the organization” since, as I have said, it forces a company to understand itself before it attempts to understand ISO 9001. It also allows us to consider more stakeholders than just customers, so we can give a little attention to other parties such as vendors, regulators, the public and the oft-forgotten employees. But my enthusiasm isn’t universally shared with the clients; in fact, it’s been polarizing. About half report it’s a wasteful exercise, teaching them nothing they didn’t already know. The other half find it an eye-opening exercise that really improves their management review activities. So I am interested to gut-check this again after, say, client #50.
  5. Emotionally protective workplace? Yeah, right. Clients nearly universally laugh at the language suggesting the workplace should be “nondiscriminatory, calm and emotionally protective.” Some acknowledge they could get sued if they tried to do anything in this regard. The CB auditors, thankfully, have not mentioned it at all, apparently not even aware that the language exists in the standard. Or maybe they were told to stand down on this one?
  6. Lack of preventive action is a problem. For my clients who already had an Oxebridge-style corrective and preventive action system — which differentiates between the two and tracks them separately — they have no intention of doing away with their “PAR” system just because ISO 9001:2015 switched to RBT. They agree that it is a shame that the RBT language no longer addresses preventive action at all, since they credit PAR with being the one thing in an ISO 9001 system that helps them save money and make improvements. For the clients who are completely new to ISO 9001, I have to do a lot more explaining as to why they may want to implement a CAR-style preventive action system at all, since I can’t point to any firm ISO 9001 requirement which mandates they do so. They look at me suspiciously, wondering why they can’t just use a tepid approach of “we thought about risks” and call it a day… which, in fact, they totally can do and still remain 100% compliant to the new standard. Shudder.
  7. Design is still a headache. For clients with pre-existing systems, they were hoping that ISO 9001:2015 would improve and advance the language related to design and development. Alas, that hasn’t happened, since it’s nearly a cut-and-paste from the earlier versions. Clients with design authority are disappointed.
  8. Internal auditor training is a nightmare. Training new internal auditors to the ISO 9001:2015 standard is a mess. Whereas the previous versions had hard requirements that allowed auditors to clearly determine if something complied or not, the new 2015 version adopts a bafflingly backwards approach to defining requirements so that determining a literal nonconformity is a very, very difficult exercise. Consider this: there’s no longer a firm requirement anywhere that documents be subject to revision control, since the language now reads, “For the control of documented information, the organization shall address the following activities, as applicable … (3) control of changes (e.g. version control).” This adds a new debate into the mix, which can be invoked by someone defending their lack of revision control, by forcing the auditor to argue when version control “is applicable.” As a result, companies are already considering implementing a weird set of QMS document control rules where some documents get revision control and others do not, based on arbitrary decisions as to “applicability.” Under previous standards, this argument would never have come up. For new auditors, who aren’t ready to have these Supreme Court-style debates over language and interpretation, it increases confusion and complexity over what were previously some of the easiest clauses to understand. When doing auditor training, I used to do an exercise where I would present a fictional scenario and ask students which clause had been violated; now we have long-winded debates not only about which clause is most applicable (it’s rarely clear now) but also about whether or not the scenario actually presents a nonconformity at all. In short, the lack of firm requirements allows auditees a nearly infinite ability to wriggle out of any audit finding, and auditors are utterly confused.

So, in summary, the new standard is not getting good reviews from actual users in real-world, practical usage. The general agreement is that the company will get what it can out of ISO 9001, but in spite of it, not because of it. They do not intend to rely on the standard to provide any guidance on best practices or approaches since it’s so poorly worded, and lacking in firm requirements. Those with previous experience believe nearly unanimously that the older versions were superior, and those without previous experience are simply confused. Neither is a great endorsement.