- Whistleblower Program
- Legal Defense Fund
- Request Quote
Welcome to The O-Forum! Read this first! Then, feel free to introduce yourself here! If you need immediate, real-time support for the Oxebridge ISO 9001 or AS9100 Template Kits, click here to join our Slack chat channel.
I always seem to go around in circles on this one…it could just be semantics. I understand the definitions of process vs procedure, but where I get stuck is the what should have KPIs and can be mapped to ISO 9001 for compliance coverage.
The toolkit suggests that you should map each clause to a process and therefore a metric/KPI, but I wonder, is it acceptable to map to a procedure or manual (with no KPIs) instead of a process control document to ISO clauses?
For example, in the toolkit, risk management and internal auditing are provided as procedures. In a previous post (which I can’t seem to link to), it is suggested that for these, process definition documents should also written (which matches to the sample ‘Overall Process Flow’ in the toolkit). And in the example ‘process vs clause table’ of the toolkit, it suggests a process of ‘Management System Administration’ could cover these topics. But if I do not want a ‘Management System Administration process’ or individual process definitions for these, instead have procedures for these e.g. document control, internal auditing, corrective action, risk management and manuals for others e.g. IT Support and Configuration Management – those of which will cover ISO 9001 clauses but will not have metrics or KPIs assigned to all.
Instead, let’s talk about sex.
Sex is an activity. You do it (or not, whatever). It is a thing that happens and then a baby shows up or something (I’m not clear on it.)
Most people don’t need to read a book on how to have sex (although they probably should.) But if they do, that’s fine. They can read a book.
In this scenario, sex is the PROCESS and the book is the PROCEDURE. The process is going to exist whether you write or read the book.
Now let’s think KPIs. You sex partner probably has an idea about how good or bad you are at sex. That’s the KPI; it applies to the PROCESS, not the book. Your partner could judge the book, sure, but that’s not a real reflection of the process. A bad book may lead to bad sex, but that doesn’t make the process bad, it makes the book bad. In fact, you’re sort of jumping to the root cause without consideration (“honey, the problem isn’t me, it’s that damn book!”)
So you apply the KPI to the activity. Forget about the procedures entirely. Identify your processes FIRST, then the KPIs, then decide if you need to write procedures or not. The procedures may help your process achieve its KPIs, but they won’t have KPIs themselves, because they’re just pieces of paper.
I think this analogy is good, and anything with “sex” in the title will generate huge hits, so pardon me if I write an article on this soon.
Good analogy but follow up question on mapping clauses and what must have KPIs…
Risk Management is a process, mapped to 6.1.
What type of KPI would you suggest for risk management? Or is it acceptable to map to a a process for which no KPIs exist?
Or as per the toolkit example, the process mapped to a bunch of clauses is “Management System Administration”. What would be KPIs for that?
Risk management is rarely a process in and of itself. It’s usually an activity embedded in the management process or throughout all the other processes. So far I don’t have any clients who treat it as a standalone process, nor have any KPIs for it. (Not a bad idea, though.)
For the “Management System Admin” process, typical KPIs might be:
— Number of OTHER processes that did not meet KPIs. (If multiple other processes are failing, this puts the blame back on the management of the QMS.)
— Maintaining certification to ISO 9001
If resource management is included in the MSA process, then also:
— # of nonconformities or corrective actions issued due to lack of resources, or resource failures
— # of staff positions open for more than X weeks/months