Thursday, August 01, 2013

Major Revision Ahead for ISO 9001

I finished my review of the proposed revisions for ISO 9001. This edition is scheduled for release in 2015. It represents a significant change in managing for quality, similar to the degree of change introduced over a decade ago with the year 2000 edition.

The proposal now undergoing wide review is called a committee draft (CD). It represents the opinion of a relatively small group of national experts. As with all standards writing committees, perhaps 15-20 do the actual writing, while the remaining 40-50 contribute mostly informal oral arguments. It now needs a much larger review and comment from the stakeholders who eventually use the standard. Once this review closes after summer, comments will be sorted, discussed, and eventually used to modify the document. It may then be circulated again as a committee draft, or it may be considered mature enough to go out as a draft international standard (DIS). Substantive changes can be made to a CD, while (theoretically) no substantive changes can be made to a DIS. The DIS is circulated for about six months, changed, and then sent out as a final draft international standard (FDIS). This is the last, up or down, vote by the ISO members. If it passes (and it usually does), it is typeset and released to the national bodies for publication and use.

Perhaps the most significant revision to our old friend, ISO 9001:2008, is the use of the generic template for all management system standards. Last year, the main governing policymakers in ISO decreed that new or revised standards for all management systems (quality, environment, safety, security, energy, sustainability, etc.) had to follow the words and format of this template. No deletions or revisions are allowed. Only additions specific to the MSS committee discipline are permitted. In our case, the heavy-duty methods already defined in ISO 9001:2008 and used worldwide were transferred to the new committee draft.

The reasons for requiring a common template are many.
  • Conflicting and redundant processes can be reduced. If you are going to have a document control system for quality procedures and specifications, you might as well use those same control steps for your safety procedures and forms.
  • There is increasing desire to integrate all management systems within the organization. They are all based on the principles of PDCA. Perhaps we can share resources and take a common approach that is understood by all.
  • Firms are paying big bucks to register separate management systems. We can reduce this external cost by combining the registration into one certificate.
  • Not all management systems have matured at the same rate. Because of market and social pressures, quality and environment are quite mature. Safety is not as far along. Security and business continuity are just beginning the journey. The template applies contemporary thought to all these different management systems.
  • Risk now has a prominent role. Since the publication of ISO 31000 in 2009, all professions are beginning to recognize the importance of understanding and managing risk. Embedded in this movement is the recognition of the part that management systems play in the management of risk. If risk is the effect of uncertainty on meeting the objectives of the organization, then management systems such as quality, safety, and environment are the controls we put in place to modify that uncertainty.

This revision to ISO 9001 will not be easy to understand and implement. It will require deep understanding and participation by all levels of the organization. No longer can you hire a consultant to manage the quality, or safety, or security approaches by the organization. I suspect it will also be a big challenge to the conformity assessment agencies and their auditors.

Friday, June 14, 2013

What is Risk?

Risk is uncertainty. More to the point, risk is the effect of uncertain events on outcomes that matter to us. Our plans, goals, strategies, and objectives might – or might not – be realized. These uncertain events may be external (outside of your control) or internal (within your control). Risk is all around us. It is part of the fabric of the universe. It is randomness and the second law of thermodynamics. 

Risk comes in two colors and many sizes. If we accept some risks in business, our wealth might increase. That would make shareholders happy. In this case, the color of risk is positive. On the other hand, some risks might prevent the firm from achieving its strategic objectives. Those objectives are important to the company and its shareholders. The color of this risk would be negative.

The color of the risk – positive or negative – doesn’t really matter. Size matters. We take small, negative risks every day. We cross a street against the light. We buy copy paper from a new supplier. We balance on a stool to change a light bulb. We run a power extension cord along the floor. Everyday life is full of personal risk and corporate risk.

It is the big risks that we need to manage. Drilling an oil well off the stormy Norwegian coast might bring great wealth to Statoil and the people of Norway. On the other hand, it could explode, pollute the sea, and perhaps destroy the company and the government.

Risk is probability. Because it is based on uncertainty, it cannot be precisely measured. We must examine and manage risk using the principles of statistics. The likelihood of an event happening must be coupled with the consequences. For most personal and corporate applications, these values are approximate. Often, this is as general as low, medium, or high.

So, three things are necessary to begin the risk management journey:
  1. Identify possible external and internal events that might happen.
  2. Estimate the likelihood that these events might happen.
  3. Estimate the consequences if these events actually occurred.

Once the three steps above are completed, we must take action. Three options are available:
  1. Accept. Likelihood and consequences are both low. So whether the risk event is positive or negative, we just let it go. We take no action.
  2. Transfer. We purchase an insurance policy, petition the government for legislative support, or outsource the operation to another country.
  3. Mitigate. We apply the classic control tools of the safety, quality, environment, and security professions. We try to reduce bad risk and increase good risk.

Risk is everywhere. It is part of our personal and professional lives. While it sounds very complicated and spooky, we have developed controls and tools over the last century to understand, measure, and manage it. In a way, risk management is the common bond that ties the separate professions of quality management, environmental management, safety management, security management, and even financial management.

Monday, June 10, 2013

Brief History of Supplier Auditing

Customers have been doing audits on their suppliers since the 1950s. Only financial auditing, in effect since the end of the Great Depression, has a longer history.

As the Cold War arose after World War II, America was rapidly growing in strength and stature. Scientific and technology advancements, developed under pressure during WW II, were being refined for the fighting in Korea. Military contracting for these weapons systems was building the country and committing huge resources in the process. Some of these contractors were more reliable and organized than their military masters. Some were not so good. Political pressure was building to reduce waste and fraud. One of the many solutions was to start monitoring military contractor performance. Because financial auditing had some known principles and practices, developed during the last two decades, they were applied to selected contractors. This was good, but not sufficient to assure that the military hardware would actually work!

The very first quality system standard was published in 1954. Called MIL-Q-9858, it was used to apply quality principles to military contractors. This standard was the foundation of the ISO 9001 quality management system standard that came out three decades later in 1987. It was also used by the budding nuclear power generation industry of the 1970s. The only way the military brass could be assured that MIL-Q-9858 was being used by their contractors was to send representatives on site to check. Thus, the Defense Contract Audit Service (DCAS) came into being. At first, these DCAS auditors were mostly inspectors, but slowly, they began to look at management system principles. A few of the contractors did some self-evaluations, but it wasn’t very formal or systematic.

As peace settled on the planet after the end of the Vietnam War, trade increased. This increase in the exchange of goods and services happened at the national and the international levels. No longer were large contracts the exclusive domain of the military. As contracts and resulting trade rose, so did risk. Firms needed some assurances that their suppliers were making things correctly. Customers started sending representatives to the supplier sites to check up. Conformity assessment firms started inspecting supplier jobs on behalf of their client customers. Some of the high-risk firms started doing internal reviews of their own operations. By the beginning of the 1980s, the auditing community was splitting into two branches: financial auditing and operational auditing. Financial audits were mostly applied internally; operational audits were mostly applied externally.

The maturity of the operational audit community was quite low. As pressure for supplier quality increased, many unqualified customer representatives were attempting to examine supplier performance. Some suppliers with many large customers were escorting these so-called auditors through the plant every other week. They were all using different checklists, often consisting of personal preferences rather than contract requirements. It was a real mess! Pressure was building for a single set of requirements that all customers could use for supply chain management. One supplier audit for multiple customers was the goal. ISO 9001:1987 was issued for suppliers doing both design and production work. ISO 9002:1987 was issued for suppliers building to somebody else’s design. ISO 9003:1987 was issued for distributors. Peace was restored to the planet.

Operational auditing was further subdivided during this period of the 1980s. Some of the more mature organizations began to realize the value of auditing themselves. Internal auditors became known as first-party auditors. Some continued to send employees to audit their suppliers. Supplier auditors became known as second-party auditors. When it became apparent that a single requirement standard for suppliers would exist, the conformity assessment firms began to sell their solutions. Many firms bought into the promise of having a professional organization audit them. This would satisfy all customers and be cheaper in the long run. Registration auditors (and later regulators) became known as third-party auditors.

Thursday, April 04, 2013

What is GRC?

For the past few years, I have been thinking about the bigger picture of management. What part do management systems (Quality, Environment, Safety, Security, etc.) play? What are controls and why do we need them? What is risk and where does it fit?

A few years ago, I attended the ASQ Audit Division conference in Reno. As I listened to the keynote presenter from South Africa, I picked up a new term: GRC. He mentioned it so casually, as if everyone knew what GRC meant. I started my quest for knowledge on GRC when I got home from the conference.

GRC is short for Governance, Risk Management, and Compliance. It's Board-speak.

When I first looked at Wikipedia, I discovered it was a software package vendors sold for automating management. Ugh! Fortunately the Wikipedia entry has been cleaned up and the introduction is now pretty good.

In my own mind, I see "Governance" as the management systems embodied by ISO 9001, 14001, etc. Risk Management is receiving a lot of attention now, especially by the ASQ. At first I thought of risk as bad and something to be eliminated. But now I see risk as uncertainty. It is the natural entropy of the universe and can be good or bad. It depends on how it's managed. My primary reference on risk management is ISO 31000, with COSO as my backup. Compliance is part of the whole monitoring and measuring function of an organization. While many interpret compliance to be restricted to legal issues and government regulations, I see it as much greater. Auditing falls under this category.

I follow the writings of two gurus in these areas, using Linked-In and RSS feeds.

  • In Risk Management matters, I like the style, content, and credibility of Norman Marks. He is a regular contributor to the ISO 30111 Linked-In discussion group. But his blog postings on Governance, Risk Management, and Audit are even deeper. I have learned much from Norman.
  • In GRC matters, Michael Rasmussen is excellent. Even though his firm sells research and advice, his GRC Pundit blog posts emphasise concepts, not commercial solutions. Just yesterday, Michael reminded his readers of one of the most elegant definitions of GRC I have yet to see:

The Open Compliance and Ethics Group (OCEG) defines GRC as "a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]."

I can live with that definition.

Monday, April 01, 2013

Supply chain management: Past, present, and future

This is the English version of the previous post in Chinese. I gave this keynote speech in Xiamen for the Fourth China-America Conference on Quality in December 2012.


Like most of the world, customer-supplier relations in America have followed the Golden Rule: “He who has the gold rules.” In the past, customers demanded high quality and low price. Suppliers sacrificed on wages and maintenance because they needed the business. For example, it was common for the American automobile corporations to push their suppliers past the point where quality suffered. In the long run, the car companies also suffered when failed parts caused customer unhappiness and warranty repairs.

The high technology industries, such as medical devices and aerospace, started implementing a partnership approach to their suppliers. This was partly due to demanding regulations and high consequences of failure.

On the other hand, the low technology industries, such as food, chemicals, and service, were very harsh on suppliers. For example, some firms suffered greatly while attempting to meet the WalMart demand for absolute lowest price and just-in-time inventory controls.

The Great Worldwide Recession of 2008 changed many things. Governments and enterprises were forced to reduce services and production. Money stopped flowing and fear was high. As enterprises reduced production, they let employees and suppliers go. Many firms closed their doors, never to operate again. As the recession ended and funds began to circulate again, some customers had to look for different suppliers. Many of the suppliers had invested in newer equipment and modern management methods. They would no longer accept impossible demands from their customers. The government loans to the American automobile industry forced those large enterprises to pursue modern management principles. These principles included a systems approach to quality, safety, and environment. These new ways are now being used by the automotive suppliers and sub-suppliers.

The relationship between customer and supplier is becoming more of a partnership. This is very pleasing to ASQ members, as we know this is the proper relationship.


Since the beginning of this new century, America has gone through an intense period of outsourcing both manufacturing and services. Processes that used to be performed by the government or the enterprise were being performed by specialty firms. Examples include call centers in Manila and contract software development in Bangalore. Product packaging, distribution, and repairs were being contracted to outside firms.

This should have resulted in higher quality at less cost. Results were often disappointing. Contractors were assigned work without the necessary background knowledge, so there was a steep learning curve. Cultures were different and customers became unhappy. Some significant failures attributed to outsourcing include the melamine contamination of pet food and the delays in getting the Boeing 787 Dreamliner to market.

While outsourcing still occurs, it is becoming more focused. Where it makes sense, such as production of the iPhone at Foxconn, it works well. However, government and industry are bringing many processes back in-house. This is beneficial, in that the processes can be re-engineered to be more modern and efficient. Bringing work home may also reduce costs. It can allow the enterprise to regain control over design and service. However, it can be challenging, in that the workers with memory of the processes are no longer with the firm.

One of the biggest outsourcing challenges facing American medical device manufacturers is the need to employ smart process validation controls. This is being stressed by our Food and Drug Administration regulators, as machines become more automated. Decisions formerly made by humans are now being made by software programs. While the major medical device manufacturers understand the principles of validation, many of their outsource contractors do not. Expect to see even more attention to this matter by customer auditors as they review outsourced operations overseas.


Before the Great Worldwide Recession, we still had a great many processes performed by manual labor. These processes included stamping, assembling, and shaping parts. They included inspecting shipments and finished work. They included distributing documents and copying records. In fact, all basic processes (production, support, and interface) were performed through manual labor. Advanced skills were not necessary for a good-paying job. All of that changed during and after the Recession, as manufacturers, governments, and their suppliers began to automate processes formerly done by humans. The demand for higher skills increased, but the educational infrastructure is not able to produce people with these special skills. That is another of the many reasons why the unemployment in America remains high.

This increased automation and redesign of work has affected professional staffing as well. In the past, the purchasing professionals and the quality professionals had very little integration. Safety and environmental professionals were rarely consulted in supply chain management. Today, we see the beginnings of a team approach. Purchasing, quality, environment, safety, and engineering are starting to understand the importance – and efficiency – of working together.

Perhaps more significant is the increasing use of software to generate and execute legal contracts between customers and suppliers. This is reducing the need for humans to think. As a result, customers are not clearly stating what they really want, and suppliers are forced to make assumptions. For example, large manuals of general requirements are forced on all suppliers, regardless of where they are located and what they provide. There is no customization, because the computer code developers did not include that feature. Another example is the use of Certificates of Compliance that are never examined by suppliers or their customers. The world has a significant challenge here, as we attempt to integrate the computer brain with the human brain.

Management Systems Integration

The advanced nations of the world have progressed through four eras of management. By about 1925, most of these nations had completed their major shift from an agricultural economy to an industrial economy. During the period from 1925 to 1975, we were in the control era, where the focus was on defining and controlling characteristics, conditions, and contaminants. We emphasized specifications and inspections. From 1975 to 2000, we were in the assurance era, where the focus was on defining and following processes. The first generation of quality management standards was based on “say what you do and do what you say.” With the major rewrite of ISO 9001 in the year 2000, we entered the management era. We established and certified separate management systems for quality, safety, environment, and security. Some of these systems promoted good, while other systems minimized evil. We are now entering the integration era, where these different management systems come together to provide a holistic approach for business and government. Of course, we do not reject our past tools and technologies. We will continue to use the proven control, assurance, and management methods, but in our new journey to identify and manage risk – in all its many forms – and promote sustainability.

Before the Great Worldwide Recession, America was somewhat behind the Europeans in our understanding of this integrated approach. That understanding and application is increasing rapidly. For the past five years, the ASQ World Conference has promoted presentations of integrated systems and risk management. ISO 31000 is being purchased, read, and applied.

Emerging issues

American consumers are paying more attention to the country of origin. Politicians and media are urging us to buy locally. “Made in America” is becoming a powerful brand for many items, such as clothing, furniture, and appliances. When it makes sense, items and processes formerly outsourced are coming home. In purchasing goods and services made locally, we believe we can reduce environmental damage and keep jobs and skills.

We are also seeing more emphasis on scientific development, as promoted by China’s general secretary Mr. Xi Jinping. When making purchasing decisions, American firms are now considering environmental, sustainability, and social responsibility consequences. This is coming from business principles as well as government policies. I believe the second term of American President Barack Obama will continue this trend.

In addition to the human-machine challenges I mentioned earlier, automation is causing security problems with our various networks. Customers and suppliers are linked through the Internet. Reliability and data protection are serious issues. Service providers are having their networked databases compromised. Automated controllers for our electrical grid and transportation systems are seriously vulnerable to attack. These security issues must be addressed by government, industry, and their supplier partners.


Customer-supplier relationships are changing and maturing. The concept of suppliers as partners, not slaves, will continue. While outsourcing will continue, it will be smarter. Some of this outsourced work will return to the government and business, but lost knowledge will take time to develop. The number of jobs for unskilled workers will continue to decline. This is forcing Americans to seriously examine our public education models. Professional staff involved with customer-supplier relations will become more integrated and risk management principles will mature. Challenges in automation and security will result in increasing communications – in both directions – between customers and their suppliers. I believe these trends apply to both China and America. We are in this together and gatherings like this must continue.

Supply chain management: Past, present, and future


Like most countries in the world, customer-supplier relations in America have followed the Golden Rule: “He who has the gold rules.” In the past, customers demanded high quality and low prices, forcing suppliers to sacrifice workers’ wages and the maintenance of production equipment in order to win the business. For example, it was common for American automobile manufacturers to squeeze their suppliers to the point where quality suffered. In the long run, the car companies also suffered losses, as numerous failed parts caused user dissatisfaction and more warranty repairs.

Management in the world’s advanced nations has developed through four eras. By about 1925, most of these nations had completed their major transition from an agricultural economy to an industrial economy. From 1925 to 1975 was the control era, whose focus was on defining and controlling characteristics, conditions, and contaminants, with emphasis on specifications and inspections. From 1975 to 2000 was the assurance era, whose focus was on defining processes. The first generation of quality management standards was based on “say what you do and do what you say.” With the rewrite of ISO 9001 in 2000, we entered the management era. Separate management systems were established and certified for quality, safety, environment, and security. Some of these systems promoted good, while others restrained evil. We are now entering the integration era, in which these different management systems come together to provide a holistic approach for business and government. Of course, we do not reject the tools and technical methods of the past. On our new journey to identify and manage risk in all its forms, as well as sustainability, we continue to use the proven control, assurance, and management methods.

Before the worldwide economic recession of 2008, America lagged behind Europe in its understanding of the integrated approach. Since then, America’s understanding and application of the integrated approach has grown very rapidly. Over the past five years, the ASQ World Conference has presented talks introducing integrated systems and risk management, and ISO 31000 is being purchased, read, and applied by most American companies.


American consumers are paying more attention to the country of origin. Politicians and the media are urging us to buy local products. “Made in America” is becoming a powerful brand for many items, such as clothing, furniture, and appliances. Understandably, items and processes formerly outsourced are coming back. By buying goods and services locally, we believe we can reduce environmental damage and preserve jobs and worker skills.