Thursday, August 01, 2013

Major Revision Ahead for ISO 9001

I finished my review of the proposed revisions for ISO 9001. This edition is scheduled for release in 2015. It represents a significant change in managing for quality, similar to the degree of change introduced over a decade ago with the year 2000 edition.

The proposal now undergoing wide review is called a committee draft. It represents the opinion of a relatively small group of national experts. As with all standards writing committees, perhaps 15-20 do the actual writing, while the remaining 40-50 contribute mostly informal oral arguments. It now needs a much larger review and comment from the stakeholders who eventually use the standard. Once this review closes after summer, comments will be sorted, discussed, and eventually used to modify the document. It may then be circulated again as a committee draft, or it may be considered mature enough to go out as a draft international standard. Substantive changes can be made to a CD, while (theoretically) no substantive changes can be made to a DIS. The DIS is circulated for about six months, changed, and then sent out as a final draft international standard. This is the last, up or down, vote by the ISO members. If it passes (and it usually does), it is typeset and released to the national bodies for publication and use.

Perhaps the most significant revision to our old friend, ISO 9001:2008, is the use of the generic template for all management system standards. Last year, the main governing policymakers in ISO decreed that new or revised standards for all management systems (quality, environment, safety, security, energy, sustainability, etc.) had to follow the words and format of this template. No deletions or revisions are allowed. Only additions specific to the MSS committee discipline are permitted. In our case, the heavy-duty methods already defined in ISO 9001:2008 and used worldwide were transferred to the new committee draft.

The reasons for requiring a common template are many.
  • Conflicting and redundant processes can be reduced. If you are going to have a document control system for quality procedures and specifications, you might as well use those same control steps for your safety procedures and forms.
  • There is increasing desire to integrate all management systems within the organization. They are all based on the principles of PDCA. Perhaps we can share resources and take a common approach that is understood by all.
  • Firms are paying big bucks to register separate management systems. We can reduce this external cost by combining the registration into one certificate.
  • Not all management systems have matured at the same rate. Because of market and social pressures, quality and environment are quite mature. Safety is not as far along. Security and business continuity are just beginning the journey. The template applies contemporary thought to all these different management systems.
  • Risk now has a prominent role. Since the publication of ISO 31000 in 2009, all professions are beginning to recognize the importance of understanding and managing risk. Embedded in this movement is the recognition of the part that management systems play in the management of risk. If risk is the effect of uncertainty on meeting the objectives of the organization, then management systems such as quality, safety, and environment are the controls we put in place to modify that uncertainty.


This revision to ISO 9001 will not be easy to understand and implement. It will require deep understanding and participation by all levels of the organization. No longer can you hire a consultant to manage the quality, safety, or security approaches for the organization. I suspect it will also be a big challenge to the conformity assessment agencies and their auditors.

Friday, June 14, 2013

What is Risk?

Risk is uncertainty. More to the point, risk is the effect of uncertain events on outcomes that matter to us. Our plans, goals, strategies, and objectives might – or might not – be realized. These uncertain events may be external (outside of your control) or internal (within your control). Risk is all around us. It is part of the fabric of the universe. It is randomness and the second law of thermodynamics. 

Risk comes in two colors and many sizes. If we accept some risks in business, our wealth might increase. That would make shareholders happy. In this case, the color of risk is positive. On the other hand, some risks might prevent the firm from achieving its strategic objectives. Those objectives are important to the company and its shareholders. The color of this risk would be negative.

The color of the risk – positive or negative – doesn’t really matter. Size matters. We take small, negative risks every day. We cross a street against the light. We buy copy paper from a new supplier. We balance on a stool to change a light bulb. We run a power extension cord along the floor. Everyday life is full of personal risk and corporate risk.

It is the big risks that we need to manage. Drilling an oil well off the stormy Norwegian coast might bring great wealth to Statoil and the people of Norway. On the other hand, it could explode, pollute the sea, and perhaps destroy the company and the government.

Risk is probability. Because it is based on uncertainty, it cannot be precisely measured. We must examine and manage risk using the principles of statistics. The likelihood of an event happening must be coupled with the consequences. For most personal and corporate applications, these values are approximate. Often, this is as general as low, medium, or high.

So, three things are necessary to begin the risk management journey:
  1. Identify possible external and internal events that might happen.
  2. Estimate the likelihood that these events might happen.
  3. Estimate the consequences if these events actually occurred.

Once the three steps above are completed, we must take action. Three options are available:
  1. Accept. Likelihood and consequences are both low. So whether the risk event is positive or negative, we just let it go. We take no action.
  2. Transfer. We purchase an insurance policy, petition the government for legislative support, or outsource the operation to another country.
  3. Mitigate. We apply the classic control tools of the safety, quality, environment, and security professions. We try to reduce bad risk and increase good risk.

Risk is everywhere. It is part of our personal and professional lives. While it sounds very complicated and spooky, we have developed controls and tools over the last century to understand, measure, and manage it. In a way, risk management is the common bond that ties the separate professions of quality management, environmental management, safety management, security management, and even financial management.

Monday, June 10, 2013

Brief History of Supplier Auditing

Customers have been doing audits on their suppliers since the 1950s. Only financial auditing, in effect since the end of the Great Depression, has a longer history.

As the Cold War arose after World War II, America was rapidly growing in strength and stature. Scientific and technology advancements, developed under pressure during WW II, were being refined for the fighting in Korea. Military contracting for these weapons systems was building the country and committing huge resources in the process. Some of these contractors were more reliable and organized than their military masters. Some were not so good. Political pressure was building to reduce waste and fraud. One of the many solutions was to start monitoring military contractor performance. Because financial auditing had some known principles and practices, developed over the previous two decades, they were applied to selected contractors. This was good, but not sufficient to assure that the military hardware would actually work!

The very first quality system standard was published in 1954. Called MIL-Q-9858, it was used to apply quality principles to military contractors. This standard was the foundation of the ISO 9001 quality management system standard that came out three decades later in 1987. It was also used by the budding nuclear power generation industry of the 1970s. The only way the military brass could be assured that MIL-Q-9858 was being used by their contractors was to send representatives on site to check. Thus, the Defense Contract Audit Service (DCAS) came into being. At first, these DCAS auditors were mostly inspectors, but slowly, they began to look at management system principles. A few of the contractors did some self-evaluations, but it wasn’t very formal or systematic.

As peace settled on the planet after the end of the Vietnam War, trade increased. This increase in the exchange of goods and services happened at the national and the international levels. No longer were large contracts the exclusive domain of the military. As contracts and resulting trade rose, so did risk. Firms needed some assurances that their suppliers were making things correctly. Customers started sending representatives to the supplier sites to check up. Conformity assessment firms started inspecting supplier jobs on behalf of their client customers. Some of the high-risk firms started doing internal reviews of their own operations. By the beginning of the 1980s, the auditing community was splitting into two branches: financial auditing and operational auditing. Financial audits were mostly applied internally; operational audits were mostly applied externally.

The maturity of the operational audit community was quite low. As pressure for supplier quality increased, many unqualified customer representatives were attempting to examine supplier performance. Some suppliers with many large customers were escorting these so-called auditors through the plant every other week. They were all using different checklists, often consisting of personal preferences rather than contract requirements. It was a real mess! Pressure was building for a single set of requirements that all customers could use for supply chain management. One supplier audit for multiple customers was the goal. ISO 9001:1987 was issued for suppliers doing both design and production work. ISO 9002:1987 was issued for suppliers building to somebody else’s design. ISO 9003:1987 was issued for distributors. Peace was restored to the planet.


Operational auditing was further subdivided during this period of the 1980s. Some of the more mature organizations began to realize the value of auditing themselves. Internal auditors became known as first-party auditors. Some continued to send employees to audit their suppliers. Supplier auditors became known as second-party auditors. When it became apparent that a single requirement standard for suppliers would exist, the conformity assessment firms began to sell their solutions. Many firms bought into the promise of having a professional organization audit them. This would satisfy all customers and be cheaper in the long run. Registration auditors (and later regulators) became known as third-party auditors.

Thursday, April 04, 2013

What is GRC?


For the past few years, I have been thinking about the bigger picture of management. What part do management systems (Quality, Environment, Safety, Security, etc.) play? What are controls and why do we need them? What is risk and where does it fit?

A few years ago, I attended the ASQ Audit Division conference in Reno. As I listened to the keynote presenter from South Africa, I picked up a new term: GRC. He mentioned it so casually, as if everyone knew what GRC meant. I started my quest for knowledge on GRC when I got home from the conference.

GRC is short for Governance, Risk Management, and Compliance. It's Board-speak.

When I first looked at Wikipedia, I discovered it was a software package vendors sold for automating management. Ugh! Fortunately the Wikipedia entry has been cleaned up and the introduction is now pretty good.

In my own mind, I see "Governance" as the management systems embodied by ISO 9001, 14001, etc. Risk Management is receiving a lot of attention now, especially by the ASQ. At first I thought of risk as bad and something to be eliminated. But now I see risk as uncertainty. It is the natural entropy of the universe and can be good or bad. It depends on how it's managed. My primary reference on risk management is ISO 31000, with COSO as my backup. Compliance is part of the whole monitoring and measuring function of an organization. While many interpret compliance to be restricted to legal issues and government regulations, I see it as much greater. Auditing falls under this category.

I follow the writings of two gurus in these areas, using Linked-In and RSS feeds.

  • In Risk Management matters, I like the style, content, and credibility of Norman Marks. He is a regular contributor to the ISO 30111 Linked-In discussion group. But his blog postings on Governance, Risk Management, and Audit are even deeper. I have learned much from Norman.
  • In GRC matters, Michael Rasmussen is excellent. Even though his firm sells research and advice, his GRC Pundit blog posts emphasise concepts, not commercial solutions. Just yesterday, Michael reminded his readers of one of the most elegant definitions of GRC I have yet to see:


The Open Compliance and Ethics Group (OCEG) defines GRC as "a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]."

I can live with that definition.

Monday, April 01, 2013

Supply chain management: Past, present, and future


This is the English version of the previous post in Chinese. I gave this keynote speech in Xiamen for the Fourth China-America Conference on Quality in December 2012.

Relationships

Like most of the world, customer-supplier relations in America have followed the Golden Rule: “He who has the gold rules.” In the past, customers demanded high quality and low price. Suppliers sacrificed on wages and maintenance because they needed the business. For example, it was common for the American automobile corporations to push their suppliers past the point where quality suffered. In the long run, the car companies also suffered when failed parts caused customer unhappiness and warranty repairs.

The high technology industries, such as medical devices and aerospace, started implementing a partnership approach to their suppliers. This was partly due to demanding regulations and high consequences of failure.

On the other hand, the low technology industries, such as food, chemicals, and service, were very harsh on suppliers. For example, some firms suffered greatly while attempting to meet the WalMart demand for absolute lowest price and just-in-time inventory controls.

The Great Worldwide Recession of 2008 changed many things. Governments and enterprises were forced to reduce services and production. Money stopped flowing and fear was high. As the enterprise reduced production, they let employees and suppliers go. Many firms closed their doors, never to operate again. As the recession ended and funds began to circulate again, some customers had to look for different suppliers. Many of the suppliers had invested in newer equipment and modern management methods. They would no longer accept impossible demands from their customers. The government loans to the American automobile industry forced those large enterprises to pursue modern management principles. These principles included a systems approach to quality, safety, and environment. These new ways are now being used by the automotive suppliers and sub-suppliers.

The relationship between customer and supplier is becoming more of a partnership. This is very pleasing to ASQ members, as we know this is the proper relationship.

Outsourcing

Since the beginning of this new century, America has gone through an intense period of outsourcing both manufacturing and services. Processes that used to be performed by the government or the enterprise were being performed by specialty firms. Examples include call centers in Manila and contract software development in Bangalore. Product packaging, distribution, and repairs were being contracted to outside firms.

This should have resulted in higher quality at less cost. Results were often disappointing. Contractors were assigned work without the necessary background knowledge, so there was a steep learning curve. Cultures were different and customers became unhappy. Some significant failures attributed to outsourcing include the melamine contamination of pet food and the delays in getting the Boeing 787 Dreamliner to market.

While outsourcing still occurs, it is becoming more focused. Where it makes sense, such as production of the iPhone at Foxconn, it works well. However, government and industry are bringing many processes back in-house. This is beneficial, in that the processes can be re-engineered to be more modern and efficient. Bringing work home may also reduce costs. It can allow the enterprise to regain control over design and service. However, it can be challenging, in that the workers with memory of the processes are no longer with the firm.

One of the biggest outsourcing challenges facing American medical device manufacturers is the need to employ smart process validation controls. This is being stressed by our Food and Drug Administration regulators, as machines become more automated. Decisions formerly made by humans are now being made by software programs. While the major medical device manufacturers understand the principles of validation, many of their outsource contractors do not. Expect to see even more attention to this matter by customer auditors as they review outsourced operations overseas.

Workforce

Before the Great Worldwide Recession, we still had a great many processes performed by manual labor. These processes included stamping, assembling, and shaping parts. They included inspecting shipments and finished work. They included distributing documents and copying records. In fact, all basic processes (production, support, and interface) were performed through manual labor. Advanced skills were not necessary for a good-paying job. All of that changed during and after the Recession, as manufacturers, governments, and their suppliers began to automate processes formerly done by humans. The demand for higher skills increased, but the educational infrastructure is not able to produce people with these special skills. That is another of the many reasons why the unemployment in America remains high.

This increased automation and redesign of work has affected professional staffing as well. In the past, the purchasing professionals and the quality professionals had very little integration. Safety and environmental professionals were rarely consulted in supply chain management. Today, we see the beginnings of a team approach. Purchasing, quality, environment, safety, and engineering are starting to understand the importance – and efficiency – of working together.

Perhaps more significant is the increasing use of software to generate and execute legal contracts between customers and suppliers. This is reducing the need for humans to think. As a result, customers are not clearly stating what they really want, and suppliers are forced to make assumptions. For example, large manuals of general requirements are forced on all suppliers, regardless of where they are located and what they provide. There is no customization, because the computer code developers did not include that feature. Another example is the use of Certificates of Compliance that are never examined by suppliers or their customers. The world has a significant challenge here, as we attempt to integrate the computer brain with the human brain.

Management Systems Integration

The advanced nations of the world have progressed through four eras of management. By about 1925, most of these nations had completed their major shift from an agricultural economy to an industrial economy. During the period from 1925 to 1975, we were in the control era, where the focus was on defining and controlling characteristics, conditions, and contaminants. We emphasized specifications and inspections. From 1975 to 2000, we were in the assurance era, where the focus was on defining and following processes. The first generation of quality management standards was based on “say what you do and do what you say.” With the major rewrite of ISO 9001 in the year 2000, we entered the management era. We established and certified separate management systems for quality, safety, environment, and security. Some of these systems promoted good, while other systems minimized evil. We are now entering the integration era, where these different management systems come together to provide a holistic approach for business and government. Of course, we do not reject our past tools and technologies. We will continue to use the proven control, assurance, and management methods, but in our new journey to identify and manage risk – in all its many forms – and promote sustainability.

Before the Great Worldwide Recession, America was somewhat behind the Europeans in our understanding of this integrated approach. That understanding and application is increasing rapidly. For the past five years, the ASQ World Conference has promoted presentations of integrated systems and risk management. ISO 31000 is being purchased, read, and applied.

Emerging issues

American consumers are paying more attention to the country of origin. Politicians and media are urging us to buy locally. “Made in America” is becoming a powerful brand for many items, such as clothing, furniture, and appliances. When it makes sense, items and processes formerly outsourced are coming home. In purchasing goods and services made locally, we believe we can reduce environmental damage and keep jobs and skills.

We are also seeing more emphasis on scientific development, as promoted by China’s general secretary Mr. Xi Jinping. When making purchasing decisions, American firms are now considering environmental, sustainability, and social responsibility consequences. This is coming from business principles as well as government policies. I believe the second term of American President Barack Obama will continue this trend.

In addition to the human-machine challenges I mentioned earlier, automation is causing security problems with our various networks. Customers and suppliers are linked through the Internet. Reliability and data protection are serious issues. Service providers are having their networked databases compromised. Automated controllers for our electrical grid and transportation systems are seriously vulnerable to attack. These security issues must be addressed by government, industry, and their supplier partners.

Summary

Customer-supplier relationships are changing and maturing. The concept of suppliers as partners, not slaves, will continue. While outsourcing will continue, it will be smarter. Some of this outsourced work will return to the government and business, but lost knowledge will take time to develop. The number of jobs for unskilled workers will continue to decline. This is forcing Americans to seriously examine our public education models. Professional staff involved with customer-supplier relations will become more integrated and risk management principles will mature. Challenges in automation and security will result in increasing communications – in both directions – between customers and their suppliers. I believe these trends apply to both China and America. We are in this together and gatherings like this must continue.

Supply chain management: Past, present, and future

Relationships

As in most countries of the world, customer-supplier relations in America have followed the Golden Rule: “He who has the gold rules.” In the past, customers demanded high quality and low price, forcing suppliers, in order to win the business, to sacrifice workers' wages and the maintenance of production equipment. For example, it was common for American automobile manufacturers to squeeze their suppliers until quality suffered. In the long run, the car companies also suffered losses when numerous failed parts caused customer dissatisfaction and increased warranty repairs.

High-technology industries, such as medical devices and aerospace, began implementing a partnership approach with their suppliers. This was partly because of demanding regulatory requirements and the severe consequences of failure.

On the other hand, low-technology industries, such as food, chemicals, and services, were very harsh on their suppliers. For example, some firms struggled greatly trying to meet Walmart's demands for the absolute lowest price and just-in-time inventory control.

The Great Worldwide Recession of 2008 changed many things. Governments and enterprises in every country were forced to cut services and production. Money stopped flowing normally, and fear ran high. As enterprises cut production, many employees and suppliers were let go. Many enterprises closed and never operated again. As the recession ended and funds began to circulate again, some customers had to look for new suppliers. Many suppliers had invested in new equipment and modern management methods. They would no longer accept impossible demands from their customers. The government loans to the American automobile industry forced those large enterprises to pursue modern management principles. These principles included a systems approach to quality, safety, and environment. These new methods are now being used by automotive suppliers and their sub-suppliers.

The relationship between customer and supplier is increasingly becoming a partnership. This makes us in the American Society for Quality (ASQ) very pleased, because we know this is the proper relationship.

Outsourcing

Since the beginning of this new century, America has gone through an intense period of outsourcing in both manufacturing and services. Work formerly done by the government or the enterprise was handed to specialty firms. Examples include call centers in Manila and contract software development in Bangalore. Product packaging, distribution, and repair were contracted out to foreign companies.

This should have led to higher quality at lower cost. But the results were often disappointing. Contractors lacked the background knowledge needed for the work they were assigned, so there was a steep learning curve, and cultural differences also left customers unhappy. Examples of outsourcing affected by major failures include the melamine contamination of pet food and the delay in bringing the Boeing 787 Dreamliner to market.

Although outsourcing continues, it is becoming more concentrated in certain industries. Where it makes sense, such as the production of the iPhone at Foxconn, it works well. However, government and enterprises are now bringing many work processes back to America. This is beneficial for redesigning the processes to be more modern and efficient; it can also reduce costs and help regain control over product design and customer service. But bringing outsourced work back home is challenging when the workers who knew the original processes are no longer with the firm.

One of the biggest challenges facing American medical device manufacturers that outsource is the need to adopt smart process validation controls. Regulators at our Food and Drug Administration (FDA) are increasing the pressure on this point as instruments become more automated. Decisions formerly made by humans are now being made by software programs. While the major medical device manufacturers understand the principles of validation, many of their outsourcing contractors do not. We can expect customer auditors to pay even more attention to this matter when reviewing overseas outsourced operations.

Workforce

Before the Great Worldwide Recession of 2008, we had many work processes that required manual labor. These included stamping, assembling, and shaping parts, inspecting shipments and finished work, and distributing documents and copying records. In fact, all of the basic processes (production, technical support, and interfaces) were carried out by manual labor, so a well-paying job did not require advanced skills. All of this changed during and after the recession, as manufacturers, governments, and their suppliers began to automate processes formerly performed by people. The demand for higher skills increased, but our educational infrastructure cannot produce people with these special skills. This is one of the many reasons unemployment in America remains high.

Increased automation and the redesign of work have also affected professional staffing. In the past, purchasing professionals and quality professionals rarely interacted with each other. Supply chain managers also rarely sought the opinion of safety and environmental professionals. Today, we are beginning to see a team approach. Purchasing, quality, environment, safety, and engineering departments are starting to recognize the importance, and efficiency, of working together.

More striking is the growing use of software to generate and execute legal contracts between customers and suppliers. This reduces the need for people to think. As a result, customers fail to state clearly what they really want, and suppliers are forced to make assumptions. For example, all suppliers are made to use large manuals of general requirements, regardless of where they are located and what products they provide. Nothing is tailored to the customer's needs, because the developers of the computer code did not design that feature in. Another example is the use of Certificates of Compliance that are never verified by suppliers or their customers. Trying to combine the computer brain with the human brain is a world-class challenge for humanity.

Management Systems Integration

The advanced nations of the world have progressed through four eras of management. By about 1925, most of these nations had completed the major shift from an agricultural economy to an industrial economy. From 1925 to 1975 was the control era, whose focus was on defining and controlling characteristics, conditions, and contaminants, with an emphasis on specifications and inspection. From 1975 to 2000 was the assurance era, whose focus was on defining and following processes. The foundation of the first generation of quality management standards was “say what you do and do what you say.” With the rewrite of ISO 9001 in 2000, we entered the management era. Separate management systems were established and certified for quality, safety, environment, and security. Some of these systems promoted good, while others restrained evil. We are now entering the integration era, in which these different management systems are combined to provide a holistic approach for enterprises and government. Of course, we do not reject the tools and techniques of the past. On our new journey to recognize and manage risk in all its forms, and to pursue sustainability, we continue to use the proven control, assurance, and management methods.

Before the Great Worldwide Recession of 2008, America lagged behind Europe in understanding this integrated approach. Since then, American understanding and application of the integrated approach has grown very rapidly. Over the past five years, the ASQ World Conference has featured presentations on integrated systems and risk management, and ISO 31000 is being purchased, read, and applied by many American companies.

Emerging issues

American consumers are paying more attention to the country of origin. Politicians and the media are urging us to buy local products. “Made in America” is becoming a powerful brand for many items, such as clothing, furniture, and appliances. Understandably, items and processes formerly outsourced are coming back. By buying goods and services locally, we believe we can reduce environmental damage and keep jobs and worker skills.

As advocated by China's General Secretary Mr. Xi Jinping, we are also placing more emphasis on scientific development. Now, when making purchasing decisions, American companies consider the impact and consequences for the environment, sustainability, and social responsibility. This comes from business principles as well as government policies. I believe American President Barack Obama will continue this trend in his second term.

In addition to the human-machine challenges I mentioned earlier, automation is causing security problems through our various network systems. Because customers and suppliers are linked through the Internet, reliability and data protection have become serious issues. Service providers' networked databases are being compromised. The automated controllers for our electrical grid and transportation systems are highly vulnerable to attack. These security problems must be addressed by government, industry, and their suppliers and partners.

Summary

Customer-supplier relationships are changing and maturing. The idea of suppliers as partners rather than slaves will continue. Although outsourcing will also continue, it will be smarter. Some outsourced work will return to government and enterprises, but lost knowledge and skills will take time to rebuild. The number of jobs for unskilled workers will continue to decline. This is forcing Americans to examine their public education models. Professional staff involved in customer-supplier relations will become more fully integrated, and risk management principles will mature. Challenges in automation and security will lead to increased two-way communication between customers and their suppliers. I believe these trends apply to both China and America. We must work together and continue to hold gatherings like this regularly.