Wednesday, September 07, 2011

Auditing Internal Company Procedures

A colleague in the U.K. recently wrote to me. He asked how often he had to audit his internal procedures. My response:

First, you need to recall the document pyramid, where the external docs (like ISO standards and government regs) are at the very top. Then come the site-specific manuals, which describe how the local operations will conduct their business in accordance with the external docs. These are system documents and should be skinny. Then come the many process-focused procedures. These are job performance aids for an already trained and qualified employee, be they manager or operator. At the bottom of the pyramid are the job, task, or patient-specific specifications. They specify the form, fit, and function often used for QC inspections and are product-focused. Manuals (system) to procedures (process) to specs (product). Your question concerned the process procedures.

Now, we need to recall the concept of Document Control, especially for those process-focused procedures. The best procedures are 5-6 pages and written by the process owners and doers. They are the experts. Once a procedure is drafted by a person or a team, it must undergo peer review. This is to make sure it really works. The draft procedure may need to undergo several reviews and revisions before it is "perfect." Only then is it approved, usually by a manager and generally signified by a signature or database entry. This approval signifies that the procedure is perfect. Now the perfect procedure is ready for controlled distribution. This is called version control, where the old version is replaced by the new. Today, with most procedures no longer printed on dead trees but rather uploaded to a content management system, version control is as simple as replacing the old file with the new one. If you still use printed procedures, then individual copies must be swapped out. The procedure is ready for use. Through use, we may discover that the procedure is not "perfect," so it must be revised and we go back to the beginning of the document control cycle. Your mention of the annual examination (probably required by your manual, because ISO 9001:2008 does not require it) is a way to continually make sure the procedures are perfect.

There never was an ISO (or any other) requirement to audit each procedure annually! That's kind of dumb. The ISO 9001 standard says you must periodically audit the presence and implementation of all your controls, in a planned and systematic fashion. The most important activities - as measured by their effects on cost, production, and risk - are audited more often. Generally-accepted and good auditing practice says you should cover everything within a three year period. This also corresponds with the term of the registration certificate.

So, your managers are reviewing and revising their procedures and intend to keep doing this annually. That's a good thing! But it does not substitute for the internal audit, as the managers have ownership and a vested interest in the outcome. Auditors can look at the presence and implementation of needed controls more objectively.

10 comments:

Anonymous said...

Good info! I'm prepping for an international food industry cert as we speak called SQF, and they require annual review of all systems, processes, and procedures. Once every three years sounds good to me! Thanks!

Ellen Diggs / Ellen Diggs Consulting said...

It's all about change management. You've got to stay current one way or another. Be careful of pencil whipping during an annual review.

Anonymous said...

As a CISA, I think the length between reviews has to also correspond to the process "risk" and what controls are covered by that process. Some processes will be audited yearly as part of the annual audit process. Others can be reviewed less often.

Anonymous said...

Be careful. If your customers require a more frequent review of your systems, you must meet this requirement. Remember the ISO standard tells us we must audit the system; our customers specify how often this should be done. If you have no customer, regulatory, federal, state, etc. requirements for how often, you can specify the frequency - make it reasonable, based on "risk" for that process.

Anonymous said...

I like the approach of reviewing all processes every 3 years, because if we had been ISO or any other for more than 3 years, that means that our system is mature enough to be in compliance at any time. Now, if we have complaints and this involves the system, then we should review that specific process in question more frequently until we feel comfortable.

Yazeed M. Alzghoul said...

I have been trained in the past by a registrar company for ISO 9001 (certification body), and what I have been trained on is that, according to the ISO clause, at least every year I must conduct an audit to be satisfied with the ISO standard.

Rob Lebby said...

Good article - I agree with this entire approach, and we are using it in our operation. My comment, or question in this case, is focused on the statement, "The best procedures are 5-6 pages and written by the process owners and doers."

I understand that, in some organizations, the work instructions are being changed from text-based documents to pictorial work instructions and flow-charts. My experience is that a document can be perfect, but won't function as designed if no one reads it. My question: Has anyone else found this to be true and begun moving to pictorial and/or flow-chart based documents? I'm curious to know the extent to which this is true and do some benchmarking for future reference.

swhatley said...

The registrar audits certain functions every six months; some functions get audited once a year and others won't be audited except when the cert expires (every three years). The standard itself doesn't put a timeline; it tells the organization to determine that. Customers shouldn't be telling you how to run your organization!

Yazeed M. Alzghoul said...

The standard requires the organization to conduct Internal Audits. I believe that the standards not addressing the period or the conditions of the IA is nonsense at all.

Yazeed M. Alzghoul said...

Leaving the certification body to specify the period of the certification surveillance, which would let the organization perform IA only according to the surveillance, is nonsense also.