The truth about ISO 9001:2015 documents, policies and procedures
What are some of the most common misconceptions about ISO 9001:2015 quality management systems, ISO 45001 OH&S safety management systems, ISO 14001:2015 environment management systems, ISMS data security management systems?
ISO 9001:2015 quality management systems - and the rest of the ISO standards - have earned a reputation for being bureaucratic: lots of documents, expensive to implement, expensive to maintain. The reality is that they're not. They actually describe logical steps to follow to manage risk. What's happened is that professionals have joined the industry and felt that the best way to execute on the intent of the standard and implement an ISO 9001:2015 quality management system is to write thousands and thousands of documents. The standards themselves copped the blame for that, and there are still a lot of regulators and industries that want you to write policies and procedures to address legal and other requirements.
There might be industrial relations requirements around employing staff, or taxation management, and those sorts of things in business; but the ISO standard is getting the blame for that, not the regulator. So, the misconception is that the standards are bureaucratic and come with lots of documents. The true intent of the ISO standards, however, is a set of logical steps to manage risk, and I'll give you an example.
What are the things that could go wrong in this business over the next month? We could have a cash flow crisis; we could run out of cash, and cash is king to run the business. Some suppliers send us invoices that, for the most part, are not related to a purchase order. So, we send out purchase orders, but they send in invoices, and we could incur charges that we hadn't planned for. That's a financial perspective, and it's relevant to everybody, because you could incur costs in your personal life that you just didn't plan for.
There are two ways to control that:
The first is insurance. You can insure for, and pay insurance for, some expected things that could potentially go wrong, but you can't insure for cash flow.
The second is your management system. In our financial management system, we have a process and a procedure for sending out our invoices to our customers and following up with them to ensure that they pay on time. That's our process; that's our management system.
What do we do if we have an emergency regarding one of our customers not paying? Well, we escalate it to management, as the management system or the policy says. This is where your policies branch out and you use risk-based thinking in your processes, and we use a flow-chart to demonstrate the differences in these processes.
So, that's really the gist of risk management from a financial or safety perspective: what are the things that could go wrong, how could people get hurt, and what are we going to do to prevent them getting hurt? Not what are we going to write down to prevent them getting hurt, but what are we actually going to do to prevent them getting hurt. From a safety perspective: how are we going to control that hazardous or unsafe environment?
The documents, policies and procedures that get developed are a good way to record how we do it, but you don't have to write them. The standards don't say that you must. From an analysis perspective, to see if you can be more cost effective, you may need to keep records of what you do, and sometimes you need evidence of that, but you don't need that evidence from the standards' perspective. You need evidence for your regulators, so the big misconception is that you've got two different lots of documents. Think about your audience; think about your staff. They don't need lots of documents.
Now, typically speaking, I've observed in all my years of business that staff and the members of organizations don't read the policies and procedures. They just don't. So stop putting so much effort into producing policies and procedures, and put more effort into embedding the knowledge in your people, not into putting it in something that they can read and refer back to.
Focus on embedding the knowledge in your people not embedding the knowledge in the documents and having a process to continue to do that.
I would argue that you do less writing of policies and procedures and more training. I like the master and apprentice model: the executive leadership being mentors and leaders and providers of knowledge for the up-and-coming members of the organization to consume that knowledge.
Focus on ensuring that the executives spend good quality time with the members of their team, and avoid writing too many policies and procedures, because we spend time developing them, no one reads them, and then they go out of date. They are, for the most part, a complete waste of money. I don't dispute the fact that there are a couple of essential policies that a good business needs to have. As an example, don't go and write documents for a safety risk control. There's a concept called the hierarchy of control: a risk management philosophy that asks, in order, can we eliminate the risk, can we substitute it, can we engineer it out, and only then do we fall back on administrative requirements and personal protective equipment.
Administrative requirements mean policies and procedures. If they're at the bottom of the hierarchy of control... why are they our first choice in managing and controlling our organizations?
So, have a think about whether you can substitute and engineer. Here at Best Practice we focus a lot on our systems, our software systems and our CRM systems, as our methods of working. We don't need policies and procedures because we follow those systems. They control our working environment and our workflow. It doesn't work all the time, and it's not perfect, but it is certainly an attempt to engineer the process so that we engineer out that scenario.