ISO 9001: 2015 Customer Requirements: The Challenges of Just Saying “No”
Everyone is gearing up for the challenge of updating their compliance to the requirements of ISO 9001:2015. Most of the Quality professionals I speak with seem to have digested the new requirements as something very different than past versions. Personally, I don’t quite see it the same way as most of my contemporaries. After careful review, I see the new revision increasing emphasis on long standing requirements and adding measurable controls to help assure attention and accountability.
There have always been areas of the standard where organizations either took a minimal approach or acted on gut instinct rather than concrete analysis. The new revision of the standard makes it much tougher for companies to make an ill-considered decision without leaving a very visible trail concerning both the decision and the subsequent actions.
If we focus on Customer Requirements, also commonly known as Contract Review, we see where this new approach is particularly pronounced. In most companies, the decision logic for what business to pursue is totally decoupled from any real analysis, much less Risk Assessment. Sales organizations tend to doggedly pursue all potential opportunities with equal zeal and aggression. It isn’t until the business is won that most organizations begin to consider whether they have the means and ability to address the customer’s requirements. Performing Risk Analysis on business already won just tells you how deep the crap you find yourself standing in actually turns out to be.
Historically, it is not obvious that the company was not prepared for the business until the analysis from Customer Complaints, missed customer commitments, Corrective Actions and Nonconforming Material Trend Analysis begin to bubble up to management. Even then, seldom is the root cause “what were we thinking when we decided to take on this business?”
The increased emphasis on a process based approach with commiserate risk assessment will now almost certainly have to begin earlier in the decision to allocate resources to pursue a particular business opportunity. This can be a very good thing for the long term success and sanity of the organization. I can think of at least three examples of very large and profitable companies that were destroyed by trying to fulfill the requirements of enticing deals that they were not positioned to accommodate. Even rudimentary Risk Analysis of the following as part of a decision to pursue new business can ignite at least a discussion of the organization’s ability to deliver on what the customer expects:
- Will our technology and product or service offerings align with the prospects technical requests?
o Will winning the business require investing in R&D activities?
o What is the risk of failing to evolve the technology fast enough to deliver?
o How much will this R&D activity and subsequent qualification add to the projected cost to deliver?
- Do we have the resources to deliver on time and within budget?
o Will retraining of existing resources be required?
o Will new skills be required that must be recruited and added to staff?
o Will existing staffing levels need to be increased to assure commitments and deliverable time lines are within plan?
- Are there capital expenditures required that can be both identified and quantified as to cost or lead time, etc.?
o What is the projected lead time to obtain and install new capital equipment?
o Are special permits required for any new equipment or materials?
o Are there additional EH&S risks associated with new equipment or chemicals, etc.
- Is our Supply Chain robust and expert enough to support our projected needs related to this new business?
o Do we need to develop and qualify new or additional sources for materials or services?
o Are there suppliers that we will need to reassess to assure their ability to play their role in the project is commiserate with the projected requirements and expectations for them?
- If this new business is won, how will it impact commitments to other business already scheduled in the pipeline?
The empirical results can permit developing off-setting strategies to minimize identified risks. Even a decision to move forward with identified risks can assure that management and other parts of the organization share equally in the assumed risk. It can also be invaluable in the unhappy event that you find yourself chairing a “Lessons Learned” or Management Review Meeting where some participants seem to have developed sudden amnesia. The salient intent at the end of the day is not to make the business risk aversive to the point that opportunities are missed but rather that Risk Assessment is performed and considered as part of the decision.
ISO 9001:2015 is not an additional layer of “dos and don’ts”. Consider it providing guidance and tools for accessing whether a risk is likely to occur and how serious it might be. In the grand scheme of things I can’t consider that anything but prudent and a tool for making every process in your business better.