Not revision! That is the given and established answer to the headline question. And it is somewhat surprising. It has been quite common in recent decades to revise ISO 9001 every six to seven years. The world continues to evolve, especially the technology within it, the issues that define it, and the new challenges and demands, political as well as societal, that emerge from it and impact on it, anyway. It is therefore obvious that a management system that is intended to do justice to this world must also be adapted again and again. This happens at regular intervals. Sometimes there is a minor revision, for example in 2008, and other times there is a complete revision, for example in 2015. And sometimes there is no revision at all, for example in 2021/2022. No minor, no major, simply no revision at all.
Why is that? Because, according to well-informed circles, it is not so much necessary at the present time. And I, as a consultant and auditor for management systems according to ISO 9001, would like to agree with this. Completely. Let’s first learn to understand and implement the “old” 2015 version even better. And for that, it’s worth diving into the findings from the last six years, i.e. since the introduction of ISO 9001:2015.
Basically, a quality management system can and must always be understood holistically. It begins and ends with leadership – with a detailed path through the entire company and its context. Nothing has changed in this respect. This means that anyone who relates quality management exclusively to product or service quality has understood neither the one nor the other.
So where exactly does the challenge still exist? In many organizations, the necessary context to be considered is still analyzed rather half-heartedly. Yet it is precisely this analysis that must be the starting point of the entire management system. There are several methods for addressing this issue systematically and in a content-rich manner: PESTEL analysis or SWOT analysis are just two examples, which are also explicitly mentioned and thus recommended in ISO/TS 9002:2016. The reality in organizations often looks like this: A list of external and internal issues and interested parties was established after 2015. This list has existed since then and is confirmed annually, so to speak: “still applies”, “nothing has changed”, etc. Admittedly, this is compliant with standards. But it does not make sense.
Tip: Companies should take much more time to look at the contextual systematically, analytically, seriously and constructively. Here, the standard is up to date; one or the other company is still on the way.
The next step is to determine the necessary processes. Processes are still very often understood as descriptions of procedures. Of course, processes are also procedures. But they are procedures that have to be controlled. And that is the big difference to procedures. It is of enormous importance to understand this distinction.
In procedures, it is basically already clear at the beginning what will be achieved at the end. Let’s take the handling of a vacation request as a very simple example. In the end, it is approved or rejected. That’s it. There is a fixed procedure that must be followed. This does not mean that a procedure is less important than a process! Only the control postulate is missing.
In the case of processes, it is generally not clear at the beginning what will be achieved at the end. Let’s take the sale of a product here. It is not possible to say when, how much, at what price to whom something will be sold. A process description helps, but it must be controlled. To be able to do this, a clear objective with realistic targets and corresponding performance indicators is necessary. Based on these, the process can be steered towards the target setting. This is still a very big challenge for companies.
Tip: Companies should always reflect on their processes and consider the two questions: Is this really a process that can and must be controlled? And what significance does this process have for the overall result of the company?
Basically, a quality management system can and must always be understood holistically. It begins and ends with leadership. And here it is necessary to consider the operating system of the management system: the quality policy. Or the corporate policy. It must be clear why and for what purpose the company acts the way it does. This requires a general understanding of everyone in the company, the famous commitment. This requires understanding the context and the expectations and needs of interested parties. And for that, in turn, the current and future direction of the company must be clear. This seems logical. But it isn’t. In many companies, the quality or corporate policy is arbitrary and thus interchangeable: “With our outstanding employees, we create the highest customer satisfaction.” But that can be true for manufacturers of spaceships as well as for chewing gum rental companies. A serious commitment is not possible here – no matter how well this commonplace is communicated as a policy within the company. This is still frequently found in companies.
Tip: Companies should formulate a quality policy for themselves that is tailored to their company, reflects their daily actions and with which all employees, but also customers and suppliers, can and want to identify.
Risk-based thinking! An important catchword that has its starting point in ISO 9001:2015 and can be found in many ways in companies. Even if there are always one or two gaps in the corresponding measures that should be derived from risk identification and assessment. But the topic has arrived and, by and large, is being mastered. But risk is, after all, only one side of the coin. On the other side is the opportunity. And here we cannot speak of a gap – rather of a gorge. The good thing is that this gorge is full of opportunities. But few companies dive into this topic constructively. Now, a management system is not highly dysfunctional because opportunities are not recognized, or even sought. But then it is not functional either.
The topic “opportunities” was newly introduced in 2015, so it had no tradition in quality management. Continuous or ongoing “improvement” is not the same as “opportunities”; actually, everyone is clear about that, too. But how to deal with the topic systematically is certainly still one of the greatest potentials of ISO 9001:2015. Because, as one sees more often in companies: achieving a process or even a company goal is not an opportunity; that is the intention, the goal. Opportunities arise beyond the goals. Let’s take an example: In a nursing home, a company health management is introduced for the employees in order to prevent damage to their health. But now that occupational health management is in place in the company, why not communicate this to the outside world via HR marketing and thus make oneself more attractive as an employer?
Tip: Companies should look at/question their processes, their procedures, their resources, their suppliers, their employees and others much more intensively to see which “already there” prerequisites are present – and thus derive which opportunities arise for the company’s objectives.
These are just four topics where ISO 9001 still holds a lot of potential. There are others. However, a brief outline should be drawn here. And should it now become “boring” for companies after all, because they had waited in vain for a revision of ISO 9001: there is still ISO 9004 or the EFQM model or the GRI standards … in other words: there is always something to do. It will always be advisable to surface from the daily work routine, get an overview, and then purposefully dive back into one of the many topics and lift the corresponding “ISO 9001 treasures”. And you can hardly do anything wrong in the process!