Outsourced processes must be controlled by the organisation and these controls must be defined and described within their system. Organisations are required to identify the controls they apply for any outsourced processes. Examples of some outsourced processes include:

• A process completed wholly or partially by a sister facility outside the scope of management system, such as performing design, purchasing or customer related processes, including management activities such as business planning, goal setting, resources, data analysis, budgeting, etc. This may include the entire element or a subsection e.g. the sister facility completes supplier evaluation and re-evaluation of suppliers and the site running the management system initiates purchase orders.

• A process completed by an outside supplier or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc. These types of processes may be controlled by the purchasing process where a formal contract or purchase order may be the controls. If this is the case, written documentation would be the purchasing documentation and records, however these processes are required to be documented.

If an outsourced process is controlled through purchasing, there must be documented objective evidence to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes.

Outsourced processes may be controlled through such methods as, but not limited to, auditing, contractual agreements, process performance data review on an on-going basis of purchasing processes.

Ensuring control over outsourced processes does not absolve the organisation of the responsibility for conforming to customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as the potential impact of the outsourced process on the organisation’s capability to provide a product or service that conforms to requirements, the degree to which the control of the process is shared, or the capability of achieving the necessary control through the application of the purchasing process.

You should expect to see evidence that your organisation has determined their processes and interactions. If your organisation calls it a ‘process’, it must be monitored for effectiveness and improved.

Look for evidence that your organisation has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organisation’s management system.

​You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organisation’s management system are planned.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Processes such as design and development, manufacturing, customer service and purchasing are key to giving the customer what they want.

Supporting processes do not contribute directly to what the customer wants but do help the key processes to achieve their output. Support processes include often human resources, finance, document control, training and facilities maintenance, etc.

A good way look at this is to think about how work flows through your organisation. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard, in fact put it in a draw and forget it exists. Instead focus on your key processes and how your departments interface with each other.

When defining your processes, try to keep it simple. A process such as ‘receiving inspection’ could be a a sub-process of the ‘purchasing’ process, for example. You are looking for a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as your company chooses.

It should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented the organisation may wish to consider factors such as:

• Effect on quality;
• Effect on the environment;
• Effect on safety and wellbeing;
• Risk of customer dissatisfaction;
• Statutory and/or regulatory requirements;
• Economic risk;
• Effectiveness and efficiency;
• Competence of personnel;
• Complexity of processes.

Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organisation’s processes, think about each process and department and try to define those processes around the current organisational model and not around the requirements of the standard. For each process, ensure that is has:

• Owner(s) and participants, defined and documented;
• Procedures, work instructions or forms;
• Inputs, activities and outputs;
• Key performance indicators;
• Risks and opportunities;
• A sequence and interaction of processes.

You want to make sure that your organisation has determined your processes and that the interactions are also defined, preferably (but not necessarily) within a management system manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship.

This requires that the description of the interactions between the processes should include process names, process inputs and process outputs in order define their interactions. Interaction means how one influences the other. The description of the interactions of the processes cannot be done if the processes are not determined (e.g. named).

As part of the standards, the organisation is not required to produce system maps, flow charts, lists of processes etc as evidence to demonstrate that the processes and their sequence and interactions have been determined - but certainly such documents will be useful, if not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

So far we've looked at setting up a management system for your organisation that conforms to ISO standards. But what evidence would you be able to show that it's working?

Evidence may include Top Management reviewing management system KPI’s as part of regular business reviews, awareness of contractors and employees of management system goals and expectations, etc. Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organisation has:

• Assigned duties/process owners;
• Assessed risks and opportunities;
• Provided resources;
• Maintained and retained documented information;
• Implemented measurement criteria;
• Improved the management system and its processes.

Ensure that the documentation created and maintained by your organisation to support the operation of the processes is undertaken. Such documentation might be in the form of a management system manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), universal or bespoke software, templates and forms, etc.

Documentation identified and retained by your organisation that shows that the processes were carried out as planned should be retained as physical hard copy records or electronic media (data servers, hard drives, flash drives etc.).

Specific documentation needs to be created and maintained by your organisation, including a description of relevant interested parties (Clause 4.2), scope of the management system including boundaries and applicability (Clause 4.3), description of the processes needed for the Management System together with their sequence, and interaction and application and assignment of responsibilities for your processes.

You should audit your organisation’s management system to focus on process performance and effectiveness. Give priority to the following:

• Review your organisation’s processes, their sequence and how they interact;
• Identify functions and the assignment of responsibilities;
• Review performance against requirements and defined measures, focusing on processes that directly impact the customer;
• Review your organisation’s process for monitoring and measurement, validation and approval of processes, and process changes;
• Review the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel;
• Review process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, and process capability determination;
• Review any existing plans to ensure performance objectives and targets are monitored, measured, and analysed in order to realise the planned activities and achieve the planned results;
• Review all applicable action taken when objectives and targets are not met to promote continual improvement;
• Pursue audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.

Based upon the extent of your organisation’s management system processes, you should seek evidence that your organisation has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.
​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

ISO 9001:2015 includes specific requirements necessary for the adoption of the processes approach when developing, implementing and improving a management system.

This requires your organisation to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and strategic direction. Although ISO 14001 and ISO 45001 do not ‘specifically’ require the adoption of the process approach, both standards do infer its use.

A process model explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy.

I suggest that you map out which departments and functions are responsible for executing each element (from Section 4.0 to Section 10.0) of the standard as it applies to each process. You are trying to determine:
​

• How well the ‘process approach’ is understood and deployed within the organisation;
• How well the management system aligns with the organisational context and the requirements of interested parties;
• How likely it is the management system will achieve its intended outcomes and enhance environmental, safety & quality performance;
• Identification of the processes needed for the management system (e.g. process models, process grouping, process flow diagram, etc);
• Management system processes and their sequence and interaction (e.g. process mapping, turtle diagrams, etc);
• What information exists to ensure effective operation and control of the processes (e.g. defined process requirements, defined roles, required competencies, associated training, guidance material, etc);
• How the expected inputs and outputs from each of the identified processes, together with assignment of responsibilities and authorities, are aligned;
• The necessary criteria and methods to ensure effective operation and control of the processes (e.g. process monitoring indicators, performance indicators, target setting, data collection, trend analysis, audit results, etc);
• The arrangements for governing the processes (e.g. process reviews, dashboards, risks and opportunities relating to the process, resource needs, user training and competency, continual improvement initiatives, frequency of reviews, agenda, minutes, actions, etc);
• The organisational approach towards continual improvement and the type of action taken when process performance is not meeting intended results;
• How the capture of customer, statutory and regulatory requirements is achieved, and the method used to build these into the Management System (e.g. requirements capture, gap analysis, requirements embedded into the process definition, assigned contract assurance instructions, formal links to information, use of specified documentation, etc).

Existing operational procedures, quality manuals, work instructions and flow charts are valid examples of documented information and can be used to evidence the requirement for ‘documented information to support the operation of processes is being met’. Check that process inputs and outputs are defined, and review how each of the processes are sequenced and how they interact.

Your organisation should begin using quality, health and safety, and environmental performance indicators to control and monitor issues, and associated risks and opportunities. These types of objective evidence will indicate that your organisation has successfully integrated your management system processes into your business processes.
​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Defining the scope of your management system is a key step when developing any management system. The scope should concisely describe the activities, regulatory requirements, facilities, and remote locations that are to be covered under, and supported by, the management system.

The scope of registration and certification (if you decide to go down this route) will need to reflect precisely and clearly the activities covered by your organisation’s management system - any exclusion to non-applicable requirements of the standards should be documented and justified.

From a review of the nature of your business’ operations, products and services, the scope of the management system should be apparent by the extent of the processes and controls that your organisation has already established.

Look for confirmation that your organisation has determined the boundaries and applicability of the management system to establish its scope with reference to any external and internal issues (discussed below), the requirements of relevant interested parties (also discussed below), and the nature of your organisation’s products and services. Consideration of the boundaries and applicability of the management system can include:

• The range of products and/or services;
• Different sites and activities;
• External provision of processes, products and services;
• Common support provided by centralised functions;
• Processes, procedures, instructions, or site-specific requirements.

The scope of your management system may include the whole of the organisation, specific and identified functions within the organisation, specific sections of the organisation, or one or more functions across a group of organisations.

Ensure that your organisation has considered its degree of control and influence over its activities, products and services from a lifecycle perspective. The degree of control needs to be determined for environmental aspects associated with such things as procured goods and services, outsourced processes, product performance requirements, and end of life treatment (recycling, disposal, etc).

The management system scope must be retained as documented information. If you’re getting certified, the scope statement is normally shown on the certificate, for most Certification Bodies, in 15 words or less. Here are two examples shown below:

‘provision of marketing, sales, support, development and implementation of software solutions, located at…’

‘manufacture of precision machined components for aerospace and industrial customers, including the delivery of these activities to requirements, located at…’

You may not design your products because your customers supply product specifications and drawings, in which case you can exclude the product design processes and requirements.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).