Policy management best practices 

Posted by Emily Hill on Mon, Mar 05, 2018

Every governance, risk and compliance person, regardless of the type of business they work for, wants their policies to be read and understood by their employees, customers and suppliers. 

But let's face it - most employees probably aren't engaging with your policies. After all, you wouldn't be getting so many repeated mistakes and issues if they had really read and understood your policies. 

Kate Armitage, Product Quality Assurance Manager at Qualsys, has earned a reputation for making even the driest of subjects interesting and thought-provoking. 

So when it comes to creating Qualsys's policies, she's always got a strategy for raising awareness, getting everyone on board and making real business improvement. 

In this article, Kate has shared 7 top tips for creating policies that are effective and engaging.


1) Establish a process for creating policies

Create a process for creating policies. You can do this within our Document Manager software (see image below). 

Image: Policies within our software

Determine what policies are needed. Typical business policies: 

  • Electronic device policy
  • Flexible working policy
  • Risk management policy
  • Quality policy
  • Information security 
  • Business continuity and disaster recovery planning
  • Ethical policy
  • Equal opportunities policy
  • Data protection policy 
  • Health and safety policy

Standardise a template for the processes and procedures. This way there is a common look and feel to all the documentation. Here is our privacy policy example. 


2) Don't do it on your own

All of your policies should have an official owner. But that doesn't mean you have to do everything. For example, get relevant departments to be part of the approval cycle before the policy goes live. Below is an example of how this works in our software. 

Image: Approval path example

Give employees ownership, assign responsibility and create the processes and procedures with the staff members who are doing the work. This way your team feel involved and empowered and more likely to share any ideas or risks. 


3) Link between policies

Create good links between different policies and documents where relevant. This will encourage users to read around and you can improve views of your policies by up to over ten times.


Image: Example of Qualsys's policy map 


4) Make your policies really simple

Good communicators make themselves look smart. Great communicators make their audiences feel smart.

First, read this. Now the rule is to keep your policies as simple as possible.



5) Cater for different learning styles 

When you're writing a policy, first and foremost you are becoming a teacher. Good teachers cater to different learning styles. For example, create process flow diagrams to support the written processes, as a visual representation often aids understanding. Or, if you have the time, create a video, webinar or audio recording to go with the written policy.


6) PDCA 

Always remember that, as well as planning and implementing the policies, you are also discussing and reviewing the processes during your audit schedule. 


7) Use our software to manage all of your policies

Your policies should not be dispersed, nor should they only exist on paper. You need a system which provides a framework for managing and controlling your policies. Our software enables you to manage the entire life cycle of your policies. 

See our policy management module in action. 


What you should do now

Try our Stakeholder engagement template for a free step-by-step guide to getting your team engaged with quality. 



Tags: ISO 9001:2015, Policy management

ISO 9001:2015: 3 examples of top management demonstrating commitment to the quality management system

Posted by Emily Hill on Thu, Jun 01, 2017


We've talked a lot recently about the new ISO 9001:2015 leadership requirements:

"All quality initiatives are destined to fail without support from leadership."

- John Frankin Acre, JFA Geestao & Technologies

Clause 5.1 of ISO 9001:2015 requires top management to demonstrate both leadership and commitment to the quality management system. Top management must drive continual improvement. 

However, a lot of quality professionals feel top management are not fulfilling their requirements – 67%, in fact (according to the Global Quality Survey 2017). 

So how should top management demonstrate their commitment? Below, we share three examples and give you the opportunity to share your own experiences in this short survey. 

"As soon as leadership got engaged with quality, we found quality took another shape and became a strategic priority for every employee."

- Amr Abour-bakr, Orana Egypt

Example 1: Talking to customers

Part of Qualsys's transition to ISO 9001:2015 has been to formalise existing activities. For example, Qualsys's Managing Director, Mike Pound, has been visiting his company's customers for the past 22 years. But he's now made that a formal duty by setting aside time in his diary to visit three customers every month. 

Mike says: "Now that Qualsys has grown to just under 50 employees, it's more important than ever to make sure we connect with our customers so we can align their needs with our own strategic priorities. 

"In the past month, I've been to see Bunzl, W. E. Rawson and Biocair. I find visiting customers very insightful and I think every managing director should take the time to understand the risks and opportunities their customers face." 

"Senior management and management want to concentrate on sales and profit. We demonstrate how the quality management system can enhance profit. I hold regular meetings with the management teams and feed back the improvements the management system is making to their business."

- Roy Jones, RJ Project Management


Example 2: Encouraging departments to communicate

During the User Group 2017, John Oakland spoke at length about how a large textile manufacturer transformed its brand's reputation by demonstrating quality performance. 

John said: "This brand had a poor reputation for on-time delivery, but the operational team and the quality team worked really hard for two or three years to nail it. They worked it to death. Eventually, they got absolutely brilliant at it.

"After this, they asked all of their customers, 'What do you think of our on-time delivery now?'. And the customers still said it was poor. And that was because the customers were still thinking about the brand back when the firm's quality performance wasn't as mature."

John continued: "So the quality team realised they had to train their sales team to go and sit with the customer and show a record of their performance, which demonstrated to the customer that they'd delivered on time, every time. And the customer would be very surprised.

"Quality managers need to work on communicating good quality performance – that is partly their job. If you don't help people to translate good quality performance into business language, it's not going to happen."

Quality managers can help leadership engage and demonstrate commitment by translating quality performance into business marketing language. 

Watch John's presentation in full

Example 3: Investing in tools

Gemma Baldan, Key Account Manager at Qualsys, says: "For many organisations, leadership demonstrate their commitment by providing the tools to embed, communicate and manage quality. 

"For example, the University of Leeds is very quality-driven. Messages come from the top of their organisation using their electronic quality management system EQMS, and that makes for a very successful and positive company culture." 

Many top management teams use EQMS to demonstrate their commitment to quality by: 

  • Informing everyone of the system's importance
  • Making it easy for everyone to participate, take ownership and manage their responsibilities
  • Investing in a solution which benefits everyone
  • Using the KPI dashboard to give leadership an instant, real-time picture of the business
  • Ensuring the quality policy and quality objectives are compatible with the strategic direction and the "Context of the Organisation"
  • Monitoring the system's performance.

In this case study, Lee Clack, Quality Manager at W. E. Rawson, talks about how he communicated to his top management that the company needed a tool to centralise its quality, health and safety and environmental management systems. 

What are your thoughts? Do you have any examples of top management demonstrating commitment to quality we can share with other quality professionals?

Share your examples and ideas in the quick survey below: 






Tags: ISO 9001:2015

Industry 4.0: Why it pays to be a smart factory

Posted by Marc Gardner on Tue, May 16, 2017

As we stand on the cusp of Industry 4.0, many organisations are facing down the challenge of digitisation and actively investing in new technologies. But for those businesses working in heavily-regulated industries, what might the revolution mean for quality management and compliance?

It's adapt with the times or face being left behind. Despite the uncertainty of Brexit, manufacturers have shown great resilience in coping with the demands of digitisation. And any business that chooses to embrace the opportunities provided by new and emerging technologies will reap the rewards when it comes to quality, productivity and compliance.

Below, we look at five organisations who have moved to get ahead of the game by building the latest technology into their business. 

#1 – Productivity gains – Ocado

Enter one of Ocado's enormous warehouses and you'll see robot pickers moving around a grid, retrieving items as needed and operated in real time via a carefully co-ordinated 4G radio-control system. By employing such ground-breaking automation, Ocado have been able to establish themselves as the world’s largest online-only grocery retailer, shipping more than 200,000 orders every week to customers around the UK.

#2 – Greater agility – Yazaki Europe Ltd

When auditing its many suppliers, sites and customer service centres, automotive parts supplier Yazaki Europe Ltd encountered a number of isolated systems and processes, and no method of recording data beyond manual spreadsheets. To eliminate this problem, Yazaki adopted an electronic integrated audit-management system that standardised the audit process and made complying with the numerous standards and regulations much more straightforward.

#3 – Lifecycle management – Briggs Automotive Company

For British supercar manufacturers Briggs Automotive Company, makers of the BAC Mono, a "Formula 1 car for the road", having access to the most cutting-edge design tools was vital if they were to continue revolutionising in their field. Using product lifecycle management (PLM) software, the company create fully customised specifications of their vehicles and visualise and simulate designs three-dimensionally before going into production.

Photo credit: Bryn Musselwhite

#4 – Enforced workflows – W.E. Rawson Ltd

W.E. Rawson Ltd has been manufacturing and distributing non-woven textiles from their site in Wakefield for 150 years. But the company was found wanting when it came to systems for recording and analysing data for continuous improvement. With that in mind, quality managers took steps to implement a quality management system that would give them greater control over documentation, better training provision, and more effective reporting tools for measuring trends in data. Integrated and connected event-based triggers within the system would ensure that any compliance and quality issues could not be overlooked.

#5 – Lower overheads – Sodexo

With nearly 425,000 employees operating in 80 countries worldwide, Sodexo are constantly battling to keep pace with ever-evolving standards in a heavily regulated market. With that comes documentation. Lots of it. Facing huge overheads and a heavy administrative burden, Sodexo implemented an electronic document management system, enabling them to communicate more effectively across sites and provide documents to their staff and clients much more promptly.

So, the question is not if you should become a smart factory, but when. Then consider which technologies you should adopt and how you should implement them.


What you should do now

For more information about how to integrate EQMS with your existing manufacturing processes, download Qualsys's ISO 9001:2015 toolkit.



Tags: ISO 9001:2015, Operational Excellence

5 tips for tackling Context of the Organisation

Posted by Emily Hill on Thu, Apr 27, 2017

With 37% of organisations planning to transition to ISO 9001:2015 this year, it's important that you have the best information. The ISO 9001:2015 toolkit is a free resource Qualsys uses to share useful information to support you throughout your transition. 

Recently, we have received a number of requests on how to best tackle the new clause, "Context of the Organisation".  

We reached out to quality professionals across the globe and asked them to share their advice, experience and templates. Below are five top tips for tackling "Context of the Organisation".

How to tackle context of the organisation

#1 – Don't over-complicate things 

Colin Partington of CPA Associates:

"This is much easier than many people are making it. When you look at an organisation's name it may tell you what they do (e.g. 'Smith's Timber Supplies', or 'Jones' Solicitors'), or it may be less clear, such as 'Partington Associates' or 'Bartons'. The context clause requires the organisation to identify what they do and to tell people, but it also requires them to identify which other groups may impact upon the organisation (e.g. suppliers, customers, regulators, industry associations etc.).

"You must identify what you do and tell people, but also identify which other groups may impact upon your organisation."

"Once identified, they need periodic review to ensure that they are still valid – management review is a good time for it. On the second point regarding internal audits, I wouldn't audit it separately; it should be covered when auditing top management and so on."

Context of the Organisation explained

#2 – Do a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis

Dr Anu Spratley, EHS Manager, Cathedral Hygiene:

"For ISO 14001:2015, I explored all our internal and external opportunities and threats, then reviewed stakeholder needs. I then looked at issues associated with them, what we had control of, and what we do not have control of." 

Another quality leader:

"I tried to answer the following questions:

  • Who are our interested parties and what are their requirements?
  • What is the purpose of our organisation existing and sustaining over time?
  • What environment are we operating in (e.g. scale, geography, standard, technology specialisation etc.)?

This will give you the context of the organisation."

"What is the purpose of our organisation? What environment are we operating in?"

A simple, pragmatic approach

Lots of quality professionals recommend that you: 

  • Set out all environmental conditions that directly or indirectly impact your organisation.
  • Analyse the details of each condition.
  • Make a plan to anticipate every condition that might arise.
  • Put the conditions in a risk management worksheet.

Context of the Organisation explained 

 Requirements for quality professionals
In this free webinar, Richard Green, ISO Quality Management Consultant, discusses how quality professionals can ensure their organisation meets the new requirements of ISO 9001:2015

#3 – Align quality with your organisation's strategic priorities

Tim Welford, ECLM Ltd:

"Look at statement of purpose, business plans and business development plans and ask what has been taken into account or not and why in both cases.

"What market research has taken place that affects the business opportunities and commitment to the context of objective setting? Has this thinking taken on board due diligence, the factors and areas of the full business current operations and each section development plans that are aligned to the core purpose?"

Download our playbook "Align Quality Priorities with the Strategic Direction of the Organisation"

#4 – Start with the regulatory requirements

In heavily regulated industries, "Context of the Organisation" means focusing on those regulations.

Quality manager in the aviation industry:

"We work in a heavily regulated industry, where context is defined by the applicable regulated framework: maintenance, airworthiness management, design and production of new components/modifications."

Subscribe to our free governance, risk and compliance newsletter

#5 – Use the free help available online 

One quality professional said: "We used PS ISO/TS 9002:2016 QMS guidelines issued by BSI, along with information from eqms.co.uk." 

Use Qualsys's ISO 9001:2015 Toolkit


Richard Green, ISO Quality Management Consultant, talks about how best to analyse the "Context of the Organisation" 


What you should do now

Learn how EQMS can help your organisation manage business processes and ISO requirements by requesting a 30-minute demonstration with a member of our team.



Tags: ISO 9001:2015

What United Airlines can teach us about processes and people

Posted by Emily Hill on Tue, Apr 18, 2017

Your company has been there - your staff followed a set process, but it failed to meet the needs of your customer. Perhaps your company over-promised and under-delivered, or delivered nothing at all. It resulted in a customer complaint, lost your company money and potentially a bad review. 

However, few companies have faced as much outrage as United Airlines last week. 

Turbulence on the ground

The airline suffered a public relations nightmare after a video showed security officers dragging a bloodied passenger off an overbooked flight in Chicago to make space for a member of staff. The result was backlash on social media, billions of dollars wiped off their market share and a seriously tarnished reputation.

In an interview with ABC's Good Morning America, Oscar Munoz, CEO of United's parent company, said he felt "ashamed" and has promised to review the airline's passenger-removal policy.

Munoz said: "That is not who our family at United is. This will never happen again on a United flight. That's my promise."  

We could focus on why a thorough risk assessment hadn't been done on the policy beforehand to prevent such a PR disaster. However, one of the most worrying aspects of what happened was that none of the staff took the initiative to stop the situation before it got out of control. 

The staff followed the set process, but they forgot the most important thing: the people.

The airline invites you to "fly the friendly skies", so why were they not friendly on the ground? Why didn't the airline staff help the customer? Why didn't they step in, realising how much the flight meant to him? 


Moral conscience of the organisation

Kate Armitage, Quality Manager at Qualsys Ltd, said: "This incident raises an important question - where was the moral conscience of the organisation? Indeed, United Airlines had the right to remove a passenger. It doesn't mean that it was the right thing to do."

Armitage continued: "The purpose of ISO 9001:2015 is to ensure the organisation is consistently supplying products and services that meet customer requirements. This incident shows employees following a policy, but forgetting customer needs."  

The revised ISO 9001:2015 standard has more explicit requirements for leadership commitment, risk-based thinking and a process approach. Changing employee mindset from rules-based to full ownership and accountability is essential for organisations to remain certified, and for a culture of quality. 

Armitage added: "Organisations need to move beyond rules-based processes of the past - where employees feel they must simply follow a set process, towards a "true culture of quality" - an environment in which employees seek improvement." 

Read: 4 Essentials for a Culture of Quality - Harvard Business Review  




Start by Assessing Behaviour

So how can organisations encourage ownership, accountability and improvement? 

In Culture May Be The Wrong Question, Norman Marks says that while we should be worrying about culture, it can be difficult to assess, as there is hardly ever a single culture.

There are also often differences between teams, locations, as well as changes over time. 

Instead, Marks suggests we start by assessing behaviour.

How to do this?

In the article, Marks suggests taking the list below and making it specific for your own organisation. Then assess each attribute for your team, department, location and organisation as a whole. 

  1. What behaviours do you want your organisation and its people to demonstrate every day?
  2. What are the risks to achieving the objective you just defined?
  3. What actions (i.e., controls) are you taking to provide reasonable assurance of appropriate behavior?
  4. Is there reasonable assurance, or are the risks to behaviour outside desired levels?
  5. How are you monitoring both the level of risk and the incidence of undesired behaviour? 
  6. What needs to be done to provide reasonable assurance that people, both individuals and groups, will behave the way we need them to behave?

Read the full article here


Change Behaviour

If you found any weaknesses and inconsistencies across your organisation, Michael Ord, Director at Qualsys Ltd suggests building a stakeholder engagement plan. He said: "Introducing behavioural change can be incredibly challenging. There are many moving parts and it can be difficult to measure.

"To help quality professionals navigate this shift, we have created a stakeholder engagement toolkit. The toolkit gives you a step-by-step guide to make you an agent of change." 

To become a change-agent, download the Stakeholder Engagement Toolkit here.


Change company culture

Alternatively, to learn more about the new ISO 9001 risk-based thinking requirements, download the ISO 9001:2015 toolkit or sign up for the ISO 31000 toolkit.


Tags: ISO 9001:2015

Quality management software for ISO 9001:2015 – clause by clause

Posted by Emily Hill on Fri, Feb 24, 2017


Every day we get quality professionals asking us how they can use EQMS to meet the requirements of ISO 9001, ISO 14001, and other management system standards. 

Below, we have broken down many of the main requirements for ISO 9001 and provided brief examples of how EQMS will help manage each of these requirements. 

Hopefully this guide gives you a taster of how EQMS can help you manage your own ISO 9001:2015 requirements. In no way is this an exhaustive list of all the ISO 9001 requirements, nor does it share all of the functionality of EQMS, but it should help you visualise how quality management software can help you fully comply with ISO 9001:2015.


Clause  Requirements  Example of how EQMS helps 
4. Context of the organisation    
4.1 Understanding the organisation and its context

Identify, monitor, and review external and internal issues that are relevant to its purpose and strategic direction. 

You can use EQMS Risk Manager to identify, monitor and review issues and risks relevant to your organisation's strategic direction.

Identify and monitor risks with EQMS

Image: Example risks in EQMS

4.2 Understanding the needs and expectations of interested parties

The organisation must determine the relevant requirements of relevant interested parties. It must then monitor and review the information about these parties and their requirements. 

You can monitor and review interested parties' relevant requirements in EQMS. For example, you can use EQMS Training Records Manager to assess training needs and any gaps in performance. 

Monitor and review training with EQMS

Image: Example training matrix in EQMS

4.3 Determine the scope of the quality management system

The scope of the quality management system must be made available and maintained as documented information. 

You can store the scope of the quality management system in EQMS Document Manager and communicate it to the whole organisation. Versions can be easily controlled. You can use the audit trail to view all changes that have been made. 

Control and manage documents

Image: Example Document Navigator Tree in EQMS

4.4 Quality management system and its processes 

The organisation must establish a process-based quality management system.

Once in place, the QMS needs to be maintained and continually improved.  


With EQMS, you can manage, monitor and evaluate all processes at the click of a button.

Learn more about a process-based quality management system here. 

You can view performance-related indicators either through the EQMS KPI Dashboard or via customised reports.

5. Leadership    
5.1 Leadership and commitment 

Leadership must ensure that their quality policy and objectives are consistent with the strategic direction of the organisation. 

Leadership must promote awareness and adoption of the process approach and risk-based thinking. 


EQMS ensures leadership can easily take a "hands on" approach.

Learn how Sodexo's leadership communicates policies with EQMS here. 

The EQMS KPI Dashboard ensures there is one single source of truth for all activity across the organisation, enabling the leadership team to get more visibility, promote awareness, and know how the business is performing. 

EQMS KPI Dashboard

Image: Example KPI Dashboard in EQMS

5.2 Policy

Top management must establish a quality policy that is appropriate to the purpose and strategic direction of the organisation.

EQMS makes it easy for top management to implement and systematically maintain the quality policy and ensure it is applied throughout the organisation. For example, EQMS Document Manager ensures all employees have read and acknowledged the required documents.  

Employees read and acknowledge documents

Image: Example document acknowledge in EQMS

5.3 Organisational roles, responsibilities and authorities

Top management needs to ensure the necessary responsibilities and authorities are assigned to the roles within the organisation designated to carry out quality-related objectives. 

EQMS has customisable workflows built into its framework to ensure that necessary responsibility and authorities are completed within required timeframes. 

Customised workflows for assigning roles

Image: Example workflow

6. Planning

6.1 Actions to address risks and opportunities

The organisation must determine the risks and opportunities that need to be addressed for its given context. 

EQMS Risk Manager allows you to employ ISO 31000, COSO, SOX, Basel, AS/NZS 4360 or your own unique control framework to identify, quantify, and prioritise risks and opportunities. 

 Identify and prioritise risk with EQMS

Image: Example risk categories in EQMS Risk Manager

6.2 Quality objectives and planning to achieve them

The organisation must set quality objectives for relevant functions, levels and processes within its quality management system. 

EQMS allows you to set quality objectives and monitor your progress in achieving those objectives. 

See KPIs with EQMS.

6.3 Planning changes

When the organisation determines there is a need to change the quality management system, the change must be carried out in a planned and systematic manner. 

With EQMS Change Manager, you can manage any changes to your quality management system through a workflow. This allows you to assess whether the integrity of your quality management system could be compromised. 

Use EQMS to manage changes to your system

Image: Example changes paths in EQMS

7. Support    
7.1 Resources

The organisation must determine and provide all the resources needed to establish, implement, maintain, and improve the quality management system.

EQMS Document Manager allows you to document all the resources needed for a management system, including people, infrastructure, the environment for the operation of processes, monitoring and measuring resources, and organisational knowledge. 

Plan resources with EQMS

Image: Plan resource requirements in EQMS

7.2 Competence

The organisation must determine the competency requirements for those people performing work under its control. 

EQMS Training Records Manager allows you to identify competency issues with quick and easy overviews or drill-down records.

Identify competency issues with EQMS

Image: Run 100s of different custom reports about training records in EQMS

7.3 Awareness

The organisation must ensure that all people doing work under its control are aware of the quality policy and objectives, and how they are contributing to the effectiveness of the QMS. 

EQMS makes it easy to ensure that anyone who is working under the organisation's control is aware of the implications of not conforming to the quality management system. 

For example, a new employee can be sent the quality policy and the objectives. They can then acknowledge that they have read and understood the implications of not conforming to the quality management system.

Make staff aware of quality policy

Image: How to acknowledge quality policy in EQMS

7.4 Communication

The organisation must determine the quality management system-related matters on which it wishes to communicate. 

EQMS makes it easy to communicate quickly and effectively with stakeholders. You can send emails and push notifications to staff when you need to communicate quality management system-related matters, or staff can view activity on their 'To Do' list. 

Easy communication with stakeholders

Image: To do list in EQMS

7.5 Documented information

The organisation must document information required for ISO 9001:2015 and for the effective operation of its quality management system. 

EQMS makes it easy to control documented information to ensure it is available where and when needed, and that it is suitable for use. All documented information is controlled within EQMS, with unique identifiers, authors, reference numbers etc. 


Control documents as best practice

Image: Documented information follows a best practice approach in EQMS

8. Operation     
8.1 Operational planning and control

The organisation must plan, implement and control processes to meet the requirements for delivering products and services. 

EQMS makes it easy to plan, implement and control processes. 

Plan and control processes easily

Image: View all activity related to a process on one screen.

8.2 Requirements for products and services

Organisations must be able to determine and review requirements for products and services, and document customer communication and feedback.

EQMS Issues Manager makes it easy to log and manage customer feedback. Any user can raise an issue, meaning your organisation always has an up-to-date, real-time overview of any issues relating to customer communication.

8.3 Design and development of products and services

Organisations must establish, implement and maintain a design and development process.

EQMS allows you to apply controls to your design and development process. For example, you can annotate and control even complex CAD drawings, and view all changes through the audit trail.  


8.4 Control of externally provided processes, products and services

The organisation must ensure that processes, products or services provided externally meet requirements. 

EQMS provides a framework to monitor external providers' performance and have the results of that monitoring, any further re-evaluation, and any necessary actions as documented information. 

Monitor and assess supplier performance

8.5 Production and service provision  The organisation must control the way in which they produce their products and services. 

EQMS ensures monitoring and measuring activities will be carried out at appropriate points. It allows you to verify that processes are being controlled and that outputs, products, and services are meeting their acceptance criteria. 

The integrated EQMS modules make it easy to understand control changes. 

8.6 Release of products and services  The organisation must carry out predetermined arrangements at appropriate stages of the production / service delivery in order to verify that products and services meet all requirements.

By using EQMS to plan, manage and control workflows, it becomes easy to retain documented information. EQMS Audit and Inspection Manager makes internal audits quick and easy, and allows you to reschedule audits as frequently as you need.

8.7 Control of nonconforming outputs  The organisation must identify any outputs that do not conform to its intended requirements and establish and implement controls to ensure that these non-conforming outputs are neither delivered to the customer nor used unintentionally. 

EQMS Issues Manager ensures that any changes are managed and controlled before they are released to customers. You can use the EQMS workflows to predefine who will decide what action is taken. 

Easily manage issues and changes

Image: EQMS Issues Manager allows changes to be easily managed

9. Performance evaluation    
9.1 General  The organisation must determine what it needs to monitor and measure.

EQMS brings all information together to provide an extensive range of custom reports, making it easy for you to adapt your quality management system to your changing requirements (for example, you can measure customer satisfaction through the number of complaints, or the time taken to respond to issues). EQMS gives you many options to analyse, evaluate and manipulate the data.

9.2 Internal audit  The organisation must carry out internal audits at planned intervals. 

EQMS Audit and Inspection Manager makes it easy to schedule, plan and manage audits. Any non-conformities or issues raised can then trigger a workflow. 

The integrated modules make it easy to manage audits from the planning phase. 

Schedule, plan and manage audits

Image: The iEQMS Audit Manager app allows audits on-the-go without duplicating any effort.

9.3 Management review Top management must carry out reviews at planned intervals to ensure the quality management system continues to be suitable and effective. 

EQMS Audit and Inspection Manager has predefined checklists and audits, making it easy for you to determine the effectiveness of your quality management system. 

Review QMS with visual reports

Image: Use visual reports to quickly review your QMS

10. Improvement    

10.1 General 

Organisations must actively seek and take opportunities to improve so they can better meet customers' requirements and generate greater customer satisfaction. 

EQMS ensures risk-based thinking is embedded in all processes. Permissions controls in EQMS Document Manager protect the security of your information without harming your business's performance. You can commit to ongoing improvement by using EQMS Audit Manager to schedule and carry out internal and supplier audits.

Schedule audits with EQMS

Image: EQMS Audit Manager lets you schedule repeated audits with ease

10.2 Non-conformity and corrective action 

The organisation must set out how it acts when a non-conformity occurs.

You can use EQMS Document Manager to document processes for following non-conformities. Also, EQMS Issues Manager has customisable and automated trigger workflows to ensure clear corrective action is taken.

10.3 Continual improvement

The organisation must use the outputs from analysis and evaluation and from management reviews to determine areas of underperformance and to identify any opportunities for improvement.

EQMS's KPI reporting enables management to view real-time reports with a range of custom widgets. Continuous monitoring of activity within EQMS and its reports allows you to commit to ongoing improvement with regular performance reviews.

What you should do now

Download the ISO 9001:2015 toolkit for more information on how your organisation can fully comply with the requirements. 




Tags: ISO 9001:2015

ISO 9001:2015 – Control of externally provided processes, products and services (clause 8.4)

Posted by Emily Hill on Thu, Feb 02, 2017


In the new ISO 9001:2015 standard, there are more rigorous requirements for managing suppliers. 

The following forms part one of three instalments of our ‘ISO 9001:2015 and Supplier Management’ series which focuses on the major changes of the standard.

Today we will focus on explaining the key changes introduced in ISO 9001:2015, Clause 8.4: Control of externally provided processes, products and services.


Why is it so important to manage suppliers? 

Supply chain networks are expanding and evolving at an unprecedented pace. At the same time, companies face enormous pressures to improve supply chain efficiency, reduce costs and mitigate risks involved in supplier compliance.

Poor supplier quality results in reputational damage, not to mention huge costs to your business. A supplier delay could push back your product deadlines and cause significant costs on a per day basis. Last year, one in three businesses felt the blow, experiencing cumulative losses over one million euros due to supplier failures.

Read more here


Clause 8.4  Key changes 


Clause 8.4 of the standard focuses our attention on our responsibility to control externally provided processes, products and services.

There are three main changes: 

1. Who are your suppliers?  

You will notice that there have been some small terminology changes in the new ISO 9001:2015 standard. "Purchasing" and "Outsourcing" are now called "externally provided processes, products and services". While this doesn't mean you need to update your terminology, ISO 9001:2015 has now made it more explicit who a supplier is.

A supplier is anyone who is a provider external to the scope of the quality management system.


ISO 9001:2015 requires the organisation to address all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organisation, or by any other means. 

It is also worth noting that an external provider is a provider external to the scope of the quality management system. This means that if a quality management scope covers a single site in a wider group structure, then anything sourced from other members of the group would be classed as externally provided and subject to the requirements.


2. Record the results of supplier activities 

In ISO 9001:2008 sub-clause 7.4.1, it was required to keep records of the criteria for selection, evaluation and re-evaluation of the suppliers.

In ISO 9001:2015, there is now an explicit requirement to ensure monitoring and measurement activities are undertaken at appropriate points.

The organisation is required to record not only the criteria, but also the results of these activities, including performance and monitoring. This has many implications for you if you haven’t previously maintained records of the results of supplier performance activities.




3. Verification activities 

In ISO 9001:2008, the organisation needed to ensure the purchased product met specified purchase requirements. In ISO 9001:2015, the verification needs to ensure "the externally provided processes, products and services meet requirements." 

If organisations were previously only verifying external provisions against the initial purchase requirements, rather than the ability of the provision to help the organisation to achieve their overall objectives, the organisation will need to update their processes and management system accordingly. Using EQMS Supplier Manager will help you systematically manage supplier records and performance. More about EQMS Supplier Manager here. 


Download the Supplier Management Webinar for a step-by-step guide to managing and controlling your external provisions. 




Tags: ISO 9001:2015, Supplier management

Leadership and Risk - Understanding ISO 9001:2015 Requirements [Video]

Posted by Emily Hill on Mon, Jan 23, 2017


One of the main changes in ISO 9001:2015 is more explicit leadership requirements to manage risk. However, these changes are causing a lot of confusion. So, what exactly does your leadership team need to do to meet the new requirements of ISO 9001?  

We asked Richard Green, Founder of Kingsford Consultancy Services to explain leadership, risk and ISO 9001:2015.

In the video below, Richard explains: 

Watch the video 


Transcript from the talk

How can you get top management to manage risk to meet ISO 9001:2015 Requirements? 

What are quality risks? 

If your organisation is still trading, it is probable that your top management already has a good appreciation of the risks the business faces. Your organisation probably has already put in place arrangements to both manage existing risks and to horizon scan for any new ones. 

In respect of your QMS, the risks you are concerned with are those which have the potential to impact:

  • Your organisation’s ability to consistently provide customers with conforming products and services
  • Your organisation’s ability to meet applicable statutory and regulatory requirements
  • Your organisation’s ability to enhance customer satisfaction


Top Management's Role

Firstly, ISO 9001:2015 states top management are responsible for ensuring the effectiveness of their organisation’s quality management system and for ensuring its intended results are achieved. 

They therefore need to be mindful of internal and external threats that could prevent them from delivering the intended results. However, risk can be positive as well as negative in the ISO world. Top management need to be mindful of opportunities which will facilitate the realisation of the intended results.

Secondly, top management are explicitly required to promote risk-based thinking in respect of their organisation’s QMS. This does not mean they have to do all of the risk-based thinking themselves, but they do need to evidence that they support a risk-based thinking approach.


What is Risk-Based Thinking

One of the key changes Annex SL has brought to existing MS standards is a systematic approach to the management of risk (P-D-C-A). We refer to this as ‘risk based thinking’. A useful overview of risk-based thinking is provided in 9001:2015’s introduction for those new to the subject or you can find an article here.

Risk-based thinking was implicit in ISO 9001:2008 (preventive action) – ISO 9001:2015 now makes the requirement explicit.


Why do we need risk-based thinking? 


Within our organisations different processes carry different levels of risks in terms of their potential impact on our organisation’s quality objectives and outcomes. We need to focus our efforts on our critical processes – how might they fail or how might they be improved?

Also, the consequences of experiencing a process, product, service or system nonconformity are not the same for all types of organisation. You’d therefore expect greater management of risk in a nuclear power station than a dog grooming business. So too would your auditor.


Where in ISO 9001:2015 is Risk-Based Thinking? 

Clause 4 Context - Determine the processes required for operation of the quality management system and the risks and opportunities associated with these processes.

Clause 5 Leadership – Top management must ensure that the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed.

Clause 6 Planning – to give assurance that the quality management system can achieve its intended result(s), prevent or reduce undesired effects and achieve continual improvement.

Clause 8 Operation - The organisation is required to implement processes to address risk and opportunities.

Clause 9 Performance Evaluation - The organisation is required to monitor, measure, analyse and evaluate risk and opportunities.

Clause 10 Improvement - The organisation is required to continually improve processes whilst responding to changes in risks and opportunities.

The requirements around risk are extensive. How can we ensure top management embrace these?


Grabbing the attention of Top Management

If top management are not engaged with respect to quality management system risk, what can you do?

  • Highlight the cost of quality failure - (Deepwater Horizon $43bn). As well as financial costs there is reputational damage or even jail.
  • Remember positive risk (opportunities) too – these include cost reduction, elimination of waste, faster to market and new innovations. Top management are always interested in bottom line improvement
  • Remind them this is not optional.


Approaches to Risk Management

ISO 9001:2015 doesn’t tell top management how to manage risk. It leaves that up to the organisation. Usually, it is the one(s) that works best for you. When selecting a risk assessment methodology, ensure:

  • It enables the requirements of 9001:2015 to be met
  • It is straightforward to use
  • It is not cost prohibitive to use
  • It gives consistent and repeatable results
  • It is universally applied across functions managing the same risks
  • There is documentation, training and support available in order to ensure it is properly applied

Here are some risk management techniques: 

  • ISO 31010 Risk Management – lists some Risk Assessment Techniques
  • Failure mode and effect analysis
  • Cause and effect analysis
  • Delphi technique – structured, interactive forecasting
  • Hazard analysis and critical control points
  • Scenario analysis
  • Root cause analysis
  • Risk Indices
  • Cost benefit analysis


For more information about the changes to ISO 9001:2015, download the ISO 9001:2015 toolkit here


Tags: ISO 9001:2015

Internal auditing challenges: Emerging trends from ISO 9001:2015

Posted by Emily Hill on Fri, Nov 18, 2016

Back in July 2014, Richard Green, CQI's former Head of Technical Services, said he believed the upcoming changes to ISO 9001 meant the auditor's role would transition from 'auditor' to 'assessor'. Auditors would increasingly need to deal with "shades of grey" and "new evidence sources would need to be examined".

Now that many organisations have made the transition to ISO 9001:2015, how have internal auditors coped with the new changes? Have the changes been logical? Are there brand-new challenges, problems and issues? 

In the following short videos, Richard Green shares five main challenges internal auditors may now have to face. 

1)  Internal auditing is still seen as a box-ticking exercise

Colin Partington, quality management consultant, says in 'Next Generation Auditing', Qualsys's whitepaper, that the changes in ISO 9001:2015 require internal auditors to move from procedure-based auditing to process-based auditing. He said this will drive a cultural shift from procedure auditing where "findings are discovered, corrective actions are made, and ultimately, boxes are ticked, to a more analytical approach which focuses on process auditing".

So, is there still a perception that ISO 9001 is a box-ticking exercise? Richard shares his thoughts: 






  • ISO 9001 makes top management responsible and accountable for carrying out a certain number of activities themselves.
  • Clause 5.1.1 lists some activities top management need to be involved in. Some they can delegate, others they can't.
  • This is all designed to bring people at the highest levels into the quality management system. It can no longer be centred around the quality management representative.
  • Leadership must promote quality management as a process and need to understand how all processes fit together.
  • There are also requirements around risk.
  • Leadership now need to make decisions around whether the system is effective, and rectify any issues.
  • It has come as quite a shock for some organisations but the changes are logical.

2)  Moving from procedure-based to process-based auditing

Clauses 4.4 and 6.6 of ISO 9001 say auditors must monitor, measure and evaluate their organisation's processes to make sure they are helping to achieve the outcomes the organisation wants. This requires process-based auditing.

As Colin Partington says: "Process-based auditing is more about following through a trail by taking a job from start to finish and reporting what is seen as it passes through the various departments. By taking this approach, a number of clauses can be covered in one audit."

So how are auditors coping with the new challenges? Richard explains: 







  • Things are now less clear cut than they used to be.
  • Context is amorphous – your perception of context is different from the auditor's.
  • The challenge for auditors, especially checklist auditors, is that it used to be black and white, but there are now a lot of grey areas. That's where the assessor comes in.
  • There now need to be judgment calls based on objective evidence that the auditors see.

3)  Leadership commitment to enforcing audit controls

Under ISO 9001:2015, senior management must be accountable for the effectiveness of their quality management system, and ensure that it delivers real improvements to their business.

But are internal auditors seeing the level of commitment they need from top management? And are top management listening to their internal auditors as much as they should be? Richard explains:







  • Internal auditors are the most valuable auditors out there.
  • Internal auditors understand the business and the standard processes; they know where your weaknesses are.
  • Internal auditing is too often seen as a secondary part of the role.
  • The organisation and top management need to recognise the real worth of their internal auditors, nurture and develop those people, and make use of their insight.
  • These are the people who are completely familiar with the business management system and can significantly impact the bottom line, if you listen to what they're saying.

4)  Speaking the language of the board

In 'Next Generation Auditing', Richard Green says: "Going forward, assessors are going to need to be able to speak the language of the boardroom. They will need to engage with top management regarding strategy and context, not minor operational matters. They will need to feel comfortable challenging individuals at this level." 

But are auditors comfortable challenging top management? What about when they have to deliver bad news? Richard shares his thoughts:







  • Auditors have always had to deliver bad news.
  • It's more challenging when bad news isn't directed at quality managers but at those people at the helm of the business.
  • In certain parts of the world, the very notion of challenging what top management do is completely alien to their business culture.
  • It'll be difficult and take a while for auditors to find their feet.
  • The skills set out in ISO 9011, in terms of the approach of auditing, diplomacy and tact, are all coming to the forefront now.

5)  Training to meet new requirements 

"Many auditors come to me overwhelmed with increasing commercial pressures and time constraints," Colin Partington says in 'Next Generation Auditing'. "Such issues can result in constrained or irrelevant information being delivered to senior management.

"To rectify this, as stated in ISO 9001:2015 4.1, Understanding the Organisation and its Context, the auditor must understand what the organisation does and what influences there are upon the organisation. How the auditor will establish these factors needs to be considered, almost certainly needing the top management to be interviewed to discover these." 

This requires a whole new skillset. So are auditors getting the training they need to meet the new requirements? Richard offers his response: 







  • When we saw the new version of ISO 9001:2015, the requirements were significantly different for auditors in terms of their skillset.
  • CQI's transition courses now actually last two days.
  • 85% of the transition course focuses on skills and behaviours.
  • Because auditors must be able to interpret all the diverse sources of evidence, they'll need to learn new skills.


What you should do now

Want more information about ISO 9001:2015? Download our toolkit.


Tags: Audit Management Software, ISO 9001:2015, Quality Culture

Cross-Functional Teams - Jaguar Land Rover Shares Advice

Posted by Emily Hill on Wed, Nov 16, 2016

Many businesses have realised how cross-functional teams can dramatically improve the products and services they provide. It makes the most of different perspectives and backgrounds to reduce product defects, improve efficiency and meet customer needs. 

However, there are two fundamental challenges in managing governance, risk and compliance for cross-functional teams: first, how to get the right information to the right person at the right time with an increasingly remote workforce, and second, how to manage the integrity of the data.

In a talk at The Manufacturer's Annual Leaders Conference, James Dyson, Finance Manager at Jaguar Land Rover discussed some of the challenges cross-functional teams have making decisions. Like many organisations, Jaguar Land Rover has an abundance of data coming in from all areas of the business and faces familiar challenges of turning this into useful information.

In this article, we have summarised 3 key points from Dyson's talk for helping cross-functional teams make complex decisions. 


#1 Eliminate Manual Processes 

Spreadsheets are costly to maintain, slow to escalate issues and prone to error. Dyson advises that there are many issues with using spreadsheets to make complex decisions, and that they should be avoided where possible.

"Teams need to spend less time crunching data and more time acting on the key information. By eliminating spreadsheets, you will open up a new level of insight, be able to make faster decisions and everyone will be better informed."

Spreadsheets can put the organisation at risk. They silo information, often contain outdated data and it is difficult to verify the integrity of the data being used. 



#2 Single Source of Truth

Cross-functional teams are often making very complex decisions based on a vast amount of data. But data systems have become more complex, fragmented, and chaotic, putting data integrity at risk. 

"You need a single source of truth which enables you to extract valuable information while the data is still in motion."

The 'Single source of truth' will ensure that important decisions are made based on authentic and reliable information. 

Managing authentic and reliable information 






#3 Use Simple KPI Dashboards

Not everyone in the team needs to be able to access all data, but teams need to be able to easily drill down to the information they require. 

"Use simple KPI Dashboards. You do not want to throw all the data at everyone."

Organisations must ensure teams can not only access information, but understand the role they need to play. 


Automate, Control and Assign Responsibility with EQMS

Cross-functional teams benefit from using software such as EQMS, a cloud-based, modular governance, risk and compliance management solution. The software provides a robust framework for managing data integrity, risk and compliance:

  • Highly configurable workflow ensures no issue is overlooked. 
  • Information is controlled. 
  • Every activity has a full audit trail with a time, date and person responsible. 

See here for more information about using EQMS. 

Tags: ISO 9001:2015