5 common objections to getting ISO, Quality & GRC software tools (and how to tackle them)

Posted by Emily Hill on Thu, Apr 19, 2018

60% of Governance, Risk and Compliance professionals say they are missing the essential tools they need to make real improvements in their roles, according to the Global GRC Trends report 2018. As a result, highly skilled professionals spend much of their time on manual data-processing tasks rather than on strategy, development and business-improvement initiatives.


Many attribute this to not having the tools they need to implement the necessary changes, with only 25% saying that they have access to a budget. 


GRC challenges

John Oakland, Founder of Oakland Consulting and author of the best-selling book 'Total Quality Management', says your management system is your business's most important competitive weapon.

So how can you get buy-in to get the system you need?

In this article, we've shared the 5 most common objections we come across and some hints, tips and examples of how you can combat them. Or you can watch the webinar here: 



#1 We don't need one 

The most common objection is a knee-jerk reaction from busy people who don't yet see the value of the solution: "We don't need one."

The response: The business case

Articulate value early and concisely. You don’t have to spend weeks and months creating this document. When you have a demonstration of our software, and if we think we can help you, you'll get free, dedicated one-to-one support building a business case tailored to your business. 

What to cover in your business case: 

  1. Costs of poor quality
  2. List of current issues versus benefits 
  3. Total cost of ownership of the current approach and of the proposed solution
  4. Savings over 4 years
  5. Next steps 

After you've created the business case, sit your team down and go through it with them. Don't just email it out and hope they'll open it. Qualsys provides a number of services to help you with this.

Read more about these services here 


#2 We've already got our ISO 9001 certification

It is important to be familiar with the benefits of the software, and be able to explain the value clearly. 

The response: Align with the long term business strategy  

"Our business strategy is to grow by X by year Y. To get us there, we need an integrated management system that is scalable and sustainable."

Key considerations

What else does your business want to achieve?

  • Is your business planning on entering new markets?
  • Are you diversifying your product range?
  • Are you opening more sites / factories?
  • Would you need additional employees to manage GRC without the software?

A robust governance, risk and compliance management system is going to help with all of this.

Access high-growth playbook to help build your strategy here


#3 We don't have the budget

75% of GRC professionals don't have a budget. But in most cases, that doesn't mean it's unattainable. 

The response: Calculate the savings with a solution

"If we implement this management system, we'll be saving 45% of our working time collating data for reports, as this will be managed instantly. Over the next four years, this works out at X." 

Try our 4-year cost-savings calculator here


#4 We don't have the internal resource to manage the implementation 

The implementation process is the most resource-intensive part of the project. But it is also incredibly rewarding to set up a system that will deliver long-term, sustainable results. Our software really does transform businesses, and that level of change does not happen overnight. So what can you do if you don't have the internal resource to manage the implementation?

The response: Outsource what you can't internally manage

You can outsource a lot of the implementation process to Qualsys. Many businesses outsource their training, data cleansing, and configuration to Qualsys. This means you can continue with your daily work while we do a lot of the heavy lifting.

Read more about our best practice implementation services here


#5 Our current system works 

Don't get disheartened by this response. When the person sees the advanced applications and how they will benefit them, they will want to invest in the idea and a solution.

The response: Take a 30 minute demonstration with one of our experts 

Companies with highly developed quality cultures spend on average £238 million less annually fixing mistakes (Harvard Business Review). Very few CEOs will walk away after they've seen our software in action and not want to invest in an integrated management system. 



What you should do now

Every now and then, we all need to take some time away from our daily routine to learn, talk with peers and broaden our knowledge. 

This is why Qualsys provides a range of monthly workshops in Sheffield. 

All workshops cater to different learning styles, mix theory with working examples, and the agendas are designed based on insights from a diverse team.

You'll leave the end of the workshop feeling better equipped, inspired and ready to tackle your challenges. Browse the workshops here. 

Can't visit Sheffield? Request a free online meeting with one of our domain experts to talk about your challenges and we'd be delighted to help. 


Tags: Governance Risk and Compliance News

Document management for one of the world's largest businesses: Diageo case study

Posted by Alex Pavlovic on Thu, Apr 19, 2018

Behind every pint of Guinness, shot of Smirnoff or glass of Johnnie Walker is the international quality management system of Diageo, the world's second largest distiller.

We sat down with Janice McMillan, BMS Coordinator at Diageo, to explore how she uses Qualsys's document management module to keep on top of thousands of documents in a controlled, unified fashion for one of the world's largest businesses.



Qualsys: Thanks for joining us, Janice. Could you start by explaining how Diageo first found Qualsys? How did you come to be using our EQMS software?

Janice: Well, I actually started my work with Diageo as part of the project group working to implement the new software system that had just been supplied by Qualsys. The leadership team at the time had been looking for a way to view all compliance-related documentation in a single area, and chose Qualsys's solution. That was thirteen years ago. The manager who led the project and sourced Qualsys was Hamish MacSween, who eventually went to work at Qualsys himself. I believe he still does testing for you.


Qualsys: He does - though as he's based in Scotland the rest of the team don't see him as much as we'd like to! What was the main reason for selecting a document management solution back then? What was the goal?

Janice: The main thing was to build a system in one place across the entire packaging function of Diageo, so our end users didn't have to go around a dozen different systems to get the documentation they needed. The system was a success, so it eventually expanded into the distillation and maturation areas of the business [Diageo is the world's largest whisky producer]. Now it's global. Diageo staff in other areas like Australia and Singapore heard about the system and jumped on the bandwagon. The module is now used in North America, Australia, Southeast Asia, Ireland and Scotland, which is my area. I believe Ireland was the first area to use the system, with the Guinness operation.

We've allocated a lot of resources here in Scotland to support Qualsys's module, because it works so well for us. I look after the distillation and maturation processes, my colleagues further north look after malt distilling, a colleague at Shieldhall [Diageo's Glasgow bottling site] looks after the beer operations. The system has been configured with a range of owners and administrators to support what we're doing. 


Over 6.5 billion litres a year - that's a lot of supporting documents to manage


Qualsys: Are you happy with how the EQMS system supports the Scottish operation?

Janice: I love it. I've been here from the start and seen our use of the system grow. EQMS is my baby. It's been absolutely set up in the right way for us. That's really down to Hamish. It doesn't matter which site you're on - all the documentation storage and navigation is exactly the same. It's very uniform. We perhaps don't have that same level of uniformity worldwide yet, but Diageo is a huge operation so it's a long process.

For the same reason, it took time for everyone to realise the value of the system but now more and more people are engaging. We have internal and external audits all the time and getting our documentation in one place has reduced our compliance burden and meant we don't have to search for documents on G drives and H drives anymore. It's made life easier for everyone.




Qualsys: And what kind of documentation goes into distillation and maturation? What's the paper trail behind a bottle of Scotch?

Janice: We use the system for everything. Health and safety, environmental, quality, security, HMRC. My job is to administer it all and keep it controlled and consistent with the right permissions. 



 Diageo needed a standardised, secure repository for their documentation


Qualsys: What does your daily routine look like as a quality professional?

Janice: The bulk of my activity is dealing with requests for document changes and updates, answering queries and running reports. This morning, for instance, I've uploaded 20 documents, answered 3 change requests, ran 15 document reviews and 2 batch date resets. That's a continual process and I use the system for all of it. 




Qualsys: So before you started using EQMS in 2005, what was the main challenge you faced doing all of that? 

Janice: The biggest challenge was getting my colleagues to pass the correct information onto me in a consistent format. We use the module to store standardised change request and upload forms for my colleagues to complete, so we follow the same process every time. Once the documents are ready, they then go into the system too. It's become a natural location for us.

We then run monthly reports to capture how many document reviews and approvals might be overdue and who's responsible for them, which is how we measure the impact of quality and track how well the system is supporting us. The reports are all instantly generated by the system, which is another great help. Then they're passed onto the leadership and governance team for review.


Qualsys: Why does quality matter to Diageo? What's the bigger picture?

Janice: It means everybody's compliant and following the correct procedures, so we're providing the best quality products to our customers. We want every Diageo staff member to do a great job for us and get home safely every day. It underpins everything we do. 



 The Guinness branch began using Qualsys's solution first, before Diageo expanded the system worldwide


Qualsys: Do you use any of our other modules?

Janice: The document management module's the main one for me, obviously. I also use the change management module to drive the workflows. My colleague Sharon Parsons, our IT Asset Manager, and our ISC auditors use the audit management module to manage the quality of our products.




Qualsys: What would you say are your three favourite features of the system?

Janice: I like the simplicity of it for the end user. It can sometimes get complex behind the scenes for me because the workload is so high, but the simplicity for the end users is fantastic. It's so user-friendly. 

I like the fact there's an owner for every document. It encourages responsibility and ensures nothing falls through the cracks. 

And although this isn't a module feature per se, I love the support we get from Qualsys. Rob [Needham, Technical Director] and Simon [Wells, Support Desk Manager] have helped us a lot. You're very 'hands on'. You don't always get that with systems like this. Some companies leave you to get on with it. I know I can get on the phone anytime and get something resolved or cleared up quickly. 



Diageo reported a 6% growth in half-year pre-tax profits in January 2018 and plans to invest £150m in new Scotch whisky visitor attractions, like this planned Johnnie Walker Edinburgh site


Qualsys: And what do you most enjoy about your role as a quality professional?

Janice: As an individual I try to get everything in my life under control, in the correct box and the correct area. That's how I am as a person. The system's allowed me to bring that approach into my work life. When I go to work, I have a start, middle and end to each process, from receiving a document to uploading it into the module. I like the uniformity of it. 




Qualsys: What does the next year have in store for you? What's on the cards? 

Janice: I've heard about the Version 7 upgrade that you're rolling out this year. I'm excited about that. It's great to see you're always working to improve the software. Everything's an improvement and it'll be the same for me at this end. In the next year I want to improve everything I'm doing and get our quality processes even tighter and more efficient.


What to do next

Read what else Diageo achieved with our software - including topping the CQI's 2017 Good Governance Report - on the Diageo case study page.

Diageo have been using our solution for 13 years. Read their top 10 implementation tips here.

Looking to explore our document management module? Discover more here.

Or schedule a 15-minute discovery call with us at your convenience.



How to engage your business with the GDPR

Posted by Kate Armitage on Thu, Apr 19, 2018

Responsible for getting your business ready for the EU's General Data Protection Regulation? This is not something you can tackle all on your own. You need every employee to understand what the GDPR is, identify information security risks and use their expert knowledge to spot opportunities to improve data management practices.   

However, a November 2017 survey found that a lack of buy-in, interest and engagement is among the main challenges GRC professionals face in preparing for the new regulation.



So how can you engage your leadership and your wider business with the GDPR? During a recent GDPR workshop,  I shared three tips.

I've included the tips and some example tools to help you below. 




1) The cost of doing something vs nothing

The fastest way to get your leadership team interested and invested in complying with the General Data Protection Regulation is to mention the potential fines. Businesses that fail to comply with the regulation face fines of up to €20 million or 4% of global annual turnover, whichever is higher. That's far higher than under the current Data Protection Act, and it gets leadership teams' attention.



2) Assign roles and responsibilities

Your job is to oversee compliance. It's not to think for people and do everything for them. Developing your communication plan is key. For this, you need:

Top down engagement: Technology and data are now so important that data protection and cyber security need to be on the board's agenda. There's no point expecting employees to follow new rules if leadership doesn't know what's required and why. Leaders need to lead by example, while working together to ensure the message is communicated effectively across the whole business. In our organisation, we knew that sales and marketing processes and controls the large majority of our data, so our MD set the sales and marketing team the task of doing a research project on the regulation and presenting the findings to the rest of the business.

Implement a data protection policy: Processes and procedures regarding data and security should be set out in a clear and concise policy, which all employees should read and sign. The document should include key dos and don'ts for handling sensitive information, customers' rights, password security, and how to detect and report data concerns or suspicious activity.



Communication, training and development: The new regulations provide a good excuse to host regular training on data protection and cyber security issues. Here are some quizzes and workshops you could use: 






 Workshop example: Give the scenarios to your team to test their understanding of the regulation and discuss as a group.



Roles workshop: Get your team to fill in their own roles and responsibilities under the regulation, to test whether they understand what they are accountable for and why.




3) Make it easy to be proactive 

Give every employee a central system to manage training records, policies, risks, suppliers, etc. to encourage Privacy by Design. Privacy by Design means embedding privacy into the design and architecture of the system and of business practices, not bolting it on as an add-on.



 GDPR software: Privacy by Design example


What you should do now

Download our GDPR toolkit for more templates, quizzes, policy examples, tools, and tips. 



Paper to pixels: five reasons your business should go paperless

Posted by Alex Pavlovic on Mon, Apr 16, 2018

As any paper salesman will tell you, paper is still the core of business documentation management.

Every day, one billion photocopies are made. The USA alone houses over four trillion paper documents - and Gartner estimates businesses are increasing their average paper documentation output by 25% every year.

But modernised, paperless business processes are expanding too. 'Going paperless' offers businesses a series of distinct advantages, from cost-cutting to tightening information security.

Here are five reasons your business should join the 'paper to pixels' movement.


1. Improved quality management

Any competent and effective quality management system requires rapid, simple traceability of information. From checking a policy or procedure to tracking a batch of manufactured product, electronic paperless systems allow information to be quickly identified and acted on. 

As quality issues like customer complaints, product recalls and audit non-conformances arise, getting off the paper trail and into the world of paperless - think automated, electronic workflows and email notifications - drives much quicker and coordinated responses. No more passing a piece of paper from office to office to get things done.

2. The environmental impact  

We hear about it all the time. Use less electricity, and so fewer fossil fuels. Use less paper, and save the trees.

There's no doubt that eliminating paper from the modern office has wider environmental benefits, as fewer trees are felled to feed vast paper consumption. In an age of increased environmental uncertainty there's a lot to be said for this, and initiatives like World Paper Free Day aim to promote the benefits of wasting less paper.

Nevertheless, aside from a few particularly environmentally-conscious businesses, saving the trees isn't the primary factor most companies will consider for going paperless.

More and more businesses are going paperless primarily to:

  • Optimise their processes
  • Boost efficiency
  • Minimise expenditure

Which brings us to...

3. It saves money and time

Money doesn't grow on trees. In fact, paper constitutes a significant expenditure in both raw costs and the time spent managing paperwork.

Buying, completing, filing, sorting and sharing paper documentation costs time and money. A study in the U.S. found that for every dollar spent on paper - and the average office worker goes through 10,000 sheets a year - another six are spent on management, handling and distribution.

It's not surprising that eliminating paper-based processes has a beneficial impact on the company finances and operational efficiency. 

Qualsys customer Sodexo presented the impact of their electronic quality management system on their business processes at the AIIM 2017 conference. IT Systems Manager Rob Gibson noted that:

One of our team has to go out on site and do lots of very detailed audits using the iEQMS Auditor application. Then he has to write a formal report about the findings. It used to take three days. Now it's automatically produced the same day. That's a really powerful story. 

 Along with the burden of compiling paper documentation, AIIM estimates that a further half hour per employee per day is lost searching for documentation. Organising electronic documentation into a repository removes this burden and promotes more efficient, profitable working.

Of course, electronic systems cost money as well. But the sum total of costs including:

  • Paper
  • Administration and searching time
  • Filing cabinets, boxing and storage
  • Rental cost of office space for document storage

make paperless solutions increasingly cost-effective for the modern business.

MedTech Intelligence found that a cardiac resuscitation device company saw an annual reduction of £61,000 in paperwork management costs and a further annual drop of £22,800 in paper, storage and boxing costs after migrating to an electronic document management solution. That's far more than the solution cost them.


Electronic systems cost money too - but eliminating paper costs means they can pay for themselves in months  

4. It's more secure

Paper documents carry no access control, version history or audit trail: anyone who can reach them can read, copy or alter them without leaving a record. A digital repository can enforce all three, provided its permissions, logging and backups are actually configured and reviewed; an open file share is no better than an unlocked cabinet.

You might have seen the recent leak of Mark Zuckerberg's senate hearing notes. A confidential binder of information for presentation to a joint committee was photographed and went viral as an aide moved to close it - an ironic breach of data as Mr Zuckerberg attempted to explain Facebook's involvement in the recent Cambridge Analytica scandal.


The misuse of digital data took a political consultancy firm. The misuse of paper documentation took a single camera.

Businesses looking to tighten their information security for ISO 27001 compliance or manage their data risks for ISO 31000 will find their job much easier with a paperless repository.

Migrating business documentation to an electronic format like Qualsys's document management module means:

  • Version control: multiple circulating versions of the same document are eliminated by a single source of truth, so everyone reads the current approved version
  • Controlled viewing permissions: paper like Mr Zuckerberg's notes can be read by anyone who can see it. Navigational trees with bespoke viewing permissions mean an electronic document is only seen by those who need to see it
  • Change control: amendment records and audit trails tie every change to a named person and a time, so errors and misuse can be detected and reversed, and accountability is enforced
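To make those three controls concrete, here is an added example (not Qualsys code, and not a description of how the EQMS module is built) of a minimal document repository that enforces them: one current version per document with superseded versions retained, an explicit viewer list checked on every read, and an append-only amendment trail whose entries are hash-chained so that editing or deleting a historical record is detectable. The class and method names, the document ID, the user names and the content are all constructed for the illustration.

```python
"""Minimal controlled document repository: one current version per document,
explicit viewing permissions and a tamper-evident amendment trail.
Added illustration only; names are hypothetical and are not Qualsys's API."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


@dataclass
class AuditEntry:
    seq: int
    actor: str
    doc_id: str
    action: str
    version: int
    prev_hash: str
    timestamp: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Hash every field except the digest itself; prev_hash chains the entry to
        # its predecessor, so altering any earlier record changes every later digest.
        fields = {k: v for k, v in self.__dict__.items() if k != "digest"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class DocumentRepository:
    def __init__(self):
        self._versions = {}  # doc_id -> [(version, content), ...]; last is current
        self._owners = {}    # doc_id -> owner
        self._viewers = {}   # doc_id -> set of users permitted to read
        self._audit = []     # append-only list of AuditEntry

    def _record(self, actor, doc_id, action, version):
        prev = self._audit[-1].digest if self._audit else GENESIS
        entry = AuditEntry(len(self._audit), actor, doc_id, action, version, prev,
                           datetime.now(timezone.utc).isoformat())
        entry.digest = entry.compute_digest()
        self._audit.append(entry)

    def _require_owner(self, actor, doc_id):
        if self._owners.get(doc_id) != actor:
            raise PermissionError(f"{actor} does not own {doc_id}")

    def create(self, actor, doc_id, content):
        if doc_id in self._versions:
            raise ValueError(f"{doc_id} already exists")
        self._versions[doc_id] = [(1, content)]
        self._owners[doc_id] = actor
        self._viewers[doc_id] = {actor}  # deny by default: only the owner until granted
        self._record(actor, doc_id, "create", 1)

    def grant_view(self, actor, doc_id, user):
        self._require_owner(actor, doc_id)
        self._viewers[doc_id].add(user)
        self._record(actor, doc_id, f"grant-view:{user}", self.current_version(doc_id))

    def read(self, actor, doc_id):
        # Controlled viewing: only explicitly listed users see the current version.
        if actor not in self._viewers.get(doc_id, set()):
            raise PermissionError(f"{actor} may not view {doc_id}")
        return self._versions[doc_id][-1][1]

    def amend(self, actor, doc_id, content):
        # Change control: only the owner amends, the superseded version is kept,
        # and the amendment is logged before the call returns.
        self._require_owner(actor, doc_id)
        version = self.current_version(doc_id) + 1
        self._versions[doc_id].append((version, content))
        self._record(actor, doc_id, "amend", version)
        return version

    def current_version(self, doc_id):
        return self._versions[doc_id][-1][0]

    def verify_audit_trail(self):
        # Recompute every digest and re-walk the chain; an edited, reordered or
        # removed entry breaks the check.
        prev = GENESIS
        for i, entry in enumerate(self._audit):
            if entry.seq != i or entry.prev_hash != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True


def demo():
    # Constructed walk-through: an owner publishes an SOP, grants one reader,
    # amends it, then a historical audit record is edited in place.
    repo = DocumentRepository()
    repo.create("doc_owner", "SOP-017", "Start-up checklist, rev 1")
    repo.grant_view("doc_owner", "SOP-017", "operator_a")
    try:
        repo.read("operator_b", "SOP-017")
        denied = False
    except PermissionError:
        denied = True
    repo.amend("doc_owner", "SOP-017", "Start-up checklist, rev 2")
    intact = repo.verify_audit_trail()
    repo._audit[1].action = "amend"  # simulate someone rewriting the trail
    return {"denied": denied, "current": repo.read("operator_a", "SOP-017"),
            "versions": repo.current_version("SOP-017"), "intact": intact,
            "tamper_detected": not repo.verify_audit_trail()}
```

The chain check is the part worth copying: an amendment trail that can be silently edited proves nothing to an auditor. In a real deployment the latest digest would be anchored somewhere the repository administrator cannot rewrite (a separate log store or a signed daily digest), and the permission check would sit in front of every route that returns document content, not only the read call.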

Version control, permissions and change control all help with...

5. The GDPR 

There are now just 39 days until the GDPR is enforced. The Information Commissioner's Office is expecting businesses to have taken the necessary steps to make the personal data they hold secure, private and controlled by 25 May. Or as they put it:

We would like to see more organisations integrating core privacy considerations into existing project management and risk management methodologies and policies.

Still managing your projects and business processes with paper that could be misplaced, lost, destroyed or misused? 

Now's the time to become GDPR-compliant with 'privacy by design'. For the ICO, 'privacy by design' means baking data protection into your business management, rather than simply bolting it on as an afterthought (like locking your filing cabinets).

A secure, electronic document management system is a great example of privacy by design. There isn't much time left to get ready for GDPR - so understanding how and where data is managed within your business should be a top priority.

Building a register of the personal data you process or completing a privacy impact assessment becomes much simpler with a single paperless source of information to assess.

What to do next

Considering a paperless solution for your business? Product Quality Assurance Manager Kate Armitage explains how to find the electronic solution that works for you in our GRC software buying guide.

Access our free whitepaper 'The Case For Document Management' for more information about why paperless document control is more crucial than ever.

Want to speak to us about our electronic document management solution?

Schedule a 15-minute discovery call at your convenience.


The data breach process and the GDPR

Posted by Alex Pavlovic on Mon, Apr 09, 2018

The biggest overhaul of data protection regulation in twenty years comes into effect on 25 May and alters the way businesses must respond in the event of a data breach.

Unless you've been living under a rock, you'll have heard about the GDPR. But our 2018 Global GRC Survey revealed that only 1.61% of quality professionals feel fully prepared to meet the new regulation. 

A key area of concern is the data breach process - how to respond to a breach in a GDPR-compliant manner, what to do, and when to do it.

Ensuring your business is prepared for the worst is a vital step to take before 25 May.

Into the breach

The GDPR is, of course, all about data - so companies who suffer a data breach are a key focus of the new regulation. 

It's not surprising that such importance has been placed on data breaches by the GDPR when we compare the reported data breaches of 2007 with those of 2017.

[Infographics not reproduced here: reported data breaches in 2007, and the far larger picture in 2017.]

There's a good chance your data is somewhere in the 2017 picture.

Data breaches are getting more frequent as databases grow and attack techniques multiply and mature. The GDPR mandates that businesses take appropriate measures to protect personal data from a breach and to respond properly when one happens.

What is a breach?

Personal data breaches can include:

  • access by an unauthorised third party
  • deliberate or accidental action (or inaction) by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data


Hacking isn't the only cause of a data breach. Human error and flawed data security also contribute.

What to do

If the worst happens and your business suffers a personal data breach after 25 May, you must:

1) Assess the risk. A breach must be reported to the Information Commissioner's Office (ICO) unless it is unlikely to result in a risk to the rights and freedoms of the individuals affected. Breaches you decide not to report must still be recorded internally, with your reasoning, so the ICO can check that decision later

2) Contact the ICO through their website, with a Security Breach Notification Form or via the Security Breach helpline on 0303 123 1113

3) Inform them without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If you miss the 72 hours, the notification must give the reasons for the delay

4) Provide full details of the breach, including the scope and type of compromised data, the likely consequences and the measures you are taking. Where you don't yet have everything, the GDPR lets you provide the information in phases rather than wait until you have it all


How not to do it

Failing to notify the ICO when you should have done, or notifying late, is itself a breach of the GDPR. Notification failures fall under the regulation's lower tier of fines, up to €10m or 2% of global annual turnover, whichever is higher; the headline fines of up to €20m (£17.7m) or 4% apply to breaches of the core principles and of individuals' rights, which a badly handled incident can also involve. It simply isn't worth the risk of not informing.

After being informed of a breach, the ICO will either:

  • Record the breach and take no further action 
  • Investigate, then take no further action 
  • Investigate, then take formal enforcement action
  • Investigate, then serve a monetary penalty notice

Naturally, the ICO's response depends upon the severity, scope and nature of the breach, whether the breach has already been rectified, how quickly the ICO was notified, and whether steps have been taken to prevent future breaches.

The more mature and robust your data security process, the less likely severe responsive action becomes. 

Do affected individuals need to be informed?

That depends.

The ICO will not inform the public or affected individuals themselves, since that is the responsibility of the data controller.

Where a breach is likely to result in a high risk to the rights and freedoms of those affected, the GDPR requires the data controller to tell them without undue delay, describing the breach, its likely consequences and what they can do to protect themselves. The ICO can also require a controller to do so if it hasn't.

Where personal data has been compromised, it's usually best to inform those affected by default. Doing so builds trust and demonstrates a business's commitment to data security. The Data Protection Act currently in effect doesn't mandate breach notifications - but MyFitnessPal sent out this email to its customers anyway: 

MyFitnessPal does it properly by informing its customers of a breach

Quickly owning up to a breach and working to correct it will be enforced by law in a little over forty days - so get into the habit now.

Getting a policy in place

Managing data breaches properly and in compliance with the GDPR requires input from everyone in the business. A security breach management policy provides guidance to all staff regarding the policy and process for managing data and information security breaches. Everyone in a company should be responsible for identifying and logging breach incidents.

Does your business have one?

Use a policy to highlight to your team:

  • The scope and responsibilities of your company's security breach management
  • Aims and objectives (e.g. minimising breach likelihood, notifying the ICO within 72 hours)
  • How security incidents will be handled
  • How incidents will be reviewed and monitored

What to do next

Preventing a breach is better than responding to one. And responding to one is better than sweeping it under the carpet.

To prepare your data security processes for the GDPR:

1) Map where and how personal data is stored, managed and processed in your business, and carry out a data protection impact assessment for any high-risk processing

2) Use the results to identify risk areas and implement effective controls to minimise the likelihood of a breach

3) Create a security breach management policy and communicate to everyone for an integrated, coordinated response in the event of a breach


For a detailed breakdown of the GDPR's requirements, practical expert-led advice, and a range of time-saving resources and templates, join the Qualsys GDPR workshop on 11 April or 23 May

Sign up for our highly-rated GDPR workshop


Five ISO 9001:2015 videos to watch

Posted by Emily Hill on Mon, Apr 09, 2018

Whether you have already transitioned to ISO 9001:2015 or you are yet to make the required changes to your quality management system, it is always useful to learn from peers and industry experts. 

Here are five videos you can watch in approximately two hours to give you some tips, ideas and inspiration for getting more from your ISO 9001:2015 quality management system. 

Alternatively, join our ISO 9001:2015 transitioning workshop later this month. Product Quality Assurance Manager at Qualsys, Kate Armitage, will talk you through challenges, opportunities and risks when implementing the changes to your quality management system. 




1) ISO 9001:2015: Leadership & risk requirements



2) ISO 9001:2015 - Redefining Quality


3) ISO 9001:2015 and managing external provisions 


4) ISO 9001:2015 KPIs



5) ISO 9001:2015 - Succeeding in Quality 



What you should do now

If you can't attend the ISO 9001:2015 transition workshop, check out our ISO 9001:2015 toolkit. There are lots of free online resources to help you to tackle the standard. 


Tags: ISO 9001:2015, News

Former attendees explain why you should sign up for a workshop

Posted by Emily Hill on Mon, Apr 09, 2018

Qualsys provides a number of workshops to help you to tackle important business challenges. 

If you are thinking of attending but you are not sure whether they are right for you, below you'll find feedback from former attendees who have explained how they benefited. 

I found the day most useful. It’s great to see the materials that have been shared with us. I often go on learning events and have never experienced the same level of willingness to


1) More confident

Kevin Tuke, Epta Group's Integrated Management Systems Manager, recently attended the ISO 31000 Risk Management workshop. He said: 

As with other workshops, you may well be attending with some existing knowledge of the topic, but you may not be clear on everything.

In regard to the Workshop provided by Qualsys – I am now fully in line with understanding the topic. But more than this, I am ready to apply the theory into practice and provide clear guidance for my colleagues.

In addition, the documented information provided in support of the workshop for future reference was extremely clear and practical. Links were provided to all of these user documents.

Overall it was an exceptional learning opportunity – in great / historical surroundings, great staff and hospitality.


The GDPR resources



2) Informative 

Geoff Airey, Group Audit and Compliance Manager at Lowri Beck, also attended an ISO 31000 risk management workshop. He said: 

The Workshop was informative, clear and taught by people who knew the subject. All attendees took part, and it was a great foundation for Risk management which wasn’t a sales pitch for your software.



Before and after: How prepared do you feel to tackle the GDPR? 



3) Based on feedback from your peers

Chris Owen, Services Director at Qualsys, planned the workshop schedule. He said:

GRC is a really challenging role with a lot of responsibility. It's important that the person in this role has the latest knowledge and insights.

These workshops are designed using the feedback we've received from hundreds of GRC professionals and insights from our internal teams. 

When we plan these workshops, our team works together to ensure that they cover important areas, useful tools, and share ideas. 

There are currently seven topics to choose from - Supplier management, Risk, the GDPR, ISO 45001, ISO 9001:2015 transition, Culture of Quality, GRC Metrics. But any requests for other topics can be sent to info@qualsys.co.uk


What to do now

If you still aren't sure whether the workshops are for you, give our team a call on +44 (0) 114 282 3338 and we'd be delighted to answer any of your questions. 

Alternatively, browse all upcoming workshops, learn more and sign up here: https://qualsys.co.uk/knowledge-centre/training/.




Tags: GRC Resources

MDSAP: How to open five markets at once for your medical device business

Posted by Alex Pavlovic on Fri, Apr 06, 2018

Medical device manufacturers operate in one of the most heavily regulated business environments on the planet. ISO 13485 and ISO 14791, as well as the requirements of the FDA and MHRA, are just some of the hoops to jump through.

Expanding into international markets only increases the compliance burden.

Fortunately the Medical Device Single Audit Program (MDSAP) offers an accelerated route to market and compliance for medical device companies.



What is the MDSAP?

The MDSAP was formulated in 2012 by the International Medical Device Regulators Forum (IMDRF) as a way of ensuring the appropriate regulatory oversight of the industry in a more efficient and less burdensome manner. 

Participating medical device manufacturers can be audited once to demonstrate the necessary standard and regulatory compliance for five international markets.

The participating countries are:

  • Australia
  • Brazil
  • Canada
  • Japan
  • The United States 


The MDSAP opens the door to a combined population of 719.29 million


When did it start?

After a three-year trial period from 1 January 2014 to 31 December 2016, the MDSAP Regulatory Authority Council were sufficiently satisfied to continue the program.

Alongside the five 'equal partners' in the Program, the WHO and EU act as 'Official Observers'. With the successful completion of the trial period a little over a year ago, the possibility for the Program to expand into Europe and beyond shouldn't be ignored.

When you purchase our software, Qualsys's Service Implementation Team helps you configure our software to meet any regulatory requirements. 


What does it do?

The MDSAP's main aims are as follows:

  • To minimise regulatory burden by combining five potential audits into one
  • To share resources between regulators more efficiently and effectively within a single program
  • To promote a greater degree of international standardisation within the medical device industry

Successful completion of the 'single audit' means medical device manufacturers can demonstrate compliance for operation in five territories.

  • The Australian Therapeutic Goods Administration will accept MDSAP certificates as evidence of ISO 13485:2003 compliance
  • The Brazilian ANVISA will accept MDSAP certification to grant its GMP certificate for manufacturers to put Class III or IV medical devices onto the Brazilian market
  • Canada will accept an MDSAP certificate or a Canadian Medical Device Conformity Assessment System (CMDCAS) certificate when granting Class II, III or IV licences.
  • Japan's Ministry of Health, Labour & Welfare will use an MDSAP audit report to exempt a manufacturing site from on-site inspection, and may also accept the report in lieu of other documentation required for QMS inspection.
  • The American FDA will accept MDSAP audit reports as a substitute for its biennial inspections.


Medical device manufacturers can target five major international markets at once

How long does it take?

The Program operates on a three-year audit cycle.


Predictable audit sequences are a further benefit of the Program

How do I take part?

Interested in joining the Program? Find out more at the MDSAP homepage here.

You must contract with an MDSAP-recognised auditing body to arrange your audit. View the complete list of approved organisations here.

Contact one (or more) of the auditing organisations to arrange your audit. MDSAP audits are generally longer than what you might be accustomed to - often between 5 and 9 days.


What should I do next?

If you are planning on entering new markets using MDSAP, our medical device software tool and compliance services help accelerate time to market, reduce the compliance burden and manage compliance cost-effectively. 

Schedule a 15 minute discovery call to learn more. 



6 Quality KPIs your CEO cares about most: GRC 2018 Global Survey Results

Posted by Michael Ord on Thu, Apr 05, 2018

GRC professionals are spending a lot of time compiling reports. In fact, the Global GRC Survey 2018 found that 42 percent are spending over a week every month compiling reports.

This is 2.7 extra days every month spent reporting compared with 2015.

With more time and energy than ever spent reporting on key performance indicators, it's important to focus on what matters most. 

Below we've used the Governance, Risk and Compliance survey results to answer what KPIs your CEO needs to see and explained how our software tool can help you save weeks getting this information. 


Don't tell me your job is compliance. We can't have somebody in charge of quality. We're all in charge of quality. When Land Rover Jaguar send out a car, everyone in the factory agrees they are responsible for quality. If there's something wrong with it, we collectively have got that wrong. And that's the mindset change that's needed in many companies. Mostly, Quality is about money. Top management are very interested in money. If you don't think money is on your agenda, then think again. You have to speak the language of the business.

John Oakland, Oakland Consulting. 

Read more: http://get.eqms.co.uk/skills-quality-career-progression/



The GRC Metrics Your CEO cares the most about



Results from the GRC survey


1) Cost of Poor Quality 

The Cost of Poor Quality (COPQ) is the total cost lost to either internal or external quality issues. These are unwanted overheads caused by poor systems, processes or practices, and they can severely reduce business profitability.

COPQ can be measured by: 

  • Incidents
  • % rework
  • Defects %
  • Non-conformities
  • Right first time percentage
  • Time dedicated to root cause analysis / resolve issues
  • Scrap / wasted product / time

Our software enables businesses to track and measure these costs using CAPA Manager. Cost data is captured so trends can be analysed, risks can be reviewed and preventive action can be put in place.

CEOs want this data because reducing this waste is one of the fastest ways to make the business more profitable. 


Image: Integrated software modules enable you to plan, manage and assign roles and responsibilities so everyone in your business can play their part in practising good governance, risk and compliance. All activity is displayed on a single KPI dashboard, giving your leadership team a picture of the business. 


2) Customer retention 

Acquiring new customers is expensive. Most businesses rely on repeat business from their existing customers.

High customer retention levels demonstrate your business is well aligned, that you are delivering on value and keeping your promises. 

A kink in the chain will result in higher customer churn rates. Ignored customer feedback, a drop in Net Promoter Score, and higher customer churn rates will all reduce your profitability. 

Our customers use Complaints Manager to log customer feedback, assign roles and responsibilities and monitor trends over time. The reporting tools enable you to drill down and answer questions such as: 

  • Are we noticing more complaints or issues from a certain department, supplier, type of customer, product? 
  • Do we need to adjust the business strategy or the process and operations? 



3) Asset value 

Few businesses keep an up-to-date register of the assets and equipment they own, and the consequences are inevitably costly: being unable to fulfil an order because you don’t have the equipment to do the job, buying duplicate items of equipment, and wasting money, time and effort purchasing equipment you do not need.

Your CEO will want to know that investments are being maintained, and will want a forecast of any assets which will require cash.  

Our customers use Equipment and Asset Manager to manage:

  • Tangible and intangible asset register (e.g. DPR)
  • Asset life cycles, including calibration, maintenance schedules and end-of-life plans
  • Asset values




4) Risks 

Every business needs to be identifying and managing both internal and external risks. 

Your CEO wants to know about any vulnerabilities, new risks and new opportunities which will help to make the business more profitable. 

Qualsys's customers use Risk Manager to identify, assess and manage risks. Risk suggestions can also be raised for a more collaborative approach. 

Risk KPIs include: 

  • Impact assessment results - potential costs 
  • Outstanding compliance risks
  • Risk treatment 
  • Internal audit performance and audit scores
  • Business continuity / disaster recovery plans and their performance testing metrics 




5) Culture 

Your CEO wants to know whether your business has a culture of quality. A culture of quality can seem difficult to measure, but engagement with quality, governance, risk and compliance management is a good indicator. 

  • Risk suggestions from across the business
  • Training scores e.g. using Training Records Manager to send a quiz
  • % of policies read and understood by employees 
  • Number of change requests / process changes 
  • Time taken to resolve issues

Document Manager, Training Records Manager and Change Manager are all used by our customers to measure culture and to give CEOs an understanding of where improvements and investment are needed. 



6) Productivity

An efficient management system will enable your business to react faster to risks and be more able to make the most of new opportunities. 

Metrics will be very specific to each organisation, but may include:

  • Documented policies, procedures and processes  
  • On time in full (OTIF)
  • Speed of responses to any findings
  • Training days completed 

All of Qualsys's GRC software modules will help improve the efficiency, resilience and profitability of your business. 



What you should do now

Join our GRC Metrics workshop. 






Tags: ISO 9001:2015, Key Performance Indicators

Mexichem selects Document Manager by Qualsys for new quality management system

Posted by Tom Hodgson on Thu, Mar 29, 2018

Mexichem, the world's largest producer of fluorspar, is implementing document management software from Qualsys to improve process visibility, gain faster insights, and reduce compliance burden. 


Founded in 1953, the chemicals company now has commercial activities in more than 100 countries and employs over 22,000 people. In the UK, Mexichem Fluor operates eight production sites and two research and development centres. 

Supplying chemicals into the heavily regulated pharmaceutical industry, Mexichem's compliance team recognised an opportunity to incorporate a consolidated approach to document management.  


Mike Pound, Managing Director at Qualsys, is delighted to be partnering with Mexichem.

He said: "Our software provides an essential framework for assigning ownership, managing risk, and giving leadership a picture of how the business is performing. 

"However, we know it takes more than providing the tool on its own to get our customers the results they want. We don't simply provide the software and leave our customers to do the rest. 

"Successful implementation of any management system requires us to understand the business's internal and external needs, tailor a strategy, and to engage the wider business. It's a tool for cultural change. This is why we place such an emphasis on our best practice implementation. 

"The best practice implementation involves discovery and scoping workshops, configuration support, validation services, data migration, training, and end user engagement plans.  

"We look forward to working with Mexichem on their journey to operational excellence and helping them to become more efficient, resilient and profitable." 


What you should do now

See how our document control software can work for you. 




Tags: Document Control Procedures