by Chad Kymal
Organizations often embrace standards simply to show that certain functional areas--for example, quality, environment or financial reporting--are in compliance with regulatory bodies. In many cases the customer or government drives compliance. Just as frequently, top management seeks compliance as an indicator of a company's sound management system.
How do companies deal with standards required by their industries? Three facts must be noted when addressing this question. First, organizations often comply with more than one standard--usually three or more. Second, each standard targets a single functional area while addressing an overall goal for the business. Third, each functional area and/or department must address multiple requirements from one or more of these standards.
The figure below lists common standards, expected outcomes for each, functional areas affected and the multiple requirements for each functional area.
The best way for companies to avoid the confusion of meeting multiple requirements and diverse compliance issues within standards is to integrate them. Because it costs more to comply with and implement multiple stand-alone standards, integration not only increases operational efficiency but also saves money.
The confusion that results from not integrating standards can be illustrated with two real-world examples. The first involves a company required to implement Sarbanes-Oxley (SOx), ISO 9001 and ISO 14001. Separate implementations required four reviews by top management--one each for SOx, ISO 9001, ISO 14001 and the organization's regular business routines. At first, this company didn't think it needed to integrate these standards. "We're a good company," top management asserted. "We like the way we do things, so we'll just add the requirements to our standard operating procedures." So, along with regular meetings, top management had to conduct three additional management reviews with the organization's financial, quality and environmental management system leaders. Each of these reviews required long presentations and separate action plans. The reviews were considered a cost of doing business; the possibility of actually improving business was overlooked.
Whenever organizations meet requirements without considering the value they'll add, the requirements end up adding extra costs instead. It's no wonder that the prevailing comments in this company regarding ISO 9001 and SOx were "Why are we doing them?" and "What value are they to us?"
To turn the situation around, the organization integrated the requirements of SOx, ISO 9001 and ISO 14001 into the business reviews already conducted by top management. All the requirements weren't examined during every monthly review, but they were covered at a rate that seemed more reasonable to management. In this way, four meetings were integrated into one business review meeting and resulted in one action plan. This created less confusion and cost less to implement and maintain. Rather than problem solving for three standards as well as normal operational concerns, top management could focus on the most effective solutions for the integrated issues discussed at the one meeting.
A second example involves a large European company with thousands of employees. It had implemented ISO/TS 16949, OHSAS 18001 and ISO 14001 separately. As a result, when new products were designed, the organization conducted an environmental risk analysis, which meant an aspects and effects review, a quality risk analysis using a design failure modes and effects analysis (DFMEA) and a hazards review using a hazards analysis sheet. Three different groups conducted these three different activities. These similar requirements created redundant work, so the organization merged the activities into one risk analysis and used FMEA as the single tool. Integrating three risk-analysis steps into one saved valuable time and increased the potential for well-designed, quality analyses. These two factors saved money for the organization.
In most organizations, requirements are detailed in process or procedure documentation. If the organization doesn't spot the similarities in requirements and integrate them into one process using one tool, then it creates multiple process documents using multiple teams. Different people usually carry out the process. The European company mentioned above has three document control procedures--one each for ISO/TS 16949, OHSAS 18001 and ISO 14001. It would be much more efficient and less costly for the ISO/TS 16949 documentation team to fold in OHSAS 18001 and ISO 14001 requirements as well. An incremental cost increase would be necessary, but it would be less than the costs incurred by three different teams spending more than half their time managing their own documentation. On top of this, there is the additional cost of having three different management representatives provide final approvals to changes before the implementations.
Cost savings of 20 percent or more can be realized when internal and external audits are integrated. For a medium-sized organization, this translates to a bottom-line savings of at least 25 percent (including travel), or a dollar savings of $15,000 over three years.
Some words of caution: You can't conduct an integrated audit of a system that isn't itself integrated. Using as an example the company that had four separate management reviews, the auditor would have to sample each of the management review processes individually. Savings occur when the process is the same and the auditor only needs to consider one sample, whether it's for management review, document review or training.
Overall, integrated systems save money by avoiding confusion and reducing costs for implementation, maintenance, and internal and external audits.
Integration usually fails when management assigns responsibility for different standards to different functional groups. For example, an EMS manager in the legal department won't fundamentally understand a quality system that's been implemented. Moreover, middle managers will sometimes take great pains to create duplicate, isolated systems to maintain management control over those responsibilities. Integration will also fail when there's insufficient understanding of all the standards in question. Integrators must understand all the standards thoroughly--including the intent, content, documentation, implementation and auditing requirements of each.
Knowledge is the key to moving forward on integrating your organization's standards and processes. Both vertical and horizontal levels of integration can occur within a company. Keep in mind, however, that integration is strategic and shouldn't be done in every case. For example, the figure above shows that the Level I manual can be integrated for EMS, QMS and OHSAS, but sometimes it's best to leave them as stand-alones so they can serve as pointers for how the organization implemented each standard.
Should a corrective action be integrated into one process? Maybe not. The organization, process, environment and other factors must be considered before deciding to integrate. Stand-alone systems are easier to implement than integrated systems. Integration requires sequencing and should be planned in stages.
Typically, large organizations with multiple locations, offices and design groups don't even integrate ISO 9001 and ISO/TS 16949, probably because each implementation has its own challenges. An organization might begin with the best, value-adding intentions to integrate a new standard with existing systems, but end by pushing only for certification. The following steps can help overcome this tendency:
1. Integration should begin by aligning the requirements of the various standards.
2. Determine which requirements would benefit from integration or indeed can be integrated.
3. Determine processes and organizational responsibilities for the different areas within the organization.
4. Document these processes and implement them accordingly.
5. Integrate the auditing of processes and requirements.
A large global organization had implemented European Foundation for Quality Management and ISO 9001 worldwide. It assigned EFQM responsibilities--typically given to top business-unit management--to the highest levels of the organization, although ISO 9001 was relegated to the quality department at local levels within each business unit. Every year the or--ganization would go through a self-assessment for EFQM where a team would review the results and identify actions to improve the systems and raise their scores. Also, depending on the organization's readiness to receive an award, it would receive an outside assessment many months later. This organization had an ISO 9001 system that was treated separately from the EFQM system. The organization had tried for several years, in fits and starts, to integrate the two.
The company organized its ISO 9001 implementation, then analyzed the opportunities for integrating ISO 9001 and EFQM. There were many levels of integration possible, including in the briefing document and quality manual, the process map and process management, measurements and results, and audits.
A characteristic of this organization is the level of empowerment at different levels. For example, management often suggests a strategy that's then exclusively left up to the discretion of general managers, vice presidents of quality, quality directors and quality managers to implement. The organization has a difficult time implementing a single process worldwide because of the organizational culture and the level of empowerment at different sites and functions. Currently, it maintains different levels of ISO 9001 and EFQM integration in its U.S., European, and Asian operations and is proceeding slowly.
A large U.S.-based organization with a design center in Michigan and plants in the United States, Mexico and South America requested an initial assessment to determine what processes best integrated with its existing ISO/TS 16949 system. The integration was identified in the figure below.
The organization documented an integrated system of procedures and work instructions. The plant-floor controls fully integrated both the work instructions for operating equipment and the quality checklists with EMS-related controls for significant aspects and their effects. The integrated documentation structure ended up looking like the one in the figure to the left, which shows a different manual for the EMS and QMS, respectively. However, the processes and/or procedures, work instructions, and forms and/or checklists were completely integrated for the EMS and QMS.
The key to this integration and implementation was identifying EMS aspects and effects using environmental FMEAs and control plans. The control plans were used for measuring and monitoring the controls.
Auditors were trained and audits were conducted. The company passed an integrated audit by its registrar. Before integration, the organization had external auditing costs of $480,000 for the previous three years. Using a combined auditing method, those costs were reduced by $120,000.
During the next five years, organizations will increasingly integrate their operational systems to multiple standards, using Web-based documentation systems for support. Integration avoids confusion and promotes focus, reduces implementation and maintenance costs of standards, and saves money on internal and external auditing. Overall focus, efficiency and effectiveness are the three keys of integrated systems, and knowledge is the key to success.
Chad Kymal is an international trainer, consultant and CEO of Omnex Inc. His recently published book, The ISO/TS 16949:2002 Implementation Guide, is available through Paton Press. He's currently writing Conducting Effective Process-Based Audits: An Auditor Handbook for ISO/TS 16949:2002.
Kymal works with large corporations to design effective business management systems and strategies and get the most value from implementations. He's served on the Malcolm Baldrige Board of Examiners and is a RAB-certified lead auditor.
|