I know what you’re thinking: How can ISO9001 be transformative rather than a hindrance? Of course, you might also be asking, “What the heck is ISO9001?” Let me explain.
ISO9001 is a standard that spells out the requirements for a “quality management system” that companies use to show their customers that they can systematically meet their requirements. A quality system is basically about saying what you do and doing what you say. It is one of many ISO standards, but it’s the only one in the ISO9000 family where you get certified. ISO9001:2015 is the latest revision of the standard, and a much needed one — the last update was back in 2008.
The challenge with such quality systems is that they are often relegated to a policy and procedures documentation role, bureaucratic and disconnected from day-to-day operations. Organizations typically pursue certification because a big customer requests it. Companies view certification as a cost of doing business, not necessarily an enabler of better business. Critics say that organizations can get certified even if their processes stink — just as long as they document them and adhere to them. (Those interested can read more about this problem in a good article here — make sure to check out the comments section — but in it, the author cites an interesting Harvard study that empirically demonstrates how ISO9001 adopters outperform non-adopters on a slew of business performance metrics.)
Why are adopters improved rather than hindered? The key is that more progressive organizations adopt ISO9001 as a manifestation of a closed loop business management system. Quality systems get a bad reputation because they are viewed as quality with a small “q” (i.e., focus on quality departments, QC, QA, quality documentation, etc.) rather than a big “Q” (i.e., satisfying customer requirements in the same way that design thinking does). If you simply replace the word “quality” with “management,” everything changes. ISO9001:2015 is really an enterprise management system, or alternatively an enterprise performance management (EPM) system.
Therefore, the role of supply management is to translate the EPM system into a supply performance management system that aligns enterprise objectives to supply chain objectives and translates them out to upstream external partners. In fact, consider the current definition of ISO9001:2015 from ISO itself (emphasis added):
The objective of ISO9001 is to provide a set of requirements that, if effectively implemented, will give you confidence that your supplier can consistently provide products and services that meet your needs and expectations and also comply with applicable regulations.
So, ISO9001 is really just about good supplier management rather than a regulatory compliance framework or a low-level process documentation standard driven by the quality department. In other words, it’s about supplier performance management, supplier quality management, supplier relationship management (SRM), supplier information management and supplier risk management. And all of these areas must dovetail nicely as you reach out and engage suppliers within a supplier.
The last aspect mentioned above (supplier risk management) is deceptively complicated and nuanced. Supply risk management is a two-headed beast. One head is typified by a supply risk program and governance structure to ensure that the supply chain is assuring supply and compliant with enterprise risk and compliance requirements. The other is a “shadow” system (that must come out of the shadows) that parallels and protects the supplier requirements and KPIs that you measure. Supply risk management ensures supply performance management.
What’s fascinating about this dichotomy is that ISO actually has a voluntary risk management standard called ISO31000, which helps guide enterprise risk processes and capabilities. But it’s not very well implemented. Yet, the 2015 version of ISO9001 has an entirely new set of supply risk requirements baked into it, even though ISO31000 is very rigorous. Why? Because suppliers and supply chains must perform in the face of risk and therefore must protect those supply outcomes from those risks. Supply chains don’t exist in a risk-free steady state environment — and the old ISO9001 standard didn’t really reflect that.
Supply risk is always lurking right below savings/value delivery on the CPO agenda, and ISO9001:2015 has a stated goal of introducing “risk-based thinking” into its vocabulary. Supply risk is the VUCA (variability, uncertainty, complexity, and ambiguity) that adversely affects expected supply outcomes, whether supplier outcomes at the supplier level or supply chain outcomes across the multi-tier network. Organizations that can manage this risk are, by definition, agile.
The beauty of ISO9001, though, is that, as a certification-based standard, it’s a perfect regulatory compliance “burning platform” that can light a fire under the organization to do supply risk management properly, in a way that protects whatever is strategic to you: rapid revenue growth, cost excellence, sustainability and so on. So, if you’re struggling to fund initiatives to actually deal with supply risk systematically and meaningfully, you now have a regulatory mandate that shouldn’t go to waste.
In my last post, I mentioned a whitepaper from supply chain risk management provider riskmethods that dove into some details about how supply chain risk management dovetails with the closed loop management system implicit in ISO9001. It’s a very good analysis from the standpoint of supply chain risk, and in an upcoming Spend Matters Plus analysis, I’ll dive into the many new and improved facets of ISO9001:2015 and the specific language of the regulation, as well as how procurement can use it as “organizational judo” to transform not just supply risk management but also supplier management.