ISO9001 in 2021 Week by Week - Week 37 – 8.4.3 Information for external providers

This is a 52 week discussion of ISO9001:2015. Each week, we discuss a specific clause of the ISO9001:2015 standard in detail and look for ways to trim the fat. (As a member of TAG/TC176, the committee responsible for review and revision of ISO9001, (possible revision in 2023), I’ll keep you posted on what I learn all year!)

(It is strongly recommended that you purchase a copy of ISO9001:2015  for reference).  And, be sure to do your homework!

8.4.3 Information for external providers

Readers, I appreciate your patience as we work carefully through this section.  It is one of the most detailed, which is a plus because it is clearly defined so it can be easily understood.  However, the section is wordy and can be somewhat redundant.  I’m happy to continue, though, because all these words and stating and restating, make the importance of this process clear.

External providers can potentially introduce considerable risk to an organization’s ability to function successfully.  And today’s economy is stimulating an increase in the use of external providers or outsourcing as companies try harder and harder to find ways to specialize in their core competency and rely on less expensive outsourcing for other activities.

Control of external providers has always been an important clause, but not always well understood by either many organizations auditors.

Traditionally, an organization may have an “approved source” list which was created using some sort of selection process and some sort of performance evaluation such as a score card.  This is pretty simple, but in many cases, marginally effective.  The troubles come when the system is implemented purely as an intent to comply with ISO9001 with little or no use or interaction with the procurement or purchasing people.  Many companies try the popular workaround of simply requiring all their suppliers to be registered to ISO9001 or similar national standard and everyone else is considered “non-critical” or some additional inspection may be used to confirm the quality of their product.  There is often a disconnect between the system and the actual usefulness by the impacted users.

Many audits of this clause have included a superficial dance by the organization and its CB/auditor simply “checking the boxes” to ensure compliance with the requirements of purchased products/services.  Sadly, this is a parallel weakness so many organizations have suffered while seeking compliance to ISO9001.  There are a lot of areas where compliance can be rather easily achieved without a discernible impact on the actual quality of the product/service provided by the organization.  Thus, frustration by so many organizations (and also consumers of those organizations).  Past weakness in this area has also provided a rich environment for a poor sourcing management process resulting in poor performance by their vendors/external providers.

The additional language and painstaking detail now included does help to put some more teeth in the requirements.  Our previous week’s discussions have included our obligation to first create a process adequate to meet our needs, to clearly define its workings and also its applicability.  It pushes the envelope somewhat in requiring an organization to actually create a working, live and dynamic sourcing management process with consideration of risk and more immediate consequences of actual performance.

There are now requirements to communicate specific information to external providers (which by default will force the organization to have a disciplined process for identifying them):

“The organization shall ensure the adequacy of requirements prior to their communication to the external provider.”

This means there should be a thorough review of purchase orders, contracts, etc PRIOR to communicating them to the supplier.

“The organization shall communicate to external providers its requirements for:,

a)  the processes, products and services to be provided;” 

This is such a simple, self-evident requirement, but it is very common to accidentally leave things out if not carefully evaluated and stated.

“b)  the approval of:

• Products and services;
• Methods, processes and equipment;
• The release of products and services;” 

These are the types of requirements that can be sometimes “dropped in” to contracts after the fact, which can create difficult for either party.  These are those little “extras” that can be sometimes assumed by the buyer, and not assumed by the seller when the contract cost is estimated.  This can result in confusion after a contract has already begun.  These requirements protect organizations both up and down the supply chain.

“c)  competence, including any required qualification of persons;”

It’s not hard to understand why all this language is here – outsourcing is risky business as it is.  When faced with pressure to deliver, and forced to obtain assistance from an external provider, we often choose something “easy” to offload.  This can include outside processing, temporary workers, etc.  While something may seem “easy” to an experienced organization, without the external provider’s willingness and ability to ensure the competence and qualification of their personnel (including a clear understanding of all the requirements), the external provider may introduce significant risk to an otherwise reliable organization, and potentially severely impact its customers.

“d)  the external providers’ interactions with the organization;

It’s important to define how, when and with whom external providers should communicate with.  Often times, especially with well matured and bonded relationships between organizations, many different channels of communication can be opened.  This should be controlled to the extent necessary to ensure the information, and more importantly, changes, are managed carefully and by the right people.  Some appropriate guidelines should be considered ensuring that the pipeline of communicating and decision-making is clearly defined.

“e)  control and monitoring of the external providers’ performance to be applied by the organization;”

However simple or complex your organization’s selection, monitoring and evaluation process, the supplier should be notified of that process.  Will they be expected to participate in corrective action investigations in the event of an issue?  What level of inbound inspection will be performed?  What is their responsibility in terms of “self-certification” of product?  Are there any consequences for poor delivery performance, quality performance, customer service?  The supplier should understand your process.

"f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises."

Again, in some cases, there may be an expectation that there will be interaction, visits and support expected - perhaps on-site inspection.  If this is expected, it should be clearly communicated at the time of the order.

THIS WEEK’S HOMEWORK

You’ve already reviewed your source management process and its scope.  Now, connect the dots and ensure that the process as defined is actually implemented as designed.  Are the items above consistently determined and communicated through the use of contracts, purchase orders, terms and conditions, etc?  Are providers selected based on their ability to meet all requirements?  Is there a method to detect and mitigate any shortfall of provider performance?  Does the process actually work?

You may also rely on customer feedback, results of corrective actions/root cause analyses, internal disruptions, etc.  Are any of these a result of a provider performance issue?  Are all the proper connections in place within the source management process to ensure that external providers are adequately controlled?  Consider any improvements that may be required.  Good luck!

This weekly series is a DIY guide including lots of FREE STUFF like templates, examples and tutorials.  So, SUBSCRIBE today and we’ll keep it coming to your inbox weekly.

Do you need help with your Supplier Management process to comply with these requirements?  Connect with us today and we'll help you create a robust but simple supplier management program that will be easy to manage, but powerful in terms of your reliance on your supply chain.  

And the options don't stop there.  

Watch this 3-minute video about another great resource to accompany this series.   Get the self-directed, on demand, online learning series  ISO9001 in Plain English, today and you'll get:

• A clear understanding of the requirements of ISO9001:2015
• Proven tips to build a robust quality system that's easy to use
• Ways to reduce documentation and paperwork (yes, really!!)

Each video is about 15 minutes and targets a specific element of ISO9001, (with over 6 hours of total content!).  We translate all the gobbledegoop into Plain English you can understand and leverage the requirements to get maximum VALUE from your quality efforts. 

For a deeper dive into the process side of your quality system, get Tribal Knowledge - The Practical Use of ISO, Lean and Six Sigma Together, a simple guide to UNITE ISO9001, lean and Six Sigma to create a robust quality system with better results.  Read what ASQ American Society for Quality – Quality Progress Magazine  had to say about it. 

We look forward to continuing this YEAR LONG journey with you.  SUBSCRIBE today and the series will come to you weekly to get you off to a great start and your quality system reinvigorated. 

And join me on my journey to always keep improving!