Taken to the cleaners

March 8th, 2010

Did you know that last year 4500 memory sticks were found in the pockets of clothes taken to the dry cleaners?   And with the frequent high profile data leaks that now occur every few months, there is many a horror story concerning the most basic of ISO 9001 requirements – ‘Control of Records’.

Section 4.2.4 of ISO 9001 requires you to store, protect, retrieve, retain and (safely) dispose of records.   But for such a relatively simple requirement, we all still seem to think of records as paper rather than electronic data.    Here are some of the most common issues with electronic records/data we have seen recently…

Cheap Memory Sticks…

You can buy them from Amazon for less than a pound – you can even pick one up as a freebie next time a sales rep comes to visit – but do you really want to trust your data to something that cheap?

The key issues with using memory sticks are that they are easy to lose, cheap sticks are not that reliable and can corrupt data, and because they are so easy to use, people tend not to back them up.   This year alone, QCS has seen critical company records that are required by law lost because of the use of cheap memory sticks.

I always back up using a rewritable CD…

Great idea – back up your company data on CDs so that if you accidentally delete your records on your computer, you have a backup copy.   You also have a handy archive.

Beware however…according to many IT professionals, rewritable CDs are good for about 4-5 years before data can start to corrupt on the disc so if you are relying on rewritable CDs for archive records of longer than 5 years you will need to think of another way to archive.

Damaged tapes…

I recently audited a company who had to retain records for 80 years and they took it very seriously due to the legal implications of losing certain records and data.   All data was stored on a central server and data could not be stored on laptops, desktops or memory sticks.   They religiously backed up their data on tapes and kept them locked away in a fireproof safe.

I asked if they ever did a data restore just to check the system was working – they never had so they gave it a go.   None of the backup tapes worked!

The tapes were quite old and had not been replaced for years so when it came to recovering data, they did not work.

I’ve got a Big 1 Terabyte plug & play NAS drive…

I have one and I have no idea what it is other than it stores data!   The bottom line is if you store data on hard drives, solid state drives, tapes, NAS drives or your laptop, you need to make sure that your electronic data is

  • Stored securely
  • Protected from damage, corruption and loss
  • Easy to retrieve
  • Retained for however long you may need it
  • Disposed of safely (what do you do to the hard drive when you throw a laptop away?)

Love them or not, the ISO gurus thought of this when they wrote ‘Control of records’ into ISO 9001, way before memory sticks were invented.

Brown the Bully

March 2nd, 2010

And so over the last couple of weeks, Gordon Brown has found himself at the centre of a bullying scandal and his allegedly abusive behaviour to his staff.

The Director of an anti-bullying helpline has made public claims that Downing Street aides have contacted the helpline with issues and concerns about Gordon Brown’s bullying culture.

Bullying in the workplace is more common than you may think according to Bullying UK, and whether or not you perceive it to be a problem at work, there are a few simple steps that you can take to ensure you are safeguarding your organisation.

What is bullying?

According to the HSE, bullying may be characterized as offensive, intimidating, malicious or insulting behavior, an abuse or misuse of power through means intended to undermine, humiliate, denigrate or injure the recipient.

How do you manage bullying?

ACAS has produced a practical Guide to Bullying for managers.

The main points of effective management are to:

  • ensure a policy is in place that clearly explains what bullying is and the consequences of bullying
  • train your management team to understand what bullying actually is and how to use the policy
  • communicate the policy to your organisation so that everyone understands
  • manage teams to ensure that standards of behavior are set and your management team actively takes action if bullying is reported.

OK, but what if someone actually reports an incident?

Initially it is always worth trying to informally fix the issue with the person making the complaint and the alleged bully – it could always be just a conflict of personality.

If you feel the issue needs to be elevated then a formal complaint needs to be raised and you need to investigate this following your bullying policy and your discipline & grievance policy.

So as the Downing Street debate continues you may think this is a storm in a teacup, but it is worthwhile protecting yourself by having a policy in place and proactively managing this aspect of health & safety just in case.

Closure on non-conformities

February 11th, 2010

When a Certification Body issues a nonconformity during an audit there is strict guidance they must follow to close out the nonconformity.   Here is a 10-point checklist for you to follow to ensure you will get full closure during your next audit…

Correction…what the auditor is looking for…

  1. The nonconformity has been determined and contained?
  2. If correction cannot be immediate, there must be a clear plan in place with responsibilities, dates and if required the issue must have been communicated to all affected departments internally and to any customers and suppliers affected.
  3. There must be evidence that the correction was implemented or is being implemented.

Root Cause Analysis…what the auditor is looking for…

  4. There should be a defined Direct Cause as well as a Root Cause… (e.g. someone did not follow a process would be direct cause; determining why someone did not follow a process would lead to the true root cause).
  5. The Root Cause should not be a repeat of the non-conformity or the direct cause and should not attempt to explain or justify the direct cause.
  6. There should be a Root Cause statement that addresses a fundamental issue without any obvious “why” questions remaining.   If a “why” question can reasonably be asked, this indicates that the analysis did not go far enough.   This hints at using 5 Why analysis as a tool for more complex issues.
  7. There may be several ‘Root Causes’ but each cause must have a Corrective Action identified…for instance if training and inadequate work instructions are identified as root causes, a Corrective Action plan must be identified for each.

Corrective Action…what the auditor is looking for…

  8. The corrective action must address the root cause(s) determined in the root cause analysis.   This needs to include specific actions, responsibilities and dates for completion.
  9. In order to accept the evidence of implementation, enough evidence must be provided to show the plan is being implemented.
  10. Full evidence is not required to close a non-conformity and this may be carried forward to future assessments in order to verify full effectiveness.

Preventing Philosophy

January 27th, 2010

Now here is where I let you into a little industry secret…Quality Managers, Auditors and Consultants (in fact, pretty much everyone) have an opinion about what preventive action really is, but in truth many people (including Certification Body Auditors) often get it wrong.

Even the Audit Practice Group goes as far as saying that auditors should not lose their way when auditing Section 8.5.3 of ISO 9001 by having a philosophical discussion.   But in truth this often happens.

So what is Preventive Action…

The problem is that preventive action isn’t a separate process or procedure unless you have a defined ‘Risk Management’ process such as Failure Mode Effect Analysis or as in the Medical Device Standard ISO 14971.

The key questions to ask yourself here are…

  1. What do we do to prevent poor product/service affecting my customer?
  2. What do we do to prevent poor product/service affecting my business?
  3. How do we learn from things that have gone wrong and stop things from going wrong in the future?

These are not easy questions, but if you can answer the three questions above and define how you handle each situation, then you will have a good understanding of preventive action.

Preventive Action Procedure…

So your Preventive Action Procedure, as required by ISO 9001 Section 8.5.3, may in fact be included in several procedures rather than the traditional approach to please auditors by having just one documented procedure.

In fact, because the ‘procedure for preventive action’ does run across many business processes, probably the best place for this documented procedure is your Quality Manual, which can ‘point’ to other processes that support preventive action.

£50,000 Give Away

January 22nd, 2010

In the current economic climate some areas of improvement are being de-prioritised as budgets get tighter.   Most organisations will still support safety as a ‘Number 1 Priority’ – quite right – but what are we doing about the ‘Health’ bit in Health and Safety at Work?

If you need safety shoes and hard hats – no expense spared – but how about stress management training, promotion of healthy eating or programmes to help people quit smoking – surely these are all ‘nice to haves’ that only large corporations can afford.

This is precisely why the Department for Work and Pensions has launched the Health Work and Well-being Challenge Fund – a £4million grant scheme to fund innovative projects that improve employees’ health and welfare at work.

Simply put the fund is there to support small and medium sized businesses in health & welfare projects and there is a particular emphasis on promotion of mental well being.

Are you eligible?

Small and medium sized businesses with between 1 and 249 employees, and local partnerships can apply for a grant of between £1,000 and £50,000 in each year. Businesses and organisations must be based and trading in Great Britain and must have been established for at least two years.

How to apply?

The Fund is available over two years with two bidding rounds. Applications for awards in 2010 are now closed but you can apply between September 2010 and December 2010 for awards in 2011.

For further information go to the Department for Work and Pensions website here.

Measuring Your System…

January 15th, 2010

Setting your company/quality objectives is often the focus for organisations at this time of year.   But sometimes deciding on measures and targets for a process can be difficult.   This is where the KPI Library can be useful…

The KPI library can be found at http://kpilibrary.com/ and is a collection of over 2500 key performance indicators which is more than enough to satisfy any Senior Management Team score cards I have come across.

The KPI Library includes measures for Human Resources, Legal Compliance, Sales, Improvement, Purchasing, Quality, Supply Chain, Health & Safety and Environment, to name but a few.

This is a FREE service, but for an additional fee ($99) the web site will also let you benchmark each KPI against your peers so you will get an idea of how good you are.

This web site will help you if you have any kind of issue about monitoring and measuring your processes.   One way we have used this is to take an organisation’s process map and use the KPI library to decide on 2-3 measures per process.   We then summarise this using Excel into a monthly score card and decide how and who will collect the data.

The two most important things to do after setting up your score card are:

  1. Collect the data, but if you find the measure is meaningless after a couple of months, stop using it
  2. The meaningful data should be regularly reviewed and acted upon – this includes looking at the information and deciding on improvement objectives in your management review

Bargain Hunter…

January 13th, 2010

The January sales are upon us and although International Standards don’t generally get marked down in the sales, I thought it would be worth checking out different websites for the cheapest ISO standards available…

I decided to buy a download copy of ISO 9001:2008 and checked the price at the following online stores:

BSI (http://shop.bsigroup.com/)

ISO (http://www.iso.org/iso/iso_catalogue.htm)

SAI Global (http://infostore.saiglobal.com/store/)

I am sure that you have probably heard of ISO and BSI, but SAI Global?   This is a global standard database that looks at standards worldwide and gives you the cheapest version available… and a thrifty friend told me this was the cheapest place to get a copy of ISO 9001.

The Results…

  1. BSI (Members Only): £40
  2. SAI Global: £56.71
  3. ISO: £71.00
  4. BSI (Non Members): £80

BSI were in fact the cheapest although you do have to be a member which costs a minimum of £161 per year.

SAI global were next at £56.71.   If you are not a BSI member, buying from BSI proved to be the most expensive way to buy a standard.

So, SAI Global provides you with cheap downloads without a membership price tag.

Watching Programmes…

January 10th, 2010

Setting environmental objectives is getting easier by the day.   With Government Initiatives raising overall awareness, even Financial Directors are asking how we can reduce the Carbon Footprint of the company.

Also many organisations have heard of SMART objectives so we now know to make any objective for our system specific, measurable and time bound.

The real problem is that environmental objectives are a bit like a Gym Membership – signed up to too hastily in January by everyone and then not revisited for at least 6 months…

But remember ISO 14001 requires that you have a programme for your objectives including a ‘means and a time frame’.

As we are often setting objectives at this time of year, it is worth getting an effective programme set up at the same time to make sure that all objectives are prioritised and given the right resources to be successful from the start.

Objectives, targets and programmes…

Once you have decided on your ‘SMART’ objective, break this down into a brief project plan.   Also make sure that resources in terms of time and money etc. are clearly identified as part of the overall programme and that the senior management team in your company has bought into the objective and the programme.   This will make sure that everyone really understands what’s involved in achieving an objective and, more importantly, that the right objectives are given a priority and you don’t fall into the trap of setting too many objectives.

Also make sure that within the programme you have regular reviews/updates to monitor progress and update and amend programmes as you progress your objective.

This may seem like a detailed approach, but failure to have an effective programme for your objectives may well result in non-conformities at your next ISO 14001 audit.

Top 10 OHS Objectives

December 15th, 2009

You may now be thinking about setting your 2010 Health and Safety objectives. If you are short on inspiration, here are a few ideas straight from OHSAS 18001:2007…

  1. Look at your risk assessments – what hazards still have a high risk score? Can you reduce these in any way?
  2. Still looking at your risk assessments – have you really used the hierarchy of control in deciding robust control measures or are there hazards that rely a bit too much on ‘good old’ supervision and PPE?
  3. Your policy (the little used document in your reception area) – take a look at this. If you have made commitments in the policy then you really should be setting objectives to achieve this.
  4. Accidents and incidents from last year – have you closed out on all corrective actions or are there still some outstanding issues?
  5. Near misses – again, have you closed out on all corrective actions or are there still some outstanding issues?
  6. Management Review – you probably made some commitments in the meeting – it’s always worth taking a close look at this and make sure any actions are tied into your objectives for the year.
  7. Compliance Evaluation… Did you find any areas that needed improvement from your review?
  8. Health & Safety committee meeting minutes – Review the minutes to make sure you have picked up any longer term actions into your objectives.
  9. OHSAS 18002 & OHSAS 18004 – The Guidance documents are packed with help and advice on how to apply and improve OHSAS 18001 in your organisation.
  10. HSE Web Site – Very user friendly and full of free information – Use this to look for any up and coming changes in legislation so that you and your organisation.

And finally for every objective don’t forget these should be measurable if possible and have a clear responsibility assigned with a time scale.

Mistletoe and wine…

December 2nd, 2009

In the spirit of keeping Christmas well and truly in December we can now turn our minds to the festive arrangements.   And the top tip for this month is that mistletoe and wine really do prevent Swine Flu.

Hopefully swine flu has not had the impact on your business that was feared in the summer.   But as coughs, colds and swine flu begin to affect us all in the winter months, the NHS is advising us that greeting with a kiss rather than shaking hands is less likely to spread the virus.

Now before you all start using this as a way to give a cheeky Christmas kiss to someone in the office,  the advice refers to a light peck on the cheek  (If you have any French colleagues, just ask them to demonstrate) and not full lip to lip contact.

Kissing under the mistletoe

The facts are that colds and flu viruses are passed on very effectively by hand to hand contact so a quick peck is far more hygienic.    You may have to exercise some judgement however before rushing out to buy mistletoe as your work colleagues may not share your enthusiasm for this traditional Christmas greeting purely on the grounds of Health & Safety.

Try Alcohol…

So perhaps good hygiene is still the best solution – by encouraging regular hand washing and use of alcohol rub, this is a practical way to reduce the risk of swine flu affecting your business.

So in true festive spirit, buying some mistletoe for the office will undoubtedly encourage kissing but as for the wine, alcohol rub will be far more effective to prevent the risk of swine flu spreading at work.