Refusing to Show Management Review Records or Minutes

Marc

Fully vaccinated are you?
Leader
Any comments on this folks?

----------snippo----------

From: ISO Standards Discussion
Date: Thu, 3 Feb 2000 07:37:10 -0600
Subject: Re: Management Review Record /El-Homsi/Lambert/Meron

From: Emanuel Meron

I do not think that an auditor, either from a second party (the customer) or third party (the registrar), may ask to see the actual minutes of a management review. If the review was worth the time, it probably dealt with sensitive items and generated information that, if leaked out, may give competitors an advantage. This is the kind of information that every company likes to guard closely and you, as an auditor, should honor this. I do however agree that evidence should be provided showing that reviews actually took place.

The FDA recognizes this situation and only asks for a management declaration stating that reviews were held in accordance with the requirements of the quality system regulation (QSR). Their auditors are not allowed to inspect the actual minutes.

If you ever find yourself on the receiving end, I suggest you refuse to divulge the actual review items, data, decisions, etc., Just give the auditor the dates of the reviews and the names or functions of the participants.
 

Marc

Fully vaccinated are you?
Leader
By the way - this is what started the thread....

-------------snippo----------

From: ISO Standards Discussion
Date: Thu, 3 Feb 2000 07:12:52 -0600
Subject: Re: Management Review Record /El-Homsi/Kozenko

> Heather writes:
>
> I then asked what had been shown to the auditor(s) during
> the audit, and he said the same things that had been shown
> to me. (In addition to the agenda, there are some active teams
> pursuing corrective action on key measures such as Corrective
> Actions, Non-Conforming Mat'l, etc...) which meet weekly or
> monthly.

Were there records available for these meetings?

> He replied that they had been with the registrar for some time
> and they trusted him when he said that all of the required
> people had met and that they had decided current activities
> were adequate for their quality system. The last formal meeting
> minutes were from 1995. After that, they just had the agendas.


This ought to put the cat amongst the pigeons <g>

The Registrar deserves to know that its Lead Auditor(s) performed in this manner since 1995, and your company's concerns with the Registrar's findings (or lack thereof) with respect to "Records" compliance (especially records of 4.1 Management Review records compliance). Let the Registrar go on record after investigating the apparent validity of your firm's concerns.

While what you described may be limited to a Records nonconformity and not necessarily a systemic collapse, the fact remains that aggravated Quality Managers are such bad conversationalists -- your long discussion with one does not count under 4.18 Training, you know? You can save a lot of time with the words, "Objective evidence not found."

Finally, what other suppliers does your firm have, who certify under this Registrar's banner? Maybe revise your firm's surveillance audits, consummate with risk, etc.

David Kozenko

[This message has been edited by Marc Smith (edited 15 February 2000).]
 

Marc

Fully vaccinated are you?
Leader
In reading this over, one thought I have is: If you can sign an affadavit swearing you did the management review, why couldn't you do the same with Internal Audits? Undoubtedly there's plenty of sensitive, proprietary info in audit findings...
 
Q

Qualiman

Marc:

I agree with you regarding the risk of extreme positions saying something like " I am the Director, I swear on the Holy Bible that all my Quality System is OK, then I don't need to show you any evidence"

The auditors need to see evidence that a QS is in place, but I think that in such cases like 4.1.4 (Bussiness Plan) and 4.1.3 Management Review when they have to audit the existance of documents of these activities, that demonstrate that they are "live" in place, would be enough a "bird sight" quick review "from a distance" of papers. I think is not proper to allow the auditors read details of plans, costs or new technologies, sensitive and strict property of company.

Qualiman
 

Marc

Fully vaccinated are you?
Leader
The whole process is intrusive by its very nature. My initial objection to QS-9000 was the business plan requirement. It's pretty standard for a company not to show the auditor the business plan contents but I have yet to see a company keep an auditor from seeing actual management review records. The question becomes where is that 'thin gray line' of what can and cannot be seen by an auditor.

Audits I have witnessed were always precluded with a long speil by the lead auditor about confidentiality and such - supposedly they've got 'Top Secret' ;) clearances.
 

Marc

Fully vaccinated are you?
Leader
From: ISO Standards Discussion
Date: Thu, 10 Feb 2000 07:48:32 -0600
Subject: Re: Management Review Record /El-Homsi/Humphries

Heather,

> As part of the audit, we asked to see the Meeting Minutes from
> their last Management Review Meeting, which was held in the
> Spring of 1999. We were shown an agenda which included a
> summary of audits and CAR's for the last few years in table form,
> and some questions for discussion around the effectiveness of the
> quality system. The Quality Manager stated that he handed this out
> before the meeting to the attendees. When I pressed further for
> documentation that showed who had attended the meeting, and what
> the group consensus was to the questions, he was unable to present
> anything. I then asked what had been shown to the auditor(s) during
> the audit, and he said the same things that had been shown to me. (In
> addition to the agenda, there are some active teams pursuing corrective
> action on key measures such as Corrective Actions, Non-Conforming Mat'l,
> etc...) which meet weekly or monthly. He replied that they had been with
> the registrar for some time and they trusted him when he said that all of
> the required people had met and that they had decided current activities
> were adequate for their quality system. The last formal meeting minutes
> were from 1995. After that, they just had the agendas.
>
> As he was agitated with my line of questions, I reviewed ISO section
> 4.1.3 Management Review with him, and showed him the requirement
> for "records of such reviews shall be maintained". We had a long
> discussion around records vs. forms and objective evidence. We also
> discussed that the intent of Periodic Management reviews was not to
> deal with the day to day firefighting, but to take a step back and look at
> the "Big Picture" to see if the quality system in it's entirety was
> effective.

In principle you're correct: I generally require that Management Review
meetings be minuted, so that agreed actions can be followed up. As to
attendance, it is again normal to specify who should attend the meetings.

However, in practical terms, neither of these solutions is itself
specified: they are merely effective and common ways of meeting the
requirements.

A company could quite easily specify that any action decided through
management review will be monitored through the corrective action system,
and a standard agenda will be used. Under such conditions, the evidence of
the meeting (the records) will be the corrective actions that are
initiated as a consequence of the meeting, presumably on the day of the
meeting. There also won't be an individual agenda for the meeting, merely
a proforma.

It is also not stated what should go in the records, so attendance is
optional.

That having been said, in your place I would be quite suspicious that no
effective management review is taking place. Perhaps you should look for
an incident that SHOULD have triggered management review: major expansion,
restructuring, new products, etc, and ask for what records there are of
management review at those times.

Best Regards
Edwin Humphries
 

Marc

Fully vaccinated are you?
Leader
From: ISO Standards Discussion
Date: Thu, 17 Feb 2000 07:06:48 -0600
Subject: Re: Management Review Record/../Blair/Arter

From: Dennis Arter

>I'd have to disagree with this statement. 4.1.3
>specifically calls for Quality Records (4.16)... "Records
>of such reviews shall be maintained".

True. The standard also requires the using organization (and NOT the auditor) to define a) what their records are, b) where they will be kept, and c) how long they will be kept. Perhaps you are confusing a document with a record. I consider an agenda to be a document; although, certainly NOT a "controlled" document.

>In plainer language:
>Any company having a Management meeting without preparing
>a written agenda is wasting everyone's time. Any company

Opinion

>having a management review without attendance by top
>management is wasting everyone's time. Any company having

Opinion

>a management review with no action items and/or comments on
>the status and readiness of the quality system is wasting
>everyone's time. Records provide this proof, or, as the

Opinion

>auditor would say... "If you didn't write it down, it never
>happened"

I believe your auditor may have forgotten about the other forms of objective evidence. Written records are important, but they are not the only bits of evidence.

Dennis R. Arter
 

Marc

Fully vaccinated are you?
Leader
From: ISO Standards Discussion
Date: Thu, 17 Feb 2000 07:12:09 -0600
Subject: Re: Management Review Record /../Blair/Humphries/Blair

> I agree with everything you say, except for the "in plainer language".
> What you go on to say is correct in every sense, but is an interpretation
> of the Standard, not the meaning of it's requirement

O.K., lets use the actual words in the standard (and yes, I know I'm violating
Copyright Laws)

"...management with executive responsibility shall review the quality system"
Where is the objective evidence of this without an attendance list?
"at defined intervals sufficient to ensure its continued suitability and
effectiveness.."

Where is the objective evidence of this without proof that the required
elements are being addressed (4.14, 4.17) as an agenda coupled with either
action items to address relevant issues and/or a statement summarizing the
effectiveness of the current system?

If all you're saying is that the record doesn't have to be a paper record,
then I'm o.k. with that....I would pass a video-taped management review
conducted as a teleconference in a heartbeat once I had viewed the tape and
determined its completeness and effectiveness.

What I'm getting so far is that it is theoretically possible to register
someone if:

1. I have a quality policy that says I make Crap and I have clearly communicated this to everyone.
2. My management review consists of a discussion while passing in the hall, followed by one or two memos.
3, I select suppliers based on whoever has the lowest price.
4. Hiring/Training consists of holding a mirror in front of an employee's face and looking for fog.
......etc, etc.

Yes, I suppose it is possible theoretically, but please, please, say it ain't so, Shoeless Joe....

Grant Blair
 

Marc

Fully vaccinated are you?
Leader
From: ISO Standards Discussion
Date: Thu, 24 Feb 2000 07:45:54 -0600
Subject: Re: Management Review Record /../Meron/Pb/Hankwitz

> Subject: Re: Management Review Record /../Lambert/Meron/Pb
>
> > Emanuel stated:
> <snip>
> > I do not think that an auditor, either from a second party (the
> > customer) or third party (the registrar), may ask to see the
> > actual minutes of a management review. If the review was worth
> > the time, it probably dealt with sensitive items and generated
> > information that, if leaked out, may give competitors an advantage.
> > This is the kind of information that every company likes to guard
> > closely and you, as an auditor, should honor this. I do however
> > agree that evidence should be provided showing that reviews
> > actually took place.
> <snip>
>
> Hereabouts (India), it is the practice for auditors to pore through
> every line of the management review minutes to find omissions. I
> am looking forward to avoiding the disclosure of the minutes!
>
> Dhanish

I must be missing something in this dialog. What is everyone putting in their meeting minutes? Why is "sensitive" information being included? I don't see any requirement mandating this type of information, so why are you doing it?

Our company is (very) privately owned, so I only include information relating to the status and effective implementation of the quality system in the minutes, as stated as the primary purpose of the meeting. I then proudly provide our third party auditor with a copy of the latest minutes at each audit opening meeting. If the auditor isn't given insight into our strengths and weaknesses, how can he be expected to efficiently help us locate potential improvement areas? Unless, of course, you're not really interested in having him find them. So, then why bother having an ISO registered quality system in the first place?

I don't know how our competition knowing that our corrective action on-time closure rate increased from 80% to 95% over the past year, or that our customer dissatisfaction rate improved by 98.7% since our initial registration could possibly be a competitive advantage. Besides, if you can't trust your registrar/auditor to keep this information confidential, you need to find someone you CAN trust.

Perhaps someone could provide me with some further insight on this by providing some (bogus) examples of required "sensitive" information they wouldn't want to disclose in the minutes.

John Hankwitz
 

Marc

Fully vaccinated are you?
Leader
From: ISO Standards Discussion
Date: Fri, 25 Feb 2000 16:04:30 -0600
Subject: Re: Management Review Record /../Pb/Hankwitz/El-Homsi

Having started this thread, I want to thank everyone for their input. Initially, I just wanted to see if my concerns over the lack of objective evidence (records - which may be in the form of meeting minutes, action item registers, or other method that works for the company) that a management review had taken place. I believe that the group has overall supported that that is a requirement of ISO.

Now, to respond to John's request that "Perhaps someone could provide me with some further insight on this by providing some (bogus) examples of required "sensitive" information they wouldn't want to disclose in the minutes."

I often see companies that have their quality system management review as part of a larger "business" meeting. In those cases they may include details around 1 - 5 year plans, finacial info, Marketing strategies, Research directions, HSE concerns, unions, etc, etc, that they wouldn't want competitors to see.

The example I used to start the thread involved a Supplier Quality Assessment of an ISO certified company. During a supplier audit a company may (rightly so) refuse to share confidential info if there is not a non-disclosure agreement in place. Especially if they are being pitted against other suppliers for the same commodities.

I agree with John that if a company is certified in the true spirit of ISO, there needs to be trust between the company and its registrar, and if there isn't, find someone else!

Another thread of this discussion pulled in FDA requirements. I'm out of date on how FDA audits are performed currently, but a company I used to work for we made it a practice to be very open with the FDA auditors, and would willing share (NOT volunteer :) info. We believed that this would demonstrate the company's true commitment to doing the right things, and we were proud of the improvements we had made, and how we were addressing customer complaints. This approach was very successful for us.
 
Top Bottom