Management Review: Separate Procedure or Description in Quality Manual?

How do you address Management Review?

  • Quality Manual (only)

    Votes: 16 18.8%
  • Management Review Procedure

    Votes: 22 25.9%
  • Both

    Votes: 38 44.7%
  • I use a simple form (agenda)

    Votes: 9 10.6%

  • Total voters
    85

Wes Bucey

Quite Involved in Discussions
#41
patahaconsulting said:
I umderstand from a FDA Audit POV that they can not review the minutes from MR meetings - (5th amendment - protects us).
However, what if the External ISO Auditor wants to look at them, should we allow it?
My further take on the question:
Any auditor (short of one with a court order or search warrant) may determine if the organization has a management review system by seeing the written procedure and even by seeing a filing cabinet (or computer menu) of reports of the reviews, BUT no organization is required to disclose the substance of those reviews to third parties any more than they would show trade secrets to third parties (trade secrets could include secret formulas, marketing strategies, or just salary levels of individuals.)

If you would be willing have those reports printed on the front page of the New York Times or Wall Street Journal, or sent to all your competitors, by all means, feel free to let an auditor browse through them.
 
Elsmar Forum Sponsor

Sidney Vianna

Post Responsibly
Staff member
Admin
#42
Wes Bucey said:
My further take on the question:
Any auditor (short of one with a court order or search warrant) may determine if the organization has a management review system by seeing the written procedure and even by seeing a filing cabinet (or computer menu) of reports of the reviews, BUT no organization is required to disclose the substance of those reviews to third parties any more than they would show trade secrets to third parties (trade secrets could include secret formulas, marketing strategies, or just salary levels of individuals.)

If you would be willing have those reports printed on the front page of the New York Times or Wall Street Journal, or sent to all your competitors, by all means, feel free to let an auditor browse through them.
BIG disagreement here. Third party auditors (at least the serious ones) will demand to see the contents of the management review records, in order to ensure that the minimum requirements for input and output are being satisfied. Your proposal is not supported by the Standard since you are not required to have a procedure for management reviews, nor you are required to have hard copies of such records. For a company that has only electronic copies of the management review records, what would they do? Point a computer to the auditor and tell: Trust me we have records of management reviews in the hard disk drive of this computer. This is a ludicrous suggestion....

Further, such records will determine if action items from previous reviews have been dealt with or not. Any 3rd party auditor worth his/her salt would not accept not having access to such records.

All of the records are protected by confidentiality clauses and, I can guarantee to you that it happens hundreds of times every day, around the World and, still, you will never see that (leaked information) on the front page of the NY Times, Wall Street Journal, or any other newspaper anywhere. The Regulatory Auditors approach to review of records is different.

Waiting for the return fire....
 
Last edited:

Wes Bucey

Quite Involved in Discussions
#43
Sidney Vianna said:
BIG disagreement here. Third party auditors (at least the serious ones) will demand to see the contents of the management review records, in order to ensure that the minimum requirements for input and output are being satisfied. Your proposal is not supported by the Standard since you are not required to have a procedure for management reviews, nor you are required to have hard copies of such records. For a company that has only electronic copies of the management review records, what would they do? Point a computer to the auditor and tell: Trust me we have records of management reviews in the hard disk drive of this computer. This is a ludicrous suggestion....

Further, such records will determine if action items from previous reviews have been dealt with or not. Any 3rd party auditor worth his/her salt would not accept not having access to such records.

All of the records are protected by confidentiality clauses and, I can guarantee to you that it happens hundreds of time every day, around the World and, still, you will never see that (leaked information) on the front page of the NY Times, Wall Street Journal, or any other newspaper anywhere. The Regulatory Auditors approach to review of records is different.

Waiting for the return fire....
Not to pick a fight, but could you cite chapter and verse in the requirements for 3rd party auditors that they have to see the CONTENT of the management review versus the fact the management review process exists?

It seems to me the methodology you describe treads dangerously close on the auditor making a DECISION about the efficacy of the management review versus the presence of a management review.

Determining the presence seems a viable audit function. Determining whether the content meets the auditor's concept of "minimum requirements for input and output are being satisfied" seems more like an advising or consulting function than auditing.

One of the major complaints I hear about third party auditors is "they tried to tell me how to run my business."

Next, the auditor will be determining whether the method of training an employee to perform a task is sufficient. Following that, the auditor will reinspect product and determine the inspection process is inadequate and that there is insufficient attention to transferring information to a continuous improvement program.

After that, the auditor will determine whether the Contract Review process is adequate and whether the auditee is charging too much or not enough money for a product or service.

Perhaps the auditor will take biological samples from surfaces in the lavatory and determine the infrastructure does not meet the auditor's concept of hygiene.

All of these items, of course, are spelled out specifically in EVERY third party registrar contract that the auditee will comply with any request by an auditor, no matter whether the auditor can cite a Standard clause to justify the request.

Although I, personally, argue for open disclosure by management, I recognize and respect the right (even necessity) for some managements to keep things VERY CLOSE to their vests. Coming from a background of dealing with mergers and acquisitions and public offerings of debt and equities, I can see where some managements may be very loathe to disclose information for fear of regulators pawing through back history to see who might have garnered inside information on a pending transaction.

The option, of course, is for managements to keep TWO sets of management review minutes - one for their own personal use and one for the auditor (smell kind of like Enron to anyone?)

If anyone senses a strong odor of irony here, it is all intended.
 

Helmut Jilling

Auditor / Consultant
#44
Wes Bucey said:
Not to pick a fight, but could you cite chapter and verse in the requirements for 3rd party auditors that they have to see the CONTENT of the management review versus the fact the management review process exists?

It seems to me the methodology you describe treads dangerously close on the auditor making a DECISION about the efficacy of the management review versus the presence of a management review.

Determining the presence seems a viable audit function. Determining whether the content meets the auditor's concept of "minimum requirements for input and output are being satisfied" seems more like an advising or consulting function than auditing.

One of the major complaints I hear about third party auditors is "they tried to tell me how to run my business."

Next, the auditor will be determining whether the method of training an employee to perform a task is sufficient. Following that, the auditor will reinspect product and determine the inspection process is inadequate and that there is insufficient attention to transferring information to a continuous improvement program.

After that, the auditor will determine whether the Contract Review process is adequate and whether the auditee is charging too much or not enough money for a product or service.

Perhaps the auditor will take biological samples from surfaces in the lavatory and determine the infrastructure does not meet the auditor's concept of hygiene.

All of these items, of course, are spelled out specifically in EVERY third party registrar contract that the auditee will comply with any request by an auditor, no matter whether the auditor can cite a Standard clause to justify the request.

Although I, personally, argue for open disclosure by management, I recognize and respect the right (even necessity) for some managements to keep things VERY CLOSE to their vests. Coming from a background of dealing with mergers and acquisitions and public offerings of debt and equities, I can see where some managements may be very loathe to disclose information for fear of regulators pawing through back history to see who might have garnered inside information on a pending transaction.

The option, of course, is for managements to keep TWO sets of management review minutes - one for their own personal use and one for the auditor (smell kind of like Enron to anyone?)

If anyone senses a strong odor of irony here, it is all intended.

Gee, Wes, generally your posts are pretty sound, but this one seems to be meandering off into the distance. Sure, if we extrapolate to the extreme, we can imagine all kinds of evils.

But, I have to agree with Sidney. Auditing managment review and contract review and training, etc. for effectiveness is basic and common to almost any appropriate 3rd party audit, at least if performed by an experienced auditor. We generally avoid financials, and in rare cases I have had a client ask if a particular business document could be excluded as it contained sensitive data. Never been an issue. Generally this kind of business record would be peripheral to the quality audit, and was easy to exclude.

But, if I simply accept a client saying they had a meeting, would be akin to them telling me they did an internal audit as well.

We don't evaluate the business decisions a client makes. We evaluate whether the meeting was appropriate and covered the required inputs/outputs.

Truly cannot recall where a client and I ever had an issue over it.
 

Helmut Jilling

Auditor / Consultant
#45
SSwanson said:
The Management Review has to be in the manual.

We have a procedure as well... just for clarification.

And we don't use forms... because forms don't leave room for innovation.

QS required a procedure for MR, but you are being considerably more specific than either ISO or TS requires. Cl 4.2.1.d merely says documents needed to control a process. MR Requirements may be defined in the manual, a procedure, an agenda template, or not at all. It is up to the organization. Fortunately for us auditors, most folks define them in the manual or a procedure, but we cannot require that.

As an auditor, I hate to see forms. Tells me that the company doesn't know how to conduct a management review.
Forms don't necessarily mean they don't know how to conduct a management review. I created a template "form" for a consulting client which defines the process and reduces the amount of redundant writing. In fdact, the client and I think it is a wonderful form, and no one has ever suggested I don't understand management review.

IAOB and ANAB both strongly stress that auditors need to be a little more flexible in their approach. When clients have tried to make a system they thought the auditor would like, it was never as effective as when they created one they liked.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#46
Wes Bucey said:
Not to pick a fight, but could you cite chapter and verse in the requirements for 3rd party auditors that they have to see the CONTENT of the management review versus the fact the management review process exists?.
Wes, we are so far apart in this discussion that I don’t believe we would EVER reach common ground here, but just for your edification, ISO 19011 is the accepted “guidance” standard that “rules” 3rd party audit activities.

From ISO 19011:

[FONT=Arial,Bold]6.5.4 Collecting and verifying information[/FONT]
During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded.

[FONT=Arial,Bold]Practical help — Sources of information[/FONT]
The sources of information chosen may vary according to the scope and complexity of the audit and may include the following:

d) records, such as inspection records, minutes of meetings, audit reports, records of monitoring programmes and the results of measurements;
So, there is no chapter and verse that tells exactly that, just like there is no chapter and verse that states that auditors have to base their assessment on objective evidence. But if we were to follow your approach and extend it a bit, any audit would boil down to a single question:

Auditor: Does your QMS comply with ISO 9001:2000?
Auditee: Yes.
Auditor: Good. Here it is your certificate.
 
Last edited by a moderator:
C

chaosweary

#47
Mangement Review

We just state that management reviews are conducted in the quality manual. The 3rd party auditors need to validate them according to the standards requirements (9001) 5.6.2 and 5.6.3. That must be in the form of a record (fundamentals and vocabulary 3.7.6 "document stating results achieved or porviding evidence of activities performed"). You don't have to have a procedure but you must have a document (3.7.1 or 3.7.2) that relates to the standards requirements. Since I am a recipient of 3rd party audits, I put the burden on the auditor to validate the record. I need only to show that a record exists of the managment review.
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#48
mshell said:
I am just curious to find out if most people address Management Review in the Quality Manual (only) or if you have a Management Review procedure? Please post to the poll. Also, if anyone would like to share their procedure please do so.

mshell

As for your question. It is basically up to you to determine how you want to document the Management Review (via procedure or policy). I have documented the Management Review process in a working procedure.

As for the other discussions. Let me throw this question out there:

Would not an Management Review Meeting Agenda that identifies the parties involved and certain discussions, meet the intent of ISO9001:2000?


Coury Ferguson
Program/Contracts Manager
 

RoxaneB

Super Moderator
Super Moderator
#49
Coury Ferguson said:
Would not an Management Review Meeting Agenda that identifies the parties involved and certain discussions, meet the intent of ISO9001:2000?
How will the agenda address the 5.6.1 requirement of "...at planned intervals..."?

Don't get me wrong, I am a firm believer in the agenda. It promotes consistency in Management Review...and no one can say "I didn't know we were going to talk about that." :)
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#50
RCBeyette said:
How will the agenda address the 5.6.1 requirement of "...at planned intervals..."?

Don't get me wrong, I am a firm believer in the agenda. It promotes consistency in Management Review...and no one can say "I didn't know we were going to talk about that." :)
That is where the procedure or policy would define the intervals.
 
Last edited:
Thread starter Similar threads Forum Replies Date
S Risk Management Review ISO 14971 - Medical Device Risk Management 4
G Management Review (integrated system) Management Review Meetings and related Processes 17
M Management review check-list Management Review Meetings and related Processes 3
S Management Review (9.3) - Management Review Minutes/Report ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
J ISO 13485 System 'soft start' - How to best reflect this in initial audits, management review minutes and other records? ISO 13485:2016 - Medical Device Quality Management Systems 3
O ISO 13485 - Is management review required before stage 1? ISO 13485:2016 - Medical Device Quality Management Systems 6
G ISO 17025-2017 Management Review reporting items - Inputs ISO 17025 related Discussions 1
I Management review in conformity assessment standards - Certification Bodies Management Review Meetings and related Processes 6
S Has anybody done IMS - Management Review Meeting ISO 14001:2015 Specific Discussions 8
T Management review meeting workflow ISO 13485:2016 - Medical Device Quality Management Systems 9
Casana ISO 9001 - 9.3.1 Management Review - Attendees in a flat organization Management Review Meetings and related Processes 6
C Management Review Agenda Management Review Meetings and related Processes 20
Q Do Management Review records have to be on a controlled form? ISO 13485:2016 - Medical Device Quality Management Systems 30
J ISO 9001:2015 Small Operation Management Review General Auditing Discussions 6
W ISO 9001:2015 Management Review Input Template wanted ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
G ISO 9001 - 9.3.1 Management Review - Content and Frequency Management Review Meetings and related Processes 12
S ISO 9001:2015 Clause 9.3.2 - MR (Management Review) - Adequacy of resources ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Q How to run a Management Review Management Review Meetings and related Processes 10
S List of requirements for Management Review in IATF 16949 IATF 16949 - Automotive Quality Systems Standard 10
D EMS Management review outputs - Strategic direction of the organization Miscellaneous Environmental Standards and EMS Related Discussions 1
B How to comply with IATF 16949:2016 9.3.2.1k - Management review IATF 16949 - Automotive Quality Systems Standard 2
E Template of a Management Review Agenda or Report in compliance with ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 6
M FDA News USFDA Final Report – MDUFA IV Independent Assessment of FDA’s Device Review Process Management Medical Device and FDA Regulations and Standards News 0
R ISO 9001:2015 9.3 - Required inputs to the management review - Audit Nonconformance Manufacturing and Related Processes 14
T Difference between "data analysis" and "management review" ISO 13485:2016 - Medical Device Quality Management Systems 4
J 3 Questions about Management Review - ISO 9001 and IATF 16949 Management Review Meetings and related Processes 4
W Can 2 different sites under different Quality System have a common management review? ISO 13485:2016 - Medical Device Quality Management Systems 4
I Trying to explain some of the Management Review Inputs (AS9100D) Management Review Meetings and related Processes 10
W IATF 16949 Clause 6.1.1 - My first Major NCR (Management Review) IATF 16949 - Automotive Quality Systems Standard 57
H ISO 9001:2015 Cl. 9.3.1 - General Director doesn't participate in Management Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Tagin Management Review - How elaborate should Management Review be? Management Review Meetings and related Processes 14
R University Research Project - Management Review Management Review Meetings and related Processes 17
G ISO 9001:2015 - Management Review 9.3.2 c) 5) - Monitoring and Measurement Results ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
B IATF 16949 Clause 9.3.2.1 - Management Review Inputs IATF 16949 - Automotive Quality Systems Standard 1
B IATF 16949 Cl. 9.3.2.1 - Management Review Inputs - Process Effectiveness and Efficie IATF 16949 - Automotive Quality Systems Standard 14
A How to satisfy the "Interested Party" Management Review Requirement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
Z MRM (Management Review Meeting) Template for ISO 9001:2015 Management Review Meetings and related Processes 3
S What defines Top Management after a Merger? Quality Management Review (9.3.1) Management Review Meetings and related Processes 1
A ISO 9001:2015 Clause 9.3.2 - Management Review Inputs must be Documented? Management Review Meetings and related Processes 15
S Corporate Quality Manager keeping me out of the Management Review Meeting Management Review Meetings and related Processes 28
B Global / Local Management Review - ISO 9001:2008 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
D What should be included in Management Review Meeting for ISO 9001:2015? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
P Trending CAPA's in our Management Review Meetings ISO 13485:2016 - Medical Device Quality Management Systems 1
S Risk Management during Contract Review AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 14
P How CAPA's are trended in Management Review Nonconformance and Corrective Action 1
P Management Review - Performance and Product Conformity question General Auditing Discussions 7
Q Management Review - Alternative methods Management Review Meetings and related Processes 20
N Incompleted tasks from previous management review meeting Management Review Meetings and related Processes 1
N Suggestions for Management Review Presentation Management Review Meetings and related Processes 2
S Quality Assurance Manager involvement in Management Review AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 11

Similar threads

Top Bottom