Refusal to take Corrective Actions after the Internal Audit

[JaneB]

the scope of my audit was to document the work processes since we dont have one

I don't really see how an audit can have a scope of documenting work processes! Either you were 1. analysing processes (with a view to documenting them) or 2. you were auditing processes against requirements.

Since you cannot do 2. until you've done 1. then it follows you were not auditing. So raising 'nonconformities' is not appropriate at this point and making recommendations for improvement at this point, as you've found, is Not a Good Idea.

and to check the compliance to the requirements of iso:9001:2008.

OK - this is a gap analysis, not an audit (or should not be). Again, don't go into audit mode! The outcome here is better as an objective report on where you comply, where you don't and what actions are required to achieve compliance. Again, recommendations for improvement are premature and ill-advised.

also i audited against the iso:9001:2008 requirements.. i raised a non conformity against:
-quality policy and objectives. (not being communicated and measured).
-document control need to be implemented (we do have one in place but the division is not impelemnting it).
-also some processes needed to have some improvement to raise the effectiveness of the outcome and results.
- management reviews that need to be conducted..

the problem came from my improvements suggestd for certain work processes (un-documented). so shall i cancel the NCR related to those un-documented proceses..

Yes. I'd cancel any and ALL noncoformities. Too early and the wrong approach. Get people involved (remember that principle of quality?) get leadership (remember that one too) and don't charge around issuing NCs all over the place.
Your Director is right in this case: first step is to document proceesses/procedures/standards and what-ever. Build the system first, get it running, and then start to audit it when you have something to audit against!

By the way, did /do you have a documented audit procedure? And do you have a written procedure for NCs or similar? Because I sure as hell wouldn't consider doing any kind of internal audits until I did!

You'll have to do a bit of damage control and rebuilding bridges here, I'm afraid. Better - far, far better - to start off gently than go in heavy with the NCs.

 

[JaneB]

The content of the correction/corrective action/preventive action depends on the one's decision responsible to eliminate the non conformity.

There isn't a 'nonconformity' until there's some kind of clear benchmark (ie, documented system) to audit against!

An analogy: would you 'audit' someone who hadn't yet learned a certain mathematical skill... and then issue nonconformities against their lack of ability in doing same? A sure way to get people unhappy and very much offside (meaning annoyed and feeling burned by the experience).

 

[JaneB]

Interesting. You might want to keep in mind that getting people on board is a big part of your project....

you'll be best off if you can show some positive direction early, the "quick-win" idea. If you've only raised awareness through training and initial audit review that's actually a start but you might look out for something productive that people could relate to early, not just problems and far-off KPI-based gains built on top of a marketing edge foundation.

Good ideas and good advice.

Yes, achieving the fix for a problematic area - one of those quick wins - is a great way of doing both, and highly recommended.

 

[john.b]

It seems there might be problems occuring on different levels here: implementation strategy, roles, intention of the system, staff awareness and commitment, and taking a systems view.

Too much focus on getting a lot of little pieces together as compliant could divert attention from the goals, why the implementation is occuring, or other broader strokes, eg. the importance of interrelation between processes. Some quick review of maturity analysis and company level soul searching might help. In the roughest terms, processes mature from activities that are not consistent, to becoming consistent and repeatable, then clearly documented (standard procedures and records), then functioning as an inter-related system, then measured, then optimized.

If a primary goal is to get certification for a marketing edge (just an example) then one might try to skip straight to documentation and never even consider the later steps that bring the most gains (in theory), and never acheive the consistency, which could be awkward. I'm not advocating stacking up too much theory, for example adding a matrix of maturity numbers to a functional gap analysis, since you've already got enough to deal with.

 

[Wes Bucey]

the scope of my audit was to document the work processes since we dont have one and to check the compliance to the requirements of iso:9001:2008.

also i audited against the iso:9001:2008 requirements.. i raised a non conformity against:
-quality policy and objectives. (not being communicated and measured).
-document control need to be implemented (we do have one in place but the division is not impelemnting it).
-also some processes needed to have some improvement to raise the effectiveness of the outcome and results.
- management reviews that need to be conducted..

the problem came from my improvements suggestd for certain work processes (un-documented). so shall i cancel the NCR related to those un-documented proceses..i think am gona do this.. and keep the ones related to the iso requirements. till then, processes we will finish from documenting all the work processes.

Interesting. You might want to keep in mind that getting people on board is a big part of your project. If it came down to it you could turn any issue into a power play and revert to your upper management support to get things moving on a minor point, but since it's a lot easier to implement systems that never do work in the end you'd be better off not, or at least not playing that card until you need to. If someone is claiming there should be more clear documentation and formal process as a guideline that person should be in the pro-implementation camp.

Even if you are doing an early gap analysis issuing NC's and moving on to documenting corrective actions (suggested by who is responsible for the work-scope and resolution, ideally) sounds right to me but you could put people off with the terminology or just make the process less pleasant than it needs to be. Technically you're not really non-conformant in relation to any designed system yet (there isn't one) and let's face it, standard requirements in general are kind of vague. In some clear cases not that vague; if there is no document control that's obvious enough.

One last point: as with all the general large-scale change guidance you'll be best off if you can show some positive direction early, the "quick-win" idea. If you've only raised awareness through training and initial audit review that's actually a start but you might look out for something productive that people could relate to early, not just problems and far-off KPI-based gains built on top of a marketing edge foundation.

I don't really see how an audit can have a scope of documenting work processes! Either you were 1. analysing processes (with a view to documenting them) or 2. you were auditing processes against requirements.

Since you cannot do 2. until you've done 1. then it follows you were not auditing. So raising 'nonconformities' is not appropriate at this point and making recommendations for improvement at this point, as you've found, is Not a Good Idea.


OK - this is a gap analysis, not an audit (or should not be). Again, don't go into audit mode! The outcome here is better as an objective report on where you comply, where you don't and what actions are required to achieve compliance. Again, recommendations for improvement are premature and ill-advised.


Yes. I'd cancel any and ALL noncoformities. Too early and the wrong approach. Get people involved (remember that principle of quality?) get leadership (remember that one too) and don't charge around issuing NCs all over the place.
Your Director is right in this case: first step is to document proceesses/procedures/standards and what-ever. Build the system first, get it running, and then start to audit it when you have something to audit against!

By the way, did /do you have a documented audit procedure? And do you have a written procedure for NCs or similar? Because I sure as hell wouldn't consider doing any kind of internal audits until I did!

You'll have to do a bit of damage control and rebuilding bridges here, I'm afraid. Better - far, far better - to start off gently than go in heavy with the NCs.

It seems there might be problems occuring on different levels here: implementation strategy, roles, intention of the system, staff awareness and commitment, and taking a systems view.

Too much focus on getting a lot of little pieces together as compliant could divert attention from the goals, why the implementation is occuring, or other broader strokes, eg. the importance of interrelation between processes. Some quick review of maturity analysis and company level soul searching might help. In the roughest terms, processes mature from activities that are not consistent, to becoming consistent and repeatable, then clearly documented (standard procedures and records), then functioning as an inter-related system, then measured, then optimized.

If a primary goal is to get certification for a marketing edge (just an example) then one might try to skip straight to documentation and never even consider the later steps that bring the most gains (in theory), and never acheive the consistency, which could be awkward. I'm not advocating stacking up too much theory, for example adding a matrix of maturity numbers to a functional gap analysis, since you've already got enough to deal with.

John and Jane have correctly identified the task you were set: a gap analysis (a comparison of current status with the "ideal" of 100% conformance to an ISO Standard.)

In my opinion, somewhere along the line you interpreted "gaps" to mean "nonconformances." Your director has correctly interpreted the exercise as identifying gaps to fill, not nonconformances to correct.

John and Jane are trying to be diplomatic here, but I'm an old guy relatively impervious to retaliation, so here's my straight no nonsense response and concurrent advice:
As the person set to the task of performing a gap analysis, you did not have sufficient grasp of how to follow through correctly once the gaps were identified. Somehow, you used the wrong terminology, inserting "corrective action" and then getting embroiled in an argument with the director when you were both talking about achieving the same result - an organization compliant with an ISO Standard. (In some cases, the lower ranked employee who gets in such arguments finds himself an ex-employee, so it pays to proceed with caution and to be completely sure of your ground before proceeding.)

My advice:
Reacquaint yourself with the principles and techniques of a gap analysis and present your gap findings again with a goal of helping the organization create and implement a system of policies, processes, and procedures which fit their operation and which are compliant with the ISO Standard, simultaneously setting up a periodic evaluation schedule and system to ensure the system continues to work as planned.

Clue: don't use the term "corrective action."

 

[john.b]

I like that frankness; classic American style. You can never really appreciate that until you're living not in the US and hedging is the norm.

A minor related complication is that implementation gap identification and closure could look and feel a lot like the later audit / corrective action process will, especially in a case of a smaller company where QA is carrying a diverse load. You will still identify a shortfall based on requirement compliance and functional gap, research it, identify responsibility for resolution, set timeline, etc. Stepping back and helping guide people responsible for both as objective non-participant rather than stepping in and helping facilitate might not work in some situations.

In any case keeping the ruckus in check during the gap analysis phase seems well-advised since there's a ways to go from there and no guarantee the resulting system will ever actually be functional.

 

[amadisonr]

If the processes are that good that they need no documentation then great. However, how are they establishing this greatness. Is there never any NC's in this business? Are all process owners able to describe the processes and then make perfect product. This is highly suspect. I also would question the traceability if it is important for the business, with AS9100C for aerospace this is generally critical. This just sounds like a case of I don't care and what are you going to do about it. I am surprised that you have internal auditing at all...... ie lack of management commitment and review... just saying