1 Apr 2020 Oleh Dr Edly Ramly

Rata-rata syarikat tidak bersedia untuk menghadapi perintah kawalan pergerakan (PKP) akibat dari pandemik Covid-19 dengan tidak menyediakan pelan kelangsungan perniagaan (business continuity plan-BCP), mengikut pemerhatian yang dijalankan melalui audit sistem pengurusan kualiti yang dijalankan pada 2019 kepada lebih 70 syarikat.

Hampir semua syarikat SME tidak mewujudkan BCP secara formal. Walaubagaimanapun, ada beberapa syarikat multinasional mempunyai pelan kelangsungan perniagaan (BCP), tetapi pelan tersebut tidak mengenalpasti ganguan dari pandemik yang menyebabkan PKP dikeluarkan kepada hampir semua syarikat dalam rantaian bekalan kecuali kepada perkhidmatan perlu (essential services).

Kesan paling besar yang dihadapi oleh syarikat pada masa ini ialah kehilangan punca pendapatan dan berkemungkinan besar menghadapi pengurangan permintaan pada fasa pasca pandemik Covid-19 pada masa hadapan. Walaubagaimanapun, tinjauan terkini kepada beberapa buah syarikat, BCP sedang dirangka untuk memulihkan dan meneruskan perniagaan, apabila PKP ditamatkan untuk menempuh fasa seterusnya. Malah syarikat masih tidak terlewat untuk menyediakan BCP untuk ganguan kawalan dan sekatan pergerakan yang sedang berlangsung sekarang.

Untuk syarikat telah membangunkan BCP sebelum ini mengikut standard ISO22301, tugasan penyediaan dan menambahbaik BCP berkaitan pandemic Covid-19 ini akan menjadi lebih mudah dan bersistematik.

Menurut standard sistem pengurusan kelangsungan perniagaan (business continuity management system – BCMS) ISO22301 versi 2019, BCP adalah dokumen yang akan membimbing organisasi untuk bertindak apabila berlaku ganguan termasuk tindakan menyambung semula, memulihkan dan mengembalikan penyampaian produk atau perkhidmatan selaras dengan matlamat kelangsungan perniagaan. Di dalam standard tersebut, BCP dibangunkan melalui rangka kerja sistem pengurusan kelangsungan perniagaan termasuk mengenalpasti aktiviti utama (prioritised activity – PA), mengenalpasti jenis-jenis ganguan (disruption), dan juga strategi-strategi untuk bertindak balas.

Pada masa hadapan, syarikat digalakkan untuk menambahbaik BCP sediaada, dengan menjalan pengujian terhadap BCP tersebut, serta menjalankan pelbagai persediaan awal untuk mengurangkan risiko dan kesan terhadap apa-apa ganguan kepada kelangsungan penyampaian syarikat. Syarikat juga digalakkan untuk mendapatkan persijilan ISO22301 untuk memastikan sistem pengurusan kelangsungan perniagaan tersebut dibangunkan dengan berkesan.

Determine product and scope for certification

Why “Determine product”?

Determine type and family product is one of important criteria for “Operation process” clause 8, support process clause 7, planning process clause 6 and performance evaluation clause 9 of ISO9001:2015. After the product have been determine as process output, the product criteria, risk and their performance measure need to be determine and measure. In addition, the process sequence, interaction need to determine and resources provided.

In ISO14001:2015, the product need to be determine in order to study the life cycle of product.

Determine product effectively is also one of Baldrige business excellence criteria in Category 3.2a as followed:

(1) Product Offerings HOW do you determine product offerings? HOW do you

• determine CUSTOMER and market needs and requirements for product offerings and services;

• identify and adapt product offerings to meet the requirements and exceed the expectations of your CUSTOMER groups and market SEGMENTS; and

• identify and adapt product offerings to enter new markets, to attract new CUSTOMERS, and to create opportunities to expand relationships with current CUSTOMERS, as appropriate.

Issues

In some organization, they produce hundreds of products. Hence, the organization should profile their product to segment, family or category in order to manage the product realization process effectively.

Purpose of this criteria

The idea to determine the type and family of product is to:

1. Define the scope of quality/ environmental management system;
2. Effectively plan, monitor and measure the product performance;
3. consistently provide products and services conforming to their requirements;
4. Effectively improve the product

Definition and Description

ISO9000:2015 defined:

Clause 3.7.6 Product

Output of an organization  that can be produced without any transaction taking place between the organization and the customer

Note 1 to entry: Production of a product is achieved without any transaction necessarily taking place between provider  and customer, but can often involve this service  element upon its delivery to the customer.

Note 2 to entry: The dominant element of a product is that it is generally tangible.

Note 3 to entry: Hardware is tangible and its amount is a countable characteristic (e.g. tyres). Processed materials are tangible and their amount is a continuous characteristic (e.g. fuel and soft drinks). Hardware and processed materials are often referred to as goods. Software consists of information regardless of delivery medium (e.g. computer programme, mobile phone app, instruction manual, dictionary content, musical composition copyright, driver’s license).

3.7.7 Service

Output of an organization with at least one activity necessarily performed between the organization and the customer.

Note 1 to entry: The dominant elements of a service are generally intangible.

Note 2 to entry: Service often involves activities at the interface with the customer to establish customer requirements as well as upon delivery of the service and can involve a continuing relationship such as banks, accountancies or public organizations, e.g. schools or hospital

CATEGORIZING PRODUCT

Commonly product is categorized by:

• Customer
• Profile i.e. commodity
• Process Family

The benefit to categorise the product by customer is performance evaluation and analysis of the sales .  However, one customer may purchase different product commodity and process family. Hence to determine the improvement opportunities of products, the recommended tools and techniques is product-process matrix to determine the product family.

Product family is product that passing through similar processing steps and common equipment just prior to shipment to the customer. The significance of product families for lean thinkers is that they are the unit of analysis for value-stream maps, which are defined from the most downstream step just before the customer.

Note that product families can be defined from the standpoint of any customer along an extended value stream, ranging from the ultimate customer (the end consumer) to intermediate customers within the production process.

PRODUCT FAMILY MATRIX

A chart above constructed by lean thinkers to identify appropriate product families.

In the illustration below, a firm with seven product lines, as perceived by its customers, arrayed its assembly steps and equipment across the top of a product family matrix and quickly found a common path for Products A, B, and C, which it then value stream mapped as a product family.

Why “Process Approaches”?

Extract from ISO9001:2015

Clause 0.1

… This International Standard employs the process approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking.

The process approach enables an organization to plan its processes and their interactions.

The PDCA cycle enables an organization to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on.

Clause 0.3

• Process approach

• General

This International Standard promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system, to enhance customer satisfaction by meeting customer requirements. Specific requirements considered essential to the adoption of a process approach are included in 4.4.

Understanding and managing interrelated processes as a system contributes to the organization’s effectiveness and efficiency in achieving its intended results. This approach enables the organization to control the interrelationships and interdependencies among the processes of the system, so that the overall performance of the organization can be enhanced.

The process approach involves the systematic definition and management of processes, and their interactions, so as to achieve the intended results in accordance with the quality policy and strategic direction of the organization. Management of the processes and the system as a whole can be achieved using the PDCA cycle (see 0.3.2) with an overall focus on risk-based thinking (see 0.3.3) aimed at taking advantage of opportunities and preventing undesirable results.

The application of the process approach in a quality management system enables:

a) understanding and consistency in meeting requirements;

b) the consideration of processes in terms of added value;

c) the achievement of effective process performance;

 d) improvement of processes based on evaluation of data and information.

Figure 1 gives a schematic representation of any process and shows the interaction of its elements. The monitoring and measuring check points, which are necessary for control, are specific to each process and will vary depending on the related risks.

Clause 5.1

Top management shall demonstrate leadership and commitment with respect to the quality management system by:

d) promoting the use of the process approach and risk-based thinking;

Determine type and family product is one of important criteria for “Operation process” clause 8, support process clause 7, planning process clause 6 and performance evaluation clause 9 of ISO9001:2015. After the product have been determine as process output, the product criteria, risk and their performance measure need to be determine and measure. In addition, the process sequence, interaction need to determine and resources provided.

In ISO14001:2015, the product need to be determine in order to study the life cycle of product.

Determine product effectively is also one of Baldrige business excellence criteria in Category 3.2a as followed:

(1) Product Offerings HOW do you determine product offerings? HOW do you

• determine CUSTOMER and market needs and requirements for product offerings and services;

• identify and adapt product offerings to meet the requirements and exceed the expectations of your CUSTOMER groups and market SEGMENTS; and

• identify and adapt product offerings to enter new markets, to attract new CUSTOMERS, and to create opportunities to expand relationships with current CUSTOMERS, as appropriate.

Issues

In some organization, they produce hundreds of products. Hence, the organization should profile their product to segment, family or category in order to manage the product realization process effectively.

Purpose of this criteria

The idea to determine the type and family of product is to:

1. Define the scope of quality/ environmental management system;
2. Effectively plan, monitor and measure the product performance;
3. consistently provide products and services conforming to their requirements;
4. Effectively improve the product

Definition and Description

ISO9000:2015 defined:

Clause 3.7.6 Product

Output of an organization  that can be produced without any transaction taking place between the organization and the customer

Note 1 to entry: Production of a product is achieved without any transaction necessarily taking place between provider  and customer, but can often involve this service  element upon its delivery to the customer.

Note 2 to entry: The dominant element of a product is that it is generally tangible.

Note 3 to entry: Hardware is tangible and its amount is a countable characteristic (e.g. tyres). Processed materials are tangible and their amount is a continuous characteristic (e.g. fuel and soft drinks). Hardware and processed materials are often referred to as goods. Software consists of information regardless of delivery medium (e.g. computer programme, mobile phone app, instruction manual, dictionary content, musical composition copyright, driver’s license).

3.7.7 Service

Output of an organization with at least one activity necessarily performed between the organization and the customer.

Note 1 to entry: The dominant elements of a service are generally intangible.

Note 2 to entry: Service often involves activities at the interface with the customer to establish customer requirements as well as upon delivery of the service and can involve a continuing relationship such as banks, accountancies or public organizations, e.g. schools or hospital

CATEGORIZING PROCESS BY PRODUCT FAMILY

Commonly product is categorized by:

• Customer
• Profile i.e. commodity
• Process Family

The benefit to categorise the product by customer is performance evaluation and analysis of the sales .  However, one customer may purchase different product commodity and process family. Hence to determine the improvement opportunities of products, the recommended tools and techniques is product-process matrix to determine the product family.

Product family is product that passing through similar processing steps and common equipment just prior to shipment to the customer. The significance of product families for lean thinkers is that they are the unit of analysis for value-stream maps, which are defined from the most downstream step just before the customer.

Note that product families can be defined from the standpoint of any customer along an extended value stream, ranging from the ultimate customer (the end consumer) to intermediate customers within the production process.

PRODUCT FAMILY MATRIX

A chart above constructed by lean thinkers to identify appropriate product families.

In the illustration below, a firm with seven product lines, as perceived by its customers, arrayed its assembly steps and equipment across the top of a product family matrix and quickly found a common path for Products A, B, and C, which it then value stream mapped as a product family.

Understanding Context of Organization

Why “Context of Organization”?

The newly revised standard of ISO9001 and ISO14001 version 2015 have the common requirements named as “Context of organization” on the first clause of requirements which is clause 4. 

Purpose of this requirements

The main purpose of this clause is to determine:

1. Organization profile (Adopted term from Baldrige Business Excellence 2016/2017: See below for detail)
2. Issue or Threat face by organization
3. The interested party of organization
4. Scope and boundary of management system

Definition and Description

ISO9000:2015 defined:

Context of the Organization is “business environment“, “combination of internal and external factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested Parties“

ISO14001:2015 (Annex A4.1) further decribed:

The intent of 4.1 is to provide a high-level, conceptual understanding of the important issues that can affect, either positively or negatively, the way the organization manages its environmental responsibilities. Issues are important topics for the organization, problems for debate and discussion or changing circumstances that affect the organization’s ability to achieve the intended outcomes it sets for its environmental management system.

ISO9001/14001:2015 Requirements

Both ISO9001 and ISO14001 have four requirements (sub-clause) which are:

4.1         Understanding the organization and its context 

4.2         Understanding the needs and expectations of interested parties

4.3         Determining the scope of the quality management system          

4.4         Quality management system and its processes  

BEF organization profile

The Organizational Profile is a snapshot of your organization, the KEY influences on HOW it operates, and your competitive environment.

P.1 Organizational Description: What are your key organizational characteristics?

a. Organizational Environment

(1) Product Offerings What are your main product offerings (see the note on the next page)? What is the relative importance of each to your success? What mechanisms do you use to deliver your products?

(2) MISSION, VISION, and VALUES What are your stated MISSION, VISION, and VALUES? What are your organization’s CORE COMPETENCIES, and what is their relationship to your MISSION?

(3) WORKFORCE

What is your WORKFORCE profile? What recent changes have you experienced in WORKFORCE

composition or your WORKFORCE needs? What are your WORKFORCE or employee groups and SEGMENTS,

• the educational requirements for different employee groups and SEGMENTS, and

• the KEY drivers that engage them in achieving your MISSION and VISION?

What are your organized bargaining units (union representation)? What are your organization’s special health and

safety requirements?

(4) Assets What are your major facilities, technologies, and equipment?

(5) Regulatory Requirements What is the regulatory environment under which you operate? What are the KEY applicable occupational health and safety regulations; accreditation, certification, or registration requirements; industry standards; and environmental, financial, and product regulations?

b. Organizational Relationships

(1) Organizational Structure What are your organizational structure and GOVERNANCE system? What are the reporting relationships among your GOVERNANCE board, SENIOR LEADERS, and parent organization, as appropriate?

(2) CUSTOMERS and STAKEHOLDERS What are your KEY market SEGMENTS, CUSTOMER groups, and STAKEHOLDER groups, as appropriate? What are their KEY requirements and expectations for your products, CUSTOMER support

services, and operations? What are the differences in these requirements and expectations among market SEGMENTS,

CUSTOMER groups, and STAKEHOLDER groups?

Recommended Best Practice

How to conform to the ISO9001/14001 requirements for clause 4.1-4.3

4.1       Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its environmental/ quality management system. Such issues shall include environmental conditions being affected by or capable of affecting the organization.

Even there are many approach to address this requirement, one of the most common tools and technique is 4P (sometime 5P) matrix with PESTLE and/or SWOT

What is 4 P?

P – PRODUCT

P – PROCESS

P – PEOPLE

P – PLACE

In marketing some organization add P – PROMOTION and PRICE

What is PESTLE?

P – Political

E – Economy

S – Social

T – Technology

L – Legislation

E – Environment

What is SWOT?

S – Strength

W – Weaknessess

O – Opportunities

T – Threat

EXAMPLE 1

The organization can determine the internal and external issues by developing the matrix

4P	Internal Issues	External Issues
Strength	Weakness	Opportunities	Treat
Product/ Service
Process
People
Place
People
Promotion

EXAMPLE 2

The Internal Issues may relate to 5P while the external issues may relate to PESTLE

EXTERNAL (PESTLE)	ISSUE	R -Risk (Environmental/ Quality Concerned )	O – Opportunities	Action to address R & O
POLITICAL
ECONOMY
SOCIAL (Neigbourhood)
TECHNOLOGICAL
LEGAL
ENVIRONMENT (Surrounding)

INTERNAL (P-P-P-P)	ISSUE	R -Risk (Environmental Concerned )	O – Opportunities	Action to address R & O
PRODUCT & SERVICES
PROCESS
PEOPLE
PLACE
PROMOTION

What is the minimum requirement accepted by EFR Certification?

The documented information shall be retained at minimum in management review minutes (Clause 9.3). At least 2 external and 1 internal issues shall be identified.

The external issues shall cover:

• Customer of the organization product or services i.e. customer complaints
• Legal Authority such as legal non compliance to business licencing authority

Internal issues shall cover internal complaints or rejections

More than ever especially during Covid-19 lockdown, organizations are looking for a flexible substitute the conventional to virtual auditing due to lower costs, eliminate unnecessary travel, and ease the burden of demanding work schedules and travelling time.

But can virtual auditing deliver the same results as conventional auditing?

We already know either conventional and virtual auditing works in domains is obtaining the EVIDENCE, by question the auditee, observed the actual workplace and check documentation.

In EFR, we already develop the procedure for online audit since 2009 according to International Accreditatition Forum IAF MD4 – 2008 under computer assisted auditing

IAF-04 was updated on 2018 IAF MANDATORY DOCUMENT FOR THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) FOR AUDITING/ASSESSMENT PURPOSES

How we implement it?

Questioning – Understanding and Competency

• Live interaction between auditor and auditee via web auditing platform
• Actual face to face virtual auditing environment

Observed – Actual Activity

• Live web camera with mobilty platform
• CCTV
• Control room camera
• Drone (Eventhough listed in our procedure, we not yet implemented it)

Check – Documentation

• Document sharing through web auditing share screen
• Send out the documentation early i.e. during stage 1

Issue in online audit

1. Time consuming wating for documentation
2. To minimised this, provide the list documentation at least 1 week before the audit.
3. Information system data protection
4. All our online audit is not recorded (screen recording). Client can record but we did not request any copy of recording from the client to minimised risk of leak of confidential information
5. Poor connection (poor audit, poor video)
6. We only conduct online audit after the risk assessment result shown a good internet connection

Hence the result from conventional auditing vs virtual auditing is almost the same.

Kindly contact us for any enquiries on virtual (online) auditing.

About ISO 45001 Occupational Health and Safety Management System

ISO 45001 is an International Standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use, to enable an organisation to proactively improve its OH&S performance in preventing injury and ill-health. ISO 45001 is intended to be applicable to any organisation regardless of its size, type and nature. ISO 45001 enables an organisation, through its OH&S management system, to integrate other aspects of health and safety, such as worker wellness/wellbeing; however, it should be noted that an organisation can be required by applicable legal requirements to also address such issues.

Benefits of ISO 14001 Environmental Management Certification

An ISO 45001 based OH&S management system will enable an organisation to improve its OH&S performance by:

• Developing and implementing an OH&S policy and OH&S objectives
• Establishing systematic processes which consider its “context” and which take into account its risks and opportunities, and its legal and other requirements
• Determining the hazards and OH&S risks associated with its activities; seeking to eliminate them, or putting in controls to minimize their potential effects
• Establishing operational controls to manage its OH&S risks and its legal and other requirements
• Increasing awareness of its OH&S risks
• Evaluating its OH&S performance and seeking to improve it, through taking appropriate actions
• Ensuring workers take an active role in OH&S matters

In combination, these measures will ensure that an organisation’s reputation as a safe place to work will be promoted, and can have more direct benefits, such as:

• Improving its ability to respond to regulatory compliance issues
• Reducing the overall costs of incidents
• Reducing downtime and the costs of disruption to operations
• Reducing the cost of insurance premiums
• Reducing absenteeism and employee turnover rates
• Recognition for having achieved an international benchmark (which may in turn influence customers who are concerned about their social responsibilities)

Contact us for detail certification for ISO45001:2018 version

Build the resilient (Berdaya tahan) system in your organization

About ISO 22301 Business Continuity Management

ISO 22301 is an ISO standard for Business Continuity Management under organization security and resilient technical committee. The standard provides a framework to determine the potential disruption, business impact, develop the strategy by Plan – Do – Check – Action to implement, operate, monitor, review, maintain and continually improve a Business Continuity Management System (BCMS).

Regardless of your organisation’s size, nature of business or sector, it is vulnerable to many forms of disruptions. Natural disasters, political disturbances, terrorism and technology failure may occur at any time and lead to business disruptions.

Benefits of ISO 22301 Business Continuity Management

• Identify and manage current and future disruption to your business.
• Minimise the impact of incidents and losses.
• Minimise downtime during incidents and improve recovery time.
• Keep “prioritised activity” up and running during times of crises.
• Ensure comply with  legal and regulatory requirements.

We ASSESSED and CERTIFIED your organization Business Continuity Management System

• ONLINE ASSESSMENT FOR GAP ANALYSIS
• We have a large pool of experienced and professional auditors that are qualified internationally.
• The competency of our multi-disciplined auditors adds value and credibility to our certificates.

ONLINE AUDIT FOR CERTIFICATION

• We offer the option of combined certifications of more than one management system to minimise disruption to your organisation.

If your organization already develop business continuity plan, let answer this questions

When is the last time, you review your business impact analysis?

What is your prioritized activity (PA – Previously known as critical business function)?

What is your the “maximum tolerable period of disruption (MTPD)”?

What is you agree capacity to operate during and after disruption?

How many types of threats determined for the PA?

Have you update the threat of Pandemic and lockdown?

What is your strategy and solution? How you select?

Is the strategy and solution have been documented of each type of threat as business continuity plan?

If you managed to answer with detail description and evidences, then your business continuity documentation has been effectively develop. So let us certified/ give the score and determine opportunities for improvement

ISO 9001 is defined as the international standard that specifies requirements for a quality management system. Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard the standard that organizations can certify.

ISO 9001 was first published in 1987.

BENEFITS?
ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems.

ISO 9001 helps organizations ensure their customers consistently receive high quality products and services, which in turn brings many benefits, including satisfied customers, management, and employees.

Because ISO 9001 specifies the requirements for an effective quality management system, organizations find that using the standard helps them:

• Organize processes
• Improve the efficiency of processes
• Continually improve
• Cost saving

What topics does ISO 9001:2015 cover?
ISO 9001 is based on the plan-do-check-act methodology and provides a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures required to achieve effective quality management in an organization. Specific sections of the standard contain information on many topics, such as:

• Context of Organization planning and determining process interactions
• Risk based Thinking
• Leadership
• Support process, including human resources and an organization’s work environment
• Operation, including the steps from design to delivery
• Performance evaluation, and improvement of the QMS through activities like internal audits and corrective action
  

How do I get started with ISO 9001:2015?
Whether you are beginning your ISO 9001 journey or transitioning to the 2015 revision, your first step is to purchase a copy of ISO 9001:2015.

ISO 9001 CERTIFICATION
ISO 9001 is the only standard in the ISO 9000 series to which organizations can certify. Achieving ISO 9001:2015 certification means that an organization has demonstrated the following:

• Follows the guidelines of the ISO 9001 standard
• Fulfills its own requirements
• Meets customer requirements and statutory and regulatory requirements
• Maintains documentation
• Certification to the ISO 9001 standard can enhance an organization’s credibility by showing customers that its products and services meet expectations. In some instances or in some industries, certification is required or legally mandated.
• The certification process includes implementing the requirements of ISO 9001:2015 and then completing a successful EFR audit confirming the organization meets those requirements.

Contact us for more detail on certification