How Not to Fail: The Core Compliance Platform
For the common good, I am laying out to you some information on how not to fail using the Core Compliance Platform. The Core Compliance Platform is a product of Core Business Solutions, and is a “canned” ISO9001 quality system and work flow that a lot of people are using. They actually have a variety of other products, for some of the other standards. Some of these things may apply to the other standards as well.
Who am I to be telling you this?
I did a count the other day and found that I did 21 audits for clients last year that are using this platform. I am under confidentiality, so I can’t tell you who they are, nor who the registrar is. Also, be aware that Core Solutions is not giving me anything, nor taking anything away from me for writing this.
They have a website.
https://www.thecoresolution.com/
Frankly, I hope that this will save me work. You do know, don’t you, that writing a non-conformance actually costs an auditor some life force which he or she would prefer to spend elsewhere.
Since I am sending this out into the public domain, this does not constitute consulting. I am not biased either for or against any particular company or other method of achieving certification. The word “should” does not appear in here anywhere.
If anybody disputes any of this, feel free to comment, and bring your audit log and we will see who is the more authoritative.
What is the Core Compliance Platform?
The Core Compliance Platform is a canned software setup which people use to get and maintain their ISO QMS documentation. The customers can also sign up for some hands-on nurturing by a consultant. This helps them get through the registration process. They may do this à la carte. There are different subscriptions and options they can use to establish and maintain their system.
People use this system sometimes because they want to expedite their registration.
Someone decides they need to be ISO certified, often to bid on some new piece of business. They enroll in the program because it is fast and gets them through the initial certification process reasonably reliably, which is a good reason.
How Not to Fail: ISO Deployment
I can make these generalizations because of my experience. In my 500-ish or so audits, I’ve done maybe 70-ish first time registrations.
This is a common scenario: A company wants to be ISO certified. Someone, usually the sales manager or a VP of some kind says “no problem, we’ll just use the quality manual from my old company.”
So they upload the file, change the letterhead, and they’re good, right? They have a conformant ISO quality system, right? Actually, I’ve seen that happen the week before the audit, with poor results.
What happens is that the processes, work instructions, and other things aren’t set up properly. They don’t actually reflect current practices within the company.
So the auditor shows up, says “where is this document that you require yourself to have?” There are potential areas of non-conformity.
You can actually download some quality manuals and work instructions from various sources on the web for free. But, this is also not a good practice.
In a way, buying a “canned” system is a little better, particularly if your consultant trains you properly. But, sometimes this doesn’t happen, hence the following failure modes.
Failure Mode 1: Not knowing what is in the system.
So this is the first failure mode, and it is not specific to the Core Solutions system. Requirements are put into the QMS that the client is not aware of. Here is an example: communications planning. The client puts in a requirement for themselves that says there will be an annual communication of the quality policy and/or objectives.
The standard does say in 7.3 that the client must determine what, to whom, when, and by what method communication should happen. The Core system has some suggested communications. The word “annual” does not appear in the standard anywhere.
So the client adopts the system. It requires some communication. The first surveillance audit rolls around. The auditor asks for objective evidence that the communication took place somehow, and the client doesn’t have any. There should be objective evidence that this stuff took place.
The root cause is the client was unaware that they had put the requirement in the system. Don’t do that. Know what you are requiring yourself to do. Even better, rethink the requirements every so often so you don’t require yourself to do a lot of non-value added activity.
There are several places in the system that are like this.
Failure Mode 2: Grandfather Clauses
There are two places in the Core platform that have grandfather clauses. One is in Competence, 7.2, and the other is in purchasing, 8.4.2. They basically say that as of a given date, all employees are considered competent. Also, all suppliers are considered “approved.”
Having a “line in the sand date” is perfectly reasonable. It basically says “before this date we were not ISO compliant. We didn’t have a requirement, but as of this date, now we do.” I have no real argument on that.
However, when the first surveillance audit rolls around, the auditor asks for the supplier evaluation or employee evaluation for any new suppliers or new hires. Often, there isn’t any. Very often, the client doesn’t remember their requirements or document the competency of the new people, and is not in conformity with their own system.
This causes extra work for all concerned.
Failure Mode 3: Unplugging the Rules
The Core Compliance Platform has a built-in work flow that controls the document management and corrective action functions. In my opinion, this is one of the best parts of the system because it allows the user to lay out the frequency and approval authority for all of the documents.
It also allows the user to track corrective actions, and sends employees and process owners a friendly reminder when their action items are due.
However, this is an optional feature, and is a subscription situation, that costs the client an annual maintenance fee of some kind.
So the temptation is to unplug it to save a few dollars.
The problem is, that these work flows actually have the rules built into them. These include how often and who reviews documents, and reporting on who is slacking on responding to corrective actions.
So in the first surveillance audit, the auditor rolls in, there has been a document change, and the auditor asks “was the document approved by the proper approval authority?” and the client doesn’t know. The rules for approval and review of documents were programmed into the system, and when you unplug it, nothing replaces them.
So unless the client is aware, the rules for doing these activities are gone, and the auditor doesn’t know whether your documents and corrective actions are in conformity.
Failure Mode 4: Deleting the Calendar
I’ve actually seen this a couple of times.
The Core work flow has built into it a system of notifications. It notifies the process owners and document owners when it’s time to do work. It notifies everybody of the management review and internal audit schedules. It lets you know when it’s time to review your documents.
But if you unplug it, it no longer does these things.
So, the first surveillance rolls around. The auditor says “let’s see your management review notes from April, which you require yourself to have.” Then, you figure out that you didn’t have a management review in April because you deleted the reminder.
So if you do delete the calendar, don’t forget to take the information and program it into Outlook or whatever your system is. The NC you save may be your own. You can’t just forget to do these things.
Failure Mode 5: Not understanding ISO9001
This is another repeat occurrence. Someone needs expedited ISO9001 certification. They enroll in the Core Solutions system. They get their certification, because the Core Solutions system is pretty good from that point of view. The consultant tries to train them up. They say “yeah, yeah, we will do all of that just like you say.”
But at the end of the day, the client doesn’t understand that there are ongoing requirements and activities that need to be done periodically. It is up to them, the clients, to do this.
But they think the ISO requirements are about the one time only piece of paper. They don’t understand that there is maintenance involved.
The auditor’s job is to help remind them of this.
Are there training resources available, to lay out to the customers how the system works? Here’s one.
Here is the link to my Udemy course, “How Not to Fail at ISO9001”
https://www.udemy.com/course/how-not-to-fail-at-iso9001/learn/lecture/34733460#content
Here’s the link to my Quality Systems Training. You can hire me to give this training in person, complete with questions and answers, and along with a few decades worth of horror stories about product quality, dangerous products, and why people don’t do their jobs.
www.jimshell.com/quality-systems-training
How Not to Fail: The Core Compliance Platform
I’m actually indifferent to any given product or products, except the one above, of course. But I am not indifferent to being in conformity to requirements, including requirements that you, the client, have imposed on yourselves.
The basic drawback to any canned ISO documentation system is translating it to the reality of how you run your organization.
I will probably have more to say on this a little later. Meanwhile, hopefully you will take these things to heart and understand the nuances of the system a little before you adopt a system, whatever it may be.
PS: I can’t be both your consultant and auditor but I can and do occasionally give people advice on how not to fail at ISO9001. Click the link.