The current CEO of BIT (Emma), was interested to understand how an ISO 9001 QMS introduced in the late 80’s could still be useful for the Company.
So, the question is how a “Norm” like ISO 9001 can exhibit such flexibility to accommodate the big changes of BIT over such an extended period of time? The secret to its resilience lies in its high-level approach, which empowers organizations to tailor it to their specific needs. In this post, we will explore how ISO 9001’s high-level framework has been a strength for businesses like BIT, emphasizing the importance of incorporating best practices into the norm.

The ISO 9001 standard, in its initial 1987 version, was structured around clauses. Each clause addressed various aspects of the quality management system but did so at a very high level of description. At first, this might have left some individuals, like Emma’s father, disappointed. The combined documents for ISO 9000 and ISO 9001 in 1987 were short, totaling less than 50 pages. They outlined the requirements and provided essential terminology, but they did not delve into the practical details of how to build a QMS.

This approach contrasted starkly with other standards like ITIL V1, which spanned thousands of pages, or the comprehensive 600 pages required to describe the core model of CMMI V1.1. However, Emma’s father soon realized that ISO 9001’s high-level approach had its strengths. It allowed practitioners to fill in the norm with their own best practices, tailoring it to their specific industry and needs.

At that time, the best practices related to ISO 9001 were primarily linked to physical products, particularly in the automotive sector. These practices aligned well with the reality of BIT, which predominantly revolved around the IBM AS 400, and whose customers were primarily focused on physical products. Emma’s father, however, foresaw a shift towards services in the future.
After obtaining ISO certification for BIT, he introduced best practices from ITIL into the QMS. His primary goal was to establish a shared language within the company, recognizing the importance of adaptability in the ever-evolving landscape of operations.

As services became more important to BIT’s daily activities, ITIL best practices became the “how” of ISO 9001 implementation. For example, ISO 9001:2015 requires organizations to control and coordinate their suppliers. This subject is dedicated an entire clause (8.4), made up of three sub-clauses (not surprising if if you think that the control and coordination of the suppliers – for the US Army – is in the DNA of the ISO 9001 norm).

While ISO 9001:2015 does not specify how to control suppliers, the ITIL V3 standard, still used by BIT, dedicates many pages to the supplier management process, which the BIT service team was already following.

The ITIL V.3 (the version still used by BIT), dedicated instead many pages to the supplier management process. The service team of BIT was already applying the ITIL V3 Supplier Management Process

Always following the ITIL V3 best practices, they use an evaluation matrix to categorize the service providers.

BIT evaluates each supplier on two dimensions: value and risk. The value dimension is made up of two characteristics, and the risk dimension is made up of five characteristics. Each characteristic has a value from 1 (very low) to 7 (very high). All characteristics within a dimension have the same weight, so the value of each dimension is the average of its characteristics. The supplier’s value is then calculated by multiplying the value of each dimension. The evaluation matrix then classifies the supplier into a category based on its value.

For example, if a supplier is rated 3.5 for risk and impact and 2.5 for value and importance, its initial value to BIT is 8.75. This means that the supplier is classified as Operational according to the evaluation matrix.

This evaluation is repeated annually based on the supplier’s performance. The results are stored in an SQL database, along with other important information such as the contract between the parties, contact persons, and the supplier’s certifications. This database is the core of the Supplier and Contract Management Information System, which uses Power BI to generate reports.

BIT’s Supplier and Contract Management Information System is complemented by Jira Confluence. This solution is used to store unstructured information about suppliers, which is difficult or impossible to store in the SQL database.

The service team created a policy, or rather a collaboration policy, for each category of supplier, aligned with the values of the team and BIT. (This topic deserves its own post.)

Since suppliers are no longer a restricted set of vendors, but rather a complex network of service providers, it was natural for BIT to adopt the ITIL process to meet the requirements of ISO 9001:2015 clause 8.4. This process was reviewed during the last BIT certification audit, and the auditor had no remarks.