8.4.1 Control of externally provided products and services
Make it or buy it? That is the question.
Organizations with a focus on core competencies often choose to outsource rather than try to do themselves those things that fall outside of their “wheelhouse”. When making this choice, the organization is relying on an outside provider to provide the same level of quality that they themselves would expect to provide to their customers. This is why this clause is so important and managing suppliers is so critical.
Having a look at the introduction in this section, the statement is a simple “shall”.
“The organization shall ensure that externally provided processes, products, and services conform to specified requirements.” Great. Let’s move on.
“The organization shall apply the specified requirements for the control of externally provided products and services when:
a) products and services are provided by external providers for incorporation into the organization’s own products and services:”
This is a great help in defining exactly how much control we must have, and over whom. I was once asked if my uniform and floor mat providers were on my approved source list by an auditor. I’m glad to have this definition to prevent from ever having to have that conversation again. The scope of the requirements is those outside products/services to be incorporated into our own products and services. Nice and tidy.
“b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;”
This area can be a little bit tricky. Not overly so, but a little bit. Often when an organization has products or services essentially “drop shipped” to a customer, there is a little bit of a sense of disconnect. The organization may “wash their hands of it”, so to speak. But, when you rely on an outside source to be your customer-facing provider, you better have some good controls in place. It’s important to carefully define the criteria for the purchased product or service, then carefully evaluate and select a provider based on their ability to meet all expectations (both yours and your customer’s).
“c) a process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or function.”
The third qualifier of “when this applies” is whenever a decision is made to outsource a process or function. This is very important, because this pulls into the mix any outside processing, which is more than just purchased parts. It’s outside processing like post-manufacturing treatments such as painting, plating, assembly. It may also apply to logistics, specialize packaging, inspection, etc. Or it may be simply the temporary outsourcing of a process due to capacity. In any case, a structured method for evaluating, selecting and monitoring the provider must be put in place.
Now that we know when the standard applies, the clause goes on to define exactly what is needed for the organization to be considered compliant. For all the scenarios listed above, the following requirements apply:
“The organization shall establish and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers based on their ability to provide products and services in accordance with specified requirements.”
This clarifies that there must be a defined process for evaluating, selecting and monitoring its providers. Each of these is an individual requirement where it is expected that criteria be established for 1-evaluating, 2-selecting and 3-monitoring. And the section wraps up with the big one – “and it shall be documented”.
“The organization shall retain appropriate documented information of the results of the evaluations, monitoring of the performance and re-evaluations of the external providers.”
Again, just as individual criteria are expected for each 1-evaluating, 2-selecting and 3-monitoring, records for each of these activities is also required.
THIS WEEK’S HOMEWORK
Review your current supplier management process and ensure that you have clearly defined where it applies (and does not apply). Next, be sure that the three areas 1-evaluating, 2-selecting and 3-monitoring are all defined for all scenarios – where products or services are used by the organization, where products or services are provided directly to the customer or where processes are outsourced. And finally, be sure there is documented information to support all of it. Good luck!