8.4.3 Information for external providers
Readers, I appreciate your patience as we work carefully through this section. It is one of the most detailed, which is a plus because it is clearly defined so it can be easily understood. However, the section is wordy and can be somewhat redundant. I’m happy to continue, though, because all these words and stating and restating, make the importance of this process clear.
External providers can potentially introduce considerable risk to an organization’s ability to function successfully. And today’s economy is stimulating an increase in the use of external providers or outsourcing as companies try harder and harder to find ways to specialize in their core competency and rely on less expensive outsourcing for other activities.
Control of external providers has always been an important clause, but not always well understood by either many organizations or by many individual auditors.
Traditionally, an organization may have an “approved source” list which was created using some sort of selection process and some sort of performance evaluation such as a score card. This is pretty simple, but in many cases, marginally effective. The troubles come when the system is implemented purely as an intent to comply with little or no use or interaction with the procurement or purchasing people. Many companies try the popular workaround of simply requiring all their suppliers to be registered to ISO9001 or similar national standard and everyone else is considered “non-critical” or some additional inspection may be used to confirm the quality of their product. There is often a disconnect between the system and the actual usefulness by the impacted users.
Many audits of this clause have included a superficial dance by the organization and its CB/auditor simply “checking the boxes” to ensure compliance with the requirements of purchased products/services. Sadly, this is a parallel weakness so many organizations have suffered while seeking compliance to ISO9001. There are a lot of areas where compliance can be rather easily achieved without a discernible impact on the actual quality of the product/service provided by the organization. Thus, frustration by so many organizations (and also consumers of those organizations). Past weakness in this area has also provided a rich environment for a poor sourcing management process resulting in poor performance by their vendors/external providers.
The additional language and painstaking detail now included does help to put some more teeth in the requirements. Our previous week’s discussions have included our obligation to first create a process adequate to meet our needs, to clearly define its workings and also its applicability. It pushes the envelope somewhat in requiring an organization to actually create a working, live and dynamic sourcing management process with consideration of risk and more immediate consequences of actual performance.
There are now requirements to communicate specific information to external providers (which by default will force the organization to have a disciplined process for identifying them):
“The organization shall communicate to external providers applicable requirements for the following:
a) the products and services to be provided or the processes to be performed on behalf of the organization;” This is such a simple, self-evident requirement, but it is very common to accidentally leave things out if not carefully evaluated and stated.
“b) approval or release of products and services, methods, processes or equipment;” Required qualification and testing is very important and it is critical that all parties understand the expectations and their roles and responsibilities. It should be clearly defined (and acknowledged) as part of the provider agreement.
“c) competence of personnel, including necessary qualification;” This requirement is not new, but it is still rarely understood or complied with properly. External providers must be required to create and maintain a system for ensuring all requirements are understood and consistently met by its personnel. It’s not hard to understand why this language is here – outsourcing is risky business as it is. When faced with pressure to deliver, and forced to obtain assistance from an external provider, we often choose something “easy” to offload. This can include outside processing, temporary workers, etc. While something may seem “easy” to an experienced organization, without the external provider’s willingness and ability to ensure the competence and qualification of their personnel (including a clear understanding of all the requirements), the external provider may introduce significant risk to an otherwise reliable organization, and potentially severely impact its customers.
“d) their interactions with the organization’s quality management system;” When an external provider is utilized for an organization’s products/services, the quality management system doesn’t stop with the organization, it becomes automatically associated with the provider as well. This is meant to eliminate “exclusions” and potential shell games of getting ISO9001 registration for the easy parts of the organization, while outsourcing the rest.
“e) the control and monitoring of the external provider’s performance to be applied to the organization;” A clear process of not only monitoring (score cards), but control meaning consequences or countermeasures to minimize risk to the product/service provided to the ultimate customer must be in place. Should an external provider fail to perform, the organization must have some method of still ensuring the ongoing quality and integrity of its products/services.
“f) verification activities that the organization, or its customer, intends to perform at the provider’s premises.” This is an old requirement as well, but it is important to mention to ensure all interested parties are clear in their intent, as well as their roles and responsibilities.
“The organization shall ensure the adequacy of specified requirements prior to their commitment to the external provider.” Each of these considerations should be made prior to entering into an agreement with an external provider. Basically, the rules can’t be made up as we go along. And suppliers must be selected on their ability to meet all requirements, and of course, the requirements must first be known in order to make the best selection of an external provider.
THIS WEEK’S HOMEWORK
You’ve already reviewed your source management process and its scope. Now, connect the dots and ensure that the process as defined is actually implemented as designed. Are the items above consistently determined and communicated through the use of contracts, purchase orders, terms and conditions, etc? Are providers selected based on their ability to meet all requirements? Is there a method to detect and mitigate and shortfall of provider performance? Does the process actually work?
You may also rely on customer feedback, results of corrective actions/root cause analyses, internal disruptions, etc. Are any of these a result of a provider performance issue? Are all the proper connections in place within the source management process to ensure that external providers are adequately controlled? Consider any improvements that may be required.
