Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.
4.2: What level of detail? The standard states, “the organization shall determine:
- the interested parties that are relevant to the quality management system;
- the requirements of these interested parties that are relevant to the quality management system. The organization shall monitor and review information about these interested parties and their relevant requirements. [emphasis added]
Is “supplier” or “customer” sufficient? It would be if all had the same requirements. Assuming that they do not, you are required to “drill down.” Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).
Furthermore, the list of interested parties goes beyond “customers & suppliers.” Owners, employees, regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties. These need to be addressed, as well.
“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.
“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”
The key in this requirement is “strategic direction.” If from working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.
Be aware that your approach will not be familiar to your auditor. In that case, you will need to fully explain your approach.