Outsourced Processes

Has your organization outsourced any processes? Are these processes being properly controlled?

ISO 9001:2000 clause 4.1 states: “Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.”

What is considered an outsourced process? Document ISO/TC 176/SC 2/N 630R2 at the ISO web site describes an “outsourced process” as a process that has been identified as needed for the quality management system, but one which the organization has chosen to be carried out by an external party.

An outsourced process can be performed by a supplier that is totally independent from the organization, or which is part of the same parent organization. For example, a separate department or division not subject to the same quality management system. The process may be provided within the physical premises or work environment of the organization, or at an independent site.

The intent of Clause 4.1 is to emphasize that when an organization chooses to outsource a process (permanently or temporarily) that affects product conformity, it cannot simply ignore this process or exclude it from the quality management system. The organization has to demonstrate it exercises sufficient control to ensure the process is performed according to the relevant ISO 9001:2000 requirements, as well as, the requirements of the quality management system.

The nature of this control will depend on the importance of the outsourced process, the risk involved, and the competence of the supplier. Also, the outsourced process will interact with other processes (either carried out by the organization or outsourced). These interactions must be managed as required by ISO 9001:2000 clauses 4.1.a (process identification) and 4.1.b (sequence and interaction).

The acquisition of an outsourced process will normally be subject to the requirements of both ISO 9001:2000 clause 7.4 (Purchasing) and clause 4.1 (General Requirements). In some situations, the organization might not actually “purchase” the outsourced process. It might receive the service from a corporate office or from another division, without a monetary transaction taking place. Under these circumstances, however, ISO 9001:2000 Clauses 7.4 and 4.1 are still applicable.

There are two situations that frequently must be considered when deciding the appropriate level of control of an outsourced process:

1. When an organization has the competence and ability to carry out a process, but chooses to outsource that process (for commercial or other reasons), the process control criteria should already have been defined and can be transposed into requirements for the supplier, if necessary.

2. When the organization does not have the competence to carry out the process itself, and chooses to outsource it, the organization has to ensure the controls proposed by the supplier of the outsourced process are adequate. In some cases, it may be necessary to involve external specialists in making this evaluation.

It may be convenient, or even necessary, to define some or all of the methods to be used for control of the outsourced processes in a contract between the organization and the supplier. Care should be taken, however, not to inhibit the supplier from proposing innovations to the outsourced process.

In some situations, it might not be possible to verify the output from the outsourced process by subsequent monitoring or measurement. In these cases, the organization must ensure the control over the outsourced process includes process validation in accordance with ISO 9001:2000 clause 7.5.2.

The new ISO/DIS 9001:2008 standard has added two notes under clause 4.1 to further explain outsourced processes. One note says, “An outsourced process is identified as one being needed for the organization’s quality management system, but chosen to be performed by a party external to the organization.”

The other note says, “The type and nature of control to be applied to the outsourced process may be influenced by factors such as,

a) the potential impact of the outsourced process on the organization’s capability to provide product that conforms to requirements;

b) the extent to which the control for the process is shared;

c) the capability of achieving the necessary control through the application of clause 7.4.

Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory, and regulatory requirements.”

To audit the outsourcing of processes, an auditor might ask these questions:

1. Have any processes been outsourced?
2. What is your criteria for outsourcing?
3. How are the suppliers being evaluated?
4. Are relevant ISO 9001 requirements assigned?
5. What outsourcing controls are in place?
6. How is risk considered in the controls?
7. How is supplier performance evaluated?
8. How are supplier problems handled?

If an organization uses outsourced processes, it is still responsible for conforming to customer and legal requirements. Carefully evaluate the suppliers of outsourced processes according to ISO 9001:2000, clause 7.4.1, as you must for all other suppliers of products and services.