There are three specific ISO9001 requirements that I find most businesses I visit are terrible at.
- Document Control
- Corrective & Preventative Action; and
- Management Review
I'm not entirely sure why it is, but I think it's because it takes a real drive from the top to make it work. Funnily enough, the businesses that do it well are generally the ones where the business owner or General Manager has taken a really active role in developing and implementing the Management System.
Implementing Document Controls is an absolute pain when starting to develop a new Management System. Everyone loves to keep a copy of forms in their own personal folder so they don't have to keep looking for them when they're needed. People also love creating their own forms to suit their needs without going through any approval process. This is where the drive from senior management is required. If the boss is strict on document control, then everyone tends to fall in line.
Corrective and Preventative Action is also a requirement that tends to get overlooked until right before an audit or until a major issue has occurred. Rewarding identification of potential and actual issues, rather than punishing non-conformance, changes the culture of corrective and preventative action. People will be much more inclined to report issues if they won't get in trouble for it and there is an incentive to do so.
Lastly, Management Review is probably the most poorly handled ISO9001 requirement that I see on a regular basis. It is rare to see a properly minuted, detailed and beneficial Quality Management Review that covers all of the agenda input items required by ISO9001. The majority I see are done purely to meet auditor requirements and provide no real benefit to the business whatsoever. This is one requirement that really needs a strong leader to ensure it gets done and gets done well.