
Document Control – It's all about risk!

Jeff Ryall

One of the great aspects of ISO 9001 is that it is totally management systems focussed and risk centred. It also follows the cycle of due diligence in terms of compliance; delegation and deployment; and monitoring, review and reporting. This helps us enormously, in that it assists us to develop robust systems of management that are centred around all stakeholders and their protection.

Of all the areas of management systems, document control is the one that people seem to struggle with most. Yet the principles of document control are absolutely based on risk to your organisation. In one sentence, document control is all about everyone having the up-to-date information they need to do their job properly.

Document control has two parts, internal and external.

Internal documents are those that are internally generated. They are developed by your organisation. Examples of these are policies, procedures, forms, and brochures. External documents are those that are generated outside your organisation (e.g., legislation, regulations and standards). Typically, they require compliance and must be maintained as current. For the purposes of this article we will focus on internally generated documents, i.e. internal document control.

It is important at this point to say that internally generated documents are not records. ISO 9001 discerns a difference between the documents you generate, which can be and are changed from time to time, and records, which are evidence of historical data and cannot be changed. If you look at it this way, a form is a document until it is written on, and then it becomes a record.

Let’s start by looking at the key risks related to internal documentation within your organisation. If we ask the question ‘What can go wrong regarding the documents we create and manage in our own organisation?’, the following issues always come up.

There is a risk of:

  • Documents not being up to date
  • Staff not being able to determine which document is the most recent
  • Documents in circulation that are not approved or authorised
  • Documents not being at the point of use where they are needed
  • Staff not knowing and understanding what the changes are in the new document as compared with the old
  • Obsolete documents still in circulation
  • Documents not being retrievable in the event of IT systems failure
  • Staff not knowing how internal documentation is controlled

When we look at these risks, we can then start to identify the type of system required to manage internal document control. As a starting point, we can ask, ‘what are our internally generated documents?’ Then we find the appropriate answers to the questions above:

  • How do we make sure everything is up to date?
  • What is our approval process for new and revised documents?
  • How do obsolete documents get taken out of circulation? And so on.

Asking these questions not only helps us to write down how we do this, but also helps us identify gaps where we have not addressed basic risks.

One of the great things about ISO 9001 is that it allows us to balance the amount and level of documentation with the expertise and competence of the staff. Where you have low staff turnover with good competency (and records of this), you are able to reduce the quantity of your internal documentation, or make it less detailed. This is a refreshing thought, especially for many who have considered the requirements of ISO 9001 as being a significant extra burden of documentation, with little benefit. However, remember that it is all about risk management: where there are high-risk processes, more-detailed documentation may be required. Keep this in mind when developing the procedure for internal document control.

Let’s look at how we can break down and interpret what is required in response to these key risks.

Documents not being up to date

Some organisations use a combination of document review, internal audit and action request processes for determining if documents are out of date. This gives them both a proactive and a reactive practice to make sure everything is current. From the results of these processes they then often go through an update process that may include staff or stakeholders involved in the processes covered by such documents. Depending on the size of the organisation, this could be one or two people through to a team or committee approach.

Staff being unable to determine which document is the most recent

Different organisations also implement this differently. Some use a version number or letter, others put the date of issue on the document, and others do both. A master list of dates of issue can then easily be referenced so that staff can be assured of which is the most current.

Documents in circulation that are not approved or authorised

Once again, depending on the size of your organisation, the process for approving or authorising the internal documents will be different. For a very small organisation, one or two managers might have sign-off authority; for a large organisation, committee approval with evidence in minutes might be more appropriate. Different organisations also have different ways of showing approval. This can range from signing a hard copy master of approved documents, from which all are copied, through to an electronic document management system that has approval built into it.

Documents not being at the point of use where they are needed

This risk relates to people's ability to access their information when and where they need it. Many organisations have computers in each work area for access at point of use. For some this is not possible, and a manual system is needed so that relevant internal documents are located where they are needed.

Staff do not know the changes between the old and new document

Once again, depending on the size of your organisation, this may be done in a number of ways. Some send around a memo that all concerned need to sign to confirm that they have read and understand what the changes are. Others highlight the document to bring attention to changes, and others use their staff or other meetings and notice boards to bring such changes to the attention of relevant stakeholders.

Obsolete documents still being in circulation

How does your organisation make sure that obsolete documents are not floating around for people to use without realising that they are out of date? We have all had circumstances where old forms turn up and are being filled out, or we look at a form and think, ‘wasn’t there a new version of this?’ In all of these circumstances it depends on the size of your organisation. Some have a delegated responsible person whose role includes the removal of old documents and their replacement with the new document, whether they be hard copy or electronic. Larger organisations may have staff delegated in each department who receive the new document and have to sign a form and return it to show that the old was removed and replaced with the new.

Documents not being retrievable in the event of IT systems failure

This is a most important part of the document control process, and one that is often overlooked. We have all had the experience, or known of someone who has, of losing all information when a computer or server has crashed. Being able to retrieve and restore data is imperative. Imagine having to scan in or retype all of your internal documents. Costly and time consuming! What a nightmare! Worse still, imagine if you only had an electronic system and had no backup (as recently occurred for a research scientist who had his laptop stolen!).

The first stage is working out how often you should back up and then, if you overwrite the CDs or tapes you are backing up on, how often you will keep one permanently and not overwrite it. One organisation had a laptop computer that synchronised with the main one. One of their staff found that a file had not synchronised at all and had deleted the file off the laptop. Because they overwrote their backups, they could not go back and retrieve it. They now make a permanent backup once a month so that, if need be, they can go back.

Some organisations use CDs or tape backups to store their data, others mirror their data on another server or at an off-site location, and some use a service provider to do their backups. This is only one part of the process. We have seen organisations that leave their backups sitting on top of their computers, unsecured and risking total loss in the event of a fire. Options are protective storage, or removal off site.

Finally, there is restoration practice to ensure that if and when you do need to reload your backed-up data, it actually works. If it doesn’t, it would be the same as not having backed up at all. Test runs are often done to ensure it works.

Staff not knowing how internal documentation is controlled

One of the assets of having a documented management system is that it really helps when responsibilities change or people leave. It helps organisations retain their organisational knowledge. ISO 9001 actually requires a procedure that describes how all of the things we have described above are undertaken in your organisation, because the whole area of document control presents so many risks. A problem we often see is that organisations create a generic document control procedure that covers everything but actually explains nothing! When you describe the document control process, make sure that you explain how each type of document (internal and external) is controlled.

Conclusion

When you sum it all up, document control is all about good risk management in relation to your documentation, data and information. All of the things described above are implemented by organisations to reduce or, where possible, eliminate risk. They are risk controls. We have talked about internal document control with hundreds of clients, and brainstormed the associated risks, without even looking at ISO 9001. Every time we then look across at the requirements in the standard for document control, all of the issues become obvious. The consensus is that ISO 9001 is a great way to implement process risk management and, best of all, is just good business and management practice.

Are you absolutely sure your document risk management is sound? You need to be confident this is right! Quality Award Partners® can provide you with a review, tailored to your organisational needs, to give you the information you need. Contact us now!
