Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or
is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers
and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader
(supervisor, manager, director) will review processes under their control and identify issues related to
those processes. Those processes can have internal and externally related issues. It’s the hope (plan)
that this approach will cover all relevant issues (internal & external) that would impact our ability to
meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that
identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk
analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing
something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2: What level of detail? The standard states, “the organization shall determine:

the interested parties that are relevant to the quality management system;

the requirements of these interested parties that are relevant to the quality management system. The
organization shall monitor and review information about these interested parties and their relevant
requirements. [emphasis added]

Is “supplier” or “customer” sufficient? It would be if all had the same requirements. Assuming that they
do not, you are required to “drill down.” Customer satisfaction cannot be achieved unless you
understand the individual requirements and monitor and review those requirements (which are an input
to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.” Owners, employees,
regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties.
These need to be addressed, as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a
good approach if the requirement is also addressed and you go beyond customer and supplier.
“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The
organization shall determine external and internal issues that are relevant to its purpose and its strategic
direction…”

The key in this requirement is “strategic direction.” If from working from the bottom up, you ultimately
tie these external and internal issues to the organization’s strategic direction, there should not be a
problem.

Be aware that your approach will not be familiar to your auditor. In that case, you will need to fully
explain your approach.