top of page

How to Build a Quality Management System

Updated: Aug 29, 2022


in today's highly competitive business environment, forward-thinking organisations are more committed than ever to continually refining their processes and procedures to improve their products and services. The development of a Quality Management System (QMS) is perhaps the best way to demonstrate this commitment.

However, the creation of a QMS is always a challenge for companies. All markets have become very competitive and having the right QMS is important to be sure that you provide the right product and service to your customers.

It is important to understand that a QMS is a system to manage the your business. It is not a system to guarantee quality. It is a management system that, if done right, produces quality outcomes. A QMS could be built for ISO certification, to satisfy customer requirements, or to create a system to continuously improve products and services and provides organisations with the opportunity to increase their competitive position by focusing improvement efforts on those operational areas in the most need of change.

To build a QMS, start by identifying issues, and interested parties, and continue with mapping your processes, defining your QMS scope, quality policy, quality objectives, determining support, developing documentation, critical procedures, your defects, processes, then measure, monitor, and improve.


Identify and Assess Issues (Clause 4)

The standard requires:

The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.

Most organizations look at things like their market, applicable legislation, competitors, their customers, and their internal processes while some will include looking at their environmental impact. Very few organizations actually look at their workforce, their community and the cultural and social aspects of the company. The 2015 version of the ISO 9001 standard pushes companies to include all these elements when planning the scope of the QMS.

When the phrase Context of the Organization is used, context means a combination of external and internal factors that have a direct impact on the organization and its ability to continue providing products and services to its customers.

Internal factors includes things like the organization’s culture, structure, governance, technology, strategic decisions and vision for the future.

External factors encompassed the whole environment in which the organization operates: social, cultural, legal, political, regulatory, statutory, economical, etc., at all levels including local, state, country and even international.

When thinking of the internal issues for the business, I suggest that you start off by noting the interested parties within your business. By knowing who is involved in the business, you’ll have a strong foundation of what needs to be considered here.

To assess internal and external issues, you will need to do a SWOT analysis:

  • Strengths: the unique benefits that are brought about by your current resources, and market position that your business has within your industry.

  • Weaknesses: deficiencies that your business currently has in the market that you operate. These could be brought about by your resources, or your current position in the market.

  • Opportunities: new areas growth, or improved quality of service/product that can be obtained by doing changes in your current business. These improvements can generally be made available to your business by changing resources or focus within your business.

  • Threats: potential outside circumstances that could have an effect on your business.


Identify and Assess your Interested Parties (Clause 4)

Interested parties have always existed, the same as context did. We now need to take them into account based on the boundaries defined by the context.

There are many interested parties, including shareholders and owners, government bodies, employees, business associations, customers, suppliers, debt holders and the communities where people or facilities are located. The context can be used to determine how wide you need to go.

A common method of determining this is with an Interested Party Matrix – where the Interested Party is plotted against two variables. These variables might be plotting the level of ‘stake’ in the outcomes of the organization against ‘resources’ of the Interested Party. Another is the ‘importance’ of the Interested Party against the ‘influence’ of the Interested Party.


  1. Make a list of all Interested Parties.

  2. Rank the Interested Parties. This ranking could be done on a scale of one to five, according to one of the criteria on the matrix, such as ‘interest in the organizational objectives’ or ‘interest in the financial success’.

  3. Another method for ranking interested parties is using an Interested Parties Matrix.

  4. Ask the following questions: Are there any surprises? Which Interested Parties do we have the most/least contact with? Which Interested Parties might we have to make special efforts to ensure engagement?

Use the Power and Interest Matrix

A useful tool for helping you decide how to manage a particular interested party is the Power/Interest Matrix developed by Johnson and Scholes.

This simple tool relates two important relationship variables:

  • How much interest do they have in your decisions and activities? This could be interpreted as the strength of their relevance.

  • How much power or influence do they have over your decisions and activities? This could be interpreted as their significance or risk.

Plotting interested parties helps you to prioritize the effort required to meet their needs and expectations:


Identify Needs and Expectations of Interested Parties (Clause 4)

Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, ISO 9001 requires the organization to determine:

  1. the interested parties that are relevant to the quality management system;

  2. the requirements of these interested parties that are relevant to the quality management system.

Once the interested parties have been identified, we need to define their “needs and expectations”. Identification of an Interested Party’s needs and expectations is an essential part of developing a compliant QMS.

Use different research methods as necessary to confirm your knowledge of each group or significant stakeholder. Summarize the findings and add them to the relevant column in your table of Interested Parties.

Taking the time to understand the needs and expectations of your interested parties is essential to:

  • Defining the scope of your management system.

  • Ensuring customer satisfaction.

  • Meeting compliance obligations.

  • Continual improvement of the organization and its management system.

  • Meeting the requirements of ISO 9001.

By using the methods described in this article, you can develop your own process or framework for identifying, understanding, monitoring and reviewing interested parties in terms of:

  • Level of interest (Relevance)

  • Level of influence (Significance)

For each relevant interested parties you then need to write out what their known needs & expectations are. These needs and expectations can be declared or unspoken, so it is important to think through all of the possible places that an interested party might identify their needs. For each of the categories mentioned above, here are some of the places to look to find this information:

  • Customers & Suppliers – Contracts and performance specifications is the first place to look. Other sources of information can include; customer meetings, supplier meetings, concerns and complaints, responses to purchase information, warranty information, returned products, and almost any other time you interact with a customer using your products or services where they can identify what they expect and what they are displeased with.

  • Government organizations – What statutory and regulatory requirements are applicable to your business. Remember, this can include environmental or health & safety legislation to as not meeting this could impact your ability to delivery on your product and service agreements.

  • Non-government agencies – Are there any industry standards or codes of practice for the products and services you are providing? If so, have you committed to implement these?

  • Employees – What do your employees need to successfully provide your products and services? Are there infrastructure or workplace needs that you should deliver on? This will greatly depend on the union status of your workforce, so keep this in mind.

  • Shareholders – As shareholders are focused on the profit of your business, what QMS processes can improve on this, for instance continual improvement or cost reduction initiatives?


Map your processes (Clause 4)

Now you need to map your processes. This includes determining and defining processes. The process of creating process maps will force you to define your processes and the sequence and interaction of those processes. This is to address the requirements of clause 4.4 of ISO9001.

Process maps are important for understanding who is responsible for what. They define your core business process and communicate the flow of your business. Every company is different, and you need to take a close look at how your processes meet the needs of your customers.

When mapping your processes:

  • Follow an order through the system.

  • Identify support processes for IT, HR, and Accounting.

  • Determine how quality interacts with each process either for inspection, review, or to roll-up metrics in support of Quality Objectives.

It is going to be difficult for you to make changes to your company if you do not know what you are tracking. Start at the beginning. What happens when a customer places an order? Then, you may want to follow this order through your company. What happens to the order? How is it processed? How do you decide how to get your order to your customers? Some things might be delivered electronically, while others might need to be delivered in a physical package.

Mapping your processes could be done through establishing a Quality Manual for your QMS. Whilst a Quality Manual will no longer a mandatory document, according to the ISO 9001:2015 standard, we strongly recommend one for your QMS as it is a document where the organization presents itself, its quality management system, and even its way of thinking and approach to quality management. Common practices besides the requirements from clause 4.2.2, include some requirements from clause 4.1 and some other requirements that were easier to document through a Quality Manual.

A lucid, short, and clear Quality Manual gives the impression of an organization that knows what it is doing – an organization that really manages its QMS. A good Quality Manual facilitates the job of the auditor, and gives him the opportunity to better audit the system – and, with his observations, really contribute to improvement of the system. And what is more important, such Quality Manual is useful to the management representative and process owners because it provides an overall insight into the QMS.

Big companies often require their suppliers to have a QMS may demand to see a Quality Manual during selection of suppliers. What impression does your Quality Manual give about your company? A bulky Quality Manual says that you would rather spend resources instead of applying a creative approach.


Define Your QMS Scope (Clause 4)

Determining the scope of the QMS has been a part of the ISO 9001 requirements for a long time. The scope is a vital part of the quality manual, as it defines how far the QMS extends within the company’s operations, and details any exclusion from the ISO 9001 requirements and the justification for these. It is through the scope that you define what your Quality Management System covers within your organization.

The Scope Statement precisely describes your products and/or services, the regulatory requirements, activities, locations and facilities supported and documented by the quality management system of your company. In essence, your scope identifies exactly what your business does. Make sure your Scope details are fully documented in your QMS.

Section 4.3 of ISO9--1:2015 details the requirements for determining the scope of the Quality Management System. In a note about the QMS, it is stated that the QMS can include the whole organization, specifically identified functions of the organization, specifically identified sections of the organization, or one or more functions across a group of organizations. To start, there are three considerations to be included when determining the scope:

  1. External and internal issues that are relevant to the purpose of the organization, the strategic direction, and the ability to achieve intended results

  2. Requirements of relevant interested parties

  3. The product and service of the organization

It is most common that the scope of the QMS covers the entire organization. Some noted exceptions are when your QMS only covers one physical location of a multi-location company, or when your manufacturing or service is distinctly split between industries (e.g., in a plant with three assembly lines where assembly lines 1 and 2 are for automotive and need to have a QMS certified to the ISO/TS 16494 QMS standard for automotive, but you want line 3 to be certified to ISO 9001 since many of the automotive requirements do not apply).

So, your scope should identify the physical locations of the QMS, products or services that are created within the QMS processes, and the industries that are applicable if this is relevant. It should be clear enough to identify what your business does, and if not all parts of the business are applicable, it should be easily identified which parts are. Some examples could be:

  • XYZ Manufacturing located in London, England, producing machined components in the aerospace and automotive industry within Europe.

  • XYZ Consultants located in offices in Europe, Asia, and North American provide Information Technology Support to companies in any industry.

  • XYZ Computing provides software development services to companies in the automotive and heavy machinery industries within North and South America.

  • XYZ Industries is a division of XYZ International that operates in Indonesia and provides paper products to the Asian market.


Define Your Quality Policy (Clause 5)

Your Quality Policy states your missions and visions of your organization as it relates to quality which are basically what your customers expect from you. It is your quality mission.

When building your quality management system and writing your quality policy, think about your commitments to your customers:

  • Quality – What do you need to do consistently to satisfy your customer?

  • Customer Satisfaction – What are your customer’s requirements?

  • Continuous Improvement – What do you need to do better to satisfy your customer more than now?

By establishing quality policy an ISO 9001 standard wants to say, besides creating it and maintaining it, that you have to write in such a way to match with the purpose of your company’s nature. Ensure to show the company's commitment, such as meeting applicable requirements like customer or regulatory requirements.

The standard requires top management to establish, implement and maintain a quality policy that:

  1. is appropriate to the purpose and context of the organization and supports its strategic direction;

  2. provides a framework for setting quality objectives;

  3. includes a commitment to satisfy applicable requirements;

  4. includes a commitment to continual improvement of the quality management system.

Other policies that are important to your organisation include:

  • Ethics & Conduct Policy

  • Employment Policy

  • Non-discrimination Policy

  • Compensation and Benefits Policy

  • Internet, Email, & Cyber-security Policy

  • Misconduct Policy

  • Purchasing Policy

  • Credit Policy

  • Workplace Safety Policy

  • Environmental Policy


Define Your Quality Objectives (Clause 6)

Your quality objectives establish an important link between your Quality Policy and the management programmes. The objectives and targets must be consistent with the policies, including the commitment to continual improvement and customer satisfaction.

Depending on the size, management structure, and other factors pertaining to your organization, the objectives may be established and reviewed by various personnel and with direct top management input.

Your organization will need to set their quality objectives for relevant functions, levels and processes within the management system. It is for your organization to decide which functions, levels and processes are relevant.

A key addition in the 2015 revision of ISO 9001 is the use of indicators to monitor the achievement of objectives. Indicators are defined as a measurable representation of the status of operations, management or conditions. Each objective will need one or more associated indicators.

Objectives can apply to an entire organization, can be site-specific, or can be specific to individual activities. The appropriate level(s) of management personnel should define the objectives and targets.

In some cases, personnel who set objectives may not be the same as those who set targets. Remember that the objectives are the overall goals as reflected in the principles established in the policy.

The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success and continued commitment from top management and employees will diminish. Consider the factors below, as you begin to formulate your objectives:

  1. Compliance obligations;

  2. Financial, operational, and business requirements;

  3. Views of interested parties.

ISO requires that your quality objectives are:

  • Derived from your quality policy

  • Deployed through the organization


It is important to set objectives using SMART philosophy. SMART stands for Specific, Measurable, Attainable, Relevant, and Time-Oriented. Make sure each objective is:

  • Specific – All the objectives should be clearly defined to ensure that every team member is on the same page.

  • Measurable – Any objective that you identify should be measurable in terms of size or degree it may impact.

  • Attainable – The objectives you set should be within the organization’s capacity. There should be proper measures and methodologies established to meet the quality objectives.

  • Relevant – Relevancy is also an important factor to be considered when it comes to setting quality objective. They, rather, should be aligned with the strategic goals of the organization in terms of meeting statuary or customer requirements.

  • Time-Oriented – Every objective should be time-bound. There should be a proper mechanism to access the time within which an objective can be met.

In addition, the following requirements apply to Objectives:

  • Documentation: Make sure you document all the quality objectives identified and agreed to meet. Earlier there was a quality manual to refer to, but it is not required now.

  • Communicate with Team: Once the quality objective are identified and documented, make sure you communicate those objectives clearly to your team.

  • Establish Evaluation Methodology: For measuring the quality objectives, you should establish proper mechanisms for every team, department, and function.

  • Review the Objectives: Once you have set the quality objective, you need to continuously evaluate them as well as the mechanisms established to record the on-going performance of those objectives.

  • Address the Risks: It is quite often a case that your organization fails meeting quality objectives due to some or other reasons.


Determine Support (Clause 7)

Everyone needs to demonstrate competence in their job. Training is only the beginning and can occur on the job, from a class, or through other means. Either way:


Develop Your Documents and Records (Clause 8)

ISO 9001:2015 requires some documented information. There are many more optional documented information that can be used but they are not mandatory. You can start with the minimum ISO document set and add more as needed.

  • Create required document information for your business model,

  • Create necessary Quality policies, procedures and forms,

  • Create documented information for each processes,

What Critical Quality Procedures do you need? Are you plagued by a tight money supply, a tight job market, stagnating production and a general crisis of confidence? Some organisations are going about business logically, methodically, and with a clear sense of direction and purpose. Will your organisation be making great strides forward in the coming years? Among them are implementing or refining your key quality procedures.

Critical Quality Procedures

8.8. Vendor Evaluation

We’ve all outsourced many of our “non-core” functions, but how many of us are guilty of inattentive behaviour with respect to our outsourcers? You get a little complacent and what happens? Deadlines start to slip, or substandard product starts to sneak in. Since vendor evaluation is a top quality procedure, now is a good time to evaluate your product and service vendors to see if they’re measuring up to your standards.

8.7. Document Control

Do you know if your employees are following the same guidelines? If you had to ask an employee to take over another’s duties for the day because of an illness, would that first employee know where to go for information? Do they have access to the latest version of the procedure? It’s important that you keep your documentation, however critical it is, under control. One easy way to follow this one of the top quality procedures is by using policy management or document compliance management software.

8.6. Process Monitoring and Measurement

Companies that don’t monitor and measure their performance have no way of knowing for certain if they’re doing better than they were six months or a year ago, or in which direction they’re headed. We can’t improve what we don’t measure.

8.5. Control of Nonconforming Product

One of the worst things that can happen to your company…worse than finding an error on the production line, worse than finding a defect during inspection…is having a customer find a problem for you. Nothing hurts your company’s reputation worse than a customer finding a poor quality product, getting a late delivery, or finding a billing error in your favour. So, it makes sense that this is one of the top quality procedures.

8.4. Identification and Traceability

This is one of the biggest issues in quality. As important as identifying unsafe product and removing it from the supply chain is tracing the offending product to its source. Whether you’re in the food business or another line of work, your customers will benefit from improved traceability of your components.

8.4. Competence, Awareness, and Training

Very few things improve your company’s performance — and reputation — more than a well-trained, capable work force. Ongoing training helps your employees gain self-confidence. This one of the top quality procedures also lets them know how important they are to your success.

8.2. Customer Satisfaction

Some refer to it as “customer loyalty”; others call it “the customer experience”. Whatever label you give it, your company wants to do more than retain customers. You want your customers telling all their contacts how great you are, how if every supplier was as customer-conscious as you, their business would be exceptional.

8.1. Control of Records

Your quality records, your accounting records, your sales records — these are the foundation for your company’s success, now and in the future. Barring the invention of a foolproof “crystal ball” app for your smartphone, knowing where you are in relation to where you’ve been and acting on that knowledge to improve your processes are key to your growth. Without adequate recordkeeping, you are flying blind into the future.

And don’t forget what binds these top quality procedures together — a mission, vision, and strategic plan for your firm. What do you think? Are there any procedures you’d add to, or take out of, this list? Would you put them in a different order?


Define Defects and Monitor Processes (Clause 9)

Defects are nonconformances that occur either as a product defect or a process defect. Each time a defect occurs it needs to be counted, corrected, and determined whether corrective action is required. When defining your defects:

  • Determine defects (product and process based)

  • Define how defects are recorded

  • Define how defects are charted and communicated

Your monitoring processes include:

  • Internal audit process

  • Corrective and preventive action process

  • Management review

9.1. Internal Audit

The best way to ensure the effectiveness of your operations and the viability of your organizations is to have your systems — accounting/finance, operations, IT, quality, etc. — audited. You should have a third party, someone with knowledge, experience, and impartiality, periodically audit your systems. In between, you should self-audit your systems to ensure that they’re in compliance, are effectively implemented and maintained, and that they’re achieving the desired results, and the most important one of the top quality procedures you can implement to improve your quality and performance.

9.2. Corrective and Preventive Action

It’s a two-way tie for number one. Corrective and preventive actions are intertwined, though they’re not interchangeable. A corrective action is the one you take to ensure that a problem does not happen again. A preventive action is what you do to prevent, or lessen the likelihood of, the problem from happening in the first place. Think of a heart attack: surgery to repair the damaged heart, combined with other measures (improved diet, exercise, etc.), is a corrective action. Regular exercise, a healthy diet, and (when you reach a certain age) regular visits to a cardiologist before you have a heart attack are a preventive action.

9.3 Management Review

Management Review process makes sure the Top Management are monitoring and controlling the necessary resources to make the company function. The review highlights Top Management Leadership, Customer Focus, Evidence Based Decisions and Improvement.

Instead of being a burden, Management Review should become one of the main elements of QMS improvement. Management Review is all about reviewing the available data to confirm that adequate resources are present to ensure customer satisfaction and improve the QMS and the product and to ensure the QMS remains.

  1. Fit for purpose by reviewing performance

  2. Effective by determining the need for change

  3. Suitable and appropriate for the organization

With regards it’s effectiveness, change could be on several fronts, for example:

  1. Quality Policy

  2. Goals & Objectives

  3. Any other areas that may require change

In terms of ISO 9001, specific clauses exist for management review purposes, under ISO 9001:2015 it’s clause 9.3 Management Review.

If you are using the quality management system, then you are collecting data. But what good is data you collect but do not understand?

You need to:

  • Track your Quality Objectives performance

  • Define new performance benchmarks

  • Discover improvement opportunities in your data by identifying trends, patters, or correlations


Take Action That Improves Your Performance (Clause 10)

If you have data and identified trends, then it is time to act. Action is what the QMS is all about, either corrective action or preventive action, but take action. We are not tracking data for the auditor, for ISO, or for the quality manager.

The whole goal is to deliver improvement and this happens by:

  • Prioritizing your improvement opportunities

  • Choosing opportunities that make a difference

  • Reinforcing your commitment to quality to achieve better results


49 views0 comments

Recent Posts

See All

IT security is crucial for any business because it protects sensitive information, network systems, and business assets from malicious threats and potential security breaches that can have a huge impa

bottom of page