
How to control outsourced processes using ISO 9001

It’s common for global organizations, when acquiring new businesses, to make “cuts,” and many processes that are not core business processes are outsourced. On the other hand, SMEs (Small and Medium Enterprises) also outsource some processes for the simple reason that they do not have enough internal resources to manage all processes in an efficient and effective manner.

So, outsourcing is all around us, sometimes even if we are not aware of it… but if we are not aware, how is it under our control? What about the satisfaction of our clients? What about legal compliance? What about my business plans? Do I feel “lucky”?

Outsourcing in ISO 9001:2008 and ISO DIS 9001:2015

Almost all organizations, regardless of their size or complexity, have some outsourced processes. With respect to ISO 9001:2008 clause 4.1, there were and still are many issues that arise on audits between organizations, consultants, and auditors about what is or is not an outsourced process and what is a purchased service. ISO DIS 9001:2015 clause 8.4.1 requires that external providers must be controlled and their performance be evaluated. The term “purchasing” is no longer used. There is almost no difference between purchasing of a service and outsourcing of a process. To be honest, there never was; however, outsourcing was often not very clear.


What processes are usually outsourced, and how are they usually controlled?

Usually, outsourced processes include things like:

  • accounting,
  • maintenance,
  • transport,
  • IT support,
  • storing,
  • forwarding agency,
  • bank,
  • lawyer,
  • consultant/auditor,
  • distribution,
  • canteen/catering,
  • cleaning,
  • etc.

These are basic services that are purchased very frequently, or even on a daily basis. Many times during audits, the answer was that those “external providers” were under control by contract, through a supplier evaluation methodology, or through certificates/licenses held. As for contracts, you see that in 90% of cases they are based on price. Common sense tells us that the same type of control is likely applied both to the occasional purchase of tangible products and to the provision of an ongoing service. Prices do not tell us anything about the behavior of the outsourced organization. Also, universal criteria and methodologies for supplier evaluation do not tell us much about the reliability of outsourced services. As for possession of certificates and required licenses, it is questionable how hard it really is to get them. If the canteen where our employees eat and our company’s catering organization have all necessary system certificates and legally required licenses, does that mean that the risk of poisoning of all employees and related business impact is lower?

How to control outsourced process/external service providers

A process is not a product, so the focus should be on specific process parameters rather than on product characteristics. One of the management principles on which ISO 9001:2008 is based is named “Mutually beneficial supplier relationship.” In ISO DIS 9001:2015 that principle is named “Relationship management.” (Read the following article to find more details about management principles in ISO DIS 9001:2015: Seven Quality Management Principles behind ISO 9001 requirements.) Both express the same idea, which is that our business heavily depends on purchased or outsourced products/services. Frequently, though, the “purchasing of service” approach is “as fast and cheap as possible.” So, what is “beneficial” for our service supplier? Nothing. He will leave us as soon as he finds a better solution, or a better business partner. In order to secure mutual sustainability between us and our outsourced service supplier, it is necessary to define mutually recognized and accepted tailor-made service level parameters, as well as monitoring methodology, reporting, and follow-up actions. How deep those parameters and monitoring methodology should go depends on the business risk associated with the service that we get from an outsourced organization, so they definitely must be customized according to the organization or the types of services we need.

One method of controlling outsourced processes is for the contract with the outsourced organization to refer to a mutually accepted and approved document (procedure/work instruction… let’s say documented information) which very clearly defines service level parameters, roles, responsibilities, and authorities for monitoring, reporting, and consequences. Both parties have the authorization to make further improvement to the documented information in order to improve cooperation, depending on both parties’ identified business risks.

Another way to control outsourced processes is through a second-party audit process. To learn more about second-party audits, read this article: First-, Second- & Third-Party Audits, what are the differences? In this case, the checklist used should be mutually defined, agreed, and approved. Auditors should be very competent in evaluating not only the level of compliance with requirements or agreed parameters/performance, but also how sustainable the outsourced business is, as well as further identifying possible risks not only for your own company, but also for the outsourcing partner organization.

Whichever of the above control mechanisms is used, it is transparent to both sides, focused on business risks and opportunities for both sides, and secures satisfied customers at the end of the chain.

Interested parties, including outsourced organizations, have a big influence on our performance. Our performance is based on our ability to secure and satisfy clients. This brings us to mutually accepted, controlled, and improved relationship management between us and our outsourced organizations.
