written by Maree Stuart
Compliance is big news! The woes of Optus following its data breach keep on coming. And we can look forward to investigations by the Office of the Australian Information Commissioner and ACMA to help understand why this breach of data security requirements occurred. Hopefully, we’ll also get some insights into how these things can be prevented in the future.
It’s not like Optus didn’t have the right certifications in place. After all, it has ISO 9001 and 27001 certifications. We’re not about to criticise the certification bodies, although they may have questions about the incident at the next certification audit.
Maybe Optus didn’t do its best to put in place good compliance practices (the other GCP). Read on to find out how GCP can help you get through an assessment or audit and help protect you from such a perilous fate as Optus is experiencing now. And don’t think it couldn’t happen to you!
Reading Standards and finding loopholes
The laboratory shall, if relevant, to the extent necessary, maintain records of competence to read standards. Understood?
Deciphering these kinds of phrases in standards is not easy. Learning to read and understand them is like learning a new language. But once you get the hang of it, a whole new world of interpretation opens up.
But first, the basics:
‘Shall’ = ‘must’. This is a mandatory requirement. You do not have any option but to comply.
‘Should’ and ‘guidance’ = recommendations on how to address a requirement.
‘May’ and ‘can’ give you some idea what is considered good practice.
Then there are some more interesting words/phrases; the ones that give labs and other businesses some wiggle room. Words and phrases such as:
‘To the extent necessary’
Look closely where these words or similar ones appear and use your common sense and interpretive power to figure out what the requirement means in the context of your industry. Maybe something you thought would be a lot of work can be done differently to ensure compliance.
A big part of Good Compliance Practice is to understand the context. What are the internal and external things that shape the way you run the lab? These things will affect what your quality management system looks like.
One of the other considerations is understanding the needs and expectations of your customers and other stakeholders for your lab. Those needs and expectations help you to also understand what “quality” should look like. That also drives what your quality management system looks like, not what an auditor thinks you should be doing.
The secret is to always go back to the standard and the words in it, and to interpret it through the lens of the customer and stakeholders and of the internal and external factors affecting your lab.
For instance, NATA might have some particular, detailed requirements covering which standard your equipment has to be calibrated to. These types of external and internal factors are the boundaries of the sand pit that you can play in.
When you get good at reading and interpreting standards, and importantly understanding the context you operate in, you start seeing ways your system already meets standards – or parts that can be tweaked as opposed to having to create whole new procedures.
But the auditor still says I have to comply with their requirement!
We get it. The auditors are in a position of power. Hey, we were external auditors too once upon a time!
The external auditor is not unaccountable. They report to someone, and their organisations have appeal mechanisms in place under the standards they operate to.
The secret here is to pick your battles. Even when something isn’t a requirement, it might be a great idea, and you can appease the auditor by doing what they suggest. Remember, they get to see lots of systems in their line of work, so perhaps they have seen the pitfalls of your approach.
But, if something really will have a detrimental impact on quality in your lab, then that’s the time to advocate why you can’t simply follow their requirement as it’s written in an audit report. We do a lot of work in this area, teaching our clients how to advocate to the external auditing body.
If you don’t have the time or desire to learn the language of standards but still want to reap the benefits…contact us at MAS Management Systems!
We can help you:
- Build or revise your quality system to be simple and practical
- Liaise with NATA or your certification body on your behalf
- Provide tailored training in compliance standards, Quality Management systems, internal audits, measurement uncertainty and more
- Prepare for and attend your NATA or certification audit so it will run smoothly.
Remember, you don’t have to do this alone!