Structure of the analyzed audited organizations.
This book chapter focuses on process management as one of the key requirements of ISO 9001. This research highlights an issue of raising the effectiveness and efficiency of process management in implemented ISO 9001 Quality Management Systems (QMS) by its integration with information technology (IT) support. Performed research reveals this to be an area of further scientific work. This is just a preliminary study to prepare the background for practical implications and further empirical research. The latter research includes literature review, ISO 9001 requirement analysis and a case study on practiced process management in South-East Europe countries as identified from external audit reports. The new standard ISO 9001:2015 is less formal regarding the documentation than the previous ones, while being more focused on effective running and improvement of the company processes. Actually, ISO 9001 requires basic elements and activities of Business Process Management (BPM). However, there are no obstacles to provide the required evidence of the defined, running and improved processes through the business IT support. Indeed, IT support to the ISO 9001 process management is not generally practiced nor encouraged enough.
- Quality Management System (QMS)
- ISO 9001
- Business Process Management (BPM)
- information system/IT system
- process effectiveness
- process efficiency
The subject of the chapter is focused on Quality Management Systems (QMS) combining three scientific disciplines:
Quality Management (QM) by addressing ISO 9001 requirements;
Business Process Management (BPM) focusing on process description, characteristics, management, methodology and tools;
Business informatics and information technology (IT) systems for running everyday business in the companies, their prevalence, availability, characteristics and features.
Process approach including BPM is one of the ISO 9001 key requirements. This chapter is pointing out an important but not commonly addressed way to make BPM in ISO 9001 QMS more effective and more efficient by its integration with internal IT system of the company. It highlights a number of topic-related elements described herein.
ISO 9001 is still the most prevalent international QM standard with the highest number of certificates worldwide; however, the number of granted certificates is continuously decreasing in the last 7 years (from 1,118,510 in 2010 to 1,033,936 in 2015) . Considering the ISO 9001 requirements, especially customer and process orientation, the certified companies should stand out and develop competitive advantage based on the developed internal quality culture, process effectiveness and efficiency all resulting in better products and better customer service. On the other hand, presence or absence of ISO 9001 certification is a poor predictor of organizational performance and product or service quality . The new revision of the standard in 2015 (ISO 9001:2015) tries to make the QMS more business oriented and thus, more appealing for companies again.
Performed research indicates that implemented ISO 9001 QMS should positively affect the company performance and its image . The core process management practices in the certified companies should have a strong, positive and direct effect on quality improvement . Although the process orientation is an important focus of ISO 9001, the impact of the standard on rising performance in the business sector is limited (also because of the fact that ISO 9001 certified companies represent just over 0.5% of the estimated 190 million companies worldwide ). Sometimes also positive results of other undergoing activities in the companies are (wrongly) attributed to the implemented ISO 9001 . The research on ISO 9001 effectiveness in the last decades was not balanced (mostly exploring positive practices and successful cases of implementation) and might reveal a wrong picture of generally improved performance of certified companies.
The “customer pressure” is still one of the main motives to achieve ISO 9001 certification mentioned by companies. As such, there is a lack of real internal motivation and management support to develop an effective QMS and process approach as its vital part. In many cases, ISO 9001 is implemented and operated with minimum effort and in such a way that many opportunities for improvement are lost . Although having strong internal IT systems for running their everyday operation, many companies still develop and run their QMS as a separate (stand-alone) and frequently bureaucratic system including process documentation and reporting. Hence, QMS with its process approach is not considerably linked with the operation management and business IT system supporting it.
“Digital business is a reality now and it is expected to be a very significant aspect of achieving competitive advantage and differentiation using information and technology” . Applications for planning, running and controlling everyday business activities (as required by the ISO 9001) are available, affordable and implemented not only in bigger but also in small companies . The most widely used software packages are Enterprise Resource Planning (ERP) systems and Business Process Management Systems (BPMS) . Along with it, ISO 9001 is one among the business drivers causing organizations to focus on business process change . These claims and findings of IT analysts and researchers might be an incentive to think about possible digitalization of the ISO 9001 QMS. Thus, management and running the processes according to ISO 9001 requirements would be much easier, more effective, less costly and better accepted by management and employees.
1.1. The research purpose and questions/objectives
The purpose of the research is to get an insight into the situation of BPM in the ISO 9001 certified companies and use of IT support to facilitate it. The main research focus is on whether the requirements of the standard are well accepted and effectively implemented. The intent of the research is to encourage some more research in this field and improvement initiatives for the practitioners.
In view of the above, the aims and objectives of this work are outlined below:
the elements of BPM required by ISO 9001;
the elements of BPM practiced in the companies;
the benefits, disadvantages and barriers of QMS and IT integration;
the practiced IT support to the QMS process approach in the companies;
encouragement for integration of the QMS and IT.
1.2. Research methodology
In order to address observed bottlenecks in companies, this paper will introduce an ISO 9001 text analysis and a preliminary empirical BPM maturity evaluation model fostered by statistics.
The research approach takes an analytical comparison approach regarding ISO 9001:2015 and BPM requirements. In doing so, it will analyze corresponding features and functionalities of the most frequently used IT business solutions, followed by analytical and empirical investigation of the current global situation in ISO 9001 and BPM implementation in the companies upon the literature review and the presented case study.
The latter tries to give an insight into the praxis of process approach in ISO 9001 certified organizations on the information collected from ISO 9001 audit reports of a certification body operating internationally. The “SIQ Ljubljana – Slovenian Institute of Quality and Metrology, Ljubljana” kindly agreed to co-operate in this research, as it is a certification body covering several international standards and countries in South-East Europe. The case study includes analysis of BPM-related records in 48 randomly chosen ISO 9001 audit reports from the year 2016 from 6 countries in South-East Europe.
The described frame of research in “Introduction” is followed by a hypothetical research model addressing major bottlenecks exposed in the “Introduction” and evidenced praxes from literature review (in Section 2) making the theoretical background for the case study (in Section 3). The results are discussed (in Section 4) including implications and limitations of the research. A conclusion follows in Section 5.
2. Literature review
2.1. Processes and BPM
A process is a collection of events, activities and decisions that collectively lead to an outcome that brings value to the customers of an organization. Zairi  defined a process as an approach for converting inputs into outputs in a way in which all the resources of an organization are used in a reliable, repeatable and consistent manner to achieve the company goals.
Every organization has processes. Understanding and managing these processes in order to ensure that they consistently produce value is the key driver of effectiveness and competitiveness of organizations. Through their focus on processes, organizations are managing those assets that are most important to serve their customers well .
In any company there are different types of processes : core processes oriented on the customers and covering the main business (e.g. purchase, production, sale); supporting processes (e.g. IT support, maintenance, administration) and management processes (company management – planning and control). Generally, a process flows through different business functions in the organizational structure of the company enabling their harmonized work for achieving the same common goal – making value for the customer. The majority of the business processes are complex. Therefore, they are hierarchically split into sub-processes until reaching down to activities and basic tasks. Hence, these may facilitate better management. In doing so, the elements of the processes, their various inter-connections should be identified and properly determined. That means that at least basic elements and characteristics of a process should be set and applied for each business process. Summarizing different definitions of a process, the following list of characteristics for a business process may be compiled  and may provide the following:
the process owner or process manager (the manager responsible for the process, its performance and improvement);
target groups of internal or external customers and suppliers for the process;
customer-oriented process objectives, performance criteria and performance indicators;
process borders (beginning and end points), inputs and outputs and connecting points with other processes;
sequences of the process activities and tasks, their internal connecting points, inputs, outputs, timing, conditions and task description;
responsibilities for each task;
skills needed to perform each task;
the required resources (skilled workers, infrastructure,etc.);
control points and required measurements; established measurement, control and information feedback loops close to the operation activities;
recognized possible risks and defined preventive actions;
effective non-compliances-handling and process improvement formal procedures.
A scheme of a process with the listed process elements is presented inFigure 1. The process elements are marked with their bullet numbers from the list.
The importance of adopting a process view and their continuous improvement has led to the creation of the process management philosophy. After defining the processes they should be systematically applied, managed and improved. The systematic approach covering it is called Business Process Management (BPM). BPM is defined as “supporting business processes using methods, techniques and software to design, enact, control and analyze operational processes involving humans, organizations, applications, documents and other sources of information” ). Companies can decide to use BPM to manage only one or more chosen core processes or to manage all its business processes. In a company, BPM is frequently introduced through its IT support development (implementation of ERP or BPM systems) or through QMS initiatives .
As a methodology BPM comprises of the following :
organizing for quality;
The BPM methodology can be facilitated by the following tools: (1) process mapping and process measurement (as foundational pillars for managing processes); (2) process re-engineering or redesign; (3) models for continuous improvement such as the “plan-do-check-act” cycle and (4) instruments for benchmarking.
Performed literature review indicates that a shift from product orientation to process orientation and from functional to process organization emerged in the 1990s by emerging holistic (ERP) software solutions. It continued in the 2000s by development of the QM and Business Process Orientation (BPO), suggesting that the whole organization should be viewed as a system of processes that should be mapped, improved and controlled . “BPO of an organization is the level at which an organization pays attention to its relevant (core) processes” (end-to-end view across the borders of departments, organizations, countries, etc.) .
Interestingly, the majority of authors of 15 reviewed papers on BPO regard this as a means to achieve operational excellence and tend to ignore its strategic potential for establishing a long-term competitive advantage .
2.2. ISO 9001 principles and requirements on process approach that call for IT support
The release of 2000: ISO 9001 for the first time sets process orientation and requirements for indicating, defining, describing, controlling and improving performance . The process approach is even more emphasized in the latest release of ISO 9001:2015  where not only process effectiveness but also process efficiency is searched for. Additionally, the latest standard release is more flexible regarding the form and quantity of documentation depending on the company context (size, industry, culture, strategic frame and business environment).
Principles and requirements of the ISO 9001:2015 are set in the 10 chapters (Ch.) of this standard. Process approach is the core principle for implementation of “Plan-Do-Check-Act” (PDCA) loop. In the introduction chapter of the standard (Ch. 0.3), this QM principle is described and other six are listed (customer focus; leadership; engagement of people; improvement; evidence-based decision-making; relationship management).
The aims of the process approach are (Ch. 0.3.1): (1) development, implementation and improvement of the effectiveness of a QMS; (2) enhancing customer satisfaction by meeting customer requirements and (3) organization’s effectiveness and efficiency in achieving its intended results in accordance with the quality policy and strategic direction of the organization.
The means of the process approach are (Ch. 0.3.1): (1) systematic definition of processes, and their interactions; (2) understanding and managing interrelated processes as a system and (3) controlling the interrelationships and inter-dependencies among the processes of the system, so that the overall performance of the organization can be enhanced.
The expected benefits of the process approach are (Ch. 0.3.1): “(1) understanding and consistency in meeting requirements; (2) the consideration of processes in terms of added value; (3) the achievement of effective process performance; (4) improvement of processes based on evaluation of data and information.”
Figure 1 in Ch. 0.3.1 gives a schematic representation of any process and its basic elements (“input; sources of input; activities with their starting and end points; possible controls and check points for measuring performance; output; receivers of output”) and shows the interaction of its elements.
“Management of the processes and the system as a whole can be achieved using the PDCA cycle (see Ch. 0.3.2) with an overall focus on risk-based thinking (see Ch. 0.3.3) aimed at taking advantage of opportunities and preventing undesirable results”(Ch. 0.3.1).
The PDCA steps and risk-based thinking philosophy are shortly described in these chapters with no guidance of a proper methodology or tools to be applied.
The BPM requirements in the standard: specific requirements considered essential to the adoption of a process approach are included in Ch. 4.4. It states that the organization shall establish, implement, maintain and continually improve a QMS, including the processes needed for the QMS, their application throughout the organization and their interactions, in line with the requirements of this international standard. According to Ch. 4.4.1 organizations shall perform the following process management activities:
“determine of the inputs required and the outputs expected from these processes;
determine the sequence and interaction of these processes;
determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
determine the resources needed for these processes and ensuring their availability;
assign the responsibilities and authorities for these processes;
address the risks and opportunities as determined in Ch. 6.1;
evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
improve the processes and the QMS”.
To the extent necessary, the organizations shall also (Ch. 4.4.2):
“maintain documented information to support the operation of its processes;
retain documented information to have confidence that the processes are being carried out as planned.”
The above-listed requirements of the standard (Ch. 4.4.) match with the content (activities and defined data set) of BPM which is IT applicable and mostly implemented together with IT support (see Sections 2.1 and 2.3 for details).
It is supposed that the activities that need extensive data management support; identification and tracking; time, status and access control; workflow and automation; group work, data exchange, data analytics can be nowadays performed more effectively using IT support .
The standard leaves open space for use of different technologies and infrastructure, including IT support and process automation although there is no guidance in the standard about it. It is rather strange that the standard expects “improvement of processes based on evaluation of data and information” (Ch. 0.3.1), however, it gives no technical support to it. In ISO 9001:2015 and its past revisions no requirement nor any suggestion is given for the QMS as a whole nor for the process approach as its core requirement on how to facilitate the implementation and operation of both with modern technologies. Such approaches are not clearly suggested, encouraged and commonly practiced . Moreover, the research on IT supported QMS is rare.
Facilitating the QMS requirements with IT support would make QMS and BPM as its part more integrated in everyday business, thus, making it more effective, more comprehend and easy-to-use . Only little general suggestions are given in additional guidelines (ISO 9004:2009, ISO/TS 9002:2016) on how to effectively implement the requirements with the aid of technological support [27, 28, 29]. However, more emphasis regarding the use of technology (a special chapter) is planned in the next revision of ISO 9004 which is at present in a draft phase (DIS ISO 9004) .
2.3. Implementation of BPO and BPM in companies: different approaches
2.3.1. Development of practiced BPM in companies
Advances in IT over the years, have changed business processes within and between enterprises. In the 1960s, operating systems had limited functionality and any workflow management systems (WFMS) that were in use, were tailor-made for the specific organization. In the 1970s–1980s, the development of data-driven approaches was brought, as data storage and retrieval technologies improved. Data modeling rather than process modeling was the starting point for building an information system. Business processes had to adapt to IT because process modeling was neglected. In the 1990s, the interest in business processes increased and the shift toward process-oriented management occurred, initiated by emerging of Six Sigma, Business Process Reengineering, ERP software with workflow management components, such as SAP, Baan,
In 2016, a global ERP report involving 215 respondents showed that 82% of respondents improved either key business processes or all of their business processes by implementing ERP system .
2.3.2. Prevalence and maturity of practiced BPM in companies: a global research
A worldwide BPM research on the state-of-the art pertaining to the years 2005–2015  included companies of different size and different industries. It shows that there has been no real trend of rise in use of BPM in the last 10 years. Individual companies may have become more process-oriented and may have invested in BPMs or may have created business process architecture, but most companies have not. The state of BPM, as defined in 2005, is roughly the same today (in 2016).
Among business drivers causing organizations to focus on business process change, the ISO 9001 and business risk management (by 17%) and management of IT resources by ERP (by 15%) were recognized in stated international research.
According to this research, the share of companies practicing BPM is still low. Only 2% of the respondents perform the planned BPM activities regularly covering all the processes. Among all the respondents, less than 50% of them have their processes documented, less than 40% of them have their processes automated, less than 30% of them have standardized key process indicators (KPIs) for measuring process performance (see the shares of organizations with maturity levels 3–5 in Figure 2). Just 10% of all the managers are trained to think as process managers. Most respondents think that BPM is about managing process change throughout the business and not an implication of introducing a new software technology.
This BPM study investigates also the maturity of BPO and BPM. For the assessment, the maturity model called Capability Maturity Model Integration (CMMI) was used. It defines five levels of process maturity, namely:
“no organized processes” (immature);
“some organized processes”;
“most processes organized”;
“processes are managed”;
“processes are continuously improved”.
Most organizations in 2015 are at Level 2 on the CMMI maturity scale. They have invested in defining their processes, but have not invested in aligning processes throughout the enterprise. Significant differences in specific elements of BPO maturity can be found among countries, however, this is not presented in this global study on BPM.
2.3.3. Introducing BPM through ERP and BPM software implementation
The role of IT was always important in BPM – as an initiative to develop BPM when developing or changing the core business software in a company and as a set of tools facilitating BPM. According to performed empirical research, introducing BPM through business software implementation is still a way of starting BPM in a company. Many companies have their own tailored IT business solutions or combination of more standard partial solutions that cover the business needs. Implementation of an ERP or BPM system is a more holistic approach to facilitate the operation. However, implementation of such a system takes more time and money and is not a general approach in smaller companies . Regardless of having more partial business solutions or a holistic one, managing processes with such a support is possible if the data model matches with the required process data (see requirements of the standard in Section 2.2) and enables management features.
ERP systems are integrated systems of applications for planning, operation and control of the company business. They typically operate in (or near) real time, use a common database that supports all the applications and provide a consistent look and user interface across the modules that cover specific business topics and functional areas . ERP services and operations management include integrated application suites designed to automate a range of business processes from back-office operations to financial management and from sales order capture to customer information management. Currently, ERP also covers functions not being addressed by other functional markets, such as environment, health and safety, governance, risk and compliance, as well as vertical industry-specific solutions . Functional areas of an ERP system are financial accounting, management accounting, manufacturing, order processing, supply chain management, project management, customer relationship management (CRM) and data services .
CRM systems are not always considered as a part of ERP systems, but rather as Business Support Systems (BSS). The implementation of an ERP is quite a complex project and cannot be realized in small steps. ERP systems can be also implemented through implementation of BPM, while ERP matches with the first four phases (steps) of BPM. Important part or upgrade to an ERP system can be Business Intelligence and Business Analytics (BI, BA) applications that enable better decision-making information.
The Business Process Management System (BPMS) software provides “automation of a business process, in a whole or just in a part, during which documents, information or tasks are passed from one participant to another and put into action according to a set of procedural rules” . BPMS will increasingly offer an alternative to the companies to manage their business – or at least a way to “adjust” their ERP with more flexible process models that can be more easily changed. According to a global study (see Section 2.3.2), it is estimated that well over a third of the BPMS applications developed to date have been developed as an alternative to ERP, or to make ERP more agile.
BPMS software typically includes following tools and features :
BPM engine (server);
organization modeling tool;
business process modeling tool;
process simulation tools;
business process monitoring;
measurement and management tools;
Such modeling, workflow, administration and control tools are supported with a database, keeping all the process-related data (as defined in Section 2.1), process rules and operation constraints, performance criteria and results (Key Performance Indicators – KPIs).
A detailed description of each activity (as a guidance for workers) and a description of a process as a whole may be embedded in the software, as well, or kept separately in the form of an electronic or printed document. The planning and reporting about process performance, including historical data, trends and hierarchical consolidation of data and KPIs is possible directly from the included IT tools. Data entry from different sources is feasible and each data needs to be entered only once.
2.3.4. Introducing BPO and BPM through ISO 9001 implementation
ISO 9001 tries to make a shift in mind of managers and employees by introducing process orientation as a business principle. This way the standard raises awareness about it. The requirements on process identification, definition, documenting and measuring often result in one or more documents (quality manual, optional process map and optional additional process description documents) and some summarized reports (at least for the required management review). Companies that have complex business and high structured organization often decide to merge the ISO 9001 documenting requirements with the documenting and reporting capabilities of their current IT system or even implement special software to facilitate both better. Generally, in real life, the QMS and its process approach are still paper-driven or managed with support of office tools only , although the new ISO 9001:2015 eliminated the need for extra documenting for the sake of the system or audit requirements. In companies, where the QMS does not produce process-related documents and records that are used as a guidance to work and decision-making support, the ISO 9001 requirements might still be formally met and the company is still granted a certificate. However, the effect on the business is more than less negative and perceived as “useless extra work”.
It might be quite demanding and hard to follow to map, document and regularly update the processes manually. A simple, actual, detailed and user-friendly process mapping is needed (but it is not required in the standard). To make it easier Carmignani  proposed a structured methodology to successfully apply BPM as required by ISO 9001. The process definition approach is in a top-down principle (from the general to the particular), while the drafting of descriptive documents, if necessary, is bottom-up (from the particular to the general, that is, from instructions and procedures to the manual) and prepared after the actual implementation of the QMS.
The steps of the proposed methodology are the following:
identify macro-processes, their mutual relations, inputs, outputs, constraints and necessary resources;
specify, progressively, the single macro-processes to the activity level;
build complete flow charts for priority activities and successively for all activities;
define the gaps between the activities, the fixed targets and the norm and, if necessary, re-think (re-engineer) the activity;
check the effectiveness of the activities and of the process that subsumes them;
draft a document that describes the activity (instruction) or the process (procedure); and
document the QMS globally, from process map to policies, to choices and activities (manual, procedures, instructions, indicators, plans, etc.).
It is important to achieve management commitment in order to implement BPM successfully. However, there are only a few articles mentioning how to do it practically . Beer  argues that there is often a gap between the management rhetoric about their intentions for QM and the reality of the implementation of the concept within the company.
2.4. Integration of QMS and IT for better process management in ISO 9001 QMS
2.4.1. Integration need
The use of IT systems is not part of the requirements in the standards; nevertheless IT is often used in larger organizations to efficiently meet the standard enforcement and documentation required for compliance to QMS procedures (see Section 2.2). As recognized from the practice and Carmignani’s research (see Section 2.3.4), a broad mapping of the processes appears to be insufficient. Actually, it does not enable setting the modalities of activity management and control. The need for appropriate instruments to represent and manage “sequences and interactions” and “objective deployment” in a simple way is pointed out in that research. Furthermore, retrieving past data on monitoring and control and activity trend information is recognized as an issue, especially at the operational level. The QMS often needs information from the basic operational IT systems of the company or contributes to it.
Manual data handling raises issues, such as:
a lack of visibility and availability of data (scattered information, personal hold of data and documents, technical barriers and no proper channels for sharing the data, inability to extract the data, too many personalized and incompatible reports);
human errors because of multiple input of the same data, manual control and reporting resulting in biased or even incorrect reporting and wrong actions;
time spent for data clarification;
repetitive tasks and repetitive tiresome reporting that could be automated;
a lack of data transparency making errors, frauds and corruption hardly discoverable and thus possible.
These issues are implied by data management needs (see Section 2.2) upon the requirements of the standard.
Finally, it is the author’s view that running ISO 9001 BPM separately beside the IT system running the business causes additional costs and requires extra efforts. Moreover, it is not motivating to maintain such a paper-driven BPM system that is not applied in business operation. As such, more often than not, QMS BPM documentation is not promptly updated following the applied changes in operation and is more or less a burden to the business. However, such a BPM may barely formally meet the minimal requirements of the standard and suffices for gaining or keeping the ISO 9001 certificate.
Authors already tried to make the implementation of BPM as a part of QMS easier and more effective. Carmignani developed a structured approach to implement BPM as a support to QMS. It offers a systematic approach to map and describe company business processes. The steps in this approach are close to the ones applicable in BPM software tools, however, no IT support is explicitly demanded in the presented approach. Despite a clear approach updating process parameters and controlling processes in more complex environments would be hardly feasible and costly without IT support (manually).
Literature review shows that only a carefully considered combination of process redesign efforts coupled with appropriate IT support offer the most beneficial potential to organizations embarking on transformation path to BPO. Use of process-oriented IT systems and the principles of BPO in combination yields most noticeable increase in quality and success of individual processes .
Measurement and metrics are the basis for any improvement program and software makes it feasible and more effective. The emphasized shortcomings of paper-based solutions for process approach in ISO 9001 QMS (mentioned above and in Section 2.2) could be eliminated or at least reduced by a proper IT support. Therefore facilitating QMS process approach (BPO and BPM) with IT is called for.
2.4.2. Integration applicability and feasibility
Three aspects of an IT support are recognized as important for implementing an effective QMS:
well defined and essential processes;
related QM processes;
related process improvement practices.
The listed elements of such IT support to the core and supporting business processes and to the QMS background system processes (planning, control and improvement processes) match with the defined BPM elements by theory (see Section 2.1). They also match with ISO 9001 BPM requirements in Ch. 4.4 (see Section 2.2) and with the features and data models of general BPM and ERP applications (see Section 2.3). Upon these findings from the presented analysis and former research it may be concluded that:
all the ISO 9001 requirements on BPM are IT applicable;
the set of data and features, required by ISO 9001, is even narrower that generally provided in company business IT support;
ERP systems generally cover the requirements of the ISO 9001  or offer QMS as a part (module) of an ERP. Furthermore, the majority of companies already use IT support, it is affordable also to SMEs and it is vital for effectively and competitively running the business.
2.4.3. Recognized positive praxis
A number of research papers show that there are cases of IT facilitated BPM in ISO 9001 certified companies – for example, through implementation of an ERP, BPMS or CRM system, with support of Document Management System (DMS) and workflows .
2.4.4. Integration advantages and disadvantages
Integration of the classical QMS process approach with a company’s IT support may result to advantages. One integrated, IT supported and more effective BPMS is established instead of having not really valuable extra QMS process documentation and separately operating business processes through the company business IT system. The benefits of digitalization may be expected (one entry for each data; real time, accurate, valid and reliable information always available; easier information availability and sharing; automatic or at least facilitated data retrieval, consolidation, analytics and reporting; built-in process rules; process automation, etc.) .
The compliance evidence (in case of audits and controls) can be taken directly from the business IT system. This way meeting ISO 9001 process approach requirements becomes a part of everyday activities. The process rules, instructions, controls and reporting are embedded in the IT system people are using every day. A single data entry and automatic data retrieval for reporting is provided. In view of the above, the process and QMS requirements are better known to the workers, less manual documenting, reporting and training is needed, process control is improved. Consequently improved availability and reliability of data may contribute to less errors, disruptions and possible frauds . Less manual work due to (1) easier data collection and clarification; (2) better process control and less re-work and (3) implemented process automation can result in reduced operating and labor costs and improved process effectiveness and efficiency is improved .
As such, it may be argued that BPO becomes a part of organizational culture. Furthermore, BPM as a part of the QMS turns from a bureaucratic burden into an important management tool for decision-making and continuous improvement. Such BPM is actually applied on all the company levels and supported by the company management.
There may be also some barriers to the suggested integration. An IT part of the QMS process approach should be developed, implemented and applied, so the QMS implementation might be more complex, taking more time and money, and requiring cooperation of IT specialists .
However, such implementation should later result in better performance and satisfaction. It is also hard to develop a common integrated solution if there is a lack of a single interface for decision-making on data management and budgeting of IT support development.
Therefore, instead of one strong management system, several separate partial systems are developed and the gaps among them raise issues and reduce performance (see Section 2.3.4). Additionally, there is no guidance from ISO for a proper QMS and IT integration. Furthermore, ISO 9001 consultants and certification bodies may not have proper knowledge and experience to motivate and support IT integrated implementation of a QMS.
In case of such an integration, it is the author’s view that one should be aware of its possible risks and disadvantages. For instance, BPM effectiveness is to a great extent dependent of the effectiveness of the basic IT solutions, in which it is integrated. It means that if there are any troubles in IT support (e.g. access lost, data or programs temporary unavailable, not friendly user interface, low software and hardware performance), this might affect the BPM performance. The extent of this influence depends on the way and the depth of integration of both systems (IT and BPM).
2.4.5. Practiced non-integrative approach
Performed research indicates that the positive role of quality thinking and QM is not often applied in IT application development. The findings of a survey involving 160 organizations in Serbia and the wider region do not support the theoretical assumptions related to the direct effect of IT application on organizational performance. The mediating role of QM is crucial for overcoming the shortcomings of IT application development.
The research results can be used as guidelines for the implementation of an integrated approach in the application of QM in the IT context. In particular, managers should consider the application of QM techniques for the improvement of IT quality .
The companies often do not point out the link between IT and QMS when presenting the IT support development in the company, even if they are certified to the ISO 9001  or some other management system standards . It looks like the ERP and BPM development in the ISO certified companies is often dedicated only to IT departments. The literature review on synergies between IT systems and QMS  similarly shows that 80% of the papers address the limited perspective of one type of system being dominant.
Additionally, the global research on use of BPM tools reports no major impact of ISO 9001 on implementing BPM (see Section 2.3.2). In only 17% of ISO 9001 cases and business risk, management were drivers for implementing the BPM and in 15% of cases management of IT resources by ERP was mentioned as a driver for BPM. Therefore, one can hypothesize that integration of both (QMS and IT) is not a general praxis, moreover it is still rare and downsizing. Namely, according to this research, the use of ISO 9001 in companies practicing BPM was reduced from 2005 (49%) to 2015 (23%) to half of their share. These findings contradict the claim raised in handbooks  that point out that efficient BPM is based on “process thinking,” “quality thinking” and “automation”.
2.4.6. Room for improvement
The findings herein indicate that there is indeed room for further improvement. At first, research methodology was aimed at getting an insight into the situation through the eyes of certification bodies, which are regarded as the most influencing actors in this case . In addition to the above, information about BPM maturity and the use of IT in certified organizations was gathered, so as to gain an insight regarding ease-of-use concerning BPM.
3. Practiced process approach in the ISO 9001 certified organizations: a case study in South-East Europe
3.1. Research methodology
This paper discusses process management-related information in audit reports (ARs) of the Slovenian certification body SIQ Ljubljana (SIQ). The latter was covering over a third of Slovenian certification market that included 1481 certified organizations in the field of ISO 9001 in Slovenia at the end of 2015 . SIQ was equally operating in neighboring countries, such as Italy and countries in the Balkans. Among the issued certificates in 2016, 61% of them belonged to QMS (ISO 9001), 75% of them were issued in Slovenia and other countries took a share of 1–8% .
A random sample of 48 ARs was taken from the SIQ database of 1073 ARs pertaining to the year 2016 . This database included ARs addressing ISO 9001 and other systems, different types of audits and different countries. In the present study, a sample of ARs from different countries (Slovenia, Italy, Croatia, Bosnia and Herzegovina, Serbia, the former Yugoslav Republic of Macedonia) were randomly selected. The structure of the selected audited organizations was quite diverse also regarding business sector or industry and size of organization (see Table 1).
|Structure of the analyzed organizations||Country (number of organizations)|
|Organizations by country||BA||HR||IT||MK||SI||SR||Total|
|Organizations by the audited standards|
|Only ISO 9001:2008||2||1||2||4||10||5||24|
|Only ISO 9001:2015 or in transfer to it||1||6||7|
|ISO 9001 + 1 another standard||2||1||9||12|
|ISO 9001 + 2 or more other standards||1||1||3||5|
|Type of the audit|
|Business sector of the organizations|
|Other business services||1||2||1||7||11|
|Public services – public sector||2||2||2||6|
With regard to the ARs, records were searched about BPM and for identifying documented non-conformances and recommendations addressing it. Then the findings were grouped and analyzed following nine BPM maturity criteria from a global BPM research from 2015 (criteria C1–C9 – see Table 2) and using the same grading scale (from 1 = immature to 5 = mature) (see Section 2.3.2).
|Practiced BPM elements||Maturity level (number of organizations)|
|C1. Process documented||0||0||1||21||16||10||48|
|Number of NCRs||0||0||0||0||0||0||0|
|Number of recommendations:||0||0||0||15||11||4||30|
|C2. Standard processes||23||0||2||3||12||8||48|
|Number of NCRs||0||0||0||0||1||3||4|
|Number of recommendations:||10||0||1||0||9||3||23|
|C3. Value chain modeled||4||0||6||10||20||8||48|
|Number of NCRs||0||0||0||1||0||0||1|
|Number of recommendations:||0||0||0||1||0||2||3|
|C4. Measures for major processes||4||0||4||8||25||7||48|
|Number of NCRs||0||0||0||0||0||0||0|
|Number of recommendations:||0||0||1||3||5||1||10|
|C5. Consistent IT support||20||6||6||9||5||2||48|
|Number of NCRs||0||0||0||0||0||0||0|
|Number of recommendations:||0||0||0||0||1||0||1|
|C6. Skills defined||–||–||–||–||–||–||–|
|C7. Managers trained||–||–||–||–||–||–||–|
|C8. Managers use data||–||–||–||–||–||–||–|
|C9. Process improvement||2||1||1||23||16||5||48|
|Number of NCRs||0||0||0||0||0||0||0|
|Number of recommendations:||0||0||0||6||2||0||8|
|Total number of organizations||53||7||20||74||94||40||288|
|Total number of NCRs||0||0||0||1||1||3||5|
|Total number of recommendations:||10||0||2||25||28||10||75|
Thus, the results were comparable with this global research. For each organization the information related to each of nine BPM maturity criteria was searched for. All criteria were assessed and the number of non-conformances and recommendations addressing these criteria was recorded.
If the demanded data was not found in the AR, it was marked with “–“.
|Practiced BPM elements||Maturity level (% of organizations)|
|The case study results:|
|C1. Process documented||0%||0%||2%||44%||33%||21%||100%|
|C2. Standard processes||48%||0%||4%||6%||25%||17%||100%|
|C3. Value chain modeled||8%||0%||13%||21%||42%||17%||100%|
|C4. Measures for major processes||8%||0%||8%||17%||52%||15%||100%|
|C5. Consistent IT support||42%||13%||13%||19%||10%||4%||100%|
|C9. Process improvement||4%||2%||2%||48%||33%||10%||100%|
|The global BMP research for 2015*:|
|C1. Process documented||0%||4%||50%||29%||14%||4%||100%|
|C2. Standard processes||0%||9%||48%||21%||21%||1%||100%|
|C3. Value chain modeled||0%||7%||44%||26%||19%||5%||100%|
|C4. Measures for major processes||0%||14%||59%||10%||11%||6%||100%|
|C5. Consistent IT support||0%||3%||59%||17%||18%||3%||100%|
|C9. Process improvement||0%||12%||54%||18%||13%||4%||100%|
|Average assessed % of BPM maturity level|
|In the case study||18%||2%||7%||26%||33%||14%||100%|
|In the global BPM research for 2015||0%||8%||52%||20%||16%||4%||100%|
For each BPM maturity criterion, there is a number or a share of organizations attaining that grade under each grade (from 1 to 5). In the same grade column, there is a total number of non-conformances and recommendations on this criterion, given at the audit to the group of organizations assessed with this grade. This way maturity level of the selected sample of organizations is presented (Table 2) and a comparison to the global BPM research is made (Table 3).
There was no intention to prepare this preliminary study in greater detail by including analyses by country, industry or size of organizations. This would form part of further research.
3.2. Research results
Less than 20% of all the research conducted on ISO 9001 effectiveness is dealing with disadvantages, negative effects, issues and non-realized expectations of ISO 9001 implementations, such as bureaucracy, a lot of people engagement, costs and superficial integration . Thus, instead of operating effective process planning and control following the “Plan-Do-Check-Act” loop, some additional general process-related documentation is prepared just for the sake of the audit and not for being used at work. In such cases QMS is not perceived as a tool for managing processes, but as a tool for handling documentation. This way it may boost bureaucracy and become a burden for the company. The important role of better managed processes is recognized (see Section 2.1). The results of the empirical part of this research show the level of practiced BPM in certified organizations.
The structure of the analyzed ARs and the related audited organizations in Table 1 shows that the structure of the selected organizations is quite balanced and in some relation with the structure of the certification business of SIQ. They came from different industries and also from the public sector. The data about the size of organizations was not found in the ARs, so this data could not be presented. A total of 17 organizations (= 35% of them all) were certified to some other standards as well. Most frequently these standards were ISO 14001, ISO 13485, BS OHSAS 18001, ISO TS 16949 and ISO/IEC 27001.
Two-thirds of ARs were from control audits, 15% of them represented certification audits and 18% of them included re-certification/surveillance audits. Two organizations came from IT services, what may be important for the analyses of practiced IT facilitated BPM in the audited organizations.
The number of organizations from the analyzed sample earning each level of BPM maturity and the number of their recorded shortcomings (non-conformances and recommendations) in the ARs is presented in Table 2.
As expected from the ISO 9001 focuses in the last years (after the year 2000) the majority of organizations earned at least grade 3 in almost all the documented criteria. That means that the majority of the audited organizations (more than 79%):
had their processes documented (criterion C1);
had their process objectives set and regularly reviewed in accordance with the organizations strategic goals and values (criterion C3);
had the performance measures for the core processes set and the processes measured (criterion C4);
established systematical and effective process improvement mechanism (criterion C9). It should be commented that C9 was broadly established (in 92% of the organizations); however, it was mostly used to only set and follow corrective actions from the audits (in 48% of organizations – the organizations with grade 3).
There was a lack of information in ARs on the extent of standardized procedures and on following their rules in praxis. If only the assessed share of organizations (organizations providing information on this criterion) is taken into account, this criterion (C2) is also covered very well (almost 90% of them earned grade 3 or more).
In ARs, there was also a lack of information on the IT support to the QMS and its BPM. There is no requirement about it in ISO 9001 and probably also from the certification body itself. Only some general information on it was provided in a good half of the reports. Besides, this information was short and not much informative. This criterion (C5) attained the worst grades. 42% of ARs included no information on it, 57% of the rest had at least some support identified from the ARs at grade level 3 or more. Grade 3 means a step more than just using office tools like Word and Excel. At this level, data and document sharing and group work through the common IT network of the organization are enabled and facilitated.
For each criterion (C1–C5, C9) the number of findings (non-conformances and recommendations) is presented, as well. It varies between 1 and 30 findings per criterion (see Table 2) for all the 48 audited organizations. The highest number of findings was related to the process documentation (C1) and the lowest one to IT support (C5).
There was no information in ARs related to the knowledge management, training and use of data for decision-making (criteria C6, C7, C8). Occasionally, some corresponding information was given in some reports, but it was not a general report content that could be analyzed.
The comparison of results (see Table 3) from this case study and the global BPM research (see Section 2.3.2) comparing the chosen criteria (C1–C5, C9) shows much better grades and thus, a higher level of BPM maturity of the organizations contained in this study regarding all the criteria but one (C5).
With regards to the global research the majority of the organizations (52%) earned grade 2 (= some organized processes indicating very low maturity) (see Figure 3); in this case study organizations performed at least one grade better.
It is worth noting at this point that the highest shares were gained at grades 3 and 4. Besides, all the shares for the grades 3–5 were much higher in certified organizations (72% in average) than in the global research (40% in average) (see Figure 4). Consistent IT support (C5) was the only criterion that could be performed at lower maturity level in our analyzed organizations than generally (upon the data from the global report). However, this can not be claimed yet due to a lack of the data on the ARs.
4. Discussion, research implications and limitations
In view of the above, it may be stated that ARs are very condensed giving only short information and basic facts on meeting the requirements of the standard. As a matter of fact, that was their basic aim. In the ARs also the identified shortcomings were recorded in the form of non-conformances (if the requirements were not met) and recommendations (if there was identified room for improvement). Therefore, the records in the report were generally not descriptive enough to show the maturity level of a specific criterion. Sometimes, it was possible to identify it from the AR, sometimes not. Some topics (on knowledge management) were not covered in the ARs at all (the corresponding fields are empty and shadowed in the Table 2). Additionally, ARs could not give the complete picture of the QMS operation and the managed processes in its frame, because they were based on a sampling method.
Evident differences in BPM maturity levels among countries and industries were not noticed in this case study; however, this was not statistically tested.
A comparison of results of the case study with some global research on BPM (presented in Section 2.3.2) shows (see Table 3) that BPM is more mature in the audited (= ISO 9001 certified) organizations than generally according to the analyzed criteria (C1, C2, C3, C4, C6). That global research involved organizations from all over the world regardless of their ISO 9001 certification or implementation, however, the sample in this case study included only ISO 9001 certified organizations.
Non-existent or incomplete information on criteria C2 and C5 in 42–48% ARs disabled making a complete maturity assessment for these criteria for all the organizations. At this stage the grades for these two criteria are not final, yet. The real maturity level in the analyzed sample might be higher.
4.2. Implications for practitioners
Some room for improvement is recognized in IT support to ISO 9001 certified organizations from this case study. General global BPM research (see Table 3) shows 97% of organizations having at least some kind of IT support to BPM (grades 2–5), while in this case study only 45% of organizations were IT supported. Slovenia is an IT developed country similar on one hand to other EU-countries, as well as to non EU-countries .
As IT support and IT systems are an important element of BPO (see Sections 2.1 and 2.4) that contributes to operating BPM and QMS more effectively and efficiently such approach could and should be more encouraged by certification bodies who have an important role in QMS development in the organizations.
As such – and based on the findings presented herein – it may be stated that certification bodies do not systematically follow the elements of QMS and BPM that are not explicitly required by the standard but make the QMS more effective. Similar findings were identified in some other empirical research, too .
In view of the above, a number of questions may appear:
“Do auditors pay any attention to such elements (like IT support)?
Do they give any initiative to the audited organizations for improvement in that field and in which form?
Are the auditors properly skilled to see the IT integration gaps?
Where can organizations get proper guidance on the IT and QMS integration issues?”
It is worth mentioning at this point that this case study did not reveal any information or even hint pertaining to IT support to the QMS (criterion C5) in 20 of all the 48 analyzed ARs. In other ones some solutions were explicitly or implicitly mentioned when describing some parts of the QMS. Many times only use of office tools (6 cases) and document sharing through the company network (6 cases) were reported (see Table 2). In other 16 cases, different levels of use of company IT business solutions were reported as a support to the company process and project management.
The attractiveness of ISO 9001 QMS for organizations may be related with their added value. The research shows that the certification has probably reached the saturation level and became less attractive as a sign of quality . Certification bodies could help raising the value of ISO 9001 QMS and certificates among their users and in general, by motivating organizations for making their QMS and BPM systems more effective and more efficient. The audits could broaden their focus also to BPM maturity and give messages (recommendation) for BPM improvement. This is probably not a general praxis, yet. The reported findings in ARs, their focus and the number of them might indicate what the main focuses of the audits are. In the case of this study the highest number of findings (30 recommendations) was reported on documentation and the lowest number of findings (1 recommendation) was focused on IT support to the QMS. It is worth noting that this only one recommendation addressing IT support did not come from ISO 9001 audit. It was related to the audit of ISO/IEC 27001 information safety system that was audited at the same time and documented in the same AR.
When implementing the QMS and its required BPM the mindset and professional knowledge of consultants, auditors and certification bodies is very important . They are the first contacting point for the implementation of QMS, so a positive attitude to the use of IT support and some knowledge and experience in this field would be expected from them. It is the author’s view that knowledge may be further empowered as this might act as a barrier to foster QMS BPM and IT integration. As such, it could be argued that the provision of proper courses, trainings, properly skilled consultants and auditors could help to improve it.
Some considerable advantages may be gained already by filling gaps where necessary and integrating IT systems with risk management, process control and QM in mind. The improved procedures and processes will not only provide compliance, but will also reduce cost, improve product quality and ultimately improve customer satisfaction and the bottom line .
Additionally, the suggested QMS BPM and IT system integration is in line with the current trend of digitalisation in the 4th Industrial Revolution. It will also contribute to better common attitude to the ISO 9001 which is still often considered as bureaucratic.
4.3. Implications for researchers
This research calls for further investigation of the addressed issue. There is a lack of research on integration of IT and BPM as a part of QMS. Only some reports from praxis on IT facilitated QMS cases and only a few research papers dedicated on linking of QMS and IT were found. The one of them that best discusses the issue was already 20 years old . Only a few papers were found addressing the issue in some part. For instance, among 86 papers found in the period 2001–2012 regarding the use of ERP, no papers were found on supporting QMS by ERP .
There is still much room for improvement in the field of use and integration of BPM and ERP with the QMS. The new standard ISO 9001:2015 is more open to it, requiring just the evidence of realized requirements and no extra documentation therefore.
Some more empirical research is called for to identify the praxes in organizations, the reasons for the recent downsizing of the use of BPM tools and low integration of IT support and BMP as a part of QMS in the companies, expected improvements following the new standard and possible obstacles on this way.
4.4. Limitation of the research
This empirical research is just a preliminary study. It has a limited sample and period of observation. Additionally, the ARs are not informative enough to make more deep and complete analysis on the addressed issue. Some other sources of information should be used for deeper analysis, such as dedicated questionnaire survey and interviews with different groups of stakeholders involved (certified organization, consultants, auditors, certification bodies). On more detailed and advanced level of such a research also special site visits at organizations (like focus-related audits) would be called for.
5. Conclusion and further work
Effective management of the identified business processes in the company should be a core ingredient of an effective ISO 9001 QMS as required by the standard since the year 2000. The latest revision of the standard ISO 9001:2015 enables better effectiveness and easier running of the QMS and it required process management by becoming more business oriented and more flexible and less demanding regarding documentation.
Following the objectives from the “Introduction” the research lead to the following conclusions:
The review of requirements of ISO 9001:2015 shows that the requirements on process approach call for IT support; in particular, the process management requirements of the standard match with the BPM characteristics. The latter is prone to IT implementation and development. Proper software solutions exist and they are applicable and affordable also to SMEs;
In many cases, QMS is not properly implemented. In such instances, it is incorporated as an inefficient and bureaucratic paper-driven parallel system, running separately from the real business management system that is mostly IT facilitated (by ERP, BPMS, DMS, WFMS, BI, solutions). This study shows that the elements of BPM are practiced more frequently and at higher level in organizations certified according to ISO 9001 than generally in organizations. The level of maturity 3–5 on a 5 level scale for the assessed criteria in the analyzed group of certified organizations was attained at 72% of organizations (in average). In general, this level was reached at 40% of organizations (in average) only;
Integration of the QMS BPM and IT system would make running the ISO 9001 BPM much easier, more effective and less costly to maintain. As such, the QMS requirements are more visible to everyone in the company, easier to understand and to follow by the employees and easier to control by the management. It is the way to make QMS more embedded into everyday operation in a very natural and effective way. It also prevents splitting QMS from operation management system and boosting bureaucracy. Nevertheless, there may be some barriers and disadvantages related with the integration, such as making QMS implementation more complex. Moreover, BPM performance and ease of use is to some extent dependent on the proper functionality and performance of the IT support;
As evidenced from this research, ISO 9001:2015 gives no requirements or guidelines on use of IT support to the QMS, nor to the BPM as its vital part. Moreover, the literature review showed little research on integration of the company QMS and IT system. Only some specific aspects of such integration can be identified in the literature. However, no holistic analysis of the possible integration of the ISO 9001 BPM with the company’s IT system was found. Some praxis may be evident only through some professional IT presentations and reports. This case study shows that there is not much attention given to the IT support in ARs of a certification body, neither in the body of the reports nor in the involved recommendations to the organizations. Despite a lack of such information, some sort of IT support was identified at 45% of analyzed certified organizations. This is much less than 97% of organizations reported generally in global BPM research;
The objective of such integration should be only one integrated and more effective IT the same information at the same time at the same place to all the eligible participants and requiring as little as possible additional paper work. The data for running the QMS shall be provided and shared through this very system in the same way and in combination with other business and operation data. Such approach should be encouraged through all possible channels.
It may be concluded that integration of ISO 9001 process approach including BPM with business IT support is possible, feasible and rational. To do it, the role of consultants, auditors and certification bodies as the first contacting point in QMS implementation and certification process research. They should give stronger initiatives, guidance and support to the organizations on facilitating QMS with IT and integrating them. A lack of knowledge, experiences and cooperation of all involved parties (internal and external ones) in BPM implementation is identified and should be overcome with a proper guidance, trainings and information exchange.
Some more detailed study of the praxes in the certified companies, especially under the conditions of the new standard ISO 9001:2015, is called for and could be a subject of further research.
I would like to express my gratitude to the “SIQ Ljubljana - Slovenian Institute of Quality and Metrology, Ljubljana” for cooperation in this research. Especially I am grateful to the manager of Management System Department Mr Miloš Seražin who was willing to share the Institute’s internal data for the sake of this research. I would also like to thank all his colleagues at the Institute who helped me at the data collecting.