Continual Improvement, Nonconformities, and Corrective Actions | Interview with Carlos Cruz
Welcome to the Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple Podcast. Today's guest is Carlos Cruz, and he's the founder of a consulting company called Metanoia, based in Portugal, and he's also the main ISO 9001 and ISO 14001 expert at Advisera.
Dejan Kosutic: He's been in the consulting business for thirty-five years now and has performed more than 100 consulting jobs and close to 100 certification audits. So he has lots of experience with best practices and with continual improvement with various management systems. So in today's podcast, you'll learn what the various methods for continual improvement are, how to deal with nonconformities, and what the process of corrective actions is, not only for quality standards, but also in the context of cybersecurity. So, welcome back to the show, Carlos.
Carlos Cruz: Thank you for having me, Dejan. Thank you for having me.
Dejan Kosutic: Great to have you here again. We've already had quite a few of these podcast episodes, and yeah, very, very useful advice that I've heard from
Carlos Cruz: It's always a pleasure to talk with you.
Dejan Kosutic: So, tell me, what is this continual improvement according to ISO standards?
Carlos Cruz: So, continual improvement. When we look at ISO standards, we always see in the first pages of the standard the Deming cycle, the improvement cycle, the PDCA cycle. So that's the improvement cycle. And so continual improvement is the turning of the cycle, every turn of the cycle. Okay, so it's a systematic improvement of the management system in several ways. There's a saying that I like to use in my consulting practice because it's from a Portuguese football manager who once said, "What is true today, tomorrow is a lie."
Carlos Cruz: And in business or with a management system, it's really that, okay? So performance today is okay, it's enough, but next year, because the context changes, because competitors are more demanding, because customers are more demanding, we need to improve, and continual improvement is that, okay?
Dejan Kosutic: Okay. But what exactly, what kind of actions are really continual improvement? So, how do we actually continually improve?
Carlos Cruz: How do we actually continually improve? So, for example, if you have a management system and if you do some kind of monitoring of the performance, okay. So, you have some kind of metrics and you don't like the performance. So if you don't like the performance, we need to improve. And so what we do is follow that PDCA cycle.
Carlos Cruz: So it's something like, okay, what is behind the current performance? Where do we need to make changes? So normally what we do is something like, for example, sorry for using an example from quality, but if we want to reduce complaints, what we do is look into all the complaints and see, oh, 20% or 30% of the complaints are just because of one particular reason: wrong invoices. Now the next part is, why do we have wrong invoices? So we go after the root cause, and when we find the root cause, then we change something in the system. We change it in order to remove that root cause, so that in the future the probability, the possibility, of making errors in invoicing again becomes lower.
Carlos Cruz: So that's continual improvement. So when we speak about continual improvement, it's like, and sorry for using an example from quality, so using the example of complaints. If we want to reduce these, we have an objective of reducing the number of complaints. What we do is go and look into the data, do our analysis, and realize that, okay, 30% of the reasons for complaints are, for example, errors in invoicing.
Carlos Cruz: Now we focus our attention on errors in invoicing, and what we do is go after the cause. We go after the root cause. What are the main causes, and what are the most important causes for generating these errors in invoices? And when we find the root cause, what we do is make some change in the system to reduce the probability of that error occurring again. That way, if our action is effective, okay, the probability of errors in invoicing will come down, so our performance will improve, and that's an example of this continual improvement.
Dejan Kosutic: Okay, but so you mentioned root cause analysis, you mentioned, let's say, improvements in a particular process that needs to be fixed, but is there anything else that is normally a part of continual improvement?
Carlos Cruz: What do you mean by that?
Dejan Kosutic: So, continual improvement for me is, I would say, a kind of top-level concept, right? And I assume that you can continually improve a system not only by using, I don't know, root cause analysis, but also by some other methods.
Carlos Cruz: Yeah, okay. Continual improvement is like a culture, okay? It's like a culture, so we can improve because we have a problem, but we can also look into opportunities. So just because we have new technology, okay, and oh, if we use this technology, we can reduce cycle time by X minutes, or wherever, a response time that is much shorter. And so that's improvement not because of a problem but because of an opportunity. So yep, that's it, or sometimes what happens is, for example, a company receives a message from a customer saying, oh, I love this thing that one of your employees did for us. It's, oh, thank you very much, and people in the company look at this and say, oh, we can do this; this was something done just by accident. We can start doing this systematically.
Carlos Cruz: And now what we do is formalize that; we train people to do that. And so that's not because of a problem, but because of an opportunity, because of feedback that you receive, positive feedback. So it can be because of, for example, an audit. It can be an audit. It can be because of, for example, a regulation: we know that a regulation will come in the future, and so instead of waiting for it to be mandatory, to already be law, we can start working to try to do that, to improve that.
Dejan Kosutic: Okay, great. Let's focus a little bit on these nonconformities and corrective actions, because in many cases companies are actually focusing on those when speaking about continual improvement. So, what exactly are these nonconformities, and what is the connection between nonconformities and root cause analysis?
Carlos Cruz: Okay, so if I use the ISO definition, a nonconformity is, okay, something that isn't okay according to some specification or to what we were expecting. Okay, so something that is not according to that specification is a nonconformity, okay? So if we say, for example, if we have a service level agreement that says that we need to answer in ten minutes, if we answer in eleven or twelve, more than ten minutes, we can say that that is a nonconformity. So it's a nonconformity, and a nonconformity is something that we need to eliminate. We need to eliminate that nonconformity. We act, we do what we call a correction, and the correction is the removal of the nonconformity.
Carlos Cruz: And sometimes that's enough, okay? It's like if you're sick, in the sense that you have a temperature, okay? Or a headache, okay, we take a pill and it passes. It's a correction. But if the next day again the headache, again the temperature, oh, okay, something is wrong here.
Carlos Cruz: So if there is some kind of recurrence, something that happens again, it seems, okay, now perhaps it's better to investigate what is behind this, and in that case what we do is start an investigation. We start the investigation of what is behind this, and normally that is when we go to the corrective action. Now, one thing is that we shouldn't do a corrective action for every nonconformity. What we need to do, what is mandatory when we have a nonconformity, is to eliminate the nonconformity and handle or manage the consequences of the nonconformity. And then, after that is done, we need to decide, we need to evaluate: do we need to go further?
Carlos Cruz: Do we need to investigate? Because sometimes it's something that happens once per year. Okay. And that's not relevant. Okay.
Carlos Cruz: It's okay. But if it's something that, the most important is this recurring, it's happening again, happening again with some frequency, that's an invitation. Now, we need to go after the root cause. We need to go after the root cause, because corrective action is removing the root cause.
Dejan Kosutic: We'll come to the corrective action in just a couple of minutes, but let's focus now on this root cause analysis. So, do these ISO standards require root cause analysis for each nonconformity or not?
Carlos Cruz: It's like this. So, if you read the ISO standards, what the ISO standard says is that we need to act on the nonconformity, and then we need to evaluate if we need to do the corrective action, okay? If we need to go after the root cause, okay? Because again, in a system we have what we call normal variation, and we have abnormal or assignable causes working, and when we know we have normal variation, it's a mistake to make changes in the system. So there's an interesting experiment that people can find on the internet.
Carlos Cruz: It's called the funnel experiment, from that quality guru from the '80s, Deming. So this Deming funnel demonstrates that a normal system always has variance, okay? Variability. And so that variability is controlled; it's just normal. And when we mess with a system that is in a normal state, we introduce more variability, and that's wrong.
Carlos Cruz: It's called tampering with the system. So we need to evaluate: do we really need to make changes in the system? Because if we do that for every nonconformity, we'll be changing procedures, we'll be changing, altering this, altering that, and then the system becomes very complex. So, we need to evaluate, do we need to? So when I work with a company and when I develop the documentation, I always invite them, after removing the nonconformity, after managing the nonconformity, to ask two questions. The first question is: is this systematic, or just something that happens from time to time?
Carlos Cruz: If the answer is, no, it's systematic, then we need to go and do root cause analysis, because it's something that is happening very, very much. The other one is: it's not systematic, but it's something that may be very damaging for our brand or for our reputation, or, for example, may put the lives of people at risk. So, okay, in that situation, it's also relevant to go after the root cause.
Dejan Kosutic: Okay, so let's say in the context of cybersecurity, if there is, let's say, a large incident, or if there is, let's say, a large nonconformity related to, I don't know, non-compliance with a particular law or regulation, then this would probably require root cause analysis, right?
Carlos Cruz: Yeah.
Dejan Kosutic: Now, what is basically the best method to really uncover this root cause? So how do you actually arrive at the real root cause?
Carlos Cruz: Okay, so I started working with these topics even before ISO 9001. So my background is in the Japanese techniques that they used. For me, the best approach is first, even before the root cause, as in that example of the complaints I gave before, to decide where to focus, and that is to use Pareto analysis. So, for example, for cybersecurity incidents, we want to reduce the frequency of incidents. So if you classify the incidents by reason, then you can make a distribution, what they call the Pareto distribution, and you can realize that you have 20 reasons, but from those 20 reasons there are two or three that represent the most frequent.
Carlos Cruz: So you focus your attention on one or two. Now it's the time for going after the root cause, and for the root cause it's, okay, using what's called the fishbone diagram, or the Ishikawa diagram. So these are some of the examples that I like to use. When the system is more complex, I also like to use some approaches related to what is called the theory of constraints, where we can, it's not so linear.
Carlos Cruz: So the fishbone is much more linear, but sometimes, as they say in English, some organizations have a wicked mess. Okay, because it's so difficult; there are so many things interconnected. So in those situations I like to use that approach, but basically the most common is going with this Ishikawa diagram, so the fishbone diagram is the most common in this kind of situation.
Dejan Kosutic: And how about this asking the five why questions, so basically the method of asking why five times? What about this method?
Carlos Cruz: Yeah, the Five Whys is what's behind this fishbone diagram, because, yeah, if you ask the why question five times in a row, people will say, okay, why? So, for example, one of the things that I as an auditor see and I don't like, I think it's one of the biggest mistakes or biggest errors that I see about continual improvement, is when people are doing corrective action and they say, oh, the cause is human error, and they stop there. And so I say, oh, come on, human error? Because human error is an excuse. Human error is so good for companies, because the guilt is not in the company, it's in the worker. So the mistake was made by someone and you say that it is human error, but why?
Carlos Cruz: How can your system work? What is wrong in your system that allows the worker to start working in a particular job without having the necessary training? Okay, so why? Okay, why does this happen? And then people say, oh, because of something, because the training was not so complete, or because there was no evaluation, and you say, why don't you do an evaluation? And then if we do this five times, this why question and answer five times, we will arrive at something that is very tangible, that we can manage.
Carlos Cruz: In a car, in Europe we use it, but in the United States no, an automatic car, no, but when we have, so, to change the gears, it's something that you can act upon, okay? It will have an impact, a tremendous impact, on the cause of the problem. So yeah, it's that. So these five whys, okay, yeah, that's this Ishikawa diagram.
Dejan Kosutic: And basically this enables you actually to dig really deep into the cause of the problem, right? Like this. Okay.
Carlos Cruz: So that Ishikawa diagram invites us to ask five different questions. So, for example, problems with, it's the five Ms, so it's manpower, so people, okay, maybe the problem is with people, maybe the problem is with materials, maybe the problem is with monitoring, maybe the problem is with machines, probably maybe these five whys, and then we say, okay, about people, what can go wrong, or why do you say that people or manpower is a problem? Oh, because of lack of training, or because they are not aware of it. Or why are they not aware of it? And then you go, okay, into these different branches of this diagram. Okay.
Dejan Kosutic: Okay, good. And how do you actually, let's say, stimulate the companies to go beyond this first why and actually ask these questions many times? How do you actually develop this culture, that they really try to find, that they really dig so deep to find the root cause?
Carlos Cruz: It's not easy. That's why so many companies decide that the root cause is human error, because sometimes it really is demanding. When I started to work with this, there was a metaphoric image that was presented, and I still use it when I provide training on these matters: the onion. When you see an onion, you have a layer, and then you take off another layer, another layer, another layer, and then finally we get to the root cause, and the root cause is very, it's buried behind or below, okay, several layers, okay? And so it's not easy. So when I'm working with an organisation, what I do is, okay, make them answer again and again and again.
Carlos Cruz: So is this something that we can act upon? Because sometimes they say something where it's, okay, we cannot act upon this. Oh, it's the weather. Okay, can you change the weather? No, you cannot change the weather. Okay, so no.
Carlos Cruz: There's an example that many years ago I saw in a movie, and I never forget it. So it was something like this; it shows people how to do it. So there was a monument in the United States, okay, in Washington DC, a monument, and the monument was becoming very degraded because people were always cleaning the monument with soaps and things like that. Because, okay, now, okay, we need to reduce the frequency of cleaning of the monument. Why are we cleaning the monument so many times? Okay, because there are a lot of bird droppings.
Carlos Cruz: Okay, we cannot, tourists don't like to see these bird droppings. Okay, so why do we have so many bird droppings here on this monument? Oh, they investigate? Okay. Oh, because there are a lot of spiders.
Carlos Cruz: Why do we have so many spiders on this monument? They investigate? Oh, because there are a lot of mosquitoes here. Why are there so many mosquitoes? And then they say, oh, because at this particular monument the big lights, okay, are turned on very early, and so the mosquitoes come here. Oh, okay, so if we turn the lights on later, not so many mosquitoes will come, not so many spiders, not so many birds, not so many bird droppings, not so much cleaning. That's the five whys, and arriving at something that we can manipulate very easily and that has an impact on the problem.
Dejan Kosutic: Okay, this is a very good example. Okay, and who is usually the one in the company to report nonconformities?
Carlos Cruz: So if we think in terms of quality, there are two kinds in a quality management system that are normal, and there may be some differences for cybersecurity, okay? But there are two kinds of nonconformities. There are the nonconformities related to what we are making, the product, and then there are nonconformities related to performance, like indicators. So one thing is, a nonconformity can be, for example, oh, the cycle time is much, it's bigger than what we have as a target. So we need, our system is not so, our production is not so efficient. So we need to improve in order to improve our efficiency.
Carlos Cruz: So that's one kind of thing. So some nonconformities will be handled by the quality manager, and some nonconformities can be managed by a process owner or department manager.
Dejan Kosutic: But who is actually the one to report the nonconformity, that there is a nonconformity?
Carlos Cruz: So if there is a nonconformity, all management systems demand that the nonconformity must be recorded; it must be recorded what happened.
Dejan Kosutic: Because from my experience, basically anyone in the company should report a nonconformity, so it's not like it's reported only by, I don't know, a manager or, let's say, an auditor. This can be done by anyone who sees that something is wrong.
Carlos Cruz: Yeah, on an assembly line, for example. You know, I live in Porto, so the land of Port wine. So, the wine cellars are, I don't know, five kilometers from here, from where I am. And so once I worked with some Port wine producers, bottlers, and one thing is that the person who is checking that the labels are okay, so that person, if the label is not okay, that person has the authority to remove the bottle from the assembly line, and then records it, because they want to have an idea about the frequency of this. It's not, this goes against efficiency. Okay, so if it is within certain limits, okay, no problem.
Carlos Cruz: But if it goes, okay, most of the bottles are not okay. Okay, we need to check the maintenance, what's happening. Yeah.
Dejan Kosutic: Okay. Because very often, at least in ISO 27001, companies perceive that it is only the internal auditor who raises the nonconformities, right, which is basically a wrong perception. Because everyone in the company should raise a nonconformity, because this is ultimately the best way to resolve a thing. Because this is how you transparently actually show that there is something wrong that needs to be fixed.
Carlos Cruz: Yeah. Okay, so you work mostly with cybersecurity people. So I remember last September working in a company, a manufacturing company, so in the pharma industry, and I was working with the IT manager, and he told me that during 2025 the number of incidents, in terms of attempts to enter the system, went up by, I don't know, I don't remember, I think, I don't want to lie, but something like 200% or something like that. So in those situations, of course, anyone could be a kind of lurator and be aware that there is a problem and that they need to inform, because it's learning about what's happening with the system.
Dejan Kosutic: Now let's switch to corrective actions. So, basically, from what you've said before, a company does not need to go for a corrective action. They can actually choose or decide whether they want to raise a corrective action based on a nonconformity. But before we go into this, you also mentioned corrections, right? So what is basically the difference between corrections and corrective actions?
Carlos Cruz: So the focus of a correction is right now; it is restoring operations, for example, it is restoring operations. Corrective action is about the future, so we want to avoid recurrence. It's "protect tomorrow"; in some circles it will be "protect tomorrow", and correction is about restoring operations. It's like when we have a cut, just put a band-aid there; it's that.
Dejan Kosutic: So basically a nonconformity is about removing the root cause?
Carlos Cruz: Correction is about removing the nonconformity, and corrective action is about removing the cause of the nonconformity, and if we remove the cause of the nonconformity, it's like raising a new barrier that will reduce the frequency or the probability of that nonconformity happening again. So, that's the difference between the two.
Dejan Kosutic: Yeah. So, if I can use an example, let's say, in cybersecurity, let's say the company finds that people are not following a certain, I don't know, backup procedure. So, basically, a correction might be that, you know, the company or the CEO orders everyone to, you know, let's say, read the procedure again, right? So this would be a correction, but a corrective action might be that they actually ask these five whys: why are people not following the procedure? And it might be that, you know, the procedure is not realistic, that it doesn't really follow the little technology, that it doesn't make sense, that people are not trained, or whatever the reason is. And then basically, when they actually uncover the root cause, they can then, whatever, do the training or change the procedure or do something else.
Dejan Kosutic: So this would be, let's say, an example in cybersecurity. Yeah. Okay. Basically, what is the process that is described in ISO standards for doing these corrective actions? So what kind of steps do you need to take as part of a corrective action?
Carlos Cruz: So for corrective action, what we need to do is, okay, we already spoke about some of the steps, but okay, first we need to find the root cause. Then we need to study what's the best, in that language, countermeasure that we need to apply to remove that root cause, because normally there is more than one way, and what we do is study them: some are more expensive, some are easier to apply, some we think are more effective or faster. So what is the solution that we are going to apply? Solution or countermeasure. Okay, we decide, okay, let's implement, and we need to check if it is really implemented.
Carlos Cruz: So we need to control the implementation, because it's not unusual that people decide, yes, we will do it, and then no one does it, because I thought that it was you, no, I thought it was you, okay, no. And then even after that, we need to check that the action was effective, because sometimes, as I used to say, we bet on the wrong horse, and so it seemed that it was the root cause, but no. The system is speaking and saying, if the nonconformity is happening again, is recurring, okay, we didn't see any change in the frequency; that means that we didn't act upon the root, the real root cause. Okay, we need to go back to the drawing board and try to find the root cause.
Dejan Kosutic: And basically all the ISO standards require nonconformities and corrective actions to be documented. Now, from your experience, what is the best way actually to document these without creating, I would say, additional bureaucracy and without, let's say, strangling the companies while doing this?
Carlos Cruz: So that will depend from company to company, okay? Because, as I said, it's very easy on an assembly line, when there are some kinds of situations that an operator can see, and he marks a line there; there's a list of possible nonconformities and he marks a line, and that's it. And so he makes the decision right away, later he puts the mark there, and later someone, a manager or someone, will look into that data and will look into the performance, not just for that particular shift but for that day or for that week or for that month, and then they may take another kind of decision. So in terms of nonconformities, or in that case it will be about corrective actions. So what I mean with this is that I cannot tell you that there is a best way, because that will depend on each company.
Carlos Cruz: What I normally see is that if you have only one way to record nonconformities, that's not a good sign, because, for one, recording nonconformities in one department may be very easy in a certain way, like, for example, going into the computer, the software, and recording there, okay? Yeah, but in another place it may be much easier to record that in another way, and so it will depend on the department. So I like to see more than one way, so that there is the best fit for each situation, for each department and for any kind of problem.
Dejan Kosutic: Yeah, what I found with these, let's say, high-tech companies that we work with a lot regarding ISO 27001 is that they don't really prefer these kinds of corrective action forms, which are typically seen in, let's say, more quality management systems. Rather, they actually prefer to use some kind of ticketing system they already have for resolving IT tickets. Okay, so whenever, you know, they have a certain problem in an IT system, they typically raise tickets, but this same kind of system can actually be used for nonconformities and corrective actions. It's just that we have to introduce certain fields like, you know, what is the nonconformity, what are the causes, you know, who makes the decision about the corrective action, what the corrective action is, you know, follow-up. But if you introduce these fields into such a ticket system, then basically you already have everything in place.
Carlos Cruz: I have some experience of auditing some IT companies using that ticketing system, but with quality management systems, okay, and I've known them for quite a while, so I have some liberty in my language with what I say to them, and normally I say, "ah, you are not working so well", because they have several metrics, and one of the metrics is the time to close the ticket, and sometimes they are more concerned with closing the ticket, so with a correction, and so they call the correction the corrective action. Come on, guys, this is not a corrective action, this is a correction. Because, for example, I think sometimes in some webinars I use a drawing: when we have a nonconformity and when we need to correct it, I use an image that I drew of a firefighter, okay? Firefighting means urgency, so we have a nonconformity, we need to remove that nonconformity as soon as possible, because it's something that is, if someone didn't perform a backup, we need to do a backup as soon as possible, because something may happen. Do the backup, and after doing the backup, or after correcting the nonconformity, we need to again ask those questions: is this something systematic, or did it just, okay, happen?
Carlos Cruz: And if we answer that, no, this is something systematic, we need to do the corrective action, then time is no issue. So we are no longer with the time counter, we are no longer firefighting; we need to, like those television series of CSI, investigate, investigate this, investigate that, and that takes time. That takes time. But that ticketing, yeah, they use that, and it can be used correctly or it can be, yeah, when they have that problem with time to close the ticket.
Dejan Kosutic: Okay, it needs to be. Then if they do use such a system, then the timing actually should be measured differently, and different metrics should be used for the time to close. Yeah. Okay. Now let's switch topics a little bit towards consultants.
Dejan Kosutic: So when consultants work with their clients on various ISO standards, what should consultants do and what should they not do when it comes to continual improvement or corrective actions or nonconformities?
Carlos Cruz:So about non conformities, what I like to see is what kind of recording, what kind of records do you already have today? What kind of records do you already have? Because they must have something and normally they have, may not be perfect but already they have something because this is information that normally managers want to know and so that's my first is what do they already have, okay? What kind of records do they already have? Then what we can see is any information, do we need to add more fields okay for information or make things easier so for example sometimes for in manufacturing they may have two or three times, two or the same problem, the same defect or the same mistake or the same problem may be written, person A writes something like problem with material is missing, but another person comes and from the same problem will say something like, oh, lack of temperature or like, okay, so it's something like using the same legend for everyone.
Carlos Cruz:So everybody using the same legend. So something like that where can we make things much more easier to record to avoid that kind of mistakes so that's the other thing then the other one is okay it's about perhaps use an example of something that needs a corrective action and use that example as a case study to normally people don't know the good practices of how to do this focus of using the Pareto of using or for example another tool that is so important it's like just a simple humble histogram okay so something like that shows the distribution of things can be so easy to show for example that I remember so many situations when we make an histogram and you see okay, we have here two populations, two distributions, what is happening here? And so we realize that this, we have receiving information from two different machines or from two different operators and so, okay, it's not one system, it's two systems now, it's much easier, we can focus on, okay, it's just from this shift, not from the two shifts or the three shifts in the company particular, okay, so something like that, so use a real case develop following good practices to develop corrective action.
Dejan Kosutic:Okay, so if I understood well, can actually help our clients improve the process, give case studies to understand what is this about and what to do, But what consultants should not be doing with regards to non conformities or corrective actions?
Carlos Cruz:I must confess one of the things that I like the most is this investigation about going about the root cause so I like to investigate with them. Sometimes companies that I worked with them for, I don't know, five years ago, four years ago, phoned me and say, oh Carlos, we have your situation that we want your help. We want your help. Okay, so okay, yeah, well, great. So, it's not doing the job for them but it's doing the job with them investigating what is happening or what is because sometimes it's really really difficult you know when I was before being a consultant, I worked as a quality manager in a company.
Carlos Cruz:We were making PCBs, so printed circuit boards, okay, for automotive, for auto radios, automotive industry, and we had a big problem. One of the last operations of a printed circuit board is to dip the printed circuit board in molten solder, okay, 400 degrees Celsius, and so the ink makes a bubble inside and destroys part of the circuit board or something like that, and we investigated and investigated and investigated. We called suppliers to come with us, the manufacturer, to study and try to find it, and I couldn't find it. Two or three years later I was reading something, a magazine or something, and it was there, the cause. Okay, so yeah, it's like cakes, okay, it's the same approach as baking a cake in our kitchen: if the temperature at the beginning is too high, the initial layer keeps the solvents there. But it's just an example that it's not easy, so as long as I work with them, I like to help them doing that, so yeah.
Dejan Kosutic:Okay and what is the best way for a consultant actually to explain to a client why this continual improvement is important or why corrective actions or non conformities are important? So can you give an example on how to best explain to a client these things?
Carlos Cruz:So, there are two or three examples from my life. One example is to translate this into money. So, I worked for a company in the chemical industry where everything was sold, okay? Everything, even the product that fell onto the ground. It was a powder, it's a chemical, not cocaine, but it was PVC, so a polymer. Even the product that fell onto the ground, we cleaned the ground and that was used, but sold by a depot to make carpets for buses. Everything was sold.
Carlos Cruz:So when I made my reports to the general manager, he went to the warehouse and saw the warehouse empty and said, oh, Carlos is always exaggerating, and so on. And one day I worked with my colleagues on translating that into money, okay, because if you sell top grade, it's one price, if you sell off grade or second grade it's another, and I translated that into money. And when I showed that to the general manager, I never forget his words were, Carlos, you never told this to me. And I said, oh come on, I didn't say it, but in my mind I was thinking, oh, I'm tired of speaking with you about this. And so, translating that into money, okay. Another thing was, so I was quality manager in that company and attended some training courses, okay? There was no internet and so we went to training courses between companies, and so some of the people attending the course were from my customers, and I remember, for example, one of them phoning me and saying, oh Carlos, we have here a problem and we need, so we have to take care because the product is not so good, and so and so. And I always said to those guys, always said, please send them a fax with that.
Carlos Cruz:Really? You don't mind? No, please send a fax. Because if you don't send a fax, it's just me talking. But if it is you, the customer, okay, they will say, oh, this is important. So it's trying to, I don't know, maybe a regulator, maybe a customer, maybe someone that represents something, that managers will say, okay, this is important.
Carlos Cruz:So, it's another way of showing that.
Dejan Kosutic:Great. Okay, let's wrap up the discussion today. So, the last question: What would you recommend to companies? What are the top things to do if they want to continually improve their management system?
Carlos Cruz:So find what are the metrics, okay? What are the best metrics that are really relevant for you? So metrics, they can be about, normally I think in terms of efficiency or in terms of effectiveness. So these are the metrics. I would look into techniques for analysis, so study techniques for analysis, something like, okay, if you don't know what it is, study the magic of the Pareto analysis or histograms or, for example, one very simple thing that can provide us a lot of information is what we call statistical process control for individual values.
Carlos Cruz:Because people sometimes look into values, so they see the performance and it's a matter of if they are in a good mood, they say, oh, everything is okay. If they are upset, oh, everything is wrong. No, but there are techniques, very simple techniques, where you can make the process speak. Okay. And also sometimes people say, oh, everything is, the system is not okay.
Carlos Cruz:But when we look at that information with the statistical process control, we realize that the system is okay. What is not okay is the targets. The targets are very demanding and the current system cannot provide that performance that they want. So study those techniques, study those techniques for analyzing, okay? And then establish a routine.
Carlos Cruz:Establish some kind of routine for analysis of the opportunities for developing these corrective actions. I remember in the beginning, when I started to work with quality, that I saw some Americans that used something, it's very old, but I don't know if they still use it, but something called the material review board, something that represents a kind of discipline that from time to time we need to look into the information in a systematic way and decide, is there here any opportunity for improvement? Because, I don't know in other countries, but in Portugal, of the companies that I sometimes audit, some companies that are certified, I say, okay, oh, the number of corrective actions is so low, okay? It's so low, oh, come on. And corrective actions is a system showing that they can learn.
Carlos Cruz:Corrective action improvement is about learning. And so if you don't do corrective actions, your system is not learning. So those three things are really important for this.
Dejan Kosutic:Okay, great, and another thing that you said is actually that it's good to have corrective actions and recognize non conformities. It's actually a bad thing if there are none, right?
Carlos Cruz:Yeah, yeah, yeah, yeah. So no one believes, I as an auditor don't believe, come on, there are no perfect companies. Okay, there are no perfect companies. So if I find a company that says, no, we don't have any non conformities. That's not possible.
Carlos Cruz:That's not possible. Okay, no, there are. Okay, so that may be, they may not be lying, but that may be a sign that they are not using the right metrics or collecting information in the right places. Because? Yes. Yes.
Dejan Kosutic:Great. Okay. Thanks Carlos. And thanks for these insights. It's been a pleasure talking to you.
Carlos Cruz:Okay. Thank you for the conversation. Bye.
Dejan Kosutic:Yeah. Thanks again. And thank you everyone for listening or watching this podcast and see you again in two weeks time in our new episode of Secure and Simple Podcast. Thanks for making it this far in today's episode of Secure and Simple Podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living.
Dejan Kosutic:On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. White label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and others, enables you to organize training and awareness programs for your clients' workforce.
Dejan Kosutic:Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today, stay safe!