Auditing ISO 9001 around the world
The value provided by third-party ISO 9001:2000 registration (certification) has been questioned, say Ian Rosam and Rob Peddle. This is equally true for registration against most other standards and frameworks. Registrants across the world are talking with their chequebooks, moving away from registration unless they need it to operate within their market sector. Many of those who keep their registration are challenging their registration bodies (certification bodies) to increase the value or reduce the cost.
There is strong evidence that some of the traditionally highly supportive heads of supply chains, like government departments, are also putting the industry ‘on notice’ to improve. The pressure is therefore well and truly on for change – a change that registration bodies have been unable to bring about in the seven years ISO 9001:2000 has been in existence, despite the 2000 version of the standard requiring significant change from its users.
For many, ISO 9001:2000 registration has been seen as a commodity purchase, driven by the day rate business model that the industry operates – there is little differentiation between the various registration bodies. Most have adopted the 'man-day' approach, quoting as 'lean' a man-day rate as they can, in order to get the job. By doing this, they can adequately demonstrate that they are applying their interpretation of guidance on the number of auditor days required, which seems to be their main concern. Although for many clients cost has been the differentiator between registration bodies, choosing the lowest day-rate has not always provided the lowest real cost – and very rarely the best value.
So, how do registration bodies need to get out of this downward spiral? There are a number of specifics that we believe are needed to rejuvenate the market and deliver the value customers demand:
Audit the real world
A management system can never be fully documented – maps, documents, records and so on are not the real world, they are only pictures of that real world. Registration bodies need to stop auditing bits of paper and start auditing people’s behaviour that drives what actually happens. Over the past seven years registration bodies haven’t changed their auditing approach, but to survive in the future they will have to.
To audit ISO 9001:2000 for both compliance and effectiveness, auditors need to understand marketing, business planning, sales, change strategies, human resources, IT and so on. However, most do not have the experience necessary, and the low cost, commodity-driven model that registration bodies currently employ, ensures that this will never happen. Even worse, registration bodies impose the language of standards, talking about corrective action and quality management systems instead of real world business language that managers use. Questions such as: ’What is your management system?’ simply display a lack of understanding of what a management system actually is and how it is used.
Provide audit reports that identify risk profiles
Text-based audit reports typically provide pages of description of what has been looked at, detailed tactical findings and non-conformances. Will they really grab the attention of the management team, who are there to deliver business performance and manage risk?
Audit reports need to be transformed into ones that provide strategic risk-based information related directly to the organizations objectives (see figures 1, 2 and 3 for examples). They need to help management understand where they need to focus in order to reduce the risk of them not achieving their business objectives. Clause-based non-conformances are important, but only to a limited audience.
 |
|
Click on diagram to enlarge Figure 1 – Performance against performance drivers |
 |
|
| Figure 2 – Identifying risk by sub-clause: overall they comply but where is the risk? |
Clause Number |
Clause Title |
Overall Percentage Score |
4 |
Quality management system |
42.1 % |
5 |
Management responsibility |
40.7 % |
6 |
Resource management |
44.0 % |
7 |
Product realisation |
44.7 % |
8 |
Measurement, analysis and improvement |
34.6 % |
Figure 3 - The big picture: do they comply? Where should improvement be focused
Provide audit reports that offer challenging improvement ideas
An audit report confirms that an organization complies with a standard may give you the badge – but not a lot more. Having created a management system that complies is just the start of the journey, the foundation from which to build. Providing audit reports that stop here are of little benefit to those who want to truly improve or strive for excellence.
Audit reports need to show how the organization matches up against current good/best practice, something that is well beyond mere compliance with the standard. It is this gap between compliance and good/best practice that is the improvement opportunity that the management team can work with to create their competitive advantage. How the organization performs against current best practice application of the eight principles of ISO 9001:2000, for instance, will do a lot more than understanding whether they comply with its individual clauses (see figure 4.1 and 4.2).
 |
|
| Figure 4.1 – Auditing ISO 9001 |
|
Figures 4.1 and 4.2 – Results against drivers of performance: in this case the eight quality principles plus other business issues.
Internationalization of business
Supply chains and international businesses operate across global boundaries, across time zones, where organizations with different cultures work together to deliver products or services. How is this to be audited? Traditionally, each part of the chain would be audited separately and somehow the results patched together. At best, this approach only gives individual tactical pictures of each individual part of that chain. What really counts is identifying the strategic risks to the whole chain of activity. The chain has to be audited as one, taking into the account the unique culture of each part, their language and impact of their individual behaviour on the overall performance of the chain, not just their own individual local performance. How are registration bodies to do this using traditional approaches?
What is needed is to define the drivers or objectives for the chain as a whole, then adopt a behavioural-based auditing approach where all evidence gathered is focused on the delivery of those objectives, providing a strategic risk profile that managers can work with. Of course the first three points in this article also apply – do the registration bodies have the management skills or auditing approaches needed to provide this higher level of service?
Figure 5 – Getting a cross-country view and involvement
So, for third party auditing to survive:
- it needs to meet these challenges and many others.
- it needs to address its own customers’ needs rather than continue to be internally focused.
- it needs to adopt new tools and techniques that can provide what customers actually demand, not what they can provide with their out-dated techniques.
In reality, the whole industry needs to quickly reinvent itself or become the dinosaur many already think it is.
If you want to know about registration bodies that we have identified who are facing up to this challenge, and actually doing something to change the status quo and add more value, then please feel free to contact us.
About the authors:
Ian Rosam and Rob Peddle – from The High Performance Organisation Group
 |
 Give us your opinions now in the Online Forums. |
