Biggest Mistakes with ISO
ISO 9000 has a fairly bad reputation. There are many reasons why this occurred but one of the most important is that in many instances ISO has been implemented poorly and has been generally despised for being nonsensical, overly bureaucratic and unsupportive of business goals.
Here are the seven deadly ISO sins.
Picking the wrong project leader: A touchy subject because I might be talking about you. However, ISO is all about QMS and that is all about running the company. Quality success is very closely aligned with business success and thus the ISO project leader is basically attempting to run the company. The person running the project would ideally be the president, have respect of all people in the organization, authority to mandate change (rather than beg for it) and have a focus on achieving business objectives, profitability, growth, success. This doesn’t have to be the president. So long as the leader has management support then it’s possible for just about anyone to run the project. However, delegated to someone without business focus or experience, and without the constant involvement of management the project is in trouble from the start.
Lack of management commitment: Even with a strong project leader, a lack of management involvement easily develops an ISO system that is separate from the way the company actually operates. Management is keen to get ISO but don’t see it as a way to run the company but rather as something that has to be achieved. Without involvement that misunderstanding is easy and before long the project is pressured to minimize costs, time commitment and overall resources. This concept of a separate ISO system to the way to company actually runs is the biggest problem in the QMS world. Minimum resources are allocated (to ensure ongoing certification) but no time is invested in maintenance and development of the system and documents quickly become out of date and the systems (intended to help and improve) are simply circumvented for things that managers prefer to do. The cause is often either or a combination of these first two issues. The cure: force management involvement, force management understanding, lead the project strongly, ensure the focus is meaningful for the business, be disciplined – don’t allow alternatives (but make sure the systems are meaningful).
Getting the requirements wrong: This is difficult because you don’t know what you don’t know. And worse, the external ISO auditors often get requirements wrong and give poor advice. Without an expert understanding of the standard it is likely that you will put in place a preventive action form, an approved supplier list or a supplier questionnaire. Yes these are valid approaches sometimes but not most of the time. Without a strong knowledge of what the requirements are asking (and indeed not asking), systems develop to meet these misunderstandings and the users quickly dislike seemingly unnecessary activities. Having an expert is not really an option for most companies. It is too expensive and usually the ISO person has (should have) many other responsibilities. ISO is not a full time job. Hiring a good consultant is a great idea although hiring a bad consultant puts you right back in the same situation. Just because someone has done it before or is even an auditor for a registrar does not mean they understand the business perspectives that are essential. That aside, a consultant, even if just at the end of the project to conduct the internal audit, will bring an independent view. Ensure they present findings that are detailed objectively against the standard and subjectively for improvement – and ensure they guarantee your certification success (or don’t trust them).
Doing ISO: Many organizations tell the project contact to “get ISO” or “get us certified”. The problems is that if the goal is to get ISO then that’s what you end up with….ISO. Not a QMS that is valuable to your organization. A set of documents that reflect the standard (because that’s the easy way to do it) and not your organization, that require effort to maintain – but they will get you certified (so it must be good, right?) This approach is another that gives you that separate system situation. This is often difficult to avoid because of management commitment or project leader issues already discussed, but one easy solution is to throw the standard away. Do NOT look at the standard. Break the organization into processes and write procedures for them. Do not look at the standard until they are done. Of course this still requires good, well written management process documentation but the structure you come up with will be yours and not ISO.
Procedures and Documentation: There are actually many problems that occur with procedures and documentation in ISO projects. Here are a few. It is a fairly commonly held myth that a system has to be written by the people in it. Only the people involved can write procedures. There will only be buy-in if they write the procedures themselves. There is a grain of truth in this but generally it’s the opposite. Most people had a career in mind. They joined the organization to do their job. They are good at it. They did not sign up for extra work (and it is extra work) doing what is often considered a chore. They have no patience or time to do a good job with procedures– after all, its only ISO. They are rarely given any training to do the writing and often no support. Most people don’t know how to write a procedure. They haven’t written anything that much for 10 plus years (if ever) and they have never been told what to include, what’s important, what level of detail should be included. The result is poorly written procedures in as many varieties as people you ask to be involved. One person will condense their procedure to five bullet points. Another will write a 22 page novel (without punctuation and in ALL CAPS). Another will never actually get around to writing anything and one more will be in such poor English that it will be hard to understand. You end up rewriting them anyway. The cure for this is to allow a single person to write all procedures. They interview people and write with a consistent style and level of detail. If they are also an ISO expert then ISO requirements can be surreptitiously spread into the procedures at appropriate places. If not then ISO can (and should) only be considered later.
There has been a theory that because ISO mandates only six requirements are documented as procedures, that as few documents should be produced as possible. This is simply wrong. The amount of documentation you produce should not be decided by what it says in a standard (and the standard says this). Rather you should produce documentation that is actually useful to you. This means that your full QMS should be documented so that it can be understood, communicated/trained and verified/audited. If you don’t have a documented procedure describing your key processes and how they meet the ISO requirements, how are you going to explain that to an auditor when the person who originally designed it is no longer around? Basically you need to document the management level of all processes in your organization or your QMS is not a reliable, repeatable process by design.
Flowcharts are often slated as the best way to document processes and that textual procedures are too fussy. Truth is that flowcharts and procedures do different things. Flowcharts easily show relationships and flow (so long as they can be depicted on a single page) but are not very good at showing detail. Procedures also describe flow and relationships (although not as easily) but can also describe the flexibility and detail of processes that cannot be presented in a flowchart without writing a procedure on the chart. Probably the best solution is a general overview flowchart on the front of an appropriately detailed and flexible procedure, although the best tool should be used in the right situation and there is nothing wrong with using both.
Getting the wrong certification body/auditor: Assuming you have a good QMS (which if you didn’t then you would not be in business) then you need an auditor who is going to challenge you. Partly this is about writing nonconformances where the system has issues but it can also be achieved with encouragement and a supportive approach. A good auditor is going to insist on management commitment and a meaningful process based system and on tangible, valuable improvements in the system. If your auditor is giving you unimportant findings while there are systemic issues or things that you know they have missed, then you have the wrong auditor. Probably the wrong certification body. The goal is not to do as little as possible with you ISO system. The goal is to find and fix issues and to constantly improve performance. If your auditor is not pushing that then get a new auditor. Keep asking for a new auditor until you are being challenged. And after you have had a good one for a few years – get a different one.
Ineffective “internal” auditors: The internal audit process is your check to make sure the system is working. Unfortunately it is difficult to find good people to do internal audits. Good people tend to be given important roles and responsibilities in the organization and rarely have time to help out with audits. Audits fall on those who have fewer responsibilities and tend not to understand the organization as well. They are generally unable to identify issues that are meaningful and substantive and are rarely expert enough in the standard to spot issues before the external auditor comes. These internal auditors also generally lack respect, are often overcautious about raising concerns, slow and can be quite disruptive. If your external auditor has any findings at all, ask yourself why your internal auditors didn’t spot them first…..and what else are they missing. What else is problematic with your QMS.
Finally, as a bonus “sin” consider what you invest in your ISO system. Many organizations send multiple personnel for many weeks off-site training in Lean or Six Sigma. Training that costs tens of thousands of dollars each. Then they are given teams of employee time and, rightly, they are expected to find improvements. How much did you invest in ISO? And you have to consider that ISO is QMS and we are talking about what you are prepared to invest to ensure your organization operates correctly and effectively. You definitely don’t need to spend tens of thousands in training but if you want a good system you have to provide resources and time. You will get the return but you have to commit.
Cavendish Scott has been designing and implementing process based management systems based on ISO standard for over 25 years. In that time we have helped many thousands of organizations achieve ISO certification and we have learnt how to do it quickly, easily and in a cost effective manner. We are non-intrusive and provide the best value drive, business focused systems that are non-bureaucratic, low maintenance and cause the organization to operate deliberately and successfully. Over the years we have seen and addressed all the problems ISO can create. We can help you address any or all of these. To learn more about how we can help with your ISO system, start by telling us about what your situation is.