by Christopher Paris
VP Operations, Oxebridge Quality Resources International
(Read part 1 of this article here.)
The Client’s View
The ISO 9001 end user has very valuable insight which should be taught not only to the auditor pools of registrars, but to their top management. (Oxebridge still throws that offer out there, to any US registrar that wants it.)
But what is the “client’s view”? Having spent 10 years in the chemical industry as a manager working with IS0 9001 systems that I developed, and then 13 more years with Oxebridge, seeing first-hand how our clients view the process, I think the following presents a real-world, accurate picture of the customer’s “mind.” Some of it will fly in the face of conventional thinking, and most of it will likely shock the management of certification bodies, but this is nevertheless the product of over two decades of personal observation, from over 200 companies in the US.
IT’S NOT A DATE, IT’S A MANDATE. This is a sad reality, but reality nonetheless. In the US, the overwhelming majority of clients are pursuing ISO 9001 because they have to, not because they understand — and I mean deeply understand — the benefits it will bring. (An analysis of 125 Oxebridge clients found that 95% of them — dating as far back as 2000 — pursued ISO because of a mandate, not as a home-grown improvement initiative.) Most companies in the US are forced into ISO 9001 from a major customer or government contract requirement. Understanding that means the registrar needs to come to the table with some compassion and an understanding that this is an imposed activity. They must strive to not make things worse by poisoning an already bitter pill with cowboy antics, judicial behavior and arrogant posturing. Some sensitivity could go a long way in repairing ISO 9001’s already tarnished reputation (in the US, anyway.)
THE AUDITOR IS THE ISO GOD, UNFORTUNATELY. Registrar management needs to understand that the individual auditor is the face of ISO 9001 for the client. The CB’s sales reps, top management, website marketing spin, newsletters promoting auditor flexibility — they are all nonexistent in the presence of the individual auditor on Audit Day.
The perception extends to all — and I mean ALL — of ISO 9001, through the accreditation scheme, to ANAB right on up to the IAF and ISO itself. On Audit day, that individual auditor’s performance and behavior will affect the client’s perception of not only the registrar, but of ISO 9001 as a standard, the entire ISO standards development process, ISO as an organization, and the credibility of ISO 9001 certifications.
Registrars, your marketing is meaningless if an auditor is a jerk. It’s all about that auditor.
If auditors can tone down the ego, ramp up their flexibility, and (again) avoid imposing their singular views on clients, this benefits not only ISO 9001 as a whole, but the reputation of the registrar … and that means more clients for that CB. Registrar management needs to see follow the dotted line between bad auditor behavior and loss of profits to their organization. The CB that understands this, and responds by carefully monitoring their auditors, and questioning them when their practices or reports don’t meet requirements, will see their bottom line grow, and their reputation shine. The registrars that think that challenging their own auditors is a sign of weakness and allow negligent auditors to thrive, kill their own business and reputation.
CLIENTS ARE SCARED; DON’T MAKE IT WORSE. One thing that CB management never understands is that clients are usually afraid. They are being judged, after all, and that’s not pleasant. It’s uncomfortable at best. Clients have often invested a large amount of money and resources into the implementation of the standard, and then have to undergo a few days of non-stop auditing, watching as someone “pecks away” at their hard work. This eventually leads to fear, and a “fight or flight” response by the client. Some “flee” by expressing utter timidity, and others “fight” through frustrated anger and confrontation. Typically, registrars respond positively to clients who “back down quietly,” heaping praise on them as being “receptive” even though the behavior is not healthy for anyone, and hurts the reputation of the registrar. A client who accepts bogus findings is not “improving their quality system”, they are implementing junk.
On the other end, registrars tend to misunderstand the angry, confrontational client as if they are too strong, too forceful, failing to recognize that this reaction, too, is just a different way of expressing fear.
Both reactions deserve neither praise or criticism, but compassion.
Registrar management should instead train their auditors — and then retrain them over and over — on the fact that clients are nervous, that this will reveal itself in either timidity or aggression, and that this is not something that an auditor should react to in ways that worsen the response. Instead, the auditor must react in a way that brings the client back to neutral — neither pandering nor combative — by being sensitive and calm. Auditors must respond to their client’s concerns or questions with grace and professionalism, not arrogance and power, even if the client’s behavior is not idea. (Clients have not undergone the training that auditors have, and auditor training does include handling “difficult” clients.)
Right now there are “tough guy” auditors and managers reading this and dismissing it as New Age, “touchy feely” stuff. They will say if a client gets mad, they deserve the right to argue back and remain “tough” too. Registrars confuse standing firm after a finding is issued with being as inflexible as the Great Wall of China. I say, look at the ISO 9001 growth rate in the US and come back to me when you can prove that a Cold War style of auditing has helped grow ISO 9001 in the US.
THE CLIENT DOESN’T CARE HOW LOCKHEED DID THINGS. So many auditors bring thier “experience: into an audit, and it’s become conventional wisdom that this is a good thing. It’s even embedded in some parts of the accreditation rules. But what I am about to say may sound radical, hear me out.
The auditor’s experience poisons the audit from the beginning. It’s utter toxicity.
A good auditor should be a blank slate, free of prejudice, previous expectations, and even knowledge of an industry. In a misguided attempt to “qualify” auditors, the rules require them to have previous industry experienced similar to that of their clients. Unfortunately, this does nothing but put an auditor in the situation of comparing the client against the quality systems of previous employers or other clients, instead of comparing the client’s system against the ISO 9001 standard and the company’s unique procedures.
There is a joke at Oxebridge, that you can guarantee hearing the auditor say at least once during an audit, “Well I’ve never seen it done that way before.” Only rarely will an auditor finish that sentence with something like, “I appreciate this new perspective, it’s very creative.” Instead, they get out their “red pen” and try to figure out how to write a nonconformity. It’s funny to watch the mental gyrations they go through to craft a nonconformance purely on the basis of their ignorance to a new approach.
I actually warn clients to avoid auditors whose resumes consist of a decade or more of experience at one single, giant corporation, like Lockheed, NASA, Honeywell, etc. Nothing good ever comes from that. These are the guys and gals who come in and demand to see “form numbers” as part of document control, even if the client only has four employees and a 1/4″ binder of documents… hardly a system needing a Dewey Decimal system to control documents. These are the people who think FOD controls should extend to broom closets in buildings a half mile away from the production area, because “that’s the way we did it at Lockheed.” These are the auditors who can’t understand the more modern notions of embedding quality into the production processes, and still expect to see a QC process as a separate entity. These are the auditors who cannot understand that the notion of a paper, or even spreadsheet-based Approved Supplier List has been surpassed with the far better, and more robust, supplier records within a company’s ERP system. (I have at least five clients I can name that have actually maintained a paper ASL just for their ISO or AS auditor, because the fellow cannot comprehend modern software.)
Experience in this industry is deadly, because it immediately puts the client in a position of defending their approach against that of a huge corporation with an entirely different set of priorities, problems and customer requirements. Most clients, on the basis of timidity, will fold and incorporate the ideas presented by the auditor, condemning their company to an over-bloated QMS that looks a lot like the ones from companies that had to be bailed out by the US government in recent years. When a four man machine shop has to implement a three-man “Material Review Board” to process every bad part, you know you have a problem.
Instead, auditors should use their experience only in very limited ways. It helps to be able to understand the language of an industry, for example. After all, it would be awkward and time consuming to explain to your auditor what an “MRB” or “FOD” is. But that’s about the limit of the benefits of industry experience. More important is the auditor’s experience in auditing, but that is often overlooked. Better yet, what is the auditor’s experience in being audited?
An auditor must be open to the unique and individual interpretation and implementation of a requirement by the client, even if it flies in the face of the auditor’s previous experience with (coff! coff!) Pan Am or Enron. This requires an open mind, open to listening and understanding, and being self-assured enough to know that no matter what one’s age or experience, we can all keep learning. After all, we learn until we die… and then, who knows, we may even keep learning after that. A person’s education shouldn’t stop during an audit.
WE ARE NOT INTERESTED IN YOUR SUGGESTIONS OR “OFI’S”. Clients will almost universally put on a brave face during the audit, so auditors aren’t really to be slammed for not understanding the truth of things here, but after they auditor leaves, clients loathe suggestions.
It’s worth repeating: the client hates your suggestions!
Right now every registrar representative reading this is shaking their head, saying, “this guy is nuts.” That’s because from their side of the table, all they see are pliant clients nodding obediently, telling their auditors they appreciate the OFI’s. The registrars can’t know better, because their clients are lying to them. Only when you sit in my seat, do you hear the truth.
Clients don’t really think the auditors know best. In fact, they get a little resentful that a stranger who has spent all of a day in the company is spouting “great truths” on how to improve the company’s processes and products. They only smile to get through the audit.
Think about it. Most companies go through a rigorous process when hiring even a minimum wage operator, and much more for someone who will make decisions on process improvements and operations management. Yet registrars expect clients to accept the ludicrous notion that an auditor, who hasn’t been interviewed, whose resume hasn’t even been verified, and who knows nothing about the company, its customer base, it’s unique processes, its workforce, its personality, its financial constraints or even details of its products — can walk into a company and immediately know better than anyone. It’s absolute hogwash, and the clients recoil at it. They feel their intelligence is insulted, and it’s a slap in their face when a totally uninformed stranger alleges he or she is somehow smarter than everyone else in their company. (The executive managers of the client company especially hate this, as it confronts their own egos.)
Don’t believe me still? Here’s an actual email I received from a client, after an auditor left them a list of 20+ “suggestions” which were mostly bogus:
I know a lot of what [the auditor] wrote down is not necessary for AS9100, but if I make a show of good faith by doing some of the things, that can only help [the auditor] feel more confident in recommending us for registration.
The client didn’t adopt the OFI’s because they would improve his company, he did it to keep the auditor happy. Period. But since he never told the registrar the truth, they walk away thinking their OFI’s are precious little gems, treasured by the client. You almost can’t fault them. Almost.
Auditors need to keep OFI’s (opportunities for improvement) and suggestions to a minimum, or leave them out entirely. (A few registrars are jumping on this idea, thankfully, limiting their reports only to evidence of compliance and noncompliance.) It may make the auditor feel “relevant” or allow them to have some sense of ease while in an alien environment, or maybe it just boosts their ego … but it’s damaging to the client.
I have pushed for having OFI’s and suggestions disallowed under ISO 17021, and was defeated. (In fairness, I only made this effort through contacts, as I did not personally sit on the committee for that standard.) This was due to politics: the authors of the 17021 come overwhelmingly from the registrars themselves, so they managed to craft a standard that met their needs first, not necessarily the needs of QMS users. Knowing they needed a way to differentiate their services from other registrars (as I mentioned earlier), they embedded the idea of OFI’s as a way to offer “value added” auditing.
Official auditor training actually includes training auditors to say, “here is what I have seen in other companies…”. How many times have you heard that? This is a way of providing consulting while couching it in “weasel words” that pass ANAB scrutiny. Again, this tactic — as sneaky as it is — is actually taught as part of the formal RABQSA training! Maybe, in light of a dwindling market for certifications, these practices will be prohibited in future versions of 17021, to better serve both registrars and their clients. I’m not holding my breath, though.
Auditors: if you have a finding, write it down and make your case. If you have a suggestion, keep it to yourself. Despite what you think, you are not qualified to suggest altering an organization you have only spent a few hours, or days, at. Let the company’s management system drive improvement like it’s supposed to, don’t jump in and try to do an end-run around the very standard you are auditing to.
Another problem is that clients confuse OFI’s with nonconformities, even if the auditor’s script requires him or her to differentiate the two. Even if the auditor follows the rules, and tells the client that OFI’s don’t necessarily need to be addressed, the client will nevertheless expend resources and time to resolve the non-existent problem and adopt the advice of the auditor, often introducing ill-fitting requirements into an otherwise fine QMS. They do this out of fear that if they don’t, the auditor will “beat them up” at the next surveillance.
They have good reason. Some auditors do threaten the client, saying, “I can escalate this to a nonconformity if you don’t take my advice by the next surveillance audit.” Again, auditors: if you have a finding, write it down and support it with evidence. If you can’t do that, move on. Your “good idea” or what you’ve “seen other companies do” doesn’t grow into a nonconformity by virtue of the calendar moving forward.
If you really can’t stop telling the client what to do, through your veiled “suggestions” — which was my primary problem when working as a registration auditor — then do what I did, and start a consultancy.
PUT IT IN THE REPORT PLEASE. Auditors often ask the client to do what I call “Yellow Pad Auditing,” where they ask the auditee to follow them around and write down on a pad of paper every notion, thought or utterance that escapes their lips. Often the auditor will justify this with a warm-and-fuzzy (but somewhat menacing) remark that he or she “is just being nice” by allowing the auditee to write it down, so the point won’t show up in the final report. “You can put that on your list, and I won’t put it on mine,” they say, as if offering a free pass on a potential nonconformity.
Again… hogwash.
The real reason auditors do this is to avoid documenting their bogus findings and having them appear on the official report which will be reviewed by the registrar’s Certification Committee or, God help them, ANAB. So they create a “shadow audit” record that doesn’t exist, is never reviewed by anyone, and therefore the auditor is never held accountable to what appears on it. The “Yellow Pad” exists entirely outside of the accreditation scheme, and I wonder how many registrars would have their accreditation jeopardized if ANAB ever had access to all those yellow pads. But ANAB has no clue about this remarkable phenomenon.
Afterward, the client is left with a jumbled mass of notes which don’t make sense out of context, and present no clear way to address them. Worse, the client is left with the impression that they have to not only react to the official findings in the final report, but 20 or 30 more “tidbits” that never made it into the report.
My advice to clients:take the notes during the audit, if you feel you must placate the auditor on Audit Day, and then throw them out afterwards. The only thing that matters is what appears in the final, official report. That is what gets reviewed by the committee and, possibly, ANAB. That is what decides your certification. The yellow pad is just another extension of the auditor’s ego. For a particularly aggressive “yellow pad” auditor, politely ask that anything they feel is worth writing down be written in the final report. Contrary to what you may think, watch how thin your final report gets.
During a recent AS9100 audit, a client of mine came away with about 25 “yellow pad” notes. On the final report, they received only one minor nonconformity. There you go.
An aside to auditors: it’s rude to require your customer to follow you around like a puppy or underpaid manservant, forcing him or her to jot down your thoughts as if you were a famous writer undergoing an interview for The New Yorker after having won the Pulitzer. Do your own writing, it’s what you are paid for.
DON’T IMPOSE REGISTRAR REQUIREMENTS ON CLIENTS. Another common problem is when auditors impose the accreditation or auditing requirements demanded of registrars onto the ISO 9001 end user, who is not subject to these rules. This typically happens when auditors review the client’s internal audit program. Some examples:
- Auditors ask to see Lead Auditor training for internal auditors. This is not required by the standard; in fact, ISO 9001 presents NO requirements for training of internal auditors. If you want to dunk your auditors in water to see if they float, and determine their competency that way, you can. It’s that wide open. While you should provide some kind of auditor training, enrolling them in a 3- or 5-day RABQSA or ASQ course is not required.
- You must conduct “process based internal audits.” Another fallacy, many auditors are demanding that ISO 9001 end users do “process auditing” even though neither ISO 9001 nor ISO 19011 require this, and the quality world cannot even agree on what the heck “process auditing” means anyway. Yes, under the latest rules, registrars must conduct a process based audit, but there is no such requirement for end users. In some cases, such as small shops with limited resources, a checklist based audit works just fine, and fully meets the letter of the standard.
- Your audit reports must contain objective evidence. This is a shocker to most people, and they can’t believe it when they go back and check their standard to find out that, sure enough, ISO 9001 does not require objective evidence be included in an internal audit report. Leaving out such evidence isn’t the best practice in the world, and I strongly oppose doing so, but if you just check a box for YES or NO to every audit question, you meet the intent of the standard. Again, registrars must include objective evidence per their accreditation rules, and because accreditors like ANAB are looking over their shoulder to verify their work. But for clients, it’s not required.
- AS9100 clients must use AS9101 as an audit checklist. Nope. Not required for end users. Go check!
These problems arise from the fact that CB auditors spend so much time operating to their own rules, they forget where those rules stop and where the client’s rules begin. ISO 17021 is not ISO 9001, and clients cannot be audited to ISO 17021. Accidentally, or intentionally, pulling in standards that are not in the scope of the audit only confuses things, and results in a poorer QMS for the client.
And the registrar can get busted for it.
PART 3: WHAT REGISTRARS CAN — AND SHOULD — DO
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
