Despite the standard on risk management being written as a guidance-only document, multiple certification bodies (CBs) continue to sell certification to ISO 31000. While the practice is common in the underground world of unaccredited “certificate mills,” Oxebridge has uncovered a growing pattern by fully-accredited CBs who offer certification to ISO 31000.
BSI, the largest CB in the world, offers ISO 31000 certification on its website, even as it admits the standard only presents “best-practice recommendations,” and not actual certification requirements.

ISO 31000 was intended to be released with a statement “this international standard is not intended for certification purposes,” but a representative of BSI mounted a successful campaign to have the language stripped in 2014. That effort was led by Mick Maghar, a Programme Manager at BSI who was also the acting Secretary of TC 262, which oversees the development of ISO 31000. Maghar released an interpretation that would allow his company, BSI, to later benefit from issuing certifications against ISO 31000.
When Oxebridge requested clarification of this position, another BSI staffer — Charles Corrie — answered on behalf of ISO, defending the move. Oxebridge was unable to get anyone from ISO who was not also a BSI employee to address the conflict of interest.
About a month later, BSI issued the first unaccredited ISO 31000 “statement of compliance” to Tata Power in India.
Oxebridge has argued that BSI’s dominance on ISO committees allowed it to alter long-standing rules about standards in order to artificially create new marketing possibilities. Oxebridge has pushed for reform of standards-making practices to remove the influence of bodies who later sell certification, but BSI and other powerful bodies have largely blocked the efforts.
The problem has only proliferated. Now a number of other well-known, accredited CBs have joined BSI in offering the dubious certifications to ISO 31000. These include AENOR, TUV SUD, URS, QCSE, and TURCERT. All are fully accredited by IAF member bodies.
One JAS-ANZ accredited CB, Sustainable Certification, withdrew its marketing of ISO 31000 as of January 18th. That decision was not related to any Oxebridge reporting.
The move by BSI had the effect of emboldening the accredited CBs’ primary competitors: the growing population of fake “certificate mills,” which offer certifications to anything, often without any audits. Mills currently offering ISO 31000 certification include Lakshy, Systems Assessment Bureau, ISO Dubai, BQR, Equalitas, GainISO, QMG, Gabriel, CAW, and WQM. Such mills largely operate in India and the Middle East, where there is little enforcement of anti-fraud regulations, but the phenomenon is worldwide.
Ironically, certification to the risk management standard ISO 31000 would likely increase risks for the CBs issuing those certificates. Because ISO 31000 only provides guidance, and not requirements, there is no significant reason to believe that certification would result in improved management of risks by certified companies. If ISO 31000 certified companies were later found to have managed risk poorly, this could expose the CBs to legal action and liability.
As a result, the CBs offering ISO 31000 risk management certification appear to have little understanding of risks themselves.
In 2015, the IAF released resolution 2015-14 that demands “IAF Accreditation Body members shall have legally enforceable arrangements with their accredited CBs that prevents the CB from issuing non-accredited management systems certificates in scopes for which they are accredited.” The resolution stopped short of prohibiting accredited CBs from offering non-accredited certificates entirely, however. The IAF repeatedly claims to have no power over such matters, despite rules which allow it to uphold accreditation rules when actions are taken which jeopardize the trust of accredited certifications.
The problem makes it difficult to distinguish between accredited bodies and unaccredited certificate mills.
UPDATE 26 January 2022: A representative from DQS India indicated that the company does not offer certification to this standard. In a review of the DQS website materials from multiple countries, it appears DQS is offering “external audits” for ISO 31000, but not issuing certifications. However, the German website for DQS did offer “certification” to ISO 31000 previously (see screenshot at right), but the most current version of that site no longer has the offer. We removed the mention of DQS from the article as it appears the CB no longer offers ISO 31000 certification.
QCSE was added to the list of accredited CBs offering ISO 31000.