[This story is breaking, and may be updated as new information comes in.]

Internal emails obtained by Oxebridge through the ISO Whistleblower Program show that the largest ISO 9001 registrar in the world established a quota for audit nonconformities as a process metric to measure auditor performance and company financial health.

In two February 2018 emails, senior BSI Americas executives circulated information on the performance metrics, requiring managers to “cascade this information to your full-time assessors.” The first email came from Scott Neas, the Service Delivery Director for Aerospace & Core QMS, who attached a table showing four main criteria for the company’s “2018 Client Manager Performance Measures.” The four measures were “timely upload of reports,” “error-free reporting,” “added value reporting,” and “happy customers.”

Performance metrics table circulated by BSI’s Scott Neas.

For the metric of “added value reporting,” the measurement goal was listed as “1 NCN per audit day.” In the parlance of BSI and other certification bodies, the abbreviation “NCN” stands for “nonconformance note,” and represents a claim that a client was not in conformity with the given management system standard. These are typically separate from “OFIs,” or “opportunities for improvement,” which are merely suggestions made by the auditor and can thus be ignored by the client.

Scott Neas email

The Neas email then referred to another sent the same day by BSI America’s VP Operations, Tim Green. In that email, Green openly discussed how the measurements were “scientific” and intended to “improve our… financial performance.”

This year’s system is designed to address this issue and drive improvement actions that will enable us to improve our financial and operational performance. The methodology is quite ‘scientific’ but a calibration exercise will be conducted to ensure rankings are fair and take any special circumstances into account.

The Green email then referenced BSI’s “Head of People Development,” Mike Semanchik, saying he had been tasked with “looking into the possibility of a mass upload of the KPIS to eliminate any inconsistencies.” As a result, at least three senior BSI executives appear directly involved in the quota scheme.

Tim Green email.

Nonconformities require that formal corrective action be taken, forcing the clients to spend both time and money on performing root cause analysis, developing action plans, and then implementing them. Failure to adequately respond to an NCN can result in the company losing its ISO certification entirely. The BSI program would induce auditors to write nonconformities simply in order to hit personal performance goals, whether or not the audit write-ups were valid and based on objective evidence.

The practice raises legitimate doubts about every management system certification audit BSI has done since the program was launched, potentially affecting tens of thousands of clients worldwide. It is not clear when the practice began, nor whether it is still in place today.

BSI is accredited to ISO 17021, which would prohibit nonconformity quotas. That standard warns certification bodies against threats to impartiality, specifically stating that “a concern related to certification, as a threat to impartiality, is financial self-interest.”

Clause 5.2.1 goes on to elaborate on these restrictions:

5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.

Entire clauses within ISO 17021 then require CBs such as BSI to conduct risk assessments for such threats, to ensure they do not compromise certification validity. Clause 5.2.12 extends these rules to senior managers, as well:

All certification body personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.

The BSI “quotas” appear to jeopardize this, as they would falsely impose nonconformities on clients in order to ensure “financial performance” of BSI, even if clients were fully conforming. Both ISO 17021 and AS9101 for the aerospace scheme demand that nonconformities only be written when evidence proves a nonconformity exists. The aerospace standard AS9101, for example, requires that CBs’ nonconformity reports “provide objective evidence of nonconformity against audit criteria.” BSI’s internal financial goals would not constitute “audit criteria.”

BSI has over 760 clients listed in OASIS as registered by “BSI America Group” for aerospace certifications such as AS9100, and another 852 listed under “BSI.” It is estimated that it has tens of thousands more when counting all the various ISO standard certifications for which BSI is accredited worldwide, such as ISO 9001, ISO 14001, and ISO 45001. The BSI Wikipedia entry claims the company has 80,000 certification clients, but it is not clear how old that information is. The emails put every audit conducted since the “quota” program was instituted into question.

The accreditation bodies ANAB and UKAS have routinely stood by BSI, even as it has weathered complaints alleging it engages in open consulting for its certification clients, through the sale of its “BSI Entropy” consulting software. However, BSI is the largest registrar on the planet, and pays exorbitant fees to its accreditation bodies, likely reducing the accreditation bodies’ enthusiasm for enforcing the rules. Portions of those fees eventually make their way to the IAF, which is tasked with overseeing the global scheme.

Officials with BSI, including Neas, Green, Semanchik and executive Carlos Pitanga, did not respond to requests for comment on this report. It is Pitanga’s signature which appears on most ISO management system certifications issued by BSI.

Oxebridge wrote to BSI Chief Executive Howard Kerr and BSI Legal Counsel Grainne Branki, and while Mr. Kerr indicated they would “pick up” the issue, days later they had not followed up.

Oxebridge has filed an official complaint with BSI against the practice, alleging six separate violations of ISO 17021-1, while copying the IAF, ANAB and the regional body EA.

In 2003, a Senior VP within BSI Americas was fired after threatening to kill Oxebridge founder Christopher Paris for his reporting.


UPDATE 18 May 2020: In an unsigned email, BSI has responded by denying the problem exists, but without providing any evidence or explanation for the evidence put forward. See here for that report.