As the Oxebridge Q001 certification movement steamrolls ahead — and no one is more surprised than me — the full picture of what accredited certification audits will look like under the new scheme. It’s really shaping up to be something remarkable.
Remember, the Q001 standard was written to prove that ISO’s bungling of ISO 9001 was unnecessary. It proves that a quality management system standard could be written that isn’t confusing, is easily audited, and doesn’t require a consultant to understand. It’s proven so popular that as I write this, it’s already been translated into French, with editions in Spanish, Mandarin, Croatian, Russian, Arabic and a few of the many Indian languages already underway.
With that wind at our sails, we then wanted to prove that an accredited certification scheme could operate without various problems that currently plague the scheme. I will be the first to admit I have not cracked the biggest problem — clients pay auditors, who pay accreditation bodies — but that will take governmental oversight. I don’t have that kind of power.
But we did address — successfully, I think — some of the other biggest problems. One of those is the conflict of interest between auditors and consultants. We see this in two specific scenarios: a consultant implements a system and then later personally audits it themselves, or the auditor engages in clear consulting during the audit itself.
This seemed insurmountable, until I began working with the Capability Maturity Model Integration (CMMI) appraisal method, managed by the CMMI Institute. Under CMMI appraisals, the training consultant is literally the same person who eventually heads up the audit (called an “appraisal” in CMMI parlance.) And it works.
How did CMMI crack the code on this?
Because the CMMI Models require specific evidence of performance. The company can undergo whatever consulting it wants, by whomever it wants, but at the end of the day the company has to produce the evidence. A consultant may train the client on how to create evidence, but they can’t actually create it. Evidence is generated as a result of the processes being worked. That can’t be easily faked.
(Yes there are scenarios where it can, but the level of effort to do so requires outright fraud and even forgery, at which point we are talking a whole other level of misconduct far beyond what any system audit is going to solve. People need to be sued or arrested in those cases.)
With Q001, we’ve adopted this approach.
A new supporting standard has been developed called Oxebridge Q002 Quality Management System Certification Audit Minimum Evidence Requirements. This document goes line-by-line down the Q001 requirements, and lists mandatory minimum evidence an auditor must verify in order to check off a requirement as being conforming. A simple sampling method is used to scale the amount of evidence with the size of the company. All an auditor need know how to do is run their thumb from the left side of the page to the right, and the sample of evidence is right there, printed for them.
Not every single requirement has a defined sample of evidence, of course. Where risks of conflicts are low — such as requirements to interview staff — the auditor may still determine their own sample size based on their experience and the audit realities themselves. But where it’s critical, the Q002 standard directs the auditor accordingly.
Lazy Auditors Will Hate This
Audit reports that don’t include sufficient evidence will be rejected, either by the CB home office or by Oxebridge, which will review every single audit report. This is in line with how the CMMI Institute ensures their minimum appraisal evidence is captured.
Which means that lazy auditors can’t operate in the Q001 space. They will have to gather the evidence, in the allotted audit time, or they can’t be a Q001 auditor.
Since the Q002 standard will be published openly, clients will know ahead of time what evidence they need to have ready. They still can’t spike the results, as the auditors will select the number of “artifacts” from the evidence pool, but this will dramatically improve a client’s ability to prep for the audit.
Consulting By Anyone?
This also means that a client can receive consulting on Q001 from anyone, even their CB. To crack down on pirates, however, we will require Q001 consultants to be licensed (again, in a manner similar to that of the CMMI Institute). Training services will only be allowed by Oxebridge-approved training bodies.
I am also mulling over the release of a Q001 Template Kit. This sounds insane — clients could download a free set of Q001 documents and still survive an audit that claims to be superior to ISO 9001? The answer is yes, since the kit doesn’t include the evidence.
Frankly, the audits are not as focused on documents as ISO 9001 audits are. We don’t care where you get the documents, provided you follow them and generate the evidence. The evidence is everything.
A company that tries to pass an audit by simply pasting their name into a template will fail. Period.
But a kit will reduce the costs of consulting and implementation, which was another goal of Q001.
No OFIs … Ever
Another way Q001 audits will short-circuit auditors acting as would-be consultants is that under the scheme, Opportunities for Improvement (OFIs) are forbidden. That’s going to shock a lot of people.
The thinking here is that ISO audits were never intended to “drive continual improvement,” because they are ultimately conformity audits. You either conform to the standard, or you don’t. The “continual improvement” shtick was added by CBs to try and differentiate their services from competing CBs who were, in reality, offering the identical service. But auditors are not qualified nor trained on how to “drive improvement,” but were nevertheless allowed to present their homespun, folksy, random comments as some sort of Great Wisdom.
With Q001 we believe a company may improve by implementing the standard; they will then see additional improvements from the certificate itself, likely in the form of reduced customer audits or improved business opportunities. That’s it.
We’re not promising to walk on water, unlike those in the ISO scheme.
So just as in the CMMI scheme, auditors may only write nonconformities and strengths. Better yet, a nonconformity must require corrective action (not preventive), meaning it must be a real lack of conformity to a requirement right now, not one of those “this could turn into something someday” dubious predictions.
This will alter auditors’ behavior during audits dramatically, and seasoned auditors will struggle. In the end, they will see this is a lot easier, and the expectations of what miracles they are supposed to perform will be reduced to reality.
Tweaking Underway
We’re still examining this for weaknesses, which is why the accreditation standards haven’t been published yet. I’m as cautious as you probably are about this approach, since it’s so radical. There’s a lot that can go wrong, so we have to ensure the rules plug all possible loopholes.
If you’re a company or individual that is interested in becoming a Pilot CB offering accredited Q001 certificates, write to accreditation@oxebridge.com for more details.
If you’re a user organization interested in a standard that will help you comply with ISO 9001 in an easier fashion, while setting you up for possible Q001 audits in the future, grab your free standard kit here.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world