There are few things more consistent than death, taxes, and how ISO and IAQG will impose rules on entire nations and industries that they don’t, themselves, abide by. I point you to those pesky “ethics” requirements, for starters.

Now we’re seeing end-user organizations forced to add risks to their various risk tools (COTO Log, Risk Registers, or what-have-you) that are the result of the standards bodies themselves. Specifically, the updates to both ISO 9001 and AS9100 (to be renamed IA9100) have injected unnecessary — and potentially expensive — risks for no reason other than the developers wanted to make a few more bucks and boost their own careers.

As you likely know, both ISO and AS require companies to identify organizational risks related to the QMS as part of the misguided “risk-based thinking” nonsense that Nigel Croft, BSI, and a few others dreamed up. RBT isn’t a real thing, but they put it in the standard, and now we have a whole generation of quality management professionals who think it existed prior to September 2015. It didn’t. Worse, clause 6.1 has no requirements for procedures, records, root cause analysis, or anything that can be proven during an audit; and then they branded it “thinking,” which is something that should never be in a standard intended for conformity assessment, because psychics aren’t real.

Companies have addressed this by adding in their own tangible, auditable, and practical add-ons, like the COTO Log or industry favorite, the risk register. Some companies complain these are make-work exercises, but others (I’m looking at you, Oxebridge clients) get value out of it.

Now, however, you’re going to have to add risks related to the imposition of impossible requirements due to ISO and IAQG themselves. I’ve seen this in the wild and have begun implementing this for our clients, too.

Specifically:

  1. You will need to add “Standards Development Organizations” (SDOs) to your list of interested parties or stakeholders. Stick with me on this.
  2. Then, you will need to add the “needs, expectations, and requirements” of the SDOs to your list of issues. These should include this new one:
    1. SDOs update standards, which then have a significant effect on our company and QMS.
  3. Next, you will have to add specific organizational-level risks associated with the requirements in step 2.

What are the specific risks that you’ll now have to consider? Try this list on for size:

ISO-related risks:

  • ISO updates ISO 9001 to include more out-of-scope requirements related to sustainable development, climate change, or other UN directives; these will add cost to our QMS management and make it more difficult to comply with ISO 9001.
  • ISO 9001’s shifting definition of “quality management” away from meeting customer requirements, to pursuing sustainable development, risks us losing focus on the customer and releasing poor-quality products to market.
  • ISO 9001’s new changes are likely to be interpreted differently by various CB auditors, adding risk to our certification.
  • “Opportunity-based thinking” is not real and will add confusion to our overall QMS.
  • ISO moves to a subscription-based “Smart ISO” platform, making access to its standards restrictive and highly paywalled; failure to maintain a subscription will force us to lose access to the standards.
  • ISO 9001 updates will require retraining by staff, adding to costs.
  • Potential loss of value in holding ISO 9001 certification.

IAQG-related risks:

  • IAQG updates AS9100 to IA9100, forcing us to rebrand all our QMS documentation.
  • IAQG adds cybersecurity requirements to the QMS standard, forcing us to hire new IT staff and to invest in new IT / OT systems, adding costs to our operations.
  • IAQG adopts all of ISO’s new sustainable development requirements, putting us at risk of losing aerospace and defense contracts for concepts outside of the scope of quality.
  • AS9100 updates will require retraining by staff, adding to costs.
  • Loss of value in holding AS9100 certification.

For AS9100, mind you, they added another clause on risk management, for operational-level (shop floor) risks. There may be more you need to add there, too.

What clients are reporting back to me is that these risks — whether they formally wrote them down or not — have them reconsidering ISO and AS certification entirely. Some have already begun pushing back on aerospace primes and other customers, saying they intend to drop certification and move to self-attestation. The customers will have to choose between wanting a robust supply chain that has served them for decades or remaining enslaved to mindless allegiance to the standards bodies.

Given that neither ISO nor IAQG actually makes parts that go on airplanes or in products, it will be interesting to see how the big customers land on this.

For those at the top of the supply chain, this may lead to a need to increase expensive supplier audits if companies revolt and drop ISO 9001 and AS9100. Ironically, for the CBs like BSI who cooked up these bullshit changes, it will result in them losing clients outright.

Now, a lot of you will say I am panicking and screaming about the sky falling. But then, a lot of you said that when I wrote my 2015 “Public Call” letter to ISO about the ridiculous addition of “risk-based thinking,” and everything I said about RBT in that letter proved true.

Anyway, it’s a good day for consultants, I guess. Right?

 
