LRQA Bought a Consulting Company Because Conflicts of Interest Are Cool Now

If you had any pretense left in you that the ISO/CASCO standards for certification bodies, as well as the entire IAF accreditation scheme, actually meant anything, well, let me put a pin in that sad balloon of yours. The ISO certification body LRQA (formerly Lloyd’s Register QA) just outright bought Oxebridge’s number one competitor in the consulting scheme, Core Business Solutions, and immediately began marketing consulting alongside certification.

According to the official LRQA press release, which overtly conflates consulting and certification:

[Core] specialises in technology-driven advisory services that simplify the certification process, with a strong focus on quality, cybersecurity, environmental and IT standards. Its expertise covers core standards, such as ISO 9001 for quality management, ISO 27001 for information security, ISO 14001 for environmental management, ISO 45001 for occupational health and safety, and the upcoming Cybersecurity Maturity Model Certification (CMMC).

The acquisition expands LRQA’s digital capabilities and strengthens its ability to support Small and Medium-sized Enterprises (SMEs) with streamlined compliance solutions. It comes at a time when the certification market is experiencing significant growth due to stricter regulations, globalization, technological advancements and increasing consumer expectations for quality and security. Organizations are increasingly seeking certification not only to meet compliance obligations but also to build credibility and maintain a competitive edge.

Just a reminder. LRQA is accredited by ANAB and others under ISO 17021-1, and here is what that standard says about such things:

5.2.5 The certification body and any part of the same legal entity and any entity under the organizational control of the certification body shall not offer or provide management system consultancy.

And remember where LRQA said the Core offerings will “simplify the certification process“? ISO 17021 has something to say about that, too:

5.2.9 The certification body’s activities shall not be marketed or offered as linked with the activities of an organization that provides management system consultancy. A certification body shall not state or imply that certification would be simpler, easier, faster or less expensive if a specified consultancy organization were used.

But LRQA is going all-in on the language. Over at Spotify, they said this, again tying consulting and certification:

With CBS’s expertise in helping small businesses navigate compliance and LRQA’s global reach, the two companies aim to expand technology-driven solutions for certification, cybersecurity, and supply chain risk management.

And in this press release, Core’s founder, Scott Dawson, went even further:

This partnership empowers us to deliver tailored solutions and drive success in Quality Management Systems and Cyber certification alongside our new colleagues at LRQA.

So there is no ambiguity here. The violation is overt and public. They are not only declining to hide the conflict of interest, they are leaning into it. They are using a prohibited conflict of interest as a marketing tool.

The ISO 17021-1 requirement intends to ensure that ISO certifications are only issued after an “impartial and objective” audit. By selling consulting services, LRQA will now be auditing the clients of its own consulting products. Such certification bodies are under financial and reputational pressure never to issue a nonconformity against their products; the CBS product could be absolute hot trash, and LRQA would certify its clients anyway.

Imagine a scenario where LRQA did write a nonconformity against a QMS powered by CBS: the client would then sue LRQA for selling them a product that their own auditors deemed defective, and LRQA would risk significant lawsuits. ISO/CASCO knew that would never happen, so they wrote the rules accordingly.

Now, I suspect LRQA is being cute on two fronts. First, they don’t use the word “consultancy,” but call it “advisory services” so that we might not notice. They are the same thing.

Next, LRQA will probably argue that CBS is a different “business unit” under its own management (Dawson). That’s the hot take used by certification bodies engaged in these unethical practices. Intertek recently insisted that its training and consulting wings are entirely different organizations, despite dozens of public press releases, websites, and official annual reports showing they all answer to the same corporate CEO.

Again, the standard is clear: the rule applies to the CB and “any part of the same legal entity.” The CBs want to argue that their consulting branches are somehow a different legal entity, but that is unlikely to hold up in court, should it ever land there.

We weren’t always in this position. Long ago, Perry Johnson Registrars was forced to split into two organizations because it had been doing consulting for its own certification clients. Johnson sold the CB wing to another entire party, splitting the consulting wing off as Perry Johnson Consulting.

Even ANAB’s predecessor, RAB, faced a similar scenario. It was forced to sell off its auditing credentialing activities, since it was seen as a conflict of interest with its accreditation activities. The argument was that RAB could write up a CB client for poor auditing and then conveniently offer them training to get them out of the nonconformity. RAB’s auditing wing became RABQSA, and later rebranded as what we now know as Exemplar Global; the accreditation wing became today’s ANAB.

Now, however, the IAF has stopped enforcing the rules, happy to merely accept payments from its members in exchange for providing them protection from complaints. Let’s look at how far we’ve fallen:

• BSI sold QMS software and procedures under its BSI Entropy product.
• British Assessment Bureau sold its Activ Certify QMS software while holding UKAS accreditation. BAB was then bought by Amtivo, which has rolled out the Activ Certify software to countries around the world, all while holding multiple accreditations.
• Intertek shares the same senior management between its certification activities and its training and consulting wings, while holding multiple accreditations. Intertek went on to deny the information published in its annual reports, which shows shared management.
• Dutch certification body EIK Certificering operated EIK Consultancy while holding accreditation by RvA. That only stopped after the consulting body went out of business on its own.
• Husk Registrars‘ owner, John Senter, operated a consulting firm called Senterstone and then certified his own consulting clients. He escaped de-accreditation only when the accreditation body, IAS, accepted unproven claims that Senter had sold Senterstone to an unknown third party. Meanwhile, Senter continues to market both simultaneously.
• NSF-ISR was caught selling both certification and consulting but added some language to the footer of its website saying it doesn’t. Ironically, the footer sits right above the website language where it does exactly that.
• Bureau Veritas entered into a partnership with Green BizCheck to offer both ISO 14001 consulting and certification. BV was accredited by both ANAB and UKAS, and neither accreditation body took action.
• IAPMO SCB allowed its AS9100 auditor to participate in a commercial for the QMS software ProShop ERP. That complaint was shut down by ANAB without explanation.
• Recently, would-be certification body Zertia announced a partnership with the Indian consulting firm Ethically; that case is still under a complaint process.

The last one — about Zertia — is important, since Zertia’s CEO is claiming they got into the partnership based on the fact that other CBs had already done the same thing and gotten away with it.

What none of them are talking about? How this scummy practice destroys the credibility of the very thing they are selling. They are cannibalizing their own products, and have no clue.