There are more than a few dirty secrets in the ISO certification scheme, but one of the most nefarious is that of nepotism. In this context, I am talking about improper relationships between accredited registrars (certification bodies, or “CBs”) and consultants, where the two share family members and work is switched between them.
ISO 17021-1 is the standard that dictates the rules under which CBs must operate in order to be accredited by the Accreditation Bodies such as ANAB and UKAS. The clauses in ISO 17021-1 that deal with the prevention of conflicts of interest are too many to discuss in detail here, but suffice it to say that nearly the entire purpose of ISO 17021-1 is to eradicate conflicts of interest. This is so that CB-issued certificates for ISO 9001, IATF 16949 and AS9100 can be trusted. If the CB auditor has an improper relationship with either the client or a consultant, the resulting certificate cannot be trusted, since it may have been issued on the basis of financial incentives (bribes, graft, etc.) or because of explicit or implicit partnerships designed only to drive clients to all involved.
It’s bad when consultants pal around with registrars, and each sends clients to each other. Recently, a British consultancy called QBH Solutions ran a promo post on LinkedIn announcing that one of its clients had just successfully passed an ISO 9001 audit by the UK registrar BAB (British Assessment Bureau.) The only problem is that when I dug deeper, I found that nearly every client listed on the QBH website had been registered by BAB, and QBH boasted of a 100% pass rate. It clearly doesn’t smell right.
British registrar Alcumus ISOQAR had an entire consultant referral program in place which promised consultants cash-value goods and even free booze for referrals, and UKAS ruled that was totally fine, despite it all being literally in violation of ISO 17021-1. A good consulting firm should always remain agnostic as to which CB their clients use. But CBs know that accreditation bodies like ANAB and UKAS don’t really care, so long as the money flows to them through accreditation fees. Heck, BSI issued an entire contract to write QMS documentation — a specific ISO 17021-1 violation — and the entire thing was hushed up, without any action by UKAS.
Vice is Nice, But…. You Know the Rest
But it’s far worse when the relationship is between family members, where the expectation of enforcing any kind of firewall becomes the stuff of science fiction. It’s a poorly kept secret that the ANAB-accredited registrar Platinum Registration (Denver CO) is owned by Kerri Williams, who happens to be the wife of Colin Gray, the President of ISO consulting firm Cavendish Scott (also of Denver.) A number of their auditors have swapped roles, working at one moment for Platinum as a registrar auditor and at the same time as a consultant for Cavendish. Dan Nelson had written articles for Cavendish as one of their consultants, while at the same time performing audits for Platinum. Below is a screenshot of a Platinum audit report which shows both Williams and Nelson as co-auditors:
Cavendish’s “System Project Manager” Scott Liephart was also Vice President of Platinum, and gave a presentation on CMMI and ISO 9001 on behalf of Platinum. According to Radaris, Cavendish’s “Director for ISO Training and Internal Auditing” Emily Myers also worked as a Lead Auditor for Platinum at the same time:
One company, Majestic Metals, ran a press release openly disclosing that Cavendish had conducted its consulting and was later awarded ISO 9001 certification by Platinum. It’s unlikely Majestic Metals understood the potential conflicts of interest in play at the time. Ditto for companies Astek and USAVital, both of which ran press releases announcing they had utilized both companies.
[UPDATE: since original publication, both companies have removed those press releases.]
Cavendish ran a press release about a presentation Williams made to it, mentioning her role in Platinum, but without revealing that the two Presidents were husband and wife.
Again, ANAB has apparently not taken action on this arrangement, despite their full awareness of it. The ISO 17021-1 rules prohibit this arrangement in two clauses, and some careful — dare we say “creative” — parsing of the rules is probably how they justify this. At first, 17021 says this:
5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.
It is likely that Platinum would argue that Cavendish does not have a “relationship” with it, since the two are separate legal entities, even if the two Presidents are married. That probably wouldn’t hold water in court, since the revenue of both firms is eventually going into a shared bank account of the two executives, and paying their mortgage, but under the light scrutiny of ANAB, it probably works. And of course, on the third year, all bets are off, which has never made any sense, since most QMS records cycles are driven by the three-year contract with a registrar. That means in the third year of a CB contract, the consultant can legally audit his own work; but remember: ISO 17021-1 was written by the CBs and ABs themselves, so they made it easy for their team.
Next, however, ISO 17021-1 says this:
5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
Under this rule, Platinum need only switch bodies around to constantly avoid problems, by ensuring that they merely assign a different Cavendish Scott consultant to each client, so that the exact same consultant never acts as the auditor for that client. This is likely what they are doing, and how ANAB buys off on it, but it still violates the letter and spirit of the prior clause, which is not interested in individuals, but the companies themselves.
ANAB appears content that Platinum writes some “policies” about keeping the activities at arm’s length, and engages in some “risk assessments,” and is then happy if the paperwork is complete and, presumably, the fonts are nice. In real life, however, the interactions between Platinum and Cavendish are a tangle. Platinum had won a number of contracts with Oxebridge clients, with typical results: some clients loved them, others not so much. But they had sufficient enough satisfaction with my clients that they made my list of 5 recommended registrars, which I gave out when someone asked. But then one such client told me they were struggling with internal audits, and I offered some training only to be told that Cavendish had come in and taken over the consulting work. Williams offered up some vague excuses about it all being a coincidence and how she was too busy to know what her husband’s company was up to, and promised to file a vigorous internal complaint on my behalf. Then I never heard a thing about it. In my mind, they had poached a client, pure and simple; but if they ever had any other actual explanation, it was never forthcoming. So I stopped recommending any registrars at all, and now just warn clients against which ones to avoid.
Platinum also offers AS9100, but through an arrangement where they use NQA as the accredited registrar. Platinum essentially is a subcontract auditor for NQA in such cases, and NQA has this arrangement with a few smaller registrars who, for one reason or another, can’t get their own AS9100 accreditation. It’s weird, but apparently entirely legal. But it also means that NQA totally knows about the Platinum/Cavendish relationship, and they don’t care either. Since NQA is a huge client for ANAB, that could be why ANAB refuses to shut that whole arrangement down. It’s not like ANAB is going to de-accredit NQA-USA.
But Wait, … There’s More!
But speaking of NQA-USA, the registrar has its own nasty problem in the same area. Now I’m not going to name any names in this case — and trust me, I have my reasons — but one NQA auditor runs certification clients through a consulting firm owned by one of his children. That’s bad enough, but this particular auditor has no filters, and openly boasts to clients that it will be him, personally, that develops the QMS documents while on paper the consulting work will appear under his child’s company name. This same auditor was then found circulating the quality system manuals and procedures of various clients to other clients without permission, ostensibly engaging in widespread illegal distribution of third-party intellectual property and trade secrets, in violation of NQA’s contract and about 1 million laws on the subject. He gave these away as “examples” of his consulting work, and when I called some of the companies themselves, they were furious that someone was sending their QMS documentation to potential competitors without permission.
Oh: and all of this is heavily documented with multiple first hand witnesses. Just sayin’.
As if it couldn’t get worse, this consultant is also pushing some of these clients through a US Federal grant program. These grants prohibit their use for auditing services such as those for NQA, so if the NQA auditor is ultimately receiving the money, a potential for criminal fraud exists. Now you know why I’m treading carefully.
This arrangement has lasted for, by my calculation, at least a decade. It seems impossible that NQA would not be aware of this. Now the problem has surfaced again, as a client who had previously received “zero nonconformities” when audited by our friend a few years back now faces a flood of nonconformities after NQA assigned a different auditor who was witnessed by ANAB. NQA need only do about five minutes of internal record-pulling to find out what really happened, but that would require internal reflection and possibly revealing an internal scandal of significant magnitude, so to date NQA’s Kevin Beard and Arlen Chapman — the same guy who once said it was totally fine for NQA to audit against standards that don’t even exist — have done nothing. ANAB should be wondering how a client went from zero findings to total meltdown when the only thing that changed was the CB auditor, but it’s always easier to blame the customer.
Instructions: Lift Rock, and Look Underneath
From ANAB’s standpoint, this is not hard to uncover. One need only look at a comparison between the registrar and the consultants used by clients, to identify patterns. Most registrars already ask for the names of any consultants used by clients during their initial setup, specifically for this reason. If ANAB isn’t finding problems, it’s because they simply are not looking. In fact, ANAB would literally have to avoid following procedures in order not to find this, which takes effort.
The problems caused by nepotism in the CB/consultant relationships are obvious: it’s unlikely a CB will deny certification to a company that used consulting services provided by a family member. This results in companies with poor, cookie-cutter quality systems achieving certification, whether they deserve it or not. That dilutes the value and trust in accredited certifications, further blurring the distinction between the IAF accredited scheme and that of the lunatic fringe of certificate mills, who just openly accredit their own work, or don’t bother to accredit it at all. It turns ISO 9001 into one big printing party, provided families get paid off.
We Can Fix This
Which is why this has to be brought to the attention of Congress, and specifically the US House of Representatives Committee on Science, Space and Technology. I know I’m a broken record, but for those that didn’t know, eventually the US accreditation scheme is run by ANSI (that’s what the “A” in ANAB partly stands for), and ANSI CEO Joe Bhatia testified before that committee, telling them there weren’t any problems. The Congress deserves counter-testimony to call for a more independent review of the entire scheme, which by Oxebridge estimates costs the economy $1.5 billion annually (and much more in a “transition” year such as 2017-2018.) Part of that conversation has to be why ANSI does not hold ANAB accountable for its failure in policing these unethical, and at times potentially illegal, conflicts of interest.
Failing getting Oxebridge to testify (and if you want to help achieve that, click here), the most likely avenue will be the courts. The registrars may need to be sued into compliance, dragged into court, forced to open their records under subpoena, and prove — under oath — that their systems aren’t totally broken. And if they can’t, then they need to be held accountable under the full extent of the law. CBs like to send nasty-sounding cease-and-desist letters — and this article is likely to generate a few — but they rarely actually sue, because they are terrified of what discovery and subpoenas will reveal in open court. That day needs to happen, however. (Click here to see how you can help.)
If you’ve been a witness to nepotism or other conflicts of interest between your CB and their consultant, let me know. The more data points we have, the better.
In the meantime, some advice for ANAB and the other Accreditation Bodies: do your job. Clean this up. Your CBs and their auditors are not only violating the rules, but breaking laws. Failing to do your job will be very, very messy, and very, very public. And this will only hasten the US defection of companies away from certifying their systems, which cuts into your revenue. At one point, someone thought it was a good idea to write rules prohibiting conflicts of interest; it’s time to start enforcing them.
[Full disclosure: I’d been holding off writing this article for nearly two years, partly because the NQA auditor in question was one of my first trainers, and a former friend. In addition, I am aware that one of the managers at Cavendish Scott was having some health issues, and I didn’t want to pile on. Eventually, I came to the conclusion that I had to run the article, or I would be engaging in the very same behavior I was trying to highlight: ignoring problems due to personal preferences or connections. Now, let the chips fall where they may. — CP.]
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.