I’ve written extensively about the “myth of the integrated management system,” or IMS. As I wrote in my book Surviving ISO 9001:2015, the IMS was created by ISO in order to sell standards in bulk under the false premise that companies wanted to join their various systems together into a single, pulsating mass. ISO and its usual sycophants trot out a fact-free claim that the IMS is a worldwide phenomenon, with one CQI supplicant going so far as to claim that the majority of companies worldwide have now implemented an integrated management system. (I debunked that claim here.) In fact, as I had written, it’s likely that less than <0.001% of the world’s organizations have implemented an IMS based on two standards, with the numbers dropping much further to find those that implemented three or more.

The IMS idea also allowed ISO to violate its own rules, and that of the World Trade Organization, which dictate that voluntary consensus standards must be written… you know … by consensus. Specifically, that consensus must come from appointed delegates from ISO’s member nations, who pay annual fees just for that authority. But using the IMS concept as an excuse, ISO violated this core principle and wrote major portions of every management system standard itself, not allowing the world’s delegates to participate at all. The result was what is called “Annex SL” — a mandatory set of requirements written by the ISO home office and then imposed on the delegates. Their choice was to incorporate the Annex SL text in their works (as if they had written it) or face having their committees disbanded. Nearly all of the committees rolled over and agreed, and have since falsely asserted that they wrote the Annex SL text themselves. In reality, the entire ISO 9001:2015 clauses related to “context of the organization” and “risk and opportunity” were not even written by the ISO 9001 committee!

ISO stole the authority of writing standards from the world’s delegates, and took it for itself. To justify this, they insisted — without any data — that the world was demanding ISO standards be aligned and include identical text. It was a lie. No one asked them for this, but auditors and consultants are happy to repeat this lie ad nauseum because they’ve hitched themselves to ISO’s wagon.

Cock-a-Doodle-Doo, Baby

Now the chickens are coming home to roost. As some companies bought into the concept of the IMS and attempted to implement them, they are finding the certification bodies (CBs) aren’t playing along. Originally, ISO pitched the idea of the IMS as being something that would not only allow itslef to sell ISO standards in bulk, but also allow the CBs to sell audits in bulk. It made sense only if you can’t see more than five minutes into the future, which is about the level of foresight the average CB executive has.

In reality, a combined management system audit creates logistical hurdles that the incompetent registrars cannot surmount. For one, combined management system utilizing two different standards requires the CB provide an audit team comprised of auditors with expertise in each; if you’ve integrated ISO 9001 and ISO 14001, then the CB has to send a quality auditor alongside an environmental auditor. Things get a lot more complicated when companies try to implement ISO 27001 (information security management system) alongside ISO 9001, since the number of trained auditors for ISO 27001 is infinitesimal. Now imagine trying to implement ISO 9001 along a more obscure standard, like ISO 20000-1 (information technology service management system), where — in the US, anyway — there are only about two registrars who can even offer certification to the latter standard, with less than ten auditors available to audit it.

Coming up with an audit team that can simultaneously audit multiple standards means those different auditors all have to arrange their individual schedules to appear on the same day at the same client. It means they have to coordinate their report-writing and nonconformance reporting. It means they have to engage in a lot more unpaid work behind the scenes: talking to each other, exchanging emails and reports, collaborating on schedules. In many cases, it’s like asking a bluegrass band to suddenly play in harmony alongside the Boston Philharmonic Orchestra and Motörhead all at once, and without ever having practiced together.

The CBs can barely manage the process of scheduling and conducting audits of a single management system; how many of you have received your audit schedule only 24 or 48 hours before the actual audit day? (It’s supposed to be provided well in advance.) In many cases, you’ve never received a schedule at all, I’d bet. And in such cases, that’s one Lead Auditor providing one schedule against one standard; now add another standard and MS and you see the problem becoming exponentially more difficult.

In some cases, the CBs just refuse. A UK client reported to me just this morning that they have tried for years to have their ISO 9001 / ISO 27001 integrated system audited simultaneously by BSI, to no avail. Instead, BSI reps have pushed them hard to have their systems un-integrated (or, if you prefer, “disintegrated”), and insisted on conducting separate audits. The company is burning up money and time having two different auditors audit the identical clauses which Annex SL promised to streamline.

In other cases, the CBs cannot comply at all, even if they wanted to. One of my Washington DC clients recently tried to have its ISO 9001 quality management system audit combined with its new ISO 27001 information security management system audit, only to find out their current CB isn’t even accredited for ISO 27001. Now they have to fire their registrar and start over with a new one, adding more costs and delays. Worse, they have a government contract pending that relies on them having both ISO 9001 and 27001, and they may lose the opportunity to bid, all because the registrar doesn’t have the right accreditations.

The most common IMS is comprised of ISO’s two flagship management system standards, ISO 9001 and ISO 14001. In such cases, there are auditors who can audit both simultaneously, but typically their strength lies in one and not the other, and they’ve only been able to get work as a “dual” auditor because the training requirements for either are so impossibly low. What this means, then, is even if the CB can provide a simultaneous 9001/14001 audit, it’s likely on half of the QMS will be poorly-assessed, exposing it to risks when new auditors later assigned by the same CB — or, worse, customers! — find nonconformities left undiscovered by the original auditor.

Time to Call Your Lawyer

The problem exposes yet another facet to the eroding ISO certification scheme. Not only is the ISO standards development process corrupted by private consultants who make standards difficult to understand so they can sell consulting services later, but ISO itself has violated WTO regulations in order to slowly steal away control over the content from the world’s delegates and industry experts. At the same time, the accredited CB scheme — led by the conflicted and incompetent IAF — has allowed CBs to run roughshod over the customers who have to pay for the entire thing.

Frustration and disgruntlement with ISO and the certification market are at an all-time high. But ISO and IAF are unlikely to care, since they are private organizations responsible only for paying the salaries of officers, who make their money one way or the other. With their hooks in governments, the destruction of the dubious ISO standards machine is unlikely, even if thousands of companies vote with their wallets and drop the standards and associated audits. Only through legal action — suing the companies and their officers in court — is change likely to happen.

If you are frustrated with this mess, contact your lawyer, and then contact Oxebridge. The fix will be ugly and probably expensive, but it’s fixable. Until these problems are litigate by people with actual authority, and not self-managed by people with authority they granted to themselves, it will continue to pollute international trade.

 

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.