As reported, the ISO Technical Management Board (TMB) is at it again, convening a group to begin an early “fix” of Annex SL, the document that defines the mandatory “high-level structure” (HLS) that all ISO management system standards have to comply with.

Quick history: Annex SL was originally proposed as ISO Guide 83, and was born out of the convoluted efforts by Australia’s Kevin Knight to create a standard on risk management. That eventually happened (as ISO 31000) but Knight — with his foot in the door at ISO — was then successful in convincing TMB that all standards needed to address his baby, risk management. At the same time, the TMB was working on the HLS concept intended create a set of formatting and structure rules so that various ISO standards would look similar. The mandate for this work product was structure only (thus the name “high-level structure“), but soon enough the sub-committee asked for an expansion of their mandate, and permission to write content as well. Under ISO’s own procedures, however, content can only be written by industry experts nominated by the various ISO member nations, through their mirror committees, and only during official standards-writing stages by ISO Technical Committees (TCs). TMB, answerable to no one, ignored this and gave the HLS team permission anyway, and then carried Knight’s water, requiring that any “common core text” include risk, because it was a hot buzzword.

The various TCs would have been within their rights, under ISO’s procedures, to object to this incredible incursion on their “one and only job.” Instead, the various TC chairs — most of whom, if not all, are private consultants or registrar reps — saw the HLS as a means of making some money for themselves, and so they acquiesced to the TMB. Sure enough, TC176 chairs and reps began selling risk management consulting services thereafter.

The HLS was originally developed as an ISO Guide, specifically “Guide 83,” and such guides are developed under certain rules, requiring voting. Guide 83 was submitted for voting, but only 9% of the world’s ISO members even participated in the voting, with the rest being wholly unaware that Guide 83 even existed. This allowed it to just scrape past approval with only 16 countries voting to approve it, despite ISO having 162 member nations. ISO wasn’t happy with this close call, however, so it scrapped ISO Guide 83 in its draft stage, and moved the text over to a document called the “ISO Consolidated Supplement.” This document, which undergoes no voting at all, is a mandatory internal set of procedures for which TCs must follow, lest they be disbanded. Any deviations to the Consolidated Supplement must be requested formally from the TMB, who reserves the right to deny them; in fact, the ISO Consolidated Supplement says so, right in its text.

By putting the HLS into the Consolidated Supplement (inserted as Annex number “SL”), ISO avoided having to submit the HLS for any voting at all, making it — overnight — something the TC’s were forced to adopt. Knowing it would be unpalatable to customers, ISO subsequently branded this move as a response to “worldwide demand” for integrated management systems; these are when companies opt to implement multiple ISO management system standards, side by side, such as simultaneously implementing ISO 9001 and ISO 14001. The argument, according to ISO, was that the Annex SL high-level structure made such integration easier, since the HLS dictated a common paragraph numbering scheme and common “core text.”

Many users were hoodwinked, never knowing that the “common text” appearing in ISO 9001 was not written by nominated quality experts, nor the “common text” in ISO 14001 being written by nominated environmental experts.  Armed with ISO’s mighty publishing empire — ISO is a publishing company, first and foremost, remember — the meme that Annex SL was intended to facilitate integrated management systems went viral.

Now, ISO has leaked that the TMB is working on Annex SL 2.0, and is “soliciting” volunteers from the various member nations to assist. What ISO is not telling anyone is that (a) their recruiting is as half-hearted as it was back when they were working on Guide 83, and (b) nothing the volunteers say will matter anyway since Annex SL and the ISO Consolidated Supplement is never submitted for any voting, period. It is likely that ISO will hold a symbolic vote on a draft, yes, but it won’t matter; read it again: the ISO Consolidated Supplement, including its Annexes, are not subject to any international review or approval. Ever.

Annex SL 1.0 was never formally approved by the TCs, and Annex SL 2.0 won’t be either. It won’t matter how much the various ISO mouthpieces insist otherwise.

Annex SL Was Already Reviewed… and Ignored

As I said, only 16 out of 162 countries voted to approve the original Guide 83. Much of this was due to the member nations and TC Chairs being unaware of Guide 83 when it was out for votes. But later, when various TCs got a real look at Annex SL during the revision of their various standards, they were appalled. For TC 176, for example, the official registry of comments by member nations show that they routinely rejected language imposed on them from Annex SL, and repeatedly requested changes. In all cases, the requests were rejected by the TC 176 secretariat, under the justification that changes to Annex SL were disallowed entirely. The comments were thrown out. Poof.

For example, Italy made the following request for change, and attempted to assist in integrating language between 9001 and 14001, which was denied in whole:

The wording “risks and opportunities” can be misleading and it is not in accordance with ISO 31000 and ISO/Guide 73. The wording used by ISO/DIS 14001:2014 is more clear and it is also in accordance with HLS. Adopt ISO/DIS 14001 wording replacing “risks and opportunities” with “risks associated with threats and opportunities”.

The US chimed in, upset over the adoption of Annex SL’s application of the word “risk,” and calling out ISO on the fact that Annex SL was causing rifts between the management system standards, not creating commonality:

Consideration of the word risk. The US TAG to ISO TC176 supports the use of the word risk and risk-based thinking in ISO 9001. With that said, we are greatly concerned regarding the ongoing debate about the definition of the term, concerns raised by ISO TC 262, and different approaches being undertaken in ISO TC 176 and ISO TC 207. (This includes discussion between the United States mirror committees (US TAGs) for ISO 9001 and ISO 14001). The purpose of Annex SL is to bring commonality for users of more than one management system standard. The different approaches being discussed by ISO TC 176 and ISO TC 207 for ISO 9001 and ISO 14001 has the potential to cause more confusion in the marketplace than to improve understanding. In addition, the definition of risk includes opportunities which seems to be driving much of the discussion related to the term risk.

The Netherlands also balked at Annex SL’s risk terminology:

Only use the term risk in ISO 9001. Delete the term opportunity/opportunities when used in combination with risk.

Poland suggested changes to the language on “context of the organization,” and was utterly rebuffed by TC 176 leadership:

We suggest to add statement that organisation shall use results of external and internal issues monitoring in quality management system planning.
The purpose of determination and later monitoring of external and internal issue is not defined.

ISO’s golden child China was also shown the door with its suggestion on changes to Annex SL’s text on risk-based thinking:

Major goal of risk based thinking is not only to address the risks but also to minimize them. Clause 4.4.f) reads: “the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them.” [Suggest changing to] “the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address “the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them, and if necessary to reduce them.

It goes on and on: Japan, Ireland, Israel, Argentina, Germany, Brazil and others each suggested changes or issued formal concerns regarding the mandatory text imposed by Annex SL, of which every single one was rejected in whole. In many cases, as noted above, the argument was that adopting the Annex SL language would make integration worse, not better. Another primary source of tension was the overwhelming rejection of Annex SL’s handling of risk and opportunity.

Nevertheless, as the process moved forward, the TCs fell into line despite their comments being tossed, and eventually voted to approve the standard anyway. With, as I said, most of the TC Chairs and major leaders being private consultants, there was money to be had in providing training and consulting if the resulting standard was as confusing as possible. This is why the same people who raised tepid resistance early in the process turned tail and cowardly once ISO let them know it was all a foregone conclusion.

Disintegrated Management Systems

After its publication, Annex SL was rightly blamed for many of the failings of ISO 9001 and other updated standards. Even one of the TMB’s main actors, Dr. Anne-Marie Waris, who was personally responsible for drafting the original Guide 83 text, found herself agonizing over the ensuing problems that Annex SL created for auditors.

Now the TMB finds itself faced with declining ISO 9001 certifications and a flood of bad press from a bungled rollout of Annex SL and the various standards. But whereas most of us realize that repeating a bad thing and hoping it improves never works, ISO never learned that life lesson. So they head into playing out the same scenario yet again, bullheaded in their belief that this time they’ll get it right.

The committee has already leaked that the changes to Annex SL will be largely confined to fixing “risks and opportunities,” the very thing that dozens of ISO member nations told them was hosed up going as far back as 2013 or earlier; remember those hundreds of comments the TC 176 leadership rejected? TC 176 could have pushed back on the TMB, and said, “no, we are tasked with writing ISO 9001, not you,” and fixed the broken text, but cowardly and conflicted leaders opted not to do that. But now, after Annex SL was forced through and granted universal immunity, now they admit they have to fix it.

Which brings us to the next point. Such a move debunks utterly the false argument made by ISO that Annex SL was intended to help companies integrate management systems. In fact, Annex SL was intended to juice up ISO’s bottom line, which is derived from publishing books. Introducing standard content, written by the TMB in a streamlined, non-democratic process, helps cut standards development time. Letting slow-moving TC’s do the work often results in standards taking double the time expected; rather than having a new standard every five years, ISO is lucky if they can get an update in seven or eight.  Limiting debate among ISO members also cuts down time, and having unwritten rules that force a TC secretary to automatically throw out any comments related to Annex SL helps speed things along even more.  ISO only makes money when standards are offered for sale, not when they are in development; with the TMB writing content instead of the TC’s, ISO can get standards to press faster, and then post them for sale earlier.

But how, exactly, will Annex SL 2.0 hurt integrated management systems? Consider this: TMB is promising that standards won’t have to undergo an early update to comply with Annex SL 2.0, which is yet to be seen (ISO lies all the time), but let’s assume it’s true. If the new Annex SL hits in 2020, as promised, then ISO 9001 will be up for its five-year review assessment, and will likely update to comply with the new text. That means that ISO 9001:2022 will be a quasi-major update, causing its own havoc. At the same time, ISO 13485 for medical devices will not be up for review, and so will continue to exist without updating to Annex SL 2.0.  ISO 45001 won’t be up for review many years after that, so it will toddle along under the now-defunct Annex SL 1.0 language for a long time.

So we will thus have a series of standards that are running in parallel, but which no longer align. The various management system standards that Annex SL promised to “integrate” will be de-integrated, overnight, the minute Annex SL 2.0 is published. Some standards will adopt the new language, some will still have the old language. They will all fall out of sync, unless they undergo early revisions. That latter move is sure to cause worldwide outrage, and is not something ISO wants. So de-integrated, de-synchronized standards are a near certainy.

Now look at the fallout: registrars will have to develop special procedures and checklists to audit integrated systems where half of the system is written to comply with Annex SL 1.0, and the other half on requirements dictated by Annex SL 2.0. This means the IAF and accreditation bodies will also have to develop new rules to govern this mess, so the registrars can retain accreditation.

Users will face a nightmare: now their ISO 9001 section on “risk and opportunity” will have to be edited to adopt new language, which may cause conflicts with the old language still being used for their ISO45001 or ISO 13485 systems. Companies will find they have to split their systems, or at least divide their integrated system manuals back into separate sections. Then, they will have to train their internal auditors on how to manage this minefield, as well.

For the various TMB and TC chairs responsible for this mess, they don’t have to worry about this. They don’t work for companies that are actually certified, and stand to make money selling consulting services later. I envision a whole crop of “Annex SL Upgrade” services being born. They really don’t care about ramifications, because they can’t think more than five minutes into the future.

Worse, the Annex SL rewrite is doomed to fail as much as the first one, since it will again lack subject matter experts in all the disciplines affecting the dozens of standards impacted by it. That’s by design, and ISO knows it, but it doesn’t stop TC chairs from being hoodwinked, too. Incoming TC 176/SC2 Chair Paul Simpson said, on LinkedIn, “It will be interesting to see which of the ISO TCs puts forward experts to contribute to this work.” More cynically, US TAG 176 Chair Paul Palmes said, “ISO standards are made by those who show up.”  The attitude of these leaders is that it’s your fault if you don’t show up, they are going to publish this thing anyway.

But that’s not how it works. ISO is under obligations driven by its own procedures and regulations put forth by the World Trade Organization to ensure that standards are made by industry experts; simply opening up a half-hearted invite, and then proceeding if no one attends, is a violation of that core concept. ISO must have a quorum of experts, and can’t push through standards if the only people who “show up” are conflicted consultants and full-time ISO staffers. This is exactly why Annex SL screwed up risk and opportunity, and why they have to fix it: they never got consensus from actual risk managers on the terminology, and relied nearly solely on Kevin Knight’s lunatic ravings.

Take a look at this quote from the official ISO website:

When the World Agrees: One of the strengths of ISO standards is that they are created by the people that need them. Industry experts drive all aspects of the standard development process, from deciding whether a new standard is needed to defining all the technical content.

ISO can’t, with any straight face, make this claim if their standards are written not by industry experts, but only by those “who show up,” and even then by a non-elected committee answerable only to the TMB, which only allows 15 of the world’s nations in its doors. That’s not “when the world agrees” by any stretch.

If you’re frustrated by the TMB’s latest hamfisted move, then write to TMB head Sophie Clivio and let her know that not only should Annex SL revision be abandoned, but the requirement that standards comply with it be retracted entirely. ISO standards must be written by industry experts, not the TMB.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


Traditional Tri-System