Winter Haven FL — A number of online companies offer “ISO-in-a-box” solutions to implementing ISO 9001, packaging a number of documents and forms that have been pre-written as boilerplate templates, with the thinking that if you just customize them yourself, you will have a compliant ISO 9001 system that can pass scrutiny during an accredited ISO 9001 audit.Likewise there are similar pre-packaged bundles for ISO 13485, AS9100 and even TS 16949.
Oxebridge has been opposed to this approach, not because it fears competition (as we always say, there’s enough work in ISO 9001 to go around for everyone), but because our direct experience — through that of clients who have attempted implementing ISO 9001 with such templates — tells us these packages don’t work, and result in many companies failing their first audit. That introduces new “hidden costs” such as the fee for an entire additional audit by the registrar, along with all those associated travel and incidental expenses charged by the auditors.
To date, Oxebridge has been hired to “clean up” over 15 such systems, after they failed an audit by an accredited* registrar. Oxebridge had been brought into the company with the intent of correcting the major nonconformities, and upon seeing the use of such “store-bought” template packs, Oxebridge was forced to re-write much of the documentation from scratch, because the documents did not come close to complying with ISO 9001 or AS9100. This resulted in unnecessary expenses to the client, who thought they were saving money by buying a cheap package that promised compliance, and didn’t deliver.
Here are seven reasons such pre-packaged programs do more harm than good to companies that attempt to use them:
- THEY DO NOT COMPLY. Despite claims to the contrary, these pre-packaged kits do not generally comply with their standards (ISO 9001, AS9100, etc.) as they pertain to the user’s company. They may address all the requirements of the applicable standard, but “addressing” and “complying” are two different things. According to accreditation rules under ISO 17021 (the rules which govern registrars), a Stage 1 audit (often called a document review or on-site readiness review) must be first performed to determine if the client company has addressed the requirements. Such kits help in this regard only. The Stage 2 audit performed by the registrar confirms compliance to the applicable standard. Having documents which only address the requirements, but which do not prove the client complies with the standard, may inevitably lead to major nonconformities issued during the Stage 2 audit. That means the client must fix the problems, and undergo a completely new Stage 2 audit (and in some cases, a Stage 1, too) effectively doubling registration costs. This is because the documents are written generically, for any organization, and therefore do not address how a specific company has interpreted and implemented each “shall clause” of the applicable standard. A clear giveaway, and typically an instant nonconformance, is how these kits handle ISO 9001 clause 4.1, which requires you to identify and then manage your processes. this is an exercise that is intimate to each company, and cannot be handled by a generic document; you must define your processes and then apply clauses 4.1 (a) through (f) to them, and a kit boilerplate cannot ever hope to achieve that. Only do these kinds of systems pass an audit when the auditor him/herself does not fully understand the process approach, a common problem plaguing the ISO 9001 and AS9100 world.
- THEY ARE TOO GENERIC. Documents that are written once, for any type of organization, cannot be specific enough to prove to an auditor how your company does business. The worst form of these are the cut-and-paste type templates, that prompt you to literally replace every instance of “YOUR COMPANY NAME HERE” with (of course) your company name. Such templates usually give themselves away immediately when the company name appears in ALL CAPS throughout the documents, alerting auditors that templates were used. (Worse offenders are those ISO-kit providers that include their logo at the top of every page! Such generic documents make no distinction between whether their client is a manufacturing facility, a service provider, a municipal agency, a government body or any other possible user of ISO 9001. These documents tend to pass the registrar’s Stage 1 document review, but will either fail at the on-site assessment portion of Stage 1, or fail at the full Stage 2 compliance audit portion.
- THEY DEMAND RESOURCES IN ORDER TO COMPLY. Most of these ISO-in-a-box kits offer prompts throughout each boilerplate on what your people need to fill into the document in order to customize them properly. The problem here is that a single sentence or two of prompt cannot hope to yield the same result as someone who writes a custom document based on ISO 9001 training and experience. As a result, the prompts themselves are often misunderstood, and soon the company realizes they need to send their ISO team employees to outside, additional training on the ISO or AS standards themselves, which can run $1,500 per head. In short, in order to properly customize such templates, your employees need ISO training first. The end result otherwise is, as before, too generic and generally non-compliant with the particular standard, resulting (again) in a failed third-party audit.
- THEY DO NOT ACCOUNT FOR EMPLOYEE TIME AND SALARY. Companies who purchase an ISO 9001 “kit” may only spend hundreds to a few thousand dollars for such a kit, and then fail to recognize that the time and human resources it takes to customize documents properly, and to write additional documents that may be required outside of what is provided by the kit, equals costs outside of the price of the kit. This means taking people off of their daily duties and putting them on tech writing assignments, to customize the documents. Often managers forget to ask themselves how much is this extra work impacting not only the person’s daily tasks and responsibilities, but what impact is it having on that person’s wages? Lost wages, due to working on ISO projects, must be factored into the overall cost of an ISO implementation program. With ISO-in-a-box kits, nearly 100% of the work must be done in-house, meaning a large drain on daily productivity and lost wages. Compared to a consultancy that writes custom documents, from scratch, for you (as in Oxebridge’s Rapid ISO 9001 and Rapid AS9100 programs), the kit approach may actually cost the company more money in the end, while increasing the risk of failing an audit.
- THEY REQUIRE IN-HOUSE TECH WRITING EXPERTISE. Your employees are hired for certain tasks based on their abilities. Suddenly, when purchasing an ISO 9001 template kit, you are asking your staff members to become expert word processors and tech writers. Any manager who works with government contracts knows that developing a proposal in response to a government RFP requires tech writers of very high caliber, and that not everyone has that skillset. this is true when drafting ISO 9001 documents, as well, as it requires technical writing as it pertains to ensuring that each ISO 9001 or AS9100 “shall clause” is clearly addressed and represents the truth, in a technical manner. Managers who throw the kit at employees with poor writing skills and no tech writing background may find themselves with a compliant set of documents, but a set that cannot be understood by the auditors or employees because they are so poorly written. Having intelligent employees does not always equal out to having good writers. This means, in some cases, the company must hire additional temporary staff just to complete the boilerplate documents.
- THEY FORCE THEIR SYSTEM ON YOU. The ISO kit approach assumes you will use all, or at least most, of their provided forms and documents, since the documents and forms tend to cross-reference each other. This means that if your company has used a certain type of inspection report for 15 years and is happy with it, you must now switch to the inspection report included in the purchased kit, whether you like it or not. Taken to the extreme, this can mean that an anonymous writer of a generic kit has decided what is best for your company, and is forcing you to change all the things you have done for years, despite the fact that these historical activities may not only already meet ISO 9001, but exceed it. Without a human being assessing the need for documents and records, you could replace a nearly-compliant and fully customized system that you have now for one that actually steps your company backwards, away from ISO 9001 compliance, by mandating you use new forms and procedures.
- YOU MAY NEED A CONSULTANT ANYWAY. As mentioned before, Oxebridge has had to come in and “fix” such systems many times, after clients failed an audit using a template-based system. This is an additional cost, making the money and time spent on the work using the templates wasted entirely. Often we tell clients that their original documentation, forms or methods were fine as-is, and that the template documents drove them away from compliance, rather than towards it. In our case, Oxebridge has gained the nickname “The Fixer” – the company that is called in to fix the disasters left by other consultants or ISO-in-a-box template approaches.
If your intention is to not only implement a natural, organic ISO 9001 or AS9100 system that meets the full requirements of the applicable standard, and which can pass the scrutiny of an accredited third-party certification audit, the use of ISO-in-a-box, “store-bought” systems may sound appealing, but will generally result in numerous minor, if not major, nonconformities during the audit.
Your two alternatives are to either train your employees on ISO 9001 using one of the many available courses across the country, or hire an implementation firm like Oxebridge to assist in the effort. The urge to reduce spending may be strong, and the appeal of cheap ISO kits is thus evident, but between hidden costs and high risks of failure, the other options should be considered first.
(*NOTE: throughout this article we have used the term “accredited registrar”. This is because the growth of unregulated, unaccredited registrars is becoming more and more of a problem, and such registrars — who are not recognized by your customers, generally, making their certificates worthless — may well let ISO-in-a-box systems pass an audit, even if the system does not comply with ISO 9001 or whichever standard is being audited. Readers are advised to always and only use registrars accredited by ANAB, UKAS or another IAF-signatory accreditation body.)
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.