(This post will be updated regularly; updates appear with most recent updates first.)

August 12, 2014:

UKAS has submitted their reply on the LRQA investigation. This one is much, much more troubling for ISO 9001 end users. While the overall response was as expected (they sided with LRQA!), the amount of work they put into getting to that twisted decision was remarkable. This time they ignored some key points of the complaint, and stretched both definitions and common senses to beyond any reasonable breaking point. UKAS actually came up with an official position that says CBs are within their rights to cut off processing complaints a valid step when processing complaints.

As mentioned, this is as expected. If you jump down this post to the end (see the first entry dated January 16) you will see the blueprint played out pretty much as predicted.

I am betting much of UKAS’ “investigation” time was spent not on actual investigation, but rather on having the entire mess vetted by its attorneys to see if (a) they could sue Oxebridge to stop this kind of thing from going public again, and (b) if they could be held culpable for any resulting fallout. We will see soon enough if UKAS sues, but the fallout factor is more unpredictable. If a Hoerbiger Hungary product winds up getting recalled or, heaven forbid, killing someone, UKAS is going to have to answer to how it enabled an environment where counterfeit certificates are not punished, but instead rewarded with freshly minted, accredited ones.

Of course the unaccredited certificate mills are loving this. This proves that accreditation has no purpose whatsoever, and that it’s just a game to ensure ABs get a piece of the pie. That will create two potential problems for the ABs, UKAS. If CBs are not held accountable to the rules, then why have them? Why would any CB continue to feel the need to pay those expensive AB fees for every client? So if we suddenly see some of the bigger CB’s bolt from UKAS, this would not be a surprise. And this will only hasten the growth of the unaccredited certificate mills, who sell certificates for $500 without the need for an audit. If accreditation is meaningless, why not save the money and just buy a cert online?

Well done, UKAS. You just shot yourself in the face, in front of the entire planet, all for a few extra bucks from some Hungarian guy.

August 1, 2014:

UKAS has submitted their report on the BSI investigation. While the end result is not surprising (siding with BSI), the amount of work put into the investigation is, at least, unexpected.

Read here for more.

July 23, 2014:

UKAS has written indicating a need for more time on the LRQA complaint, extending it to August 15th.

July 22, 2014:

Time’s up. The 90-working-day window for investigating the complaint against LRQA has run out. UKAS hasn’t updated me on the status yet. There’s been little movement on the issue, at least visibly. The LRQA ban on Oxebridge emails remains in effect and the re-bidding for the contract that Hoerbiger wants is still underway (or concluded — not sure.)

Meanwhile, I am in touch with an EU attorney who suggests that the LRQA/Hoerbiger/Company X arrangement may be a violation of a number of local laws, including those against fraud, unlawful favouring, and abuse in “public procurement process.” These are criminal offenses, punishable by up to five years in jail for those found guilty.

spoilersNow to be clear: it’s not certain who in that triumvirate would be held accountable to those laws. Hoerbiger would be a good place to start, but if LRQA was enabling them to use a counterfeit certificate to gain access to a contract illegally, they could be treated as an accessory. But who knows, maybe Company X faked the cert, and Hoerbiger didn’t know it? Anything’s possible.

Either way, if LRQA had done its due diligence under ISO 17021, it wouldn’t be in this hot seat. If UKAS drops the ball, too, then it’s heading toward the real endgame. Which is…

… no, wait. I can’t tell you that part yet. No spoilers!

June 2, 2014:

After a long — really long! — stretch of silence, some news is coming in on the status of the two complaints.

For the BSI complaint, UKAS notified Oxebridge of their need for an extension. Technically their deadline was up today, but they have extended it “an additional working month” which would put us at August 6th, since they don’t count weekends. It looks like if anything BSI has upgraded their Entropy website with some new graphics, and not exactly reined in their marketing, but maybe I never noticed some of the animations and photos before. Either way, there is no visible action happening with BSI’s co-marketing of consulting and auditing, which leads me to think the time is being spent on how, exactly, UKAS can appear to be “standing tough” with BSI, but while ensuring they can do whatever the hell they want. We will see.tumblr_lohzms4iWp1qame3z

As for the LRQA complaint, that’s even darker. Sources in Hungary and Croatia indicate that something is afoot. Recall that the complaint started when “Company X” (to me unknown) received a counterfeited LRQA ISO 9001 certificate from a division of Hoerbiger. The complaint was pretty much ignored by LRQA, and then it landed in my lap. When I took it on, LRQA responded by threatening a lawsuit, and blacklisting my email domain, cutting off all communication. That resulted in Oxebridge escalating the complaint to UKAS.

So the three of them appear to be in bed — Hoerbiger for falsifying the cert, Company X for accepting it even though they knew it was fake, and LRQA for just granting Hoerbiger a real cert after the ploy was revealed.

Now Company X seems to be bending over backwards to give Hoerbiger that contract, by dropping the requirement to have ISO 9001 for its vendors, thereby doing an end run around the whole problem. But LRQA is still on the hook, thanks to yours truly, now that we have UKAS investigating them.

But here’s where it gets ugly. According to EU law — of which I don’t pretend to fully understand, but now have lawyers in Croatia, Hungary and Austria working with me on — the counterfeiting was illegal, and if prosecuted, could result in criminal charges and ultimately jail time for those involved. Unlike in the US, where CB’s and AB’s get to shrug if anything happens to their clients, EU regulations put LRQA and UKAS in the hot seat, if it’s proven that they knew about the circulation of counterfeit certs, and didn’t report it.

ListenSo UKAS is in a real pickle. If they don’t slap LRQA’s Austrian office hard — like REAL hard, by revoking their accreditation — and it’s later proven that LRQA and Hoerbiger conspired to cheat in order to get Hoerbiger that Company X contract, lots of people could be going to jail.

You listening now, Denis Ives?

And UKAS could then be held in violation of EU laws which govern the operation of accreditation bodies.

The easiest, if not happiest, solution is for UKAS to just do it’s job and cite LRQA, and we can all move on. LRQA gets investigated for 12 months or so, and after that they get their accreditation back.

But Accreditation Bodies are like snowmen. They melt when exposed to light, and they have no balls.

April 2, 2014:

waitingBoth complaints remain in the hands of UKAS, with no further notification to date. This is probably not surprising, seeing the severity of the allegations made against both BSI and LRQA. UKAS has a lot of work to do, whatever their motivation may be.

If anyone’s interested, the UKAS complaints process is defined here.

March 5, 2014

UKAS has acknowledged the LRQA complaint, and it’s now underway for processing.

March 3, 2014

In what can only be described as an absolutely monumental exhibition of stupidity and arrogance, LRQA has instituted a server side blacklist on any mail sent to it from the Oxebridge.com domain. See this:

This was discovered after I sent them a copy of the complaint escalated to UKAS. As soon as I saw this, I had to contact my folks here and amend the complaint to add this new data point. You can read the final, amended version here.

I can’t imagine what Denis Ives and the folks at LRQA were thinking. This would provide clear evidence of their willful intent to deny due process of a formal complaint, which is an utter contradiction to ISO 17021. It’s also totally useless maneuver, since I just sent it to them using a Gmail account thirty seconds later. So it only acted to exacerbate an already toxic problem facing LRQA.

Did they seriously believe this would somehow get them out of this mess, and not worsen it? Amazing.

In any event, the complaint now rests with UKAS.

February 28, 2014

I received a strange report that one of my sources received some pressure from their management for having contacted LRQA about the Hoerbiger Hungary problem. I don’t have all the information yet, but if true, it appears someone from LRQA contacted the company and may have made some disparaging comments about the source, prompting their manager — who probably doesn’t know anything about the situation, so therefore is just getting all of this out of context — to warn off my source from contacting LRQA again. I am trying to find out if this amounts to a threat or not. Whatever it is, it’s weird and unprofessional. Let’s hope it’s just some miscommunication.

However, I will escalating the complaint against LRQA next week to UKAS. They’ve had a month to acknowledge it, and have failed to do so. I think I’ve been patient enough.

Poor UKAS.

February 23, 2014

UKAS has confirmed that the BSI complaint has been assigned reference number 225611.

Still nothing from LRQA. Given how quick they were to fire off that lawsuit threat, I can only imagine they are having their Legal Department scour over this site, and the complaint, for some new angle to try to get this site shut down. That still won’t explain away their Hoerbiger Hungary problem.

February 18, 2014

UKAS has confirmed receipt of the BSI complaint and is assigning the issue to an investigator. Per their notice, “We aim to complete our investigations into complaints of this nature within 90 workings days of receipt.” So that sets a rough timetable.

What’s frustrating is that by pure coincidence, UKAS will be getting two such complaints from us (when we add the LRQA one, which seems pretty inevitable) and we run the risk of not being taken seriously. Hitting UKAS with two separate escalations in the same month makes us look like trolls, and could hurt their objective review of the issues at hand. Oh well, nothing we can do about it. This was just a result of timing.

February 17, 2914

Running low on patience, I’ve notified Denis Ives that if a response isn’t forthcoming soon, we will be escalating the LRQA complaint to UKAS, and adding a few other allegations related to their inability to process complaints properly. I also blind cc’ed every senior manager at LRQA, so it tomorrow should be an interesting morning at Lloyd’s.

February 15, 2014

As reported, we escalated the BSI complaint to UKAS. I suspect UKAS will focus on the Entropy thing, and ignore all the other various services BSI is openly marketing to certification clients. Let’s see.

Meanwhile LRQA is blowing us off entirely. More than two weeks in, and they haven’t even acknowledged receipt. After their last stunt, my patience is officially worn out, so they’d better get cracking.

February 10, 2014

The LRQA thing gets weirder. Now we found out that the office that issued the “legitimate” LRQA certificate isn’t even listed on the LRQA site as an official branch, nor does it appear on the UKAS list of accredited CB’s. It’s probably just a set of coincidental website muck-ups, but it’s another black eye for Lloyds.

Read the strangeness here.

February 9, 2014

BSI has written back (finally) and the result is underwhelming to say the least. It almost reads like a form letter (do they send a lot of these?) While the entire response can be read in 30 seconds, here’s the three-second summary: BSI is claiming that software tools aren’t really “consulting services” and that everything is just fine, thank you, because the accreditation bodies signed off on it.

Let’s be real clear: BSI’s Entropy™ software is being used to craft quality systems. It’s not only responsible for telling clients how to implement nearly every clause of the ISO 9001 standard — including internal audits, management reviews, corrective & preventive action, and process measurements — it’s even providing the client the procedures on how to do this. This is the exact functional equivalent of BSI writing the Quality Manual, then certifying it, but saying it’s all just fine because they never provided a typed hardcopy, and instead just delivered everything over email.

Now there’s no way BSI will ever convince anyone that Entropy™ isn’t a conflict of interest. The only way to win, therefore, is for them to have the conflict of interest officially endorsed. Their response basically shows that this is their intended defense strategy.

Will it work? Of course. Early word is that ANAB is just fine with all this, so we are escalating to UKAS. I did, however, give a heads up to Randy Dougherty of ANAB and IAF, as well as IAF’s Norbert Borzek, that we fully expect UKAS to punt, and the whole fiasco to get escalated to the IAF. I have been clear about what the (inevitable?) IAF sign-off on this conflict of interest will mean: CB’s will be given the green light to do unrestricted consulting, and finally receive the authority to certify their own systems, in the same manner as all those certificate mills. 

No one — not UKAS or the IAF — are about to take on BSI, and those thinking otherwise are deluding themselves. Even ISO wouldn’t take on BSI. BSI has the resources to just start a competing standards body, and they have the historical grounds to do just that.

So as a result, I am already two or three steps ahead. But I don’t want to give away the endgame just yet, that would suck all the drama out of this adventure. Suffice it to say, there are ways to get this resolved by parties who don’t kowtow to BSI, and who have actual authority to enforce it.

So stay tuned.

February 5, 2014

It’s now three weeks since the BSI complaint was submitted, and we haven’t received even the formal acknowledgement, as required by ISO 17021 clause 9.8.7. I’ve sent an email reminding them.

Likewise, the LRQA complaint has not been acknowledged, although we’ll give them some more time.

Jan 28, 2014

We have revoked our previous complaint against LRQA and replaced it with a new one, granting LRQA the benefit of the doubt that Denis Ives’ account of the Hungary events are truer (more true?) than those of his counterpart, Bjoern Mueller. The thrust of the complaint (which can be downloaded here in its entirety) is that LRQA somehow certified the Hoerbiger plant while being informed of that it was distributing a certificate which LRQA confirmed was counterfeit.

I expect the defense will be that they resolved the problem with Hoerbiger, but the dates are worrisome. Ives claimed the audit was completed on October 31st, which is the exact same date as which appears on the final certificate. That means that LRQA finished the audit, had it internally reviewed, closed all nonconformities and prepared the certificate on the same day — which would be a miracle — or they back-dated it. If they did back-date it, that’s fine, but it’s still remarkable: Mueller wrote on November 21st about the auditing having been completed, so assuming he wrote on exactly the date when the cert was issued, LRQA used 21 days to accomplish all that. Seems hardly likely they would have cited Hoerbiger with a major nonconformance over the counterfeit, and potentially illegal, certificate distribution, and have closed it and issued the cert in just 21 days. Something stinks.

In the hopes that cooler heads prevail, we’ve demanded that both Mueller and Ives recuse themselves, as they are named in the complaint. ISO 17021 prohibits those names in a complaint from taking part in its response. We’ve removed all the references to the previous article, meeting LRQA’s original demands, so if they are intent on suing they will have to come up with an entirely new argument.

On the BSI front, there’s no response yet. Time’s ticking; it’s nearing two weeks without the formal confirmation we were promised. Not a good sign.

Jan. 24, 2014

I contacted Jim Harrison at LRQA’s Legal Department in the UK, and made him aware that no one can honor an anonymous legal threat sent by email. Today I received a signed copy of the previously Slenderman-authored demand, now signed by LRQA’s EMEA Business Manager Denis Ives. Unfortunately, Mr. Ives just doubled-down on the legal chain-rattling, rather than explain the glaring differences between his account and that of LRQA’s Bjoern Mueller.

For now I’ve taken down the original report, while we look it over and edit it with the latest information. Suffice to say, the new article will now make sure to report the fact that LRQA responded to this complaint with a lawsuit threat. Not sure how that is better for their PR than merely fixing this mess, but that’s up to them to figure out.

Let me clear. My view on lawsuit threats has always been bring it on. To date, we’ve had 11 threats and defeated them all before any reached court. But there’s also a sense of doing what’s right. If our reporting doesn’t reflect the facts, it has to be corrected. Unfortunately for LRQA, that doesn’t mean they get a free pass. The new reporting might well end up making them look worse, especially given Mr. Ives’ ill-advised penchant for committing public relations suicide.

Meanwhile, our investigation into the counterfeit certificate continues. LRQA was notified of the fake cert as early as August 2013, they conducted some form of audit on Hungary thereafter in October, but never apparently cited the Hungarian office with false use of logo, per ISO 17021 clause 8.4.3. If they did, they only issued a minor nonconformance that did not hamper the company’s certification status. Then LRQA was notified by a Hoerbiger customer again, in November 2013, and asked how it could have issued a cert to a company it claimed was in posession of a counterfeit certificate, but a reasonable answer was never given. This may shift the story to one of “did LRQA certify a company it never audited,” to “why doesn’t LRQA care if companies circulate counterfeit certificates under their name?”

All for an issue that LRQA should have just fixed when it was first reported by the supply chain.

Jan. 22, 2014

LRQA has responded to the complaint by threatening Oxebridge with a lawsuit. I’ll have more on that shortly, as we work it out, but that’s the essence of it. In their response they show certificates for Hoerbiger that they say are totally legitimate, and claim that the earlier one we presented “did not originate with LRQA.” This seems to contradict LRQA’s own Bjoern Mueller, who wrote that they did an investigation, conducted an audit, and only then were the certificates “now valid.”

So why do we have to wait to figure this out? Because LRQA sent their response from an anonymous internal email address (“enquiries@LRQA.com”) and didn’t sign it. Even the attachment, threatening the lawsuit, wasn’t signed.

I’ve told LRQA we are more than willing to update the reporting with the latest data, but that we have to get a formal request from a real human being, not some shadowy anonymous figure. I quoted some ISO 17021 clauses just in case.

More as this develops. In the meantime, read LRQA’s anonymous response here. (PDF)

Jan. 18, 2014:

It wasn’t made clear in the original post, but the LRQA complaint was sent to Bjoern Mueller, the General Manager of LRQA’s Central Europe Area, on January 15th. We haven’t gotten a confirmation of receipt yet.

However, in the first piece of weirdness, I did get a blank email from Simon Batters, VP Business Development of LRQA’s Hong Kong office. It had no message in the body nor subject line, and only Mr. Batters’ signature line. I responded asking if he meant to send something, but haven’t heard back. This does, however, seem to indicate that LRQA is snooping around.

On the BSI front, the complaint was sent to Natalie Bennett, EMEA Regulatory Systems Manager, Compliance & Risk from the BSI UK office, who was very quick to reply and tell me that a formal confirmation would be coming soon. 

A friend of mine recently spoke with a high ranking ANAB official (they didn’t mention the name, so I don’t know who) and they told me that ANAB is aware of BSI’s Entropy™ software, and — according to my friend — “they do not consider it consulting  and a conflict of interest.” Of course this would be true, since it would be nearly impossible for BSI to roll out a massive product offering, with all its associated marketing, like Entropy™ without ANAB knowing about it. The problem is ANAB’s impossibly lax interpretation of what constitutes consulting, especially when compared to its tightly restrictive view on what constitutes certificate-issuing by consultants. The equation is grossly tilted in the favor of CB’s: they are allowed to consult, but consultants are not allowed to issue certs. In an ideal world, ANAB would be completely independent, and agree that BOTH scenarios are to be equally discouraged, but the CB’s pay ANAB, so they themselves are embedded in a conflict of interest. Consultants don’t pay ANAB a dime.

The BSI marketing materials, including their damning YouTube videos, show without a doubt, that Entropy™ is being used to craft the management systems. The marketing language is explicit in this. But, because of the huge investment on their part, I expect BSI to punt on this one, and for the issue to be escalated to UKAS. (We won’t go to ANAB, since they’ve telegraphed their response already, unless pushed to do so by UKAS.) While I fully expect UKAS to have the same pro-CB view, maybe they will surprise us all. 

If the AB’s fail to act, the IAF isn’t likely to be a helpful final step. After all, we remember that last decision they came up with.

Jan. 16, 2014:

As readers may know, Oxebridge recently filed two simultaneous, albeit unrelated, complaints against ISO 9001 certification bodies (CBs) Lloyds Register and BSI. What a way to start 2014, eh?

The Lloyd’s complaint alleges that it certified a facility in Hungary it never actually audited; the BSI complaint alleges that BSI is offering simultaneous consulting and certification services, against ISO 17021 rules.

Now I’ve done this lots of times, and the process is never smooth, never without drama, and never without a dramatic crescendo that ends is a sudden-thump, less than satisfying climax. Imagine watching a Michael Bay film with the last reel cut out, and you get the picture. But so many people have written me recently saying they hadn’t seen anyone file a complaint against a CB before, and how this was somehow heroic. It’s not. It’s everyone’s right, codified right in ISO 17021, and the entire thing should be a dull, paperwork driven process with a conclusion that feels satisfactory.

But if this is anything like the last few I’ve filed, it will have some unexpected fireworks, melodramatic skullduggery, resolving with a whimper.

Here’s probably how it will play out, not necessarily in this sequence:

  • The CB’s will attempt to resolve this over the phone, or through emails, rather than their documented CAPA systems. This, they think, will prevent the ABs from knowing about it. I won’t allow it.
  • The CBs will re-write the complaint in a way that makes it easier to answer, leaving out critical points. I won’t allow it.
  • Someone in the CB will get personally offended and do something stupid. I mean career-ending stupid, like make a threatening phone call, send a bogus lawsuit threat, “blacklist” Oxebridge or post a fake, anonymous Ripoff Report story about Oxebridge (oh wait, too late!)
  • Oxebridge will escalate the problem to the AB, adding in the stupid thing the CB rep did.
  • The AB (UKAS or ANAB) will re-write the complaint to a single paragraph, stripping out nearly all the details and problems, and then suddenly claim the problem was solved through their 24-hour investigation. No proof will be offered, and any interpretations the ABs will provide will glaringly contradict with the actual language of ISO 17021, but will be upheld anyway. The ABs will curiously side with the CBs, although offer some language that gives the impression that the CB will be held accountable in the future.
  • The AB’s response will ignore the stupid thing the CB rep did entirely, even if its criminal.
  • There won’t be any evidence that the complaint ever existed, either in the CB’s CAPA program on in the AB database of complaints. If the AB does list it, it will be stripped of any meaning to be pointless.
  • Everything will continue as before.

So that everyone can enjoy this pleasantry, and to keep an ongoing record of how CB complaints evolve into the meaningless, ethereal mist that seems their inevitable fate, I thought I’d provide regular updates on the progress of each complaint in this post. I will update it regularly.

Stay tuned.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


Traditional Tri-System