Surviving ISO 9001 in the Age of Scandal

If you’re a reader of the Oxebridge website, you must be conflicted and possibly confused. If you’re new to the ISO 9001 or AS9100 scheme, and just found Oxebridge, then you’re probably wondering why a consultancy like Oxebridge would be consistently publishing news reports and commentary on the scandals which threaten to destroy the entire certification scheme If, on the other hand, you’re a seasoned user of the standards, you might be so overwhelmed with the torrent of bad news that you want to throw in the towel.

So let’s unpack this together.

As I’ve written in the opening pages of my book Surviving ISO 9001:2015, the ISO 9001 scheme started with a Grand Promise. It would accomplish two things simultaneously, with the intent of improving trade between companies: first, it would provide a common, basic blueprint for what a quality system should look like, and second, certification would do away with costly and redundant customer quality system audits. As I wrote, ISO has failed in both these endeavors, having let the standard’s content be developed by private consultants who personally benefit from making ISO 9001 as confusing as possible, and by allowing the IAF accreditation pyramid to turn into a… well, massive international pyramid scheme. Customer audits are on the rise once again, and companies involved in deadly accidents and product failures are often found sporting ISO 9001 certificates both before and after their scandals.

The IAF scheme has failed utterly, and may now be responsible for a massive, international abuse of government funds from many of the world’s nations, including the United States. Through ISO’s relationship with ANSI, the US Dept. of Defense has been told that IAF-supported certificates mean enough to ensure the quality of products and services so that Federal contracts should include such certifications as requirements for bidding companies. That has been proven over and over as a complete falsehood. We have seen IAF certificates at the heart of national disasters such as the Deepwater Horizon explosion and the Space Shuttle Columbia disaster. We have seen these certificates issued to the companies involved in the release of deadly products, such as Takata airbags and defective PIP breast implants. We have seen the IAF logo slathered on companies responsible for massive fraud, such as the VW emissions scandal and Kobe steel inspection falsifications. The Dept. of Defense itself has debunked the value of such certifications, finding dozens of major AS9100 nonconformities at companies certified by NSF-ISR, NQA, Bureau Veritas and SAI Global, and then watched as those registrars continued to certify the offending clients even after the DOD’s reports were published.

We have watched as officials within ISO, ANSI, IAF, ANAB and UKAS twist and lie to support their self-invented certification scheme. We have watched them ignore violations of laws, both domestic and international. And we have watched their agents engage in defamation, harassment, threats and intimidation against critics, including Oxebridge.

We’ve reported here that the “transition deadlines” cooked up by ISO and the IAF are entirely arbitrary, designed to sell standards and audits, and have no basis in either industry need nor fact. We’ve reported here how the ISO author committees intentionally falsify the industry classification of their members to hide the dominance by private consultants, who personally benefit by making ISO standards as complex as possible in order to sell “deciphering” consulting services later.

We’ve also watched as our industry press, led by Quality Progress, Quality Digest, Quality Magazine and others, refuse to report on these problems, reserving precious column inches instead for official ISO press releases or fluff pieces written by consultants and ISO apologists.

But what happens if you still want to pursue ISO 9001? If you still believe in the Grand Promise?

The situation can be fixed. The solution is complex, as it has a number of moving parts with a host of organizations involved. The short version looks something like this:

• ISO must work to enforce the procedures it currently to break the control of private consultants and registrars, such as BSI, in the standards development process.
• Registrars must be held accountable for certifying companies that are not actually in compliance with the standards.
• Registrars must cease all consulting activities and any partnerships with private consultancies.
• Accreditation bodies such as UKAS and ANAB must change their cultures so they begin to enforce the accreditation rules, per their mandate, and de-accredited registrars who fail to comply.
• The IAF must enforce accreditation rules by de-listing any accreditation body that fails to enforce the rules on their registrars.
• Long term: A universal “pool” structure must be developed which assigns registrars to clients rather than letting clients select their auditors; clients would pay the pool, rather than the registrar, thus breaking the “pay your traffic cop” conflict of interest.
• Each level of the scheme — ISO, the IAF, the accreditation bodies and the certification bodies — must have an independent Ombudsman which seeks out stakeholder feedback, processes complaints, and publishes a semi-annual report on the body’s performance.
• Auditor training must be dramatically improved, with courses on auditing at least doubled in length, with registrars forced to hold auditor training sessions even for their subcontract auditors.
• User groups must start to explore class action lawsuits against the certification and accreditation bodies, for rampant corruption, breaches of contract, tortious interference in trade, and wholesale malpractice.

But that’s all theoretical. Much of it is unlikely to happen.

So how do you survive ISO 9001 in this age of scandal? What if your customers are demanding you get certified and you are compelled to comply?

First, you must recognize that third-party certification is currently meaningless, with one exception: it satisfies those customers who want a lazy way to put you on their approved supplier list. They want to see the certificate, so use the registrars to get the certificate. Forget all their claims of “adding value” and “improving your business.” The registrars are not qualified nor even allowed to do any of that, and it’s meaningless marketing fluff. Implement your system, and get certified, if only to keep your customers happy. That’s it.

Once you’ve dropped all illusions about your registrar, you can get to the real work of improving your QMS for you. ISO 9001 and AS9100 provide basic skeletons of what a QMS should look like, and not much else; in modern times, the latest versions are not even particularly good at that. But it’s a start.

Once you’ve implemented the structure, focus on the key points that will improve your company, your processes, and your products or services. These are the ISO/AS requirements related to process management (4.4) and corrective action (10.2). I’m going to go one further and suggest you put back in the preventive action requirements of the older versions (ISO 9001:2008 and AS9100 Rev C), since taking it out was a bad idea that will end up getting people killed.

If you focus on managing your processes, your products and services will improve. If you use formal methods of corrective action response, your processes will improve. If you engage in robust and progressive preventive action — and not that garbage risk-based thinking mumbo-jumbo — your entire QMS will improve.

Use the best elements of ISO 9001 and AS9100, and focus on those. Don’t ignore the other clauses of the standards; keep yourself in broad compliance with them so you can survive audits and keep the cert on the wall for your customers, but focus on those three: corrective action, preventive action and process management.

This simple approach will save you tremendous headaches, and you can start to glean value out of your otherwise toxic ISO 9001 or AS9100 certification.

No other consulting firm will tell you this. No other firm will lay its money on the line to support end users by fighting the bad actors in court, pressing for reform, and asking uncomfortable questions of the incumbent authorities. No one but Oxebridge. This is not grandstanding; it has the benefit of being true because our profession is so lacking in leadership and courage, that it allows a tiny US-based consulting firm from Tampa to rise up as its de facto watchdog.

We can survive ISO 9001 in the age of scandal. Let’s do it together.