Oxebridge may have started as an ISO 9001 consulting company, but in recent years I’ve pushed us deeper into consulting for ISO certification and accreditation bodies. The years of late nights with my nose stuck in ISO 17011 and ISO 17021 (and their much older “ISO Guide” ancestors) in order to support clients against bad-acting certification bodies have yielded unexpected benefits: an understanding of these obscure texts in great detail.

There’s one question I always ask organizations who are looking to get into the CB/AB/3PAO game before they even begin. First, remember that certification bodies (CBs) certify things, and the accreditation bodies (ABs) then accredit those CBs to make the whole thing operate with some level of legitimacy. And by “legitimacy” we mean to reduce fraud. Despite the protestations by CBs and ABs to the opposite, fraud prevention was the entire purpose of the “accreditation pyramid.”

Before ISO certifications were a thing, companies would self-attest — typically to government customers — that their quality was great, and their quality systems totally fine. Later, governments would find out that the companies were lying. This often came too late, after defective products were delivered and wound up on battlefields where soldiers discovered their bombs were “duds” or, worse, blew up their own guys.

A system of auditing was set up, originally by government inspectors and later by third-party certification bodies, because companies couldn’t be trusted with self-attestation. An entire industry sprang up overnight, with auditors, trainers, consultants, CBs and ABs. The International Accreditation Forum (IAF) emerged after ISO itself abandoned a plan for it to oversee the accreditation scheme.

(Those paying attention to CMMC should notice how history is repeating itself.)

But the structure is built by private companies engaged in selling products and services. Despite many being “not-for-profit” organizations, they are still primarily involved in selling something; the only difference is where the money eventually ends up (to shareholders, or to the salaries of non-profit executives). This injection of money brings with it conflicts of interest and corruption, the very thing the scheme was originally intended to root out. Now, instead of companies falsely attesting to their own compliance, they hire third parties who falsely attest to their clients’ compliance.

This must be fixed, and it requires a change in mindset by the CBs and ABs.

So the question I ask each of them up front? It is: do you have the fortitude to de-certify a client?

De-certification — or, in the case of ABs, de-accreditation — is the most important power a CB or AB has. Anyone can certify someone because giving good news is easy and makes us feel nice. The real trouble comes from giving bad news, such as denying certification or accreditation; no one feels good about it.

Worse, de-certification risks loss of the client, and thus loss of revenue. As a result, CBs and ABs are trapped issuing certificates to companies engaged in outright criminal practices — like heroin smuggling, human trafficking, or bribery — because denying them certification could put a dent in the books.

This doesn’t mean that new CBs or ABs should mimic the aging dinosaurs who are rapidly steering their reputations off the cliff, however.

The Three Powers

CBs and ABs have three specific powers when it comes to de-certification: suspension, withdrawal, or denial.

“Suspension” refers to the temporary lifting of a certification or accreditation. It’s supposed to be invoked when a company isn’t responding properly to audit nonconformities, thus bringing into question if the resulting management system functions effectively. (Public records, however, show the majority of suspensions come from an organization not paying their CB or AB bill on time; as soon as the bill is paid, the suspension is lifted.) As soon as the original problem is cured, the suspension is lifted, and certification/accreditation resumes normally. Suspension is sort of a “first warning” to a company that further action may be needed to prevent the next step.

That next step is “withdrawal.” In this case, the CB or AB permanently withdraws the certification or accreditation, typically after a failure to resolve whatever may have caused an active suspension. Rarely, a withdrawal may happen without an initial suspension, such as when the organization is proven to be involved in some dramatic violation or scandal. As you might suspect, withdrawals are very, very rare; again, the few records we have available show that the primary reason for this is the organization refusing to pay a CB/AB bill. A less common reason is when an organization is caught using the CB/AB’s logo or mark illegally.

Under a withdrawal, the only way for an organization to regain its certification or accreditation is to start from scratch. That can be costly.

The final power is “denial.” In this case, the CB/AB can deny certification/accreditation outright. This would only apply to companies approaching them for the first time. This presumes that during initial auditing, the findings were so egregious that the CB/AB recognizes that granting certification would be a wholesale violation of the rules. The truth is, however, that financial pressures make this very, very difficult. From the CB/AB perspective, they want to “lock” a new client into a multi-year contract, and kicking them off at the very first audit pretty much shuts down that opportunity. The bigger the client, the more pressure the CB/AB auditors are under to “make sure the client passes,” with the dirty secret being that CB/AB sales reps tell their auditors “we can address findings down the road,” at later audits. “Just get them on the books first.”

Do You Have the Stomach For This?

And so I ask my CB/AB clients if they have the stomach for this. Will they become the next BSI or Bureau Veritas and spit out certificates to anyone who can pay, ignoring all ethics and enabling international crimes? Or will they help move the scheme forward, past these corrupt practices, and try to make the world a better place?

For those that say they want to do the right thing, we then put in place strict procedures on how and when the Three Powers will be invoked, and how any deviation from those rules would require some form of independent approval. In short, the VP of Business Development is hobbled, and cannot override the evidence-based decisions of the body’s audit team.

Next, we minimize “opportunities for improvement.” Yes, I know they are technically allowed, but a strict reading of ISO 17011 or ISO 17021 shows that the language allowing “OFIs” is in contradiction to the language prohibiting the CB/AB from offering “specific solutions.” If ISO were ever sued on this, they’d likely be forced to resolve this conflict. (ISO is “superlegal,” however, and not subject to any legal oversight, so that won’t happen.) By taking a proactive position and limiting — if not outright disallowing — OFIs, a CB/AB can dramatically reduce conflicts of interest that later complicate decisions related to their Three Powers. If the client is consistently taking your OFI “advice,” you find you have a harder time later de-certifying them without making yourself look like part of the problem.

No matter if you use a consulting company to help implement your ISO 17011 or ISO 17021 system, you must ask yourself the most important question you will face: do you have the fortitude to de-certify a client?

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
