Since it was first released, ISO 9001 has been touted as a tool that would drive a company’s senior management to care about quality. Every subsequent revision has been met with an avalanche of cries from ISO and its various volunteer spokespeople that this time — finally! — the standard will force management to take responsibility for quality. This perpetual mythology ignores the fact that clauses regarding management responsibility have been in the standard since the beginning, and the changes over 30 years have been largely over wordsmithing and burdening ISO 9001 with an ever-growing list of what are, essentially, gripes about management.
Let’s start by looking at the wordsmithing aspect. Below is a table showing how management has been referred to, by name, in all the versions of ISO 9001 since it was published.
What we see from that simple exercise is that since the very beginning, management was clearly defined, and in many ways the first 1994 term “management with executive responsibility” was far less ambiguous than the current phrase “top management.”
Now let’s do the same with the titles of the clauses related to “top management”:
Here we see, clearly, that ISO has only “refreshed” the words used, with little contextual differences. “Management” became “Leadership,” and “responsibility” became “commitment.” Poets and the leather-elbow crowd will argue the changes are significant, but in the context of a standard designed for third-party assessment and certification, they are largely meaningless since “responsibility” is no more verifiable than “commitment.” They’re all just fluff words that can’t be audited.
For certain the number of words dedicated to “management” has increased. Much of this is due to the mushrooming size of the ISO 9001 standard itself, a trick perpetrated by ISO to inflate the cover price of the standard, since ISO calculates prices by page count. If we temporarily cut ISO some slack on that point, we nevertheless see that references to management have increased. The 1987 and 1994 versions had about 200 words dedicated to management’s responsibilities, if we include the clauses on management review and management representative. The 2000 and 2008 versions increased this to just under 300 words. The 2015 edition now falls in at just under 500 words.
But even this is an illusion. In fact, the latest 2015 edition mentions management directly only seven times, whereas the previous 2000/2008 edition mentioned management eleven times. So references to management are actually decreasing over time, not increasing.
Examining Actual Words on Paper
What has led some to believe ISO’s marketing spin that 9001 finally — finally! — tackles top management, is that the clause on management responsibility has ballooned into a massive bullet-list of traditional middle management gripes against their bosses, one which would take up multiple PowerPoint slides if you tried to project them on a wall, unless you used a 6 point Arial Narrow font. This next graphic shows how the number of words used in the management responsibility clause and the management representative clause have grown over time:This appears, at first glance, to be a significant change … right? However, if we analyze the bullet points line-by-line and compare against each revision, we find instead that the basic requirements remained largely the same, and ISO simply used longer sentences to describe the same, exact requirements. This next illustration shows how the identical concepts simply were reworded from the 1987 standard (shown in blue); and the how a few of the additional 2000 clauses (in green) were simply morphed over to the 2015 edition. Only the non-highlighted portions of the 2015 edition are “new” requirements related to management:
a) taking accountability for the effectiveness of the quality management system;
This is new language — “accountability” never appeared in the standard before — but is largely just a rephrasing of old language that required management to take “responsibility” for the QMS. Some would argue “accountability” is a bit more stronger a term, but once again, it’s entirely unauditable and therefore has no effective place in a standard intended for third-party certification. How can an auditor determine if management is “accountable” or not? How would they justify writing a nonconformity if they felt the management was not accountable? What objective, verifiable evidence could they generate to support such a finding? If a clause can’t be audited, then it exists only as fluff in the standard, and is not an actual requirement.
c) ensuring the integration of the quality management system requirements into the organization’s business processes;
This new reference to “business processes” was highly contested during the ISO 9001 drafting periods, as two camps formed in ISO TC 176: disgruntled ex-quality managers (now consultants or CB reps) who were using their role on TC 176 to spitefully force quality management into the c-suite, and the other camp a more reasoned group that realized that a quality management system is not a “business management system,” and that TC 176 had not authority to invade other aspects of a company’s business, such as finance or accounting. Nevertheless, the first camp won out, and the disgruntled managers got their words on paper, but again, they are entirely un-enforceable, and contradict the scope definition which appears in clause 1 of the ISO 9001:2015 standard itself; that clause indicates ISO 9001 is only to be used to develop a QMS that produces products or services that meet customer requirements, and which conform to customer, statutory and regulatory requirements; that’s a far more limited scope than the “business management system” the authors are hinting at. So bullet point (c) was a political edit only, aimed to satisfy disgruntled ex-quality managers, while (again) not including any actual requirements that can be assessed by a third party.
d) promoting the use of the process approach and risk-based thinking;
Here the new requirement repeats a previous requirement — to implement the process approach — so that part of the clause isn’t new, but then the authors bolt on “risk-based thinking” alongside it. This is another curious clause in that risk-based thinking is mentioned nowhere in the standard’s requirements at all, other than this clause, so the clause is essentially asking management to enforce something that doesn’t appear in the requirements. Instead, “risk-based thinking” appears only in the introductory text of ISO 9001, which does not include any actual requirements, and which is itself merely a somewhat deceptive attempt to rewrite history by making the concept of risk-based thinking appear to be derived from Deming. (That’s a whole other story, and you’ll have to read my book to understand the full depth of that one.) This was another cynical add-on, an attempt by ISO to enforce compliance with a thing they totally made up out of thin air (risk-based thinking) in order to give it some authority. But you can’t “promote” something that doesn’t exist, and you certainly can’t audit whether the company does it or not. This is akin to demanding management promote “dream-based wish management” or “rapid response ethereal plane transmission.” Good luck with that.
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
This clause perhaps provides the most meaningful change, although it’s still dilute: the words “engaging, directing and supporting” are new, but again struggle from being largely unauditable. It also invites middle managers to use the ISO 9001 audit as a platform for complaining about their bosses, a phenomenon that any seasoned auditor or consultant sees on a regular basis, and which is never healthy. In every company, there’s someone who thinks if they can sink the ISO 9001 audit, they will send a message to management about how effed-up the company is, and then they will finally be taken seriously. This clause panders to that paranoia, but at least it appears to mean well. Unlike the other clauses, there exists a tiny possibility that an auditor could write a valid nonconformity against the clause, if he or she found consistent evidence of the QMS failing to meet goals due to top management actions which cripple the staff; but it’s rare, and unlikely.
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
This, again, is a pie-in-the-sky, feel-good sentence that really can never be verified one way or the other, and invites the auditee to use the audit as a gripe session. It demands that management support other people’s leadership, but the standard doesn’t define “leadership” anywhere, so it’s not clear what they are asking. Again, this is another sentence that was added to expand the bullet list, but which doesn’t include an actual auditable requirement.
So, if we’re being gracious, only bullet point (h) “engaging, directing and supporting persons to contribute to the effectiveness of the QMS” has any aspect to it which could be audited, and only under very rare conditions. The other “new” requirements are not requirements at all, but merely amorphous platitudes. Which means, these clauses have barely changed since the original 1987 version, despite the weed-like growth of the number of words.
We also see the role of management representative has expanded over time, too. This morphed the most under ISO 9001:2015, when TC 176 finally realized it violated ISO rules on prescribing that a company should only have one representative of the QMS; why not two? What if the company has ten plants spread out across the world? It never made sense, and the new revision fixed this error. But other than the change from prescribing a single management rep, to letting top management delegate it as appropriate, what else changed?
Primarily, we again see the word count expanding. ISO 9001:1987 used only 31 words to define the MR’s duties, which then expanded to 92 words (including a note) and finally to 109 words in the 2015 edition. In reality, however, only a single new responsibility was added:
e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.
This is keeping with the ISO 9001:2015 standard’s new emphasis on change management, which is a welcome addition, but most of which impacts on top management not at all; the actual clause on control of changes, 6.3, doesn’t mention management even in passing.
This latter point is where ISO 9001:2015 failed: in every place you’d expect to see some mention of top management — especially given ISO’s breathless insistence that this time, finally!, they are getting the c-suite on board — you don’t see management mentioned at all. When it comes to resources (clause 7.1), the resources simply and magically appear and are maintained. Communication (7.4), awareness (7.3) and even documents all exist without any management input whatsoever, if ISO 9001:2015 is to be believed.
In fact, this is just a result of the writing process used by TC 176. When drafting the standard, they split up into groups which tackle separate clauses. As a result, the “voice” and language of clauses differ from one section to another, and ISO doesn’t employ a single, final editor to make the end product homogeneous. So while the team that wrote clause 5 stressed management, the teams that wrote all the other clauses (4, and 6 through 10) didn’t think that maybe they should insist management be involved. In the real world, however, top management is already engaged in nearly every aspect of a QMS, but the cynical, paranoid middle-manager rejects at TC 176 don’t see it that way; the fact that they symbolically relegated top management to the ivory tower of clause 5, and didn’t embed them throughout the standard, shows how prehistoric their thinking is, and how they created the exact scenario they whine about: management’s alienation from the QMS.
Dutiful Dupes Duping Dupes Dutifully
Of course, the ISO hype machine ignores the actual text and literal truth of what’s on paper, in exchange for using its massive marketing machine — with the support of ASQ, CQI and a host of other easily-duped international players — to fabricate nonsense and fool people that there’s meat where there’s actually just an air-on-white-bread sandwich. The first edition of ISO 9001:1987 was intended to be a contractual tool to be used between a company and its suppliers, and having a single point of contact was important back then. In 1994, though, ISO realized that limiting the standard for use only as a contract tool would hurt sales, so they revamped the scope and insisted that anyone could use it, even if their customers didn’t demand it. Clever.
And at the same time, ISO’s marketing efforts began to dip their feet in the pool of hyperbole. Only one year later, dutiful ISO droogs began imagining that this time — finally! — the ISO 9001 standard addressed top management. In June of 1995, Italian consultant M.E. Donowa wrote, in Medical Device Technology:
The role and responsibility of management in implementing and maintaining a quality system is one of the most important elements of [ISO] 9001. Unless top management recognizes its quality-related responsibilities, it is virtually impossible for all levels of a company to implement and maintain a successful quality system. This article will discuss the management responsibility provisions of the 1994 quality system standards and point out the modifications that were made to the previous version of the standard.
And so began what is now a decades-long tradition of lying to folks, telling them that each iteration of ISO 9001 improves management’s role, even if the words on paper don’t reflect this one whit. For the 2000 release, the usual suspects howled at how finally — finally! — ISO 9001 was going to get “top management’s” attention. Back in March of 2000, former TAG 176 members Jeanne Ketola and Kathy Roberts wrote an article for Quality Digest that the standard now shifted overall responsibility from “quality assurance to top management” even though — as we’ve seen — it did nothing of the sort:
Management responsibility takes on a new dimension with the proposed revisions in the draft international standard (DIS) of ISO 9001:2000. One key criticism of ISO 9001’s previous versions has been that management had a minimal role that didn’t require them to move beyond maintenance into the improvement arena. In fact, the 1994 version of ISO 9001 is often viewed as a foundation only and isn’t considered a vehicle for moving a company to world-class status. ISO 9001:2000 is designed to transfer the responsibility for the quality management system from quality assurance to top management.
In a subsequent QD article published in October of that same year, Ketola and Roberts emphasized the point yet again, saying, “Top management will be required to take a more active role in the quality management system.” In both cases, the authors simply ignored the similar language of the previous 1987 and 1994 editions, and attempted to rewrite history.
So continued this meme right up until 2007, when Thomas Cutler wrote another article in Quality Digest, nearly plagiarizing the earlier Ketola and Roberts piece:
Responsibility for the quality management system has now shifted from the quality assurance department to top management.
Permanent furniture stalwarts like Jack West and Charles Cianfrani chimed it, too, of course:
For every dimension of the QMS there should be a leadership presence assuring that all internal and external processes are being structured and operated in a way that maximizes internal productivity and external customer satisfaction.
One would imagine, from all this heavy breathing, that no ISO 9001 version had ever mentioned top management before. Since most readers hadn’t compared previous editions line-by-line, they just believed whatever they were told, and history was rewritten.
The 2008 edition was only an “amendment” and made minor changes to language and formatting, so nothing was changed relative to management responsibilities. As a result, history remained rewritten until such time as it needed to be rewritten yet again, when ISO announced it was changing the standard one more time for 2015.
Ignoring all the previous times the usual suspect said the same exact thing, over and over, the same usual suspects said the same exact thing one more time, insisting that this time — finally! — ISO 9001 had gotten top management’s attention.
CQI’s Andrew Holt insists, “In ISO 9001:2015 Clause 5, previously ‘Management Responsibility’, now becomes ‘Leadership’, which is perhaps the most significant change contained within the standard.”
The always-terrible Chad Kymal of Omnex hits the nitro boost button on his hyperbole racer, saying (in Quality Digest of course), “Top management might be surprised to learn that the standards hold them accountable for the effectiveness of the QMS. This expanding role in management system accountability is considered by some to be the biggest change in the standards, and the biggest challenge for compliance.” To Kymal, the idea that top management should be responsible for managing is a shocker. Presumably, up to this point in human civilization, top management thought it was responsible for changing the coffee filters in the break room.
BSI just makes up shit to sell a training course that promises to teach students “the new role of Leadership and Management in ISO 9001:2015,” and “the role of Leaders in the new age of Management Systems.” Notice the word “new” appearing a lot; apparently back in 2014, companies didn’t have managers, and operated on a mix of fairy dust and coal fumes.
ASQ, which seems to exist solely to convince the world that TC 176’s Jack West is somehow relevant in the profession, allowed West to make the same made-up arguments.
The requirements for leadership in ISO 9001:2015 have been enhanced from earlier editions of the standard. These enhancements include:
- Expansion of the specific requirements.
- Requirement of policy and objectives to be compatible with strategic direction.
- Expansion of the requirements (communicated, understood and applied) related to quality policy.
- Integration of the QMS into business processes.
- Active participation in management review.
The list of top management responsibilities in clause 5.1.1 provides a lot of opportunity for quality professionals to enhance processes by getting direct involvement of top managers. Quality professionals must take ownership of this to ensure top management is constructively engaged in the development and deployment of the QMS.
Read that last paragraph again, because it’s just bizarre. West says that that while top management must be “constructively engaged in the development and deployment of the QMS,” it’s the “quality professionals” that “must take ownership of this to ensure” the bosses do their job. So in the West version of reality, it’s management’s responsibility, but it’s quality’s responsibility to ensure management’s responsibility. Got it? Again, if you read this from the point of view of a former middle-manager who obviously had an axe to grind with his top brass, it starts to make sense; West is the archetypal pissed-off quality guy who thinks he has all the answers, and is irritated the bosses don’t invite him to meetings.
One guy — one! — seems to get it. Mark Hammar of Advisera wrote:
In many ways, the leadership requirements in the draft version of the 2015 update to ISO 9001 are not new. ISO 9001 has always had the leadership importance of top management as one of the seven quality management principles that form the basis of the standard… Most of these requirements are very close or identical to those covered in the current version of the standard under the management responsibility requirements.
Hammar is right, the new standard doesn’t present much “new” related to top management. Where the changes exist, these are just a growing list of tacked-on grievances by former middle managers who are still pissed at the bosses they had when they previously worked in a corporate setting. Unfortunately, many ISO users are in that situation now, feeling underappreciated as they are buried in a Quality Assurance department somewhere, and so this meme that ISO 9001 will save them resonates.
It doesn’t make it true, though.