Readers of this site see on a weekly basis, if not daily, how companies retain their ISO X001* certifications despite huge scandals, product recalls, criminal arrests and even consumer deaths. There seems to be no limit to how badly an ISO certified company can act and still retain a certificate that boldly claims they have a fully-compliant management system that has been attested to by an objective third party. We know it’s hogwash, but why do they do it?
Like most things, we have to follow the money. When ISO 9001 was being dreamed up in the 1980s, it was pitched as a replacement to endless customer “2nd party” audits. In those days, companies underwent individual audits by each major customer, which seemed redundant and wasteful. BSI — and soon ISO — promised that creating both an auditable standard and accredited auditing scheme would do away with the need for redundant 2nd party audits, and replace them with a single annual 3rd party audit. The third party would be accredited, trusted, and valued, making 2nd party audits extinct. BSI, of course, wanted that to be itself, but soon yielded to international competition, and threw its lot in with ISO and the rest. (That’s a whole other story, for another day.)
ISO pitched the idea to the World Trade Organization, who had the power to scuttle their plans before they even launched. And WTO was rightfully skeptical. They saw this as a possible barrier to trade, but ISO promised on bended knee that this would not be the case. When ISO 9001 and ISO 14001 were launched in the late 1980s, the WTO grew more concerned. A decade later, it finally called ISO to testify. ISO was asked specifically what assurances it could give that they had not created a complicated, unnecessary bureaucracy that could have “potential negative effects on competition and market access.”
Sensing its own blood in the water, ISO had a plan. In response, ISO told the WTO that it would create an over-arching accreditation body called “QSAR” (Quality Assessment Recognition System), run by ISO itself, to manage the resulting registrar bodies, accreditation bodies and audit activities. According to official minutes of a WTO meeting in 1996:
[The ISO representative] said that the ISO General Assembly had approved the following principles to be followed for its establishment: (i) openness to all accreditation bodies worldwide; (ii) autonomous peer evaluation among accreditation bodies; (iii) uniform assessment criteria and procedures for all branches of certification bodies, using ISO, IEC or ISO/IEC consensus documents; (iv) financial autonomy vis-à-vis other ISO and IEC programmes; (v) avoidance of conflict of interest in assessment functions; (vi) use of the ISO/IEC QSAR logo to signify worldwide recognition; and (vii) balance of the ISO/IEC QSAR Board among accreditation bodies, certification/registration bodies, suppliers and purchasers. It had been decided by the ISO Council to form the QSAR Board at the beginning of 1996. The Board would consist of a Chairman and twelve Members, three representatives from each of the following groups: accreditation bodies, certification/registration bodies, suppliers, and purchasers.
WTO was satisfied.
But ISO lied. They immediately scrapped the QSAR concept, bending to pressure from UKAS and the US accreditation body RAB (now called ANAB.) UKAS and RAB argued that they didn’t need oversight from ISO, and ISO was more than willing to drop the idea, fearing legal liability if they were involved at all in certification activities. So ISO returned to book publishing, and let UKAS and RAB, along with some European accreditation bodies, form their self-management organization, the International Accreditation Forum (IAF). There would be no independent oversight at all, despite their promises to WTO.
For decades, RAB/ANAB controlled the IAF, using it as merely an extension of its own operations, and only to lose it in recent years when IAF Chair Randy Dougherty handed his seat over to Xiao Jianhua of ANAB’s Chinese counterpart. Xiao has handily taken control away from ANAB, and is already steering the organization to support Chinese national goals and the promotion of the country’s “Made in China 2025” initiative.
But have no doubt: prior to Xiao, ANAB ran IAF, which itself was a massive conflict of interest.
With the idea of a truly independent overseer disabled before the system could even be set up, the course was doomed from the start. IAF could never really enforce any rules on Accreditation Bodies, lest RAB/ANAB be sued in US courts for anticompetitive behavior or, worse, cause the US to face sanctions from the WTO itself. So a decades-long system of wink-wink-say-no-more “peer audits” was allowed, without the oversight promised by the original QSAR program. The IAF took the legal system designed by ISO, but then threw out the judges.
(In fact, it’s not even clear these days if IAF members are performing peer audits at all, since they don’t have to provide those records to anyone. If no one can check, why bother doing the audits?)
Race to the Bottom
Then there was the overall financial structure which ensured the system would never work. Client companies would pay their certification body (CB), or “registrar.” The CB would then pay their Accreditation Body (AB), such as UKAS or ANAB. The ABs would then pay membership fees to IAF. The money flowed upward.
The scheme took the shape of a pyramid. While not quite a “pyramid scheme,” it certainly endeavors to be one; CBs who rope in more clients get favored treatment by their AB; ABs with lots of CB clients get favored treatment by IAF. Such structures ensure that those at the top of the pyramid, who have the most responsibility, have the least incentive to carry out those responsibilities.
Now let’s acknowledge another reality. Because all of this is private sector, gung-ho competition, mom-and-apple-pie capitalism at work, those at the bottom of the pyramid have one superpower: they can switch registrars. Ultimately, the certified company is a client, and the CB a supplier, so they can fire and hire CBs at will. This, then, creates a race to the bottom, and clients seek out — sometimes intentionally, sometimes without knowing better — the “easiest” CB they can find. Clients spend tens of thousands of dollars on implementing a quality system, and they don’t want to lose it on Audit Day. So they seek out the auditors and CBs who will perform the lightest, easiest audit possible. An “easy” certification body is the one that doesn’t write nonconformities.
This reality — which everyone knows is true, but everyone will deny anyway — thus pushes CBs to compete by “adding value” through friendly, conversational audits that nearly always ensure a client passes no matter what, while the auditor spews a host of undocumented “opportunities for improvement” rather than actual nonconformities. If a CB issues too many “NCRs” to clients, they risk having that client fire them and find an easier CB. So they engage in softgrading, yellow pad auditing, off-book consulting, and a host of other scummy tricks to make the client think they received a fair audit, but which was really designed to ensure the CB retains the contract for another year. Auditors chew up hours of each audit day blathering on about their personal histories, prior business success, and their last fishing trip. They’re just burning up time, because it’s all a big show, and you’re the hapless dupe from the audience who’s been dragged on stage to help saw the lady in half.
Auditors who break ranks and write too many NCRs are “de-scheduled” or, worse, fired. Auditors who consult ad nauseum and spew undocumented “opportunities for improvement” get more audit days put on their calendars, and thus make more money. The worst auditors are the busiest, and they get the least complaints.
But really, what client is going to ask for a hard auditor? Some of you reading this are saying, “well, we want a tough audit!” But now go ask your company President what he or she thinks. I’m betting you get a different answer.
Meanwhile, Back in Giza…
Now let’s look at numbers.
A given CB can have thousands — and sometimes tens of thousands — of certified clients. For each client, the CB pays a fee to its AB for the certification it issues. They have to pay for oversight audits by the AB as well, and the larger they are, the more they pay, because they issue more certificates and undergo more AB audits. So the ABs like the larger registrars better, and thus the smaller registrars not so much.
A given AB, however, will only have CB clients numbering in the tens, not hundreds or thousands. ANAB has 77 registrars accredited to issue ISO 9001 certs, as of this article; smaller ABs have less than 10.
One of ANAB’s CB clients is BSI, perhaps the largest registrar on the planet. What this means is that BSI could, if it wanted, de-certify a client and lose the revenue associated with it, and still toddle along happily. Losing a single client out of a pool of tens of thousands has no significant impact.
ANAB, however, can’t afford to lose BSI. I estimate it would result in about a loss of 15-20% of ANAB’s annual revenue, overnight. Nor can it afford to lose the other big CBs in its pool, such as NSF or NQA.
In short, the structure means that if ANAB were to do its job, it would put itself out of a job. It cannot do the one thing it was formed to do, which is to oversee its accredited CBs. It can never push back on BSI or NSF or NQA no matter what shenanigans they get into, no matter how they much they violate accreditation rules. If they did, ANAB would cease to exist.
Which essentially means accreditation is wholly worthless. Or, if you’re an optimist, symbolic.
BSI, by the way, knows this. They are famous for ping-ponging between UKAS and ANAB, making them dance for their precious annual payments. ANAB has BSI’s contract now, presumably because it’s the most compliant to BSI’s demands to shut the fuck up about any problems it notices.
Meanwhile, controlled by ABs, the IAF isn’t about to upset the apple cart either. Complaints filed with CBs are thrown out by the CBs, and then escalations to the AB and eventually IAF result in whacked-out rulings that always support the CB, no matter how strong the evidence. Even when a CB has been found to have helped “cover over” a literal crime. They will continue to operate this way until one of three things happens:
- A CB or AB is clearly implicated in a high-profile crime or mass fatality that gains the attention of mainstream reporting or politicians, and can’t be ignored.
- The WTO wakes up and sanctions ISO for violating the TBT regulations that govern it, forcing them back to the table to re-discuss QSAR.
- A single politician, somewhere, finally takes notice of the fact that the IAF logo is slathered on the certificates of companies involved in crimes, fatal product releases, deadly disasters and huge scandals, and launches an investigation.
Understanding all of this explains why so many companies report they received “zero nonconformities” during recent audits. It explains why your auditor talks so much during audits, and does so little actual auditing. It explains why an Accreditation Body never seems to do anything even after their CBs have been demonstrably proven to be overwhelmingly incompetent. It explains why complaints about CBs go nowhere, no matter how strong they are. It explains why companies continue to be certified even when they make really terrible products.
The fix must be to create a single oversight body that is both structurally and financially independent of the entire ISO scheme actors. This should probably replace the IAF entirely because such a body would make IAF pointless. That body would be funded by a single pool paid into by the member nations’ governments and would audit ABs. The ABs would continue to pay the fees for auditing and other expenses. The oversight body would have the power and freedom to de-accredit any AB that didn’t properly enforce the rules on their subordinate CBs.
ISO’s QSAR would probably not have worked because it still would have been tied to an organization that made money on certifications (no matter what ISO says, it still benefits from certifications, which require companies to buy their standards.) This new body would be independent of ISO, too. And because its overall operating costs would be low, the 170+ member nations of ISO could pay into it without raising the ire of taxpayers, since the annual donation would be pennies.
This can work, but the CB/AB/IAF structure will not go into this without a fight. But given the number of people affected by deadly products, explosions, scandals, and other disasters caused by ISO X001-certified companies, we deserve better, and should press on regardless.
*I’m coining the phrase “ISO X001” because it’s easier to type than listing all the various standards and certification schemes individually. It’s not a typo.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.