ISO Stuff: The Audit

I went through my third party ISO 9001 assessment recently. That got me thinking a little bit about the experience. I thought I'd share some of what I've learned over the years about this unique experience. First, some background. There are three "registration" avenues that a company can follow. Those are:

Self-Declaration, 2nd Party Assessment, and 3rd Party Assessment.

The difference between these is dramatic so let me explain a little about each.

Self-Declaration is just what is sounds like. If you believe that you have a good solid Quality Management System that, in your opinion and assessment, meets the intent of the relevant quality standard, you can self-declare that your organization complies with the standard. The benefit of this is mainly cost and effort. No cost associated with hiring a registrar to come in and spend several days assessing your system, and no lost time associated with the aforemetioned audit visit. The drawback of this approach is that no one will believe the declaration. It's akin to the "fox watching the henhouse" euphemism.

Second Part assessment is assessment by a customer. The benefits of this approach are similar to Self-Declaration above. No cost. However there is the time component that is in play. You will have to spend time preparing and conducting the assessment. The downsides of this approach are many. Starting with the portability issue. If one customer assesses you, will other customers accept the results or will you find several other customers at your door wanting to conduct an assessment visit also? Additional negatives of this approach are that you won't want to reveal anything except the best parts of your QMS to any customer, for fear of a negative impact to purchasing decisions. This inhibits improvement of the QMS.

Third Party registration is by far the most common approach around the world. There are several reasons why third party is the preferred approach. Third party registrars are independent and accreditted by an international body that ensures their competence, thoroughness, and impartiality. Third party registrations are pretty much universally accepted by any customer. Third party registrars have a unique relationship that presents either a downside or an opportunity, depending on the maturity of the QMS, the attitude of management towards the QMS and the confidence of the Quality Manager. Let me explore this area in more detail.

The relationship with the registrar is a strange symbiotic relationship. The registering company is hired by the company seeking registration, which from a buiness standpoint creates a desire to continue the business. Afterall, we are all in business to make money, even registrars. So the registrar must walk a fine line between "finding" too many things that might harm the relationship and letting the QMS off too easy. This is a big challenge for auditors, again, depending on the maturity of the organization being auditted. Third party registrars are prohibited from "consulting" as this is a conflict of interest that undermines their impartiality. Individual auditors can and do, share information on a one on one basis about potential improvement opportunities that they observe but may not include in their report.

Lets spend a few minutes on maturity. What I mean by this is that different organizations are motivated by different things to achieve registration. Many are interested in getting the certificate on the wall to satisfy a customer demand. Once this demand is met, some organizations stop there and really don't mature much more. On the other hand, some companies enter into the registered quality management system with the motivation of improving their business or perhaps start from a demand from customers and mature into a more enlightened attitude about the value of their QMS. Those with a mature approach to their QMS registrar relationship understand that the registrar works for them and that the third party audit is a tool in their toolbox to help drive improvement in the QMS. The Quality Manager is the key player in making this happen by sharing information with the registrar about weaknesses in the system. Through enabling the third party auditor, the Quality Manager can leverage findings from them to force improvement in areas that may have been resistant to participating.

Third party registration is by far the most common approach used. Customers and competitors universally recognize an independent registrars findings. Due to the business relationship that exists, registrars are interested in adding value for the registered company by helping them mature and improve the QMS beyond just getting a certificate hanging on the wall.