Pros and Cons of an ISO 9001 Compliant Quality Management System (QMS)
In my last article I discussed why a ‘good’ QMS internal auditor will want to have a learning roadmap. Specifically, a learning road map:
- is a plan for how to gain and sustain knowledge, skills, and a set of work behaviours that are relevant for a desired job/role.
- will help an auditor to:
  - become as knowledgeable as the champions and practitioners of the processes they audit.
  - gain relevant experience in the technologies their workplace is built or is being built upon.
  - embrace change to the delight of the organization, its customers, suppliers, and their fellow co-workers/peers.
In this article I discuss some of the ‘pros’ and ‘cons’ an organization will encounter once it becomes certified as compliant with the ISO 9001 standard by an authorized 3rd party registrar.
This article is based on my own work experiences and reflections thereof. It is also a bit of my own “Al Pacino Scent of a Woman flame-thrower” moment towards “things QMS” so I hope you not only find it stimulating but that you use it to become an agent of change by embracing it 😊.
Background Remarks about having a QMS that is compliant with ISO 9001
ISO 9001 is the world’s most recognized quality management standard. That being said, not every business organization has chosen to have its QMS certified to it. For example:
- less than 90% of all businesses in the world possess a QMS certified as compliant with the ISO 9001 or one of its sector specific QMS ‘adder’ standards such as AS 9100 {aerospace}, TL 9000 {telecom}, ISO 13485 {medical device}, or ISO 16949 {automotive}.
- although the majority of senior management teams/business owners are likely to agree that their organization’s ability to be successful at generating fair and reasonable profits in safe and legal ways is predicated upon their effective management of the processes, product/service offerings and the people within their organization to the delight of their customers, it is also true that many of those teams/owners continue to disagree that having a 3rd party certified QMS is a necessary, let alone an efficient, method towards reaching those goals.
Despite not having a 3rd party certified QMS many organizations do, in fact, try to create and then sustain a QMS that complies with ISO 9001. That is, these organizations feel that defining and maintaining a traceability compliance matrix between the latest revision of their QMS/quality manual and the ISO 9001 standard is the only cost of business they need to embrace. However, without an actual certification by an approved ISO 9001 QMS registrar, I feel that these organizations are only admitting to themselves that their actual compliance is neither complete nor effective, let alone, efficient.
This dichotomy exists in my opinion because organizations are easily distracted from adequate and timely discussions on the cost of quality. These distractions often have their source in a propensity of misconceptions about and the subsequent negative behaviours/attitudes towards the cost of quality (assurance and control activities); whereas when an organization has their QMS certified to ISO 9001 by an authorized 3rd party then there is not only a re-occurring requirement to provide evidence of its use as well as its regular assessment for need of improvement, but also increased awareness to ‘good’ quality assurance and control mechanisms that are capable of bringing the results intended and desired.
The Pros of having a 3rd Party Certified QMS
Although it is true that the ISO 9001 standard provides organizations with a framework for achieving operational effectiveness and the improved reliability of the processes and products implicated, it is also true that gaining and sustaining a 3rd party certification of the organization’s QMS only guarantees one benefit. That is, the single most important ‘pro’ of possessing a QMS that has been certified by an authorized 3rd party as compliant with the ISO 9001 standard is that it guarantees the organization the ability to submit bids/quotations for business circumstances in which the implicated client requires that organization to be ISO 9001 certified in order for it to be considered for the award of a contract/purchase order.
Other ‘pros’ of possessing an ISO 9001 compliant QMS are very much possible and the extent of their value will be a function of the definition and robustness of the culture of quality throughout the organization, its customers, suppliers, employees as well as (when applicable) the input (and sometimes even the approvals) of the implicated statutory and regulatory authorities. These other ‘pros’ align with the purposes of a QMS (which I’ve elaborated upon in several of the articles I posted earlier this year), a brief list of which includes but is not limited to:
- reductions in waste, prevention of defective/non-conforming outputs/results.
- more reliable and repeatable product design/development and manufacturing results.
- more predictable and responsive supply chain.
- more knowledgeable workforce.
For those interested in a quick refresher on the intended benefits of having an ISO 9001 compliant QMS please consider reading the following two brochures produced by the ISO group as a means of stimulating conversations on yet other ‘pros’ of having a third-party certified ISO 9001 capable QMS:
- ISO 9001 – Debunking the Myths … available for free, published in 2015 and is 4 pages in length.
- ISO 9001:2015 For Small Enterprises – What to do? … available for less than $100 USD, published in 2016 and is ~190 pages in length.
The Cons of not having a 3rd Party Certified QMS
Any organization can assess its QMS for compliance with ISO 9001 as well as monitor/measure itself for improvement but in order to efficiently create and sustain a ‘good’ culture of quality 3rd party assessments of the organization’s QMS are a necessity especially if the organization intends to:
- use industry defined methods and best practices for meeting its goals/objectives.
- be honest and timely with how it measures as well as assesses its own performance data.
That is, although the customer (and/or an awareness to/understanding of their satisfaction) provides an accurate and usually very timely indication of the organization’s success, self-bias might skew its customers’ or the organization’s own assessment of how well it complies with all its requirements and obligations. That self-bias might also reduce the robustness of the organization’s risk/opportunity management activities and results … especially during those periods of time in which direct customer feedback is lacking or is only relevant to the organization’s currently approved and qualified products/services.
Also, and currently, without a 3rd party certification the validity and amount of improvement in an organization’s ability to efficiently obtain its stated goals/obligations is determined by self-appraisal (often by the organization’s own senior management). In other words, the sources of the data that the organization’s competitive and supply chain management analysis is built on does not currently include any significant contribution from the ISO standards or QMS registrar groups (other than a statement of the organization’s own compliance status as well as its suppliers’ compliance status with an implicated QMS standard).
In short, the two most important ‘cons’ that will exist against an organization that professes by itself that its QMS is compliant with the ISO 9001 standard (without having obtained an authorized 3rd party certification) are:
- the amount of feedback given to the organization from its existing customers, suppliers, and employees is often sparse. As such the organization often finds itself on its own for identifying risks/opportunities as well as newer best practices for the products and implicated processes it uses. For example, customers are sure to complain (when appropriate) but they do not always praise or compliment (out of respect of losing their negotiation positions/leverage). Equally importantly, best practices exist in the (lessons learned, root cause, etc.) data that is collected by the QMS registrars and the ISO standards group itself. However, access to that data is too restrictive and untimely. For example, and currently, the ISO QMS standards group relies on its own committees to determine when to revise the ISO 9001 standard. They also rely upon other regulatory and statutory as well as subject matter expert groups (e.g., IPC, SMTA, NadCap) to update their guidance literature timely … whereas the very QMS certification and subsequent surveillance audit results data can contain and/or provide timely insight to everyone into what works and what doesn’t. Or putting it another way, the ISO and other ‘adder’ QMS standard group owners typically lag the best performers by years in their ability to revise the implicated standards and guidance documents to reflect knowledge and methods of those best performers (whereas sector and business type specific results/data are being captured real-time by QMS standards and registrar groups).
- the ISO organization does not do anyone a favour by letting organizations identify for themselves the frequency of their ISO 9001 management review activities. That is, compliance with ISO 9001 management review requirements could be achieved with as few as a once per year management review activity regardless of the size and complexity of that organization. So yes, smaller sized organizations or organizations whose operating domains (and the respective business inputs, processes, outputs, regulations, best practices, etc.) are not complex could be effective with once per year management reviews but it is questionable whether or not they would be efficient NOR could they (or any organization of any modest or large size and/or complexity) pro-actively scale or improve themselves to leverage most recent best practices should their contract “wins” position them into a significant growth need or actual circumstance (in advance of the implicated ISO standard and guidance documents being revised). Highly coupled to this lack of specificity by the ISO standards group for a requirement upon the frequency of management reviews (currently) is the lack of (at least) one measurement for the (key) process(es) implicated by ISO 9001’s management responsibility requirements.
Note … I readily concede that other ‘cons’ exist but I only wish to speak further to these two as to respect the reader’s time and my goal of encouraging the reader of being an agent of change. To the latter point, Annex-1 herein lists some suggestions for how I think these two short-comings can be minimized if not eliminated.
Summary and Conclusion
In summary:
- ISO 9001 is a standard with focus towards defining, measuring/monitoring, and improving the effectiveness of the organization’s QMS. Although it does not guarantee improvements in efficiency it does allow an organization that holds a certification to bid upon contract circumstances in which the possession of an ISO 9000 compliant QMS is required or preferred.
- Having a 3rd party certified ISO 9001 compliant QMS will position an organization for success especially if the organization’s culture of quality is defined and practiced at all levels of the organization’s planning and operation. For example, the ISO 9001 standard offers a comprehensive methodology for how an organization can identify and obtain strategic, tactical, and operational success effectively. The fact that the organization’s QMS is certified means that its processes … including its (internal and surveillance) audit programs … are being assessed for effectivity regularly (whether the organization has clients or not).
- More organizations would choose to obtain an ISO 9001 compliant QMS that is certified by an authorized 3rd party if the ISO group:
  - became more transparent and accountable to its end-customers. More specifically, ISO 9001 QMS group’s end customers are not just the authorized QMS registrars but also the organizations that are willing to gain and sustain a 3rd party certification of their QMS.
  - revised the ISO 9001 standard to flow-down at least one measurement requirement to organizations of an appropriate size and/or complexity and/or type. More specifically, the lack of such a requirement continues only to discredit the ISO 9001 standard as well as the ISO group itself in how best to keep senior management/business owners fully engaged in a culture of quality. Without such a requirement it is all too easy for members of an organization’s senior management team to dismiss (e.g., lessen the priority for/time spent on identifying as well as embracing all their) ISO 9001 obligations.
To conclude, I believe that the ‘pros’ and ‘cons’ described herein (of having an ISO 9001 compliant and certified QMS) are suggestive that improvements to how the ISO 9001 standards and registrar groups can better contribute to the culture of quality in an organization are needed. I have provided some suggestions herein on how improvements can be made/obtained.
And now, a sneak peek into my next article
In my next article I will discuss Human Resource Management (HRM) and its role in a ‘good’ QMS as well as the shortcomings of the ISO 9001 QMS requirement standards to address this topic space. For example:
- a generic QMS requirements standard like ISO 9001 will always need to be supplemented by sector specific QMS ‘adder’ standards (like AS 9100, TL 9000, ISO 13485 and ISO 16949) because the types of products/services and the various regulatory and statutory requirements to get them qualified and/or released as well as the number of processes used to complete that work is too large to be discussed in a single generic standard. However, with respect to the HRM topic space, ISO 9001 can be improved a bit – as the goals/needs for the effective and efficient management of people by an organization does have a lot in common regardless of the industry sector, product/service offerings, and design/test/release processes implicated.
- has ISO 9001 put enough emphasis towards/requirements for human capital? Specifically, should ISO 9001 have more requirements or minimally, more emphasis on people management systems and requirements such as those that can be traced to the ISO 304xx and ISO 10667 groups of requirement and guidance documents?
Annex-1 … Candidate solutions to address the ISO 9001 shortcomings (identified above)
The following are suggestions in how the two ‘cons’ listed here can be minimized (if not eliminated).
Proposed Solutions to Mitigate/Eliminate Con#1
To provide more transparency and accountability to the organizations certified as compliant with the ISO 9001 standard, the ISO 9001 group should:
- expedite the creation of and access to a QMS registration status portal (for the authorized and certified organizations). Furthermore, that portal should provide information in anonymous and appropriate ways that will:
  - include the registration status information about organizations that possess QMS ‘adder’ requirement certifications.
  - be fully searchable by authorized users on QMS registration particulars including but not limited to:
    - scope statements
    - and generic (surveillance) audit determined data such as non-conformance data specific to the clause(s) implicated and a root cause code value of each non-conformance that was closed and monitored for effectivity.
- provide unlimited and for free access to e-copies of any of the ISO standards, guidance, and best practices documents to the currently registered ISO 9001 third party accredited organizations as to ‘walk the talk’ about knowledge transfer mechanisms as well as to improve the time in which industry standards and best practices are embraced and used. This function could also include (for free) listings of the titles of which ISO standards are likely to be of interest to organizations of which NACI codes.
- include the relevant and appropriate registration status (as determined by the authorized 3rd party registrars) in such a repository. In this way, minimally the perception that the ISO group itself is effectively monitoring each QMS registrar is improved.
- have (minimally) once per year survey inputs and subsequent summary reports/action plans from the responses of all customers (or minimally flowing this requirement to gain feedback down to the QMS registrars to enforce with each of their registered ISO 9001 clients). In this way senior management/business group owners will see how the ISO group itself endeavors to gain timely improvement recommendations as well as provide a more transparent approach to discussions on the changes to the ISO standards, guidance, and best practice documents.
None of these proposals would weaken the integrity of the ISO groups/committees nor would it put at risk the competitive advantages held by organizations from which the best practices originate. To this second point, information could be made available to certified organizations without identifying its source AND it could be presented in manners respectful of its true owners’ intellectual property rights and patents.
Proposed Solutions to Mitigate/Eliminate Con #2
To ensure an organization’s senior management/business ownership team members remain regularly and appropriately engaged in the use and improvement of their QMS, the ISO 9001:
- standard should be revised to include a flow-down requirement specifying the minimal frequency of the organization’s management review activities. That frequency specified would be a function of several factors including but not limited to the organization’s size (e.g., head count, square footage), domain and business purposes (e.g., NACI code, charitable versus non-charitable organization). It would remain the case that ‘small’ and less complex organizations would sustain a frequency requirement of management review of “at least once per year”, but larger sized or more complex organizations could easily be mandated to have quarterly if not monthly management reviews. Currently, ISO 9001 does expect an organization to assess its own frequency of need of management review so yes, it’s possible many organizations already have a management review process that self-imposes a higher frequency of management reviews. However, in those cases, it really comes down to how well the (surveillance and internal) QMS auditors can influence the organization’s management team into improving their management review (frequency of use).
- group should define a mandatory measurement of the effectiveness of the organization’s activities used to comply with the management responsibility requirements of the ISO 9001 standard. For example, a ‘perception of customer satisfaction’ measurement would align well with one of the main purposes/benefits of the ISO 9001 standard itself as well as provide a common framework by which ISO 9001 certified organizations would be assessed. More specifically, the ‘perception of customer satisfaction’ could be determined by an assessment of several factors including but not limited to:
  - the absence of customer complaints
  - the absence of suits against the organization by any of its customers, implicated regulatory or statutory authorities
  - the presence of repeated business engagements from existing customers
  - the presence of increased business engagements from existing customers
  - the presence of positive feedback from any of its current customers implicated by its ISO 9001 obligations/goals
  - market segment analysis, benchmarking, and performance information from approved and independent 3rd party sources
Annex-2 … Release History of the Referenced Standards
The following table lists the release history of the ISO 9001 and QMS sector specific ‘adder’ standards relevant to this article. It also lists the release history of pertinent/relevant to this article EMS, OH&S and HRM standards.
It is noted that the ISO standards are assessed by their owners for any need of change on a three-to-five-year basis.
| Standard ID # | Title of Standard | # Of Pages | Revision (And Issue Date) | Status |
|---|---|---|---|---|
| ISO 9001 | QMS – Requirements | 29 | Edition 5 (Sept-2015) | Latest Approved |
| | | 27 | Edition 4 (Nov-2008) | Historical |
| | | 23 | Edition 3 (Dec-2000) | Historical |
| | | 11 | Edition 2 (Jun-1994) | Historical |
| | | 7 | Original Edition (Mar-1987) | Historical |
| Some of the “QMS adder” standards relevant to this article … | | | | |
| | QMS – Requirements for Aviation, Space, and Defense Organizations | 54 | Rev D (20-Sep-2016) | Latest Approved |
| | | 33 | Rev C (15-Jan-2009) | Historical |
| | | 39 | Rev B (06-Jan-2004) | Historical |
| | | 69 | Rev A (01-Aug-2001) | Historical |
| | | 32 | Original Revision (01-Nov-1999) | Historical |
| | (TIA Quest Forum) TL 9000 QMS – Requirements Handbook | 74 | Rev 6.3 (01-Oct-2021) | Latest Approved |
| | | 70 | Rev 6.2 (01-Apr-2020) | Historical |
| | | | Rev 6.1 (31-Dec-2017) | Historical |
| | | 70 | Rev 6.0 (15-Sep-2016) | Historical |
| | | | Rev 5.0 (Nov-2009) | Historical |
| | | | Rev 4.0 (July-2006) | Historical |
| | | | Rev 3.0 (2000) | Historical |
| | | | Original (1998) | Historical |
| ISO 13485 | Medical Devices – QMS – Requirements for regulatory purposes | 36 | Edition 3 (Mar-2016) | Latest Approved |
| | | 57 | Edition 2 (Jul 2003) | Historical |
| | | 10 | Edition 1 (Dec-1996) | Historical |
| ISO 16949 | QMS – Particular Requirements for Automotive Production and Relevant Service Part Organizations | 39 | Edition 3 (Jun-2009) | Latest Approved |
| | | 34 | Edition 2 (Mar-2002) | Historical |
| | | 42 | Edition 1 (Apr-1999) | Historical |
| Some of the other management systems standards popular within many different industry types/sectors … | | | | |
| ISO 14001 | Environmental Management Systems (EMS) – Requirements with guidance for use | 35 | Edition 3 (Sep-2015) | Latest Approved |
| | | 23 | Edition 2 (Nov-2004) | Historical |
| | | 14 | Edition 1 (Sep-1996) | Historical |
| ISO 27001 | Information Technology – Security Techniques – Information Security Management Systems (ISMS) – Requirements | 23 | Edition 2 (Oct-2013) | Latest Approved |
| | | 34 | Edition 1 (Oct-2005) | Historical |
| ISO 45001 | Occupational Health and Safety Management Systems (OH&S) – Requirements with guidance for use | 45 | Edition 1 (Mar-2018) | Latest Approved |
| Some of the “people” (human capital) related standards relevant to this article … | | | | |
| ISO 30401 | Knowledge Management Systems | 20 | Edition 1 (Nov-2018) | Latest Approved |
| ISO 30405 | Human Resources Management (HRM) – Guidelines on Recruitment | 19 | Edition 1 (Sep-2016) | Latest Approved |
| ISO 30408 | HRM – Guidelines on Human Governance | 13 | Edition 1 (Sep-2016) | Latest Approved |
| ISO 30409 | HRM – Workforce Planning | 27 | Edition 1 (Sep-2016) | Latest Approved |
| ISO 30411 | HRM – Quality of Hire Metric (e.g., cost per hire) | 6 | Edition 1 (Jul-2018) | Latest Approved |
| ISO 10667-1 | Assessment Service Delivery – Procedures and Methods to assess people in work and organizational settings – Part 1: Requirements for the client | 23 | Edition 2 (Nov-2020) | Latest Approved |
| | | 20 | Edition 1 (Oct-2011) | Historical |
| ISO 10667-2 | Assessment Service Delivery – Procedures and Methods to assess people in work and organizational settings – Part 2: Requirements for service providers | 25 | Edition 2 (Nov-2020) | Latest Approved |
| | | 22 | Edition 1 (Oct-2011) | Historical |
The following table provides a (non-linear) timeline of the release dates of the QMS requirement, HRM, EMS, ISMS, and OH&S standards listed in this article. Please note that the ISO group is targeting 2025 for the release of the next revision of the ISO 9001 standard.

Annex-3 … A list of some of the URLs that provide ISO 9001 Registration Status
There is a plan/effort within ISO group to provide a centralized repository for ISO 9001 certification status information. Until such a registry is implemented and made accessible, you should continue to use information provided by QMS registrars or the other QMS ‘adder’ requirement standard ownership groups. For example, the following table lists some of the current URLs that I have used to determine the ISO 9001 QMS registration status of an organization. Please note some of the links may have recently become ‘defunct’ (as the organization implicated has been merged with another or the data retained formally has now been placed into an ISO/IAF group-controlled repository or the organization implicated has recently created a newer portal or access requirements to it).
| Source | URL | Access |
|---|---|---|
| Remember, to see sector specific QMS listings: | | |
| AS9xx certifications | https://www.iaqg.org/oasis/login | but this requires a LOGIN account |
| TL9000 certification | http://tl9000.org/registration/certifications.html | which does NOT require an account |
| NADCap credentials | www.eauditnet.com | but this requires a LOGIN account |
| ISO13485 | None known to exist. | |
| QMS ISO 9001 registrars who require a form to be filled out or an e-mail to be sent to validate certificates: | | |
| Intertek | http://www.intertek.com/business-assurance/certificate-validation/ | |
| Lloyd’s Registrar | http://www.lrqausa.com/help-and-support/Request-for-certificate-verification/ | |
| Orion | http://www.orion4value.com/about-orion/registered-companies/ | |
| OTHERs … | | |
| ANAB’s listing of REGISTRARs and their QMS authorizations | http://anabdirectory.remoteauditor.com/ | which does NOT require an account |
| MDSAP capable registrars | https://www.fda.gov/downloads/MedicalDevices/InternationalPrograms/MDSAPPilot/UCM429978.pdf | |