It appears (to me) to be a commonly held view that companies working to an internationally agreed standard will be better than those not working to it: an ISO9001 certified company must be better than a company not certified, all else being equal, of course – but it’s the “all else being equal” that is often forgotten. A company may be meeting the standard but hasn’t felt the need to apply for certification, for example. But that’s not the point of this article. I want to think about what the Standard (and you can take that to mean ISO9001 if you wish – it’s certainly the focus of most of my comments below) actually means.
When representatives from across the world get together and agree a Standard, are they agreeing on an aspiration or reality? Are they agreeing on the highest standard achievable or on the lowest they can accept? That’s not to call anyone’s professional ability or integrity into question but, if there is to be agreement (whether unanimous or by a majority), the lowest expectations will have an influence on the final agreement. Certainly the Standard will ask for more than the lowest but I would question if it asks for what should really be the objective: it is, after all, an international agreement that has to take into account the different cultures, economics, technologies, legal frameworks and actual laws, dare I say sophistication, and a host of other factors that differ from country to country. That is not to say that the Standard is wrong or bad, just that it might not be asking for the best that may be possible, or even desirable, in all markets.
For some areas (whether country, industry, market, etc.) the Standard will be a good measure of achievement but, for others, it is below what should be expected or needed. There is a reluctance on the part of the standards committees to consider localisation or “plug-ins” (to use a fairly widely recognised computer term) to tailor a Standard to the actual need. For ISO9001 that means that customers have to either accept the risk it may not be sufficient (especially if they rely on third-party certification) or establish their own additional requirements – the latter taking us away from the original purpose of the Standard (certainly if we look back at BS5750 when it was first published in 1979).
Agreement, and the desire to make it universally applicable, has meant some vague requirements that need to be interpreted according to the context – something I’ve said above is needed, but I would like to see some rationalisation and agreement over such interpretation, not an individualistic and, at times, convenience-oriented approach. I can’t help feeling we should get back to first principles and establish a basic standard for assessment – the current ISO9001 is a fine starting point (and probably not far from the ideal). We may need a bit more adjustment if we want to bring in HS&E aspects (but only to integrate the management system parts from OHSAS18001 and ISO14001). The key consideration must be to have an assessment standard – not one specifying the design of a system. Assessment should then always need external input from context (be it market sector, HS&E considerations, etc.). It makes the third-party certification business harder because you could no longer issue a certificate to a company without knowing the context for their deliverables (both the local environment and the end-user needs) – but it might result in certificates being more meaningful and useful to customers, and in customers actually doing more (effective) verification themselves.
In thinking this way, we also move away from letting international standards dictate how we should be meeting the Standard – move away from prescription to goal-setting.