After only a few years managing an ISO-compliant QMS program, I began to notice something. When interacting with new staff, and even the occasional prospective customer, I would hear commentary about our Quality Management System. The wording would vary, sometimes it was, “Wow, you have an actual program,” while other times it was just the comment that our “system ties together” or even a short sentiment like, “We had SOPs at my last job but no one used them.” The words may have differed, but the intonation was always the same: Invariably they were saying, “You take this ISO stuff seriously.” And, more importantly, that a lot of companies with certifications don’t.
After hearing this over and over, curiosity got the better of me. Who were these companies that managed a certificate without a program? I began quietly digging into ISO-registered companies large and small. The harder I looked, the more I began to see a clearly developed trend emerging: There were two types of “ISO companies.” There was a clear contingent of companies who legitimately worked toward meeting the goals set forth by their respective standards, and they remained in constant effort toward continual improvement. And there was the other half, the companies who fly the ISO banner, and hang the certificate on the wall, but manage to slip by when it comes to the crucial details of maintaining a functional ISO program. The lesson learned was, “Just because a company has a certificate, it doesn’t mean they have an effective program.”
The reasons for how these companies maintain a certificate range from poorly trained or overscheduled auditors, to entire facilities that fall under the umbrella certification of a parent facility but slip by during the audits. Registrar audits utilize a very small audit sample for certification, and, as a result, it’s quite easy for a company to demonstrate a local adherence without actually implementing a functioning system.
Regardless of the reasons, in all cases, the end result is the same: Customers approach a company thinking they will find value based on a certificate, and then find out too late that the value was all just window dressing. And so the question became, “How do we leverage what we know about ISO to ensure we don’t get snagged by a company who stops the work as soon as the auditor leaves the building?”
As a result, I’ve worked spent some time working out an “ISO Smell Test.” While this is not a full audit or even a thorough review of a program, it does cover minimums a company must have in place to maintain a meaningful ISO program. Coincidentally, these points also seem to be the frequently overlooked sections for companies who are less than engaged with the tenets of ISO systems. As you wade into new company relationships, if you see an ISO certificate on the wall or a flag, banner or other promotional material, take the time to dig a little deeper. If they maintain a strong program, the answers are easy and will take no time. If you find them lacking, struggling or making excuses for missing items you asked for, consider yourself fairly warned.
Ask these 5 QMS-Related Questions:
- Quality Manual 9001:2015 – section 4.2.2
- This is a simple, straightforward requirement of any registered 9001:2008 company. Ask for a copy and for them to point out their “Procedures established for the QMS” or the interactions of those procedures. For extra credit, see if they can show you the scope and exclusions. Note: 9001:2015 does not require a Quality Manual; however, they will need to identify the information elsewhere in their system.
- Management Review 9001:2015 – section 5.6
- Another easy answer from a sincere program. How often do they meet and who participates? Of course, records are required; ask to see evidence of the reviews or the attendance record. Review of a Quality Policy & Quality Objectives is also required. Reading this policy and understanding their objectives (product conformity, on time delivery, etc.) will be useful in determining what business you may (or may not) be willing to do with them in the future.
- Internal Auditing 9001:2015 – section 8.2.2
- Not only is auditing required, it is the lynchpin of most earnest programs. Ask to see records of a recent audit. Do they use the process methodology? What records of the audits do they maintain, and how do they go about fixing audit findings?
- Supplier Controls 9001:2015 – section 7.4
- How do they track and evaluate their suppliers? What documentation can they produce to back up what they tell you?
- Corrective Actions & Product Nonconformance Tracking 9001:2015 – section 8.3 & 8.5.2
- Corrective Actions and all Nonconforming Product requires record documentation, which must include cause analysis and actions to resolve the issues. If they can’t produce evidence of a single nonconformity record, or say they’ve never had one, it’s time to run. Everyone makes mistakes—not everyone admits to or fixes them.
What if they have all of the above? Congratulations, you’ve found a company that takes their certification seriously. How seriously? Run down the following 5 questions with them and see how you feel about their answers. I don’t need to explain further; you’ll know when they’re being forthright and when they’re making it up on the fly.
- How does you company convey process on customer specification changes internally?
- What records does your company maintain to show you are meeting (or attempting to meet) your identified quality objectives?
- What is the last process failure or nonconformance the company experienced?
- How was the nonconformance fixed and where is it documented?
- How do you maintain and document continual improvement?
My final piece of advice: Take notes and go with your gut. A company with a solid QMS system will be happy to share with you, and you will likely be stuck in the chair while they run on about their procedures and reviews. A company with little or no system in place will simply not have answers or depend almost entirely on their ability to sell with smoke and mirrors.
QMS Program Manager