ISO Certification – Is it Right for Us?
How can you decide whether third party certification to an international (ISO) management system standard is the right thing to do? What are the likely costs? Will the benefits significantly outweigh the costs?
This article provides answers to those questions.
1. Setting the Scene
Discussions about “ISO” and “getting certified” tend to be muddled because there are three different but connected areas of decision making (see Fig 1). So, let’s set the scene by examining each.
The first area concerns the management system itself. For all but the smallest business, there comes a point in growth where some formality becomes essential in order to control key activities effectively and prevent things going wrong. Theoretically, with the right skills and knowledge, building a management system could be done from first principles. However, very few organisations have that kind of system-building know how. Besides, it would be doing it the hard way. Instead, why not use the model set down in a management system standard? Vast amounts of experience will have gone into developing that standard. A well designed a management system should be a real asset, even without certification. That brings us to the third area of decision making. Should we take the extra step of getting the system certified to the same ISO standard?
2. Purpose of Third Party Certification
The framework we see in place today globally for third party certification of management systems was first devised in the UK in the 1970’s. The British standard BS 5750 was the first national quality management system standard applicable to any type or size of organisation (although it had a distinctly industrial flavour). Companies which implemented BS 5750 could voluntarily submit their management systems to be assessed by independent third party bodies and, if successful, gain an ISO 5750 certificate. This worked very well for all concerned. For suppliers it meant that the one national standard certificate could be accepted by their many customers. Hence they would no longer suffer numerous, disruptive audits by different customers’ auditors using different audit criteria. Customers were glad not to pay for so many audits. Also, customers’ procurement departments were able to write BS 5750 into their contracts – much easier than specifying many prescriptive quality controls. Naturally, third party certification bodies were happy because their businesses grew rapidly. Later BS 5750 was, in effect, adopted as the global standard ISO 9001. Subsequently, ISO 9001 has been joined by a growing number of international management system standards associated with the process of third party certification.
3. External Drivers for Certification
The most common reason to seek third party certification is that it is required by a customer as a condition of contract. It may be (and usually is) non-negotiable. So if you want the contract, you must have it. In only a few cases around the world, governments have mandated that government departments and commercial companies must achieve certification. In all other circumstances, the decision is voluntary and it rests with top management. There are other drivers for certification. Let’s consider first the external drivers.
3.1 Customer Perceptions and Intentions
If customers are not demanding certification now, they may be thinking about it and dropping hints. Once it was the case that procurement departments wrote only ISO 9001 into invitations to tender. Increasingly customers are applying more rigorous risk assessment to their suppliers and are citing ISO 14001 to avert environmental incidents or OHSAS 18001 to obtain safety assurance from their contractors. Customers are also concerned about issues such as information security and business continuity which bring standards like ISO 27001 and ISO 23001 into the frame.
In these circumstances, top management may be wise to anticipate the shape of things to come and be proactive.
We should be thinking beyond our traditional customers to also consider potential future customers. Without knowing our track record, new customers would probably make ISO certification a condition of award of contract. This is especially the case when planning to export goods and services.
Marketing and sales functions should have a keen eye on competitors here and abroad. What kinds of certification do they have? What are they aiming for right now?
3.3 Pressure from Other Stakeholders
As mentioned previously, ISO management system standards were, in effect, invented by customers to prevent suppliers from letting them down. Of course, customers are not the only entities who matter and quality is not the only issue. Regulators, government departments, investors and other stakeholders have a voice. They too are seeking assurance that organisations are not going to find themselves in breach of the law, that they can demonstrate sound governance, conserve energy wisely, manage costs effectively over the whole life cycle of an asset and so on.
While stakeholders may not stipulate it in contract, they often urge in their policies and, do in other ways, encourage organisations to implement appropriate standards. Sometimes they commission independent consultancies to carry out audits. In a pattern which is being repeated, they are also sending the message that the additional step of third party certification would give them more peace of mind.
3.4 Do as I Do
Few things irritate a suppler more than a customer who imposes certification requirements which the customer does not even attempt to apply within. Many would see this as unethical, unjust or plain unfair. For the sake of our reputation, doesn’t it make good business sense to say “Do what I do” rather than merely “Do what I say”?
4. Internal Drivers for Certification
What if our customers are not be insisting on certification and we are not planning to export. Perhaps also other stakeholders are not voicing their thoughts on the subject and we have not bothered to ask them. Perhaps we do not see any evidence of our competitors seeking certification or to enlarge their scope of certification. Does that mean we should not bother?
The answer to this one is less straightforward. Implementing a particular ISO standard skilfully to establish an excellent system and reaping the benefits in terms of reduced risk, greater profitability and so on, may be enough. However, it would be wise to consider internal factors which may make certification the right thing to do. Here they are.
4.1 Employee Engagement
Usually, the best management systems emerge when they are led by top management and are provided with all the necessary resources. If commitment among top management is variable and if other business activities compete for resources, it may be difficult to get adequate employee engagement. This will impede progress during the system development phase. It will also create issues during system implementation due to lack of ownership and so on.
Setting ISO certification as a corporate target and keeping it on the radar screen, gets and retains everyone’s attention. In addition, when departments know that an external auditor will visit at some point, it’s positively motivating! Nobody wants to let the side down. Moreover, the award of a certificate (often done with due ceremony, followed by celebrations) provides tangible recognition of everyone’s efforts.
4.2 Adding Value to the Business
We may not realise it immediately, but a good management system is a valuable asset. However, would anyone external to the system know that it’s good? Credibility is what you are paying for when you achieve and maintain certification. Organisations become yet more aware of the value when it helps to win more business. Management of small companies learn especially to appreciate certification when they look to retire and wish to attract a company to manage or acquire the business.
4.3 Maintaining and Improving the System
Regular third party audits are initially perceived as the price paid for keeping a certificate. In fact, certification bodies try to claim that their auditors add value through their audits and so they should. A good auditor will deliver audit reports in a professional and helpful manner which identify unseen or untreated risks, point to better ways or working and other opportunities for improvement. Even where an external audit highlights a known problem area, it often succeeds in revealing it to a level of management which ensures that it finally gets sorted.
5. Weighing the Costs, Opportunities and Benefits
The case for having an excellent system which is right for your business is almost self-justifying. If the business environment is such that third party certification is non-negotiable, then only one decision can be made. However, if certification is optional, an assessment of costs risks and benefits should determine whether it is right for us.
Estimating the cost of certification requires only simple arithmetic. The basic elements are:
5.1 The Costs
Estimating the cost of certification requires only simple arithmetic. The basic elements are:
Fee for the initial audit plus the annual + annual fee for surveillance visits
Audit visit preparation + assisting the auditor during the audit + making improvements after the audit
5.2 Opportunities and Benefits
Estimating the benefits derived from third party audits, in financial terms, is not quite as simple. It can be done using a model which includes tangible and intangible elements:
- Savings due to prevention of reported actual and potential nonconformities
- Enhanced compliance due to awareness that external audits may detect noncompliance
- Access to new customers and new markets which require certification
- More effective internal audit programme (a favourite focus area for external auditors)
- Engagement of managers at various levels on management system matters
- The auditor’s support and valued advice on opportunities for improvement
In practice, most organisations do not bother to do the arithmetic. They have a strong gut feeling that the system delivers more than it costs to maintain. Of course, these calculations are based on certain assumptions. These include the assumption that the external auditor is proficient and diligent. For a discussion on that point, see the article Getting Value from Your Certification Body.
Underpinning all of the aforesaid is one vital fact. The greatest benefits and opportunities arise from having an excellent management system. That does not happen by accident.
If you would like to discuss how Gablesmead can help you to develop an excellent management system and achieve first time certification, feel free to Contact Us.