Featured Product
This Week in Quality Digest Live
Standards Features
Mark Hembree
Rumors about ball performance meet quality assurance
Grant Ramaley
FDA seeks to align Part 820 with ISO 13485:2016; why that may not be enough.
MSMEs are encouraged to uphold the highest standards
Steven Brown
21st-century standard candles at NIST

More Features

Standards News
US Dept. of Commerce issues seven grand challenges
Requesting quotes for ‘Baldrige Reimagined’
Standards-based audit checklist and best practices provide support for growing technology in aerospace
Accelerating the adoption of digital twins in building industries
Tactics aim to improve job quality and retain a high-performing workforce
Demonstrating a commitment to keeping people safe and organizations running
Making the new material freely available to testing laboratories and manufacturers worldwide
Run compliance checks against products in seconds
Aug. 25, 2022, at 3:00 p.m. Eastern

More News

Arun Hariharan


Certifying Body: Partner or Police Force?

The benefits of continuous improvement for its own sake

Published: Wednesday, October 7, 2015 - 15:43

In my previous article, “Is Poor Quality ISO 9001’s Fault?” I shared the example of the chairman of a large company who ridiculed ISO 9001, saying, “Even the municipal office of this city is ISO 9001-certified. And we all know how bad the municipality is. I don’t believe ISO 9001 can do my business any good.” The chairman was equally severe in his views about other quality methodologies and models. His comment was really about quality management systems or practices as a whole, not about ISO 9001 alone.

I also wrote about the discussion on LinkedIn’s ISO 9001 group, where more than 150 responses expressed members’ views about the chairman’s comment.

We saw in the last article how the largest number of respondents seem to think that poor quality is the fault of the organization—particularly its leaders. Here, we’ll look at some of the other categories of responses.

It’s the certifying body’s fault

A number of respondents lay the blame for poor quality on the certifying body (CB) that does the external audit and certifies or recertifies an organization to ISO 9001. The number of respondents with this view is significant and second only to the number who hold the organization itself responsible. These respondents point out that the CB has a business to run, and it gets its revenue from the client organization that it audits and certifies. According to this view, a vast majority of organizations and their management react in a hostile manner to nonconformances reported by the CB on the audit report, and even issue veiled (or not so veiled) threats to discontinue the CB’s contract. And there is always another CB hungry for their “business.” This group believes that there is a conflict of interest because the CB is expected to be independent, even though it depends on the organization (i.e., the auditee) for its revenue and survival.

“Audits where the payer is the audited and has a chance to choose the CB don’t work,” says one respondent. Revenue earned by CBs from client organizations isn’t restricted to audit fees, but could also include consulting and training fees, so according to this view, there’s too much money at stake for the CB to remain independent.

“CBs should be professional and ethical, and not certify some organizations, but if they do that, they may go out of business,” says another respondent.

A third respondent asks, “How many companies have been decertified or at least warned of losing their certificate?”

A fourth respondent finds nothing wrong as long as it’s business for the CB and improvement for the organization. He uses an interesting metaphor: “Many people buy exercise machines,” he says. “But how many of them actually use the machine to work out daily?” He compares the exercise machine to the business of the CB, and the daily workout to the organization’s effort toward continuous improvement—obviously, you need both.

I especially liked this comment: “Challenge the CB [to find opportunities for improvement] and select a CB that challenges your organization.”

I once took the external auditors to task for not pointing out serious nonconformances that were discovered through the organization’s own internal audit, and also through customer complaints. This was one of the world’s largest and oldest CBs, but it admitted that this was the first time any client was upset for not pointing out opportunities for improvement. “Most of our other clients just want the certificate,” a CB employee told me privately.

Experience taught me that it’s important for the company being audited to make it clear upfront to the CB or external auditors that it does not need the ISO 9001 certificate for image purposes, but only for continuous improvement. Organizations that do this—and truly mean it—are really able to benefit from ISO 9001.

“ISO 9001 is a really good framework to set up a management system (not only for quality), but certification is just a business for a CB,” says one commenter. This reminds us that following the ISO 9001 standard and the certification process are two different things. An organization can follow the standard for continuous improvement and choose not to go for certification.

To me, this seems logical because a company that uses the standard for genuine improvement is more likely to be serious about quality than one that merely wants the certificate. My own experience with several companies supports this view. We found that, without exception, the company’s own internal audit using the ISO 9001 standard threw up far more opportunities for improvement (provided we were brutally honest with ourselves) than any external audit by a CB.

Earlier, I shared the example of a company for which I had to reprimand the CB for giving a “clean” audit report with zero nonconformances at a time when many customers were complaining of poor processes and poor service. Once the CB was given a clear, unambiguous message that the organization was not interested in merely getting the ISO 9001 certificate but keenly interested in the CB identifying opportunities for improvement, the CB got the message and has been playing a value-adding role ever since.

It helps to treat the CB as a partner that can help the organization with continuous improvement, rather than a policing agency from which to hide poor processes or shoddy quality. You also need to tell this to the CB. In fact, for one company I had to tell this to the CB auditor several times and threaten to cancel the contract before he actually believed me.

What’s the point of trying to hide poor quality from the CB? After all, we can’t hide it from the customer.

To draw a parallel with physical health, if you hide certain symptoms from your doctor and con him into giving you a “good” medical report, are you cheating the doctor or yourself? In the context of ISO 9001, the CB is the doctor, the organization is the patient, and the CB’s audit report is the doctor’s report.

Role of the quality person or department

A common theme in many of the comments is the importance of setting the expectations of the organization’s leadership. In other words, educating the CEO and board directors about what ISO 9001 can and can’t do for their business, and the need for leaders to get involved. This is the job of the organization’s quality person. Personally, I’ve found this responsibility to be the most important and challenging. If it’s successful, it’s also the most rewarding for the organization and, professionally, for the quality person.

Often, I find that an individual or group will have higher conviction about the importance of quality than the rest of the organization. Irrespective of whether they belong to the quality department, this individual or group is in a position to play an influencing role in motivating the rest of the organization, including senior management, to reach the same level of buy-in.

“Quality managers often turn quality into an exercise in documentation and bureaucracy,” says one respondent. “This is giving quality management and ISO 9001 a bad name.”

Another respondent stresses the role of quality professionals in championing improvement: “As quality and improvement professionals, we need to educate the CEO and senior managers to buy into the goal of improving the business, instead of a goal of certification.”

Let me share a real story. A company was ISO 9001-certified. Then there was a change of CEOs. A few months after the new CEO came, it was time for the annual CB audit. “Why do we need this ISO audit?” the CEO questioned. “Does it really help the business?”

Perhaps the new CEO wasn’t familiar with ISO 9001, or perhaps he wanted to test his people.

“Oh, if we don’t get the audit done, we’ll lose our ISO 9001 certificate,” someone from the team answered. This turned out to be the wrong answer. The CEO’s next question was, “But why do we need that ISO 9001 certificate?” There was no answer to that.

What would have been the right answer?

When the person who answered the CEO reflected a bit, she realized why she hadn’t been able to convince the CEO. She sought a meeting with the CEO the next day and explained how, a few years previously, the company had almost no standardized processes, no performance measurements, and no customer focus. It was losing customers and business rapidly. She explained how standardized processes had helped the company rapidly scale up its operations and business during the past few years. She also explained, using supporting data, how measurements related to quality, processes, and customers helped keep the business healthy and contributed to financial results.

In business, CEOs best understand the language of money, so it may be helpful to try and translate how quality and process excellence (or any strategic initiative that doesn’t bring immediate revenue) can help the business over a period of time.

Today, this company is among the leaders in its industry not only in business, but also in customer-satisfaction scores. And that CEO is a big champion of ISO 9001.

In my experience, it’s important for those driving quality and customer focus in the organization to help the CEO and other stakeholders see this link between ISO 9001 and how it can help their business. Otherwise, many business leaders will continue to be skeptical, and this shouldn't surprise us.

I’ve seen organizations where the quality person wasn’t able to speak the language of business or “see the big picture” (a pity, because some of them are strong in the technical and tool aspects of quality). Some people might argue that “this isn’t the quality person’s job” or that “quality shouldn’t be the responsibility of the quality department alone,” but the fact remains that in many organizations someone  must play the role of a catalyst—ideally, someone who understands quality, ISO 9001, and process improvement. This person must be able to articulate repeatedly how they are all relevant to the business.

During my nearly three decades of experience as a quality professional, I’ve spent much of the last 15 years trying to play this catalyst role. Like many other jobs, the quality role also must progress from “tools and techniques” roles in the earlier stages to more strategic and culture change agent roles subsequently.

Who must document your processes?

“We had a heated discussion and put the [process] manual in the bin and started again,” says one respondent. “We rewrote the procedures, each process documented by its owner, i.e., the management team. At the end we had a very similar manual to the one we binned, but this time everyone understood why we needed ISO 9001, what the procedures and internal audits were for, and how that affected the business. After that, they would request audits, point out nonconformances themselves, and give team leaders the time and resources to correct them.”

In this organization, as with many others, the processes weren’t documented originally by the owners or the people who used the processes, but by the quality department or a consultant. My own experience with organizations corroborates this point: People will own processes that they write themselves; the quality department or a consultant can provide a standard format or blank template to ensure standardization across the organization for process documentation, but the actual process must be written by the process owner.


If you earn your ISO 9001 certificate by genuine process excellence and continuous improvement, the standard can be a great tool. On the other hand, if you hoodwink or arm-twist your CB into giving you an ISO 9001 certificate without real quality processes to support it, your customers will soon notice the difference and take their business elsewhere. Your choice.

For interested readers, my book Continuous Permanent Improvement (ASQ, 2014) contains more detailed treatment of several of the topics contained here, including the role of top management in quality, the role of quality professionals, and detailed guidelines for process standardization and continuous improvement.


I’d like to acknowledge and express my gratitude to all the respondents who shared their valuable comments in the discussion “Is this ISO 9001’s fault?” in the ISO 9001 group of LinkedIn. Due to space constraints, I’m unable to name individual respondents here. Readers are encouraged to read the entire discussion (see link at the beginning of this article) to see the names of all the participants and their comments. The discussion is still going on; your own comments are welcome, too.


About The Author

Arun Hariharan’s picture

Arun Hariharan

Arun Hariharan, author of Continuous Permanent Improvement (ASQ 2014), and The Strategic Knowledge Management Handbook (ASQ 2015) is a strategic quality, knowledge management (KM), and performance management practitioner with nearly three decades of experience in these fields. He has worked with several large companies and helped them achieve substantial and sustained results through quality and customer focus. He is the founder and CEO of The CPi Coach, a company that provides partnership, consulting, and training in business excellence and related areas. Former roles held by Hariharan include president of quality and knowledge management at Reliance Capital Ltd, and senior vice-president of quality and knowledge management at Bharti Airtel Ltd, India. He is a frequent speaker at quality and KM events around the world. He is also the author of more than 50 published papers on quality and KM.


Thank you

Thank you for the valuable comments. You may also wish to post the same comments in the ongoing Linkedin discussion which is the basis of this article. The link to the Linkedin discussion is given in the article. This way, your comments would reach an additional audience, and benefit more people.

ISO 9001

I have been a part of ISO 9001 in two different companies with two different external auditors. I am a big proponent of lean processes and controls and accountability but ISO in practice is none of these things. ISO is only good for making sure your paperwork is right and paperwork is a waste of time. Yes you need written standard work, yes you need a documented calibration process but there is much wasted time and money that goes into unnceccesary paperwork and bureaucracy. You stated "“Quality managers often turn quality into an exercise in documentation and bureaucracy,” says one respondent. “This is giving quality management and ISO 9001 a bad name.”" I disagree it is not the quality managers that are doing this, it is the customers that drive the ISO certification which is just a useless bureaucracy. I was employed at a 3rd company that practiced lean and standard work with excellance and they would have never passed an ISO audit but they were much better at lean than either of the other two certified companies. ISO is a joke b/c I can pass an audit without being lean or I can be lean w/o passing an audit. For the record I do not think API is any better.

ISO 9001

My perspectives about the timely article and survey findings:

  • Processes should be scoped and mapped by the Process Owner (ISO 9000.1:1994)

  • Processes will then have Procedures 'documented' to enable them to be performed

  • ISO 9001:2015 requires the organizations processes to be so defined and it specifically states a requirement that an organizations management system should not reflect the Clauses of the Standard nor its Terminology

  • Should organizations 'document' their ISO 9001, 14001, 55001, 45001, AS9100C, ISO/TS 16949 etc. systems by the headings or clauses of these standards then you have about 18 months to re-document them under your processes, conduct Internal Audits and complete all by the 3 year transition period for ISO 9001 and ISO 14001

  • ISO has a Guidebook that is most useful in developing a process-based approach to Integrating Management Systems and will be reviewed in 2016 – it is called “The Integrated Use of Management Systems Standards”.

  • Annex SL in the revised ISO 9001:2015 only seeks to align the clauses for commonality and will be the based for so structuring ISO Standards. Annex SL is NOT the means or format to so document one or multiple Management Systems into an Integrated System, neither is PAS99 either.

  • The falling popularity / Google Searchers rate of Lean and more so Six Sigma (the Trade and Service Mark of Motorola's Quality Program not statistically correct +/-6 ST DEV aka Walter Shewhart's calculation and formula for Control Charts - that is another argument my colleague Dr Anthony Burns is more qualified to address) is because such process-based initiatives normally decouple from their ISO 9001 QMS

  • This is usually because such Processes are not identified aka Clause Based non-Value Adding Quality Systems which are sadly certified by the CB's as that was what the organization presented and probably as the article finds, the QMS adds no business value)

  • Any Lean, Six Sigma, BPM, BPR, Jishuken, 8D, Kaizen, Quality Circle, TPM, PDCA, PDSA intervention needs to start with the Processes which should have so located in a Management System if so documented by its Processes, so that when the improvements are so made and audited change and downstream impacts are / validated, back into the Procedures and then within the linked Processes - see APQC PCF as it has a few Industry Process Frameworks as a start

  • All Business Excellence Models and the revised ISO 9001:2015 7 Quality Principles have Processes at their heart

  • Any ERP like SAP has Processes likewise Balanced Scorecard the “Process perspective”

  • Likewise, so should all Management Systems.  Just go and pick-up any Certified Quality or other Management System and see if the Contents page has the clauses of the relevant standard that System seeks to meet those requirements. Sadly, it will be about +/- 2 Sigma in statistical terms of course. So if they are so documented, that is what the CB’s will audit, even if they do not add value to the business and other interested parties / stakeholders

  • It is anticipated that ISO 9001:2015 revision will usher in an exciting time for the Quality and ISO Community to make themselves more relevant for organizations (even Local Governments), CB's and the Customers they expect to see Big Q (Juran) now more relevant for Interested Parties.