Does everyone hate ISO?
Most of the time, any mention of ISO is met with a general disdain. It’s gotten a reputation, at least in a lot of GovCon circles, as just a useless paperwork drill to get a certification. That’s not actually true.
ISO can help your organization or program… but only if it’s set up in the right way. I’m sharing these thoughts to hopefully help someone avoid all the time I’ve wasted over the years on misguided ISO efforts.
The first time I heard about ISO it was described to me as, “It’s a process standard or something. It’s lame, but you need the certification for some government contracts.” I accepted that view, and it was reinforced by most of the corporate implementations that I saw. From my vantage point in Ops, someone would show up to ask me a few questions and then tell me there were new forms I had to fill out. Those forms generally had no real value to me, and probably not to anyone else, but were labeled as “necessary for ISO.”
Anything that’s necessary for a quality standard but doesn’t provide any actual value certainly feels pretty lame. I didn’t start to change my view of ISO until I was directly involved in the scoping and implementation. The big myth here is that ISO tells you how to do something. It doesn’t tell you how to do anything… it offers best-practice governance on how to make sure you’re following what you already decided is important to your program or business. That’s where it usually goes wrong.
Why ISO is often implemented “wrong”
All ISO standards are intended to provide you with value. They accomplish this by establishing control mechanisms to help you verify that you’re following the processes, procedures, and policies that you’ve defined as critical to your organization. The problem arises when ISO is assumed to show up like “Value in a Box.” I’ve been involved in a lot of ISO implementations that were architected by the quality team with no engagement from Ops, the program, or the business. Now, it isn’t because the quality team wants it that way… it’s because those other teams have been conditioned to think ISO won’t help them, or because of a general lack of understanding of the ISO standards.
This sets up a scenario where the ISO standard asks for your process for an area of your business: let’s say organizational training. Sounds boring? Well, that’s the topic that asks how you verify that the people you’re hiring are qualified for their role. That seems like something that’s probably important.
The Lame Way – Here’s how that topic often gets set up when there’s no correlation to real value
· Aim organizational training at the training provided by the company to all employees
· All employees have different jobs, so there isn’t really a common theme to train everyone on
· Quality creates an “Organizational Training Plan” that requires an annual update (probably with no value)
· The Organizational Training Plan says that there needs to be an annual assessment of upcoming training requirements (this has to be documented, and there’s no real value)
· The assessment needs a forecast of what skillsets the company plans to hire over the next year. A real forecast compared to the pipeline would take a massive effort, so a minimally compliant effort is completed based on the types of people hired last year
· The Organizational Training Plan is updated by the quality team for those kinds of jobs, and they do some theoretical analysis and documentation
· This process is repeated every year and is purely pushing paper around
Outcome: You’ve wasted days of productive time writing plans that don’t help your business and then finding ways to track a useless plan. No one is happy that they are working on something that’s useless.
A Better Way – Here’s how that same requirement can be set up to actually provide value
· Aim organizational training at your IT organization, at your annual compliance training, and at the certified positions on your contracts
· Document what you want your IT team to know (think cyber skills), what you have to deliver to be compliant with state/federal laws and rules (timesheet guidance, proper use of government data, workplace ethics), and what you need to maintain your facility clearance (foreign travel, insider threat)
· Consolidate those requirements into your training plan, which now protects your organizational interests and complies with mandatory guidelines
· Establish internal auditing to verify adherence to the plan – this means that you’ll know if you’re behind on security training before you get a visit from your government security audit team
Outcome: Now you’ve got someone helping you keep track of your real training requirements and making sure you’re on track to achieve your mandatory and discretionary training goals. You’re also ISO compliant and you’re compliant in a way that didn’t make anyone create useless paper and forms.
This is just a start.
This is just my introduction to using ISO to add value to your business. Some key areas of value include:
Scaling – As your organization grows, you’re going to run into new challenges. Moving from individuals performing a function to a department full of people requires coordination and control. ISO processes can help you by offering governance and maturity.
Critical Actions – There are some things in your organization that absolutely must be done and done correctly. ISO doesn’t care what those things are, but it provides checks and controls so that whatever you defined as critical is done correctly and verified by someone.
Protecting your organization – There are lots of ways to lose information. Version control problems. Cyber threats. Simply never writing down the answer and having to develop it again. ISO has guidance and controls to help you handle those threats and verify that they are being addressed.
It would take way more words than anyone would likely want to read to walk through an integrated implementation of all the ISO standards. Over the next few posts, I’ll address the key business value areas of several ISO standards, with strategies to implement them with minimal effort and maximum value to your company, organization, or program, including:
· ISO9001 – Foundational Quality
· ISO20001 – IT Service Management
· ISO27001 – Risk & Security Management
· ISO44001 – Collaborative Business Relationship Management
· ISO56001 – Innovation Management
Comment (Business Development, Strategy, PTW/PTE, Capture), 2 years ago:
Sometimes ISO crazy implementing these standards... You are correct, if implemented for the sake of implementation they can be detrimental.