Running on Hope - An ISO9001 Story
For the last week, I’ve been caught in the midst of phone calls trying to get people to help me with a “data update” request. There’s a data error with an unnamed government agency that’s causing me a challenge. Here’s the thing – everyone I’ve talked to has been nice, motivated, and wants to help me. They all say it shouldn’t be that difficult. No one knows how to help. Why? Because there’s a process that isn’t mapped and none of them has any way of figuring out who owns the process. Their organization does things correctly because 95% of the time, everything works ok. The other 5%? They have to try something and hope it fixes it. They have to hope ‘someone’ fixes it… but they don’t know who to ask for help. I estimate that about 5% of their operations are running on hope.
Now to be honest, there have been plenty of times when hope was a big part of my strategy. I’m just saying you can’t rely on hope if you’re leading a program or organization or company. ISO9000 is a starting point to try to make sure that you get the operations results you’re looking for… and it pairs really well with hope.
A quick moment on terminology… ISO9000 is the family of standards related to Quality Management. ISO9001 is specifically the best practice for a quality management system (think of a quality program & processes) for an organization. There are other standards in the 9000 series. I often use the family number – 9000, 44000, etc. – when talking about the standards, but I really shouldn’t. The official citation would include a year like 9001:2015. That 2015 refers to the version/year of the standard. That’s important for an auditor but generally not relevant to a discussion of the standard.
So what does ISO9001 do for me? At the core, ISO9001 means that you’ve got:
· a strategy with goals and objectives
· a plan to meet those goals and objectives
· the policies, processes, and procedures to do the work that accomplishes the plan
· a mechanism to check on the work to make sure it’s being completed correctly
Now a quick call back to my last article (an overview of ISO), you can achieve all of these ISO objectives by documenting arbitrary things. When you do that, ISO has nothing to do with how you run your organization. You can be 100% compliant and be ISO certified but get no value from the certification. Some of my ISO comments likely sound obvious… but I’m saying them because I’ve seen so many organizations not implement ISO focused on business value.
Strategy with Goals & Objectives
ISO wants to know what you’d like to accomplish as an organization. A key benefit of identifying the strategy in cooperation with your ISO9001 implementation is that you can take advantage of the senior management communication requirements to make sure everyone is on the same page. When you identify the strategic plan as an ISO9001 controlled document, you’ll find yourself referring to it more frequently and it becomes a more living part of the organization.
A Plan for the Year
I’ve read a lot of strategic plans that articulate the What & Why but don’t say anything about How. ISO9001 asks you to document a How. Now, it doesn’t mean that your How is correct, but it’s good to have the How written down. That How (your plan to meet your goals and objectives), needs to be discussed and improved on a continual basis. We are all better off when all the company leadership knows the plan and can offer feedback to improve and align the plan with the reality of daily business.
Policies, Processes, & Procedures
Consistency is critical for an organization. It’s important for productivity, and it’s also important for morale. People get quickly frustrated when they try to accomplish the same task and get different results because someone didn’t know “how we do things around here.” There are lots of other benefits like managing organizational risk, facilitating easier training, and avoiding reinventing solutions.
ISO9001 says you need to have these things documented. There’s real business value to having it all documented, and you’ll never do that documentation unless there’s a reason. If an organization doesn’t do it because of ISO, then policies and procedures are probably reactively documented. The documentation is completed in response to a problem – a lawsuit, an employee complaint, a monetary loss, a data leak. There’s real value to documenting policies and procedures that are critical to the organization, program, or business.
Checking on the Work
If an organization isn’t doing internal audits, it’s hoping that people do what they are supposed to and that they know how to do the right thing. As I said before, hope isn’t a great strategy. I also operate on the philosophy that everyone should be allowed to have a bad day or make a mistake. The ISO9001 internal auditing requirement is a great way to make a list of things that are important to the organization and make sure those things are being addressed correctly.
What does it take to get ISO9001 certified?
I can give you an estimate of time to meet the documentation and certification requirements. What I can’t estimate is how long it will take to develop the business thoughts that make all this relevant. The following is a summary of what it takes to get ISO9001 certified assuming the organization has the maturity to articulate a plan, goals, objectives, and strategy.
· Find an external auditor/registrar (8 hours) – you need to find an external audit company (registrar)
· Schedule your Stage 1 and Stage 2 external audits. Stage 1 is basically a review of your documents. Stage 2 is a full audit of your documents and interviews with key stakeholders. You should expect about a week total for these audits (depending on the size of your organization).
· Write your governance document. The primary control document for ISO9001 is usually called your Quality Manual. This takes a month with an experienced consultant. They need to understand your organization and map the ISO processes.
· Establish and operate your internal auditing. This is also another month’s worth of work. The internal audits need to cover the specifics of your quality program and need to include both document/artifact reviews and interviews with stakeholders. That dual focus makes sure that the work is being done correctly (the work artifacts are correct) and that the person doing the work knows why they were doing things (the interview proves it wasn’t correct by accident).
· If there are findings from your external audit, you’ll have to resolve those issues to be certified. That’s generally not a lot of work assuming you’ve done the previous steps in a reasonable way.
As always, this is just a general guide and some thoughts related to the topic. Every organization is different, but those estimates are consistent throughout my experiences in GovCon.