Are issues with registrars causing a credibility problem with ISO 9000? I received many e-mails from ISO 9000 advocates suggesting this.
What generated these often heated e-mails was my October column, "ISO 9000: More Hindrance than Help," pg. 64. I discussed several problems that I saw with the standard, but I did not discuss registrars. Many of the e-mails that strongly supported ISO 9000 also acknowledged that there are problems with it. The most common problem ISO supporters suggested was ineffective registrars that pass companies not meeting the standard¿s requirements. One reader¿s e-mail said he was astounded and embarrassed to see his company pass its initial ISO audit as he watched the auditor congratulate them on the great processes in place. Prior to the audit, the reader thought that there was absolutely no way the company could pass.
While auditing potential suppliers, I too was shocked to learn that some of them were ISO 9000 registered with a "prestigious" registrar, despite elements of a quality system that were weak or almost nonexistent. Stories of ISO 9000 registered companies with extraordinarily poor quality seem to be commonplace.
Many reader¿s fault registrars for issuing certificates to undeserving companies and thus degrading the value of their own ISO registration, which they say was used to upgrade and validate an already good quality system.
Not good enough
Another thread that ran through many e-mail responses was that ISO 9000 does not guarantee good quality. You know what? It should. Why bother if it doesn’t? Many people feel that the root problem resides with registrars that don’t guarantee compliance; not with a standard that does not guarantee quality.
I tried to collect data on this issue from the ISO Web site, but the results were inconclusive. In 2000, the latest data available on the site, there were 35,018 ISO 9000 certificates in the United States, and during that year, only 17 or 0.049% were withdrawn for failing a recertification audit.
At face value, this is alarming, but this data is clouded by the category, "Organization Discontinued Because: Other Reasons/Reason Unknown" that accounts for another 6.4% of U.S. certificates. I don’t think it is clear how many U.S. companies had their certificates pulled in 2000, but many quality professionals, including strong ISO advocates, think it is not enough.
Registrars might be holding back because they are in a classic Catch-22 business. The willingness to pull a certificate is fundamental to their service, but it is countered by the need to maintain happy customers, a healthy business and their own job. Another Catch-22 is that for the many companies that just want the certificate, an "easy" auditor is more likely to benefit than an auditor doing a good job. Registrars doing the most damage to the reputation of ISO 9000 are in the greatest position to prosper in the sea of companies that just want the certificate to meet a customer requirement. Just a few of these undeserved registrations tarnish ISO’s reputation for all manufacturers.
The fact that registrars are in a competitive business, unlike other auditors such as Underwriters Laboratory (UL) or the FDA, makes it worse. The UL auditor who does quarterly surprise audits on my plant is not in a competitive business and is willing to pull my UL mark.
Even if this issue with registrars is addressed, I’m still not a big ISO supporter. I’m passionate about using quality as a major strategic tool and differentiator to fuel business success, but to my mind the ISO bar just isn’t high enough to justify the time it takes to become certified.
With that said, though, if people are going to use ISO 9000 as a measurement of the quality management system, then the measurement should be valid. I don’t like ISO’s pass/fail measurement, but if that is the way it works, then companies that don’t meet the standard should fail. I’ve yet to meet a quality professional that feels that this is working well.
Put simply, the Registrar Accreditation Board and registrars need to change and start pulling certificates from organizations that do not meet stringent requirements. Registrars also need to better develop well-trained auditors that do fair, consistent and thorough beyond-the-paperwork audits. Until then, the ISO certificate, by itself, will continue to be somewhat meaningless to customers in the United States. That’s a shame because ISO compliance re-quires so much work from the people that comply.