E
very once in
a while we hear of a company that claims to have a self-certification to ISO
9001 — or some other management system standard. The company “certifies†that
its organization conforms to the requirements of ISO 9001. It sounds pretty
good until you start to ask what this self-certification actually means.
For a quality management system (QMS)
to be considered certified, the certificate must be received from an
independent, accredited certification body upon completion of an assessment
against specific documented criteria. It’s possible to be certified by an
unaccredited certification body, but these certificates are of questionable
value since they don’t carry the backing of an accreditation body. (More about
this later.)
For the time being, we’ll assume that
certification means by an accredited certification body. Without the
certification body, there’s no unbiased appraisal and no evidence that a
thorough assessment has even been conducted by competent individuals. Bottom
line: There is no such thing as self-certification. It’s just an attractive
catchphrase with no substance.
There are also organizations that self-declare
that they are ISO 9001 compliant. This phrase is at least not dishonest. In
this case, the organization freely acknowledges that it has not incurred the
expense of third-party certification. It has determined (through its own
internal audit process, which is not certified) that it believes itself to be
compliant with the requirements articulated in ISO 9001. It doesn’t purport to
have a certificate. This declaration has more candor, in that it says: “We have
a pretty good system. We aren’t certified. But, we believe that we comply with
ISO.†Although it is a truthful statement, it still doesn’t carry much weight
in the world of certification.
Why is
certification so special?
What stands behind that framed
certificate?
Certification audits are conducted by
auditors who have had their qualifications vetted by the certification body
(CB). CBs are also referred to as registrars, and the terms are used
interchangeably.
Auditors are required to be trained and
go through a provisional period in which their skills are witnessed by the CB
or by training providers. The training providers who offer certifications such
as Lead Assessor credentials must have their courses approved by certifying or
accrediting bodies. The training that auditors undergo covers audit planning,
developing checklists, time management, auditor attributes, interviewing
techniques, evidence sampling, process approach, statistical methods,
comprehension of requirements, writing up findings, generating audit reports,
and post-audit follow-up.
Auditors must also demonstrate
competence in the organization’s field or industry. An individual whose only
background is in healthcare does not have the requisite competence to assess a
chemical manufacturing facility. The CBs are required by their accrediting
bodies to ensure that auditors have both the necessary auditor skills and
experience in their clients’ various fields.
Having audits conducted by competent,
trained auditors is important for both the CB and the client organization. The
CB has the confidence that the auditor will represent it by conducting credible
and reliable audits. The auditor conducts the audit, but it’s the CB that
issues the certificate. It’s the registrar’s name and logo that appear on the
certificate. That certificate is based on the auditor’s recommendation. If the
auditor is incompetent or lacks the requisite knowledge, the integrity of the
recommendation and therefore, the certificate is impugned. Third-party
auditors, meaning the ones doing certification audits, are required to ascribe
to a code of conduct that includes objectivity, truthfulness, confidentiality,
and freedom from personal interest that would bias the outcome. This is why
auditors generally sign non-disclosure agreements and are upfront about the
fact that they agree not to consult during the course of the audit or for a
defined period afterwards.
An organization that “self-certifiesâ€
can’t begin to demonstrate this rigor in terms of training, competence,
performance, or impartiality.
Well conducted audits provide
organizations with significant benefits beyond the certificate on the wall.
Individuals increase their understanding of their own role in the fulfilment of
organizational goals through the audit process particularly when they are being
interviewed. Well trained auditors are able to frame questions in a manner that
elicits productive and informative responses. Responding to auditors,
demonstrating various activities, and providing evidence are all facets of the
audit process that serve to reinforce the importance of the entire quality
system. So, a good audit should be a learning experience for everybody
involved.
Audits provide value. Organizations
shouldn’t look upon them as painful events that are riddled with accusation and
punitive consequences. Auditors produce audits reports that contain useful
information about the organization. A well balanced report should highlight
positive features of the quality management system; provide observations of
risk, which are usually articulated as opportunities for improvement; and
findings of non-conformity, which indicate something is wrong that imperils the
integrity of your system and ultimately your ability to serve your customers.
It is due to this fact that ISO 9001 and similar management system standards
require the inclusion of the results of audits as part of the management review
process.
What else
do registrars bring to the table?
Why is it important to have an
accredited registrar or CB assessing your system and certifying your quality
management system?
Registrars are required to play by
internationally established rules that are promulgated by such organizations as
CASCO, the conformity assessment committee of the International Organization
for Standardization (ISO). Some of the more commonly known standards that are
used are ISO 17021, “Conformity assessment—Requirements for bodies providing
audit and certification of management systems†and ISO 17023, “Conformity
assessment—Guidelines for determining the duration of management system
certification audits.â€
Since I’ve brought up CASCO, which is
an ISO committee, it’s appropriate to clarify here another misconception: ISO
does not issue ISO 9001 certificates. It is not a certification body. It
oversees the development of thousands of standards, among which are found some
of the most popular management system standards, including ISO 9001. Saying
that you have an ISO certificate is perhaps a tiny unintentional
misrepresentation. In actuality, organizations have certificates that indicate
that they have a system that conforms to ISO 9001.
CASCO develops criteria that CBs are
required to conform to. These requirements mean that they must expend time and
resources to ensure the competence and impartiality of auditors. They have to
establish procedures for their own organization, develop audit plans, verify
the scope of clients’ QMS, review audit reports for completeness, deal with
corrective actions and other assessment follow-up, and retain adequate evidence
to present to their accrediting body. All of these activities are
internationally agreed upon and lend credibility to the entire conformity
assessment industry. It means that certifications have value that is recognized
around the world. Generally, certificates issued by one CB are recognized by
another due to the consistent conformance to accrediting body requirements. A
self-certification has none of this foundation.
What,
then, are the accrediting bodies?
Accrediting bodies (ABs) ensure that
CBs conform to the rules. Just as CBs audit companies, ABs audit CBs. They
conduct assessments and periodic surveillance audits that look at CBs’ records
dealing with myriad issues, including auditor competence, impartiality,
planning, adherence to rules concerning audit days, review of audit reports,
issuance of certificates, and follow up of audit findings. They even go out on
audits to witness the CB’s auditors in the field.
It’s worth noting that CBs are required
to pay fees to the ABs for these services—which is part of the cost of an
organization’s certification. The CBs also pay a fee for each certificate they
issue.
So, it’s cheap and easy for an
organization to self-certify or self-declare because it doesn’t have to deal
with any of these costs. But, it also doesn’t have any of the credentials,
expertise, and objective scrutiny that make the certification process a
meaningful organizational asset. As the saying goes, you get what you pay for, in
this case, a worthless certificate.
Where do
the accrediting bodies get their authority?
Accrediting bodies participate in the
International Accreditation Forum (IAF). The IAF is made up of organizations
around the globe with an interest in conformity assessment. Its focus is “...to
develop a single worldwide program of conformity assessment which reduces risk
for business and its customers by assuring them that accredited certificates
may be relied upon. Accreditation assures users of the competence and
impartiality of the body accredited.†The IAF has liaison status with CASCO and
provides input into the development of its standards.
What this all boils down to is a
certification to ISO 9001 or any comparable management system standard is
backed by tiers of carefully monitored and verifiable processes and
organizations. It means that certificates issued anywhere from Bolivia to
Botswana to Belgium to Barbados to Britain carry the same level of reliability.
How does
all this information flow down to the end-user?
Organizations that choose to become
certified to ISO 9001 have a right to know that the registrar they have
selected is accredited.
There are multiple factors to consider
when selecting a registrar. Probably the single most important is to make sure
that it is accredited by a recognized body. This is very important.
There are still organizations that
purport to provide certification but have no recognized credentials. Remember:
Accreditation means that your certificate will be recognized both nationally
and internationally. Other registrars and their customers will acknowledge your
certificate. When selecting a registrar, ask who its accrediting body is. There
are many. A few of the more common ones
include ANAB (ANSI-ASQ National Accreditation Board), UKAS (United Kingdom
Accreditation Service), and RvA (Raad voor Accreditatie).
If your customers require you to be
certified to ISO 9001, they’re probably expecting that certificate to come from
a reputable organization. As a customer, you may accept evidence of
certification to ISO 9001 as the criterion for approving some of your
suppliers.
Accreditors’ logos are always displayed
on the certificate along with the registrars’ own logo. Absence of an
accrediting body’s logo is an indication that the certificate has been issued
by an organization that lacks accreditation and will probably not be recognized.
That means that all the money you’ve invested in the actual assessment (on-site
audit, travel expenses, etc.) has been wasted.
If you’re looking at a certificate from
a potential supplier and the accreditation mark is missing, you may want to
reconsider doing business with the company.
Unfortunately, there still are
organizations that will sell certification services without having an
accreditation to back it up. It might keep a few customers content, but the
more discerning ones will recognize the bogus certificates for what they are wallpaper.
Ironically, some auditors working for
unaccredited CBs may actually conduct good audits. But their work is tarnished
by the fact that they aren’t forthcoming about the limitations of their
unaccredited certificates. It would be more candid to say, “I’ve conducted an
audit, and based upon my expertise in this field and my skills as an auditor, I
have determined that this quality management system conforms to the
requirements of ISO 9001:2008. However, this statement does not constitute nor
is it intended to imply certification.†I’ve seen these statements at one or
two organizations in the course of my years auditing. And, I found their
customers accepted the statement, despite its limitation, probably because of
the honesty it reflected.
Bogus certifications and
“self-certifications†devalue the work of tens of thousands of organizations
that have opted to have their systems assessed and continually monitored by an
impartial third party. They undermine the entire conformity assessment
community.
About The
Author
Denise Robitaille
Denise E. Robitaille is a member of the
U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000
family of standards. She is committed to making your quality system meaningful.
Through training, Robitaille helps you turn audits, corrective actions,
management reviews, and processes of implementing ISO 9001 into value-added
features of your company. She’s an RABQSA-certified lead assessor,
ASQ-certified quality auditor, and ASQ Fellow. She’s the author of numerous
articles and several books, including The Corrective Action Handbook and The Preventive Action Handbook, and a co-author of The Insider’s Guide to ISO 9001:2008, all published by Paton Professional
.