(ab)using ISO9001 for fun and profit
I don’t know if you have ever read ISO9001, but it is about as exciting as getting a root canal or trying to listen to a Ricky Martin album with a straight face. But hey, if they were actually interesting, ISO compliance wouldn’t be such a billion dollar industry. Does anybody else use SharePoint for ISO compliance purposes? I’ve done several of them now.
First up, I’ll give you the Cleverworkarounds’ version of ISO9001 and then I’ll teach you how to use it to get your own way 🙂.
ISO9001 is an internationally recognised standard that provides an organisation with the guiding principles, means and methods to improve their internal quality. If you are wondering what or which quality, then I can’t give you an answer because it depends on your organisation. So for example, Microsoft might use ISO9001 to improve their ability to release a desktop operating system that people actually like. McDonalds may use ISO9001 to ensure that your calorie-laden burger is *consistently* calorie-laden no matter which store you visit.
Why do they do this? At the end of the day, implementing a quality framework and therefore developing a culture within the organisation to *think* quality has obvious bottom line benefits. Profit improves through internal efficiency gain, customer satisfaction and happy employees.
Now that is all well and good, but how do you as a customer differentiate an organisation with a commitment to quality from one that has not made the effort?
That’s where the logo comes in.
Organisations that put a quality management system in place are then subject to regular audits to ensure they are compliant. This is supposed to give you, the customer, assurance (dang there is that word assurance again), that the organisation has a commitment to quality that has been independently audited. That’s what the logo is for and is seen on the marketing materials of many an organization.
Quality for the rest of us
My initial naive impression of quality initiatives that I was involved in was a lot of documentation for no tangible gain. (Mind you, I am wiser now and the same can be said for many SharePoint governance plans – teehee). I still think this attitude is actually valid for many quality initiatives because anything that requires discipline and rigour tends to fall off after the initial interest fades and requires constant communication, reminders, incentives and inducements.
But for geeks reading this who are frustrated with say, the security awareness/posture of the organisation, or if they are asked to do something that they are uncomfortable with (such as installing unlicensed software), or they simply can see that something is risky or problematic but they are getting no traction in getting the problem addressed, then ISO9001 is for you!
In short, ISO9001 kung fu is well worth learning.
Recon first…
Here is the whole “kids, please do not try this at home” warning. Now before you undertake your own evil plan, you need to think carefully. Like all evil plans (such as implementing SharePoint), you need to lay your foundation. Armies don’t rush blindly into battle – they always do a bit of reconnaissance first. You have to know your enemy.
There are two types of companies that implement an ISO9001 quality management system.
- Those that have a genuine interest in managing, improving and committing to quality in their organisation
- Those who want the logo on their marketing material
The latter is obviously an easier target in relation to the fireworks that will ensue, but sometimes “genuine interest” only goes so far as well.
If you work in a registered ISO9001 company, you need to be aware of what has been done to achieve this. Here are your recon steps.
- First up, someone will have written a quality policy. This will typically be one of those documents that no-one has read – even the CEO who signed it off. But the first step of your recon is to find and read this document. It will set the scope and aspirational principles of what the quality management system is supposed to achieve. From an evil plan point of view, the bigger, more touchy-feely and more idealistic it is, the better for you 🙂
- The quality policy should refer to a bunch of quality goals. These will be measurable goals defined by the organisation and this is one of the things that quality auditors look at when they perform their regular compliance assessment. A typical quality goal is reducing the number of non-conformances over a period of time, or how many of the incidents of non-conformance have been addressed. You need to find out what these goals are and understand them.
- Next comes the bulk of the QMS – the procedures and work instructions that document processes. Although the majority of procedures and work instructions will likely not be relevant to you, you still need to check whether there are any. To execute your evil plan means that you might be going up against someone who also knows ISO9001 kung-fu. So to prevent being sprung by your own trap, ensure that you are aware of any procedures and work instructions that relate to you or your department.
So armed with these three weapons, you now need to understand the parts of ISO9001 that will allow you to achieve your ends.
Now the next thing that you need to be aware of is that one of the requirements of ISO9001 is that management must demonstrate not only that the above steps have been done, but that they are continually monitored and improved upon in a verifiable way. There should be data collected about how the QMS has performed, and evidence that management review meetings have been held to review the QMS, examine opportunities for improvement and identify changes that need to be made.
So although there is a lot more to ISO9001 than what I have outlined above, it should be enough for you to get an idea of the whole point of it all. Now we get to the good bit!
Product Realization and non conformance
Basically, “product realisation” in ISO9001 says the organisation needs to ensure that a product which does not conform to product requirements is IDENTIFIED, and CONTROLLED TO PREVENT ITS MISUSE OR DELIVERY. Responsibilities for dealing with the product must be defined in a procedure (see number 3 above showing the role of procedures in a quality policy).
Now do not be misled by the word “product” either. A product is the output of a process. Thus, products can be tangible or intangible.
For reference, ISO 9000 lists four generic product categories: services, software, hardware, and processed materials.
ISO is very specific about how product defects are handled. Section 8 of ISO9001 is called “Measurement, Analysis and Improvement” and the goodies that you need to arm yourself with are here:
8.3 Control of a nonconforming product
8.5.2 Corrective Action
8.5.3 Preventative Action
Nonconformity, according to Praxiom, refers to a “failure to comply with requirements. A requirement is a need, expectation, or obligation which can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include quality requirements, customer requirements, management requirements, product requirements, and legal requirements.”
Remember! As far as ISO9001 is concerned (and therefore the auditors examining compliance of it), whenever your organization fails to meet one of these requirements, a nonconformity occurs.
Executing your evil plan…
So if I have managed to do a decent job of explaining everything above, you should now start to see the kind of weapon that you are wielding. Just like SharePoint itself, when used properly with a bit of forethought, ISO9001 can be your friend.
So, if you come across a problem that concerns you greatly (let’s say – poor or negligent SharePoint governance/planning and you see major risk), raise a nonconformance via the QMS! There will be a form to fill in, of course, and that’s where all of your reconnaissance efforts come in. If you know the quality policy and the quality goals that the organisation aspires to, you can be a major fly in the ointment, all in the name of quality!
Remember, part of implementing the quality management system and remaining compliant is to identify, control and track issues of nonconformance and their corrective/preventative actions! By raising it via the Quality Management System, you, by definition, give it visibility and now the organization must deal with it. Unlike the usual office politics, where it is easy to find creative ways to ignore a problem, within the framework of the QMS, the decision to ignore has to be justified. Not only that, an independent auditor will eventually be examining this nonconformance as well.
Visibility and transparency tend to change the way in which the problems are handled in organisations.
The inevitable blowback
Now you have to be careful when playing the QMS nonconformance card. You are basically pulling the rug out from under the usual office politics that thrives in a world of ‘off the record’ conversations, meetings that were not meetings, doublespeak and the like. In this type of organisational environment, visibility and transparency are in short supply. Raising a quality issue via the QMS is not likely to get you sacked, but the blowback from executing an action like this is that you may well make yourself an enemy for life in the process. (But that’s okay half the time, because if you are raising a previously swept-under-the-carpet issue, chances are you don’t like the offender anyway!)
But remember, the same weapon can be used against you, so like any good politician, you’d better be squeaky clean yourself. Don’t go whining about a process not being followed if you don’t follow it yourself! If you manage to avoid being hit by retaliatory fire, you also have to watch out for this one – one common way for politically savvy management to lob the grenade back your way is to say “That’s a great suggestion, Paul. I authorise *you* to fix it. Please write us a detailed report…”
What is more telling, however, from an organizational point of view is the reaction of QA or Senior Management. After all, they put this system into place to create an organisation with a shared commitment to quality, so if they get mad at you, then it tells you a lot about how they view a QMS.
One final note – in honour of the typical organisational politics that we often find ourselves a part of, you never heard any of this from me! 🙂
Thanks for reading
Paul Culmsee
Great article Paul. There is another type of company that goes through the ISO process – the ones that don’t want it, wouldn’t want the badge but are forced to conform in order to undertake work in a particular industry (NHS, MOD for example).
I would agree that using ISO non conformance is a very good way to get things noticed and fixed, but if you’re resorting to this approach it would suggest that you really don’t fit into the organisation anyway.
I do like your thought process though, keep writing it down 🙂