It's Hallowe'en. Once again, it's time for something spooky.
This year I'm going to quote a commercial product. It's a Demotivational® poster from the folks over at Despair Inc. It starts with one of the basic commonplaces of the Quality business, and spells out the awful consequences of taking it literally.
The race for quality has no finish line;
so technically, it's more like a death march.
Click here to jump to their site, where you can order these words of wisdom on a poster or a mug.
Last week I wrote about the peculiar fact that multinational corporations seem able to avoid unwelcome regulation, at least in certain cases, by the expedient of quitting the country to go elsewhere. This approach is admittedly a bit extreme, so today I want to talk briefly about another—much more common—way that some companies try to get around rules that forbid them to do Bad Things: hire a scoundrel as an external supplier to do the Bad Thing for you. That way your hands are clean … well, more or less … and dealing with the regulators becomes his problem.
This approach has become so common in international trade that it almost passes without comment. If your company makes widgets, and if you are regularly undersold by competitors because wages in your country are so high or environmental regulations add extra costs, someone is sure to suggest that you relocate your factories to another country where neither of these considerations is in play. Alternatively you can outsource the actual manufacturing to a supplier in the other country. That way youaren't paying the low wages, and youaren't causing the adverse environmental effects; but you still get your widgets a lot cheaper than before.
Of course, any such gains are temporary. If you can save money by moving your manufacturing to Ruritania, so can your competitors. Then some other country comes into view, with even lower wages and even worse environmental protections, and everyone moves there instead. Soon countries are competing against each other in a "race to the bottom." As I have discussed in an earlier post, in the long run nobody wins such a race. But in the short run, some companies find it compelling; and after all, "In the long run we are all dead."*
I assume that the same dynamic probably operates domestically as well. That is to say, I have no personal knowledge of any domestic companies who exist so that their clients can skirt inconvenient legal or ethical constraints, but it wouldn't surprise me. Some people don't mind sketchy work, and some people will do anything for a price.
The good news is that ISO 9001 explicitly disallows this! Clause 8.4.2(a) of ISO 9001:2015 states clearly that:
The organization shall ensure that externally provided processes remain within the control of its quality management system; ….
So if you design and sell a product, but you outsource its manufacture to someone else, you are still responsible for what they do.
Most of the time, this responsibility is for very practical reasons. Maybe you do much of your own manufacturing, but there's one specific process that you outsource. Well if you require that all your manufacturing equipment must be calibrated to a specific tolerance, don't you want to flow down that same requirement to the supplier who is executing this one special process? If you don't, their uncalibrated equipment might ruin all the exactitude you achieved with your carefully-calibrated equipment, and you'll have to scrap the whole lot. Nine times out of ten, or 99 times out of 100, this is the kind of "control" that really matters. Mostly ISO isn't afraid that you are going to try to do Bad Things in an underhanded way, because most people just don't do that. But ISO is concerned that when your process is executed, you get what you want.
To be clear, this clause does not mean that you have to know your supplier's business better than they do. It does not mean that you have to define the details of their operating procedures. The whole reason you are hiring them should be that they are experts in whatever you want them to do.
Nor does it mean that if your company has to be certified to AS9100 because you are building aerospace parts, then the caterer that you hire to provide lunch has to be certified to AS9100 as well. (I hope that's obvious.)
But if you have any overall constraints that apply to all of the work inside your QMS—like the calibration example I just gave—then (where it is relevant and meaningful) you have to flow down those requirements to your supplier.
And if you happen to be the one case in 1000 who wants to get away with a Bad Thing by hiring a scoundrel to do it for you, … don't. Just don't.
__________
* John Maynard Keynes, A Tract on Monetary Reform, 1923. Quoted many places around the Internet, for example here.
This morning, Quality Digest published my article, "When ISO 9001 Fails." It's their article now so I won't post the text of it here, but you can find it by following the link. I hope you find it useful!
And now, if I may digress momentarily from the main stream of this evening's symposium,* … I'd like to raise a question which relates more to regulatory compliance than to Quality per se, but which has bothered me from time to time, and which seems to lurk on the margins of other—more normal—Quality topics. (In fact I plan to discuss one of these next week, in a follow-on essay.)
The background is this: First, we all know there is such a thing as global trade. In fact, the whole point of international standards is to facilitate global trade. As I explained once in this forum a couple of years ago, "A standard is like a common language: it allows us to do business with strangers, because we know that we are both talking about the same thing."
Third, we all understand more or less how companies are regulated. Some authority codifies a set of rules: those rules might be voluntary (like ISO 9001) or legally mandatory (like health and safety regulations). Then the company decides whether they want to abide by these rules. (In the case of mandatory legislation, we should assume that the answer is always Yes.) If yes, the company takes steps to implement the rules; and if they fail, there is some kind of system in place whereby someone can complain. When the authorities get a complaint they check the facts; and if the company has indeed failed to meet the requirements, the authorities react accordingly. In the case of ISO 9001, the responsible Certification Body can decertify the company; in the case of legal noncompliance, the relevant government can impose civil or criminal penalties.
Now finally here's the question: How do you regulate an international company?
I fear that the answer may be: Mostly you can't. I'll explain why, but I would be delighted if you can show me where I am wrong.
Let's say that some local company violates a local regulation. Government inspectors come out to check the status, and—depending on the severity of the issue—they might give the company written notice to correct the problem in a defined time, or they might padlock the doors. If company personnel try to interfere with the government inspectors, they can be arrested. And since it's a local company, that's all it takes to stop them doing whatever Bad Thing they were doing. Problem solved.
Suppose that the company has multiple branches in the same state: then, depending on the nature of the Bad Thing that Law Enforcement is trying to stop, they might have to take a heavier approach. Or they might leave the branches alone but target headquarters. If the company has branches all over the United States, Law Enforcement has to get more ambitious still, because sometimes state laws disagree (so the Bad Thing might be legal in another state). Also, local Law Enforcement is unlikely to have jurisdiction in another state, and so will have to coordinate with other agencies in order to stop the Bad Thing once and for all.
But if the company has offices all over the world, then what? The very most that American Law Enforcement authorities can possibly do is to arrest whichever company personnel happen to be located inside the United States. But they are powerless over the offices in Ruritania or Grand Fenwick.
In the ordinary course of things, a multinational company will probably find it convenient to comply with routine local regulations, because they will see those regulations as just a cost of doing business. As long as the opportunities in a country are bigger than the costs, they are likely to cooperate. But this cooperation is strictly a voluntary choice on their part. In an extreme case, they can always shut down the local offices and leave.
This strategic departure from a country because you don't like the laws is what I call the Braganza gambit. The Braganza family ruled Portugal and the Portuguese Empire from 1640 until 1910. During the Napoleonic Wars in the early nineteenth century, Napoleon Bonaparte installed many of his relatives in thrones across Europe. His method—used for example in the Peninsular War against Spain—was to defeat a country and capture the royal family; then he could force them to abdicate in favor of one of his relatives and move on to the next country.
But not in Portugal. The Braganzas saw what Napoleon was doing and realized they were next. So they moved the entire royal court to Brazil, which was at that point part of the Portuguese Empire. When Napoleon conquered Lisbon, the royal family was nowhere to be found. (In the end they liked it in Brazil, and didn't move back until 1821—long after Napoleon was no longer a threat.)
So there you have it. Multinational corporations have the privilege—unavailable to local corporations—that they can (within limits) decide which legal regulations they feel like following. And in case any regulation is too burdensome for them to tolerate it, they have the option of leaving the country.**
If a multinational corporation decides to use the Braganza gambit to avoid an onerous regulation, about the only leverage the abandoned country has is to close its markets. "If you won't abide by our rules, you can't sell your goods here." Whether that's a meaningful threat depends very much on the particular details, and of course sometimes the same maneuver plays out in reverse: a company might refuse to sell into a certain country until this or that policy is changed. It is hard to generalize about how effective either tactic is.***
What do you think? Am I wrong? Is there something I've neglected?
Or can multinational corporations escape troublesome regulation just by moving abroad?
** There's even a related line of thought that protects international organizations. Concretely, if you or I (as private citizens) feel wronged by some decision from an international organization like the WEF or the ISO, we may find it hard to sue them for redress because it's not at all clear which court—if any—has the appropriate jurisdiction.
*** Certainly this is the logic behind international economic sanctions, where—in this case—one government requires all the companies subject to it to avoid business in another country until that other country changes its policies. When small countries are subjected to coordinated sanctions, the effects can be crippling. When large countries are subjected to them, the results are not so immediate. Consider, for example, this recent video by a YouTube creator "Eli from Russia," who publishes travel information (and strictly avoids politics). She describes the impact of sanctions on Russia, and the results have been (to say the least) not uniform.
When the ISO 9001 standard requires you to take action to address your risks and opportunities, it includes this admonition in clause 6.1.2: Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
OK, I guess that's fine, but what does it mean? What does it take for your actions to be "proportionate" to the risks they address?
The word is never defined—or at any rate, neither ISO 9001 nor ISO 9000 define it. But intuitively I think we all have a sense for what it means, don't we? The basic idea is ancient: Nothing in excess.* If you face a risk that might, at worst, cost you $100, then it is foolish to spend $1000 to prevent it. That cost, or that level of effort, is disproportionate to the $100 downside that you face from the unmitigated risk. Most of the time, we probably don't need a definition more exact than that.
But "sometimes the clearest way to explain what a rangatang [sic] is, is to 'tell what it ain't.'"** A couple of months ago, I stumbled upon a blog post from 2016 that explains the concept of disproportionality with crystal clarity. The author of the post—Quinn Dunki of Blondihacks—just wanted to set up an automated cat feeder, so that her cat would be fed on time and she didn't have to watch the clock every day. Simple, right?
Turns out her cat had a different idea. Her cat's idea was, "How do I get this machine to give me more food than Quinn wants me to have?" So Quinn had to make some adaptations to her automated cat feeder, to protect it from the prying paws of her cat. As she says at the opening of her blog post, "The trick is to be smarter than the animal with a brain the size of a walnut."
But of course, Quinn worked on this problem part-time, and her cat worked on it full-time.
In the end, Quinn won. But I'm pretty sure nobody would say that the effort she expended was proportional either to the benefits she gained or to the risks she was avoiding.
Verbum sapienti sat.
__________
* "Μηδὲν ἄγαν" was one of the three proverbs said to have been inscribed at the entrance to the Greek temple at Delphi. See here for more information.
** Owen Ulph, The Fiddleback: Lore of the Line Camp (San Francisco: Browntrout Publishers, 1995), p. 23.
How many times have you seen departments do things that don't help them any, just because it's easier for the auditor once a year? I've seen it too often to count, and it's never the right thing to do. Oh sure, in a sense I appreciate it when I'm the auditor. But also, it's really unnecessary. I've audited a lot of departments over the years, and they've done things a lot of different ways. If it works better for you the other 364 days of the year to do this rather than that, … well, as long as it meets the rules I can probably figure it out.
I was thinking about this recently while talking to someone about the rules for management review. Right now, ISO 9001:2015, clause 9.3.2 states, "The management review shall be planned and carried out taking into consideration"—and then there follows a long list of topics, (a) through (f), where item (c) is further divided into seven subtopics. It's a comprehensive list. Anyway, my friend was saying he wishes the ISO would change this requirement to say that management review must explicitly include all these topics, because "How are you supposed to prove consideration to an auditor?" What he meant, of course, was that if the agenda for management review were required to include every one of these topics and subtopics, it would be easy to show that you had "considered" them all.
Long-time readers may remember that I think this is a terrible idea! The biggest risk in any management review is that the participants are likely to get bored. To avoid boring them, cut out everything you can. Discuss only the pain points that have to be resolved by the specific participants of this meeting. That means that if your internal audits or your supplier evaluations are all green, it's enough to wave your hand and say so; you don't have to drag the attendees through an itemized list of each one. Spend your time instead explaining that it's time to buy a new widget-stamping machine, because the old one slides out of alignment once a month like clockwork and the rework costs are eating you alive.
But of course you still have to pass that audit once a year, so how are you going to do it? It's all very well for me to say that you shouldn't rearrange your whole management review just for the convenience of the auditor, but you are going to have to show some kind of objective evidence. What will it be?
Do it like this.
First, as you prepare the meeting, go through every single one of those topics listed in clause 9.3.2, and document where it stands right now. (You have to do that anyway in order to find out where your pain points are, since those are the topics you will discuss.)
Second, while you are conducting the meeting, keep all this material handy where you can reach it. Maybe this means it's stored electronically just one click away, or maybe it's on paper in a notebook on the desk next to you. But just in case someone brings up a question about one of those topics you thought you could afford to skip, make sure the data is immediately available.
Third, store all this data as a permanent Quality record, together with the minutes from the management review meeting that it supported.
Fourth, ask your internal auditors to look for this data when they audit the management review process, just to keep you honest. 😃 Naturally whoever audits the Quality function doesn't work for you—do they??—so if you make a mistake they won't be shy about writing it up.
And finally Fifth, when the external auditor visits, pull out all this stored data as proof that you really did consider all the topics listed in the standard. Then you can explain why you tailored the agenda to address the problems that really needed management attention, and why you skipped over all the topics that were functioning smoothly because they were just business as usual.
Simple. Straightforward. And you don't need to "include" all those topics in the review in order to "consider" them.
Last week, a friend of mine got a new electric stove. But that was only the beginning of the story.
Once it was installed, she learned that her new stove wasn't compatible with her cookware. I didn't know that was possible, but she explained it to me as follows:
Turns out all electric stoves manufactured since 2018 need to meet a safety standard to reduce fire risk which cycles the burner off when a pan is not in contact with it.
In complete contact with it; to work on my "sensi-temp" burners, pans have to have a completely flat bottom.
My only 2-quart saucepan was warped.
So, this morning I purchased a new one. Stainless steel, $28, sigh.
But at least I can cook rice tonight!
This is the kind of outcome that makes people believe conspiracy theories. To her credit, my friend didn't start yelling that the stove-manufacturers must be in cahoots with the cookware-manufacturers to drive up sales—at least, she didn't say it around me—but I would have understood if she had. For myself, I began to wonder how such a defective outcome came to pass in the first place.
Should I take a minute to explain what it is that makes this update to new stoves an impairment and not an improvement?
It's unexpected. Maybe there was coordination inside the kitchen-appliance industry, but I don't remember seeing any communication to the general public back in 2018 that stoves were changing in a fundamental way. Nor does my friend, obviously.
It requires additional actions from consumers, unrelated to the stove itself. When the auto industry introduced anti-lock brakes, they didn't insist that drivers start braking differently. Rather, they started from the known facts about how drivers react in panic situations, and redesigned the brakes to fit the drivers. By contrast, telling home-cookers that they have to buy new cookware to fit their new stoves is completely backwards.
It requires additional and unexpected costs. This is basically the same point, hitting your wallet as well as your habits.
It's going to break. Every feature that you add to a product is one more thing that can break. But what happens if the sensor breaks on this new stove, while the shutoff-mechanism for heating elements remains intact? Then the stove will fail to detect a pan on the burner even when a pan is there, and the burner won't heat up. Result: the stove won't work. Any change that makes a product more fragile and less resilient is an impairment and not an improvement.
Sure enough, people hate it. There are long discussion threads on Reddit (see here, for example) about how to replace your brand-new "sensi-temp" burners with the old style, where to buy old-style burners as replacement parts, and so forth. Of course, buying old-style burners from some random site on the Internet means you have to spend even more, but plainly some people think it is worth the expense.
Ironically, I bet that dismantling your stove to replace the heating elements with ones you ordered online may introduce some safety risks into your day; and yet I guarantee that when GE and other manufacturers did a safety analysis on this change before implementing it, they never considered the risks from home retrofits by angry customers. But this change to stoves has created a market and a community for exactly this kind of home retrofit.
Why did they do it?
I wish I knew. I would love to see the FMEA carried out on this change before it was implemented.
It would be easy to blame ignorance. Maybe the engineers never actually do their own cooking, and didn't realize that this new feature could pose a problem. But that can't be the whole story, because GE (at least) provides an information sheet that warns explicitly about non-compliant cookware. You can download this sheet from the GE website here. (Also I have archived a copy locally here, in case the GE site is ever rearranged.)
To prevent them, we have to prevent pans on the stovetop from getting too hot.
To measure how hot a pan is, we have to have a sensor touching the pan.
But this approach could fail if the sensor doesn't touch the pan. So to avoid that case, if the sensor doesn't touch the pan we will cut off power to the burner. (According to this article, the stove should not cut off power completely; but my friend's experience was exactly that.)
It's logical, as far as it goes. But the whole line of reasoning exemplifies what another friend has called "lazy compliance": that's "where they make changes required for safety without bothering to make compensatory changes so the thing works as well as it did before."
Of course, you might think, So what? It's safer, and that's what counts. And to some extent, naturally that's true. But in the rest of our lives, we are often willing to make trade-offs where we sacrifice a measure of safety to secure nothing grander than convenience.
For example, if all automobiles had to observe a strict maximum speed limit of 20 miles per hour, the number of fatal car crashes in a year would drop to nearly zero. Shall we take a vote? Never mind, I guarantee the measure would fail. Even though "car crashes are the leading cause of death in the United States for people ages 1 to 54," we'll never get a voting majority willing to eliminate those deaths by lowering the speed limit so far.
So why stovetops? And why didn't those of us who use stoves regularly get a vote? (If you remember last week's post, that's called "stakeholder engagement," and it's important.)
I wish I knew. If you know more about it than I do, please leave a note to help explain.