Where do you start?

"Congratulations, and welcome to WhizzBang Corporation! We're so glad you accepted our offer. It's good to have you aboard, and it's great to know you'll be taking over our Quality system. Now that you're hired, let me be completely candid. Things aren't where we want to see them. You'll find there are ... issues. I won't go into the details now. Better you look at it all with fresh eyes. But we know you're talented. Your previous experience is really impressive. So I'm sure you'll have everything shipshape in no time. Just remember, we're all counting on you."

Just what you wanted to hear, huh? You've just now taken over responsibility for a Quality system somewhere. Things are wrong and it's your job to set them right. But you don't actually know what's wrong, and it doesn't look like anybody's going to tell you. Besides, even if someone tells you where he thinks the problem is, how do you know that he's right? Maybe he doesn't see the whole picture. Or maybe the real problem is in his area, and he's trying to deflect your attention. What information can you trust, and what is just shadows in the fog?

Where do you start?

Audits. Start by doing internal system audits.

The thing is, unless you are prepared to tell everyone to scrap everything they are doing today and start over, you need information. But it has to be objective information. Confidential remarks that "Frankly, it's all Fred's fault" aren't good enough. A complete system audit won't catch every single problem, but it should highlight the areas of real concern and give you a good overall map that will let you plan your next steps.

What's more, you know you are going to get pushback when you try to correct things. People will tell you that you just don't understand—this is the way they've always done it, and it has always worked fine. But an audit gives you objective evidence. With that evidence, you can plainly show that the process is supposed to generate one kind of result but in fact it is generating another. It's not working. It has to be corrected.

Where you go next depends on what you find, of course. But start with a review of the whole system's status, backed up by objective evidence. Start with audits, and then go from there.

P.S.: I am assuming in all of this that the management system you work to actually provides for some kind of internal system audits. If your organization is governed by ISO 9001, ISO 14001, ISO 45001, or many others like them, it does. The same is true for most other management systems that I know of. In the unlikely event that you somehow find yourself in a situation where there is no standard provision for internal auditing, implement them anyway in an ad hoc way. If anybody asks, you can always claim that you're doing a gap analysis.    

      

Asking about goals

After a discussion like the one that stretched across the last four posts, maybe we can afford to take a minute for something more light-hearted.

The following conversation really happened, in an audit where I was the company's internal Quality representative, accompanying an external auditor on his interviews.

Parasitic certifications? Part 4, Standards eating the world

My last two posts (here and here) discussed Scotlyn's charge that the proliferation of formal standards actually degrades Quality rather than enhancing it. But that is only half of her argument. Her other major point is that jobs in Quality are parasitic on the productive economy, replacing (and thereby eliminating) jobs that make things or add value, and therefore that the Quality business as a whole will ultimately destroy the economy that it lives on.

How far is this true?

Quality as parasite

In a strictly literal sense, of course, it is absolutely true that Quality is parasitic on productive jobs, in exactly the same way that Management is. Neither Quality nor Management is involved in the creation of value (unlike Design, Manufacturing, Logistics, or Service). Both Quality and Management are involved in the organization and monitoring of other people's work. In that sense, they have a lot in common.* 

So the first answer to the charge that Quality is parasitic should be, "Yes, but is that a problem?" If told that it is, we should pursue the analogy with Management to understand why it is a problem. Scotlyn expresses concern that Quality jobs can push out productive jobs, by consuming the resources that would otherwise have paid for them. In the same way, there are some companies where the members of Management assign themselves a disproportionate share of the proceeds, so that the firms cannot pay their other bills and go belly up. We know this sometimes happens, but nobody thinks that such failures invalidate the general concept of Management. All they prove is that — as a manager — you can't afford to get greedy. While it is possible for Management to ruin the enterprise, the answer is to do a better job of implementing Management, and not to do away with it altogether.

Does the analogy hold? I think it does. I have argued before in support of clerical staff, because they offload important work from people who should really be doing something else. And I propose that the same thing is true of Quality staff. Somehow there is an optimal level of administrative functions (by which I mean management, quality, and clerical work all bundled together) — in other words, a level at which the organization flourishes. With too few people in these functions, the organization trips and falls because there is no infrastructure to clear simple obstacles out of the way;** with too many, the organization chokes on its own bureaucracy and runs out of money by paying too many unproductive salaries. Somewhere in the middle has to be a Goldilocks point where the size of the administrative staff is just right.   

That, then, is what we should do. That is how we should implement Quality systems. And as you may have noticed, that has been the approach I have tried to advocate throughout this blog. But Scotlyn makes one final argument: regardless what we should do, she predicts, in fact "the global standards and certification industry will eventually eat production and the economy, and bring the whole thing to a collapse from too much top-heaviness, and too little bottom sturdiness."

Is she right?

Eating the world

The answer depends partly on the number of new global standards that are written, and partly on the number of industries that make them mandatory. On the first point, I think she may be on the right track; on the second, I am a little more sanguine.

What encourages the proliferation of standards is that there are no known limits on the number of things that can go wrong. And whenever something goes wrong, the easiest solution is to make a rule so that it can't happen again. So I see no obvious reason why the number of global standards — the number of rules — should ever level off, until the day comes when our whole current economic system turns obsolete and is replaced by something else that we can't imagine today.

Of course the problem with reflexive rule-making is that the first time you do it, you look decisive. After the twentieth time, you start to wonder whether you have unintentionally tied yourself in knots.   

Bear in mind, though, that any company which hires too many people into non-productive functions will sooner or later go bust. This is why I say I am more sanguine about the question how many industries will make these standards mandatory. In industries with wide profit margins — like aerospace, aviation, or the high-technology industries generally — we should expect global standards to be ubiquitous, because those industries can afford them. But in other industries, those with narrower profit margins, I think we can expect that standardization will get next to no foothold at all, because none of the firms in those industries can afford to hire the personnel. In other words, after the highly profitable industries are saturated with global standards, I tend to think that the spread of standardization will slow or stop. This may help to postpone the collapse that Scotlyn foresees. 

Thunderous noise

If Scotlyn is right — if the whole system does collapse and "make thunderous noise as it falls" — will that really be a problem?

For those of us with jobs in the Quality industry, it will likely mean unemployment. At a personal level, yes, that generally counts as a problem. But for the rest of the world?

It would be a serious setback to global trade if buyers and sellers stopped using uniform weights and measures, or if the specifications for ball bearings and light-bulb sockets were no longer reliably standard around the world. But those standards are the least likely to be abandoned, for exactly that reason.

It would be nice to think that some acceptable level of safety standards for food and appliances will remain in force internationally, but I don't know enough to make an argument that it's certain. Maybe it's not certain, and — if true — that would be a sad fact.

As for the management system standards, the ones that I know best, these would probably trigger the least immediate harm if they suddenly vanished. (For professional reasons, naturally I wish I could say otherwise. But no such luck.) In that sense, they are probably the most optional of the lot. If the global system of standardization collapses, the best case for the management system standards is if they remain as guidelines to best practices for managing organizations. That way, at least they could still benefit organizations who chose to implement them, even if external certification were no longer available or meaningful.

Summary

Where does this leave us? Let me summarize briefly the main points of Scotlyn's argument, and my replies to each, in order:

• "The relationship between certified standards and actual quality is fictional."
• It is certainly non-deterministic.
• "The standards will never be the products, nor ever be able to satisfactorily describe them."
• True.
• "It follows that the more standards, the less quality. Standardisation is, in fact, an essential component of the “crapification of things."
• Not so fast. Some level of standardization has its place — e.g., for critical health and safety aspects.
• Also the management system standards are valuable guidelines to good basic business practices.
• But yes, there is certainly a risk that too much standardization can undermine product quality.
• "The relationship between certified standards and the actual economy is parasitic, ...." 
• True. Just like management, no more and no less.
• "... in that the more jobs that are created to certify, to inspect, to manage, to comply, to produce documentation ..., the more that productive jobs ... are destroyed."
• Yes, all true. 
• But some non-zero number of administrative and Quality jobs are needed to allow the organization to function. 
• The key is to find the magic Goldilocks number, and the great trick is never to exceed it.
• "The global standards and certification industry will eventually eat production and the economy, and bring the whole thing to a collapse from too much top-heaviness, and too little bottom sturdiness."
• There are forces pushing in this direction, and others pushing against it. I don't know which forces will win. But you might be right.
• "Out of which, small, light, and fast non-compliant producers and purveyors who can stay below the radar and out of the limelight, will emerge and begin to create whatever comes next."
• From your lips to the ears of Heaven. 

Answering Scotlyn's remarks has been my longest single exercise of analysis and exposition since I started this blog, and I thank her — deeply and sincerely — for pushing me to do it. At the same time, I am well aware that other readers might disagree with some (or all!) of what I have written here. As always, please add your comments so we can make this a living discussion. The only way we can achieve continual improvement in our theory and practice of the Quality business is to talk to each other.

As always, let's talk.             

__________

* As an aside, I note that I've heard complaints about the uselessness of Quality far more often than I have heard the equivalent complaints about Management. I'm not sure why.   

** In The Restaurant at the End of the Universe, Douglas Adams characterizes this extreme as the point at which the entire Golgafrinchan population dies off from an infectious disease contracted from an "unexpectedly dirty" telephone.

        

Parasitic certifications? Part 3, Certified systems vs. quality

Just as a reminder, I am still discussing a broad-based critique of Quality standards and certifications from Scotlyn, a reader whose fundamental challenge you can find here. 

Scotlyn began by arguing that "the relationship between certified standards and actual quality is fictional," and that "it follows that the more standards, the less quality." Last week I discussed whether and how far I can support this critique with respect to product standards. In what follows below, I address management system standards.

How far the charge is true

When we turn to management system standards, it is certainly true that certification to a quality management standard like ISO 9001 does not guarantee all your products are good. Just following the right rules won't give you Quality.

In the same way, it is perfectly possible for a company to turn out excellent work, on a reliable and repeatable basis, without ISO 9001 certification. I once worked for a small regional outpost of a huge, global company. One of our regular suppliers — a firm we had worked with for years — was not certified to ISO 9001. Our global headquarters issued a directive that no company could be rated as a Preferred Supplier unless it met a variety of criteria, including certification. At first our local Purchasing Manager tried to protest that this was the only supplier from whom we had never had a major problem — and even when there were minor issues they were always perfectly responsive. Headquarters was unmoved; the regulation had to be implemented worldwide, with no exceptions. So our local Purchasing Manager dutifully categorized this supplier as "Non-Preferred," and then went right on ordering from them exactly as before. I joked that we should have a special category for "Non-Preferred Suppliers That We Like a Lot."

But I almost think this supplier counts as a special case, rather than a simple counterexample against ISO 9001. It was obvious to anyone who did business with them why their work was so consistently excellent. This was a family firm owned by a man who had put everything into it, and who identified with it totally. He was personally committed to flawless workmanship, most of the employees were relatives, and nobody was willing to let down the family. It was a powerful combination, but not one that many companies are in a position to imitate.

This is one reason, though, that I have spent some of my time in this blog posting about topics like employee engagement, competence and attitude. While management systems are important, no system can do all the work by itself. So I have been happy to highlight the work of specialists like Jeff Griffiths, Dawn Ringrose, and Angie Alexander, who study and teach ways to encourage that personal connection between the people doing the work and the felt desire to do it right.

That said, this forum is primarily about Quality systems. And I'm not prepared to write them off yet.

In what ways the charge is false

In the first place, most of the requirements of a standard like ISO 9001 are little more than formalized common sense. With a standard or without it, companies that don't keep meeting minutes or do design reviews will have trouble sooner or later. And while it catches our attention when we see an uncertified company doing flawless work or a certified company shipping garbage, the times that quality and certification align are less striking — precisely because they are more expected — and therefore harder to see. But we have to take account of that side of the ledger as well.

I've worked in startups where there are no systems in place. They are energetic and creative places; the ones where I worked made solid and useful products. And normally everyone got along fine without a lot of system overhead. But when something went wrong, nobody knew how to react; when an unexpected bug brought one of our software products crashing to the ground, nobody knew where to find it, because the code wasn't modular and there had been no unit testing. I don't say that ISO 9001 by itself made all our problems go away. But the introduction of some kind of system was key to making them more manageable. And ISO 9001 is a perfectly decent framework for the kind of system I mean. (Note that ISO 9001 is only a framework. You still have to design your own system for yourself, or hire someone to do it for you. But ISO 9001 tells you what kind of shape it should have when you are done.)

Another story

Here's another example, and maybe a deeper or richer one. Recently I was talking with a woman who owns a small, local business that fills a very specialized niche. In her line of work, certification is now effectively mandatory: if you aren't certified, you have no customers. But it wasn't always so, and she has been in business long enough to remember the changeover. She told me that when certification became available — and then mandatory — it was a huge help to her because it enabled her to require a wide range of good practices that she had wanted for a long time but had been unable to implement effectively. Suddenly she didn't need to listen to any Good Reasons™ from her employees about why this or that practice would never work; her answer to all of them was, It has to be done by the time the auditor gets here, or we fail the audit and go out of business. Discussion closed. Then as she continued to reminisce, she casually mentioned that before certification became a requirement she knew of 250 small companies just like hers doing the exact same kind of work; then, as certification became mandatory, the owners of 100 of them decided that the burden imposed by certification was too much for them in either time or money, so they closed their doors. When the dust cleared, a field of 250 small businesses had shrunk to 150, a loss of 40%.

The reason that I call this example deeper or richer than the first one is that it makes two points very clearly.

On the one hand, the imposition of a Quality system has to potential to improve a business in a meaningful way. Potential to improve. No Quality system will ever guarantee that a company becomes good; but it can in any event make the company better than it was before. And sometimes that's a great achievement anyway. Moreover, as always, the standard does nothing by itself; it does nothing without the engagement and support of the people using it. The value comes when the systematic approach required by the standard becomes second nature, when it is fully incorporated into a company's way of working. If some company just wants to game the system so that they can get a certificate without having to change, they might be able to get away with it for a little while (probably not forever). There is no system in the world that cannot be gamed. But that fact is less a reflection on the standard and more a qualification of what the certificate means.   

On the other hand, nothing in life is free. Implementing and maintaining a Quality system requires effort. That effort costs money, because you have to pay somebody to do it; and it costs time, because that person can't do something else while working on this. You surely can't ask your existing staff to implement a Quality system on top of their regular jobs without affecting their productivity. 

This last point is entirely valid. It is important. And it leads us directly into Scotlyn's next charge, which I will take up next week.

      

Parasitic certifications? Part 2, The crapification of things

In last week's post, we looked at a broad and fundamental criticism from a reader named Scotlyn, indicting the whole system of global standardization and certification as (in essence) fraudulent and parasitic. Now I want to examine each of Scotlyn's points carefully, to see how far I agree with her. 

Please note that I actively encourage your participation too. Add your feedback in the Comments. Tell us what you think.

Scotlyn's first charge is that "the relationship between certified standards and actual quality is fictional," and that "it follows that the more standards, the less quality." Is this true?

There are two sides to this charge, which I want to treat separately: product standards, and management system standards. I will discuss product standards here, and management system standards next week.

Part of the difficulty in discussing product standards is that many of the most basic ones have become so ubiquitous in the industrialized world that they are almost invisible. I'm thinking of the kinds of basic safety standards for food or equipment that were unheard-of 150 years ago but that we take for granted today. Whatever else might be said for or against the modern meatpacking industry, for example (and it is not a specialty of mine), I'm pretty sure that practices are more sanitary than they were back when Upton Sinclair wrote The Jungle. You can probably think of other examples on your own. And I assume that nobody will argue for abandoning the most basic safety standards, except perhaps as a rhetorical exercise. But as the number of product standards proliferates, we begin to see at least two problems. 

The first problem is that each standard imposes constraints on the design of a product, and requires some non-zero fraction of the designer's attention. The more standards there are, the more of the designer's attention has to go into meeting basic requirements, leaving less attention available to put towards the inherent quality of the design. The only way to counter this effect (to the extent that it can be countered at all) is to take longer designing the product. Once upon a time, maybe it took a month for a small team at WidgetCorp to design and test a really good widget. But after the introduction of a lot of Mandatory Widget-Industry Standards, it might take twice as long to design the very same widget. The designers now have to read all the standards, and confirm that their design meets them in theory; and then testers have to run tests for every single standard to make sure each one has been met. The end result might not be any different from what it would have been otherwise, although the team will know a lot more facts about the product than they would have without the standards, and they will have recorded all those facts in a huge stack of documents. But all this work takes time and effort, with the result that WidgetCorp now takes twice as long to bring a new widget to market, and charges twice as much for them to recoup the added development costs. And as a direct result of this hefty increase in time and cost, ....

The second problem is that a competing manufacturer (Fly-By-Night Widgets) will enter the market designing widgets that strictly comply with the standards, but that are in other respects as slapdash as possible. With this approach, Fly-By-Night brings out their widgets faster than WidgetCorp does, and sells them for cheaper. And we all know that — other things being equal — the market favors whichever competitor is faster and cheaper. After a while, Fly-By-Night drives WidgetCorp out of business, and the market is saturated with widgets that comply with standards but are otherwise worthless. This long-term process is what Scotlyn describes as the "crapification of things." (See also this Dilbert cartoon for a summary of the same observation.)

Is there a solution to this dynamic? At a theoretical level and in the general case, no, I don't think so.* I believe the best we can hope for is one or another pragmatic settlement.** By a "pragmatic settlement," what I mean is two things. 

• First, some companies will continue to make products which are so obviously superior that customers will willingly pay more for them. (I once audited a VP of Sales who said his department's whole job was to explain to potential customers why they should pay five times as much for one of this company's products as for a competitor's. Mostly they succeeded in doing so.) 
• Second, maybe we can come to some kind of agreement around a basic level of standards (for, e.g., health and safety) which clearly represent a bare minimum — maybe we can agree not to sell laudanum as a cure for a broken leg, for instance  — and then stop there. If it were clear that "meets standards" is not the same as "good enough," we might be able to hold back the threat of encroaching crapification, at least for a while.

Or perhaps this answer isn't good enough, in which case I invite your contributions. How would you address the conundrum? 

Next week I'll talk about management systems.

__________

* Or if there is a solution, it involves modifying some of the assumptions behind this description (for example, the principle of economic competition) in ways which are far beyond the scope of this blog and even farther beyond my competence as an author.

** For the distinction between solutions and settlements, see Bertrand de Jouvenel, The Pure Theory of Politics, "Addendum: The Myth of the Solution."      

Parasitic certifications? Part 1, The challenge

Just about a week ago, I got a comment on one of these posts that (in a sense) I had been waiting for since I started the blog. The comment, by a reader named Scotlyn, was in response to my post asking whether the Russo-Ukrainian War might bring about the end of the global standardization and certification schema, but it raised issues that go far beyond even as broad a topic as the war. 

As for saying that I've been waiting since the start of this blog, you remember that right in my very first post I explained that my fundamental goal here is to encourage people to talk back to their Quality systems, forcing the Quality systems to justify themselves in ways that make sense. I said I wanted to discuss "what works and what doesn't work" – and I tried to make the point that if a Quality system can't justify itself in rational terms, then we should change it or get rid of it.

This is the challenge that Scotlyn takes up. She suggests point-blank, on the basis of personal experience, that formal Quality systems and formal certification add no value whatever, and are in fact parasitic on productive work. I don't  think I quite agree, but we have all heard people say these things before. If we can't discuss the question honestly and give a decent defense of the Quality business, we can't ask anyone to take us seriously.

Scotlyn's comment is fairly long, so for convenience I'm going to reproduce it here. Then in next week's post, I'll start to answer it. Meanwhile, if you have anything to add to the discussion on your own account, please feel free to comment as well. We can make this conversation as broad and general as it has to be.

So, to begin, Scotlyn wrote as follows:

I have a great personal interest in the theme of standards and certifications, since I worked for many years as compliance officer for a local fish processing company. That is to say, I was the person in the company that interfaced with the global standards and certification industry. By the time I left my job I was convinced of these things:

(1) that the relationship between certified standards and actual quality is fictional. Making the product is one domain that is stubbornly incommensurate with the quite separate domain of documenting, and monitoring compliance with product standards. (in almost exactly the same way as the Tao Te Ching states that the names we can give a thing are not the thing). The standards will never be the products, nor ever be able to satisfactorily describe them.

(2) that, because of (1), it follows that the more standards, the less quality. Standardisation is, in fact, an essential component of the “crapification of things”.

(3) that the relationship between certified standards and the actual economy is parasitic, in that the more jobs that are created to certify, to inspect, to manage, to comply, to produce documentation (including my own entirely non-productive job), the more that productive jobs (the making, transporting of goods, and the providing of services) are destroyed.

(4) that, because of (3), the global standards and certification industry will eventually eat production and the economy, and bring the whole thing to a collapse from too much top-heaviness, and too little bottom sturdiness. Out of which, small, light, and fast non-compliant producers and purveyors who can stay below the radar and out of the limelight, will emerge and begin to create whatever comes next.

I have to tell you that the prospect of a set back to the global certification industry would not cost me a hair’s worry. It contains enough of its own contradictions and unstable weight to collapse without help. Although, to be sure, those employed in its giant documentation fabricating enterprises will resist being made redundant. And it will make thunderous noise as it falls.

On the whole, I'd call that critique pretty thorough. Next week I will take up these points to discuss them. Stay tuned.

        

"Sage powers" and learning to listen

Last week I attended another great webinar. It was hosted by Angie Alexander, of Corporate Catalyst Consulting, and she was interviewing Jeff Griffiths of WorkForce Strategies International. Regular readers will remember that I wrote about Griffiths last fall: in this post where I described his webinar "People Before Process," and then in follow-on posts (here and here) where I picked up a later question that he and I discussed afterwards and worked my way through it.

This webinar was called "Getting Sh*t Done! – Optimizing Performance through Human Centric Sage Leadership."* Ms. Alexander's starting point is the recognition that our internal attitude towards our work has a huge impact on our outcomes. Maybe that doesn't sound controversial when I state it so broadly, since the general message dates at least to the time of Epictetus. But Alexander then developed the point in some detail by identifying ten "saboteurs" (ideas or attitudes that get in the way of our working well) and five "sage powers" that combat the saboteurs and allow us to work with calm, clarity, and happiness. These five sage powers are:

• empathy, an unconditional love of yourself and others
• exploration, based on a love of learning
• innovation, a creative willingness to think of all the possibilities
• navigation, a search for purpose and meaning that asks "What's really important?"
• activation, moving forward without all the distractions

During the subsequent conversation, Griffiths picked up each of these themes in turn and gave examples from his own career. To take just the very first one, he explained that without empathy it's easy to react to a difficult situation by feeling you are surrounded by idiots. But if you slow down, take a deep breath, and accept them unconditionally, then you can start to see where these people are coming from and they no longer look like idiots. Then you can work with them in a productive way. 

For my part, I spent the whole webinar thinking about the Quality business. I saw at least two places where the crossover is very strong.

One of these is in the area of problem-solving. You remember back in January I discussed the principle that "There is no such thing as human error." At the time I called this a "motivational slogan," and I emphasized how it is a useful approach if you want the cooperation (which you need) of people who were on the scene when an accident occurred. But this approach is just empathy in action, a willingness to see the events through the eyes of another person as a first step towards error-proofing the operation for the future. And after all, if your problem-solving exercise comes up with a solution that would work for you (if only you were the one on the scene) but that won't work for the people who actually do the job – in other words, if your solution lacks empathy for the people who have to implement it – then you really haven't solved anything and you can count on the problem to recur.

The other is in the area of auditing. One of the most dangerous temptations for an auditor is the desire to start telling your auditees how to do everything differently. In your mind it's simple: you know the management system standards, you've seen how those standards are implemented by hundreds of other companies, and these folks are simply doing it all wrong! And from the other side, pretty much every organization that goes through regular external audits has met one or more auditors who give into this temptation. I've talked before about how the line between auditing and consulting gets particularly fuzzy during internal audits; but during external audits it is important to keep it clear. And even in internal audits, you can't abuse your authority as an auditor just because the manager of this department stubbornly insists on doing things in a way that looks crazy to you.

For this reason, I have found it very useful when conducting audits to slow down, keep quiet, and listen. I'll ask how this or that part of the system works, and then just let the auditees talk. At first glance I might think they are doing it all wrong; I tell myself, "If I had designed their system, I would have done it differently." But it's their system, not mine. So if I wait and listen, after a while I can start to see the system through their eyes. I can start to see how the strange bits all hang together as a system. And I can see that my first objections were often based on my own failure to understand. At this point I may have some thoughts about how certain aspects can be improved – "Is there a risk because you aren't keeping minutes from this or that regular meeting?" – but I'm no longer going to ask them to redesign the whole thing from the beginning.

At its best, then, auditing deploys – or should deploy – all five of Alexander's "sage powers": empathy, to understand the client's system on its own terms; exploration and innovation, to look past the auditor's own preconceptions and see what the client is trying to do; navigation, to understand which topics really can put the client's system at risk; and activation, to proceed from there and find the nonconforming gaps (if any) which it will really add value for the client to fix. Of course if you find other nonconformities along the way you have to report them. But you provide the best service if you focus where it hurts.

It's not always easy, and at the end your list of findings may be shorter than it would have been doing it in a more directive way. But it's more helpful to work this way, which is the whole point. Besides, we're not paid by the finding.  😀        

__________

* Yes, the second word in the title really did have an asterisk instead of the vowel.