[This article originally appeared in LinkedIn. You can find that copy of it here.]
Every so often during an ISO 9001 audit, I'll find a (to me) common-sense omission. If it's trivial I might just discuss it and move on, or write an Opportunity for Improvement. But if it's something basic to the system, I might write a Nonconformity.
Once in a while I get the reply, "Where does it say I have to do that?" Or, more completely, "In which company directive is it written that I have to do that?"
When I hear this objection, I never know where to start — because there are no right answers to wrong questions.
A compliance audit (for companies that have to deal with those) is, yes, focused on checking our compliance with corporate or legal directives with a fine-toothed comb.
But that's not a Quality audit.
For Quality audits — notwithstanding years of ISO jokes — following the rules is secondary. The important thing is to have an effective way to get what we want. Of course we need procedures and rules for the complicated stuff. In a big company we need plenty, because everything one department does affects others. We need clear directives just to keep from stepping on each other's feet.
But we can follow all the rules in the world and still ship garbage. Just following the rules doesn't get us Quality. Or, to put it another way: We all know that following the rules is no excuse for doing the wrong thing. So too, the absence of a rule is no excuse for failing to do the right thing.
OK, Mister, that's nice, but I've got two problems with everything you just said.
1. You want to go by the book? A "nonconformity" means there's some rule I have failed to comply with. That's what the word means. Show me the rule.
2. You want to talk about the real world? My team has a lot of work to do. Sure, there's stuff we'd love to do to make the world a better place. But our requirements come first. So if you can't show me that this cool idea is actually a requirement, frankly we're going to deprioritize it into next year because we've already got too much real work to do.
This objection is completely fair. Let me answer it.
1. The latest edition of the ISO 9001 standard (ISO 9001:2015) explicitly requires us to determine the risks in what we are doing, and to take action as needed to address those risks, even if they aren't listed (yet) in our written procedures. The main reference is clause 6.1, "Actions to address risks and opportunities," though you can find cross-references in 9.1.3 and 10.2. So if I see something obviously missing, even if there is no rule telling anyone to do it, that is a nonconformity against clause 6.1.
2. We can't do everything. That's true. But the way to pick and choose is by assessing risk. The standard says that too, also in clause 6.1: "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." If there's no risk, do nothing.
Hold up a minute! Don't your remarks in #2 cancel what you said in #1? What if you write me up for not doing something, but we do a risk analysis that says it's no big deal?
Could be. Show me the risk analysis, and let's discuss it. The answer will always be a judgment call, on somebody's part. There is no algorithm for a perfect decision … the same way there's no set of rules guaranteed to give us Quality.
All we can ever do is talk to each other. So let's talk.