Thursday, December 29, 2022

What do you buy, when you buy a Tesla?

I thought I was all done writing about the place of customer requirements in Quality, but last week I saw an article that put an interesting spin on the subject. Publishing in Fast Company, Anne Marie Squeo wrote, "Tesla owners didn’t buy a car: We bought a set of beliefs Elon is trashing." Of course my first thought was, Wait, I thought Teslas were cars. But then I read her article and began to see her point.


Fundamentally, Squeo is writing about branding; and she makes the point that a brand can have a value or weight of its own, independent of this or that product carrying the brand. And of course this is true. Brands can imply a lot, and those implications can often stretch far beyond the domain where the brand nominally lives. Squeo identifies a number of attitudes and beliefs that she finds common among Tesla owners—attitudes and beliefs that have nothing to do with cars or even transportation per se, but which are so common that she sees them as clear elements of the Tesla brand. People who disagree strongly with these attitudes and beliefs, she adds, are really not likely ever to buy a Tesla.

By the same token, for example, when I was a kid Cadillac was a brand that implied the very best of everything, not just cars. If you were part of a group trying to fix a problem and someone said, "We don't need a Cadillac solution," he meant that the solution didn't have to be perfect so long as it was good enough. The implication was always that the "Cadillac solution" would indeed have everything you could ask for, but it would also be very expensive. And of course GM worked to reinforce that association in the mind of the public.

Critically, a brand can become a good in its own right, something that customers will pay for. Customers who bought a Cadillac expected it to be expensive, and would have scorned it if it weren't; because in fact the very expense—and the social cachet they hoped to acquire by being able to afford it—was part of what they wanted out of the car.

One consequence, though, is that if the brand has a value all its own then you have to take care of it. Recognize that the integrity of your brand is part of the value proposition that you offer your customers*, and build guardrails in your Quality Management System to keep it intact. In an earlier post, I described how the Bosch corporation responds with swift and visible action to violations of the Bosch Code of Business Conduct or the principle of legality; and Bosch responds this way in part because a reputation for ethical and legal business behavior is a fundamental component of the Bosch brand. The company literally cannot afford to let violations slide if there is any risk that the brand might be sullied.

The alternative is that you can make a conscious decision not to bother. This is the situation that I discussed four weeks ago with respect to Boeing. Boeing has chosen to use a certain amount of its institutional weight to push the spread of the AS9100 aerospace quality management system standard, but has not chosen to get a third-party certification of their own. In the abstract, this decision might be construed as a risk to the brand, because it generates confusion: Which is it? Do you support AS9100, or don't you? That precise point is the subject of Chris Paris's criticisms of Boeing, as I described in the earlier post. What allows Boeing to make the decision they have made is a calculation that the risk to their brand doesn't mean much risk to their business, since there is only one other company on the planet (Airbus) which constitutes any kind of credible competition.

In short: once your brand acquires a value in its own right, you have to take account of it. Either put measures in place to protect your brand, or make a conscious decision not to bother. What you cannot afford to do is to ignore the question, and to treat your brand inconsistently by accident.

It is interesting that, in the rest of Squeo's article, this is exactly what she accuses Elon Musk of doing. She argues, that is, that Musk's actions since buying Twitter harm the brand identity she had earlier described for Tesla, and that he seems to be causing this damage negligently, as if unaware that there is any issue. I have no idea what's going on in the mind of Elon Musk, so I have to recuse myself from that part of the discussion. I always think it is worthwhile to check out alternative hypotheses—maybe Musk is pivoting on purpose from one brand identity to another, rather than doing anything by accident—but it is always possible that Squeo has it exactly right. Perhaps Musk is genuinely unaware that the Tesla brand has (or had) a value independent of the specific cars sold with that logo, so that he failed to implement any safeguards (including restrictions on himself) to protect that value.

But if that's what is happening, don't try this at home. If your brand has an independent value, take care of it. 

__________

* For example, during your Context of the Organization (COTO) analysis. You can consider it along with other non-product requirements, as discussed here.

     

Thursday, December 22, 2022

Rest and refresh

I thought of publishing something useful this week, but I'm also in the middle of last-minute shopping, baking, ... all that stuff. Likely enough, many of you are too. So let's take a break to rest and refresh.

Also, keep an eye on the weather and stay safe! I've seen no end of severe weather warnings for many places across the country. Winter weather can be dangerous and scary. 


(Strictly speaking we've recently had our own "severe weather warning" here in Santa Barbara, in the form of a surf report warning us of rip tides. But it's not the same thing.) 

Be well, and we'll pick this up again next week. And if you are fortunate enough to have some time off at the end of the year, please enjoy it!

     

Thursday, December 15, 2022

Quality Auditors: "What my friends think I do"

It has been more than two months since I posted anything light-hearted here. Time for something funny.

Here is a meme that I created many years ago, back when "What my friends think I do" was actually current across the Internet. I hope you like it.


      

Thursday, December 8, 2022

Should you MEET or EXCEED your customer requirements?

It's not uncommon to see a Quality Policy that boasts, "We will always exceed our customers' expectations!" And that's great. It sounds enthusiastic, ambitious, and challenging. Surely if Quality involves (at least in part) meeting customer expectations, then exceeding them must be even better than that. Maybe it counts as Super-Quality, or something equally special! And the idea takes many forms. Here's a post from LinkedIn which argues that the very definition of Quality in the present day requires exceeding (not merely meeting) customer expectations. 

But is it a good idea?

There's a sense in which it is hard to promise something like this, because you have no control over what your customer actually expects. You may know what requirements he has communicated to you in writing. But his real expectations might go well beyond those. In fact, if you have done business with him before, he may have gotten so accustomed to you over-delivering that now he expects you to over-deliver! If you ever simply meet his stated requirements, he might be secretly disappointed. But of course I'm playing games when I say this. There are other factors to consider.

Most critically, nothing is free. It might be nice to exceed expectations, but make sure you can afford it.

I once worked on a project that suffered seriously from overperformance. The development was late and badly over budget, and all the while the engineers continued to design the product to be better than the customer had asked for. Finally, in a desperate attempt to stop the bleeding, the Project Office instituted a formal policy of Designing to the Requirements. Stated like that it doesn't sound controversial, but right away the engineers dubbed it the "Just Good Enough" Initiative. One of them complained to me, "My boss just bawled me out for doing too good a job." It was almost as if they had forgotten that all their time and effort cost money, and that at the end of the day the company had books to balance. 

In the end, the final product was magnificent. But it was really tough to get there.

The same discussion comes up in very different contexts. Recently I have seen a spate of articles on the subject of "quiet quitting." Different authors use different definitions, but several have argued that "quiet quitting" is no more than "meeting the expectations" of the job: giving an honest eight hours of work for eight hours of pay, but then going home. Not looking for ways to go above and beyond. Not offering that little bit of extra, unpaid effort that pushes a job over the edge from adequate to superior. Not exceeding expectations. And whether this kind of "quiet quitting" is a good thing depends powerfully on the context and on myriad details: the company, the job, the employee, the home situation, the prospects for the future, and on and on. No one size fits all.

I think that has to be the general answer to the challenge of consistently exceeding customer expectations. It sounds great. It is surely impressive. But no one size fits all.    

      

Thursday, December 1, 2022

Wait ... did Boeing just take my advice?

Forgive me for interrupting myself. I was going to follow up my last post about customer requirements with one about meeting or exceeding expectations, but that has to wait. Right now there is a contretemps in the ISO 9001 community on LinkedIn, and it relates directly to a point I made in this very blog a few months ago. How can I resist such an opportunity?

It all started when Alan Daniels of Boeing gave an interview in a podcast where he discussed (among other topics) the importance of AS9100. You wouldn't expect this to be controversial. But when the podcast was advertised through a post in LinkedIn, a vigorous discussion broke out in the comments of that post between Christopher Paris, of Oxebridge International, and Doug French, retired from Boeing.

Paris asked, If Boeing thinks AS9100 is so important, why don't they hold an AS9100 certification, validated by external auditors?

French replied, We do think the standard is important, and we follow it carefully; but we've made an internal business decision not to spend the money for the certificate at this time.

Paris: Why should I believe you, if you don't back up your words with an objective certificate?

French: What part of the words "internal business decision" do you not understand?

And it kind of went downhill from there. 

What delights and fascinates me about this discussion is how exactly it echoes points that I've discussed in this blog. For example, Paris's objection that there is no reason to believe Boeing follows the rules of AS9100 without a certificate could have been copied verbatim from the last paragraph of my post two weeks ago about why we have standards in the first place. [Note: because Boeing is in aerospace, the discussion between Paris and French revolves around AS9100. My post is about ISO 9001. But the issues involved are identical.]

But what really caught my attention is that Boeing seems to be following the very advice I posted last March, in this post here, about whether or when to seek certification. If you remember, what I said was this:

"[W]hile every company benefits from doing things well, not every company benefits from having a certificate to hang on the wall attesting that they do things well. If having this certificate will bring you more new business than it costs you to get it ... then it is worth the money to get the certificate. If not, not."

That's exactly what Doug French said.

How does this advice apply to Boeing? Companies often seek certification for a couple of reasons. One is that a customer demands it; another is that it sets them apart from the competition. But who exactly is Boeing's competition? There are only two major airplane manufacturing companies in the world that sell commercial jetliners: Boeing and Airbus. [Reference.] Yes, of course there are smaller manufacturers as well, but for all practical purposes no other company can compete with these two. So Boeing has no need to set themselves apart from competitors by seeking certification. And there are no customers demanding to see a certificate, because the relevant customers know that they don't have a wide choice of vendors. There is simply no compelling economic reason for Boeing to seek certification.

To be fair, Paris recognizes this. While he chastises Boeing for not seeking certification, the reason he offers is not economic. His reason is moral: noblesse oblige. While recognizing that of course Boeing can get along just fine economically without certification—business has gone swimmingly up till now, after all—he argues that if Boeing is going to champion the AS9100 standard (which they do), and if Boeing is going to require all their suppliers to be certified to AS9100 (which they do), then they should feel morally obligated to lead by example. So long as they don't, Paris argues, their protestations about the importance of standards and certification sound hollow.

Is he right? I guess it's a matter of opinion. But the way the airplane manufacturing business looks today, Boeing is probably safe in doing what they do. Even if a lot of people end up agreeing with Paris, how far will that cut into their sales? I predict that the effect will be negligible compared to the ups and downs of the worldwide demand for aircraft—and I'm certain Boeing is paying a lot of attention to that.

And if things change one day? If suddenly there is a material risk that Boeing will be penalized in the marketplace for not holding a third-party certificate of compliance to AS9100? The day that happens, Boeing will contract with a Certification Body and get their certification. That's what any company would do. If having this certificate will bring you more new business than it costs you to get it ... then it is worth the money to get the certificate.

I'm still tickled to think that Boeing is following my advice on this point.

                   

Thursday, November 24, 2022

Requirements: theirs and yours

Quality is often defined as "meeting customer requirements" or "meeting customer expectations." (Longtime readers may recall that I discussed that definition along with others in this early post last year.) But in a post a couple weeks ago, when discussing how to handle ethical questions in your organization, I described the Bosch Product Development Code, an element of the Bosch Code of Business Conduct which states clearly that "Legality and the Bosch values take precedence over customers’ wishes." How can this be Quality? If Quality means "meeting customer requirements," what grounds does any company have for saying that other considerations are more important?

At one level, this is easy. Any responsible company will review orders before accepting them, to make sure they can actually fulfil what is asked. (ISO 9001:2015 requires such a review in section 8.2.3.) If this review reveals customer requirements that the company is unable or unwilling to fulfil, the company is generally within its rights to reject the order. The order might be impossible, or it might be illegal, or it might just be a bad fit for the kind of work the company does best: in any of those cases, the right response is, "I'm sorry but that's not for us."

This highlights why it is inadequate to define Quality merely as "meeting customer requirements." Your organization likely has rules or considerations of its own that also have to be taken into account. These organizational considerations are the boundary conditions inside of which you operate. But critically, they count as requirements, and they have to be considered along with the other requirements that come externally, from the customer. Then you evaluate whether the whole package is something you can achieve or not.

Another way to describe your organizational requirements is that they are part of the Context of your Organization (COTO), and they should surface during your COTO analysis. But this means that your COTO analysis is in essence a requirements review for the organization. That is to say, ... well, we all know what a requirements review is for a product: you get the right people together in a room, and you generate a list of everything the product has to fulfil. You work through the list to ensure that it is consistent, that it complies with all applicable regulations or boundary conditions, and that it is achievable.

But that's exactly what you do in your COTO analysis: you identify all the interested parties who want something from you, list what they want, itemize any other issues you have to address, and then figure out what you are really going to do. In the end, your final list of constraints that form the framework of your management system has to be consistent (or else different departments will pull in different directions, guaranteeing failure); it has to comply with applicable regulations (if only to ensure nobody goes to jail); and it has to be achievable (or else, again, you guarantee failure). In other words, your COTO is the requirements list for your organization.

And that means that, conceptually, the rejection of this or that customer requirement on the grounds of ethics—or legality, or profitability, or anything else—is no big deal. It's just a case where one requirement conflicts with another. This happens all the time, and the answer is always to analyze the conflict until you figure out which requirement takes priority. That's what you are doing here.  

    

Thursday, November 17, 2022

Why do we have standards, anyway?

Last week's post triggered a lot of discussion, mostly on LinkedIn. One of the topics was the fundamental purpose of the ISO 9001 standard: is it primarily a tool to use internally (for continual improvement), or externally (for certification)? In the end, Christopher Paris resolved the question by explaining in detail the history of the standard's development, and showing that external certification was baked into the concept from the beginning.

But I'd like to suggest that the same conclusion should have been clear even without knowing the history in a lot of detail. It all stems from the basic nature of standards in general.

Why do we need standards? A standard is like a common language: it allows us to do business with strangers, because we know that we are both talking about the same thing. Whenever a market gets full or busy or complex, whenever there are many people buying and selling from each other, you need standards that everyone can align on. The alternative is chaos. This is many times truer when trade crosses international borders.

The Last Day of the Sale, by George Bernard O'Neill

And in fact many of the standards issued by the ISO are technical standards whose whole purpose is to ensure that common products align to uniform specifications around the world, so that you can buy them anywhere. ISO 3290-1 and ISO 3290-2 specify the uniform characteristics of ball bearings. (ISO 3290-1 covers steel ball bearings, while ISO 3290-2 covers ceramic ones.) As a result you can buy your ball bearings from any manufacturer, anywhere in the world, who complies with these standards—and you are guaranteed that they will fit your application interchangeably with the ball bearings you already have. Knowing you can rely on this uniformity is tremendously valuable.

In the same way, if a company follows ISO 9001, then we think we know something about them even before we place our first purchase order. We are not guaranteed that their products are flawless! But if they follow ISO 9001, then at the very least they should have (for example) some kind of system in place to evaluate orders before accepting them. They should have other systems in place for handling customer complaints, in case there are any. And so on. Knowing these things gives us greater confidence about doing business with them, or it should. (In exactly the same way, the whole point of the proposed management system standards to support the UN's sustainable development goals, which I discussed at some length last month, is to provide a common and uniform frame of reference so that companies who want to explain what they are doing to advance these goals can trust that they will be understood.)

But wait—if a company tries to persuade us that they have reliable systems in place because they follow ISO 9001, why should we believe them? Because they say so? People can say anything. The only way that the ISO 9001 standard can possibly do its job as a standard—the only way it can make good on its promise of uniformity—is if there is some objective way to tell the difference between companies that have implemented it and companies that have not. This is the point of certification (or it is supposed to be). Someone external, someone objective, someone who does not have a stake in the success or failure of the company under evaluation—that person has to come out, look around, and then tell us whether the company's implementation of ISO 9001 is real or sham. Without that step, ISO 9001 can no longer be a standard; and whatever residual value it might still have as a source of moral exhortation, it has always been sold to the world as a standard.

So I think the need for external certification is necessarily part of the whole concept behind ISO 9001. And it does not surprise me, therefore, to learn that the history bears this out. 

       

Thursday, November 10, 2022

So how DO you talk about ethics?

Last week I wrote about whether ISO 9001 should be revised to address questions of ethics. In reply, Krishna Gopal Misra of Qualitymeter.com published a detailed essay on LinkedIn about the role of ethics in relation to any management system. I am grateful for Mr. Misra's essay, which makes the important point that ethical principles are not so much a part of a management system as logically prior to it. A management system tells you how to organize in order to get what you want; but it cannot tell you what to want. That is the job of your Vision, and thereby of your strategy and policies. Without a Vision, the management system itself is blind,* and the organization is directionless. At that point there is nothing to stop the organization from doing very bad things, and Mr. Misra gives some chilling examples in his essay. 

What should you do instead? If you want to avoid the moral aimlessness that Mr. Misra warns against, how do you talk about ethical principles in your organization if not in the management system? Or to put the question another way, the management system defines a framework for how to run your organization: where in that framework do your ethical principles belong?

They have to come right at the beginning, so that they become ground rules to inform everything else. This means that your ethical principles have to be part of the Context of your Organization (COTO). They have to be among the fundamental requirements that you are in business to satisfy in the first place.

I used to work for Robert Bosch; and while I normally avoid discussing previous employers by name, I always admired Bosch's explicit and stated commitment to ethical behavior. This commitment grew out of the deep personal beliefs of Herr Bosch himself, back when he was still alive and steering the company personally. He once said—in a remark that every Bosch employee must surely know by heart—"I would rather lose money than trust." (If you are interested, you can find a copy of the Bosch Code of Business Conduct at this link here.)

And it has to be more than slogans. In order to be worth anything, a policy of corporate ethics has to be reinforced with action at every turn. Bosch promoted its ethical policies in several ways. One prominent way was through a corporate training program, which required every employee to take classes on specific topics. These classes repeated at stated intervals: some every year, or every two. The longest interval between repetitions was three years. The classes themselves covered topics like recognizing and avoiding conflicts of interests, or respecting the principle of legality in all daily work. Mr. Misra explained that sometimes companies resort to bribing government officials to get what they want; Bosch had a separate class all about how Bosch employees are strictly forbidden to engage in bribery. The instructors even explained that there are some countries in the world where bribery is expected as a normal part of doing business; and they freely admitted that Bosch's strict anti-bribery policies make it harder to compete in those markets. When someone asked "So what are we supposed to do in those countries?" the instructors just smiled and said the only thing to do was to make the products even better, so they would sell despite interference from disgruntled government officials who expected bribes but didn't get them.

No training program will ever turn men into angels. Somewhere along the line, somebody will make a mistake and do something wrong—even at Bosch. When that happens, it is important to take swift and visible action. You may remember back in 2015, when news broke about the Volkswagen emissions scandal (sometimes called "Dieselgate"). Volkswagen had been caught using software to circumvent laboratory emissions testing, so that their cars could be passed by the EPA and sold into the United States even though their NOx emissions in normal driving far exceeded the legal limits. Volkswagen was the company that perpetrated the illegal activities, not Bosch. But Bosch had sold them the software, a decade earlier. (Bosch even warned them not to use the software in the way Volkswagen used it, because that would be illegal.) 

When it became known what had happened, the Bosch Board of Directors addressed Bosch's (apparently peripheral) role in the scandal by issuing a new Product Development Code. This code had several parts; but among other things it prohibited Bosch from designing any product for any customer with features that a reasonable engineer could expect that customer to use illegally. If a customer asks for such features, even if the features themselves are (strictly speaking) perfectly legal, Bosch is now required to reply, "I'm sorry, Mr. Customer, but we can't do that for you. If that's what you want, we don't want your business." To implement this new Code, Bosch required training classes for every employee worldwide involved in product development, product management, project management, engineering, marketing, or sales. Bosch also required explicit changes to the product release process—enforced by an independent Quality organization—to ensure that the Code has been complied with before any product is released to the market. (This news article discusses Bosch's rollout of the new Product Development Code.)

That's what I mean by "swift and visible action." And it was taken, remember, to respond to a scandal where Bosch was only peripherally involved—so that in the future the company can avoid even the appearance of illegal or unethical behavior.

It's not easy, but it's possible. However, to come back to the original point, these commitments belong in your COTO, along with information about the kind of work that you do and who your major customers are. These commitments are part of the content that is managed by the management system, and not part of the structure of the management system itself.     

__________

* This pun was not exactly intended, but I think it is pretty much inevitable in the present discussion.

Thursday, November 3, 2022

Does ISO 9001 need a regulation about ethics?

"The key principle in selling is honesty. Once you know how to fake that, you’ve got it made."
— from Richard M. Huber, The American Idea of Success, cited by Quote Investigator.

Back in 2020, the ISO Technical Committee 176—they are the ones responsible for publishing ISO 9001 and its family of related standards—wrote a planning document N1308, called Future concepts. It identifies and explains a number of concepts which have to be considered in future revisions of ISO 9001, either because they have not been mentioned before (like "emerging technologies") or because stakeholders have found the existing treatment too thin (like "knowledge management"). Fair enough. This is exactly the kind of planning that you would hope to see.

But one of the topics listed is "Ethics and integrity." And I have to admit, I didn't expect to see that. It made me wonder, Does ISO 9001 need a regulation about ethics?

The report gives five reasons that ethics and integrity are important to Quality management:

  • If people in the organization lie to each other (or, especially, if they lie to their managers) then top management won't know what is really going on and will have trouble making good decisions.
  • If people in leadership roles do not model ethical behavior (if they are not seen to be ethical), then internal and external stakeholders won't trust them.
  • Auditors have to be able to provide audit results to top management without partiality or bias and without fear of retribution, or their audits are worthless.
  • If internal and external communications aren't honest, there is no way to maintain the effectiveness and integrity of the organization's activities and systems.
  • No organization can ever have enough resources to force its people to comply with the Quality Management System if they don't approach their jobs with basic integrity. 

All of these statements are true. All of them are perfectly valid reasons why a concern for ethics and integrity has to be at the root of any Quality system.

So where's the issue?

There are three things about the proposal to add ethical requirements into ISO 9001 that give me pause. I don't exactly disagree, but the proposal raises some questions for me.

My first concern is the simplest: The assumption of truthfulness and integrity is already implicit in the current standard. 

  • When clause 4.1 says, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system," that requirement is formally synonymous with saying, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system, and shall not lie about them."
  • When clause 9.1.3 says, "The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement," that requirement is formally synonymous with saying, "The organization shall analyse and evaluate appropriate and truthful data and information arising from monitoring and measurement, that have not been twisted or misreported by unethical employees or other intermediaries."

For that matter, when a cake recipe in a cookbook lists the required ingredients, there is never a note saying, "Do not substitute flour with sawdust, and do not substitute vanilla extract with battery acid." In general, whenever we read any kind of instruction or requirement anywhere, I think we always assume that the meaning is that we should really do whatever the thing is we are being told to do, and not just pretend. So it's fair to ask, What makes ISO 9001 any different? Why do we have to make the requirement for ethical behavior explicit here, when we never think of doing the same thing in a cake recipe?

My second concern is a little more delicate: How do we plan to audit ethical requirements, and to avoid the risk that ethical topics become politicized? Audits, after all, require objective evidence so that any observer can agree on the facts. But some ethical topics (at least in the United States) are also political topics, where such agreement cannot be assumed in advance. For example, the document Future concepts states that one element of ethical behavior is to "treat others fairly, courteously, with dignity, and without prejudice or discrimination." I assume everyone agrees with that principle. But this country has seen some difficult and painful litigation around the question of exactly what behavior counts as treating others "without prejudice or discrimination." And I do not look forward to a time when individual auditors might feel authorized to rush in where the courts fear to tread. We auditors are like everyone else: our personal opinions are all over the map. So if we are allowed to write audit nonconformities against ethical topics, I hope that we can be given some kind of guidance to ensure we do it in a uniform way.

My third concern is maybe the most fundamental one: With respect to the topic of ethics and integrity, if you have to spell out the requirements in words, you've already lost the battle. We all know that as soon as any requirement is codified in words, people will start weighing the words on a balance scale to figure out how little they can get away with and still comply. We have all seen this, one time or another, whenever there is a written Quality Management System. I'm not saying that every organization just skates by! Not when you look at the big picture. (Of course there are always a few that do.) But even in the best organization, somebody in some department is having a bad day ... and is feeling overworked ... and is asking himself what's the bare minimum he has to do before he can go home. It's the way of the world. Put ethical requirements into the standard, and they become just one more requirement to be niggled to death. It's like the quote at the top of this essay.

Of course, maybe we've gotten to the point that we really need to require ethics and integrity in the standard, because we can't take them for granted otherwise. In other words, maybe the proposal to add ethical requirements should be seen as a symptom of a larger picture about the condition of organizations as a whole. But if that were true, it would make me very sad. And I think that's the kind of situation that no written standard can overcome, precisely because people treat standards as obstacles to be parsed and niggled and lawyered. I hope that ethics and integrity are broader and grander than that, but I might be disappointed.

"When the great Tao is in decline,
Benevolence and loyalty appear.
As wisdom arises, so does hypocrisy.
Only in a feuding family do filial piety and parental doting become conspicuous.
Loyal ministers emerge whenever the country is in chaos."

"When Tao is lost, there is goodness.
When goodness is lost, there is kindness.
When kindness is lost, there is justice.
When justice is lost, there is [compliance to standards]."

— from Lao Tzu, Tao Te Ching, chapter 18 [translated by Han Hiong Tan] and chapter 38 [translated by Gia-fu Feng and Jane English, 1989]    

         

Thursday, October 27, 2022

What's sustainable development? Says who?

Last week I learned that there is a proposal afoot for a brand new ISO management system standard, specifically to support organizations who are trying to address one or more of the United Nations' 17 Sustainable Development Goals. Monday I had a chance to sit in on a webinar that gave some information about this proposal. Here's what I learned. 

Basics

What exactly has been proposed?

The proposal is to create an "International Standard [which] specifies requirements for a Sustainable Development Goals Management System."

What do all those big words mean?

An "International Standard ... for a ... Management System" is any standard like ISO 9001, ISO 14001, or ISO 45001. 

More basically, a management system is the collection of policies, processes, and procedures, plus the corresponding assignment of roles and responsibilities that makes your organization run. I give a brief description of what management systems are in this post here. 

A management system standard is a generic standard that tells you how to set up your management system. It doesn't tell you exactly what words to write or exactly whom to assign to do what; but it says that you have to make sure to cover these topics and those activities, somehow or other. Then it leaves the details to you, because the operational processes for an aircraft manufacturer will be different from the ones for a laundromat.

The phrase "Sustainable Development Goals" refers to a set of 17 goals adopted by the United Nations back in 2015 as part of the 2030 Agenda for Sustainable Development, which the UN website describes as "a shared blueprint for peace and prosperity for people and the planet, now and into the future." These goals represent "an urgent call for action by all countries - developed and developing - in a global partnership," and the list of all 17 is as follows:

  • No poverty
  • Zero hunger
  • Good health and well-being
  • Quality education
  • Gender equality
  • Clean water and sanitation
  • Affordable and clean energy
  • Decent work and economic growth
  • Industry, innovation, and infrastructure
  • Reduced inequalities
  • Sustainable cities and communities
  • Responsible consumption and production
  • Climate action
  • Life below water
  • Life on land
  • Peace, justice, and strong institutions
  • Partnership for the goals

Therefore a management system standard to support the UN's sustainable development goals is a generic standard to tell you how to organize your business (or other group) in order to help you make progress towards one or more of the goals on this list.

Who proposed it?

The Danish Standards Foundation, one of the member bodies of the ISO.

Who wants it?

Companies are asking for guidance. Their stakeholders are asking them to work more sustainably, and then to prove it.

What good will it do? (Or, what needs will it satisfy?)

Some companies are being asked to prove that they work sustainably. Other companies have recognized that if they can offer proof of sustainable operations proactively, that will give them a competitive advantage. But how do you prove something like that? By comparing to a standard.

Then there are companies that don't (yet) feel forced to prove anything to someone else, but they care about the SDG's and want to help them forward. But they don't know where to start, and are asking for some kind of systematic guidance. 

Since there is no established standard right now, multiple private sources are issuing their own. But of course this means there is no consistency in requirements or reporting, so nobody can tell what this or that certification really means without reading all the fine print on each one. ISO is recognized as an international authority. So if ISO issues a standard, that common framework will clear up a lot of confusion. 

What will this involve?

Will organizations be able to certify to it?

Yes.

Will organizations be required to certify to it?

No. It will be a voluntary standard, like ISO 9001.

Let me say that a little more precisely. Some organizations find themselves required to certify to ISO 9001 because their customers insist. But there is no legal requirement anywhere to certify to ISO 9001. In the same way, if your customers ask you to certify to this new standard that's between you and them. But there is no intention that your government will require it.

How will this standard be structured?

Just like all the other modern ISO management system standards.

If we already have an established management system, will we have to scrap it and create a new one to comply with this standard?

Of course not. You should never do that anyway. Set up your management system in whatever way works for you. Just make sure it covers the things that the standard asks it to cover.

Since this one will be structured exactly like ISO 9001, ISO 14001, and the rest of them, it should be very easy for you to plug a few extra requirements into your existing management system and scarcely notice the difference. 

What will this standard actually require an organization to do?

We haven't written it yet, so it's hard to be sure of the details. 😀 But our proposal is that you don't have to address all 17 SDG's to get certified. Pick the ones that are relevant to your business. 

On the other hand this means you have to have a defined process for selecting which SDG's are relevant, not just that you pulled numbers out of a hat. You should have a systematic way to define a sustainable strategy for your business, and then be able to deliver to that strategy.

How will progress be measured?

Already today, each SDG has several "targets and indicators" defined to measure the status of the goal. (Go to the SDG website, and click on each goal in turn for more information, including the complete list of targets and indicators defined for that goal.) These targets and indicators will have to be built into the KPIs for this standard, to keep the measurements consistent and objective, and to avoid the risk of "SDG-washing."

How does this relate to any other standards or committees?

We already have ISO 37101, which is a management system standard for sustainable communities. How does this relate to that?

There will be overlap, to be sure. But sustainable communities are only one of the 17 SDG's. Certainly the committee writing this standard will appreciate all the help we can get from other existing sources.

Will this standard end up replacing ISO 9001?

It shouldn't. They are about different things.

ISO 9001 is still about the quality of goods and services. Yes, it has some very valuable requirements that help your organization run in a successful way: identifying key stakeholders, defining a strategy, settling KPIs, and so on. And ISO 9004 is a great standard for assessing your organizational maturity. But neither of those is really focused on the content of the SDG's, the way this standard would be.

Or did you mean "Will this standard end up becoming the most popular management system standard, the ISO flagship standard, the way ISO 9001 is today?" Well of course we don't know. We do know that the UN SDG's are coming ever more clearly into focus in markets clear across the global economy. We know that people understand how important they are. But I don't think the committee that writes ISO 9001 has anything to worry about.  

Is there already an existing ISO committee who will be responsible for this?

No. If the proposal is accepted, a new committee will have to be created.

Is there already an existing national standard that covers the same subject, so the committee can just copy it and be done?

No.

What is the timeline?

How does the process look from here? What is the timeline?

From now until December 8, 2022, the national standards bodies that comprise ISO will collect input and vote on the proposal. (ANSI's deadline for comments is October 28!)

December 8, 2022, ISO counts the votes. If a majority vote "No," that's the end of it. If a majority vote "Yes," then ISO will establish a committee.

Early 2023, the committee holds meetings on scope, title, and content.

September 1, 2023, the committee circulates the first working draft to experts for comments.

November 1, 2024, the committee submits a Draft International Standard.

November 15, 2025, ISO publishes the completed International Standard.

Wait, ... you don't expect to publish until 2025, and the UN's SDG's are supposed to be due in 2030? That's just five years. How do you expect that timeline to do any good at all?

None of the proposers believes that the SDG's will expire in 2030. They might be updated or reissued or renamed. But if anything, they are likely to become even more important after 2030. So there should be plenty of time for this standard to offer support.

Final questions

How do I join the committee?

Talk to your national standards body and tell them you are interested in helping. Work with them to meet whatever requirements they have in order to make that happen. Or if you already belong to some other entity that will need to establish a liaison with this committee, approach that entity and this committee directly.

Where can I get more information?

The Danish Standards Foundation has set up a website for the proposal here. That website contains a lot of information, including a flyer, plus recordings and presentations from the information webinars. It also contains links to other information sources.

There will be another informational webinar on November 2, 2022, from 8:00-9:00am UTC. That's the middle of the night here in the United States, but in other parts of the world it is a friendlier hour. You can join it by clicking this link.

ANSI's announcement about the proposal is located here.

A complete copy of the proposal can be found here.

I hope this helps.       

      

Thursday, October 20, 2022

Can ISO 9001 stop climate change?

By itself? No, of course not. But can it support the work of others? I'm still dubious, but on that point opinions differ.*


Last year the ISO published the London Declaration. According to the ISO website, "the London Declaration to combat climate change through standards defines ISO’s commitment to achieve the climate agenda by 2050." Among other things, the London Declaration states formally and unequivocally that the ISO will "Foster the active consideration of climate science and associated transitions in the development of all new and revised International Standards and publications." [Emphasis added.] This means that whenever ISO 9001 is next revised, the relevant committees will have to consider climate science and "associated transitions" when writing it.

What will this look like? I've emailed people who know more than I do, to get some idea of what the current thinking is. I haven't heard back from them yet. One person suggested in casual conversation** that there might be no more than a line added to clause 4.1 that the organization "shall consider the implications of climate change" when identifying the "issues ... relevant to its purpose" that make up its Context. But somebody else answered back that, "Some aspects affecting climate change should be addressed in design and development of products and services. Otherwise it's too late." So I have no idea where this will end up. 

My own opinion—and I emphasize, for reasons spelled out below, that this is a personal opinion—is that ISO 9001 should stay in its lane. In the first place ISO 9001 is a Quality management system standard. It's directly focused on the satisfaction of customers and other interested parties. But a company can satisfy its customers without taking any action on climate change, ... unless the customers themselves demand such action, in which case presumably the company is already working on it. In this sense, adding requirements to consider climate change is a distraction from the standard's true job. 

In the second place, ISO 9001 is a generic Quality management system standard, equally applicable to a global manufacturing concern or to a neighborhood five-and-dime. If a local hamburger restaurant wanted to implement ISO 9001, they should be able to do so. But small enterprises like that are unlikely to spend much time or effort considering the implications of climate change. So depending on what new requirements are finally added to the standard, I can see a couple of possibilities.

The requirements might be deep and substantive. In this case, we should expect small and medium-sized enterprises to opt out, because meeting the requirements will be too difficult. If we follow this route, the number of companies who seek new certifications—or maintain their existing ones—will drop significantly. A result like that won't be good for the ISO brand.

The requirements might be superficial. In this case—if the requirements can be satisfied by adding a few words to your Quality Policy and then taking literally no other action—companies probably won't opt out. Quality Policies are easy to edit. But in this case, we should expect the customers of ISO 9001 to get pretty cynical about the exercise. They'll get the idea that they can take credit for fighting climate change just by updating a document that hangs on the wall; they'll know how ineffective that action is; and then how seriously will they take anyone else's statements about climate change? How seriously will they take the ISO brand? This result won't be any better than the last one.

Maybe there's a sweet spot between these two bad outcomes. I sure hope so. But it seems like the easiest way to avoid this dilemma is to stay out of the arena. If ISO 9001 never had to say anything about climate change in the first place—if ISO 9001 left consideration of climate change to other standards that are directly focused on the topic—then it could continue to focus on the areas where it really does some good: on the quality of processes, products, and services; and on the satisfaction of customers and interested parties.

Just an opinion.  

__________

* In the interests of strict compliance with all applicable regulations, it is my duty to inform you that I recently joined TAG 176: that's the American component of ISO/TC 176, who are responsible for writing the ISO 9001 family of standards. As a result, there are formal rules about what information I am allowed to discuss about the committee's work. In particular:

  1. I'm not allowed to reveal the personal data of any other committee member. But that's fine, because I have no interest in talking about individuals. My topic is always the ideas and principles.
  2. I'm not allowed to reveal how any particular individual or National Standards Body voted. But that's fine too. See above.
  3. I'm not allowed to share any presentations or working documents. But I never planned to.
  4. I am allowed to share my personal opinions, so long as I clearly identify them as such (and to be clear everything in the body of this post is hereby identified as a personal opinion), and so long as I don't criticize the committee. But that's fine too, because you should absolutely not take anything I say here as a criticism of the committee. I am confident that the committee will do the best it possibly can, given the parameters that have been mandated by the ISO central authorities.

** This discussion took place during the 2022 ISO/TC176 Plenary Meeting, which is going on this week.

      

Thursday, October 13, 2022

What if ISO had to explain their changes?

Last week, Al Smith posted a suggestion to the ISO 9001 community in LinkedIn as follows:

When a change to ISO 9001 is under consideration, should it require a clear and understandable documented statement of the actual value the change will provide to the user and the QMS performance? Should it also be a requirement that this documented statement be made public [and easily accessible] and also be a required item before approval can be considered?

Would not this aid in [eliminating] the risk of change just for the sake of change?


It's a really good idea; and the longer I thought about it, the more use-cases I came up with. In the first place, of course, it would help the process of rolling out changes to the standard, exactly as Smith described. It seems like there should be less risk of frivolous changes if each change had to be justified in public. And when a change is made, it should cause correspondingly less trouble to persuade the international community of its necessity. Surely both of these consequences are wins.

But let's take it farther. Suppose we extend the requirement for public justification to cover not only changes but the full clauses themselves, so that requirements for document control or corrective action would have to be accompanied by boxed text explaining why they are a good idea.* In some cases it would be pretty easy: anyone who has ever tried to do business without a functioning system for document control or corrective action will know why immediately. Other clauses might require more words, especially if they introduce new concepts like "risk-based thinking" or "context of the organization." But the availability of explanations or examples would make it a lot easier for companies to implement ISO 9001 (or any other management system standard) because they would have a much better idea than they do today what each requirement is for.

This also means that companies could see right away when requirements don't apply. After all, it is simply not true that every clause applies to every organization. The standard may require that such-and-such a function has to be handled in a certain way; but if your organization simply doesn't have that function or anything like it, those clauses don't apply to you. Anyone who is truly familiar with the standard understands this implicitly. The problem is that many organizations who seek to implement ISO 9001 and to be certified to it aren't familiar with the standard. So they end up implementing procedures that they don't need, to protect against failure modes that will never happen because those failure modes pertain to functions that these organizations don't have. This is pure waste.

In some cases, maybe an organization like this will hire a Quality Manager or a Quality Consultant who can tell them they are wasting their time. If he can get them to back off from the unnecessary measures, maybe he can justify some of his salary in the form of cost savings. But (as things stand today) there is always the risk that the company will be assigned an external auditor who doesn't understand the point either, and who writes them up for failing to do something they don't need to do. In that case the Quality Manager or Consultant has a chance to justify a little more of his salary by rejecting the findings, and either educating the auditor or appealing over his head.**

But think how much simpler life would be if all companies understood what the requirements of the standard are there for, and when they apply! All of the added complication, the arcane specialization, and the clerical disputations over transcendental principle could be eliminated. It might put people like me out of a job, but not for long. We're all clever, and we'd find somewhere else to add value. But it would simplify the entire Quality enterprise enormously.

We can always dream.

Of course in the real world it sometimes happens that reforms have unintended consequences. I can imagine a reform like this one going wrong if the people tasked to write all that explanatory text just write for each other, and not for the outside world. Then we'd get "explanations" full of shorthand and unreferenced acronyms, and that wouldn't help anyone. So I guess this idea is not a panacea after all, at any rate not unless we figure out how to put some guardrails around its implementation.

Too bad. I kind of liked it.   

__________

* This is not exactly a new suggestion. Writing in the 4th century BCE, Plato recommended that legislation should always be preceded by an explanatory introduction to say what problem the law was supposed to solve, and to encourage people to follow it. See, in particular, the discussion of "preludes" in his Laws, Book 4, starting around 721B and continuing for several pages. 

** Strictly speaking it is also possible that the company might hire an unethical Consultant who knows perfectly well that they don't need to address this or that clause, but who develops a system that addresses it anyway in order to secure more billable hours of work. I don't like to think about this possibility, so I won't discuss it any further. I hope it is vanishingly rare. But there is nothing today which actually prevents it.   

      

Thursday, October 6, 2022

"A gang with a logo ...."

Back in April I wrote about how the current Russo-Ukrainian war could lead to the unraveling of the system of global certification. Just recently I got the chance to discuss this very issue live, with Kyle Chambers of Texas Quality Assurance and Christopher Paris of Oxebridge International. It was a lot of fun. Kyle brings an infectious energy to any conversation he's a part of, and Chris has a wealth of knowledge about the international certification scheme; so the two of them together fleshed out my original thesis in ways I hadn't expected. (The fun quote in the title is an adaptation of something Chris says, but you have to listen to the podcast to find out who he's describing and what his actual words are!)

So please check us out, and leave a comment!

You can find the podcast version here: #QualityMatters episode 151.

Or there's a version on YouTube that also includes video, which you can find here:


I look forward to hearing your feedback!

     

Thursday, September 29, 2022

Quality policy meme

You may remember I wrote about Quality Policies in a post last year. Then a couple of weeks ago, Kyle Chambers and I discussed them on his #QualityMatters podcast. Here I take one more pass, this time in meme format.

Feel free to let me know if you think I should stick to essays, and leave memes for people who are funnier and more creative ....  😀



Thursday, September 22, 2022

Things change

A few weeks ago I was writing about the Context of the Organization (COTO), and there's one final point I'd like to make before I drop the subject. Your analysis is not a one-time exercise, because your context will change. Therefore you have to review the results and update them from time to time.

Intuitively this should make sense. Things change around you, and it's only natural that you will change to accommodate them. In 2019, only the smallest percentage of American companies had emergency plans in place to address a global pandemic; and the fraction of office jobs that could be done from home was tiny. By the dawn of 2021, every business in the country had figured out how to respond to a pandemic (regardless whether they had formalized the results in a document); and work-from-home had become a lot more common.

You can expect smaller changes, too. One of the outputs from your COTO analysis, after all, is a list of risks for your business. Then once you have a risk list, the basic principles of risk management say that you go to work addressing the most important ones: either take action to prevent them, or to mitigate them, or at least to define contingency actions after the fact in case one of them takes place.

But those very actions themselves now change the risk profile that you face. Maybe when you did your COTO-and-risk analysis you found five high-priority risks. But over the next few months you took steps to prevent two of them outright; you made two of the others a lot less likely (even if still possible); and you defined a recovery plan in case the last one happens. Are you still facing five high-priority risks? Of course not. The list has dropped to three, and (depending how you evaluate the likelihood and impact of those three after the measures you put in place) they might not all be high-priority any more.

Or you might have changed your company's strategy to focus on different products for a different market. Many years ago I worked for a small startup in the B2B space: we made products that we sold to other businesses. But one year we saw an opening and reoriented the company towards making smaller, individual-sized products for the home office market. That was some years before we got ISO 9001 certification, so we didn't have a written scope statement at the time. But if we'd had one, it would have changed. And COTO is directly tied to scope.

So set up a regular schedule to review and re-evaluate your COTO. It's simplest to make this part of your periodic Management Review, since the ISO 9001 requirements for Management Review include checking most of the elements of your COTO anyway. And then, based on the results of your review, propagate the changes to your risk lists and scope statement as well.

Bear in mind that it's a lot less work to revise your COTO than to set it up in the first place. Yes, things change; but mostly they don't all change at once. So it should be pretty simple to read through what you've already got and look for the places you have to edit.

__________

P.S.: This is probably not a burning concern of yours; but one consequence of the foregoing is that, since your QMS is based on your COTO and your COTO changes, there is no such thing as the perfect or final QMS. Everything can change, because everything depends on what you need—under changing conditions—in order to get what you want.    

          
