Is ISO 9001 really worth it?

At the very end of my last post, I talked about the possibility that an organization (in that case, a university) might seek to apply ISO 9001 for the sake of intrinsic benefits: not because anyone required it, but for its own sake. But is that possible? Are there any intrinsic benefits to ISO 9001, benefits other than getting a certificate because your customers demand it? Often I get the same question posed in slightly different words: "Is ISO 9001 certification really worth all that time, effort, and money? Where's the payback?" 

Of course there is nothing magic about certification. An ISO 9001 certificate won't guarantee success, and it doesn't prove that your products and services are any good; at best it attests that you have systems in place to react when they are bad, and to improve over time. Likewise, as I have said before, there is nothing magic about following any system blindly; the rules are at best just techniques to help you get the right results, but you still have to know what you are doing and to care about it. With all that in mind, is ISO 9001 really worth it?

It's a fair question. ISO 9001 really does require a certain amount of time, effort, and money to implement, and no business should have to spend those without a reason. But the answer starts by pointing out that it is really two questions.

The first question is whether it is worth the time and effort to run your company in the way it would have to be run so that you could be certified any time you choose. This means doing all the things that the ISO 9001 standard requires: identifying your interested parties, their needs, and your risks; and then implementing accountability and control, process and review, conscious decision and continuous improvement. And the answer to this question is that every organization benefits from these things, so this part is always worth it.

As an aside, a month or two ago I saw this point picked up in an article in Quality Digest, called "Quality 2022: Two Big Changes Ahead." The author argues precisely that Quality can be a profit center, or at any rate a value-adding activity. He writes:

... rather than using ISO 9001 as a compliance tool, we’re seeing it embraced as a strategy for business excellence. Some fearless quality teams are asking: “Why should we deal with ‘risk management?’ Why don’t we focus on risk avoidance? Why can’t our processes be set up to completely sidestep risk altogether? Why do we have the equivalent of a line item in our consumer products division’s product liability budget to cover the cost of killing two people annually? Let’s not have to plan for that! Let’s make very sure we don’t.”

When you start thinking about risk avoidance that results in not just saving, but creating piles of money, you in fact are thinking of quality as a profit center.

The second question is whether it is worth the money to get formal certification: this means paying for an external auditor to look you over and write a report, and then it means paying a certification body to act on that report so you can get your certificate. These costs are not prohibitive, but they are certainly not trivial. And the answer to this question is that while every company benefits from doing things well, not every company benefits from having a certificate to hang on the wall attesting that they do things well. If having this certificate will bring you more new business than it costs you to get it — because more new customers will be willing to trust you, or because your major existing customers have announced that all their suppliers must henceforth be ISO 9001 certified — then it is worth the money to get the certificate. If not, not.