Requirements: theirs and yours

Quality is often defined as "meeting customer requirements" or "meeting customer expectations." (Longtime readers may recall that I discussed that definition along with others in this early post last year.) But in a post a couple weeks ago, when discussing how to handle ethical questions in your organization, I described the Bosch Product Development Code, an element of the Bosch Code of Business Conduct which states clearly that "Legality and the Bosch values take precedence over customers’ wishes." How can this be Quality? If Quality means "meeting customer requirements," what grounds does any company have for saying that other considerations are more important?

Image by Edar from Pixabay

At one level, this is easy. Any responsible company will review orders before accepting them, to make sure they can actually fulfil what is asked. (ISO 9001:2015 requires such a review in section 8.2.3.) If this review reveals customer requirements that the company is unable or unwilling to fulfil, the latter is generally within its rights to reject the order. The order might be impossible, or it might be illegal, or it might just be a bad fit for the kind of work the company does best: in any of those cases, the right response is, "I'm sorry but that's not for us."

This highlights why it is inadequate to define Quality merely as "meeting customer requirements." Your organization likely has rules or considerations of its own that also have to be taken into account. These organizational considerations are the boundary conditions inside of which you operate. But critically, they count as requirements, and they have to be considered along with the other requirements that come externally, from the customer. Then you evaluate whether the whole package is something you can achieve or not.

Another way to describe your organizational requirements is that they are part of the Context of your Organization (COTO), and they should surface during your COTO analysis. But this means that your COTO analysis is in essence a requirements review for the organization. That is to say, ... well, we all know what a requirements review is for a product: you get the right people together in a room, and you generate a list of everything the product has to fulfil. You work through the list to ensure that it is consistent, that it complies with all applicable regulations or boundary conditions, and that it is achievable.

But that's exactly what you do in your COTO analysis: you identify all the interested parties who want something from you, list what they want, itemize any other issues you have to address, and then figure out what you are really going to do. In the end, your final list of constraints that form the framework of your management system has to be consistent (or else different departments will pull in different directions, guaranteeing failure); it has to comply with applicable regulations (if only to ensure nobody goes to jail); and it has to be achievable (or else, again, you guarantee failure). In other words, your COTO is the requirements list for your organization.

And that means that, conceptually, the rejection of this or that customer requirement on the grounds of ethics—or legality, or profitability, or anything else—is no big deal. It's just a case where one requirement conflicts with another. This happens all the time, and the answer is always to analyze the conflict until you figure out which requirement takes priority. That's what you are doing here.  

    

Why do we have standards, anyway?

Last week's post triggered a lot of discussion, mostly on LinkedIn. One of the topics was over the fundamental purpose of the ISO 9001 standard: is it primarily a tool to use internally (for continual improvement), or externally (for certification)? In the end, Christopher Paris resolved the question by explaining in detail the history of the standard's development, and showing that external certification was baked into the concept from the beginning. 

But I'd like to suggest that the same conclusion should have been clear even without knowing the history in a lot of detail. It all stems from the basic nature of standards in general.

Why do we need standards? A standard is like a common language: it allows us to do business with strangers, because we know that we are both talking about the same thing. Whenever a market gets full or busy or complex, whenever there are many people buying and selling from each other, you need standards that everyone can align on. The alternative is chaos. This is many times truer when trade crosses international borders.

The Last Day of the Sale, by George Bernard O'Neill

And in fact many of the standards issued by the ISO are technical standards whose whole purpose is to ensure that common products align to uniform specifications around the world, so that you can buy them anywhere. ISO 3290-1 and ISO 3290-2 specify the uniform characteristics of ball bearings. (ISO 3290-1 covers steel ball bearings, while ISO 3290-2 covers ceramic ones.) As a result you can buy your ball bearings from any manufacturer, anywhere in the world, who complies with these standards—and you are guaranteed that they will fit your application interchangeably with the ball bearings you already have. Knowing you can rely on this uniformity is tremendously valuable.

In the same way, if a company follows ISO 9001, then we think we know something about them even before we place our first purchase order. We are not guaranteed that their products are flawless! But if they follow ISO 9001, then at the very least they should have (for example) some kind of system in place to evaluate orders before accepting them. They should have other systems in place for handling customer complaints, in case there are any. And so on. Knowing these things gives us greater confidence about doing business with them, or it should. (In exactly the same way, the whole point of the proposed management system standards to support the UN's sustainable development goals, which I discussed at some length last month, is to provide a common and uniform frame of reference so that companies who want to explain what they are doing to advance these goals can trust that they will be understood.)

But wait—if a company tries to persuade us that they have reliable systems in place because they follow ISO 9001, why should we believe them? Because they say so? People can say anything. The only way that the ISO 9001 standard can possibly do its job as a standard—the only way it can make good on its promise of uniformity—is if there is some objective way to tell the difference between companies that have implemented it and companies that have not. This is the point of certification (or it is supposed to be). Someone external, someone objective, someone who does not have a stake in the success or failure of the company under evaluation—that person has to come out, look around, and then tell us whether the company's implementation of ISO 9001 is real or sham. Without that step, ISO 9001 can no longer be a standard; and whatever residual value it might still have as a source of moral exhortation, it has always been sold to the world as a standard.

So I think the need for external certification is necessarily part of the whole concept behind ISO 9001. And it does not surprise me, therefore, to learn that the history bears this out. 

       

So how DO you talk about ethics?

Last week I wrote about whether ISO 9001 should be revised to address questions of ethics. In reply, Krishna Gopal Misra of Qualitymeter.com published a detailed essay on LinkedIn about the role of ethics in relation to any management system. I am grateful for Mr. Misra's essay, which makes the important point that ethical principles are not so much a part of a management system as logically prior to it. A management system tells you how to organize in order to get what you want; but it cannot tell you what to want. That is the job of your Vision, and thereby of your strategy and policies. Without a Vision, the management system itself is blind,* and the organization is directionless. At that point there is nothing to stop the organization from doing very bad things, and Mr. Misra gives some chilling examples in his essay. 

What should you do instead? If you want to avoid the moral aimlessness that Mr. Misra warns against, how do you talk about ethical principles in your organization if not in the management system? Or to put the question another way, the management system defines a framework for how to run your organization: where in that framework do your ethical principles belong?

They have to come right at the beginning, so that they become ground rules to inform everything else. This means that your ethical principles have to be part of the Context of your Organization (COTO). They have to be among the fundamental requirements that you are in business to satisfy in the first place.

I used to work for Robert Bosch; and while I normally avoid discussing previous employers by name, I always admired Bosch's explicit and stated commitment to ethical behavior. This commitment grew out of the deep personal beliefs of Herr Bosch himself, back when he was still alive and steering the company personally. He once said—in a remark that every Bosch employee must surely know by heart—"I would rather lose money than trust." (If you are interested, you can find a copy of the Bosch Code of Business Conduct at this link here.)

And it has to be more than slogans. In order to be worth anything, a policy of corporate ethics has to be reinforced with action at every turn. Bosch promoted its ethical policies in several ways. One prominent way was through a corporate training program, which required every employee to take classes on specific topics. These classes repeated at stated intervals: some every year, or every two. The longest interval between repetitions was three years. The classes themselves covered topics like recognizing and avoiding conflicts of interests, or respecting the principle of legality in all daily work. Mr. Misra explained that sometimes companies resort to bribing government officials to get what they want; Bosch had a separate class all about how Bosch employees are strictly forbidden to engage in bribery. The instructors even explained that there are some countries in the world where bribery is expected as a normal part of doing business; and they freely admitted that Bosch's strict anti-bribery policies make it harder to compete in those markets. When someone asked "So what are we supposed to do in those countries?" the instructors just smiled and said the only thing to do was to make the products even better, so they would sell despite interference from disgruntled government officials who expected bribes but didn't get them.

No training program will ever turn men into angels. Somewhere along the line, somebody will make a mistake and do something wrong—even at Bosch. When that happens, it is important to take swift and visible action. You may remember back in 2015, when news broke about the Volkswagen emissions scandal (sometimes called "Dieselgate"). Volkswagen had been caught using software to circumvent laboratory emissions testing, so that their cars could be passed by the EPA and sold into the United States even though their NOx emissions in normal driving far exceeded the legal limits. Volkswagen was the company that perpetrated the illegal activities, not Bosch. But Bosch had sold them the software, a decade earlier. (Bosch even warned them not to use the software in the way Volkswagen used it, because that would be illegal.) 

When it became known what had happened, the Bosch Board of Directors addressed Bosch's (apparently peripheral) role in the scandal by issuing a new Product Development Code. This code had several parts; but among other things it prohibited Bosch from designing any product for any customer with features that a reasonable engineer could expect that customer to use illegally. If a customer asks for such features, even if the features themselves are (strictly speaking) perfectly legal, Bosch is now required to reply, "I'm sorry, Mr. Customer, but we can't do that for you. If that's what you want, we don't want your business." To implement this new Code, Bosch required training classes for every employee worldwide involved in product development, product management, project management, engineering, marketing, or sales. Bosch also required explicit changes to the product release process—enforced by an independent Quality organization—to ensure that the Code has been complied with before any product is released to the market. (This news article discusses Bosch's rollout of the new Product Development Code.)

That's what I mean by "swift and visible action." And it was taken, remember, to respond to a scandal where Bosch was only peripherally involved—so that in the future the company can avoid even the appearance of illegal or unethical behavior.

It's not easy, but it's possible. However, to come back to the original point, these commitments belong in your COTO, along with information about the kind of work that you do and who your major customers are. These commitments are part of the content that is managed by the management system, and not part of the structure of the management system itself.     

__________

* This pun was not exactly intended, but I think it is pretty much inevitable in the present discussion.            .

Does ISO 9001 need a regulation about ethics?

"The key principle in selling is honesty. Once you know how to fake that, you’ve got it made."
— from Richard M. Huber, The American Idea of Success, cited by Quote Investigator.

Back in 2020, the ISO Technical Committee 176—they are the ones responsible for publishing ISO 9001 and its family of related standards—wrote a planning document N1308, called Future concepts. It identifies and explains a number of concepts which have to be considered in future revisions of ISO 9001, either because they have not been mentioned before (like "emerging technologies") or because stakeholders have found the existing treatment too thin (like "knowledge management"). Fair enough. This is exactly the kind of planning that you would hope to see.

But one of the topics listed is "Ethics and integrity." And I have to admit, I didn't expect to see that. It made me wonder, Does ISO 9001 need a regulation about ethics?

The report gives five reasons that ethics and integrity are important to Quality management:

• If people in the organization lie to each other (or, especially, if they lie to their managers) then top management won't know what is really going on and will have trouble making good decisions.
• If people in leadership roles do not model ethical behavior (if they are not seen to be ethical), then internal and external stakeholders won't trust them.
• Auditors have to be able to provide audit results to top management without partiality or bias and without fear of retribution, or their audits are worthless.
• If internal and external communications aren't honest, there is no way to maintain the effectiveness and integrity of the organization's activities and systems.
• No organization can ever have enough resources to force its people to comply with the Quality Management System if they don't approach their jobs with basic integrity. 

All of these statements are true. All of them are perfectly valid reasons why a concern for ethics and integrity has to be at the root of any Quality system.

So where's the issue?

There are three things about the proposal to add ethical requirements into ISO 9001 that give me pause. I don't exactly disagree, but the proposal raises some questions for me.

My first concern is the simplest: The assumption of truthfulness and integrity is already implicit in the current standard. 

• When clause 4.1 says, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system," that requirement is formally synonymous with saying, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system, and shall not lie about them."
• When clause 9.1.3 says, "The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement," that requirement is formally synonymous with saying, "The organization shall analyse and evaluate appropriate and truthful data and information arising from monitoring and measurement, that have not been twisted or misreported by unethical employees or other intermediaries."

For that matter, when a cake recipe in a cookbook lists the required ingredients, there is never a note saying, "Do not substitute flour with sawdust, and do not substitute vanilla extract with battery acid." In general, whenever we read any kind of instruction or requirement anywhere, I think we always assume that the meaning is that we should really do whatever the thing is we are being told to do, and not just pretend. So it's fair to ask, What makes ISO 9001 any different? Why do we have to make the requirement for ethical behavior explicit here, when we never think of doing the same thing in a cake recipe?

My second concern is a little more delicate: How do we plan to audit ethical requirements, and to avoid the risk that ethical topics become politicized? Audits, after all, require objective evidence so that any observer can agree on the facts. But some ethical topics (at least in the United States) are also political topics, where such agreement cannot be assumed in advance. For example, the document Future concepts states that one element of ethical behavior is to "treat others fairly, courteously, with dignity, and without prejudice or discrimination." I assume everyone agrees with that principle. But this country has seen some difficult and painful litigation around the question of exactly what behavior counts as treating others "without prejudice or discrimination." And I do not look forward to a time when individual auditors might feel authorized to rush in where the courts fear to tread. We auditors are like everyone else: our personal opinions are all over the map. So if we are allowed to write audit nonconformities against ethical topics, I hope that we can be given some kind of guidance to ensure we do it in a uniform way.

My third concern is maybe the most fundamental one: With respect to the topic of ethics and integrity, if you have to spell out the requirements in words, you've already lost the battle. We all know that as soon as any requirement is codified in words, people will start weighing the words on a balance scale to figure out how little they can get away with and still comply. We have all seen this, one time or another, whenever there is a written Quality Management System. I'm not saying that every organization just skates by! Not when you look at the big picture. (Of course there are always a few that do.) But even in the best organization, somebody in some department is having a bad day ... and is feeling overworked ... and is asking himself what's the bare minimum he has to do before he can go home. It's the way of the world. Put ethical requirements into the standard, and they become just one more requirement to be niggled to death. It's like the quote at the top of this essay.

Of course, maybe we've gotten to the point that we really need to require ethics and integrity in the standard, because we can't take them for granted otherwise. In other words, maybe the proposal to add ethical requirements should be seen as a symptom of a larger picture about the condition of organizations as a whole. But if that were true, it would make me very sad. And I think that's the kind of situation that no written standard can overcome, precisely because people treat standards as obstacles to be parsed and niggled and lawyered. I hope that ethics and integrity are broader and grander than that, but I might be disappointed.

"When the great Tao is in decline,
Benevolence and loyalty appear.
As wisdom arises, so does hypocrisy.
Only in a feuding family do filial piety and parental doting become conspicuous.
Loyal ministers emerge whenever the country is in chaos."

"When Tao is lost, there is goodness.
When goodness is lost, there is kindness.
When kindness is lost, there is justice.
When justice is lost, there is [compliance to standards]."

— from Lao Tzu, Tao Te Ching, chapter 18 [translated by Han Hiong Tan] and chapter 38 [translated by Gia-fu Feng and Jane English, 1989]