Does ISO 9001 need a regulation about ethics?

"The key principle in selling is honesty. Once you know how to fake that, you’ve got it made."
— from Richard M. Huber, The American Idea of Success, cited by Quote Investigator.

Back in 2020, the ISO Technical Committee 176—they are the ones responsible for publishing ISO 9001 and its family of related standards—wrote a planning document N1308, called Future concepts. It identifies and explains a number of concepts which have to be considered in future revisions of ISO 9001, either because they have not been mentioned before (like "emerging technologies") or because stakeholders have found the existing treatment too thin (like "knowledge management"). Fair enough. This is exactly the kind of planning that you would hope to see.

But one of the topics listed is "Ethics and integrity." And I have to admit, I didn't expect to see that. It made me wonder, Does ISO 9001 need a regulation about ethics?

The report gives five reasons that ethics and integrity are important to Quality management:

• If people in the organization lie to each other (or, especially, if they lie to their managers) then top management won't know what is really going on and will have trouble making good decisions.
• If people in leadership roles do not model ethical behavior (if they are not seen to be ethical), then internal and external stakeholders won't trust them.
• Auditors have to be able to provide audit results to top management without partiality or bias and without fear of retribution, or their audits are worthless.
• If internal and external communications aren't honest, there is no way to maintain the effectiveness and integrity of the organization's activities and systems.
• No organization can ever have enough resources to force its people to comply with the Quality Management System if they don't approach their jobs with basic integrity. 

All of these statements are true. All of them are perfectly valid reasons why a concern for ethics and integrity has to be at the root of any Quality system.

So where's the issue?

There are three things about the proposal to add ethical requirements into ISO 9001 that give me pause. I don't exactly disagree, but the proposal raises some questions for me.

My first concern is the simplest: The assumption of truthfulness and integrity is already implicit in the current standard. 

• When clause 4.1 says, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system," that requirement is formally synonymous with saying, "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system, and shall not lie about them."
• When clause 9.1.3 says, "The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement," that requirement is formally synonymous with saying, "The organization shall analyse and evaluate appropriate and truthful data and information arising from monitoring and measurement, that have not been twisted or misreported by unethical employees or other intermediaries."

For that matter, when a cake recipe in a cookbook lists the required ingredients, there is never a note saying, "Do not substitute flour with sawdust, and do not substitute vanilla extract with battery acid." In general, whenever we read any kind of instruction or requirement anywhere, I think we always assume that the meaning is that we should really do whatever the thing is we are being told to do, and not just pretend. So it's fair to ask, What makes ISO 9001 any different? Why do we have to make the requirement for ethical behavior explicit here, when we never think of doing the same thing in a cake recipe?

My second concern is a little more delicate: How do we plan to audit ethical requirements, and to avoid the risk that ethical topics become politicized? Audits, after all, require objective evidence so that any observer can agree on the facts. But some ethical topics (at least in the United States) are also political topics, where such agreement cannot be assumed in advance. For example, the document Future concepts states that one element of ethical behavior is to "treat others fairly, courteously, with dignity, and without prejudice or discrimination." I assume everyone agrees with that principle. But this country has seen some difficult and painful litigation around the question of exactly what behavior counts as treating others "without prejudice or discrimination." And I do not look forward to a time when individual auditors might feel authorized to rush in where the courts fear to tread. We auditors are like everyone else: our personal opinions are all over the map. So if we are allowed to write audit nonconformities against ethical topics, I hope that we can be given some kind of guidance to ensure we do it in a uniform way.

My third concern is maybe the most fundamental one: With respect to the topic of ethics and integrity, if you have to spell out the requirements in words, you've already lost the battle. We all know that as soon as any requirement is codified in words, people will start weighing the words on a balance scale to figure out how little they can get away with and still comply. We have all seen this, one time or another, whenever there is a written Quality Management System. I'm not saying that every organization just skates by! Not when you look at the big picture. (Of course there are always a few that do.) But even in the best organization, somebody in some department is having a bad day ... and is feeling overworked ... and is asking himself what's the bare minimum he has to do before he can go home. It's the way of the world. Put ethical requirements into the standard, and they become just one more requirement to be niggled to death. It's like the quote at the top of this essay.

Of course, maybe we've gotten to the point that we really need to require ethics and integrity in the standard, because we can't take them for granted otherwise. In other words, maybe the proposal to add ethical requirements should be seen as a symptom of a larger picture about the condition of organizations as a whole. But if that were true, it would make me very sad. And I think that's the kind of situation that no written standard can overcome, precisely because people treat standards as obstacles to be parsed and niggled and lawyered. I hope that ethics and integrity are broader and grander than that, but I might be disappointed.

"When the great Tao is in decline,
Benevolence and loyalty appear.
As wisdom arises, so does hypocrisy.
Only in a feuding family do filial piety and parental doting become conspicuous.
Loyal ministers emerge whenever the country is in chaos."

"When Tao is lost, there is goodness.
When goodness is lost, there is kindness.
When kindness is lost, there is justice.
When justice is lost, there is [compliance to standards]."

— from Lao Tzu, Tao Te Ching, chapter 18 [translated by Han Hiong Tan] and chapter 38 [translated by Gia-fu Feng and Jane English, 1989]