Thursday, March 30, 2023

The Ramanujan paradox

Last week's post triggered a flurry of angry or disapproving comments (many of them on LinkedIn), but I think I must have expressed myself badly because most of the points that my critics made are things I agree with. So clearly I misled readers into misunderstanding me. Let me try again.

The criticisms that I saw repeated three general points:

  1. Audits add value to the organization. Employees should not fear them.
  2. Auditors should never sleepwalk through an audit.
  3. Organizations should never lie to their auditors.

To be crystal clear, I agree with all three of these points! I never meant to say anything different. What I was trying to talk about was something else altogether. But obviously I failed to make myself clear. So let me take up each of these points in order, and explain what I was trying to say.

1. Remember what it is like to be an auditee

Yes, of course in the big picture audits add value to the organization, or they should. We all know this. It's part of why we work in this field in the first place. And maybe the top management of the audited organization believes it too; sometimes they do. In fairness, though, I have also seen organizations where top management gave lip service to the idea that audits add value, but at the same time the message they sent to their employees was "There better not be any nonconformities." It's sad, but we've all seen organizations like that, too. It takes all kinds.

But even if top management takes the most generous possible approach, none of that helps the line employee who is about to face an auditor. You can repeat until you are blue in the face that no-one will be punished for findings, and the individual line employee still wants to make sure the auditor finds nothing to write up in his area. Go write up somebody else, but not me! Even after you tell your employees not to be afraid of the audit, some of them are anyway—they just hide it from you, because they know you don't want to see it.

So over the years I have had to develop advice that I can give to line employees before an audit, to make them feel that they have some control over what is going on so that they feel less afraid. That's why I tell them to be confident and trust the system. In last week's post, I said, 

... don't look like you are nervous or afraid. When the auditor says "Show me," you say "Sure, that's easy. It's right here." Then you pull out a file that looks like it is supposed to look, ....

Advice like this helps to take the edge off when an auditee is nervous (as they often are). And that makes the audit go better for everyone.

2. Of course auditors don't really sleepwalk

A lot of people hated my use of the word "sleep". One critic said firmly, "If my auditor fell asleep I would send him packing and bring one in that is wide awake and looking to find areas where he can add value." OK, I was trying to be a little funny and it looks like the word wasn't well-chosen. But I thought I went on to explain what I meant by "sleep." What I tried to say was that every auditor has to think along multiple tracks at once. 

  • Along one track, he is asking questions and listening to the answers. 
  • Along another track, he is planning what questions come next, and what direction he wants to turn the investigation. 
  • Along yet another track, he is correlating these answers with answers to similar questions in other departments, to see if they confirm a common system or point to discrepancies. 
  • And along a fourth track he is monitoring the time, to make sure he can be done by the scheduled close. 

All this means it is normally impossible for the auditor to give full attention to the immediate questions and answers—all those other tracks have to be considered as well. So that's why I jokingly talked about the auditor being "asleep" ... because he is only listening to the answers with part of his attention. But this "sleep"—in other words, this multi-track thinking—is not a flaw or a vice. It is an absolute requirement of the job. If you cannot think along multiple tracks at once like this, you cannot be an auditor!

The other thing that some readers seem to have missed is that this multi-track thinking lasts only so long as all the evidence is in order. The most important part of what I said last week is that as soon as the auditor sees something that looks wrong, all the other tracks disappear and he becomes laser-focused on the evidence in front of him. Everyone who has ever audited has experienced this moment: you know what something should look like ... and it doesn't ... and suddenly you forget about the schedule and about your other plans and about everything else except understanding the artifact in front of you. This is the lived experience of every auditor in the world. I called it "waking up" but you can call it something else if you like. The point is that we know what it feels like when it happens. And we know, as auditors, that we won't let anything stop us until we get to the bottom of the discrepancy we have just seen. That's just how auditing is.

3. The Ramanujan paradox

Maybe the most serious misunderstanding is that several people thought I was telling organizations to lie to their auditors. No! Never lie to an auditor. There are a lot of reasons, and maybe someday I'll write a post just about this one point. (If you want to see one, tell me in the comments.) Yes, it's true that I said you should make sure everything looks right. But what some people seem to have overlooked is that the easiest way to look like you are in compliance with a standard is really to be in compliance with it. This is important, so I'll say it again.

The easiest way to look like you are in compliance with a standard is really to be in compliance with it!

Doing it right is always easier than faking it. If you try to fake it, you'll just get caught anyway. And the only way to avoid getting caught is to put in five times as much effort on the fake as it would have cost you to do it right the first time. So make life easier on yourself and everyone else. Do it right the first time. It's less trouble, it's less stress, and you'll sail through your audit.

This principle—I mean, that the easiest way to look like you are in compliance with a standard is really to be in compliance with it—is an important one. I call it the Ramanujan paradox, because it echoes so exactly the story of how G.H. Hardy discovered the great Indian mathematician Srinivasa Ramanujan. Do you know the story?

One morning early in 1913, he [Hardy] found, among the letters on his breakfast table, a large untidy envelope decorated with Indian stamps. When he opened it, he found sheets of paper by no means fresh, on which, in a non-English holograph, were line after line of symbols. Hardy glanced at them without enthusiasm. He was by this time, at the age of thirty-six, a world famous mathematician: and world famous mathematicians, he had already discovered, are unusually exposed to cranks....

.... The script appeared to consist of theorems, most of them wild or fantastic looking, one or two already well known, laid out as though they were original. There were no proofs of any kind. Hardy was not only bored, but irritated. It seemed like a curious kind of fraud....

.... At the back of his mind, ... the Indian manuscript nagged away. Wild theorems. Theorems such as he had never seen before, nor imagined. A fraud of genius? A question was forming itself in his mind. As it was Hardy's mind, the question was forming itself with epigrammatic clarity: is a fraud of genius more probable than an unknown mathematician of genius? Clearly the answer was no. 

—C.P. Snow, from the Foreword to G.H. Hardy's A Mathematician's Apology, pp.30-32.

As with mathematicians, so with management systems. Fraud is far more difficult than doing things right the first time, so take the easy way and do it right.

Conclusion

In the end, I stand by last week's essay, as far as the meaning is concerned. But I really misjudged how to say it. And I apologize to all of my readers for leaving you with misunderstandings. I hope this clarification has helped a bit.

          

Thursday, March 23, 2023

Put the auditor to sleep

One piece of advice that I regularly give organizations when they are facing an upcoming audit—along with more normal advice like "Answer the question that the auditor asked, but you don't have to volunteer anything else"—is, "Put the auditor to sleep."

But I always have to explain what I mean by that.


The point is that when you are an auditor, your mind is usually running along several tracks at once. You've got a list of questions you want to ask the auditee who is standing in front of you right now. But you are also keeping one eye on the clock, because you spent longer than planned talking to the folks in Purchasing and now you have to make up the time somewhere else while still covering the organization in an adequate way. Plus there may be some loose ends from interviews earlier in the day and you are trying to decide if they are worth following up or not. So while the auditee is nervous about being on center stage, the auditor is really only halfway following the discussion. So as long as everything looks normal, routine, even boring ... the auditor will probably be fine with it and willing to move on.

This means everything should look the way it's supposed to look. If the auditor asks for records, you've got them; if you mention a regular meeting, you can produce minutes; records always show the date they were created and the author's name; ... all that kind of thing. Also don't look like you are nervous or afraid. When the auditor says "Show me," you say "Sure, that's easy. It's right here." Then you pull out a file that looks like it is supposed to look, and the auditor gets bored pretty quickly. Before you know it, he's telling you "Thanks for your time, it looks like you're doing a great job." Then he heads back to the conference room to check if it's time for lunch yet.

There is a flip side to this advice, however. It's just to point out that the one thing you want to avoid at all costs is that moment when the auditor has just handed something back to you and then says, "Wait ... can I look at that one again?"

Those words mean that something on the document caught his attention at a subliminal level. He just doesn't know what it is yet. But something was out of place, or missing, or just didn't look right according to the kinds of patterns that auditors look for. And he wants to look at the record again to figure out what it is that flagged his attention.

Those words mean that the auditor just woke up.

All of a sudden, he forgets about the schedule, he forgets about those loose ends from the earlier interviews, and he forgets about the long-winded guy in Purchasing who put him behind. He forgets about lunch. He comes fully awake, and he will scrutinize every line of that document until he figures out what it was that bothered him. Maybe it's something simple, so he can make a note and fall back into semi-somnolence. Or maybe it's a piece of evidence that flatly contradicts all the stuff your CEO said about the company when welcoming him at the Opening Meeting. Maybe it's the beginning of a trail that will lead to him canceling the afternoon's schedule so he can follow it. You just don't know, and in that moment neither does he. But once he's awake, he will make sure to find out.

Don't let this happen to you. Make sure everything looks like it is supposed to look, and you will be in a much securer place. Put your auditor to sleep. 

      

Thursday, March 16, 2023

ISO's rules of confidentiality

[Cartoon caption: Not the same as TAG 176! For the original cartoon, see here.]

Last year I joined TAG (Technical Advisory Group) 176: that's the American delegation to ISO's TC (Technical Committee) 176, which is in turn the committee that writes ISO 9001 and related standards. This lets me join discussions about upcoming developments in the standards, but it also imposes some strict limits on what I am allowed to say. I've alluded to these rules briefly in a couple of earlier posts, but maybe it would be useful for me to take a minute and spell them out clearly.

The point behind the rules is straightforward. On the one hand, it's only natural for people to want to talk about their work; and for people on any of the ISO Technical Committees, their committee contributions are an important part of their work in general. On the other hand, when the ISO publishes an international standard, that standard has (by definition) a very wide impact. A lot of people care about what goes into the standards. And it can be hard to focus on a technical discussion if your friends and neighbors are clamoring for you to take one side or the other ... or if opinion columns on the air or in the newspaper are bickering about it. There's also a good chance that the people arguing the loudest might have a weak grasp of the actual technical issues at stake. So for all these reasons it is clear that common sense requires some level of confidentiality for any discussions that are still under way.

The ISO has defined a set of rules governing communication of committee work, and published them in a booklet. You can download it for free from this link here. The booklet covers multiple topics, including how to participate in committee work and how long to retain documents, but I want to focus specifically on one area: what rules govern the communication of information about the work of committees and working groups, from committee members and to external parties.

(Note that the scope of the regulations is limited to committee members. If you go to a fortune-teller who uses psychic powers to divine what's happening inside the ISO committees, I'm pretty sure the pamphlet doesn't apply. At any rate, there's no reference to psychic powers anywhere in the pamphlet—I checked. 😀 But then you have to decide how accurate you think that report is likely to be.)

With all that said, here are the rules that apply to anything I say or write:

  • I am not allowed to reveal the personal data of any other committee member. That's fine with me, because I have no interest in talking about persons. All I care about in this context are the ideas and proposals.
  • I am allowed to say whether a specific vote passed or failed, but I'm not allowed to reveal how any particular individual or National Standards Body voted. But that's fine too. See above.
  • I am not allowed to speak on behalf of any National Standards Body. That's fine; I wouldn't dream of it.
  • I am not allowed to share any presentations or working documents. And I won't. If I mention that there was a discussion about this or that topic, I will base my remarks strictly on my own memory or my own notes. And I'll never say who was involved in the discussion, or who else agreed.
  • If a committee finally arrives at a consensus opinion, I am allowed to say so.
  • And I am allowed to express personal opinions, provided that I identify them clearly as personal opinions; that I do not criticize or expose the views of others; that I do not speculate on the outcome of future decisions; and that I do not criticize the committee. But, as noted, I never want to talk about persons anyway. And I am confident that the committee will do the best that it can on any of the questions facing it.

These rules are on my mind because there is a Plenary Meeting of TAG 176 ongoing today and tomorrow, and one of the speakers reminded us of them. This speaker was talking about the status of one particular topic that has gotten a lot of attention lately, and urged us to be careful how we spoke about it so that people in the outside community didn't get the wrong idea. Among the specific pieces of advice we were given were these:

  • Don't mislead anyone into thinking that changes to this or that standard are imminent. Even if we do decide to change something someday, there's a long process to go through before we get there.
  • Don't mislead anyone into thinking that TAG 176 has an official position on the issue. Certain committee members have been involved in this or that discussion, and likely they all have personal opinions. But the TAG itself has not taken a position yet.
  • Don't tell your friends they have to make radical changes to their businesses starting tomorrow, when we don't even know if anything will ever be decided ... or how.

All this sounds very practical to me. And it's good to be reminded.


Thursday, March 9, 2023

How do you comply with MANY standards at once?

Since the beginning of the year I've been writing about management systems; and for the last three weeks I've specifically discussed management review. Before I shift to talking about something else, let me touch on one more question. What do you do when you have to comply with several different management system standards all at once?

This is not uncommon. Many companies whose Quality systems are certified to ISO 9001 (for example) also have Environmental systems certified to ISO 14001; many also have Health and Safety systems certified to ISO 45001. And there are many more management system standards than these. Depending on your line of work, there might be yet another—or even several—that apply to you. How do you keep up?

The first step is to simplify. And to my mind that means folding all your multiple management system standards into one Integrated Management System.

After all, there are several features that every management system standard requires. They all require some way to manage documents and records; they all require some definition of management responsibility; they all require training; they all require an internal audit program; and yes, they all require management review. So if you have to comply with three different standards that all require document control, do you set up three different document control systems? I hope not! Whenever requirements overlap, just do it once. Then if there are special details that apply to one standard but not the others, introduce them as features of the common system.

This means that you set up one employee training system, but then you can have a matrix to identify which employees need which classes. Everyone gets trained on company policies and fundamentals; but only these people have to get trained on calibration, and only those people have to get trained on how to analyze environmental aspects and impacts.

It means that you set up one document control system, with a simple indexing method that allows you to retrieve the documents you need for this or that special purpose.

It means that you plan out one master audit schedule for the year. The individual auditors might have to change depending on their respective specialties. But with one master schedule you know that you've covered the whole organization, and you minimize the risk that some department has all their internal audits accidentally cluster in the same month.

And it means that you plan for one program of management reviews. Here you might balk. Doesn't management review have to be focused? Don't we need to have different people in the room to review the QMS than we need for the EMS? If we merge all the management reviews together, won't that waste the time of people who are only needed for one part but have to sit through all the rest?

No. If you design your management review in the ways I've already described, it will be fine.

Of course the technical details out of the QMS will be different from those out of the EMS or some other system. But for the most part you shouldn't bring technical details into the meeting in the first place! If your systems are running correctly, the technical details should (mostly) all have been handled as part of routine operations. And I've already said that you shouldn't bring to the meeting anything that can be handled by routine operations.

The only issues that you have to address in the meeting are things that aren't working, and that cannot be handled anywhere else. These are the topics that require the action of senior management to resolve them. And as long as the topics genuinely require the attention of senior management, it doesn't matter that this topic relates to the QMS and that topic relates to the EMS. Senior management is already used to addressing topics all across the organization, from marketing strategy to financial performance to personnel legislation. They can handle variety here too, so long as you are careful not to swamp them with unnecessary details. Let them deal with the forest; there are plenty of other people who can tackle the trees.

And so far as possible, give yourself one Integrated Management System to follow, not a truckload of special-topic systems for this and that. Keep it simple.

           

Thursday, March 2, 2023

What should you LEAVE OUT of Management Review?

Last week we asked why Management Review gets such bad press. While the activity is fundamental to any Quality Management System, many people in many organizations will do seemingly anything to get out of it. And I summarized the points of a discussion by Bill Hackett of QBD Strategies that listed several common failings. But there is one that didn't make Bill's list, and I think it is important enough to give it a post of its own.

You don't have to report everything you know. Let me explain what I mean.

The ISO 9001:2015 standard identifies in clause 9.3.2 a long list of mandatory topics, issues that have to be considered during management review. You know the list as well as I do, right? Status of actions from previous reviews; changes in internal and external issues; trends in customer satisfaction; quality objectives; process performance; product conformance ... I'm not even halfway through the list yet. It goes on and on.

And many organizations, in order to make things simple for their auditors, use this list verbatim as an agenda for their management review meetings. That way the auditors can quickly check that yes indeed, the organization really did consider all these topics. And to be fair, the list truly is comprehensive. Reviewing all those topics really does ensure that you have gotten a systematic look at your QMS.

The problem is that it is also mind-numbingly dull. And it is totally unnecessary.

Wait, what? That list comes from the standard. How can it be unnecessary?

Simple. The standard never says that you have to report on all these issues. All it says is that "The management review shall be planned and carried out taking into consideration ... [blah, blah, blah]."

What does that mean?

Well, to start with, you have to know where each of these issues actually stands. Is it green or red? On-track or off? So when you are preparing the meeting, you still have to do all the same work you do today.

More than that, you have to check: if a metric is red, or if some process is off-track, is it already being handled in the normal course of business? Did your existing systems already pick up the deviation and address it? Again, make sure you know the status of every single point. 

Collect all this data and file it somewhere as the background to the meeting. That way you can show it to your auditor to prove that yes, you really did "take into consideration" each of the required topics.

But when you plan the actual meeting itself, don't waste your time reporting any metric that's green, and don't waste your time explaining any deviation that's already been handled by your regular business operations. You should have the data at your fingertips, of course. If anybody asks about it, you should be able to answer the question with a single mouse click. And if any of that data shows disturbing trends (that haven't been handled yet), naturally you want to bring those trends forward to discuss them.

But the only topics you should plan to address during your management review meeting are topics that cannot be handled anywhere else: topics that are going badly, and that require the intervention of senior management to set them right. 

Yes, you have to "take into consideration" the entire scope of your QMS, to make sure you don't miss something. But there is no law that says you have to give valuable meeting time to things that are going fine. Focus where it hurts.

This way the meetings are shorter, and each topic has an urgency. That makes each topic meaningful. Your attendees will care, and they will listen. It's better this way.

           
