It's Hallowe'en. Once again, it's time for something spooky.
This year I'm going to quote a commercial product. It's a Demotivational® poster from the folks over at Despair Inc. It starts with one of the basic commonplaces of the Quality business, and spells out the awful consequences of taking it literally.
The race for quality has no finish line;
so technically, it's more like a death march.
Click here to jump to their site, where you can order these words of wisdom on a poster or a mug.
Last week I wrote about the peculiar fact that multinational corporations seem able to avoid unwelcome regulation, at least in certain cases, by the expedient of quitting the country to go elsewhere. This approach is admittedly a bit extreme, so today I want to talk briefly about another—much more common—way that some companies try to get around rules that forbid them to do Bad Things: hire a scoundrel as an external supplier to do the Bad Thing for you. That way your hands are clean … well, more or less … and dealing with the regulators becomes his problem.
This approach has become so common in international trade that it almost passes without comment. If your company makes widgets, and if you are regularly undersold by competitors because wages in your country are so high or environmental regulations add extra costs, someone is sure to suggest that you relocate your factories to another country where neither of these considerations is in play. Alternatively you can outsource the actual manufacturing to a supplier in the other country. That way you aren't paying the low wages, and you aren't causing the adverse environmental effects; but you still get your widgets a lot cheaper than before.
Of course, any such gains are temporary. If you can save money by moving your manufacturing to Ruritania, so can your competitors. Then some other country comes into view, with even lower wages and even worse environmental protections, and everyone moves there instead. Soon countries are competing against each other in a "race to the bottom." As I have discussed in an earlier post, in the long run nobody wins such a race. But in the short run, some companies find it compelling; and after all, "In the long run we are all dead."*
I assume that the same dynamic probably operates domestically as well. That is to say, I have no personal knowledge of any domestic companies who exist so that their clients can skirt inconvenient legal or ethical constraints, but it wouldn't surprise me. Some people don't mind sketchy work, and some people will do anything for a price.
The good news is that ISO 9001 explicitly disallows this! Clause 8.4.2(a) of ISO 9001:2015 states clearly that:
The organization shall ensure that externally provided processes remain within the control of its quality management system; ….
So if you design and sell a product, but you outsource its manufacture to someone else, you are still responsible for what they do.
Most of the time, this responsibility is for very practical reasons. Maybe you do much of your own manufacturing, but there's one specific process that you outsource. Well, if you require that all your manufacturing equipment must be calibrated to a specific tolerance, don't you want to flow down that same requirement to the supplier who is executing this one special process? If you don't, their uncalibrated equipment might ruin all the exactitude you achieved with your carefully-calibrated equipment, and you'll have to scrap the whole lot. Nine times out of ten, or 99 times out of 100, this is the kind of "control" that really matters. Mostly ISO isn't afraid that you are going to try to do Bad Things in an underhanded way, because most people just don't do that. But ISO is concerned that when your process is executed, you get what you want.
To be clear, this clause does not mean that you have to know your supplier's business better than they do. It does not mean that you have to define the details of their operating procedures. The whole reason you are hiring them should be that they are experts in whatever you want them to do.
Nor does it mean that if your company has to be certified to AS9100 because you are building aerospace parts, then the caterer that you hire to provide lunch has to be certified to AS9100 as well. (I hope that's obvious.)
But if you have any overall constraints that apply to all of the work inside your QMS—like the calibration example I just gave—then (where it is relevant and meaningful) you have to flow down those requirements to your supplier.
And if you happen to be the one case in 1000 who wants to get away with a Bad Thing by hiring a scoundrel to do it for you, … don't. Just don't.
__________
* John Maynard Keynes, A Tract on Monetary Reform, 1923. Quoted many places around the Internet, for example here.
This morning, Quality Digest published my article, "When ISO 9001 Fails." It's their article now so I won't post the text of it here, but you can find it by following the link. I hope you find it useful!
And now, if I may digress momentarily from the main stream of this evening's symposium,* … I'd like to raise a question which relates more to regulatory compliance than to Quality per se, but which has bothered me from time to time, and which seems to lurk on the margins of other—more normal—Quality topics. (In fact I plan to discuss one of these next week, in a follow-on essay.)
The background is this: First, we all know there is such a thing as global trade. In fact, the whole point of international standards is to facilitate global trade. As I explained once in this forum a couple of years ago, "A standard is like a common language: it allows us to do business with strangers, because we know that we are both talking about the same thing."
Third, we all understand more or less how companies are regulated. Some authority codifies a set of rules: those rules might be voluntary (like ISO 9001) or legally mandatory (like health and safety regulations). Then the company decides whether they want to abide by these rules. (In the case of mandatory legislation, we should assume that the answer is always Yes.) If yes, the company takes steps to implement the rules; and if they fail, there is some kind of system in place whereby someone can complain. When the authorities get a complaint they check the facts; and if the company has indeed failed to meet the requirements, the authorities react accordingly. In the case of ISO 9001, the responsible Certification Body can decertify the company; in the case of legal noncompliance, the relevant government can impose civil or criminal penalties.
Now finally here's the question: How do you regulate an international company?
I fear that the answer may be: Mostly you can't. I'll explain why, but I would be delighted if you can show me where I am wrong.
Let's say that some local company violates a local regulation. Government inspectors come out to check the status, and—depending on the severity of the issue—they might give the company written notice to correct the problem in a defined time, or they might padlock the doors. If company personnel try to interfere with the government inspectors, they can be arrested. And since it's a local company, that's all it takes to stop them doing whatever Bad Thing they were doing. Problem solved.
Suppose that the company has multiple branches in the same state: then, depending on the nature of the Bad Thing that Law Enforcement is trying to stop, they might have to take a heavier approach. Or they might leave the branches alone but target headquarters. If the company has branches all over the United States, Law Enforcement has to get more ambitious still, because sometimes state laws disagree (so the Bad Thing might be legal in another state). Also, local Law Enforcement is unlikely to have jurisdiction in another state, and so will have to coordinate with other agencies in order to stop the Bad Thing once and for all.
But if the company has offices all over the world, then what? The very most that American Law Enforcement authorities can possibly do is to arrest whichever company personnel happen to be located inside the United States. But they are powerless over the offices in Ruritania or Grand Fenwick.
In the ordinary course of things, a multinational company will probably find it convenient to comply with routine local regulations, because they will see those regulations as just a cost of doing business. As long as the opportunities in a country are bigger than the costs, they are likely to cooperate. But this cooperation is strictly a voluntary choice on their part. In an extreme case, they can always shut down the local offices and leave.
This strategic departure from a country because you don't like the laws is what I call the Braganza gambit. The Braganza family ruled Portugal and the Portuguese Empire from 1640 until 1910. During the Napoleonic Wars in the early nineteenth century, Napoleon Bonaparte installed many of his relatives in thrones across Europe. His method—used for example in the Peninsular War against Spain—was to defeat a country and capture the royal family; then he could force them to abdicate in favor of one of his relatives and move on to the next country.
But not in Portugal. The Braganzas saw what Napoleon was doing and realized they were next. So they moved the entire royal court to Brazil, which was at that point part of the Portuguese Empire. When Napoleon conquered Lisbon, the royal family was nowhere to be found. (In the end they liked it in Brazil, and didn't move back until 1821—long after Napoleon was no longer a threat.)
So there you have it. Multinational corporations have the privilege—unavailable to local corporations—that they can (within limits) decide which legal regulations they feel like following. And in case any regulation is too burdensome for them to tolerate, they have the option of leaving the country.**
If a multinational corporation decides to use the Braganza gambit to avoid an onerous regulation, about the only leverage the abandoned country has is to close its markets. "If you won't abide by our rules, you can't sell your goods here." Whether that's a meaningful threat depends very much on the particular details, and of course sometimes the same maneuver plays out in reverse: a company might refuse to sell into a certain country until this or that policy is changed. It is hard to generalize about how effective either tactic is.***
What do you think? Am I wrong? Is there something I've neglected?
Or can multinational corporations escape troublesome regulation just by moving abroad?
** There's even a related line of thought that protects international organizations. Concretely, if you or I (as private citizens) feel wronged by some decision from an international organization like the WEF or the ISO, we may find it hard to sue them for redress because it's not at all clear which court—if any—has the appropriate jurisdiction.
*** Certainly this is the logic behind international economic sanctions, where—in this case—one government requires all the companies subject to it to avoid business in another country until that other country changes its policies. When small countries are subjected to coordinated sanctions, the effects can be crippling. When large countries are subjected to them, the results are not so immediate. Consider, for example, this recent video by a YouTube creator "Eli from Russia," who publishes travel information (and strictly avoids politics). She describes the impact of sanctions on Russia, and the results have been (to say the least) not uniform.
When the ISO 9001 standard requires you to take action to address your risks and opportunities, it includes this admonition in clause 6.1.2: Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
OK, I guess that's fine, but what does it mean? What does it take for your actions to be "proportionate" to the risks they address?
The word is never defined—or at any rate, neither ISO 9001 nor ISO 9000 defines it. But intuitively I think we all have a sense for what it means, don't we? The basic idea is ancient: Nothing in excess.* If you face a risk that might, at worst, cost you $100, then it is foolish to spend $1000 to prevent it. That cost, or that level of effort, is disproportionate to the $100 downside that you face from the unmitigated risk. Most of the time, we probably don't need a definition more exact than that.
But "sometimes the clearest way to explain what a rangatang [sic] is, is to 'tell what it ain't.'"** A couple of months ago, I stumbled upon a blog post from 2016 that explains the concept of disproportionality with crystal clarity. The author of the post—Quinn Dunki of Blondihacks—just wanted to set up an automated cat feeder, so that her cat would be fed on time and she didn't have to watch the clock every day. Simple, right?
Turns out her cat had a different idea. Her cat's idea was, "How do I get this machine to give me more food than Quinn wants me to have?" So Quinn had to make some adaptations to her automated cat feeder, to protect it from the prying paws of her cat. As she says at the opening of her blog post, "The trick is to be smarter than the animal with a brain the size of a walnut."
But of course, Quinn worked on this problem part-time, and her cat worked on it full-time.
In the end, Quinn won. But I'm pretty sure nobody would say that the effort she expended was proportional either to the benefits she gained or to the risks she was avoiding.
Verbum sapienti sat.
__________
* "Μηδὲν ἄγαν" was one of the three proverbs said to have been inscribed at the entrance to the Greek temple at Delphi. See here for more information.
** Owen Ulph, The Fiddleback: Lore of the Line Camp (San Francisco: Browntrout Publishers, 1995), p. 23.
How many times have you seen departments do things that don't help them any, just because it's easier for the auditor once a year? I've seen it too often to count, and it's never the right thing to do. Oh sure, in a sense I appreciate it when I'm the auditor. But also, it's really unnecessary. I've audited a lot of departments over the years, and they've done things a lot of different ways. If it works better for you the other 364 days of the year to do this rather than that, … well, as long as it meets the rules I can probably figure it out.
I was thinking about this recently while talking to someone about the rules for management review. Right now, ISO 9001:2015, clause 9.3.2 states, "The management review shall be planned and carried out taking into consideration"—and then there follows a long list of topics, (a) through (f), where item (c) is further divided into seven subtopics. It's a comprehensive list. Anyway, my friend was saying he wishes the ISO would change this requirement to say that management review must explicitly include all these topics, because "How are you supposed to prove consideration to an auditor?" What he meant, of course, was that if the agenda for management review were required to include every one of these topics and subtopics, it would be easy to show that you had "considered" them all.
Long-time readers may remember that I think this is a terrible idea! The biggest risk in any management review is that the participants are likely to get bored. To avoid boring them, cut out everything you can. Discuss only the pain points that have to be resolved by the specific participants of this meeting. That means that if your internal audits or your supplier evaluations are all green, it's enough to wave your hand and say so; you don't have to drag the attendees through an itemized list of each one. Spend your time instead explaining that it's time to buy a new widget-stamping machine, because the old one slides out of alignment once a month like clockwork and the rework costs are eating you alive.
But of course you still have to pass that audit once a year, so how are you going to do it? It's all very well for me to say that you shouldn't rearrange your whole management review just for the convenience of the auditor, but you are going to have to show some kind of objective evidence. What will it be?
Do it like this.
First, as you prepare the meeting, go through every single one of those topics listed in clause 9.3.2, and document where it stands right now. (You have to do that anyway in order to find out where your pain points are, since those are the topics you will discuss.)
Second, while you are conducting the meeting, keep all this material handy where you can reach it. Maybe this means it's stored electronically just one click away, or maybe it's on paper in a notebook on the desk next to you. But just in case someone brings up a question about one of those topics you thought you could afford to skip, make sure the data is immediately available.
Third, store all this data as a permanent Quality record, together with the minutes from the management review meeting that it supported.
Fourth, ask your internal auditors to look for this data when they audit the management review process, just to keep you honest. 😃 Naturally whoever audits the Quality function doesn't work for you—do they??—so if you make a mistake they won't be shy about writing it up.
And finally Fifth, when the external auditor visits, pull out all this stored data as proof that you really did consider all the topics listed in the standard. Then you can explain why you tailored the agenda to address the problems that really needed management attention, and why you skipped over all the topics that were functioning smoothly because they were just business as usual.
Simple. Straightforward. And you don't need to "include" all those topics in the review in order to "consider" them.