ISO 9001 & the Law

A colleague who is an attorney and an ISO 9001 advocate requested my comment on his recent blog post. In his post he asserts that several recent defense contractors settled lawsuits with the Department of Justice because “their ISO 9001 Quality Management Systems were broken.” He also goes on to state that “it also raises questions about the financial liability of their registrars.” Below is my response/comment to his post:

Tall assertions here. “Their ISO 9001 Quality Management Systems were broken” seems like a very superficial or way too general an assumption/assertion. This is particularly true for the Pratt & Whitney example where bad parts were “knowingly” shipped. No management system can prevent willful negligence or malice.

Perhaps the real issue is that organizations frequently have flawed or even non-existent business operating systems (BOS). This is much different than an ISO 9001 Quality Management System. ISO 9001 can serve as the foundation for a BOS, but it does not intend and does not claim to assure quality or business excellence. Certainly, companies should be held accountable for failures and flaws of the BOS. Labeling these failures or flaws with ISO 9001 belittles the true nature of the problem.

While I am not a defender of registrars, as a former manager and executive at a few, I can state with some authority that a registrar’s mandate is to assess that the ISO 9001 foundation has all of the minimal required elements. Nothing more.

External auditors are mere mortals. They have varying levels of experience and expertise. To expect an external auditor (that only sees a company for a few days every year) to provide the deep perspective and understanding required to ensure that the BOS is evolved to some undefinable level of excellence is idealistic at best and reckless at worst.

Furthermore, one needs to have a realistic perspective of what an ISO 9001 surveillance audit really is. Like any audit, it is a sampling exercise. An external auditor comes in for a few days a year and samples different areas of the company to find evidence that the minimal ISO 9001 requirements are being met. The auditor cannot see or judge everything. Typically, systemic problems are the focus, not momentary, non-repetitive, or individual failures in an otherwise stable process.

Finally, registrars should be considered corporate confessors. Companies that have constructive relationships with their registrar (relatively rare, I know) encourage their employees to be as open and forthcoming as possible with the auditors. Consequently, auditors and registrars should be treated with a similar level of privilege as attorneys or priests.

Kirill Liberman, President

4 Responses to “ISO 9001 & the Law”

  1. ISO9001 Certification says:

    Thank you for your article. However, is ISO9001 the law, or not?

  2. Kirill says:

    Hi ISO 9001 Certification.

    ISO 9001 is not Law. It is simply an international standard that describes the minimal elements of a quality management system.

    Kirill

  3. Richard says:

    ISO 9001 is enshrined in some laws. For example the Safe Loading and Unloading Regulations enforced by the MCA. This regulation makes it a legal requirement to maintain certification if a Port wants to operate a Bulk Terminal. It also for the first time opens the gate to ship owners seeking to recover cost of a ship lost at sea from a terminal that fails to prove compliance. Anyone got any more examples?

  4. Kirill says:

    Welcome to the Blog, Richard.

    You make a good point. There is legislation around the world that references and/or requires ISO 9001 certification. Some additional examples include importation requirements of some nations that require ISO 9001 certification.

    Kirill
