Decades ago I worked for Philips Telecommunications. I remember very well when the CIO of our IT department decided to pursue ISO 9001 certification. A young graduate was appointed to get us ready for the certification audit. This “enthusiast” was soon perceived as an annoyance and a geek. I need to add that the word “geek” was unknown to us in the mid-80s, but nowadays, that’s what we would call him…
What was so annoying? Well, anytime we received a memo from him (we didn’t have e-mail in those days), we knew that we had to document yet another (piece of a) procedure. Or, review something others had come up with that we were supposed to do from now on. In other words, more work. As if we hadn’t enough on our plates already and had nothing better to do. And, for what purpose…? Well, to keep our bosses happy, we guessed?
The first time I felt some anxiety was during the weeks leading up to the certification audit. We were all coached, sometimes (drilled) individually, on what to say, what not to do, and how to respond to certain questions of the auditors. Several long memos were spent on this and more of this fear mongering. Well, in all fairness, by all means you wanted to avoid getting the blame of failing the certification audit. That would have been pretty much the trigger to look for a job elsewhere.
I remember the days of the audit. One avoided walking by the room where the interviews took place that whole week. The last thing you needed was to get dragged into a conversation with these scary auditors. We were told that they could call for anyone in the IT department, so why take the risk unnecessarily.
Oh, what a relief it was when they were gone. No more hiding and “can we go back to normal now?” I must add though that we all felt some pride when news arrived that we were now ISO 9001 certified. And, I didn’t know that the young graduate could pull off an ear-to-ear smile. No wonder. His bonus and career just got a boost.
Now that I fulfill this role of the “annoying geek” when getting my customers ready for ISO/IEC 20000 or ISO/IEC 27001 certification, or being the internal auditor, I am grateful for having experienced being on the other side of the fence.
What can we learn from this experience?
First, (IT) organizations have many “moving parts”. In other words, there is a lot that has to be taken into account when making an effort to stabilize, standardize and mature existing practices and the organization, its services and products as a whole. The “parts” that “move” the most and are the least predictable, let alone repeatable, are the people in the organization. No matter the number or the length of e-mail “memos”, they will only do a very small portion of the “trick”. More is needed; much more. The “why getting certified” needs a healthy dose of WIIFM – What’s In It For Me. Or what’s in it for my service, my product, or, last but not least, for my customer and my business. If that’s lacking, the “annoyance” will last and linger for a long time. Even better, and having said all this, it is not about getting certified. The certification is just a vehicle, a tool. The bigger picture is what matters. Your business case behind achieving certification is what matters.
Second, ISO 9001, ISO/IEC 20000, ISO/IEC 27001 and many other ISO audits are capability assessments of a management system. For ISO 9001 this is a Quality Management System (QMS). For ISO/IEC 20000 this is a Service Management System (SMS). For ISO/IEC 27001, this is an Information Security Management System (ISMS).
The word “system” implies that every “moving part” that makes up the system will be placed under a magnifying glass to determine the improvement it needs and when. I am referring in particular to “parts” such as requirements that are to be met.
• Think of a vision, a mission, goals and objectives one is attempting to meet and accomplish;
• Think of customer and business requirements, regulatory, statutory and legal requirements, contractual agreements, requirements of standards, etc.;
• Think of policies, plans, processes and procedures that are needed, and the necessary people and technology that are needed to meet these requirements, goals and objectives;
• And the list goes on…
Given all these variables, a management system audit is not a “check-the-boxes” kind of audit. How can it be? Granted, a number of evidentiary documents, records and their contents are required no matter what. However, assessing the capabilities of a management system goes much further than that. It becomes a matter of “what works for the organization”. In other words, what is important for the customers that are on the receiving end of the management system? Or, what is important at this moment in time for the business and the market it is in? Or, what is important for the people working for the organization?
This is where the “management” portion of the “management system” comes into play. Management sets priorities. Management drives behavior and culture. Management defines what “success” is. Management enables, it steers, it guides, it encourages, etc. An (internal) auditor of a management system takes all this into account.
Does this make the audit of a management system subjective? Most certainly not! Remember, we’re talking about a management “system”. All the wheels of the system need to spin, and to spin in the desired direction. In other words, the auditors need to look at the management system with the appropriate perspective in mind; a perspective that is driven by the identified, documented, and agreed needs of the customer and the business.
And this leads me to the third lesson learned. Intrinsically, management systems have incorporated the principle of continuous improvement. This is why so many ISO standards have incorporated Deming’s Plan-Do-Check-Act (PDCA) cycle. Every “memo”, i.e. improvement step, should serve the purpose of happier customers, happier employees, a more successful business, and so on. While it may seem “more work” initially, in the long run, it should be “less rework” and “less repeat work”. Who doesn’t want to get the job done faster, easier, and with even better results? Hey, sign me up for that!
I applaud management that rewards a culture of continuous improvement. Granted, for many of us who grew up in an operational environment, it is not an easy shift from operational to tactical to strategic thinking. And with all the hectic craziness that is going on these days of instant gratification, who is thinking six to twelve months ahead of time? Who has, or rather takes, the time for that?
To round it all up, I guess the “annoying geek”, who just graduated, did have a lot of time during his days at the University to envision the bigger picture. Maybe, I should have paid closer attention so it didn’t take me decades to see it too…