After interviewing a couple dozen auditors, we heard the expression “Buying Certificates” quite a lot. It basically comes down to companies only caring about the certificate and not about the management system. In general, it happens more often with smaller companies than bigger ones—but it happens everywhere.
Most of the time, ISO certification is simply forced upon by a new customer that requires an ISO certificate. The real question is, is it worth it? It depends on the industry you are in, of course, because some industries you simply cannot do anything without. In general, it isn’t really worth all the things you are required to do if you really only care about the certificate.
A new project or customer requires ISO certification, and the company starts to look into the requirements. A consultant gets contacted and a plan is created. Most companies have some form of Quality and Safety controls, so these are extended and adjusted to fit more into the requirements of the standard. A responsible person is appointed internally and he/she is working together with the consultant to get the management system in place.
Because of the lack of support and awareness of the importance of the Quality and Safety management, it will start to feel like a big burden on the company. During the audit there should be some sort of proof that the team follows the procedures and processes described and that they are somehow involved in the stakeholder analysis and risk management. This can be quite challenging and lead to lots of irritation, with the most common phrase:
“We have to do it for ISO”
This of course is nonsense because the standard doesn’t write
If you only do it to get a project/customer, which we don’t recommend, then it should at least make economical sense. Getting certified isn’t really hard, the real pain lies in maintaining the management system. Let’s make a small calculation. (These figures highly fluctuate among sectors and countries and therefore you should always make your own.) Just make sure you not only include the certification and the auditor but also the internal resources.
We expect 3 months of consulting by an in-house consultant.
|Year 1||Year 2||Year 3|
|Consultant||€ 10000 ,-||€ 4000,-||€ 4000,-|
Resources 200 hours 1 year (100 hours year 2 & 3)
|€ 9000,-||€ 4500,-||€ 4500,-|
|€ 2000||€ 2000||€ 2000|
|Grand Total||€42000,-||For 3 years|
This is just a simple, relatively small company but it already turns out to be some significant costs.
The Real Implications
Because the management system isn’t really part of the company and not integrated into the operation, the audits will be a real pain every year. Things will be forgotten or aren’t up to date and control measures aren’t checked on effectiveness or simply don’t exist. This will lead to very frustrating situations during the audits.
A Good Thing
To finish with a positive note, we do see lots of companies that start to see and embrace the value of the management system when they have to implement it. They start to use it as a vehicle to improve Quality and Safety and structure their organization. If this is what you plan for, ISO is most definitely a good framework to do this and the ROI on the certificate will be great. So even if a company starts off as a Certification Buyer, it can still become a company that really leverages the standard to improve the business.