Thanks for your comments. You have actually echoed a sentiment that I have been leaning towards for a while, that is that 3rd party audits should take a leaf out of the 2nd party book. I have been thinking this way for a couple of reasons

1. They are unquestioningly more thorough. Probably as there is more at stake, and there will be consequences if a poor job is done (not so on a 3rd party audit, I’d suggest)

2. They are by definition aligned to actual customer requirements, whereas 3rd party audits tend to take a literal and/or superficial view of the ISO standard and for the most part ignore any specific contract requirements a company is supposed to be working to

This has given me some food for thought. Thanks Rob

Being on the receiving end of LOTS (and I mean LOTS) of 3rd party audits, I can say that almost without question they add very little value to the company, system, process, people or procedures. By their very nature they skip across the company at a high level, resulting in a few non-conformances about things you already know about. 1st party audits tend to throw-up routine issues. For me 2nd party audits are where you get real value. Here the customer is saying, this is how you can add value to my processes, this is what I want and expect.

Also, can you please change the link in your sidebar from learnsigma.com to learnsigma.blogspot.com? I’m moving away from a self-hosted blog: too expensive and it got massively bloated.

Thanks!

I hope my comments are going to be helpful – apologies in advance for the length of them, but this is a critical topic! Just read through the post a few times and I will only try to address the ‘added value’ issue, as this seems to be the one you are asking about, although, the solution is tied closely to answering the first part as well… Adding value can only be achieved if we look at the overall audit process and tools being used – as you so rightly say, adding value by doing audits in the same way we always have is not going to happen.

If we do not fundamentally address the way we plan and carry out audits and report findings, then we are merely tinkering at the edges. Too often, people have tried a tweak here, tweak there to improve auditing, but this has only been able to deliver minimal benefit. There is a need to stand back and look at the whole process and the way it is carried out if we are to discover the ‘golden nugget’ of ‘added value’ auditing.

I agree that third party audits have never been designed to deliver added value – just a confirmation of suitable application of a standard was taking place. However, auditing should always have been about both conformance and effectiveness, although too often it stayed firmly at the conformance end of this continuum. I think what organisations are really saying when they talk about ‘added value’ is that they want much more of the effectiveness auditing than in the past – more information about how effectively the application of the standard is supporting their business.

I would argue that the third party certification is not only there for the benefit of the customer of the organisation, but it is also for the benefit of the organisation itself. Generally speaking, what is good for one is also good for the other. The problem is that conformity alone is not good enough for either of these parties, hence the demands from both for ‘added value’.

So what do these two want by way of ‘added value’ from auditing (both internal and third party)?

Customers want to know the risk of their supplier not being able to (continue to) deliver what they need from them i.e. the right ‘product quality’ to specification, on time and to agreed cost. Increasingly, they also want to be assured that the environmental, social and ethical impacts of the supplier are being managed alongside these ‘product quality’ areas. This means that they want to be assured that the supplier is operating in a mature way, balancing and managing their business risks. Some may also want to know specific areas of interest, such as that they are working with a company that is ‘pushing boundaries’ in development areas that are relevant to themselves, etc. What they are looking for is an indication of the mature application of the standard being assessed (9001, 14001, etc.), beyond pure conformance into effectiveness alongside all of the other things they are applying, and that they are likely to continue to do so or improve further in the future.

The old ‘tick in the box’ compliance ‘pass or fail’ result is no longer adequate, as you so clearly show in the 5 star hotel example, the World is getting ever more complex with increasing numbers of requirements that have to be applied alongside each other. When 9001 auditing and certification was initiated, it was almost alone, so could have a focus just on itself, but this is no longer the case. Customers need a much more strategic report from a third party certification, showing how mature the supplier is compared to a continuum that goes well beyond conformance, which is just a step towards effectiveness, not the end game that too many registration bodies seem to see it as. Better still, they need to be able to benchmark different suppliers against each other in a meaningful way, which certification currently cannot do.

Not surprisingly, those suppliers getting the registration actually need to know the same information, as described above for the customers. They need this to be able to manage their operations in this increasingly complex business World. So by satisfying customer needs from the ‘added value’ certification, you also satisfy the supplier as well. One small problem may be that some suppliers do not want to let their customers know their real level of maturity beyond conformance, but I suspect that once customers know it is possible, they will be demanding to see it anyway ….

So, going back to the earlier part of the reply above, if we think about the process and tools we use for auditing, then we can start to address the ‘lack of value’ issue. You rightly say we cannot send in a Tom Peters to every certification audit – indeed, even Tom Peters himself could not really get to the bottom of the real risks in the time available. We therefore need to find assessment tools that by pass the inevitable shortcomings we get by expecting auditors to go much beyond compliance. To do so would require far too much evidence gathering (especially for the soft issues and the way different standards and frameworks are embedded into the day-to-day business) and auditors that have a very wide knowledge of different business disciplines. And even then, how do we ensure consistency in evaluation of the evidence gathered one day to the next, one organisation to the next?

The solution we have created is to develop IT-based tools that collect behavioural-based evidence in a 360 degree confidential and non-threatening way from anyone with direct experience of the organisation (the more the merrier!). This evidence is then consistently analysed in a knowledge-based analysis engine, reporting what it sees in two or more directions (against the clauses of the standard itself and also against good practice business drivers, such as the 8 principles of ISO9000). Finally, the result is reported against a scale where compliance with the clause of a standard (the typical level at which certification is given) is set at 40%, with higher levels indicating the maturity of the application of the standard in a whole-business context.

This reporting in reality provides the ‘added value’ that both customers and the organisation being audited need to help them move beyond the tick box into risks to effectiveness. I am more than happy to share more details of what we have done if it would be useful – equally, I hope our version of ‘added value’ will be useful in your thoughts for the presentation in Japan.