How to make certification work for you
The benefits of certification are clear. But what do organizations need to do to get started?
Know what standard you want, then read it
The vast range of management system standards that are available to companies highlights the importance of fi rms knowing what they want to get
out of the certification process. Neil Hannah, global operations director, BSI Group, says: “Companies getting started in certification need to have a clear view of what they want to achieve, for what scope of activities they seek certifi cation and when.” There may be a contractual or regulatory requirement, as in the automotive industry. Or companies may wish to improve the procedure of work for employees so they are more productive. This aim could be achieved by identifying processes within the organization and considering where improvements could be made.
Roger Bennett, the International Accreditation Forum’s director for conformity assessment bodies, says that it is the responsibility of a company’s quality or regulatory department to obtain the standards appropriate to its sector, and then read them. Phil Shaw, accreditation manager at UKAS, adds: “The organization will, in light of the standard, need to review its operating practices and organizational structure to ensure that it has a demonstrable system and arrangements that comply.” This means the company must understand the scope of the standard.
The standard can be implemented in-house, and there are consultants available to help establish the standard, as Roger points out. However, certification bodies are not allowed to consult on the implementation as this would be a conflict of interest if that body were also certificating the standard. Consultants should not impose a standard system in the company – it should be tailored to fit the company’s current system and specific needs. Relevant people in the organization should be involved in the process of documenting what they do.
Evaluate several certification bodies
The next step is for companies to consider what kind of certifi cation they require. Roger says there are several different kinds of clients: “badge
hunters looking for the cheapest possible solution”, “the normal business hoping to improve its processes”, and “those at the top end looking for something well beyond what ISO 9001 offers”. Roger suggests that small certifi cation bodies that offer certification in one country are often “best placed to meet the needs of the badge-hunters”. Larger clients, who may be international, usually look for a large, global certification provider to
conduct audits in many disciplines and countries.
However, Roger says that clients should always look for a certification provider that is accredited by a reputable accreditation body which is part of the IAF’s Multilateral Recognition Arrangement – the mechanism by which accreditation bodies are evaluated. “This gives a measure of confidence that the accreditation body has been peer assessed by auditors from other accreditation bodies under the control of the IAF.”
Jackie Burton, business and customer relations manager at UKAS, adds: “Certification bodies should be impartial and competent for the areas in which they offer certification. This is why certification bodies themselves become accredited – to demonstrate that they are capable of offering the kind of robust assessment needed in order for certifi cation to be meaningful and that they will do so in a fair and competent way.”
Furthermore, says Neil Hannah, organizations should also choose a brand which they, and their stakeholders, trust. “All reputable certification bodies with accreditation from an IAF member can deliver certifi cation to a similar standard but not all certification bodies are the same,” he says. “When faced with a difficult choice, many of us rely on the recommendation of another purchaser.” Companies should also ensure that they establish whether the certification body has auditors with experience in the organization’s sector of activity.
The certification process
Certification bodies usually carry out an initial audit of the system, when it is first certified, which will look at the complete system. This will be followed by a surveillance audit, where there is a “cycle of shorter audits in which a snapshot of the system is taken”, according to Vince Desmond,
executive director of business development at CQI. “There will be a sampling of activities, for example, getting the views of 50 customers, or
levels of product recall,” he says. “[The certification body] is not looking at everything the organization does.”
The length of time the auditing process takes depends on the size and type of organizations. Catherine Golds notes how, in a small organization, it may take just one day, but could take a number of weeks in a larger organization.
Organizations should prepare for the assessment, because it is the certifi cation body which decides on whether they meet the assessment or not.
Certification bodies will report back on the systems and processes which are not working in line with the management system standard.
They may decide that the company is not conforming to the system standard, but this can take a variety of forms – it may be minor, in which case it is described as a “single observed lapse” or it may be major in that an aspect of the system is not being addressed. In this case, the company would need to take action to rectify what is not being addressed within the company’s management systems and processes.
Which standard should I use?
| Stakeholder |
Applicable management systems standards |
| Customers |
ISO 9001 - quality management
ISO/IEC 27001 - information security management |
| Shareholders |
FS 9000 - financial services industry management
ISO/IEC 27001 - information security management |
| Employees |
OHSAS 18001 - occupational health and safety
Investors in People - people management |
| Suppliers |
ISO/IEC 27001 - information security management |
| Society |
ISO 14001 - environmental management
SA 8000 - social accountability/human rights |
When a standard gets updated
While achieving a certifi ed standard should not be an excuse for companies to rest on their laurels when it comes to the development and success of
their management systems, they will need to be aware of what is required when standards get updated. They are reviewed every fi ve years by ISO to ensure that they stay relevant to companies.
ISO 9001 was updated in 2008, and it is now in its fourth edition. The update has been relatively small, so there were no new requirements – just minor editorial changes to the wording of the standard.
Certified organizations have a transition period in which they can ensure they remain compliant with the standard. In the case of ISO 9001:2008, this period runs from 14 November 2008 for one year. They will then be audited in line with the new standard when their next assessment takes place. By 14 November 2010, ISO 9001:2000 certifi cates will not be valid.
It depends on how much a standard has changed as to what a company needs to do in terms of updates – they should look at the amendments to a standard and consider what changes may need to be made to their management system (if any). The certification body will also need to adapt, as Roger says: “If the changes have been significant – with new requirements – the certification body may need to retrain the auditors, re-brief sales staff and redraft product manuals and marketing materials.” However, Roger explains that signifi cant changes are introduced through a transition period agreed with the IAF and clients have an agreed time to change their management systems and processes to meet the revised standard before certification bodies carry out audits.