Auditor
back end IT incompetence
customer service
ISO Auditing
outsourcing
Registrar
Uncategorized
Factors to Consider while Choosing an ISO9001 Registrar
A key part of the first-time ISO certification process is choosing an ISO9001 registrar. The client company (you) have an opportunity to choose the registrar you want to use.
I’ve worked as an auditor for three registrars. I “get audited” in my role as quality manager by a fourth. My consulting clients “get audited” by 5-6 others. Therefore I, a person with exposure to 10 different registrars, have something to contribute on the topic of choosing an ISO9001 Registrar.
So the question of the day is, how to choose an ISO9001 registrar that best suits your needs?
What is a Registrar?
I guess we should start with this. The registrar is the “certifying body” that is the third-party organization that does your certification. They schedule the auditors, they review the objective evidence and determine conformity, and then they publish your registration publicly.
Theoretically, these registrars should all be the same. You should be able to get a quote, have your audit, it is an international standard, so there should be standardization.
But, there is not standardization.
Some of these organizations are huge international operations that audit dozens of standards in addition to ISO9001. They range all the way down to boutique registrars that are specific to a certain city or industry.
To that, you can add that certain registrars have certain reputations. Some are regarded more highly that others.
How you select your registrar is an important part of your ISO9001 registration experience. Here are some things to think about when choosing an ISO9001 Registrar.
They are respected by your customers
In a substantial percentage of cases, you are being asked to get third-party registration by a customer. They have an underlying business reason for this. They want you to be a strong supplier that is responsive to customer complaints, and is committed to continual improvement.
Depending on what industry you are in, different registrars have different levels of respect among the major customers.
Registrar Bias
Things being what they are, certain registrars are viewed more positively by customers and clients. I do not have any formal data on this, unfortunately, but I would love to conduct a survey because I think this is widespread.
You don’t want to make a major investment in ISO registration, jump through all of the hoops, and then have your customers not respect the certificate because it came from a lesser registrar.
How to avoid this? Ask your customers who their preferred registrar is. They may even be using a registrar themselves who they are happy with. Choosing an ISO9001 Registrar may benefit from customer input.
You can talk to a human
Chances are, unless you are working with a registrar that is based locally, you will never actually meet the registrar’s sales person. The most customer-facing person in the whole system is the auditor. But, the auditor may be a contractor (like me) who is not even an employee.
So if you have a billing issue, or a scheduling issue, or there is some other problem what do you do? You would like to speak to someone who can help you. Here is a rule of thumb: The bigger and more international your registrar is, the worse they are at this.
Customer Service
It is desirable to have a working relationship with someone at the registrar’s place. That way there is a human you can reach out to if you need some kind of guidance. An additional problem is that customer service in any business is a high-turnover activity. Even though you may have an assigned person, that person may be inexperienced and not even understand what ISO registration is.
How to know this? Ask to talk to them. While you are in negotiations with the sales department, ask to talk to the customer service person that will be working with you.
Auditing your Scope
Your “scope of registration” is basically the business you are in. The different registrars have different levels of experience when it comes to certain industries. The reason for this is that ISO9001 developed for manufacturing. At the very least, your registrar is required to run an audit program that is capable of auditing your “scope.” The more familiar they are with your industry, the better job they will do of this.
It’s not just the auditor. The technical reviewers within the registrar actually issue your registration. They should know some fundamentals about your business model as well.
How can you tell if a registrar has experience in your industry? Go to the website of one of your ISO9001 certified competitors, and see what registrar they use. Since they have been through the process of choosing an ISO9001 registrar, they may save you some work.
The Registrar’s Scope
Nowadays, certain industries such as automotive (IATA-16949) and Aerospace (AS9100) have separate standards. These are based on ISO9001 but have more stringent requirements. The individual registrars are required to have these standards in their scope of approval in order for them to be able to do audits.
What happens sometimes is that a client will have their initial certification in ISO9001 and then “upgrade” to one of the higher level standards, and if that is the case, it makes sense to start with a registrar that is capable of auditing the higher standard.
Another thing that is happening right now is combined ISO9001 and ISO14001 (Environmental Standard) audits. This was made easier by the change to ISO9001:2015. If you see a need to get the ISO14001 registration, it makes sense to be choosing an ISO9001 registrar who can do “combined audits” of those two standards.
They have qualified auditors
The assignment of your auditor, and scheduling your audit are both done by your registrar. So, it is important enough for a registrar to have a pool of qualified auditors. You, as the company being audited, have an IAF code. This is a code that describes what business you are in. Here is a link to the official list of IAF codes.
The auditor also has an IAF code. What that means is that the registrar had some screening process to determine if the auditor is at least minimally conversant in that industry. One of my registrars gives a little quiz to make this determination. The other makes me do an interview with someone else with that code.
Why I am a fossil
As a younger person, I worked in the printing plant for the town newspaper. From that, I got experience in the “publishing industry” as it applied to the mailroom, which is where the newspapers came out after printing. But I knew enough about the linotype machines, and press cylinders, and galley proofs, and the actual presses that I was able to pass the registrar’s quiz about publishing. By the way, most of that stuff is digital now which makes me a fossil.
When a piece of equipment that was dominant in an industry where you worked, and it is now in a quaint museum somewhere, you are a fossil.
My Auditor Scope
So publishing, which is IAF-8, is in my scope, and I can audit companies whose scope is IAF-8. I do not have “nuclear fuel” which is IAF-11 in my scope, so if you are in that business, I won’t be your auditor at this point. I have plenty of other IAF-codes in my auditor scope. This includes the one for beverages, which I appreciate during Auditor Miller Time. I think for the two main registrars I work for, I have a slightly different list of IAF codes for each, for some reason.
So as we said above, the registrar needs to have enough qualified auditors that can audit your scope. Furthermore, there need to be enough auditors with that scope so that you don’t run into auditor shortages. Example: A few years ago in the aerospace business, they increased the qualifications for AS9100 auditors, and about 50 percent of the auditors were no longer able to work. There was an industrywide shortage and this caused scheduling issues.
Choosing your ISO9001 Registrar: How do you find this out?
How to find this out? Once you know your IAF code, you should ask your registrar how many other customers they have with that same code, and also, how many auditors they have. They should be able to give you that information without violating anybody’s confidentiality.
If you are running a machine shop, and the registrar has 150 customers that are in your IAF code, and 150 auditors are available, you won’t have any problem. If you and 10 other companies are in the nuclear fuel business and there is only one overworked IAF-11 Auditor, you may have trouble scheduling your audit.
However, your registrar has this information, and can be questioned on this issue very specifically.
They don’t treat their auditors like a Commodity
This is probably a topic for a completely separate post. Most registrars use contractors like me to do their audits. In many cases, despite the fact I am not an employee of the registrar, I am the most customer-facing member of this team.
So the relationships between auditor, registrar and client are very important and should be professional and mutually respectful.
The registrar’s treatment of the auditor has a big influence on this. All three relationships need to be stable.
The Auditor/Registrar Relationship
The relationship between the auditor and the registrar is difficult to manage. I would have to say that 95% of the communication I get from my two registrars is negative in tone. This is usually because they need me to refine some of my reports, because of some error on my part. Most auditors hate being corrected. They are annoying that way.
Registrars have differing attitudes toward this relationship. It is the openly stated policy of one of the registrars I work with that auditors are a “commodity” and therefore interchangeable. One auditor should be able to do the same job as another.
This has ramifications as it applies to scheduling and auditor assignments. A stable relationship between auditor and client is an important aspect of customer satisfaction.
Non-contract employee auditors
It is possible that your auditor is an employee of the registrar, rather than a contractor. The primary difference from the auditor’s point of view is that they get paid a salary, rather than being paid by the job like I am. They do it for the benefits as well.
I am not sure the relationship between the registrar and the auditor is any better under that situation. The auditor is under relentless pressure to do as many audits as possible for their salary. They are rated on “efficiency,” defined strictly by the numbers of audits they do.
Of course, this depends highly on the registrar. It is quite possible in the case of one of the smaller registrars it works better. I will listen to arguments either way.
Auditor Turnover
In my contract job as a quality manager, the company I work for has had six auditors in the last 8 years. This makes it very difficult to anticipate how the auditor is going to interpret the standard and what I can expect. This is because of what we said earlier, the area of the biggest variability in the whole system is the auditor.
From the point of view of the registrar, it may be a conscious strategy to make the auditors as expendable as possible. This allows them to adjust the pay scale to be economically efficient i.e. pay the auditors the least they can get away with. This leads to auditor turnover, and higher auditor variability. It is also a form of reverse-natural selection where the survivors are the least fit, if you know what I mean.
The registrar owns the means of scheduling, but the auditor owns the means of production.
From the point of view of you, the customer, you may lose out on having an extended relationship with an expert. This is someone from the field of quality systems who can (presumably) be valuable in helping you evolve and improve. An auditor that audits you repeatedly can dig deeper into your system.
The question of Changing Auditors
I should also say this: There is also an underlying benefit in changing auditors once in awhile. This is because of the differences in auditor style, and that will help your evolution as a company. If this happens too often, you are subject to a moving target.
How the registrars manage the relationship with their auditors and clients is an important aspect of this system. Also, how they manage their auditor turnover and/or stability of their auditor network is also important.
A way to find this out while choosing your ISO9001 Registrar would be to ask the registrar: “how often can I expect to change auditors?” and see what they say.
Side Note: How the auditors get paid.
How the auditors get paid is an important aspect of this. The two registrars I work for are very prompt and efficient about paying me, usually within a week of doing the job. There are registrars, from what I understand, that wait until they themselves are paid by you, the client, and sometimes this can take several months.
From the auditor’s point of view this is really annoying because there could be a lot of expensive airplane tickets and hotel bills on their invoice, and if this goes on, the auditor is “carrying the float”.
So the registrar needs to respect the auditor enough not to tick him or her off by not paying them promptly. A very knowledgeable customer will ask the registrar that question as well. There is nothing worse than working with a ticked off auditor.
The Auditor as a Representative of the Registrar
I also have to say from the auditor’s point of view it is equally responsible for them to be a positive representative of who their registrar is. This is based on the fact that the registrar is doing the booking and providing the paycheck. It is the auditor’s responsibility to be a team player, follow the work instructions, and otherwise follow the guidelines for the customer relationship and that includes refraining from whining about the registrar.
I personally try to keep this in mind. This keeps me from ticking off the registrar (usually).
They have functioning systems
The role of the registrar as a business is to schedule the audits, do the technical review, and maintain the certificate database. For this, they charge you money.
The job of scheduling the audits, and tracking the corrective actions is a major activity and is very complex.
Back in the stone age, all of this was done manually using pieces of paper. Now, there is an attempt for all of it to be done in some fashion by a computerized work flow.
Sometimes the accounting system and billing is integrated with this.
“System Issues”
Unfortunately, or fortunately, the development and maintenance of this “system” is a major undertaking. For a huge registrar, this is a super major undertaking because of the size and complexity of the business. It is much worse if it is global because it needs to translate into several languages and is impossible to change without a global effort.
For a smaller registrar this is a major effort costwise as a fraction of their revenue, so the tendency is to oversimplify and have it not be as efficient.
Some of these systems have customer access, and they expect you, the customer, to be able to go in, make entries as to your corrective actions, and access reports. This has an element of convenience, but it also requires expenditure of time and energy on your part. This is because you need to be able to understand and operate the software.
Learning the Software
From the auditor’s point of view, it is a significant activity as well. They need to learn the high level system of reporting and documenting the audit. They also need to learn and understand the functioning, or lack of, of this underlying work flow. This is a major component of the auditor’s scheduling, and client communications. This is training time that is unpaid if you are a subcontractor like me. Guess how much extra time I devote to this, when I could be blogging.
Whose Idea Was This?
Quite often, and in fact I would say 100 percent of the time, the “system” was developed by some IT person with little or no experience as an auditor, or technical reviewer, or scheduler. Therefore it is practically impossible for the designers to understand the nuances of the system. I feel sorry for them.
Add to that the fact that no two clients are exactly alike, no two audit programs are the same.
System Risk
Add to that the fact that there is some risk. If you train your customers to do all of this, and the system blows up, it makes you, the registrar look stupid as a business.
So if this system breaks down, or functions crappily, the registrar can’t schedule their audits. They also can’t schedule auditors, administer the audits and certificates, do their billing, or pay anybody.
Even worse, if the system devolves to something all-electronic, it raises the possibility of them losing something and not knowing the difference.
So since nothing happens in isolation, this is a relatively easy thing to check. Usually there is some online application that you have to fill out. If you do that, and if at any time in the first week someone says “we’re having trouble with our system” that is a red flag because it means that they will have trouble with their system when you need it.
The Bottom Line
There are plenty of other factors involved in choosing an ISO9001 registrar, and the list is by no means exhaustive. The benefit to doing a little work up front on this is that the easier your relationship is with the registrar, the better your experience.
Keep in mind that the negative consequences of a bad choice while choosing an ISO9001 registrar are not severe. Transfer audits happen all the time, and it is quite possible that if you don’t have a positive experience with one registrar, you may change.
I would love to hear of your own experiences in selecting a registrar. Feel free to contribute.