In the last issue of CERM Risk Insights #238, Greg Hutchins wrote an article, “ISO 31000 Certification: Next Big Thing”. In the article he discussed the ISO 31000 certification of Cholamandalam MS General Insurance Company India. As he noted, there is technically no such certification.
ISO 31000 is an enterprise risk management standard. ISO has not created a 31000 certification. What is this all about? Is it the next big thing for ISO and certification bodies, or is it a symptom of certification dry rot? This article explores the question in a little more detail.
Why Certify?
The crux of the issue is certification and its importance. Certification is big business. In many cases it is a legal or regulatory requirement. It is also an economic imperative that provides a competitive advantage to the certified company. Thus, for a company, it can mean the difference between success and failure. This is particularly true if the company sells its products in a global market.
Certification is Big Business
For the organizations providing the certification auditors (certification bodies, or CBs) and the certificate itself, it is big business. The companies providing certification audits charge around $1,200 to $1,500 per day. While the number of days depends on the organization’s size, a certification audit generally takes 13 days and the follow-up surveillance audit four days. Thus, a company may spend between $20,000 and $25,000 to become certified. With over one and a half million certifications issued in 2017, the certification market is about $30 billion worldwide.
With a market this big, what is the problem? Greg touches briefly on the key issues, but it is a little more complex than dry rot, VUCA and a movement towards risk, all of which are true, by the way.
Dry Rot
In August 2018, ISO published the global certification numbers for 2017. The numbers show an overall decline of one percent, with a four percent loss in ISO 9001 certifications. What is important is that ISO 9001 makes up 68% of the 2017 certification numbers. Given the small market for most of the other ISO certifications, continued loss of 9001 certifications shrinks the market and puts pressure on the CBs and on those organizations, such as ISO and ASQ, which depend on the growth of ISO 9001 certifications.
The numbers represent several underlying problems. One is that the fear factor over a lack of product quality, which drove the certification numbers ever higher in the 1980s and 1990s, is not as great. For instance, after a presentation on innovation, the author asked the speaker, H. James Harrington, why he was switching from quality to innovation. His response was that quality has become commoditized.
In short, quality management is increasingly becoming digitized. Computer systems are being used to identify variances and make corrections almost instantaneously. An examination of the U.S. Department of Labor’s employment forecast for the next ten years shows that quality-related jobs are in decline.
This trend would not necessarily affect certifications, except that there is a growing concern that certifications no longer mean much. Christopher Paris of Oxebridge Quality Resources, in his blog, regularly reports on certified companies that had major accidents or were found by authorities to be out of compliance, even though the CB issued a compliance certificate. He also discusses instances where organizations claim certification when they have none, and the oversight bodies do nothing.
Now some may claim that Mr. Paris is cherry-picking small instances to support his position. He is, after all, somewhat of a gadfly in the quality arena. However, where there is smoke, there may be fire. A case in point is the December 2017 finding of the Department of Defense Inspector General’s evaluation of the Evolved Expendable Launch Vehicle (EELV) Program Quality Management System. The audit found that ULA, SpaceX and AR did not perform adequate quality management assurance. It identified 181 nonconformities to AS9001C.
If companies fail to maintain the certification standards, or, as Mr. Paris claims, CBs and oversight bodies do a shoddy job of evaluating and maintaining the standards, then the standards soon become meaningless.
This brings us to VUCA and the increasing concern for risk management.
VUCA
VUCA stands for Volatility, Uncertainty, Complexity and Ambiguity. It is a common term used to describe the dynamic, globally interconnected economy. This interconnectedness means that an economic or natural disaster in one country can affect other countries around the world. For instance, in 2011, Thailand experienced significant flooding. The United Nations estimated that the flood reduced global industrial production by 2.5% and that the top three non-life insurance companies paid out $5.3 billion in claims. That is more than was paid out for Japan’s 2010 earthquake and tsunami.
This interconnectedness, the volatility of the environment and the costs resulting from risk events have heightened risk awareness.
Risks
The World Economic Forum annually conducts a risk assessment survey. The respondents to the 2019 survey listed extreme weather events as one of the risks with the highest impact and the most likely to occur. Other risks rated most likely to occur were: data fraud and theft, cyber-attacks, man-made environmental disasters and an asset bubble in a major economy.
Regardless of whether one agrees with the types of risks listed, what is important is that world leaders are recognizing that all organizations, be they public or private, face multiple risks. Further, these risks have substantive costs. For instance, PG&E, California’s largest power company, is declaring bankruptcy. This is the result of its liability for the 2018 wildfires, which an employee started. It is estimated that without bankruptcy the company would be liable for $30 billion in damages. The company’s wildfire insurance for 2018 is only $1.4 billion.
Because of California’s push to reduce emissions, it encouraged electric companies to fund clean-energy initiatives. As a result of the bankruptcy, solar, wind power and electric vehicle companies which receive money from PG&E may find their revenue reduced. This could threaten the viability of these companies. It could also hinder state environmental goals. This is a clear demonstration of the interconnectedness, volatility and complexity of today’s environment. It also shows why risk management is becoming a greater priority for companies than quality management. The fear factor is the risks an organization faces, not its quality management system.
The growing awareness of the risks an organization faces, and of their cost, is focusing attention on ways to manage these risks proactively and on an enterprise-wide basis.
Risk Management
There are two dominant enterprise-wide risk management (ERM) models. One is the Committee of Sponsoring Organizations’ COSO ERM model. The other is ISO 31000. While ISO did include Risk Based Thinking (RBT) in ISO 9001:2015, RBT was not defined, nor has ISO used RBT in the most recent revisions of its standards. Instead, it has used risk management. Further, 9001:2015 does not provide the comprehensive risk management implementation sequence that is provided by COSO ERM and ISO 31000. This means that ISO 9001:2015 is at a comparative disadvantage with respect to COSO ERM and ISO 31000 in providing a comprehensive ERM guide.
Where are We Going?
Greg postulates that many quality consultants will move to risk and that ERM, as occurred with the Cholamandalam MS General Insurance Company India ISO 31000 certification, will become a certification. I agree that there will be a shift from quality to risk and that the field will ultimately be flooded with, as Greg says, quality consultants who “can’t spell risk.” I do not, however, believe that any ERM certification move will be successful. ISO 31000 has been an active standard for years. In the public sector, ISO 31000 is already being used. Given limited funds, it is doubtful that those already using ISO 31000 would need or want certification.
Unlike a product which someone else is buying, ERM is an administrative process which helps an organization manage its own risks. Why pay $25,000 to have someone come in and say that you are using an international standard? For the organization, the payoff is the results of the ERM process, not the impact of a certification. The governing body and stakeholders can see the payoff for themselves.
For ERM certification to work, national governments would have to mandate ERM. This has occurred in the public sector. Local governments in the United Kingdom and South Africa are under an ERM mandate. The U.S. Congress has also mandated that state departments of transportation implement a Risk Based Asset Management Plan by 2019. While it is likely that the public sector will continue to be encouraged to adopt ERM, an ERM mandate for the private sector is not likely any time soon.
In summation, as ERM is increasingly implemented, a corresponding drop in ISO 9001:2015 certifications is likely. That means that ISO, CBs and organizations which depend on a huge ISO certification market are being disrupted, and a substantive shake-out is going to occur.
BIO:
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has worked for federal, state and local government. He has over ten years’ supervisory and managerial experience in both the public and private sectors. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. jeffreyk12011@live.com.