It’s the dumbing down of standards. If experience, knowledge, wisdom (and the occasional test) suggest a set of actions or measurements are needed to mitigate risks, who are we to hold our broken mirror up against requisite variety and chop off the bits that we can avoid seeing by holding the mirror just so? Tacit knowledge has been distilled into the explicit; don’t slice away at the result, as you risk (sic!) losing the hooks that will fuse that knowledge to your own idiosyncrasies…and cutting yourself on Occam’s razor into the bargain. Never standards ‘lite’ (even the trendy spelling has all the attraction of low-rise jeans). But sitting at the fork of risk treatment (do we, don’t we) there are two ways to go…
There’s IASME (www.iasme.co.uk) and AccreditUK (www.accredituk.com), who build up their standards from the objectives and keep the security and quality objectives in view all the time. It’s a question of keeping an eye on the horizon, not sighing with relief as you pass the flotsam of others’ failure. Attitude is everything. Then there is the full picture for organisations – from loose supply chains to tight, life-critical attractors – that match the complexity of the problem with the complexity of the solution. You can live with complexity – second-order project management (Cavanagh, 2012) demands it – but sometimes you need a route map. The essence is not to blame the route map if it doesn’t show every pothole, and to expect diversions. Myers (1979) warns us never to test with the expectation of the test being passed first time.
What is reasonable, measured, and trustworthy is to boil down the complexity of some standards into a route map that will take you to their objectives sooner rather than not at all. Avoid the jetsam of audit reports that don’t take you forward – they will peg you to the past. So here’s a summary of the key points of ISO 9001. It should be all you ever need – if your attitude to quality is right, then security, business continuity, sustainability etc. should chase after you, overtake you and be waiting for you every time you arrive. So before you reach for the manual, can you say yes to:
- Do you have processes which are monitored to assure the continuous delivery of your objectives that meet the expectations of regulators and citizens? Is enough written down to make sure everyone knows what they should be doing?
- Is your top management involved in setting the review criteria for these objectives and the processes that implement them?
- Do you allocate resources – including trained staff – to implement these processes?
- Can you put your hand on the evidence to show that these processes are operating effectively?
- Do you capture feedback (including complaints) on the effectiveness and efficiency of the processes and services, and use this feedback for process improvement?
- Do you have a strict process of ensuring that products and services acquired for the delivery of your objectives are clearly specified and checked for compliance with these specifications?
- Have you a clearly-defined and audited system whereby purchasing responsibilities are allocated according to authorised levels of budget or competency to understand the product or service being acquired?