Compliance Certifications – Part 1

Compliance Certifications: a Rubber/Wax Stamp or a By-Product of Organizational Maturity and Excellence?

Part 1: Compliance Certifications – Intent and Interpretation

The natural place to hang compliance certificates is usually on walls within the reception area, or inside conference rooms. What do they really mean and what type and level of expectations should a customer have when they see them?

If we reflect on the intent of creating standards or models (which are the basis for compliance), we’ll find that it is to provide a set of requirements around a certain discipline (e.g. quality management system, risk management, software development) that acts as a baseline. This baselined set of requirements enables a certain level of industry governance over what activities organizations should be performing within those disciplines to achieve an industry-acceptable level of performance and reach a certain level of capability. These standards are used by certification bodies as a consistent baseline against which they assess different organizations’ adherence to those requirements. When a service provider/vendor obtains its compliance certificate, it indicates to customers that the vendor has ‘ticked’ the adherence box to the requirements associated with this discipline. This, in turn, establishes a certain level of expectation by the customer of this vendor’s capability within that discipline.

In addition to documenting WHAT organizations should do to achieve that industry-acceptable level of performance, best practices in a lot of cases also promote the continual improvement of organizational activities (documented in process documentation), which should, in turn, lead to an improvement in their service quality.

Unfortunately, when embarking on their compliance and certification journey, many organizations see this certificate as a piece of paper that they must obtain, frame and hang on their wall because it allows them to submit a bid or because their competition already has one! Often this type of organization tries to look for that ‘silver bullet’ that can get it from A to Z in 2 days. I’m not talking about efficiency here! Further, once they get the piece of paper, frame it and hang it on their wall, they forget the improvement work they’ve accomplished to date and go back to their old habits until the following surveillance audit!

Few are the organizations that see the value of the certificate as an indication of having achieved the level of performance and capability excellence intended. Those companies, which could be referred to as mature organizations, will do everything they can to make sure that the performance and capability excellence that they achieved do not degrade over time.

We talked about the WHAT part of compliance certifications, now let us talk about HOW some organizations prepare for it.

I have spent a good part of my career working in quality assurance, conducting quality and process audits, ITIL and ICT Infrastructure Management (ICTIM) assessments, informal CMMI appraisals in addition to participating in formal CMMI appraisals within Australia and New Zealand. I’m not bragging, I’m just stating that what is being discussed here is based on actual experience.

While mature organizations understand the benefits of, believe in and live the principles of quality, process and service improvement activities, less mature organizations – which I’m afraid to say are the majority, number-wise – don’t! Prior to an audit, project managers and/or quality personnel mobilise many of their resources to work really hard to plug as many gaps in their process and/or project documentation as they can, going to the extent, at times, of backdating those documents in order to tick as many boxes as they can to achieve their compliance certification or recertification goal. The more audits they are subject to, the better they get at doing that and the more audits they pass with flying colours! My point is, they develop high levels of capability to fake or game the audit results. Experienced auditors can pick up on that, but not all auditors are that experienced!

Isn’t that defying the intent of the certification in the first place? I’m not discussing this because I have anything against compliance certification. I’m merely trying to highlight the need to change cultures and mindsets to encourage organizations to see beyond the piece of paper in order to get an adequate ROI on the budget they dedicate to their compliance activities and get value from their investment in that compliance journey. Unless the documented practices are institutionalized and become how organizations and their personnel do things (without even thinking about it), organizations will not reap the benefits of these best practices, and neither will their customers!

Many employees and managers see documenting their activities, processes and procedures (which is an important element for compliance audits) as:

  1. a distraction from delivery activities
  2. an expensive burden
  3. a waste of time because they don’t use them!

Many managers, I’m sorry to say, are the first to ignore the process or circumvent it rather than enforcing it during normal operation. This behaviour inevitably turns into a ‘permission’ for staff to do the same. Further, when tough gets tougher, and when the organization is facing a crisis, instructions to ‘drop the process and just fix it’ are usually issued. This is one of the major symptoms of ‘low maturity’ organizations! By the way, the process should be the best way to get out of the crisis, IF it is a good process!

Committed managers and employees should understand the real value of compliance and of certification. They need to recognise that while documenting their processes is a compliance requirement, it is not meant to be a nuisance. They need to believe that documenting the processes they use to deliver the service, and following these processes, is in their organization’s best interest, which is also in their own best interest. Documentation of these processes will secure continuity of the service in case employees (key or not) become unavailable or, in the worst-case scenario, leave the organization. These processes and activities represent the organization’s know-how, which needs to be preserved and improved over time to improve the organization’s competitive advantage!

Often, low-maturity organizations have many ‘heroes’ that replace documented processes. Some of the heroes love it because they are indispensable and because it makes them feel needed, powerful and important; others hate it because it usually puts too much pressure on them. Some of these unhappy heroes feel trapped: because they are so indispensable within their role, it is very hard for them to take breaks, they may find themselves working long hours, or they may even realise that they have little prospect of progressing or being promoted within the organization, as no one else can do what they do!

Does this sound familiar?

If you can relate to what’s discussed above, please look for my article next week called: ‘Part 2: Compliance Certification – A By-Product of Mature Organizations’. I will continue this discussion and move on to how organizations can overcome this issue organically.

Thank you for your attention!

Nevine Iskandar