Perhaps the core elements of the IAF piece are these:
"There is no such thing as self-certification. It's just an attractive catchphrase with no substance. There are also organizations that self-declare that they are ISO 9001 compliant. This phrase is at least not dishonest."
And
"Without the certification body, there's no unbiased appraisal and no evidence that a thorough assessment has even been conducted by competent individuals. Bottom line: There is no such thing as self-certification. It's just an attractive catchphrase with no substance."
The author - a certified lead assessor - quotes no evidence for this second statement. One wonders whether it's a statement of belief or the result of having audited a sample of self-certified organizations.
The thrust of the piece is that organizations that self-certify are dishonest, and that's objectionable without hard evidence.
The substance behind self-certification is simple: some clients - including substantial chunks of the British Government - will accept self-certification, treating it like an assurance. Whether that's right or wrong is a different debate, but they do it, so for many, self-certification is the way to go. Not only is it cheaper, you don't have strangers wandering around asking questions and writing findings that might, or might not, be useful. If you are confident in your own governance, why bother?
It's not just small companies either. Large organizations self-certify too; the idea that since they're large they can afford to is a myth. It's not so much the money, it's the organizational turmoil that poor auditors and findings can cause - evidenced to some extent by some of the questions here at Elsmar.
According to the Oxford English Dictionary, to certify is "to formally attest or confirm."
Neither ISO nor the IAF can claim the sole exclusive right to use words from the English Dictionary, whether Oxford, Webster's, Longman, or Chambers.
To claim self-certification might be disingenuous, misleading possibly, but dishonest? No. Dishonest is claiming accredited certification when you don't have it.
Some indeed do claim self-certification, knowing they'll mislead ignorant clients. But like any claim, until one looks behind it, one does not know if it can be substantiated or not. Nor is there evidence that all claims of self-certification are dishonest, because they aren't.
Several years ago the Board of the company I worked for fired its CEO and brought in a new one. He looked at my plans for getting us certified to ISO 9001, promoted me from something that sounded junior to Quality Director, reporting to the CEO - and said, "Pat, we're going to do everything we have to to get Certified - except we will not call in the auditors." He did not trust them, did not believe they were competent enough (he wasn't wrong; we'd had visits from two auditors from a leading accredited CB, one incompetent, the other fine). He had learned quality with Crosby and knew it well, I had learned auditing from the SEI, different style from ISO but ok, and the CEO demanded independence of mind from me - which won me few friends at work, and that was fine too. Had we gone ahead and claimed self-certification (we didn't because I had evidence we were missing key elements like contract review, planning and design review) and had I been accused of dishonesty, I would have been insulted.
Over the last seven years I've taught monthly accredited lead auditor classes in the UK. There are many companies and government institutions over here that have many, many customer requirements, some for formal certification, some for things like "treat patients and cure them" and "don't lose confidential data," and many for assurances regarding quality and information security that welcome formal certification but do not mandate it. Due to European "austerity" they are very low on funds. They can't do everything. So many self-certify - they "formally attest or confirm" that their system conforms with ISO 9001, or ISO 27001. Sometimes, their internal auditors were on my courses to learn the formal audit methods that we use in the ISO world; most passed the exam with grades commensurate with those of people entering the accredited certification world. So, contrary to the IAF writer, I have anecdotal evidence that self-certifying auditors are competent to the extent that they can pass an accredited lead auditor exam. My feeling for many of them, not all, but many, was that they would do as good a job as a CB assessor, because they knew their stuff and had personal integrity.
Middle managers, faced with too many targets, sometimes decide to forgo accredited certification. They knowingly take the risk, agree that it's not perfect but say that other programmes (e.g. caring for patients) take priority.
Some of these self-certifying organizations were short of cash due to bullying by either politicians or sociopathic commercial managers. The IAF should target these people, not the auditors doing their best in difficult circumstances.
If there are so many self-certifications, sufficient to warrant this kind of treatment, maybe they're an indication that the claims made by the accredited certification industry lack sufficient evidence of adding value and auditing itself effectively, all of which was taken as an article of faith in the IAF piece.
I think that while formal accredited certification has a useful function for some, it needs to improve its game in providing evidence it works and an open system of governance in the accreditation system. The recent ISO survey was not nearly enough because all it said, really, was that lots of people use ISO systems; it did not say how much quality had been improved as a result, or by how much exposure to security risks had been reduced.
Accusing hard-working people who choose not to use accredited CBs of dishonesty is shameful.
Just my 2c,
Pat