The PDCA Cycle: Your Blueprint for Continual Improvement

Markets shift, customer expectations evolve, and competition grows. To stay relevant, U.S. businesses must continually adapt. The PDCA cycle—Plan, Do, Check, Act—is the core model driving continual improvement in ISO standards.

Breaking Down the PDCA Cycle

  1. Plan – Identify objectives and processes.

  2. Do – Implement changes on a small scale.

  3. Check – Measure results against expectations.

  4. Act – Standardize improvements or adjust further.

This iterative cycle ensures organizations don’t stagnate but evolve systematically.

How the PDCA Cycle Benefits U.S. Businesses

When used effectively, the PDCA cycle’s continual improvement approach delivers:

  • Reduced waste and cost.

  • Faster problem-solving.

  • Stronger compliance and audit readiness.

  • Better alignment with customer needs.

One QMII client used PDCA to streamline supplier evaluations, cutting procurement delays by 25%.

Why PDCA Is Central to ISO Standards

Every ISO management system—9001, 14001, 45001—uses PDCA as its backbone. This ensures organizations embed continual improvement into their DNA rather than treating it as optional.

Embedding PDCA Into Culture, Not Just Compliance

The real challenge is making PDCA part of everyday work. Leaders must encourage teams to use the model for problem-solving, innovation, and decision-making—not just for audits.

How QMII Helps Companies Apply PDCA

At QMII, we teach companies to apply PDCA practically:

  • In management reviews.

  • During corrective actions.

  • In daily operational decisions.

This turns PDCA from theory into results.

Conclusion: PDCA as a Blueprint for Growth

For U.S. companies, the PDCA cycle is more than a tool—it’s a blueprint for agility, compliance, and long-term success.

With QMII’s support, organizations embed continual improvement at every level.

Ready to make PDCA the heartbeat of your QMS?
Explore our ISO 9001 services at www.qmii.com and turn continual improvement into a competitive advantage.

Internal Audit vs External Audit: What’s the Difference?

Many U.S. companies new to ISO standards ask the same thing: What’s the difference between an internal audit and an external audit? Understanding this distinction is critical to maintaining compliance and achieving certification.

Both audits evaluate management systems, but their purpose, conduct, and impact are very different.

What an Internal Audit Really Means

An internal audit is performed by trained employees or independent consultants on behalf of the organization. Its purpose is to:

  • Evaluate whether processes meet ISO requirements.

  • Identify weaknesses before external audits.

  • Support continual improvement.

Internal audits are often called first-party audits—a tool for learning and preparation rather than judgment.

What an External Audit Involves

An external audit is conducted by certification bodies (third-party) or customers (second-party). Their purpose is to:

  • Verify compliance with ISO standards.

  • Decide if certification should be granted or maintained.

  • Provide independent assurance to customers or regulators.

These audits carry more weight—nonconformities can delay certification or even jeopardize contracts.

Why Both Audits Are Essential for ISO Success

Some U.S. companies mistakenly focus only on external audits, cramming last-minute fixes. But without strong internal audits, issues go undetected.

In fact, QMII data shows that clients who invest in thorough internal audits see 50% fewer findings in certification audits, saving both cost and stress.

How QMII Helps Balance Internal and External Audit Readiness

At QMII, we provide:

  • Internal auditor training to build in-house capacity.

  • Mock external audits to simulate certification reviews.

  • Consulting to integrate audits into continual improvement.

This ensures companies treat internal and external audits as complementary—not separate—tools.

Conclusion: Turning Audits Into Opportunities

For U.S. businesses, understanding the role of internal and external audits helps shift the focus from “passing” to truly improving.

With QMII’s guidance, audits become opportunities to strengthen systems and build customer confidence.

At QMII, we empower teams to master both sides of the audit process. Whether you need internal auditor training, mock audit support, or help interpreting findings from a registrar, our experts are here to guide you. Don’t wait for the next audit to get ready—build a culture of readiness year-round. Explore our internal auditor training programs and tools at www.qmii.com and turn every audit into an opportunity for growth.

The Role of Leadership in ISO Management Systems

No ISO standard succeeds without leadership. In fact, ISO 9001:2015 made leadership in ISO management systems a central requirement. Why? Because leaders set priorities, allocate resources, and model behaviors that drive compliance and culture.

In U.S. businesses, where competition and regulation are intense, leadership commitment can mean the difference between a “paper system” and a living, effective one.

How Executives Shape Quality Culture

Employees follow what leaders do, not just what they say. When executives champion ISO, it signals that quality, safety, and improvement are priorities. Examples include:

  • Attending management reviews.

  • Participating in audits.

  • Communicating the value of ISO beyond compliance.

One QMII client’s CEO personally led the opening meeting of an ISO 9001 audit. The result? Auditors found an engaged, aligned organization—no “just for show” system.

The Practical Role of Leadership in ISO Systems

Leaders must:

  • Align ISO objectives with strategic goals.

  • Ensure resources and training are available.

  • Review performance regularly and act on findings.

When leaders are active, ISO systems drive results instead of sitting idle.

Why Leadership and Continual Improvement Go Hand-in-Hand

ISO isn’t static. Standards are built on continual improvement, and leadership provides the vision. By encouraging problem-solving, rewarding improvements, and holding teams accountable, leaders embed ISO as part of culture, not a separate initiative.

How QMII Develops Leadership in ISO Systems

QMII offers leadership workshops for executives to understand their roles in ISO systems. We emphasize:

  • Linking ISO to business performance.

  • Communicating effectively with employees.

  • Using management reviews as a leadership tool.

This ensures leaders don’t delegate ISO away but take ownership.

Conclusion: Leadership as the Cornerstone of ISO Success

For U.S. organizations, leadership in ISO management systems is not optional—it’s essential. Without it, systems fail. With it, ISO becomes a driver of culture, efficiency, and trust.

QMII helps leaders step confidently into this role, ensuring ISO systems deliver real value.


Explore QMII’s Leadership Awareness Workshop and take the next step in building a quality culture that starts at the top and resonates throughout your organization.

 

What is a Quality Manual and Do You Still Need One?

Documentation might not sound exciting, but for U.S. companies, a quality manual system is a critical foundation. It defines how processes are managed, responsibilities are assigned, and standards are maintained.

Without it, organizations risk inconsistencies, compliance failures, and confusion among employees.


What a Quality Manual Really Includes

A quality manual is not just a binder of policies. It’s a living document that outlines:

  • The scope of the quality management system.

  • Key processes and their interactions.

  • Roles, responsibilities, and authority.

  • References to procedures and supporting documentation.

For U.S. manufacturers or service providers, this serves as both a guide for employees and a point of reference for auditors and customers.


How a Quality Manual System Benefits U.S. Businesses

Properly implemented, a quality manual system offers:

  • Clarity: Employees know what’s expected.

  • Consistency: Processes are followed uniformly.

  • Credibility: Customers and auditors see documented control.

One QMII client in Pennsylvania used their quality manual as an onboarding tool, cutting new employee training time by 25%.

The Evolution of Manuals in Modern ISO Standards

While ISO 9001:2015 no longer mandates a traditional manual, many U.S. companies still maintain one. Why? Because it provides structure and communicates commitment to quality. The key is flexibility—manuals must evolve with the business, not become shelfware.


How QMII Helps Build Practical, Useful Manuals

We help companies avoid “paper for paper’s sake.” At QMII, we:

  • Draft manuals aligned with ISO 9001 and client operations.

  • Train teams to maintain and update manuals effectively.

  • Ensure documentation adds value rather than bureaucracy.

Conclusion: The Quality Manual as a Roadmap

For U.S. companies, a quality manual system is more than documentation—it’s a roadmap for consistency and improvement.

With QMII’s guidance, organizations create manuals that support compliance and drive performance.

How to Build an Effective Corrective Action System (CAS)

Every U.S. company faces recurring problems—whether it’s defective products, customer complaints, or compliance findings. Without structure, these issues keep coming back.

That’s why building an effective corrective action system (CAPA) is essential. It prevents recurrence, saves costs, and demonstrates a culture of accountability to regulators, auditors, and customers.

The Difference Between Quick Fixes and True Root Cause Analysis

Too often, companies treat corrective actions as short-term fixes. Replace the faulty part, retrain an employee, move on. But without digging into root causes, problems resurface.

An effective system uses tools like the “5 Whys” or fishbone diagrams to identify the underlying reason. For example, a QMII client in Virginia traced repeated machine breakdowns not to operators but to poor preventive maintenance scheduling—a deeper issue only uncovered through analysis.

How an Effective Corrective Action System Reduces Risk

For U.S. companies, CAPA systems do more than solve problems. They:

  • Reduce liability by documenting proactive responses.

  • Build customer trust through visible accountability.

  • Lower costs by preventing expensive repeat errors.

According to NIST, U.S. manufacturers lose 20–30% of revenues annually due to inefficiencies and quality issues—many of which could be prevented with robust CAPA systems.

Integrating Corrective Actions Into ISO Management Systems

ISO standards like ISO 9001 and ISO 45001 require structured corrective actions. By aligning CAPA with these standards, companies not only comply but also build resilience.

This means documenting findings, verifying effectiveness, and closing actions only when results are sustainable—not just when auditors leave.

How QMII Helps U.S. Companies Build Effective CAPA Systems

At QMII, we train teams to treat corrective actions as learning opportunities. Our approach includes:

  • CAPA workshops with hands-on problem-solving.

  • Root cause analysis coaching.

  • Integration of CAPA into management reviews and audits.

Conclusion: Corrective Action as a Driver of Continual Improvement

For U.S. companies, an effective corrective action system is more than compliance—it’s a competitive advantage. It reduces risks, saves costs, and strengthens trust.

With QMII’s support, businesses turn problems into opportunities for improvement.

We’ve seen clients cut repeat nonconformities by 50% or more after adopting structured systems.

Ready to strengthen your corrective action process? Contact QMII and take the first step toward a more resilient, compliant, and high-performing organization.

CAPA Missteps: Common Root Cause Analysis Errors and How to Avoid Them

Why Is CAPA Often Poorly Implemented Despite Being Widely Used?

After more than 25 years of collaborating with various organizations—from maritime shipping firms to aerospace manufacturers—on implementing management systems, I’ve noticed a recurring theme: Corrective and Preventive Actions (CAPA) are often misunderstood. It’s quite ironic that something so crucial for continuous improvement is frequently one of the most misused tools in the ISO management systems toolkit. CAPA isn’t merely a bureaucratic checkbox; it’s a mindset, a methodology, and ultimately, a culture of accountability.

Unfortunately, many organizations treat it as just another piece of paperwork to appease auditors. They may go through the motions, but they fail to instigate genuine change.

Let’s take a closer look at why that happens—and more importantly, how to fix it.

The Cost of Superficial Fixes:

I remember a time when I was called in to help a major mass transit agency that was struggling with ongoing maintenance problems. Each time something went wrong, the solution was always the same: retrain the operator. But guess what? The issues kept coming back. It turned out that the maintenance procedures hadn’t been updated, and the work instructions were outdated by months.

It was easy to point fingers at the operator, but that was just plain wrong. Superficial fixes might look good on paper, but they don’t tackle the real problems. It’s like putting a band-aid on a leaking pipe without checking for other underlying issues. The outcome? The same problems keep popping up, resources get wasted, and everyone walks around with a false sense of security.

Common Errors in Root Cause Analysis:

Jumping to Solutions

We’re all guilty of this at times—spot a problem and rush to fix it. But without understanding the “why,” we risk solving the wrong issue. In one case, a logistics firm experiencing delays due to system outages assumed the software was buggy. After proper analysis, the real cause was network throttling due to unauthorized video streaming on company bandwidth!

Lesson: Solutions without root cause understanding are just guesses.

Blaming People Instead of Systems:

In one manufacturing plant I worked with, a new hire mistakenly loaded the wrong metal alloy into the CNC machine, leading to costly rework and a delayed delivery. Management’s first reaction? “He should’ve known better.”

But when we stepped back and looked at the process, here’s what we found:

  • The labeling on the raw material bins was faded and inconsistent.
  • There was no standardized material verification step before machining.
  • The onboarding training skipped over the material identification process because “it’s common sense.”

Blame fixes nothing. Systemic fixes change everything.

Using the Same Method for Every Problem:

The 5 Whys are fantastic—for simple issues. But try applying them to a supply chain failure involving multiple vendors, customs delays, and technical documentation errors? You’ll be asking “why” until you’re blue in the face.

Not every problem is a nail. Don’t always reach for the same hammer.

Choosing the Right RCA Tool:

Depending on the complexity and scope of the issue, we have a rich toolbox at our disposal:

  • 5 Whys – Great for linear, single-cause problems.
  • Fishbone Diagram (Ishikawa) – Excellent for visualizing categories of causes.
  • Fault Tree Analysis (FTA) – Ideal for safety-critical, high-risk industries.
  • Pareto Charts – Help prioritize based on frequency or impact.

When dealing with aviation or space projects, for example, I always recommend tools taught in our AS9100 Lead Auditor Training, which delve into aerospace-specific risk analysis techniques.

Match the tool to the problem’s complexity and impact—not the other way around.

Getting the Problem Statement Right:

You can’t fix what you can’t clearly define. Vague problems lead to vague solutions. A good problem statement is:

  • Specific – “Three customer complaints about product X’s connector” is better than “Product issue.”
  • Observable – Use facts and evidence.
  • Measurable – Define the extent of the issue (e.g., “Occurred in 20% of units”).

Avoid assumptions like “we think” or “it might be.” Those are great for brainstorming—not for RCA. An Is / Is Not analysis is a great tool to better define the problem.

Digging Deep into Causes:

Problems rarely have a single root. Like an iceberg, the visible issue is just the tip.

In one factory I worked with, a rejected shipment of components wasn’t due to operator error alone. Digging deeper revealed outdated work instructions, a backlog of maintenance tickets, and a perverse incentive scheme that rewarded speed over quality.

To truly solve a problem, gather data, build a timeline, and identify all contributing factors. Be like an investigator, not a judge.

Validating Root Causes:

Before implementing a fix, ask: “If we fix this, will the issue recur?” If the answer isn’t a confident “no,” you haven’t found the true root cause.

This is where engaging front-line personnel becomes invaluable. They know the process intricacies that top management often overlooks. I’ve seen junior machinists point out insights that saved companies millions. Invite their input. Validate assumptions. Test hypotheses. And if you’re not sure how to go about it, our Root Cause Analysis Problem Solving Workshop is a great place to get hands-on with these techniques.

Corrective and Preventive Actions:

Corrective: Fix the Issue

Corrective actions address the immediate problem. They are reactive and necessary. But stopping there is like drying the floor without fixing the leak.

Preventive: Make Sure It Never Happens Again

Preventive actions are proactive. They address systemic weaknesses before failure occurs. A preventive culture requires foresight, data analysis, and sometimes, bold changes.

Mistake-Proofing Techniques

Use poka-yoke (error-proofing) wherever possible. In a shipboard application, we installed a foolproof valve handle shape that could only turn one way—no room for operator confusion. Automation, too, helps eliminate manual error (though it introduces its own risks if not carefully controlled).

CAPA must do more than fix. It must transform.

Conclusion: CAPA as a Culture, Not a Form:

At its heart, Corrective and Preventive Actions (CAPA) isn’t about forms, checklists, or satisfying auditors. It’s about embedding resilience, learning, and continuous improvement into your organization’s DNA.

By avoiding RCA missteps and using the right tools, we move from reactive firefighting to proactive risk management. We stop blaming people and start improving systems. We evolve from fixing problems to preventing them altogether.

The most effective organizations I’ve worked with don’t see CAPA as a task. They see it as a way of thinking—one that builds institutional memory, elevates performance, and wins the trust of customers, regulators, and employees alike.

And that, I’d argue, is the real measure of quality.

Systems Thinking in Action: Solving Cross-Functional Problems Without the Blame Game

Successful organizations—like seaworthy vessels—are built on systems that work harmoniously. But too often, when problems arise, the knee-jerk reaction is to find someone to blame. Instead, if we bring systems thinking to the forefront, especially in ISO-driven environments, we not only solve problems—we prevent them from recurring. Let’s explore how.

What Is Systems Thinking and Why It Matters in ISO-Driven Environments

Systems thinking is an approach that views an organization as a cohesive whole rather than a collection of isolated parts. In the world of ISO management systems—particularly ISO 9001, AS9100, and ISO 14001—systems thinking is not just a buzzword. It’s embedded in the standards themselves. Clause 4 of ISO 9001, for instance, urges organizations to understand their “context” and identify internal and external issues impacting their system. That’s systems thinking in action.

In environments driven by ISO standards, systems thinking is critical because the standards mandate interrelated processes that must deliver consistent, quality outcomes. Take AS9100, for instance. In the aerospace sector, one missing bolt or procedural oversight can have catastrophic consequences. Integrating systems thinking through QMII’s AS9100 Lead Auditor Training not only enhances compliance but drives real-world performance.

The Dangers of Siloed Problem-Solving

In organizations that operate in silos, departments function like separate compartments on a ship—each one doing its part, but often unaware of how their actions impact the entire vessel. When issues arise, the blame tends to fall on whoever seems to be “in charge” of the problem. This could be procurement, logistics, or quality control. Yet, we seldom pause to consider, “What’s the real system failure at play here?”

How did the system let down the individual? Take, for instance, a manufacturing company I worked with where quality issues kept surfacing. Most of these problems were attributed to “operator error,” but the deeper issues were rooted in poor communication between design and production, mismatched supplier expectations, and insufficient risk assessments. Trying to fix just one operator’s process was like trying to patch a single leak on a hull riddled with holes.

Characteristics of Cross-Functional Problems

Cross-functional problems have certain telltale signs:

  • Multiple Causes: These issues rarely have a single point of failure. Instead, they stem from breakdowns across various functions. One department’s shortcut becomes another’s nightmare.
  • Misaligned KPIs and Ownership Confusion: When each team is measured in isolation, KPIs become counterproductive. Sales may celebrate high volumes, while production struggles with unrealistic timelines. Nobody “owns” the overall customer experience.

In my maritime days, we had a saying: “Every leak has a story.” Cross-functional issues are like leaks with ten storytellers—each pointing in a different direction.

Shifting from Blame to Curiosity

One of the most powerful shifts systems thinking brings is from blame to curiosity. Instead of asking, “Who messed up?” we start with, “What’s happening in the system that allowed this to occur?”

Consider a delayed product delivery. A traditional response might be to reprimand the shipping department. But a curious, systems-oriented approach asks:

  • Was procurement late in ordering materials?
  • Did the production line face bottlenecks due to unanticipated demand?
  • Were quality checks slowing down dispatch due to rework?

This mindset shift encourages transparency and continuous improvement.

Tools That Enable Systems Thinking

To support this shift, a number of tools help visualize and analyze systemic issues:

  • 5 Whys: A deceptively simple tool that drills down to root causes.
  • Ishikawa (Fishbone) Diagram: Maps potential cause categories—man, method, material, machine, and more.
  • SIPOC (Suppliers, Inputs, Process, Outputs, Customers): Clarifies end-to-end process flows.

Using these tools fosters holistic problem-solving that sticks. 

Case Study: The Curious Case of Delayed Deliveries

Let me share a real-world example. A client in the defense manufacturing space faced repeated late deliveries. Initially, logistics bore the brunt. But when we applied systems thinking, using a Value Stream Map and 5 Whys, a different picture emerged:

  1. Logistics wasn’t notified until the final production stage—too late to arrange optimal shipping.
  2. Production schedules were unpredictable due to fluctuating part availability.
  3. Procurement lacked real-time visibility into stock levels.
  4. Planning was reactive because sales forecasts were inaccurate.

The “fix” involved cross-departmental process mapping, better data integration, and realigned KPIs. The result? On-time delivery rates jumped by 40% in six months—and not one person had to be blamed or replaced.

Enabling Systems Thinking Culturally

To embed systems thinking, organizations must foster it at every level:

  • Training Across Levels: Not just managers, but frontline employees must understand how their work affects the system. Training like QMII’s Lead Auditor Course cultivates this awareness by linking audit findings to system-level insights.
  • Leadership Role Modeling: Leaders must model the behavior they wish to see. That includes admitting when they don’t have all the answers and encouraging system-level reflection.

In my experience, cultural change begins when leaders ask “what happened in the system?” instead of “who dropped the ball?”

Using ISO 9001 as a Backbone

ISO 9001 naturally supports systems thinking through:

  • The Process Approach (Clause 4.4): Encourages understanding interactions between processes.
  • Performance Evaluation (Clause 9): Drives use of data to assess system effectiveness.
  • Continual Improvement (Clause 10): Promotes learning from failures.

When Clause 4 (Context of the organization) is used in tandem with Clause 10 (Improvement), organizations close the loop. They adapt not just policies and processes, but the system’s capacity to evolve.

KPIs That Support Whole-System Health

Traditional KPIs often pit departments against each other. A more systems-thinking-aligned approach starts with the vision and policy of the organization. Determining measurable organizational objectives and sub-goals from these then helps align the organization around the same goals.

In one project, shifting from “defects per station” to “right-first-time rate across the full process” unified departments around shared goals.

Conclusion: Solving Problems Without Turf Wars

Systems thinking isn’t just a problem-solving approach—it’s a cultural orientation. When organizations move from finger-pointing to process-mapping, from silos to systems, they unlock resilience and agility. In ISO-driven environments, this is not just beneficial—it’s essential.

Let systems thinking become your organization’s default operating mode. The next time a crisis hits, don’t ask “Who’s at fault?”—ask “What does the system reveal?”

By embracing systems thinking, we move from chaos to clarity—together.

Internal Audits That Drive Value: Moving From Policing to Partnering

For many organizations, internal audits often come with a collective sigh—just another box to check, a “necessary evil” to keep that ISO certificate in good standing. I’ve witnessed the anxious glances, the frantic last-minute document shuffling, and the pre-audit nerves. It’s a bit like being on a blind date, isn’t it? It feels as though the auditors are arriving with magnifying glasses and gavels, on the hunt for any little flaw. But this kind of thinking not only diminishes the real value of audits—it also deprives organizations of one of their most powerful tools for improvement.

As a consultant with years of experience in the maritime and manufacturing industries, I’ve navigated the audit process, endured tense debriefs, and seen how audits can transform from fear-filled events into valuable conversations. The key to this transformation? Shifting from a mindset of policing to one of partnership.

Perception of Audits as a “Necessary Evil”

The term “audit” often brings to mind scrutiny, judgment, and paperwork. This perception is rooted in how audits have traditionally been conducted: checklist-driven, compliance-obsessed, and focused on what’s wrong rather than what can be better. Perhaps these were more inspections than audits, and perhaps they were carried out by inspectors moved into auditor roles without any formal training such as QMII’s ISO 14001 Lead Auditor training. For some, audits feel punitive, as if the aim is to catch people failing rather than help systems succeed.

I recall a manufacturing facility where the internal audit was treated like a fire drill. Staff scrambled to “look compliant,” while actual process improvement took a backseat. Unsurprisingly, audit fatigue was high, and few saw the value in the exercise. Something had to change.

Repositioning Audits as Improvement Catalysts

The first step to transforming audits into valuable tools is to change how we view them—not just as ‘compliance’ checks, but as chances for improvement. Internal audits should spark conversations about what’s working, what’s not, and how we can enhance our processes.

For instance, one manufacturing client revamped their strategy by integrating auditors into process walk-throughs, prompting them to ask: “How does this process contribute to our goals?” This simple shift—from merely enforcing rules to delving into relevance—led to enlightening discussions and genuine innovation.

Defining the Auditor’s Role: Partner, Not Police

To create value, internal auditors must adopt the role of a partner, not a policeman. The goal is not to “catch” people but to coach them. Auditors should walk in as critical friends—those who care enough to be honest, but who also seek understanding before judgment.

This “critical friend” mindset requires emotional intelligence. It means balancing candor with curiosity and being willing to say, “Help me understand why this is done this way,” rather than, “This doesn’t comply.”

Designing Value-Driven Audits

Traditional audits often reduce processes to checkboxes. But in a dynamic, risk-filled world, checklists cannot capture complexity. Valuable internal audits are process-based, exploring how work flows across departments, where handoffs occur, and where risk hides.

For instance, in a logistics operation I supported, a process-based audit revealed that delays weren’t due to faulty documentation (the checklist item), but due to misaligned scheduling between inbound and outbound teams. The issue wasn’t conformance—it was communication.

Equally important is to make audits risk-focused. Instead of asking “Are we following the procedure?”, ask, “Where could this process fail—and what would be the impact?” This moves the conversation from hindsight to foresight.

Audit Planning with Purpose

Not all processes need the same audit attention all the time. Value-driven audits begin with strategic planning—choosing audit topics that align with business objectives, customer feedback, or recent changes. This targeted approach makes audits relevant to leadership and operational staff alike.

Rotating internal auditors is another powerful lever. When fresh eyes look at familiar processes, blind spots become visible. A new auditor may ask questions that long-timers have stopped considering.

Conducting Insightful Audits

During the audit itself, the tone matters. Avoid the trap of interrogation. Instead, engage in a constructive dialogue. People are more forthcoming when they sense genuine curiosity and trust.

Rather than focusing solely on inputs (“Do you have a procedure?”), audit outcomes and interfaces. For example, are the intended results being achieved? How does this department’s output affect the next? This approach surfaces systemic issues—not just isolated gaps.

Post-Audit Follow-Up: Driving Sustainable Change

An audit’s impact depends on what happens next. Action plans must be co-created with process owners, with clear timelines and responsibilities. Ownership drives accountability.

But more importantly, focus follow-ups on systemic improvements, not just quick fixes. I often ask clients, “What failed in the system that allowed this issue to occur?” This is where tools like root cause analysis become critical. (Explore our Root Cause Analysis Problem Solving Workshop).

Building Auditor Capability

A good auditor is not just trained—they’re coached. Organizations should invest in auditor development that emphasizes not only the ISO standards, but also empathy, systems thinking, and curiosity.

At QMII, our ISO 9001 Lead Auditor Training equips auditors not just to assess compliance, but to facilitate improvement conversations. We teach them to listen deeply, question intelligently, and navigate complex organizational dynamics with tact.

Conclusion: Internal Audits as Management’s Mirror

Internal audits, when done right, reflect the truth of how the system operates—not how it was designed to operate. They act as a mirror for management, revealing blind spots, cultural barriers, and improvement opportunities.
Let’s move away from audits that induce fear toward those that inspire insight. Let’s make audits sought-after activities—not just tolerated ones. By embracing the partner mindset, designing risk-based audits, and investing in auditor capability, we can make internal audits not just a means to keep certification, but a catalyst for transformation.

Domestic Passenger Vessel Accidents Are Preventable Using a Management System (Part Two)

Dr. IJ Arora:

In the first part of this two-part article, we began to consider the key commonality of accidents involving domestic vessels such as the Conception and the Spirit of Boston, namely, the absence of a fully functional management system. Here in part two, we will examine this in more depth from the perspective of the Plan-Do-Check-Act (PDCA) cycle.

Emphasizing a proactive safety culture and systematically addressing risks can greatly enhance safety in the domestic passenger vessel industry. By being vigilant and forward-thinking, companies can significantly reduce the likelihood of accidents and ensure the well-being of both crew and passengers. A comprehensive systems approach that prioritizes safety at all levels is essential for fostering a resilient maritime environment.

As a consultant with almost four decades of experience, I feel that my emphasis on fostering a proactive safety culture within the domestic passenger vessel industry is both timely and essential. The sector has historically witnessed incidents that stem not just from operational failures but from lapses in systematic risk management. The simple PDCA cycle makes risk appreciation essential and helps create a proactive management system. A proactive safety culture is not reactionary, but anticipatory. It is focused on identifying and mitigating risks before they evolve into incidents.

In domestic passenger operations, where crew and passengers coexist in dynamic and sometimes unpredictable environments, the safety culture must be leadership-driven, with management exemplifying and enforcing safety values. It must also be behavior-based, encouraging crew to speak up about near-misses or unsafe practices. An environment for quality, health, safety, and security must be built and maintained. The overall management system must be systems-supported, with procedures that make it easy to report, track, and correct hazards. A genuine safety culture is evident when every level of the organization—from executives to deckhands—considers safety an integral part of their responsibilities, not an afterthought.

Right at the start of the PDCA cycle, at the Plan stage, organizations must commit to identifying, evaluating, and mitigating risks. This is not just a best practice, but a requirement under clause 6.1 of ISO 9001:2015, which requires “… actions to address risks and opportunities.” It emphasizes understanding internal and external issues and planning actions accordingly to mitigate risk. In a similar vein, clause 8 of the ISM Code requires organizations to evaluate all identified risks to their ships, personnel, and the environment and establish appropriate safeguards. Failure to account for risks at this stage can cascade into the Do stage, with flawed procedures or untrained personnel resulting in increased chances of accidents.

In a systems approach it should be completely unacceptable to transfer uncertainty to the crew. Uncertainty in procedures, poorly defined emergency roles, or ambiguous hazard controls lead to hesitation and confusion during critical moments. The vessel crew should never be the first line of discovery for unanticipated risks. The shore-based organization must do the heavy lifting in identifying, documenting, and training for these risks. This principle aligns with clause 5 of the ISM Code, which mandates the establishment of safe practices in ship operations and a safe working environment.

Systemic safety as a shield against repetition must be created from lessons learnt. Clause 7.6 of ISO 9001 on knowledge is relevant and a requirement. As can be seen from various NTSB investigation reports, many vessel accidents share common causal factors: complacency, procedural lapses, miscommunication, or design flaws. These can be mitigated when a systems approach is employed linking technical systems, human factors, procedures, and training into one cohesive safety net. Lessons learned from past accidents are institutionalized not just in the safety management system (SMS) but in organizational memory and training routines.

Most importantly, risk appreciation must be the foundation of resilience. The ability to appreciate (not just assess) risk is what distinguishes a compliant company from a truly resilient one. Appreciating risk means embedding foresight into the organizational DNA, training teams to ask, “What if?” before a situation turns critical. This should holistically lead to and support the creation of maritime systems that do more than tick boxes—they save lives.

Applying the PDCA Cycle

Connecting these insights to the 2019 Conception tragedy not only reinforces the urgency of implementing a proactive safety culture but also illustrates precisely how systemic failures in risk appreciation, planning, and organizational accountability can lead to devastating outcomes.

As you will recall, the dive boat Conception caught fire while anchored off Santa Cruz Island, California. This resulted in the deaths of 34 people, which was the deadliest domestic maritime disaster in modern California history. The victims were asleep in a bunkroom below deck, and none of them survived. Only five crew members escaped. This tragedy was a catastrophic failure of planning, risk management, and safety culture.

The Conception disaster links clearly to a breakdown in the PDCA cycle, as follows:

  • Plan. Inadequate risk appreciation was a vital failure. There was no comprehensive risk assessment identifying the dangers of leaving charging lithium-ion batteries unattended overnight in a confined space. The lack of clearly marked and accessible escape routes was a known risk that was neither mitigated nor escalated. There was no SMS, nor was one legally required for that vessel. Still, a proactive operator would have voluntarily implemented one. As has been said, “Failing to plan is planning to fail,” and in this case, a lack of foresight into fire hazards, emergency egress, and nighttime watchkeeping was fatal.
  • Do. Lapses in implementation are apparent and have been pointed out in the NTSB report. A night watchman was required by regulation and the vessel’s certificate of inspection but was not on duty. The crew had no fire detection system below deck that could alert sleeping occupants of danger. Emergency drills and preparedness procedures were either nonexistent or insufficiently enforced.
  • Check. The investigators saw no monitoring or audit mechanisms. The vessel operator, Truth Aquatics, had no self-checking mechanism for compliance with watchkeeping requirements. There was no internal audit or reporting structure that caught repeated violations, such as skipping the night watch.
  • Act. This final stage of the PDCA cycle is intrinsically connected to leadership both ashore and at sea. However, there was almost a complete absence of any corrective action, despite past observations and near-miss warnings about battery charging risks and poor escape routes. The organization normalized deviation, operating under the illusion of safety through habit.

Failure to appreciate risk is a violation of ISO 9001 and ISM principles. The Conception incident demonstrates how not appreciating risk in the Plan stage—especially related to emerging threats like battery fires—can result in fatal vulnerabilities. Had a formal risk-based approach been followed, battery charging, watchkeeping, and egress issues would have been flagged and corrected.

Mitigating risks with an SMS

Although not mandated for this class of vessel, the absence of an SMS and risk-based approach violated the spirit of the ISM Code. Clause 8 calls for evaluating all risks and preparing for emergencies. The lack of a nighttime watch, poor escape design, and no contingency procedures represent failures in both design and culture.

The failure to appreciate hazards and risks by the organization on shore was passed to the crew and passengers, who paid for it with their lives. Passengers had no idea there was no overnight watch, a basic safety expectation. The crew was not empowered with procedures or tools to manage an emergency, placing them in an impossible position once the fire began. I therefore emphasize “companies cannot pass uncertainty to those on board.” The burden of risk must be identified, mitigated, and managed ashore, before the ship even leaves port. All that was required was a proper management system, resourced and implemented effectively and efficiently.

By not having an SMS, organizations are ensuring that there is no safety net in case the worst occurs! A comprehensive, systems-based approach could have identified the risk of charging batteries and flammable materials in confined quarters and ensured continuous watchkeeping practices were in place. The SMS would have required mandated drills, escape route evaluations, and fire detection systems. Simple internal audits would have perhaps given the management the inputs to ensure continual improvement and planned a system to ensure compliance. This would have embodied the PDCA cycle, where each stage feeds the next with learning, foresight, and action.

Conclusion

My final thought on lessons written in loss and tragedy is that having a system is the least those charged with entertaining people can do to guarantee that lives are not lost. The Conception tragedy in particular is a grim testament to what happens when safety is assumed rather than engineered. The call for a systems approach rooted in proactive risk appreciation is exactly the kind of thinking needed to prevent another such disaster.

My argument for the mandated or voluntary adoption of an SMS in the domestic passenger vessel sector draws on evidence from NTSB investigations and international best practices. Domestic passenger vessels, though subject to U.S. Coast Guard inspection regimes, are often not required to implement a formal SMS. This omission has led to repeated safety lapses where identifiable risks were not systematically mitigated. As we have seen, the consequences of such lapses can often be fatal.

It is time for the overall national policy to encourage the U.S. Coast Guard to extend SMS requirements to large domestic passenger vessels and establish tiered SMS models scalable by vessel type and operation. To the industry czars, my recommendations are to encourage industry bodies to provide incentives and recognition for SMS adopters and to promote voluntary adoption through education and resource support. To the organizations and companies operating in domestic U.S. waters, I suggest these company-level actions:

  • Begin voluntary SMS implementation aligned with ISO or ISM principles.
  • Train personnel in the PDCA methodology.
  • Perform internal audits and hazard reviews regularly.

The tragedy of the Conception and the other incidents we have discussed reveal that compliance alone does not ensure safety. Only a structured, systems-based approach can prevent recurrence. It is time for the domestic passenger vessel industry to adopt SMS—not only as a regulatory checkbox but as a foundational safety ethos.

Note – The above article (Part 2) was recently published in an Exemplar Global publication – ‘The Auditor’


The Hidden Costs of Ignoring Risk-Based Thinking in Management Systems

What Is Risk-Based Thinking and Why It Matters

Risk-based thinking is more than a procedural requirement; it’s a mindset shift that organizations must embrace to survive and thrive. Defined within ISO standards such as ISO 9001 and ISO 14001, risk-based thinking requires organizations to proactively identify and address potential threats and opportunities that could impact their ability to achieve objectives. The concept is not new.

In one of my early consulting projects in the manufacturing industry, I was part of a team helping a small machine shop align their operations with ISO 9001. Though certified, they lacked a framework for anticipating quality failures. The real issue wasn’t poor workmanship; it was the absence of a proactive, structured way to assess and mitigate risks. This experience drove home the importance of risk-based thinking not just as a compliance checkbox, but as a strategic advantage.

Cost of Non-Compliance vs. Cost of Reactive Management

Organizations that adopt ISO standards sometimes focus narrowly on compliance. But the greater cost comes not from failing an audit, but from waiting until something goes wrong.

Compliance-related penalties (e.g., fines, sanctions) are visible and immediate. But the costs of reactive management (lost time, rushed fixes, disrupted operations) are often far greater and longer lasting.

ISO standards advocate for preventive planning over reactive response. Clause 6 of ISO 9001, for instance, requires organizations to “determine risks and opportunities that need to be addressed” to ensure the quality management system achieves its intended results.

Types of Risks in Organizations

ISO management system standards recognize that risks come in different forms and require different strategies to address. Two of the most significant categories are:

Strategic Risks

Strategic risks are long-term and affect the organization’s mission, vision, and market position. ISO identifies these as risks that could:

  • Derail the achievement of objectives
  • Misalign the organization’s purpose with stakeholder needs
  • Affect the viability of the business model

Examples include:

  • Entering a new market without proper analysis
  • Failing to adapt to climate and other regulations
  • Shifting away from customer-focused innovation

Strategic risks require top-level leadership engagement and often intersect with broader governance and environmental planning efforts.

Operational Risks

These are day-to-day risks that affect how work gets done. ISO links operational risks to the “performance of processes” and the “delivery of conforming products and services”. They are typically localized, immediate, and easier to control.

Examples include:

  • Machine breakdowns
  • Supplier delays
  • Human errors in production or inspection

Operational risks are typically owned by middle managers or process owners and require timely mitigation using process controls, training, and monitoring.

Emerging Risks: Cybersecurity, Supply Chain, and ESG

In line with Clause 4 (Context of the Organization), ISO encourages awareness of external and emerging risks, including:

  • Cybersecurity threats (especially relevant in ISO 27001)
  • Supply chain instability due to geopolitical shifts or pandemics (relevant in ISO 28000)
  • Environmental, Social, and Governance (ESG) trends influencing investor and consumer behavior

Organizations that fail to anticipate and plan for these types of risks often experience cascading failures that affect both strategic and operational layers.

Direct Costs of Ignoring Risk

The financial impact of ignoring risks shows up quickly and painfully:

  • Product Recalls

In one renowned case, a food manufacturer lacked robust supplier risk assessments. A contaminated ingredient batch led to a full product recall. The consequences weren’t limited to the cost of disposal and refunds; they included shelf space loss and reputational harm that took months to repair. We have seen similar examples in the medical device industry as well.

  • Customer Dissatisfaction

Service businesses often overlook operational inconsistencies. A failure to plan for peak demand or under-trained frontline staff can quickly erode customer satisfaction, leading to loss of loyalty and negative reviews.

  • Downtime and Disruption

Ignoring equipment wear-and-tear or failing to conduct proper hazard analyses leads to unplanned downtime. Each hour of disruption in critical industries (e.g., aviation, medical manufacturing) can result in enormous opportunity costs.

Indirect and Long-Term Costs

Ignoring risk-based thinking also causes deep, long-term damage that isn’t always captured in financial statements:

  • Brand Erosion

Negative headlines or safety incidents can reduce customer trust overnight. Rebuilding a brand damaged by poor foresight is time-intensive and costly.

  • Talent Turnover

Employees want to work in organizations where their safety and professional risks are acknowledged and addressed. If teams feel their concerns are ignored, turnover increases, taking valuable knowledge and continuity with them.

  • Innovation Paralysis

In cultures without risk-based thinking, teams are punished for failure rather than rewarded for initiative. This kills innovation. ISO’s emphasis on addressing both risks and opportunities encourages organizations to take calculated, informed risks that drive growth.

How ISO Standards Embed Risk Thinking

ISO standards don’t just encourage risk thinking—they structurally embed it into the management system framework.

Clause 6: Planning Actions to Address Risks and Opportunities

This clause requires organizations to:

  • Identify risks that could affect product conformity or customer satisfaction
  • Evaluate their significance
  • Plan actions proportionate to their impact

For ISO 14001, this means evaluating risks related to environmental impact. For ISO 9001, it involves risks to product or service quality. The result is a cohesive, organization-wide approach to managing what matters most.

Clauses 9 & 10: Monitoring, Learning, and Improving

Clause 9 (Performance Evaluation) calls for:

  • Monitoring whether risk responses were effective
  • Auditing risk controls
  • Reviewing trends in performance

Clause 10 (Improvement) closes the loop:

  • Non-conformities trigger investigations
  • Lessons learned from failures feed back into planning
  • Risk registers are continuously updated

Together, these clauses help organizations evolve from static compliance to dynamic foresight.

Enabling Risk Thinking in Teams

Risk-based thinking must live beyond the boardroom. Empowering operational teams is essential:

Training in Early Detection

Teams should be trained to identify weak signals—those early indicators that something might go wrong. In a plant I worked with, rising absenteeism flagged deeper issues in work conditions, preventing a potential labor crisis.

Using Root Cause Analysis Proactively

RCA tools such as Ishikawa diagrams shouldn’t be limited to incident response. Used proactively, they can prevent escalation of small issues into systemic failures.

Cross-Functional Risk Reviews

Risks often span functions. A procurement delay can become a customer complaint; a security loophole can become a safety incident. Cross-functional reviews foster transparency and collaboration, encouraging joint ownership of risk.


Conclusion: From Firefighting to Foresight

Risk-based thinking is not just a best practice; it’s a competitive advantage. Organizations that wait for risks to materialize will always be in “firefighting” mode, while those who embrace foresight will innovate, adapt, and grow.

As ISO continues to evolve, so must we. Risk is no longer something to avoid; it is a lens through which future-focused organizations make better decisions. ISO helps lay that foundation. The rest is up to us.