Hope Is Never A Plan

Wishful thinking is fine, but it rarely achieves positive results in professional settings. The best path to reach a desired outcome is to implement a structured, process-based management system. It is not a guarantee of success, but if implemented by competent and motivated teams, such a system allows the organization to produce conforming products and services and embrace continual improvements.

I often hear from leadership about their faith in the power of hope, but my experience tells me that hope is never a plan. For those who believe in hope, my advice is to base it on a well-designed management system. There is no need to re-invent the wheel. ISO standards exist for management teams to use.

In organizations of every size, across industries and borders, there is often an invisible reliance on hope. Leaders hope customer complaints will decline. Managers hope processes will perform as intended. Teams hope risks won’t materialize.

Hope can inspire, but it cannot control outcomes. It is not a strategy, and it is certainly not a plan. In contrast, a good management system transforms that hope into structured action, measurable results, and continual improvement.

A Better Way

At my organization, we have long stressed (and said) “Hope is never a plan.” The plan—the real plan—is embedded in the process-based management approach that underlies ISO 9001 and other international standards. This approach replaces uncertainty with understanding and reactivity with resilience.

The problem with hope as a strategy is there is no plan. In times of uncertainty—economic shifts, market volatility, supply chain disruptions—many organizations fall back on hope as a substitute for planning.

However, in my experience, success is built upon the foundation of a process-based management system. Remember the wise words of Deming: “A bad system will beat a good person every time.” The process approach, central to ISO 9001 and mirrored in ISO 14001, ISO 45001, and numerous other ISO standards, recognizes that results come from well-managed processes.

The journey from wishful thinking to structured management is embodied in the process approach, which was first formalized in ISO 9001:2000 and reinforced in ISO 9001:2015. The standard recognizes that consistent, predictable results arise from well-defined and managed processes, not from chance. In particular, sub-clause 4.4 of ISO 9001:2015 requires organizations to establish, implement, maintain, and continually improve a management system, including the processes needed and their interactions.

Where hope says, “Let’s see how it goes,” a process-based system asks:

  • What inputs are required, and what outputs are expected?
  • Who is responsible for the process?
  • What resources and controls are necessary?
  • How will we measure performance?

This thinking moves an organization from reacting to problems to controlling the variables that create success. Rather than managing departments or reacting to problems, organizations use the process approach to:

  • Define interrelated processes that deliver outputs valuable to customers and stakeholders (sub-clause 4.4.1).
  • Identify inputs, activities, and controls within each process (sub-clause 4.4.1).
  • Establish measurable objectives and performance indicators (sub-clauses 6.2 and 9.1.3).
  • Use data and analysis to drive decisions.

This approach replaces hope with evidence, accountability, and continual improvement.

Plan, Do, Check, Act (PDCA) and the Importance of Leadership

The PDCA cycle implies planning as the basis for turning vision into reality. Clause 6 emphasizes “Planning,” i.e., the transformation of organizational context (sub-clauses 4.1 and 4.2) and risks (sub-clause 6.1) into actionable objectives and opportunities for improvement:

  • Risks and opportunities (not just reacting to issues)
  • Resources and competence needed to achieve results
  • Process interactions that maintain flow and consistency
  • Measurable outcomes that guide continual improvement

In this framework, hope is replaced by proactive thinking, i.e., identifying what could go wrong and preparing responses before it happens. This is far superior to a reactive approach. Of course, in the initial functioning of the management system, any non-conformances (NCs) found will drive corrective action. However, once data accumulate (based on closed NCs and other monitoring and analysis), those data will drive the identification of risks and trends and enable a proactive system.

Leadership plays a very important part in the success of an organization. From slogans to systems, true leadership is not about motivational statements but about embedding systems that work even when leaders aren’t watching.

Leaders demonstrate commitment by:

  • Integrating the management system into business strategy (sub-clause 5.1.1c)
  • Promoting process ownership and accountability
  • Ensuring alignment of policies (sub-clause 5.2), objectives (sub-clause 6.2), and actions

A strong system outlives individual personalities—it ensures the organization runs effectively on principles, not just people. What employees learn during their work life at the organization is captured as lessons learned and forms the organization’s corporate knowledge (sub-clause 7.1.6).

Continual improvement (sub-clause 10.3) is the antidote to complacency. Even good systems fail if they stop evolving. ISO’s process-based model ensures continual improvement through:

  • Audits and reviews that identify gaps and inefficiencies
  • Corrective actions that prevent recurrence
  • Performance metrics that inform decision making

Hope says, “Things will get better.” A good management system says, “Here’s how we’ll make them better—and how we’ll know it worked.”

Conclusion

My advice to leaders is to replace hope with a system. Every organization faces uncertainty, but those that succeed do not count on hope—they rely on structured management, clear processes, and evidence-based decisions. Leadership is responsible for maintaining customer focus (sub-clause 5.1.2), understanding customer requirements and associated risks, having thorough knowledge of their products, and carefully selecting vendors.

Uncertainty and hazards must not be passed to employees, users, or other stakeholders. Instead, they should be converted into manageable and low-impact risks. Those risks can then be addressed and/or converted into opportunities for improvement.

In an uncertain world, replacing hope with a system is a must. Hope may be emotionally comforting, but it is operationally dangerous. A good management system, based on ISO 9001’s process approach, gives structure to intention and reliability to performance. It enables organizations to anticipate risks, seize opportunities, and deliver consistent value. It creates confidence among customers, regulators, and employees that the organization is not merely hoping for success—it is planning, executing, and improving toward it.

The above article was recently featured in ‘The Auditor’, an Exemplar Global publication.

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Cost-Benefit Analysis: ROI of ISO 9001 Registration for U.S. Manufacturers

For some U.S. manufacturers, registration to ISO 9001 raises one question: “Is it worth the investment?” In other words, how can an organization maximize the benefits of ISO 9001 registration and convert them to a solid return on investment (ROI)?

Analyzing ROI

A consideration of costs and benefits must be included in an ROI analysis to allow manufacturers to make good decisions about ISO 9001 registration. Calculating the value of an effective quality management system (QMS) must include integrating quality and the overall management of the organization (as seen in clause 5.1.1 of ISO 9001). This would include the costs and payoffs that create the real ROI of ISO 9001 registration.

Mere compliance to the language of the standard is not enough; what is required is that ISO 9001 registration leads to competitive advantage. The intent for any manufacturer is to boost efficiency and revenue. In this new environment, where a considerable amount of manufacturing is being re-shored to the United States, ISO 9001 registration matters more than ever. Registration to ISO 9001 is worth it if it brings a clear ROI, such as cash in the bank in the form of cost savings or revenue increases. The answer lies in understanding the ROI that comes from building a strong QMS based on ISO 9001 or other relevant industry-specific standards such as AS9100, etc.

There is no free lunch. In other words, there are costs associated with ISO 9001 registration. Therefore, manufacturers should budget for:

  • Consulting and training. Staff must be prepared to align processes with the requirements of ISO 9001.
  • System development. This may include documenting procedures, implementing software, and updating workflows.
  • Certification audits. Certification bodies (CBs) require fees for initial certification and surveillance audits.
  • Time and resources. These may include employee hours spent on training, process improvements, and audits.

Costs vary depending on company size and can run from tens of thousands of dollars for small factories to much more for large, multi-site operations. The good news is that the benefits of working systematically using a process-based management system (as per clause 4.4.1 of ISO 9001) drive the ROI as the system implementation reduces waste and other production inefficiencies.

Although there can be significant upfront costs, the benefits of ISO 9001 registration often compound over time. These can include operational efficiency with streamlined processes which reduce waste, downtime, and rework, leading directly to lower production costs. Customer confidence and market access improve as the manufacturer consistently produces conforming products and services. Many U.S. manufacturers find ISO 9001 and/or relevant industry-specific standards to be a “ticket to entry” for bidding on contracts, especially in sectors such as automotive, aerospace, and military/defense.

Reducing Risk

Documented processes and corrective action systems reduce the likelihood of costly failures or recalls. Employee engagement improves, resulting in highly motivated teams working within clearly defined roles. Appropriate training oriented toward competency (as seen in clause 7.2 of ISO 9001) reduces errors and boosts productivity. Continual improvement is an added benefit of ISO 9001 as the implementation of the standard promotes a culture of ongoing improvement, helping companies stay competitive in fast-changing markets.

The ROI of ISO 9001 registration can be assessed by comparing costs against measurable gains such as:

  • Reduced scrap/rework = cost savings
  • Improved on-time delivery = fewer penalties and more repeat orders
  • Access to new markets/contracts = increased revenue
  • Enhanced reputation = long-term customer retention

Example: If a manufacturer spends $50,000 on registration but reduces rework costs by $80,000 and gains $200,000 in new contracts, the ROI is clear and compelling.

Then there is the real-world impact. Studies consistently show manufacturers that achieve ISO 9001 registration experience:

  • 5–15% cost savings from efficiency gains
  • Revenue growth due to market access
  • Improved customer satisfaction scores, leading to stronger long-term partnerships

Final Thoughts

Initially, ISO 9001 registration may seem like a simple expense. But when viewed as an investment, the ROI to be found in ISO 9001 registration becomes clear. It brings definite improvements in efficiency, stronger customer trust, and measurable financial gains. For U.S. manufacturers competing in global markets, the payoff often far outweighs the cost.

The above article was recently published in an Exemplar Global publication ‘The Auditor’.

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Building a Quality Culture: The Role of Leadership

When the leadership at a U.S. industrial plant makes the strategic decision to roll out certification to ISO 9001, their first instinct is often to focus on documentation, audits, and procedures. They start by looking for a consultant who often (for quick money) provides a template. That is the start of misery for an organization.

A Better Way To Begin

The “As-Is” of the management system should be the start of this process. What has been developed over the years should not be forgotten or lost! The truth is that no checklist or manual can build a true quality culture. The secret ingredient in implementing ISO 9001 is the involvement of leadership in developing the system. As per sub-clause 5.1 (“Leadership and commitment”), their total involvement and commitment is required, in addition to others who assist them in this role, as per sub-clause 5.3 (“Organizational roles, responsibilities and authorities”).

Why leaders can make or break ISO 9001 effectiveness is an important question, and taking positive action to do so is therefore a vital decision. Employees don’t take their cues from policies—they take them from people. If leaders treat ISO 9001 as “just another certification,” that’s exactly how the workforce will see it. On the other hand, when leadership is visible, engaged, and committed, quality stops being a buzzword and becomes a way of working. A system that has the support of leadership has the best chance to produce conforming products and services and also ensure continual improvement.

ISO 9001 makes this clear. Clause 5 (“Leadership”) puts accountability squarely onto the leadership. It’s not just the quality manager’s responsibility anymore—it’s a business-wide effort, and leaders must own it. It is leadership that matters in ISO 9001 and is an important aspect of the process.

Clause 5 emphasizes that leaders must:

  • Demonstrate commitment to the quality management system (QMS)
  • Align quality objectives with organizational strategy
  • Promote a culture of continual improvement

The View From The Shop Floor

In U.S. industrial plants, where efficiency and production targets often dominate discussions, leadership involvement ensures quality doesn’t get sidelined. Leaders act as role models, showing that meeting quality objectives is as important as meeting delivery deadlines.

When auditors look at the implementation of a management system standard like ISO 9001, they need to be able to clearly evidence what leadership involvement looks like in practice. There are numerous indicators, most of them based on ISO 9001 sub-clauses 5.1, 5.1.2 (“Customer focus”), 5.2 (“Policy”), 6.1 (“Actions to address risks and opportunities”), 6.2 (“Quality objectives and planning to achieve them”), and 10.3 (“Continual improvement”). To generalize these into simple language I would say these would include the following:

  • Setting the tone. A plant manager who opens every team meeting with a quality update shows that it matters as much as production numbers.
  • Walking the floor. Leaders who regularly join quality reviews or stop by the line to ask about issues send a strong signal of support.
  • Connecting quality to strategy. Instead of treating ISO 9001 as paperwork, leaders can frame it as a competitive edge, leading to fewer defects, happier customers, and stronger market position.
  • Celebrating wins. Recognizing teams for continuous improvement projects—no matter how small—builds momentum and pride.

Culture is caught, not taught. We can train employees on ISO 9001 requirements, but culture is shaped by what leaders actually do. Creating an environment of quality is a leadership accountability issue. When executives understand the value of nonconformities as the drivers of corrective action and improvement, follow procedures, welcome audits, and act on feedback, employees naturally mirror those behaviors. Over time, this creates a culture where quality isn’t “extra work”—it’s simply the way we work. It is then that the organization can go from a reactive to a proactive manufacturing entity.

The return on investment in ISO 9001 can be traced to sub-clause 6.2 and the achievement of specific quality improvement objectives. Industrial plants that embrace ISO 9001 leadership involvement don’t just pass audits. They see less rework, stronger customer trust, and a workforce that takes pride in doing things right the first time. In today’s competitive manufacturing landscape, that’s not just compliance—it’s survival.

Bringing It Forward

Five practical steps leaders can take to lead the industry may include the following:

  1. Communicating the vision. It is important to clearly articulate why ISO 9001 matters—not only for certification, but for customer trust, employee pride, and long-term competitiveness.
  2. Allocating resources. Quality initiatives fail when they’re underfunded. Leaders must ensure sufficient training, technology, and staffing to support ISO 9001 compliance. Where they cannot provide resources, they must assume the risk and adjust objectives.
  3. Engaging with the employees. This includes walking the floor, participating in quality meetings, and recognizing contributions. All of these actions reinforce that quality is everyone’s responsibility.
  4. Integrating quality into the organization’s strategy. Quality goals should not be separate from business goals. For example, reducing defects can be tied directly to cost savings and improved customer satisfaction.
  5. Leading by example. Leaders who adhere to procedures, value data-driven decisions, and embrace audits demonstrate that ISO 9001 is part of the plant’s DNA.

ISO 9001 isn’t a binder sitting on a shelf. It’s a leadership-driven culture shift, and when leaders lead the way, the entire plant follows. Just keeping the binder on the shelf is no good. It may get the organization a certificate but will not result in a positive return on investment.

Without leadership involvement, ISO 9001 may become the missing link in the success of U.S. industrial plants. Your involvement as leaders at every step of your organization matters more than checklists. You must drive the culture of change.

In concluding, I would opine that rolling out ISO 9001 in U.S. industrial plants requires more than technical checklists; it requires leadership. By committing to involvement in the implementation of ISO 9001, plant managers and executives can transform their organizations into quality-driven powerhouses that thrive in today’s competitive market.

The above article was recently published in “The Auditor” (an Exemplar Global publication).

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Keeping Your Management System ‘Ordinary’ in the Age of AI

We’re living in an era where every week seems to bring a new AI tool or software promising to “transform” your business. Predictive analytics, digital twins, algorithm-driven risk models; the buzzwords are endless. And while some of these advances do have their place, I argue that companies must not forget their basics. In a previous career as a mariner, as technology evolved and found its way onto ships, there was still some value to a simple visual bearing and the information it could give you.

Call me old-school, but I still believe in systems that are owned by people, not platforms. In fact, I’d argue that now more than ever, we need to protect the ordinariness of our management systems, because that’s where the real strength lies.

Don’t Mistake “Ordinary” for “Outdated”

I’ve worked on ships and in boardrooms, with multinationals and mom-and-pop shops. Across the board, the systems that work best are not the flashiest; they’re the ones that are understood, used, and respected. I’ve used fancy preventive/planned maintenance systems and then a simple Excel spreadsheet with macros built in. Perhaps surprisingly, the company using the ordinary Excel spreadsheet had better-maintained equipment.

An “ordinary” system means:

  • Everyone knows their roles and responsibilities.
  • Processes are documented clearly, not buried in folders.
  • Documentation is clear and concise.
  • Records are maintained and can be trusted.

You don’t need artificial intelligence to tell you your maintenance wasn’t done. You need a culture where someone owns the task, completes it, and checks the box honestly.

When the Tool Becomes the Boss

I’ve seen organizations spend small fortunes on digital platforms that promise complete “management system automation.” These platforms often come with dashboards no one reads, workflows no one updates (because they don’t know how to), and training modules people click through just to make them go away. (Let’s be honest, you know how effective your CBT programs are!)

Compare that to a simple 8D form built in Excel, yes, plain old Excel. When it’s used properly by a team that understands the process, it becomes a great tool for problem-solving. No licenses, no AI, no data scientists required.

If you’re curious, QMII’s Root Cause Analysis workshop teaches this practical approach. And it works because it’s rooted in thinking, not tech.

PDCA: Still the Smartest Loop in the Room

You don’t need AI to plan, do, check, and act. You need discipline. In a world full of reactive fixes and AI-generated insights, PDCA still calls on people to pause, observe, think, and improve. And frankly, we could all use more of that.

A well-run PDCA cycle doesn’t care whether your data comes from a sensor or a clipboard. What matters is how your team reflects, learns, and adjusts. If you want to sharpen that loop, QMII’s ISO 9001 Lead Auditor Training doesn’t just teach clauses. It teaches systems thinking, real auditing skills, and how to see the story behind the numbers.

Use AI? Sure. But Stay in the Driver’s Seat

I’m not against AI. Let me be clear on that. It’s a tool that, when used wisely, can absolutely support your management system. It can help you analyze patterns in data and generate reports that are helpful. But that’s exactly the point. AI is a tool, not the system itself, and certainly not the leader of it.

I’ve seen organizations fall into the trap of trusting algorithms more than their own people. They install AI to identify when personnel are not using PPE, to generate solutions based on data analysis and when errors occur. But no one stops to ask the most important questions: Does this make sense? Is this what’s really happening? Who validated this? Why did the person not use PPE?

The danger is that we start to mistake output for understanding. AI doesn’t know your organizational culture. It doesn’t know that one department always closes their nonconformities just to get them off the list. Only your team, using their judgment and grounded in your process reality, can make those distinctions.

If you’re going to use AI, integrate it into the PDCA cycle. Feed its outputs into your management review. Use it to inform, but not to dictate. And perhaps most importantly, teach your team to question it. Train them to ask, Where did this data come from? What assumptions are built into this model? What’s missing from the picture?

Own Your System. Keep It Ordinary.

There’s something refreshing about an audit checklist that an auditor actually helped write. Not an AI-generated one. That’s real ownership. That’s engagement.

Management systems aren’t meant to be high-tech puzzles. They’re meant to be frameworks that help people do their jobs better. They are not a compliance burden; they’re a strategic asset, but only when they belong to the people who use them.

So here’s my message in conclusion: Keep your system ordinary. And make it extraordinary in how well it’s embraced and used.


About the Author

This article was written by Dr. Julius, Senior Consultant at QMII. With over 25 years of experience in ISO and aerospace quality systems, Dr. Julius has trained and advised hundreds of U.S. defense contractors in aligning with AS9100 and DoD requirements. He specializes in turning certification into a competitive advantage for suppliers.

 

Domestic Passenger Vessel Accidents Are Preventable Using a Management System (Part Two)

In the first part of this two-part article, we began to consider the key commonality of accidents involving domestic vessels such as the Conception and the Spirit of Boston, namely, the absence of a fully functional management system. Here in part two, we will examine this in more depth from the perspective of the Plan-Do-Check-Act (PDCA) cycle.

Emphasizing a proactive safety culture and systematically addressing risks can greatly enhance safety in the domestic passenger vessel industry. By being vigilant and forward-thinking, companies can significantly reduce the likelihood of accidents and ensure the well-being of both crew and passengers. A comprehensive systems approach that prioritizes safety at all levels is essential for fostering a resilient maritime environment.

As a consultant with almost four decades of experience, I feel that my emphasis on fostering a proactive safety culture within the domestic passenger vessel industry is both timely and essential. The sector has historically witnessed incidents that stem not just from operational failures but from lapses in systematic risk management. The simple PDCA cycle makes risk appreciation essential and helps create a proactive management system. A proactive safety culture is not reactionary, but anticipatory. It is focused on identifying and mitigating risks before they evolve into incidents.

In domestic passenger operations, where crew and passengers coexist in dynamic and sometimes unpredictable environments, the safety culture must be leadership-driven, with management exemplifying and enforcing safety values. It must also be behavior-based, encouraging crew to speak up about near-misses or unsafe practices. An environment for quality, health, safety, and security must be built and maintained. The overall management system must be systems-supported, with procedures that make it easy to report, track, and correct hazards. A genuine safety culture is evident when every level of the organization—from executives to deckhands—considers safety an integral part of their responsibilities, not an afterthought.

Right at the start of the PDCA cycle, at the Plan stage, organizations must commit to identifying, evaluating, and mitigating risks. This is not just a best practice, but a requirement under clause 6.1 of ISO 9001:2015, which requires “… actions to address risks and opportunities.” It emphasizes understanding internal and external issues and planning actions accordingly to mitigate risk. In a similar vein, clause 8 of the ISM Code requires organizations to evaluate all identified risks to their ships, personnel, and the environment and establish appropriate safeguards. Failure to account for risks at this stage can cascade into the Do stage, with flawed procedures or untrained personnel resulting in increased chances of accidents.

In a systems approach it should be completely unacceptable to transfer uncertainty to the crew. Uncertainty in procedures, poorly defined emergency roles, or ambiguous hazard controls lead to hesitation and confusion during critical moments. The vessel crew should never be the first line of discovery for unanticipated risks. The shore-based organization must do the heavy lifting in identifying, documenting, and training for these risks. This principle aligns with clause 5 of the ISM Code, which mandates the establishment of safe practices in ship operations and a safe working environment.

Systemic safety as a shield against repetition must be created from lessons learnt. Clause 7.6 of ISO 9001 on knowledge is relevant and a requirement. As can be seen from various NTSB investigation reports, many vessel accidents share common causal factors: complacency, procedural lapses, miscommunication, or design flaws. These can be mitigated when a systems approach is employed linking technical systems, human factors, procedures, and training into one cohesive safety net. Lessons learned from past accidents are institutionalized not just in the safety management system (SMS) but in organizational memory and training routines.

Most importantly, risk appreciation must be the foundation of resilience. The ability to appreciate (not just assess) risk is what distinguishes a compliant company from a truly resilient one. Appreciating risk means embedding foresight into the organizational DNA, training teams to ask, “What if?” before a situation turns critical. This should holistically lead to and support the creation of maritime systems that do more than tick boxes—they save lives.

Applying the PDCA Cycle

Connecting these insights to the 2019 Conception tragedy not only reinforces the urgency of implementing a proactive safety culture but also illustrates precisely how systemic failures in risk appreciation, planning, and organizational accountability can lead to devastating outcomes.

As you will recall, the dive boat Conception caught fire while anchored off Santa Cruz Island, California. This resulted in the deaths of 34 people, which was the deadliest domestic maritime disaster in modern California history. The victims were asleep in a bunkroom below deck, and none of them survived. Only five crew members escaped. This tragedy was a catastrophic failure of planning, risk management, and safety culture.

The Conception disaster links clearly to a breakdown in the PDCA cycle, as follows:

  • Plan. Inadequate risk appreciation was a vital failure. There was no comprehensive risk assessment identifying the dangers of leaving charging lithium-ion batteries unattended overnight in a confined space. The lack of clearly marked and accessible escape routes was a known risk that was neither mitigated nor escalated. There was no SMS, nor was one legally required for that vessel. Still, a proactive operator would have voluntarily implemented one. As has been said, “Failing to plan is planning to fail,” and in this case, a lack of foresight into fire hazards, emergency egress, and nighttime watchkeeping was fatal.
  • Do. Lapses in implementation are apparent and have been pointed out in the NTSB report. A night watchman was required by regulation and the vessel’s certificate of inspection but was not on duty. The crew had no fire detection system below deck that could alert sleeping occupants of danger. Emergency drills and preparedness procedures were either nonexistent or insufficiently enforced.
  • Check. The investigators saw no monitoring or audit mechanisms. The vessel operator, Truth Aquatics, had no self-checking mechanism for compliance with watchkeeping requirements. There was no internal audit or reporting structure that caught repeated violations, such as skipping the night watch.
  • Act. This final stage of the PDCA cycle is intrinsically connected to leadership both ashore and at sea. However, there was almost a complete absence of any corrective action, despite past observations and near-miss warnings about battery charging risks and poor escape routes. The organization normalized deviation, operating under the illusion of safety through habit.

Failure to appreciate risk is a violation of ISO 9001 and ISM principles. The Conception incident demonstrates how not appreciating risk in the Plan stage—especially related to emerging threats like battery fires—can result in fatal vulnerabilities. Had a formal risk-based approach been followed, battery charging, watchkeeping, and egress issues would have been flagged and corrected.

Mitigating risks with an SMS

Although not mandated for this class of vessel, the absence of an SMS and risk-based approach violated the spirit of the ISM Code. Clause 8 calls for evaluating all risks and preparing for emergencies. The lack of a nighttime watch, poor escape design, and no contingency procedures represent failures in both design and culture.

The failure to appreciate hazards and risks by the organization on shore was passed to the crew and passengers, who paid for it with their lives. Passengers had no idea there was no overnight watch, a basic safety expectation. The crew was not empowered with procedures or tools to manage an emergency, placing them in an impossible position once the fire began. I therefore emphasize “companies cannot pass uncertainty to those on board.” The burden of risk must be identified, mitigated, and managed ashore, before the ship even leaves port. All that was required was a proper management system, resourced and implemented effectively and efficiently.

By not having an SMS, organizations are ensuring that there is no safety net in case the worst occurs! A comprehensive, systems-based approach could have identified the risk of charging batteries and flammable materials in confined quarters and ensured continuous watchkeeping practices were in place. The SMS would have mandated drills, escape route evaluations, and fire detection systems. Simple internal audits might have given management the inputs needed to ensure continual improvement and to plan a system that ensures compliance. This would have embodied the PDCA cycle, where each stage feeds the next with learning, foresight, and action.

Conclusion

My final thought on lessons written in loss and tragedy is that having a system is the least those charged with entertaining people can do to guarantee that lives are not lost. The Conception tragedy in particular is a grim testament to what happens when safety is assumed rather than engineered. The call for a systems approach rooted in proactive risk appreciation is exactly the kind of thinking needed to prevent another such disaster.

My argument for the mandated or voluntary adoption of an SMS in the domestic passenger vessel sector draws on evidence from NTSB investigations and international best practices. Domestic passenger vessels, though subject to U.S. Coast Guard inspection regimes, are often not required to implement a formal SMS. This omission has led to repeated safety lapses where identifiable risks were not systematically mitigated. As we have seen, the consequences of such lapses can often be fatal.

It is time for the overall national policy to encourage the U.S. Coast Guard to extend SMS requirements to large domestic passenger vessels and establish tiered SMS models scalable by vessel type and operation. To the industry czars, my recommendations are to encourage industry bodies to provide incentives and recognition for SMS adopters and to promote voluntary adoption through education and resource support. To the organizations and companies operating in domestic U.S. waters, I suggest these company-level actions:

  • Begin voluntary SMS implementation aligned with ISO or ISM principles.
  • Train personnel in the PDCA methodology.
  • Perform internal audits and hazard reviews regularly.

The tragedy of the Conception and the other incidents we have discussed reveal that compliance alone does not ensure safety. Only a structured, systems-based approach can prevent recurrence. It is time for the domestic passenger vessel industry to adopt SMS—not only as a regulatory checkbox but as a foundational safety ethos.

Note – The above article (Part 2) was recently published in an Exemplar Global publication – ‘The Auditor’


About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Domestic Passenger Vessel Accidents Are Preventable Using a Management System (Part One)

Think of any accident, mishap, or tragedy involving a passenger vessel through history (or in recent times) and then look at the post-event investigation report. If you do this, you will find one shortcoming common to these tragedies: a poor appreciation of risk and the practical nonexistence of a management system. Occasionally, in slightly less disastrous events, you may see the existence of a system, but it is usually poorly implemented.

This two-part article considers the domestic passenger vessel industry in the United States, where there have been several tragedies. I hope (although hope is not a plan) that this work will inspire the industry to look at the proper implementation of management systems. In trying to narrow the discussion, we will analyze and learn lessons from the 2019 sinking of the Conception and to a limited extent the 2023 fire aboard the Spirit of Boston cruise ship. I will mention a few other incidents as well to make the connection and bring out the failure of the various systems that broke down.

A systems-based approach in analyzing accidents in the domestic U.S. passenger vessel industry involves looking at the various components and process interactions that could potentially lead to incidents. This can include factors such as crew training, vessel design, regulatory compliance, maintenance practices, and emergency preparedness. However, the major factor is usually the absence of a management system (or a badly designed and/or poorly implemented one). This is a tragedy in the making.

I am studying these accidents to demonstrate how a systems approach could have helped prevent many of these mishaps. The reluctance to implement an effective management system pains me, not to mention primary investigation agencies like the National Transportation Safety Board (NTSB), the United States Coast Guard (USCG), and other responsible bodies.

Note that I am not discussing technical processes here. Yes, those often fall short of the mark as well, but the bigger issue is the failure to apply simple systematic thinking based on existing management system standards. This reluctance to work systematically surprises me. I’ve recently expressed my views on the Baltimore Bridge collapse, the implosion of the Titan submersible, the collision between an American Airlines flight and a military helicopter over the Potomac, and the Boeing 737 Max inspection failures. In all cases, I cannot understand why a simple, cost-effective action such as properly implementing a management system should be such a critical weakness within so many different organizations. It is a leadership flaw, for (as W. Edwards Deming said) “A bad system will let down a good person every time!”

Titanic and Herald of Free Enterprise

When discussing this topic, many will think back to the Titanic tragedy, which goes back more than 100 years. This is perhaps the most well-known sinking of all time, so I will not rehash the details, which are easily available online. However, I do want to mention that events like the sinking of the Titanic create the ultimate push—it caused a reaction and, ultimately, the creation of a workable system to help save lives and the vessels themselves. Depending on owners, operators, and masters to use their judgment and do the right thing at the time of crisis was no longer enough. What the Titanic demonstrated was that the industry needed enforceable regulations and requirements. The result was the Safety of Life at Sea (SOLAS) Convention, which formalized a systematic approach to safety.

Before studying incidents occurring in U.S. domestic waters, I also want to mention the tragedy of the Herald of Free Enterprise, which occurred on March 6, 1987, at Zeebrugge, Belgium. The Herald of Free Enterprise was a roll-on/roll-off ferry owned by the Townsend Thoresen company. On that day, the ship capsized shortly after leaving port and 193 people lost their lives. It had departed with its bow doors open, allowing seawater to flood the car deck. Within minutes, the ship was lying on its side in shallow water.

The tragedy exposed severe deficiencies in the company’s safety culture and operational practices. Justice Barry Sheen was appointed to head the official inquiry into the disaster. His report, published in October 1987, was scathing and unprecedented in its criticism of the ferry operator, management, and the broader safety practices in the maritime industry. Justice Sheen’s report identified a “… disease of sloppiness and negligence at every level of the hierarchy.” This became one of the most quoted phrases from the report. Sheen emphasized that the disaster was not due to a single act of negligence but rather a “… catalogue of failures…” including the failure to ensure the bow doors were closed, poor communication between crew and bridge, inadequate safety procedures, and the absence of proper checks before sailing.

The report placed heavy blame on the senior management, asserting that safety was not a high priority for the company. It also noted that management failed to implement procedures that could have prevented such a tragedy.

It is indeed shocking and surprising that even today, decades later, investigation reports are still pointing out these same drawbacks. Lessons learned seem to be forgotten. I particularly wanted to focus on this incident because Justice Sheen’s report was a turning point in maritime safety regulation. It directly influenced the creation of the ISM Code under the International Maritime Organization (IMO), which mandated formal safety procedures and accountability in international shipping operations.

Conception

The Conception was a dive boat that caught fire off the coast of California, resulting in the deaths of 34 people in 2019.

Investigations into this disaster revealed several deficiencies, including inadequate fire safety procedures, lack of a proper emergency escape route, and insufficient crew training. There were also issues related to the vessel’s sleeping arrangements, where most of the passengers were asleep below deck at the time of the fire.

A systems approach would emphasize the need for comprehensive safety protocols, regular training for crew members, proper vessel design for evacuation, and effective regulatory oversight to ensure the robust implementation of safety measures.

Spirit of Boston

This incident involved a fire that broke out on the dining cruise ship Spirit of Boston while docked in 2022.

The fire was linked to a potential electrical malfunction, but it highlighted issues related to maintenance practices and emergency response protocols.

By applying a systems approach, stakeholders could focus on root cause analysis, looking into how maintenance schedules, crew training, and emergency responses are integrated and managed.

Overall recommendations for the systems approach

There are several important elements to consider in favor of the systems approach, as follows:

  • Interdisciplinary collaboration. Promoting collaboration among various stakeholders, including regulatory bodies, ship management companies, and safety experts, to share information and best practices
  • Root cause analysis. Encouraging investigations that go beyond the immediate causes of accidents to identify systemic failures that could contribute to unsafe conditions
  • Regular training and drills. Implementing continuous training and emergency drills for crew members to ensure readiness and competence and to enhance situational awareness
  • Maintenance and safety protocols. Establishing stringent protocols for vessel maintenance and safety checks, with thorough documentation and compliance checks
  • Regulatory oversight. Advocating for robust regulatory frameworks that require adherence to safety standards and proactive risk management strategies
  • Cultural change. Fostering a safety-first culture within organizations that prioritize safety above operational pressures

We can see in these two recent incidents that, as with the case of the Herald of Free Enterprise, a systems approach enables a comprehensive understanding of the complexities involved in maritime operations, leading to better prevention measures and enhanced safety outcomes in the passenger vessel industry.

Other examples

Over the years, the NTSB has investigated numerous accidents involving passenger vessels. A few notable examples follow:

  • Estonia. Although this accident occurred in European waters, its implications affected international passenger shipping, including practices adopted in the United States. The Estonia sank in the Baltic Sea in 1994, resulting in the deaths of 852 people. The investigation revealed that the key issues were related to vessel design, including hull integrity and cargo securing. This incident led to enhanced safety regulations regarding passenger vessel construction and operational safety protocols.
  • Andrew J. McHugh. This collision involving the ferry Andrew J. McHugh and another vessel occurred in the narrow Houston Ship Channel, leading to the deaths of 17 passengers in 1980. The key factors included poor visibility, navigational errors, and inadequate communication between vessels. Subsequent recommendations from the NTSB aimed at improving navigational practices and vessel traffic control in critical areas.
  • Benson. The Benson, a tour boat in New York, capsized during a sudden storm. A total of 10 people died in this 2000 incident. The investigation pointed out questionable weather assessment practices and inadequate safety measures for handling sudden weather changes. The NTSB recommended better training for crew members regarding weather evaluation and emergency response.
  • Dawn Princess. A fire aboard this cruise ship in the South Pacific led to emergency evacuations in 2003. Although there were no fatalities, more than 150 passengers were affected. The fire was linked to flaws in electrical systems. The NTSB emphasized improved fire safety systems and crew training on firefighting and evacuation protocols.
  • Emotion. This fishing vessel capsized near Alaska in 2010, resulting in several fatalities. The investigation pointed out structural problems and issues with the vessel’s stability while loaded. Recommendations focused on vessel stability assessments and the importance of adherence to safety regulations during fishing operations.
  • Explorer. In 2007, the Explorer ran aground off the coast of the Antarctic Peninsula, leading to evacuations. All passengers were saved, but the incident raised alarms about navigational practices and inappropriate response to weather changes. The NTSB highlighted the need for enhanced navigational training and real-time communication.

For each of these incidents, a systems approach would involve comprehensive training programs for crew related to emergency preparedness, rigorous maintenance and operational checks, research and implementation of advanced technologies for navigation and safety, and collaboration among regulatory bodies to create uniform safety standards that encompass all aspects of vessel operation. These historical examples underscore the importance of a proactive stance on maritime safety, highlighting that every component of the system must work together to prevent accidents and improve safety outcomes in the passenger vessel industry.

A poor approach that fails to be proactive can significantly contribute to accidents such as these. When risks are not systematically identified and appreciated, several detrimental consequences can arise. Without a systematic approach to risk assessment, potential hazards may go unnoticed, increasing the likelihood of incidents. Vessels may not be adequately equipped to handle specific risks, such as extreme weather or equipment failures. There is a requirement for safety protocols, adequate training, and improvement of communications.

On the other hand, a reactive approach undermines effective communication within the organization and between vessels. Without established systems for reporting and discussing risks, lessons learned from previous incidents may be ignored.

The other factors are regulatory compliance lapses. In the absence of a proactive culture, vessels may not adhere to regulatory requirements consistently or may develop a compliance mindset that prioritizes minimum standards over comprehensive safety practices. Neglecting lessons learned from past incidents is another flaw. A failure to learn from past accidents can lead to repetitive mistakes. If organizations do not analyze historical incidents and implement changes based on those insights, they risk encountering similar situations again and again.

In the second part of this article, we will discuss the importance of using the Plan-Do-Check-Act cycle in embracing a safety management system.

Note – The above article was recently published in an Exemplar Global publication – ‘The Auditor’

What Is Risk-Based Thinking in ISO Standards?

Over the past two decades of working closely with clients in both the manufacturing and service sectors, I’ve witnessed firsthand the transformation that occurs when organizations stop treating compliance as a checklist exercise and start thinking in terms of risk and opportunity. With the 2015 revisions to many ISO standards, particularly ISO 9001, we saw a deliberate shift away from siloed “preventive actions” toward an integrated, strategic approach known as Risk-Based Thinking (RBT). 

This wasn’t just a semantic change. It marked a cultural evolution, an acknowledgment that uncertainty is inherent in every business process, and that success belongs to those who plan for it, not those who simply react to it. RBT has empowered organizations to navigate complexity with greater confidence, embedding foresight into their planning and decision-making at all levels. 

In this article, I’ll draw from real-world consulting experiences across diverse industries to demystify Risk-Based Thinking. We’ll explore what it really means, why it matters, how it supports proactive leadership, and what tools you can use to bring it to life within your own management system. Whether you’re guiding a mature enterprise or a fast-scaling startup, the principles of RBT are not only practical, but they’re also essential.

What Is Risk-Based Thinking (RBT)?

Risk-Based Thinking (RBT) is the proactive approach embedded in ISO standards like ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018. Rather than treating risk as a separate component, RBT integrates it into every facet of an organization’s management system. This shift moves organizations from a reactive stance to a proactive culture, where potential issues are anticipated and addressed before they escalate. 

In my consulting journey, I’ve observed that organizations embracing RBT don’t just prevent problems, they identify opportunities for improvement and innovation. For instance, a manufacturing client leveraged RBT to streamline their supply chain, resulting in reduced lead times and increased customer satisfaction.

How Risk-Based Thinking Supports Proactive Decision-Making:

  • Identifying Potential Risks and Opportunities: By assessing both internal and external factors, organizations can foresee strategic and operational challenges and capitalize on opportunities. 
  • Integrating Risk Assessment into Planning: This ensures that objectives are achievable, and resources are allocated effectively. 
  • Enhancing Stakeholder Confidence: Demonstrating a proactive approach to risk management builds trust among customers, suppliers, and regulators.

A service industry client I worked with implemented RBT in their project management processes. This led to improved project delivery times and a significant reduction in unforeseen issues.

Key Objectives of Risk-Based Thinking:

The primary goals of RBT include: 

  • Enhancing Organizational Resilience: By anticipating potential disruptions, organizations can develop contingency plans. 
  • Promoting Continuous Improvement: Regular risk assessments lead to ongoing enhancements in processes and systems. 
  • Aligning Risk Management with Strategic Objectives: Ensuring that risk considerations are integral to achieving business goals. Read clause 6.1 in connection with clauses 4.1 and 4.2 per the ISO harmonized structure.
  • Fostering a Culture of Risk Awareness: Encouraging employees at all levels to consider risk in their daily activities. Clause 7.3 drives awareness to employees on how they can contribute to the system.

Practical Application of Risk-Based Thinking:

Implementing RBT involves: 

  1. Contextual Analysis: Understanding the organization’s internal and external environment. 
  2. Risk Identification: Recognizing potential events that could impact objectives. 
  3. Risk Assessment: Evaluating the likelihood and impact of identified risks. 
  4. Risk Treatment: Determining appropriate actions to mitigate or capitalize on risks. 
  5. Monitoring and Review: Continuously tracking risk factors and adjusting strategies accordingly.

Comparison: Preventive Action (Old) vs. RBT (New):

Previously, ISO standards emphasized preventive actions as separate clauses. However, this often led to a checkbox mentality, where organizations implemented measures without truly integrating them into their processes. 

With RBT: 

  • Integration: Risk considerations are embedded throughout the management system. 
  • Proactivity: Organizations anticipate and address potential issues before they occur. 
  • Flexibility: RBT allows for tailored approaches based on the organization’s specific context. 

This evolution encourages a more dynamic and effective approach to risk management. 

Tools & Techniques to Support Risk-Based Thinking:

1. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats) 

Use: SWOT analysis helps organizations evaluate their internal strengths and weaknesses, alongside external opportunities and threats. It’s particularly useful during strategic planning sessions or when entering new markets or launching new products. 

When to Use: Early in the business planning process or during the review of the organization’s context. 

Clause Alignment: ISO 9001:2015 – Clause 4.1 (Understanding the organization and its context) and Clause 6.1 (Actions to address risks and opportunities). This tool ensures that strategy and quality objectives are grounded in a realistic assessment of the internal and external environment. 

2. Failure Mode and Effects Analysis (FMEA) 

Use: FMEA systematically evaluates potential failure points in a product, process, or system and ranks them by severity, occurrence, and detection. It’s widely used in manufacturing, healthcare, and aerospace sectors. 

When to Use: During product design, process development, or when implementing changes that could introduce new risks. 

Clause Alignment: ISO 9001:2015 – Clause 8.3 (Design and development of products and services) and Clause 6.1 and 8.1. It supports risk-based planning and preventive strategies by analyzing “what could go wrong” and mitigating those risks before implementation. 

3. Risk Registers 

Use: A risk register is a living document that captures identified risks, assesses their likelihood and impact, and outlines mitigation actions and responsible parties. It provides transparency and traceability for risk management activities. 

When to Use: Continuously throughout project lifecycles or operational management, especially in industries like construction, logistics, or IT. 

Clause Alignment: ISO 9001:2015 – Clause 6.1 and Clause 9.1 (Monitoring, measurement, analysis and evaluation). It helps document ongoing risk review processes and links actions to strategic and operational plans. While a risk register is not a requirement, it is beneficial.

4. Root Cause Analysis (RCA) 

Use: RCA investigates underlying causes of nonconformities, defects, or failures to prevent recurrence rather than just treating symptoms. It’s a staple in corrective action processes. 

When to Use: After incidents, near misses, or nonconformities—often triggered by audit findings or customer complaints. 

Clause Alignment: ISO 9001:2015 – Clause 10.2 (Nonconformity and corrective action). It supports continual improvement by ensuring lessons are learned and corrective actions address the source of problems. 

5. ISO/IEC 31010 – Risk Assessment Techniques 

Use: This standard outlines a variety of risk assessment tools including brainstorming, checklists, fault tree analysis, and bowtie analysis. It offers structured approaches tailored to industry-specific needs. 

When to Use: Depending on organizational maturity, criticality of operations, or regulatory environment. 

Clause Alignment: Supports ISO 9001:2015 – Clause 6.1, as well as clauses in ISO 14001 and ISO 45001 related to risk and opportunity planning. This framework provides flexibility for choosing appropriate methods suited to specific organizational risks. 

These tools, when chosen and applied correctly, don’t just satisfy audit checklists, they cultivate a culture of resilience and foresight. Over the years, I’ve seen organizations evolve by not just using these techniques mechanically, but integrating them into daily decision-making, making risk-based thinking a true operational philosophy rather than a compliance exercise. 

About the Author

Dr. Julius is a Senior Consultant at QMII with over 25 years of experience in ISO and aerospace quality systems. He has trained and guided hundreds of U.S. defense contractors on AS9100 and compliance, turning certification into a competitive advantage.

Internal vs External Audits: What Every Business Owner Should Know

The Strategic Importance of Audits for Business Owners

Audits are more than compliance checks; they are strategic tools that provide insights into performance, risk, and improvement opportunities. Engaged business leaders use audit results to drive better decision-making and long-term success. When conducted well, audits give leadership insight into where they may have to re-prioritize or allocate resources, where policies may be in conflict, what may be working well, and where the system needs their leadership intervention.

What Are Internal and External Audits?

Internal Audits: Performed by or for the organization to check its own processes. These may be process audits or full system audits.

External Audits: These could be supplier audits (second party) or certification or regulatory audits (third party). Third-party audits are conducted by a third party or certification body to verify compliance with standards.

Internal and external audits differ in breadth and depth of the audit based on scope and objective.


Why External Audits Should Be Taken Seriously?

External audits affect certification, reputation, and client confidence. A successful external audit demonstrates credibility and reliability.

Tip: Be prepared, be honest, and see auditors as partners in your improvement journey.

How to Prepare for Both Audits?

  • Keep documentation current
  • Review and close previous findings
  • Train staff on audit processes
  • Conduct mock audits
  • Engage leadership in the audit process

Conclusion:

ISO audits and their findings are not to be feared. They are valuable tools for identifying weaknesses and driving continuous improvement. With the right mindset and preparation, audits can move beyond mere compliance and become a core part of your strategic growth. Organizations that stay audit-ready show that they are not only compliant but also committed to excellence.

Top 10 Common ISO Audit Findings and How to Avoid Them

Importance of Being Audit-Ready:

Audits serve a critical role in verifying that an organization’s processes are aligned with established standards and functioning as intended. Far from being a punitive exercise, audits offer valuable insight into the strengths and weaknesses of a management system.

In my three decades of working with organizations across industries, one universal truth remains. An audit is not a surprise inspection, it’s a mirror. It reflects your organization’s systems, leadership engagement, and cultural commitment to quality and improvement. 

However, many organizations approach audits reactively, preparing only when one is imminent. This mindset often leads to unnecessary stress, inefficiencies, and missed opportunities for improvement. Being audit-ready means that compliance and performance monitoring are built into everyday operations, not treated as one-time events.

When an organization maintains a state of readiness, it reflects a culture of discipline, transparency, and continual improvement. Employees are aware of their responsibilities and of their processes, documentation is up-to-date, and leadership is engaged in the oversight of the system. This proactive approach not only supports successful audit outcomes but also enhances organizational resilience, stakeholder trust, and long-term sustainability.

Understanding ISO Audit Findings: What They Are and Why They Matter:

ISO audit findings are the documented results of an audit. Specifically, they identify areas where an organization’s management system either conforms to or deviates from the requirements of the ISO standard being audited. Findings can range from conformities, to observations (areas for potential improvement), to nonconformities, which indicate a failure to meet a specific requirement.

Audit findings are like diagnostic tools. Much like a physician’s report, they highlight where systems are healthy and where they need attention. Nonconformities, in particular, require careful attention. They are typically classified as minor or major. Left unaddressed, even minor nonconformities can escalate and lead to reputational damage, customer dissatisfaction, or even loss of certification.
In essence, audit findings are not setbacks; they are stepping stones toward improvement.

1. Poor Document Control

Uncontrolled, outdated, or missing documents can quickly lead to findings. Document control is critical for ensuring staff use the correct and current information. Organizations can avoid this ISO Audit finding by implementing version control, limiting access to documentation, voiding printed copies of documentation, training employees on document management, and regularly reviewing and updating procedures.

2. Incomplete or Missing Records

Auditors expect to see evidence that procedures are being followed. If records are absent, it creates doubt about system effectiveness. Was the work really done? Further, incomplete records cannot show whether a process step was followed as required by the procedure.

Organizations can avoid this ISO Audit finding by automating recordkeeping, performing regular record audits, building employee awareness, and assigning clear ownership for maintaining records.

3. Lack of Management Review

Without regular management reviews, there’s no top-level oversight of the system’s performance and alignment with strategic goals. Clause 9.3 of the ISO standards requires these reviews to be done at planned intervals. In some cases, the organization can show evidence of the inputs provided to management, but the outputs (decisions and actions) are not recorded.

Organizations can avoid this ISO Audit finding by scheduling periodic reviews, using metrics to guide discussions, making sure the leadership participates and documenting decisions and follow-up actions.

4. Ineffective Internal Audits

Weak internal audits fail to uncover problems and leave issues for external auditors to find. This could be caused by poorly trained and qualified auditors, poor audit planning, the use of ‘canned’ checklists, and a fear of audits and nonconformities that causes personnel to hide issues.

Organizations can avoid this ISO Audit finding by having auditors trained by recognized training providers like QMII, auditing processes and not just documents, and closing out internal audit findings promptly.

5. Unclear Roles and Responsibilities

When staff are unsure of their responsibilities, process gaps and accountability issues arise. In companies I have worked with, confusion sometimes arises because it is not clear which operator will conduct a task, since all have the same job description.

Organizations can avoid this ISO Audit finding by defining roles and responsibilities in a RACI matrix or in the documented procedure, communicating changes clearly and verifying understanding during onboarding and training.

6. Non-Conformance Not Properly Addressed

Failure to analyze root causes or verify corrective actions can lead to repeat findings. A common cause may be a poorly written nonconformity, as well as a lack of structured root cause analysis training.

Organizations can avoid this ISO Audit finding by following a structured corrective action process, using tools like 5 Whys or Fishbone diagrams, and reviewing the effectiveness of corrections.

7. Lack of Risk-Based Thinking

ISO standards expect organizations to identify and manage risks proactively. Many still rely too heavily on reactive approaches. In some cases, risks are known, but are not passed up the chain because no structure exists for this to occur. Organizations can avoid this ISO Audit finding by including risk assessments in the planning phase, training staff on risk identification and maintaining a risk register that is updated on a regular basis. 

8. Insufficient Training or Competence

Staff who aren’t trained properly or lack required skills pose a compliance risk. Organizations can avoid this ISO Audit finding by developing and using a skills matrix, providing refresher training, and linking training to performance reviews. Once the training is complete, organizations must have a process to verify that training resulted in competence.

9. Failure to Meet Customer or Regulatory Requirements

Not understanding or failing to meet these requirements can lead to major nonconformities. This occurs when organizations do not have a robust process for determining new requirements that may impact them and planning ahead to mitigate the risks. 

Organizations can avoid this ISO Audit finding by reviewing customer contracts and regulations, staying updated on evolving regulations, conducting compliance checks and keeping requirements visible to relevant teams.

10. Lack of Continual Improvement Evidence

Without records of improvement, your ISO system can appear stagnant and ineffective. Organizations can demonstrate to auditors that they meet the intent of continual improvement by trending and tracking KPIs, logging and reviewing improvement initiatives, and recognizing and rewarding improvements.


How to Retain Auditor Training Knowledge When You Can’t Apply It Immediately 

Completing an auditor training course is an exciting milestone. You walk away with frameworks, methodologies to create checklists, audit question techniques, and, if you’re like most professionals, a head buzzing with new knowledge. Ideally, you’d jump right into an audit and apply your skills, reinforcing what you’ve learned while it’s still fresh. But what if that opportunity doesn’t come right away?

At QMII, we recognize this common challenge among our alumni. Let’s explore effective strategies to bridge the gap between training and practice—so that knowledge doesn’t fade but instead becomes a solid foundation for your future audit work. 

1. Simulate Real-World Scenarios 

Action: Design mock audits for yourself or with peers. 

Even without access to an organization’s system, you can simulate an audit process by reviewing publicly available quality manuals, environmental reports, or sample procedures, including your own. Pretend you’re preparing for an audit: write an audit plan, create checklists, list the additional documentation you would request, and practice conducting document reviews.

Tip: Use scenarios from your training or past experience and ask yourself: 

  • What would I ask as an auditor? 
  • What evidence would I seek? 
  • What risks could be present? 

2. Start a Learning Journal 

Action: Reflect on key concepts, standards clauses, and audit techniques by writing them down in your own words. 

Journaling isn’t just for reflection; it’s a brain-anchoring technique. When you write out what you remember and how you would apply it, you’re reinforcing neural pathways tied to that knowledge.

Include: 

  • Summaries of ISO clause requirements. 
  • How you would handle nonconformities. 
  • Sample nonconformities from within your organization, with your written assessment of them and of the effectiveness of the corrective actions.

3. Teach Others What You Learned 

Action: Participate in knowledge-sharing sessions. 

There’s no better way to solidify your understanding than teaching others. Reach out to other auditors in your organization and discuss the applicability and interpretation of a clause. Participate in and contribute to discussions on LinkedIn forums. Search the web for interpretations of clauses and compare how different people read them.

Bonus: You’re also building your credibility and visibility as an auditor. 

4. Stay Active in the QMII Alumni Network 

Action: Engage with blog articles, LinkedIn posts, ask questions, and share insights. 

QMII’s alumni network offers a treasure trove of experience. Staying engaged keeps you in the loop on best practices and might even lead to mentoring or shadowing opportunities. React to blogs written by QMII, contribute articles to the QMII blog, comment on QMII posts, and connect with QMII alumni.

Don’t hesitate to: 

  • Ask others how they’re maintaining their skills. 
  • Request mock audit partnerships. 
  • Share resources and templates you’ve created. 

5. Continue the Learning Loop 

Action: Sign up for webinars, read audit case studies, and revisit your course materials regularly. 

Audit skills are built not just on knowledge, but on judgment, observation, and communication. You can sharpen these even while waiting for your first official audit assignment. 

Suggested activities:

  • Attend QMII webinars or ISO updates. 
  • Subscribe to quality-focused newsletters. 
  • Read ISO audit case studies and identify what went wrong—and why. 

6. Request to Observe Internal Audits 

Action: If you’re part of an organization, ask to shadow an experienced auditor. 

Even if you’re not leading, observing an audit helps you internalize the structure, flow, and behavioral nuances of auditing. Jot down observations on auditor behavior, techniques, and interaction styles. Create your own checklist and then compare it to the one prepared by the lead auditor. Discuss the differences after the audit.

If your organization doesn’t have an active program, this is a great opportunity to propose starting one—a value-added initiative from a proactive auditor-in-training. 

Final Thoughts: Don’t Let the Gap Become a Gully 

Skills fade when left idle, but they flourish with even light engagement. Whether it’s through simulation, teaching, journaling, or community interaction, there are numerous ways to keep your audit knowledge sharp and ready. 

At QMII, we believe that continual improvement isn’t just for organizations; it’s a personal practice. Stay connected, stay curious, and keep that audit mindset active until your next assignment arrives.

Have your own tips for retaining training knowledge? 
Join the conversation by commenting on this blog or drop us a line. We’d love to feature your story!
