Domestic Passenger Vessel Accidents Are Preventable Using a Management System (Part One)

Dr. IJ Arora:

Think of any accident, mishap, or tragedy involving a passenger vessel through history (or in recent times) and then look at the post-event investigation report. If you do this, you will find one shortcoming common to these tragedies: a poor appreciation of risk and the practical nonexistence of a management system. Occasionally, in slightly less disastrous events, you may see the existence of a system, but it is usually poorly implemented.

This two-part article considers the domestic passenger vessel industry in the United States, where there have been several tragedies. I hope (although hope is not a plan) that this work will inspire the industry to look at the proper implementation of management systems. In trying to narrow the discussion, we will analyze and learn lessons from the 2019 sinking of the Conception and to a limited extent the 2023 fire aboard the Spirit of Boston cruise ship. I will mention a few other incidents as well to make the connection and bring out the failure of the various systems that broke down.

A systems-based approach in analyzing accidents in the domestic U.S. passenger vessel industry involves looking at the various components and process interactions that could potentially lead to incidents. This can include factors such as crew training, vessel design, regulatory compliance, maintenance practices, and emergency preparedness. However, the major factor is usually the absence of a management system (or a badly designed and/or poorly implemented one). This is a tragedy in the making.

I am studying these accidents to demonstrate how a systems approach could have helped prevent many of these mishaps. The reluctance to implement an effective management system pains me, not to mention primary investigation agencies like the National Transportation Safety Board (NTSB), the United States Coast Guard (USCG), and other responsible bodies.

Note that I am not discussing technical processes here. Yes, those often fall short of the mark as well, but the bigger issue is the failure to apply simple systematic thinking based on existing management system standards. This reluctance to work systematically surprises me. I’ve recently expressed my views on the Baltimore Bridge collapse, the implosion of the Titan submersible, the collision between an American Airlines flight and a military helicopter over the Potomac, and the Boeing 737 Max inspection failures. In all cases, I cannot understand why a simple, cost-effective action such as properly implementing a management system should be such a critical weakness within so many different organizations. It is a leadership flaw, for (as W. Edwards Deming said) “A bad system will let down a good person every time!”

Titanic and Herald of Free Enterprise

When discussing this topic, many will think back to the Titanic tragedy, which goes back more than 100 years. This is of course perhaps the most well-known sinking of all time, so I will not rehash the details, which are easily available online. However, I do want to mention that events like the sinking of the Titanic create the ultimate push: it caused a reaction and, ultimately, the creation of a workable system to help save lives and the vessels themselves. Depending on owners, operators, and masters to use their judgment and do the right thing at the time of crisis was no longer enough. What the Titanic demonstrated was that the industry needed enforceable regulations and requirements. The result was the Safety of Life at Sea (SOLAS) Convention, which formalized a systematic approach to safety.

Before studying incidents occurring in U.S. domestic waters, I also want to mention the tragedy of the Herald of Free Enterprise, which occurred on March 6, 1987, at Zeebrugge, Belgium. The Herald of Free Enterprise was a roll-on/roll-off ferry owned by the Townsend Thoresen company. On that day, the ship capsized shortly after leaving port and 193 people lost their lives. It had departed with its bow doors open, allowing seawater to flood the car deck. Within minutes, the ship was lying on its side in shallow water.

The tragedy exposed severe deficiencies in the company’s safety culture and operational practices. Justice Barry Sheen was appointed to head the official inquiry into the disaster. His report, published in October 1987, was scathing and unprecedented in its criticism of the ferry operator, management, and the broader safety practices in the maritime industry. Justice Sheen’s report identified a “… disease of sloppiness and negligence at every level of the hierarchy.” This became one of the most quoted phrases from the report. Sheen emphasized that the disaster was not due to a single act of negligence but rather a “… catalogue of failures…” including the failure to ensure the bow doors were closed, poor communication between crew and bridge, inadequate safety procedures, and the absence of proper checks before sailing.

The report placed heavy blame on the senior management, asserting that safety was not a high priority for the company. It also noted that management failed to implement procedures that could have prevented such a tragedy.

It is indeed shocking and surprising that even today, decades later, investigation reports are still pointing out these same drawbacks. Lessons learned seem to be forgotten. I particularly wanted to focus on this incident because Justice Sheen’s report was a turning point in maritime safety regulation. It directly influenced the creation of the ISM Code under the International Maritime Organization (IMO), which mandated formal safety procedures and accountability in international shipping operations.

Conception

The Conception was a dive boat that caught fire off the coast of California, resulting in the deaths of 34 people in 2019.

Investigations into this disaster revealed several deficiencies, including inadequate fire safety procedures, lack of a proper emergency escape route, and insufficient crew training. There were also issues related to the vessel’s sleeping arrangements, where most of the passengers were asleep below deck at the time of the fire.

A systems approach would emphasize the need for comprehensive safety protocols, regular training for crew members, proper vessel design for evacuation, and effective regulatory oversight to ensure the robust implementation of safety measures.

Spirit of Boston

This incident involved a fire that broke out on the dining cruise ship Spirit of Boston while docked in 2022.

The fire was linked to a potential electrical malfunction, but it highlighted issues related to maintenance practices and emergency response protocols.

By applying a systems approach, stakeholders could focus on root cause analysis, looking into how maintenance schedules, crew training, and emergency responses are integrated and managed.

Overall recommendations for the systems approach

There are several important elements to consider in favor of the systems approach, as follows:

  • Interdisciplinary collaboration. Promoting collaboration among various stakeholders, including regulatory bodies, ship management companies, and safety experts, to share information and best practices
  • Root cause analysis. Encouraging investigations that go beyond the immediate causes of accidents to identify systemic failures that could contribute to unsafe conditions
  • Regular training and drills. Implementing continuous training and emergency drills for crew members to ensure readiness and competence and to enhance situational awareness
  • Maintenance and safety protocols. Establishing stringent protocols for vessel maintenance and safety checks, with thorough documentation and compliance checks
  • Regulatory oversight. Advocating for robust regulatory frameworks that require adherence to safety standards and proactive risk management strategies
  • Cultural change. Fostering a safety-first culture within organizations that prioritize safety above operational pressures

We can see in these two recent incidents that, as with the case of the Herald of Free Enterprise, a systems approach enables a comprehensive understanding of the complexities involved in maritime operations, leading to better prevention measures and enhanced safety outcomes in the passenger vessel industry.

Other examples

Over the years, the NTSB has investigated numerous accidents involving passenger vessels. A few notable examples follow:

  • Estonia. Although this accident occurred in European waters, its implications affected international passenger shipping, including practices adopted in the United States. The Estonia sank in the Baltic Sea in 1994, resulting in the deaths of 852 people. The investigation revealed that the key issues were related to vessel design, including hull integrity and cargo securing. This incident led to enhanced safety regulations regarding passenger vessel construction and operational safety protocols.
  • Andrew J. McHugh. This collision involving the ferry Andrew J. McHugh and another vessel occurred in the narrow Houston Ship Channel, leading to the deaths of 17 passengers in 1980. The key factors included poor visibility, navigational errors, and inadequate communication between vessels. Subsequent recommendations from the NTSB aimed at improving navigational practices and vessel traffic control in critical areas.
  • Benson. The Benson, a tour boat in New York, capsized during a sudden storm. A total of 10 people died in this 2000 incident. The investigation pointed out questionable weather assessment practices and inadequate safety measures for handling sudden weather changes. The NTSB recommended better training for crew members regarding weather evaluation and emergency response.
  • Dawn Princess. A fire aboard this cruise ship in the South Pacific led to emergency evacuations in 2003. Although there were no fatalities, more than 150 passengers were affected. The fire was linked to flaws in electrical systems. The NTSB emphasized improved fire safety systems and crew training on firefighting and evacuation protocols.
  • Emotion. This fishing vessel capsized near Alaska in 2010, resulting in several fatalities. The investigation pointed out structural problems and issues with the vessel’s stability while loaded. Recommendations focused on vessel stability assessments and the importance of adherence to safety regulations during fishing operations.
  • Explorer. In 2007, the Explorer ran aground off the coast of the Antarctic Peninsula, leading to evacuations. All passengers were saved, but the incident raised alarms about navigational practices and inappropriate response to weather changes. The NTSB highlighted the need for enhanced navigational training and real-time communication.

For each of these incidents, a systems approach would involve comprehensive training programs for crew related to emergency preparedness, rigorous maintenance and operational checks, research and implementation of advanced technologies for navigation and safety, and collaboration among regulatory bodies to create uniform safety standards that encompass all aspects of vessel operation. These historical examples underscore the importance of a proactive stance on maritime safety, highlighting that every component of the system must work together to prevent accidents and improve safety outcomes in the passenger vessel industry.

A poor approach that fails to be proactive can significantly contribute to accidents such as these. When risks are not systematically identified and appreciated, several detrimental consequences can arise. Without a systematic approach to risk assessment, potential hazards may go unnoticed, increasing the likelihood of incidents. Vessels may not be adequately equipped to handle specific risks, such as extreme weather or equipment failures. There is a requirement for safety protocols, adequate training, and improvement of communications.

On the other hand, a reactive approach undermines effective communication within the organization and between vessels. Without established systems for reporting and discussing risks, lessons learned from previous incidents may be ignored.

Another factor is lapses in regulatory compliance. In the absence of a proactive culture, vessels may not adhere to regulatory requirements consistently or may develop a compliance mindset that prioritizes minimum standards over comprehensive safety practices. Neglecting lessons learned from past incidents is another flaw. A failure to learn from past accidents can lead to repetitive mistakes. If organizations do not analyze historical incidents and implement changes based on those insights, they risk encountering similar situations again and again.

In the second part of this article, we will discuss the importance of using the Plan-Do-Check-Act cycle in embracing a safety management system.


Note – The above article was recently published in an Exemplar Global publication – ‘The Auditor’


The Hidden Costs of Ignoring Risk-Based Thinking in Management Systems

What Is Risk-Based Thinking and Why It Matters

Risk-based thinking is more than a procedural requirement; it’s a mindset shift that organizations must embrace to survive and thrive. Defined within ISO standards such as ISO 9001 and ISO 14001, risk-based thinking requires organizations to proactively identify and address potential threats and opportunities that could impact their ability to achieve objectives. The concept is not new.

In one of my early consulting projects in the manufacturing industry, I was part of a team helping a small machine shop align their operations with ISO 9001. Though certified, they lacked a framework for anticipating quality failures. The real issue wasn’t poor workmanship, it was the absence of a proactive, structured way to assess and mitigate risks. This experience drove home the importance of risk-based thinking not just as a compliance checkbox, but as a strategic advantage.

Cost of Non-Compliance vs. Cost of Reactive Management

Organizations that adopt ISO standards sometimes focus narrowly on compliance. But the greater cost comes not from failing an audit, but from waiting until something goes wrong.

Compliance-related penalties (e.g., fines, sanctions) are visible and immediate. But the costs of reactive management (lost time, rushed fixes, disrupted operations) are often far greater and longer lasting.

ISO standards advocate for preventive planning over reactive response. Clause 6 of ISO 9001, for instance, requires organizations to “determine risks and opportunities that need to be addressed” to ensure the quality management system achieves its intended results.

Types of Risks in Organizations

ISO management system standards recognize that risks come in different forms and require different strategies to address. Two of the most significant categories are:

Strategic Risks

Strategic risks are long-term and affect the organization’s mission, vision, and market position. ISO identifies these as risks that could:

  • Derail the achievement of objectives
  • Misalign the organization’s purpose with stakeholder needs
  • Affect the viability of the business model

Examples include:

  • Entering a new market without proper analysis
  • Failing to adapt to climate and other regulations
  • Shifting away from customer-focused innovation

Strategic risks require top-level leadership engagement and often intersect with broader governance and environmental planning efforts.

Operational Risks

These are day-to-day risks that affect how work gets done. ISO links operational risks to the “performance of processes” and the “delivery of conforming products and services”. They are typically localized, immediate, and easier to control.

Examples include:

  • Machine breakdowns
  • Supplier delays
  • Human errors in production or inspection

Operational risks are typically owned by middle managers or process owners and require timely mitigation using process controls, training, and monitoring.

Emerging Risks: Cybersecurity, Supply Chain, and ESG

In line with Clause 4 (Context of the Organization), ISO encourages awareness of external and emerging risks, including:

  • Cybersecurity threats (especially relevant in ISO 27001)
  • Supply chain instability due to geopolitical shifts or pandemics (relevant in ISO 28000)
  • Environmental, Social, and Governance (ESG) trends influencing investor and consumer behavior

Organizations that fail to anticipate and plan for these types of risks often experience cascading failures that affect both strategic and operational layers.

Direct Costs of Ignoring Risk

The financial impact of ignoring risks shows up quickly and painfully:

  • Product Recalls

In one renowned case, a food manufacturer lacked robust supplier risk assessments. A contaminated ingredient batch led to a full product recall. The consequences weren’t limited to the cost of disposal and refunds; they included shelf space loss and reputational harm that took months to repair. We have seen similar examples in the medical device industry as well.

  • Customer Dissatisfaction

Service businesses often overlook operational inconsistencies. A failure to plan for peak demand or under-trained frontline staff can quickly erode customer satisfaction, leading to loss of loyalty and negative reviews.

  • Downtime and Disruption

Ignoring equipment wear-and-tear or failing to conduct proper hazard analyses leads to unplanned downtime. Each hour of disruption in critical industries (e.g., aviation, medical manufacturing) can result in enormous opportunity costs.

Indirect and Long-Term Costs

Ignoring risk-based thinking also causes deep, long-term damage that isn’t always captured in financial statements:

  • Brand Erosion

Negative headlines or safety incidents can reduce customer trust overnight. Rebuilding a brand damaged by poor foresight is time-intensive and costly.

  • Talent Turnover

Employees want to work in organizations where their safety and professional risks are acknowledged and addressed. If teams feel their concerns are ignored, turnover increases, taking valuable knowledge and continuity with them.

  • Innovation Paralysis

In cultures without risk-based thinking, teams are punished for failure rather than rewarded for initiative. This kills innovation. ISO’s emphasis on addressing both risks and opportunities encourages organizations to take calculated, informed risks that drive growth.

How ISO Standards Embed Risk Thinking

ISO standards don’t just encourage risk thinking—they structurally embed it into the management system framework.

Clause 6: Planning Actions to Address Risks and Opportunities

This clause requires organizations to:

  • Identify risks that could affect product conformity or customer satisfaction
  • Evaluate their significance
  • Plan actions proportionate to their impact

For ISO 14001, this means evaluating risks related to environmental impact. For ISO 9001, it involves risks to product or service quality. The result is a cohesive, organization-wide approach to managing what matters most.

Clauses 9 & 10: Monitoring, Learning, and Improving

Clause 9 (Performance Evaluation) calls for:

  • Monitoring whether risk responses were effective
  • Auditing risk controls
  • Reviewing trends in performance

Clause 10 (Improvement) closes the loop:

  • Non-conformities trigger investigations
  • Lessons learned from failures feed back into planning
  • Risk registers are continuously updated

Together, these clauses help organizations evolve from static compliance to dynamic foresight.

Enabling Risk Thinking in Teams

Risk-based thinking must live beyond the boardroom. Empowering operational teams is essential:

Training in Early Detection

Teams should be trained to identify weak signals—those early indicators that something might go wrong. In a plant I worked with, rising absenteeism flagged deeper issues in work conditions, preventing a potential labor crisis.

Using Root Cause Analysis Proactively

RCA tools such as the Ishikawa diagrams shouldn’t be limited to incident response. Used proactively, they can prevent escalation of small issues into systemic failures.

Cross-Functional Risk Reviews

Risks often span functions. A procurement delay can become a customer complaint; a security loophole can become a safety incident. Cross-functional reviews foster transparency and collaboration, encouraging joint ownership of risk.


Conclusion: From Firefighting to Foresight

Risk-based thinking is not just a best practice; it’s a competitive advantage. Organizations that wait for risks to materialize will always be in “firefighting” mode, while those who embrace foresight will innovate, adapt, and grow.

As ISO continues to evolve, so must we. Risk is no longer something to avoid, it is a lens through which future-focused organizations make better decisions. ISO helps lay that foundation. The rest is up to us.

Integrating Multiple ISO Standards into One Coherent Management System

Over the past three decades working with management systems implementation in several industries including maritime, manufacturing, and service, I’ve witnessed firsthand the evolution of ISO standards and the increasing challenge of maintaining multiple certifications, primarily conflicting policies and responsibilities. ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 45001 (Occupational Health & Safety), and ISO 27001 (Information Security) are more commonly pursued in tandem today, driven by global supply chain expectations and stakeholder pressures.

A client I once worked with—a large aeronautical facility—maintained separate management systems for ISO 9001 and ISO 14001. The result? Duplicate documents, siloed responsibilities, and audit fatigue. They were spending more time managing the systems than actually improving performance. That’s when we introduced the concept of an Integrated Management System (IMS).

The Case for Integration: Efficiency, Consistency, and Strategic Alignment

When systems are fragmented, efficiency suffers. Integration streamlines documentation, eliminates duplication, and enables unified audits. But beyond efficiency, integrated systems foster consistency in decision-making and better alignment of strategic objectives.

Environmental management, for instance, shouldn’t operate in isolation. It intersects with operational quality (ISO 9001) and workplace safety (ISO 45001). ISO 9001 captures the processes, and ISO 14001 and ISO 45001 help assess the environmental and safety risks to these processes. Integrating these perspectives supports sustainable performance, an approach increasingly expected by investors and customers alike.

Understanding Common Frameworks

Annex SL Structure: The Backbone of Integration

At the heart of modern ISO management standards is the Annex SL structure—a common high-level structure introduced by ISO to facilitate alignment. Annex SL defines 10 clauses that form the skeleton of all modern ISO standards. These include:

  1. Context of the organization
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance evaluation
  7. Improvement

This structure makes it easier to align, for example, the risk and opportunity clauses in ISO 14001 with similar requirements in ISO 9001 and ISO 45001.

Shared Clauses: Context, Leadership, Risks/Opportunities, Support

Clauses like context (Clause 4) and leadership (Clause 5) are nearly identical across standards. For instance, ISO 9001 and ISO 14001 both require organizations to identify internal/external issues and stakeholder needs. Recognizing these overlaps helps unify strategic planning across environmental, quality, and safety concerns.

Planning Integration

Gap Analysis Between Existing Standards

The first step in integration is a detailed gap analysis. When conducting a gap analysis for an integrated management system, the organization will need to identify overlaps, conflicts, and unique elements across existing systems. This not only highlights integration opportunities but also helps avoid redundancy.

Mapping Overlaps and Identifying Conflicts

Mapping reveals areas where procedures can be harmonized. For example, document control procedures under ISO 9001 and ISO 14001 can be merged, while roles defined under ISO 45001 may need alignment with other standards to avoid confusion.

Stakeholder Engagement and Cross-Functional Ownership

Buy-in from leadership and cross-department teams is crucial. In one project with a medium-sized paper manufacturing mill, resistance from the safety team initially stalled integration. Through workshops and shared performance metrics, we eventually fostered a sense of shared ownership across departments.

Implementation Strategy

Creating a Unified Documentation Structure

A common document structure enables centralized control and easy access. Using a process-based approach (e.g., Plan-Do-Check-Act) across all standards ensures consistency.

Integrated Risk and Opportunity Management

Risk-based thinking is foundational across ISO standards. Organizations should establish a unified risk register that includes environmental risks (like regulatory non-compliance), quality risks (like defective products), safety risks and information security threats.

Cross-Trained Teams and Common Audit Mechanisms

Cross-functional training builds awareness and reduces duplication. Integrated audits, where auditors assess compliance with multiple standards in a single visit, reduce disruption and provide a holistic view of performance.

Challenges and Pitfalls

Cultural Resistance

One of the biggest obstacles is organizational culture. Teams often view their standard (especially environmental or safety) as a domain-specific fortress. Breaking down silos requires patient change management and clear communication about benefits. By appreciating existing management systems and not using a cookie-cutter approach, QMII makes the changes more embraceable.

Over-Engineering vs. Under-Documentation

Too much integration can result in a bloated system that’s difficult to manage. Conversely, under-documentation risks non-conformities. Striking the right balance is an art, guided by the People – Process – System approach of QMII.

Certification Body Expectations

Not all certification bodies prefer to conduct integrated audits. Be sure to select a registrar experienced in integrated systems and let them know of your desire to conduct integrated audits. This will save your organization time and money.

Real-World Examples of Integration

One of the most compelling transformations I’ve seen was at a shipyard that integrated ISO 9001, ISO 14001, and ISO 45001. Post-integration, their audit time was reduced by 35%, and customer complaints dropped by 25%—largely due to better process visibility and ownership.

In the service sector, a hotel chain integrated ISO 14001 and ISO 9001, creating eco-conscious guest experiences tied directly to quality objectives. Environmental impact reports became a value-added feature in their marketing strategy.

KPIs and Metrics Post-Integration

Integrated systems enable better performance tracking. Examples of key metrics include:

  • Combined audit findings (number, severity, recurrence)
  • Resource savings from reduced duplication (time and cost)
  • Stakeholder satisfaction scores (employees, customers, regulators)

Conclusion: The Future of IMS (Integrated Management Systems)

Integrated Management Systems are not just a trend; they are a necessity in an increasingly interconnected and regulated world.

Environmental management must be embedded within a larger performance ecosystem. It should influence and be influenced by quality, safety, and information security. Organizations that succeed in this integration journey will not only reduce waste—both physical and procedural—but also build agility, trust, and long-term value.

The Importance of Continual Training in Quality Management

Quality Management Systems (QMS) like ISO 9001 are more than just certificates on a wall—they are the backbone of consistent performance, customer trust, and operational excellence. At the core of a thriving QMS lies one often underestimated element: continual training. No matter how comprehensive your system is, it is only as effective as the people managing it.

Throughout my decades working with maritime companies and small to mid-sized enterprises, I’ve seen the impact of ongoing training firsthand. Businesses that prioritize continual learning not only avoid stagnation but also elevate their standards. There is a direct link between continual improvement and business success, and training is the vehicle that is a key support in that journey.

Why Continual Training Matters in Quality Management

Keeping Up with Evolving Standards

ISO standards aren’t static. ISO 9001 itself has undergone several revisions over the years. Businesses that don’t train their teams regularly risk falling out of conformity. However, this is not all that is evolving. Compliance obligations are evolving too, and with them the risks to the process, which lead to changes to the process to mitigate these risks. The importance of quality management training becomes critical when standards evolve, because what worked yesterday may not satisfy today’s expectations. Further, additional training such as FMEA and problem solving proves a valuable asset in an employee’s skill set.

Addressing Changing Customer Expectations

Customer expectations today are higher and more fluid than ever. Continual training helps quality management teams adapt to these changes by enhancing their ability to identify trends, analyze feedback, and implement responsive changes. One client in the logistics sector updated its training modules and noted a reduction in user errors.

Reducing Errors and Improving Consistency

Mistakes in quality management usually stem from a lack of awareness or understanding. In one engineering services company I consulted for, inconsistent recordkeeping was leading to frequent audit findings. After implementing training for ISO standards, non-conformance reports dropped by 40% within six months. Continual training instills consistency and reduces costly errors.

Core Areas to Focus on During Quality Management Training

Internal Audits

Effective internal audits are a pillar of any ISO 9001 system. Providing internal audit training empowers staff to identify gaps before external auditors do. For instance, a food packaging SME trained their department heads as internal auditors and saw a 50% reduction in minor non-conformities during certification renewal.

Risk Management

Modern QMS frameworks emphasize risk-based thinking. Employees should be trained in identifying, evaluating, and mitigating risks. Structured risk management training helps businesses anticipate disruptions and make data-driven decisions. A UK-based electronics firm credits their stable growth during Brexit to scenario planning introduced through risk-focused training modules.

Customer Satisfaction Improvement

Training teams to effectively track, analyze, and respond to customer feedback ensures that quality doesn’t just meet but exceeds expectations. One case in point is an IT services company that held quarterly feedback analysis training. Within a year, they saw customer complaint resolution time cut in half.

Document Control

Poor documentation can unravel an otherwise sound system. Proper training ensures that document management is consistent, accessible, and aligned with regulatory requirements. When a ship maintenance contractor implemented a document control training module, audit time was reduced by two days due to quicker access and better version tracking.

Benefits of Regular Training for Employees

Increased Employee Engagement

When staff feel invested in, they reciprocate through higher ownership and accountability. Employee training benefits include stronger morale and lower turnover. A maritime safety company I worked with reported a 25% drop in staff attrition after launching a quality-focused training initiative.

Improved Efficiency and Product Quality

Skilled employees waste less time and deliver higher quality outputs. A Swiss manufacturing firm using Lean principles alongside ISO 9001 saw productivity rise 20% after implementing skill-based development paths.

Higher Customer Satisfaction Rates

Customers notice when a business is responsive and consistent. Continual training enhances the service culture, as knowledgeable employees handle queries and issues more effectively. Improved quality leads directly to happier customers.

Best Practices for Implementing Continual Training Programs

Regular Workshops and Refresher Courses

Schedule recurring workshops to ensure that staff stay updated. These can be quarterly or semi-annual, based on system complexity. One health care distributor holds monthly ISO huddles and credits them with its 98% audit readiness score. This also helps build muscle memory and increase knowledge retention.

Online Training Platforms

Digital learning tools are cost-effective and accessible. QMII has worked with clients to develop custom ISO 9001 training courses tailored to various industry needs. eLearning is an effective tool when blended with in-person workshop reinforcement.

Certification Renewals and Upgrades

Make sure employees know that training doesn’t end with initial certification. Renewal cycles often introduce updates, and staff must be prepared. Invest in quality management training programs that include updates on ISO revisions and emerging practices.

Tools and Resources for Quality Management Training

  • Online Courses: Contact QMII to learn more about how we can develop custom eLearning modules for your organization. We also provide all our classes in a virtual instructor-led format.
  • Webinars: QMII frequently hosts free webinars on trending QMS topics.
  • Consultants: Working with experienced consultants accelerates learning and contextualizes standards for your business. QMII consultants are all field experienced and bring that experience to the classroom to enhance your learning.

Conclusion

Training isn’t an expense—it’s an investment in the stability and future of your QMS. A quality management system that is static soon becomes obsolete. Continuous improvement is only possible when learning is continual too.

Whether you’re aiming to reduce audit findings, improve product consistency, or boost customer trust, the answer often lies in a better-trained team. Don’t wait for non-conformities to force change.

Invest in continual training today and future-proof your quality processes for tomorrow.

How Management System Standards Help Small Businesses Scale

In today’s competitive landscape, structured growth is not just an advantage for small businesses—it’s a necessity. Without a clear framework, businesses risk chaotic expansion, inconsistent quality, and missed opportunities. This is where Management System Standards (MSS) come into play. Standards like ISO 9001, ISO 14001, and ISO 45001 provide small businesses with the structure needed to scale sustainably and confidently. Their structure also leaves small businesses the flexibility they need to be agile and adapt.

Over my 25+ years working within the maritime industry and supporting businesses, startups, and service organizations, I have seen firsthand how implementing process-based standards, such as ISO standards for small business, transforms not just operations but also mindsets. Whether it’s a marine engineering firm or a boutique consulting firm, Management System Standards lay the foundation for scalable success.

What Are Management System Standards?

Management System Standards (MSS) are structured frameworks that help organizations manage and improve their processes, ensure quality, meet regulatory requirements, and achieve strategic objectives. These business management standards provide a “blueprint” for how to run your business more effectively.

Some well-known examples include:

  • ISO 9001: Focused on delivering consistent Quality
  • ISO 14001: Focused on improving Environmental performance
  • ISO 45001: Focused on Occupational Health and Safety 
  • ISO 27001: Focused on Information Security 

By adopting Management System Standards like ISO 9001, ISO 14001, ISO 27001 and ISO 45001, small businesses can create an operational backbone that supports consistent delivery, sustainable practices, and workplace safety. They become more resilient, adaptable, and attractive to clients, providing a strong competitive advantage in crowded markets.

Key Benefits of Implementing Management System Standards

Improved Operational Efficiency

When I helped a small manufacturing company, providing parts to a large shipyard, implement ISO 9001, their operational bottlenecks became immediately visible. By mapping processes and applying continuous improvement practices, they reduced their non-conforming outputs by 25% within a year. They also retained the business of the shipyard and grew to win more contracts. Management System Standards encourage clarity in workflows, reduced waste, and smarter resource use—essential factors if you’re looking to improve business operations.

A great real-world example is the case of Precision Micro Ltd., a UK-based manufacturer that reported a 15% productivity boost after ISO 9001 implementation, according to the British Assessment Bureau. Their streamlined processes directly contributed to significant cost savings and faster turnaround times.

Enhanced Customer Satisfaction

Clients notice consistency. They notice responsiveness. MSS like ISO 9001 place a sharp focus on customer feedback loops and satisfaction monitoring. Working with a credentialing provider, we were able to reduce the time it took to produce credentials from 4 months to less than a month. Happy customers mean repeat business and glowing referrals—a prime example of the benefits of ISO 9001.

Similarly, The Italian Food Company, a small deli supplier, increased their customer base by 20% after achieving ISO 9001 certification. They attributed their success to improved product consistency and faster complaint resolution, showcasing how ISO standards can directly impact business growth.

Better Compliance and Risk Management

Navigating environmental and safety regulations can overwhelm small teams. ISO 14001 and ISO 45001 help businesses manage compliance proactively. By systematizing risk assessments, my maritime clients could avoid regulatory penalties and significantly improve workplace safety. These standards also engage the leadership in the system and place more accountability on them for the effectiveness of the system. These strategies showcase how crucial risk management for small business is to sustainable growth.

The case of Skyform Ltd., a Scottish construction company, is notable—they reported a 70% reduction in workplace incidents after implementing ISO 45001. Additionally, they saw a notable increase in contract awards, thanks to their enhanced safety credentials.

How Management System Standards Enable Small Business Growth

Building Trust and Credibility

Certifications like ISO 9001 signal professionalism to clients and partners. It’s a game-changer for credibility. QMII has supported hundreds of clients in achieving first-time certification, including a government contractor that then won a major contract largely because its ISO 9001 certification assured the client of its reliability. This is a clear example of how to scale small business operations effectively.

According to research by ISO.org, organizations that are ISO 9001 certified are 54% more likely to achieve successful contract bids compared to their non-certified counterparts.

Streamlining Internal Processes

Clear documentation, responsibility assignments, and continuous improvement loops lead to a leaner, more agile operation. Internal teams spend less time firefighting and more time delivering value, supporting smart business growth strategies. For example, Advanced Engineering Ltd. reduced their internal quality issues by 40% after implementing ISO 9001, creating more time and resources for strategic initiatives.

Access to Bigger Markets

Many government agencies and corporate giants require small businesses to have specific certifications before awarding contracts. MSS opens doors to new revenue streams. Small business certifications like these are often the ticket to playing in larger arenas.

Research from the International Accreditation Forum (IAF) found that certified companies are 62% more likely to enter new markets and expand their client base successfully.

Case Studies: Small Businesses That Scaled with MSS

  • BIZZY B Management Systems (South Africa):
    After achieving ISO 9001 certification, Bizzy B saw a 30% increase in business efficiency and a significant reduction in client complaints. According to the South African Bureau of Standards (SABS), their improved processes helped them win several new contracts with government agencies.
  • Premier Foods Ltd (UK):
    According to BSI Group, Premier Foods implemented ISO 9001 to tighten quality controls across their supply chain. This led to a notable 20% reduction in customer complaints and supported their expansion into new international markets.
  • TNT Express (Italy):
    TNT Express leveraged ISO 9001 certification to streamline its logistics and customer service processes. ISO reported that after implementation, TNT Express improved on-time delivery rates by 18% and reduced operational errors, giving them a significant competitive advantage.

How to Get Started With Management System Standards

Step 1: Gap Analysis

Identify where your current processes fall short of standard requirements. This initial assessment prevents wasted effort later and is the critical first step in how to get ISO certification. Contact the QMII solutions team to learn how our Gap Assessment can set your system up for success. Grounded in a tailored approach that appreciates your existing management system, the QMII approach delivers maximum benefits with minimal change.

Step 2: Implementation

Develop and roll out the necessary policies, procedures, and processes to align with the chosen Management System Standards. This includes documentation, assigning responsibilities, conducting internal audits, and embedding a culture of continual improvement. Use QMII’s Action Planning Checklist to guide you. 

Step 3: Training

Educate your team on the standards and why they matter. Everyone must be on the same page for successful adoption. QMII’s Awareness Leaders Training is a great starting point.

Step 4: Certification

Choose an accredited body to certify your system. Remember, certification isn’t just a one-time event; it’s a commitment to continual improvement. Following the correct ISO certification steps can set your small business up for long-term success.

Step 5: Maintenance

Post-certification, regular audits and reviews keep your systems sharp and aligned with your growth trajectory. Certification for small business initiatives is only as strong as their ongoing maintenance.

Importance of Professional Consultation: Partnering with experts, like QMII, can dramatically simplify this journey. We bring perspective, proven tools, and the experience to help you avoid common pitfalls and tailor your approach to your specific industry needs.

Conclusion

Scaling a small business requires more than ambition; it demands structure, consistency, and credibility. Management System Standards provide the scaffolding small businesses need to grow sustainably, improve operational efficiency, and access bigger markets.

Start simple: pick one standard that aligns with your immediate goals. Implement it well. Then build from there. Structured today, successful tomorrow!

What Is Risk-Based Thinking in ISO Standards?

Over the past two decades of working closely with clients in both the manufacturing and service sectors, I’ve witnessed firsthand the transformation that occurs when organizations stop treating compliance as a checklist exercise and start thinking in terms of risk and opportunity. With the 2015 revisions to many ISO standards, particularly ISO 9001, we saw a deliberate shift away from siloed “preventive actions” toward an integrated, strategic approach known as Risk-Based Thinking (RBT). 

This wasn’t just a semantic change. It marked a cultural evolution, an acknowledgment that uncertainty is inherent in every business process, and that success belongs to those who plan for it, not those who simply react to it. RBT has empowered organizations to navigate complexity with greater confidence, embedding foresight into their planning and decision-making at all levels. 

In this article, I’ll draw from real-world consulting experiences across diverse industries to demystify Risk-Based Thinking. We’ll explore what it really means, why it matters, how it supports proactive leadership, and what tools you can use to bring it to life within your own management system. Whether you’re guiding a mature enterprise or a fast-scaling startup, the principles of RBT are not only practical, but they’re also essential.

What Is Risk-Based Thinking (RBT)?

Risk-Based Thinking (RBT) is the proactive approach embedded in ISO standards like ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018. Rather than treating risk as a separate component, RBT integrates it into every facet of an organization’s management system. This shift moves organizations from a reactive stance to a proactive culture, where potential issues are anticipated and addressed before they escalate. 

In my consulting journey, I’ve observed that organizations embracing RBT don’t just prevent problems, they identify opportunities for improvement and innovation. For instance, a manufacturing client leveraged RBT to streamline their supply chain, resulting in reduced lead times and increased customer satisfaction.

How Risk-Based Thinking Supports Proactive Decision-Making:

  • Identifying Potential Risks and Opportunities: By assessing both internal and external factors, organizations can foresee strategic and operational challenges and capitalize on opportunities. 
  • Integrating Risk Assessment into Planning: This ensures that objectives are achievable, and resources are allocated effectively. 
  • Enhancing Stakeholder Confidence: Demonstrating a proactive approach to risk management builds trust among customers, suppliers, and regulators.

A service industry client I worked with implemented RBT in their project management processes. This led to improved project delivery times and a significant reduction in unforeseen issues.

Key Objectives of Risk-Based Thinking:

The primary goals of RBT include: 

  • Enhancing Organizational Resilience: By anticipating potential disruptions, organizations can develop contingency plans. 
  • Promoting Continuous Improvement: Regular risk assessments lead to ongoing enhancements in processes and systems. 
  • Aligning Risk Management with Strategic Objectives: Ensuring that risk considerations are integral to achieving business goals. Read clause 6.1 connected to clause 4.1 and 4.1 per ISO harmonized structure. 
  • Fostering a Culture of Risk Awareness: Encouraging employees at all levels to consider risk in their daily activities. Clause 7.3 drives awareness to employees on how they can contribute to the system.

Practical Application of Risk-Based Thinking:

Implementing RBT involves: 

  1. Contextual Analysis: Understanding the organization’s internal and external environment. 
  2. Risk Identification: Recognizing potential events that could impact objectives. 
  3. Risk Assessment: Evaluating the likelihood and impact of identified risks. 
  4. Risk Treatment: Determining appropriate actions to mitigate or capitalize on risks. 
  5. Monitoring and Review: Continuously tracking risk factors and adjusting strategies accordingly.

Comparison: Preventive Action (Old) vs. RBT (New):

Previously, ISO standards emphasized preventive actions as separate clauses. However, this often led to a checkbox mentality, where organizations implemented measures without truly integrating them into their processes. 

With RBT: 

  • Integration: Risk considerations are embedded throughout the management system. 
  • Proactivity: Organizations anticipate and address potential issues before they occur. 
  • Flexibility: RBT allows for tailored approaches based on the organization’s specific context. 

This evolution encourages a more dynamic and effective approach to risk management. 

Tools & Techniques to Support Risk-Based Thinking:

1. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats) 

Use: SWOT analysis helps organizations evaluate their internal strengths and weaknesses, alongside external opportunities and threats. It’s particularly useful during strategic planning sessions or when entering new markets or launching new products. 

When to Use: Early in the business planning process or during the review of the organization’s context. 

Clause Alignment: ISO 9001:2015 – Clause 4.1 (Understanding the organization and its context) and Clause 6.1 (Actions to address risks and opportunities). This tool ensures that strategy and quality objectives are grounded in a realistic assessment of the internal and external environment. 

2. Failure Mode and Effects Analysis (FMEA) 

Use: FMEA systematically evaluates potential failure points in a product, process, or system and ranks them by severity, occurrence, and detection. It’s widely used in manufacturing, healthcare, and aerospace sectors. 

When to Use: During product design, process development, or when implementing changes that could introduce new risks. 

Clause Alignment: ISO 9001:2015 – Clause 8.3 (Design and development of products and services), as well as Clauses 6.1 and 8.1. It supports risk-based planning and preventive strategies by analyzing “what could go wrong” and mitigating those risks before implementation.

3. Risk Registers 

Use: A risk register is a living document that captures identified risks, assesses their likelihood and impact, and outlines mitigation actions and responsible parties. It provides transparency and traceability for risk management activities. 

When to Use: Continuously throughout project lifecycles or operational management, especially in industries like construction, logistics, or IT. 

Clause Alignment: ISO 9001:2015 – Clause 6.1 and Clause 9.1 (Monitoring, measurement, analysis and evaluation). It helps document ongoing risk review processes and links actions to strategic and operational plans. While a risk register is not a requirement, it is beneficial.

4. Root Cause Analysis (RCA) 

Use: RCA investigates underlying causes of nonconformities, defects, or failures to prevent recurrence rather than just treating symptoms. It’s a staple in corrective action processes. 

When to Use: After incidents, near misses, or nonconformities—often triggered by audit findings or customer complaints. 

Clause Alignment: ISO 9001:2015 – Clause 10.2 (Nonconformity and corrective action). It supports continual improvement by ensuring lessons are learned and corrective actions address the source of problems. 

5. ISO/IEC 31010 – Risk Assessment Techniques 

Use: This standard outlines a variety of risk assessment tools including brainstorming, checklists, fault tree analysis, and bowtie analysis. It offers structured approaches tailored to industry-specific needs. 

When to Use: Depending on organizational maturity, criticality of operations, or regulatory environment. 

Clause Alignment: Supports ISO 9001:2015 – Clause 6.1, as well as clauses in ISO 14001 and ISO 45001 related to risk and opportunity planning. This framework provides flexibility for choosing appropriate methods suited to specific organizational risks. 

These tools, when chosen and applied correctly, don’t just satisfy audit checklists, they cultivate a culture of resilience and foresight. Over the years, I’ve seen organizations evolve by not just using these techniques mechanically, but integrating them into daily decision-making, making risk-based thinking a true operational philosophy rather than a compliance exercise. 

Understanding ISM Code Compliance for Maritime Operators

Having spent over 15 years in the maritime and compliance world, and a further decade working with various international Flag Administrations, I’ve seen firsthand the shift from traditional shipping operations to a more safety- and systems-driven industry. One of the major forces behind that transformation? The International Safety Management (ISM) Code. For maritime operators today, ISM Code compliance isn’t just about ticking boxes, it’s about embedding a culture of safety, responsibility, and continual improvement into every layer of their operation.

What is the ISM Code?

There is a saying that regulations are written in blood. The ISM Code was born out of hard lessons learned from major marine accidents. The major event that acted as a catalyst in its development was the MV Herald of Free Enterprise. Introduced by the International Maritime Organization (IMO) under the SOLAS convention, the code mandates that every shipping company operating SOLAS-compliant vessels implement a Safety Management System (SMS), a system that governs practices for the safe operation of ships and prevention of marine pollution.

I remember when the ISM Code first rolled out in the ’90s. Many shipowners were skeptical, and some even resistant. Back then, I was sailing with a company that was navigating the early implementation. The real challenge was shifting the mindset from reactive firefighting to proactive risk management, and from a documentation exercise to a shift in the way operations were done. That’s where I learned: policies are easy to write, but real compliance starts with people.

Why ISM Code Compliance Matters More Than Ever

Today, ISM Code compliance is not optional—it’s foundational. For operators navigating increasingly complex global regulations, it offers several key benefits:

  • Safety First: The SMS serves as a blueprint for safe operations at sea. I’ve seen it reduce incidents dramatically when implemented properly.
  • Environmental Responsibility: With public scrutiny and environmental regulations tightening, having structured pollution control measures is non-negotiable.
  • Credibility & Trust: In one of my past sailing tenures with a major operator, ISM compliance helped secure long-term contracts with charterers. Clients want to work with companies that can prove they’re managing risks responsibly.
  • Operational Clarity: When roles, responsibilities, and procedures are clearly outlined, decision-making becomes faster and more consistent.

The Core Objectives of the ISM Code

The ISM Code objectives listed in clause 1.2 remain as relevant now as when the code was first introduced. Clause 1.2 is about outcomes, not just documents. It’s about creating a system that actually prevents harm, not just reacts to it.

For me, ISM Code compliance under Clause 1.2 isn’t just about passing an audit, it’s about building a culture where every person onboard understands their role in safeguarding lives, the vessel, and the environment. It requires integrating risk assessments into planning, ensuring safe working practices, maintaining the ship properly, and always being prepared for emergencies.

I always emphasize these objectives when training ship and shore staff. It’s not about overwhelming them with paperwork, it’s about aligning them with a purpose. The code provides the structure; we provide the commitment.

Key Elements of ISM Code Compliance

A fully compliant SMS includes:

  • Safety and Environmental Protection Policy
  • Defined Roles and Responsibilities
  • Safe Operating Procedures
  • Emergency Preparedness
  • Reporting and Analysis of Incidents
  • Internal Audits and Continuous Improvement

One of the best implementations I facilitated was for a regional bulk carrier. We not only developed the vessel SMS but aligned office procedures, and built an SMS that didn’t just sit in a manual, it lived on the bridge, in the boardroom and in the daily practices of personnel.

The Compliance Process for Maritime Operators

Getting compliant involves more than a checklist. Here’s a simplified roadmap:

  1. Gap Analysis – Review what you already do and what the code expects. Does it reflect the operational reality or is it a fictional system?
  2. SMS Development/Update – Build or refine your safety management system. Comprehensive reviews, when done after many years, can lead to a reduction in documentation by over 20 percent.
  3. Training & Awareness – Everyone onboard and ashore must know their part. How do they contribute to the effectiveness of the system?
  4. Certification – Obtain the Document of Compliance (DOC) and Safety Management Certificate (SMC) through audits.
  5. Ongoing Monitoring – Regular internal audits and management reviews keep the system alive and evolving.

Common Challenges in ISM Code Compliance

Let’s be real, compliance has its hurdles:

  • Top-down Disconnect: Without leadership buy-in, the SMS becomes a box-ticking exercise.
  • Crew Resistance: “We’ve always done it this way” is a common attitude.
  • Training Gaps: If your crew doesn’t understand the ‘why’ behind procedures, they won’t follow them.
  • Audit Fatigue: Poor recordkeeping and rushed preparation can derail audits.

My advice? Keep it simple. Make procedures practical, not bureaucratic. Involve the crew in developing routines. That’s how you make compliance sustainable.

The Future of ISM Code Compliance and Technology’s Role

The maritime industry is changing fast. Digital tools are making compliance easier and smarter:

  • Cloud-based SMS systems offer real-time updates and reduce paperwork.
  • Remote audits became mainstream during the pandemic—and they’re here to stay. Where a full remote audit is not feasible consider hybrid audits.
  • Data analytics can identify patterns in incidents and help prevent them.
  • Mobile apps for onboard reporting are empowering seafarers to be active players in the compliance process.

Look at mistake-proofing the system, so that even if a human wanted to make an error, the system would prevent it.

In conclusion, ISM Code compliance isn’t just about certificates. It’s about creating a safety culture that protects your people, your assets, and the environment. For maritime operators willing to invest the effort, the returns in safety, efficiency, and reputation are well worth it.

If you’re a maritime operator looking to simplify or strengthen your ISM safety management system, I’m happy to share more from my experiences. As someone who’s walked ship decks, sat in boardrooms, worked with Flag Administrations and led audits, I believe that compliance done right isn’t a burden—it’s a competitive advantage.

Internal vs External Audits: What Every Business Owner Should Know

The Strategic Importance of Audits for Business Owners

Audits are more than compliance checks; they are strategic tools that provide insights into performance, risk, and improvement opportunities. Engaged business leaders use audit results to drive better decision-making and long-term success. When conducted well, audits show leaders where they may have to re-prioritize or allocate resources, where policies may be in conflict, what is working well, and where the system needs their leadership intervention.

What Are Internal and External Audits?

Internal Audits: Performed by or for the organization to check its own processes. These may be process audits or full system audits.

External Audits: These could be supplier audits (second party) or certification or regulatory audits (third party). Third-party audits are conducted by a third party or certification body to verify compliance with standards.

Internal and external audits differ in breadth and depth of the audit based on scope and objective.

Why External Audits Should Be Taken Seriously

External audits affect certification, reputation, and client confidence. A successful external audit demonstrates credibility and reliability.

Tip: Be prepared, be honest, and see auditors as partners in your improvement journey.

How to Prepare for Both Audits

  • Keep documentation current
  • Review and close previous findings
  • Train staff on audit processes
  • Conduct mock audits
  • Engage leadership in the audit process

Conclusion:

ISO audits and their findings are not to be feared. They are valuable tools for identifying weaknesses and driving continuous improvement. With the right mindset and preparation, audits can move beyond mere compliance and become a core part of your strategic growth. Organizations that stay audit-ready show that they are not only compliant but also committed to excellence.

Top 10 Common ISO Audit Findings and How to Avoid Them

Importance of Being Audit-Ready:

Audits serve a critical role in verifying that an organization’s processes are aligned with established standards and functioning as intended. Far from being a punitive exercise, audits offer valuable insight into the strengths and weaknesses of a management system.

In my three decades of working with organizations across industries, one universal truth remains: an audit is not a surprise inspection, it’s a mirror. It reflects your organization’s systems, leadership engagement, and cultural commitment to quality and improvement.

However, many organizations approach audits reactively, preparing only when one is imminent. This mindset often leads to unnecessary stress, inefficiencies, and missed opportunities for improvement. Being audit-ready means that compliance and performance monitoring are built into everyday operations, not treated as one-time events.

When an organization maintains a state of readiness, it reflects a culture of discipline, transparency, and continual improvement. Employees are aware of their responsibilities and of their processes, documentation is up-to-date, and leadership is engaged in the oversight of the system. This proactive approach not only supports successful audit outcomes but also enhances organizational resilience, stakeholder trust, and long-term sustainability.

Understanding ISO Audit Findings: What They Are and Why They Matter:

ISO audit findings are the documented results of an audit. Specifically, they identify areas where an organization’s management system either conforms to or deviates from the requirements of the ISO standard being audited. Findings can range from conformities, to observations (areas for potential improvement), to nonconformities, which indicate a failure to meet a specific requirement.

Audit findings are like diagnostic tools. Much like a physician’s report, they highlight where systems are healthy and where they need attention. Nonconformities, in particular, require careful attention. They are typically classified as minor or major. Left unaddressed, even minor nonconformities can escalate and lead to reputational damage, customer dissatisfaction, or even loss of certification.

In essence, audit findings are not setbacks, they are stepping stones toward improvement.

1. Poor Document Control

Uncontrolled, outdated, or missing documents can quickly lead to findings. Document control is critical for ensuring staff use the correct and current information. Organizations can avoid this ISO Audit finding by implementing version control, limiting access to documentation, voiding printed copies of documentation, training employees on document management, and regularly reviewing and updating procedures.

2. Incomplete or Missing Records

Auditors expect to see evidence that procedures are being followed. If records are absent, it creates doubt about system effectiveness. Was the work really done? Furthermore, incomplete records cannot show whether the process step was followed as required by the procedure.

Organizations can avoid this ISO Audit finding by automating recordkeeping, performing regular record audits, building employee awareness, and assigning clear ownership for maintaining records.

3. Lack of Management Review

Without regular management reviews, there’s no top-level oversight of the system’s performance and alignment with strategic goals. Clause 9.3 of the ISO standards requires these reviews to be done at planned intervals. In some cases, the organization may evidence the inputs provided to management, but the outputs (decisions and actions) fail to get recorded.

Organizations can avoid this ISO Audit finding by scheduling periodic reviews, using metrics to guide discussions, making sure the leadership participates and documenting decisions and follow-up actions.

4. Ineffective Internal Audits

Weak internal audits fail to uncover problems and leave issues for external auditors to find. This could be caused by poorly trained and qualified auditors, poor audit planning, using ‘canned’ checklists, and a fear of audits and non-conformities causing personnel to hide issues.

Organizations can avoid this ISO Audit finding by having auditors trained by recognized training providers like QMII, auditing processes and not just documents, and closing out internal audit findings promptly.

5. Unclear Roles and Responsibilities

When staff are unsure of their responsibilities, process gaps and accountability issues arise. In companies I have worked with, confusion sometimes arises because it is not clear which operator will conduct the task, since all have the same job description.

Organizations can avoid this ISO Audit finding by defining roles and responsibilities in a RACI matrix or in the documented procedure, communicating changes clearly and verifying understanding during onboarding and training.

6. Non-Conformance Not Properly Addressed

Failure to analyze root causes or verify corrective actions can lead to repeat findings. A common cause of this may be a poorly written non-conformity as well as a lack of structured root cause analysis training.

Organizations can avoid this ISO Audit finding by following a structured corrective action process, using tools like 5 Whys or Fishbone diagrams, and reviewing the effectiveness of corrections.

7. Lack of Risk-Based Thinking

ISO standards expect organizations to identify and manage risks proactively. Many still rely too heavily on reactive approaches. In some cases, risks are known, but are not passed up the chain because no structure exists for this to occur. Organizations can avoid this ISO Audit finding by including risk assessments in the planning phase, training staff on risk identification and maintaining a risk register that is updated on a regular basis. 

8. Insufficient Training or Competence

Staff who aren’t trained properly or lack required skills pose a compliance risk. Organizations can avoid this ISO Audit finding by developing and using a skills matrix, providing refresher training, and linking training to performance reviews. Once the training is complete, organizations must have a process to verify that training resulted in competence.

9. Failure to Meet Customer or Regulatory Requirements

Not understanding or failing to meet these requirements can lead to major nonconformities. This occurs when organizations do not have a robust process for determining new requirements that may impact them and planning ahead to mitigate the risks. 

Organizations can avoid this ISO Audit finding by reviewing customer contracts and regulations, staying updated on evolving regulations, conducting compliance checks and keeping requirements visible to relevant teams.

10. Lack of Continual Improvement Evidence

Without records of improvement, your ISO system can appear stagnant and ineffective. Organizations can demonstrate to auditors that they meet the intent of continual improvement by trending and tracking KPIs, logging and reviewing improvement initiatives, and recognizing and rewarding improvements.

How to Retain Auditor Training Knowledge When You Can’t Apply It Immediately 

Completing an auditor training course is an exciting milestone. You walk away with frameworks, methodologies to create checklists, audit question techniques, and—if you’re like most professionals—a head buzzing with new knowledge. Ideally, you’d jump right into an audit and apply your skills, reinforcing what you’ve learned while it’s still fresh. But what if that opportunity doesn’t come right away? 

At QMII, we recognize this common challenge among our alumni. Let’s explore effective strategies to bridge the gap between training and practice—so that knowledge doesn’t fade but instead becomes a solid foundation for your future audit work. 

1. Simulate Real-World Scenarios 

Action: Design mock audits for yourself or with peers. 

Even without access to an organization’s system, you can simulate an audit process by reviewing publicly available quality manuals, environmental reports, or sample procedures, including your own. Pretend you’re preparing for an audit: write an audit plan, create checklists, list the additional documentation you would request, and practice conducting document reviews.

Tip: Use scenarios from your training or past experience and ask yourself: 

  • What would I ask as an auditor? 
  • What evidence would I seek? 
  • What risks could be present? 

2. Start a Learning Journal 

Action: Reflect on key concepts, standards clauses, and audit techniques by writing them down in your own words. 

Journaling isn’t just for reflection; it’s a brain-anchoring technique. When you write out what you remember and how you would apply it, you’re reinforcing neural pathways tied to that knowledge.

Include: 

  • Summaries of ISO clause requirements. 
  • How you would handle nonconformities. 
  • Sample non-conformities within your organization, with your written assessment of them and of the effectiveness of corrective actions.

3. Teach Others What You Learned 

Action: Participate in knowledge-sharing sessions. 

There’s no better way to solidify your understanding than teaching others. Reach out to other auditors in your organization and discuss the applicability and interpretation of a clause. Participate in and contribute to discussions on LinkedIn forums. Search the web for interpretations of clauses and note how they differ from one person to another.

Bonus: You’re also building your credibility and visibility as an auditor. 

4. Stay Active in the QMII Alumni Network 

Action: Engage with blog articles, LinkedIn posts, ask questions, and share insights. 

QMII’s alumni network offers a treasure trove of experience. Staying engaged keeps you in the loop on best practices and might even lead to mentoring or shadowing opportunities. React to blogs written by QMII, contribute articles to the QMII blog, comment on QMII posts, and connect with QMII alumni.

Don’t hesitate to: 

  • Ask others how they’re maintaining their skills. 
  • Request mock audit partnerships. 
  • Share resources and templates you’ve created. 

5. Continue the Learning Loop 

Action: Sign up for webinars, read audit case studies, and revisit your course materials regularly. 

Audit skills are built not just on knowledge, but on judgment, observation, and communication. You can sharpen these even while waiting for your first official audit assignment. 

Suggested activities:

  • Attend QMII webinars or ISO updates. 
  • Subscribe to quality-focused newsletters. 
  • Read ISO audit case studies and identify what went wrong—and why. 

6. Request to Observe Internal Audits 

Action: If you’re part of an organization, ask to shadow an experienced auditor. 

Even if you’re not leading, observing an audit helps you internalize the structure, flow, and behavioral nuances of auditing. Jot down observations on auditor behavior, techniques, and interaction styles. Create your own checklist and then compare it to the one prepared by the lead auditor. Discuss the differences after the audit.

If your organization doesn’t have an active program, this is a great opportunity to propose starting one—a value-added initiative from a proactive auditor-in-training. 

Final Thoughts: Don’t Let the Gap Become a Gully 

Skills fade when left idle, but they flourish with even light engagement. Whether it’s through simulation, teaching, journaling, or community interaction, there are numerous ways to keep your audit knowledge sharp and ready. 

At QMII, we believe that continual improvement isn’t just for organizations; it’s a personal practice. Stay connected, stay curious, and keep that audit mindset active until your next assignment arrives.

Have your own tips for retaining training knowledge? 
Join the conversation by commenting on this blog or dropping us a line—we’d love to feature your story!