Fairfax, VA – In June 2019, Highlight successfully renewed their ISO 9001:2015 certification for Quality Management. To receive the renewal, an external audit was conducted by ISO registrar SRI, an internationally accredited registrar for ISO standards.

The audit consisted of reviewing Highlight’s Quality Management Processes to verify services are delivered in accordance with company policies and procedures and meet ISO 9001:2015 standards. Achieving the ISO 9001:2015 renewal demonstrates that Highlight consistently defines, measures, and continuously improves the quality of services it provides government customers.

“ISO 9001:2015 is the foundation of our Hi-WAY ™ framework to deliver better services to the Federal government. This renewal demonstrates our continued commitment to quality and to our customers,” said Adam McNair, COO of Highlight Technologies. “The company has worked hard to implement the appropriate amount of process control that reduces risk and allows for flexibility and agility.”

About Highlight

For over ten years, Highlight has provided development and modernization, secure IT, and mission solutions for our U.S. federal government customers. Using our HI-WAY™ best practices framework, we design and deliver solutions that integrate current systems and procedures, address all stakeholders, and seamlessly advance the mission. Highlight is an award-winning woman-owned, ISO® 9001, ISO 20000, ISO 27001, ISO 44001 certified, CMMI-DEV Level 3 and CMMI-SVC Level 3 appraised small business that provides critical services to more than 20 U.S. federal government customers. For more information please visit www.highlighttech.com.

Episode #7 | ISO, CMMI, and Process Improvement 

Announcement: Broadcasting from Fairfax, VA you are now tuned in to the highlight cast with your hosts
Adam McNair and Kevin Long .

Adam McNair: Well, welcome back to the highlight cast. This is here from highlight and joined today by again.

Kevin Long: How’s it going?

Adam McNair: And also special guest this week is our manager for operational excellence and I’ll explain what that means is Devon Dufur.

Kevin Long: Right.

Devon Dufur: Here.

Adam McNair: So we are a little bit non traditional in that we don’t have just a quality manager. We have titled the role as the Operational Excellence manager because. Typically a quality office will go in and audit a program, but a lot of times they’re not there to really help the program advance the services that they’re delivering. So we’ve named it a little bit differently along the thought process. That when you call something a term that it it impacts the behavior. So we try to make sure that when we go in and we are working with the project, we’re actually helping the project deliver services better and not just trying to show them where they did something that was a gap. So we talk about a couple of things today. Catch up on some updates with the company, but also the the main topic today is going to be ISO 9000. We’ve talked a little bit about the Isos in the past as we’ve passed certification audits and so. But wanted to delve into that a little bit more today. So the first thing, if you go out and look on our social media out on our LinkedIn page for highlight, we recently did a video where we were interviewed by Fairfax City and we talked a little bit about. The experience of being a business here in Fairfax City and it really has been very positive from our perspective as we’ve moved into Fairfax City, the Economic Development Organization has. Monthly meetings for the different businesses in the city. They are a really good resource. What we’ve found is a lot of times when you reach out to any of the. Businesses in the. City for a place to have an event or for catering or something. There’s a they. They do what they can as far as discounts and really customer service. For city businesses, so that’s a growing. It’s a growing business community and the ability to have the cue bus drop people off at our office and that interns can come from George Mason for free and all of that’s been very good. So I was impressed with the job that Fairfax City did on that video.

Kevin Long: And they turned Adam into a YouTube star. It’s great.

Adam McNair: They did. I they didn’t. They didn’t do much for my, for my, for my looks. I wish they could have done something. I mean, I think they could have found somebody as a stand in or. You know.

Kevin Long: You accept voice acting and and lip syncing. That would be amazing.

Adam McNair: Yeah, you. Lower light or something would have been great but.

Devon Dufur: Ohh.

Adam McNair: You find out how big the beard looks when you’re on video, you’re just like, wow, that’s a massive beard. Yeah. So, so we did that. So that’s up on our LinkedIn site and.

Kevin Long: It looks amazing. It looks. It looks amazing.

Adam McNair: That’s part of our partnership with Fairfax City. And then the other. Thing we’re going to talk about today was ISO 9000, so we, as we’ve talked about a little bit, we have a custom framework that we’ve developed to deliver services to the. Government that we call highway, which we view as the way to deliver services for the government for a lot of reasons. And we’ll delve into more of that on a on a future episode, but. It is a collection of tailored best practices from ISO and CMMI, so we are ISO 9020 thousand, 27,000 certified where the first one in America to have be 44,000 certified, which is for stakeholder engagement and applying.

Devon Dufur: 44.

Adam McNair: Our processes into a customer environment. And then also CMI Level 3 for both services and development. So there’s a lot to unpack is a bunched unpack there, but 9000 specifically we have a. In addition to maintaining our own certification, we have over the past year or so been approached and engaged with companies that we work with or that we are the mentor of to help them get ISO certified.

Kevin Long: And previous lives, we’ve helped customers do it too, so.

Adam McNair: True. True back. Back in the day, we’ve. Done our.

Kevin Long: Yep, 20,000 in and. No. Was it? Did we do 9000 for anybody? I know we. Did 20K we.

Adam McNair: Did 20,000 at State Department, certainly.

Kevin Long: So it’s good for everybody you.

Devon Dufur: Know. Yeah and.

Adam McNair: It does help as well. You know, one of the the digitization projects that we did for the Small Business Administration, those processes leveraged a lot our ISO certified processes and you know things like that sound rather boring until you find out that somebody. Digitizes 1,000,000 documents the wrong way and then all of a sudden you really wish that you’d spent the time to do that the right way, which which gets us to. What is ISO exactly now? Devin is an expert in all things process and quality and so forth. And so the way that we really do ISO is usually Devin just tells us what we need to do and it it works pretty well from that perspective. But so did you want to talk about what ISO actually is?

Devon Dufur: Sure. ISO the term ISO just means it’s the international Organization for Standardization. It’s French and so that’s why the lettering is out of. Order.

Adam McNair: Ah.

Devon Dufur: OK, but there you go. What it is is it’s it’s a standard that specifies.

Adam McNair: You learn things every day.

Devon Dufur: The requirements for a quality management system, not quality assurance, but how to manage a quality management system and organizations use this standard to demonstrate to themselves or to a customer or whomever the ability to consistently provide. Products and services that meet our customers expectations and. Regulatory requirements. So that’s really what it does, but it also contains fundamental management and quality assurance practices that can be applied by any organization. So that’s in essence what Israel really does from the 9001 perspective. It’s the only one, the 9000. Areas that’s associated with quality management.

Kevin Long: So it shows that you have a system. It doesn’t. It doesn’t prescribe that you’re actually doing the insurance. That’s correct.

Adam McNair: And one of the things that I found. Almost every time we’ve gone in from consulting engagement to go talk to somebody about ISO, when we talk about a quality management system. We’re not talking about a computer system. There’s not some software tool installed someplace that is driving what you’re doing when you’re saying a quality management system. It is a collection of processes that you’re going to follow to achieve a certain thing. Now, another thing that I it has also been interesting to me. About ISO 9000 is. Because it is not prescriptive in the detailed work instruction of what you’re doing, it’s used in a really wide range of of industries. It’s used in the automotive industry. It’s used in manufacturing.

Kevin Long: M. A startup I worked with my first IT job was healthcare and there was a nurse. That nurse practitioner that they brought in as our ISO, a expert to come in to get us put in with that. So it was a nurse telling software people, you know, hey, here’s how you do have a quality management system to put across that start up there because we were doing, we were doing quality stuff for, for healthcare. So it’s all over that.

Devon Dufur: It it’s it’s a good standard to overlay on because on other ISO standards like we have in our company here. Automotive has their own set of ISO standards, as does the healthcare industry. From healthcare, like wheelchairs and and all kinds of things that for that our equipment. OK, so it is so. There’s. Probably hundreds of ISO standards for a variety of topics that this standard is sort of has that flow down field to it. If you establish a quality management system, it actually helps you manage. It helps us. Manage our other credentials that we have for IT, security for service delivery to our collaborative business relationship standards as well as CMI. And it’s all mapped together and that’s what’s kind of unique about what we do here, even though we call things the highway framework now, it is still in fact an integrated business management system because the place it just helps us with this standard to organize and manage these other credentials that we have.

Kevin Long: So 9 thousand 9001 is really the foundation on which you can build all of these other certifications and processes to make sure that you’re doing all of those other things the right way.

Devon Dufur: Yes you could. Yeah, but that doesn’t mean everybody does it that way. But they certainly could. And because it can get really complex, it’s it’s sort of the easiest standard to start with, at least from my experience, it’s got this standard 9000 ones got a lot of flexibility. And now we’re in the we’re we’re several versions down, OK, there were things that were required under 999000 one 2008 where the current version is 2015. They took away a lot of nonsense and they tried to make the. Because it started out as more automotive, if you’re manufacturing, I should say, but now it has sort of reached out and understands that there’s other industries out there and we can certainly say that the IT industry is no small insignificant industry in this country today, so. It’s it’s become very flexible, you know, to understand the needs, wants and desires of companies like ourselves, right?

Adam McNair: Yeah. And one of the things that took me a long time to figure out was that. The numbers after the ISO standard, the year that it was published, so the 2008, 2015, that’s how they indicate version control. So that you know what version of the standard you’re supposed to look at. So when people get ready to get started being certified. The knowledge gap of in what do I do now? There’s really not an easy playbook that I’ve seen. For where do I start? Because there is no. So. Because they are not prescriptive and because they are flexible, so that’s great. But that means that all they give you is the standard, the artifacts that you have to create and the quality manual that you have to write. You’re starting from a blank page unless you come to someone like us. Yeah, you. Find Devin and you say I know you’ve got a dozen different formats for this. Why don’t we start with one? Otherwise you’re really starting from a blank page now.

Kevin Long: Super intimidating.

Adam McNair: When you, then when. You look at the kind of the starting foundational things in the standard, you know, what are the major areas, big document, you open up the standard. It says a whole bunch of stuff. What’s the first thing that a person needs to go to? Look at well.

Devon Dufur: First thing needs to look at is getting. Someone that understands has the experience and understands what the standard is saying to them because a lot of it’s interpretive, much like CMS. This standard contains roughly 117 shout statements through sections 4 through 10. The example for 2008 version it only went through nine clause 9, so there’s these 117 shells within. Causes 4 through 4 through 10. OK, the 10th being the process improvement kinds of activities that you.

Adam McNair: Want to have and so those those shell statements are essentially. That means there’s 117 things that we have to be doing.

Devon Dufur: You. To do.

Kevin Long: Next.

Adam McNair: Not a one time thing. The majority of them. I mean a few of them are write a policy and one could theoretically write a policy and keep it unchanged for many years. That that would be OK, sure. But a lot of them are ongoing requirements where they are things that you need to be doing on A at least annual or. Sometimes more frequent basis.

Devon Dufur: Yes, there are, and a lot of times it will say in there you’ve got to do this. As needed. Well, philosophically the the formation of the Executive Steering Committee kind of provides the guidance for that as to. To what do we want to do long term? That’s maintainable because quite often what happens is a company will start down this path and then they’ll get carried away. It’s because they don’t understand. It’s like an accordion. OK. It it? Yeah, for example. And maybe you all don’t even know this.

Kevin Long: Policy for policy sake.

Devon Dufur: Because I really haven’t spoken to her technically, a quality manual is not required.

Adam McNair: Really.

Devon Dufur: No, but experiences show me over the last 30 years that if you don’t have a playbook. OK, the quality manual is just a very convenient place. Now many companies use called manuals in part because I forced them to. But it’s it’s it’s the playbook of what we’re going to do and how we’re going to. Meat. And address all of the shell statements and the clauses and subclauses within standard so it becomes a very it’s a playbook and that’s the best definition I can for it and what we try to do now is go in there and say let me do address this stuff logically like it’s outlined in the standard. There’s two good reasons for that, because you’re going to get audited against all those shell statements and you want to make sure that you have them all. OK, because you don’t want to show up on stage two, your registration audit and you forgot, you know, sub clauses, this, this and this and now you have major findings and you’re not going to get certified, OK, you’ve spent a lot of time and effort through all the people that are involved in it. So it’s it can be really thought of you’re it’s an investment. We’ve made it a point that we sort of organize everything and we’ve proven that time after time after time, so that. When we get to, whether it’s an ISO certification or we get to CMMI appraisal. I already know what the solution is because I don’t want to. Spend the money again so.

Kevin Long: You mentioned a phase two there, so I assume that this being a process oriented thing that there’s a process in terms of going through through this. If there’s a phase two, I assume there’s a phase one, maybe a phase three.

Devon Dufur: Mm-hmm. Well, it’s.

Kevin Long: So what? What is what is it that you have to go through if you’re gonna do this?

Devon Dufur: OK, let’s assume you’ve got there’s stages and not stages. Phases. OK, a little background on the staging was is prior to the 2015 time. Our version of this we would guys like myself would prepare all this stuff. Required documentation, there’s some required. Documentation. They had to have that we would send it to the auditors and they were supposed to review this. Whatever you know, and when they showed up to do the audit, they supposed to know all this stuff. About our company and.

Kevin Long: That’s it.

Devon Dufur: That stage one. That’s no, that was before stage one was enacted by.

Adam McNair: Used to be a used to be a single stage type of thing maybe.

Devon Dufur: Did they just show up and do it? OK, So what we found out or or I so realized finally was.

Adam McNair: Showed up and audited.

Devon Dufur: That when these auditors show up, they really don’t know anything about the company and chances are most of them never even looked at any of the documentation. That we sent. Down so the registration body advice so. So we’re going to we got to take care of this. So they they turned it into a two stage event stage. One is typically and the and the auditors are supposed to come on site, so that means they can’t just send it to me and I’ll take care of it. No, no, no, you have to. Go up. OK. And and it does really give them an opportunity to speak with executive management and others that are involved in the program and we get an idea of what this company is all about. We’re all different. OK. And the last thing we want is and it’s happened to me, we get an auditor that shows up that has no background in IT. They know everything about the automotive industry, but they’re going to, as they previous registrar we had here, wanted us to to inventory all of our pencils and paper clips and pads of paper and stuff and that’s. Crazy. OK. And that’s what they do in the.

Kevin Long: Ah.

Adam McNair: Automotive industry, right. And so as an example, when we went in for the stage one for current partner that we’re doing the ISO support for now, OK, your auditor is going to come in to stage 1 is really about meeting that auditor. Well, so we have to explain our business. You mean with specific customers we have and exactly you know we providing service desk are we providing infrastructure. Start from you do professional services. You don’t manufacture things like. Oh yeah, the the, the auditor that we have coming here last week was in Detroit in an automotive factory verifying blast furnace temperatures for making.

Kevin Long: Super.

Adam McNair: Car parts. Because if what you’re controlling is a process to verify what’s important and what’s being done correctly, the ISO 9000 standard just says document your process and what metrics are important, and we’re going to verify that you’re doing it. So whether for us, it’s when you are selecting a professional. Services employee to provide to a customer. Does their resume meet the requirements of the labor category so that the contract is in compliance? It can mean that or it can mean. If you’re going to make a Fender for a pickup truck, the steel needs to be at at least a certain number of degrees, and so the process by which you measure that you need to have one person measure it, and then you need to make sure that they have calibrated the instrument that they’re using. ISO 9000 can do either one or both. Not that we do both in our facility, but if if we did, it could do both.

Devon Dufur: And that’s an important thing to bring up also because. These call these things exclusions, so they’re now called exceptions, and there are things in the standard that an organization such as ours that provides professional service that we just cannot do. We don’t have calibration equipment, you know to to calibrate in a silo scope or something like that. We don’t do that kind of thing. There’s other things that we can’t do them. We just have to bring those out. Make sure that the registrar and the auditor understand that well, these are out of bounds because we really can’t do them. So we list those in our in all of our paperwork that when we get our registration is that these are the things we can do, but they also know there are some things we absolutely. Yeah, yeah, it’s just not possible.

Kevin Long: So.

Adam McNair: Yeah. So that fundamental that stage 1 process is a lot of getting the auditor to really understand. Right what it is that you do and what things they should be looking for, and because they’re they’re not prescriptive, they ice are not prescriptive and what you call certain things, a lot of it is mapping terminology of what you call a thing to what the ISA standard calls out. And so just as a. Behind the curtains technique of something that we do. Every document that Devin and I ever work on, we put the ISO reference in parentheses right after the the topic in the document, whether that be an agenda item on, on a meeting agenda, whether those being in notes, whether that be in a quality manual, or any other standard operating procedure because. Six months from now, you don’t end up remembering why you put that paragraph in and you think you know control of records doesn’t seem like a thing we need over here. And then you realize that that was an ISO requirement and you get ready to go get audited. And they say, hey, where do you talk about this? And you’re like, I, I guess when we ironed this document out and tried to make it a little bit. Sound a little bit better? We must have lost that. So it’s to maintain that kind of traceability. The other thing that happens in the stage. 1. Is agreeing on the scope of the appraisal, and did anyone talk about the kind of that scope process?

Devon Dufur: Yeah, the scoping is is you know when you’re getting a certification or something on something, you have to outline exactly what that is. So you’re marrying up whatever for, we use our back office operation is example of what the scope of our appraisal is or or our. Not our our registration, I should say. OK. So there’s certain things in there. The proposal process and we’ve got IT involved in contracts and HR and and recruiting all these things are tied together and they are specific to clauses in this standard. So we’re being when we get that certificate, it’s going to have that scope. But not to that level of detail, it’s going to say something like we do professional services or we were doing software development or we were building this and that and everything. So that when when somebody and that’s on our certificate, OK. OK, it’s there so that our customer or whomever is looking at it says OK, what you’re doing and what you’re certified to do or your certification covers, it applies to what we do, OK, our product in that system is a proposal.

Adam McNair: And the the importance of. Your scope is that. I’ve where I’ve seen a lot of people go down very difficult path is they start scoping around the entirety of their business without the awareness that there’s usually a lot of things that you cannot control. So in a consulting environment such as ours. So think about physical security. We can control the physical security here at our headquarters, but every one of our customers has their own security. Plan, strategy, operations, etcetera. That’s essentially none of our business. We have to comply with it. And so if we wrote the scope statement to say everything that we do, which would be very simple and you could, you could say it very easily, then when the auditor shows up, they end up so. All right. Well, show me the security logs for where your folks are going into the Pentagon every day. Well, we don’t have access to that. We’re going to need that because it says that you make everybody sign in. So we need to see that well. But the Pentagon’s not going to give that to us and go, oh, OK. Well, then we’ll just have to come back when you can get that or you’re going to have to modify your scope statement. And so that really planning out your scope. And then honing that in so that the auditor also understands what those constraints are at that stage, one is the biggest indicator of success on an ISO certification.

Devon Dufur: And the beauty of it is a good auditor is going to talk with the senior leadership of a company to make sure that you know, let’s tweak this, let’s. Let’s get this so it’s right and you’re comfortable with it. And I, as the auditor are in our comfortable. With it, we get all that stuff laid out once they check all the documentation that they want, make sure that we’ve dotted all our I’s, crossed all our T’s, if you will. Then we’ll then declare, you know, or we can ask. Or like, typically we’ll just come right out and ask, can we move on to stage two? OK. So stage 2 then. Is actually the audit that is for the registration or certification if you will. OK, this is where the auditor is going to come back and it’s usually could be anywhere from depending on how many things you do or do not have to fix after stage 1. Uh. It may be a month, it may be two months or whatever. Give us time to do it. There’s no harm, no foul at stage 1 because you’re you’re not trying to be certified stage 1, so they look to the rules, change a little bit. Now they talk to the specific people. If you were in charge of the proposal process, they’re going to talk to you about. Explain because you should have a set of work instructions right on how we do this proposal process. I’ll highlight not somebody else, but how we do it or recruiting or HR or contracts and finance and all they talk to those people specifically tell me what you do and it’s a conversation.

Kevin Long: So phase one. They. Stage one. Sorry, Stage 1 talks with the quality team about what they’re doing, whereas stage two talks and looks at the exact same things but actually talks to the people that are responsible for doing this right. But stage one is also its focus is on the quality manager at that point is really a coordinator.

Devon Dufur:  It’s with senior management. It’s the engagement with senior management, except for the documentation. The QA person can point them in the right, right. They usually will review the quality manual, OK. And that’s where that quality manual comes in, because it’s, it’s your playbook. It’s just and and it’s recognized as that.

Kevin Long: Sure. Sure.

Devon Dufur: Most companies have what they call a quality man or something like it. On our CMI side of the House, for example, we have this thing called the OSP. The organizational standard processes it’s all mapped together because what the quality manual doesn’t address. For CMMI, it’s addressed in the other, but they cross over and that’s where we get this integration. Stuff involved and it’s all mapped. So stage two as we sit down and we talk to the people that perform the processes, OK.

Adam McNair: So when you’re looking at. Walking into a stage two, you’re going to have to demonstrate that there are some specific things that you do as a company or as an organization. Now the ones off the top of my head that I mean that I just kind of if you were going to say what are the things that you have to do for ISO 9000, what it feels like to me that you have to do is that you #1 need to have some sort of quality policy and and executive or senior management organization that sets the quality policy? And talks about strategic quality issues on at least an annual basis, right? That’s the thing that it feels like we have to do. It feels like control of documents and records. Any document that is part of that quality system needs to have a little table in front of it that says what version you’re on and who changed it. So you have some traceability and then. There needs to be. Some internal audits related to. If we said we were going to do things, at least I don’t know. Once a year or something, somebody needs to come along and verify that we’re doing that. So that the combination of well we said we were going to do the internal audits and those processes we’ve documented, the auditor is going to come. In and look at. When you think about, here are some things that here are the major practice areas or process areas. However, you would call it a of 9000. What are the? What are the main behaviors that we have to exhibit compliant?

Devon Dufur: It’s that’s a really it’s a good question and it’s outlined very well within the the ISO standard. For example, we’ll start out with leadership. In the case of ISO 9000, senior management in their leadership role, you can’t back away from you. Stuck with that. OK, if you’re going down this path. So senior leadership just can’t separate themselves, where I’m not involved in this at all. We have this thing that we do and it kind of goes by a variety names of the. Executive Steering Committee, where the quality manager then reports to that committee of the State of our Quality Management System. And there’s the standard outlines exactly at a minimum, what has to be covered, and it’s a variety of thing, from internal audits to process improvement to objectives to all kinds of of items. OK, so that’s the inputs, the outputs are. The senior management can’t be like a bump on a log. They actually have to respond to that and say, well, that seems to be good. But could you look into this? Could you look into that? How about if we do do this, we want to improve things, OK, so everything is method. Michael. OK, it’s methodical. And then we have our internal auditing, which makes sure that if yes, it’s the documents have to be reviewed at least annually or more often as necessary. We’re making sure that that’s the follow.

Adam McNair: Through. So is it is it that traceability where you’re you’re saying we’re going to have some quality objectives? We’re going to move forward on some things and then we need to show meeting minutes or some kind of notes that demonstrates that we’re churning through them is that is that basically the important. Part.


Devon Dufur: Absolutely, because that for for whatever kind of meeting you’re having, you don’t have to have one for everything. But for the FCC, as the deputy, you do. Because the calling manual says that’s a document, it says we’re going to have quarterly ESC meetings and that there’s going to be meeting minutes. OK. OK. So the meeting minutes then become the record. Of fact that that ESC meeting did take place, OK and all of the ceiling points that were covered, but it also gives that that quality assurance person. And. Guidance where senior management wants to take the company by way of quality issues or programs or what we try to do better each time, right?

Adam McNair: So if we have that.

Kevin Long: Try to.

Adam McNair: Meeting. Then we follow up on it. And we internal audits and things.


Devon Dufur: Yep.

Adam McNair: Is that enough? Or are there other things we have to do to be ISO compliant?


Devon Dufur: Oh, there’s lots of things you have to do. OK, Section 8, for example. Section 8 is really covers all the production kind of stuff that we do, but for a company like ours, most people say well, I I don’t produce anything. Well, yes you do. Our back office operations. I I said earlier is we produce a proposal, don’t we? That’s our product, OK.

Adam McNair: It’s a solution for a customer.

Devon Dufur: It’s a solution and it’s based on the requirements. Well, there’s all kinds of things that the in, in, in the. And clause eight that deals with the product can talk production of a product or service. But in this case the service would come after if we won this proposal. OK, so it. Tracks all the ceiling and things that we have to do. We have team reviews. Those are records we have to be able to demonstrate that. OK then we have a let’s say we get. That’s just a proposal process itself from the time we start this thing at the BD part. All the way to the time that we have the last review we we’ve done this compliance matrix against that to make sure that we’re delivering a proposal that is actually compliant with the requirements of the RFP, OK, we deliver this thing, but there’s all these support people that have gotten bits and pieces of things that they do. We couldn’t do our jobs without it. We need to have computers. We need to have, you know, keeping those things running. We have people that do pricing and making sure that we’re we’re touching all those things that the RFP spells out. So there’s a variety of things. If you go down through there’s. There’s. Everything from. Identifying the scope to the normative references in this particular case, the normative reference is the ISO standard itself. OK, we’re talking about terms and definitions. The context of the organization you have to outline all these things. The major role, as I indicated earlier, is leadership leadership just can’t separate itself from it. It’s got to be involved. OK, then there’s the planning, there’s the support, all the support activities that happens, the operations which is that product development and delivery and then we have to evaluate what we’re doing. Our processes.

Adam McNair: And so I guess that that’s the metrics angle because I I guess you know one of the things also that I see when we go in and do some of these consulting engagements is.

Devon Dufur: Yes.

Adam McNair: You do have to be ISO compliant. You do have to track some metrics, but they basically say.

Devon Dufur: Yeah.

Adam McNair: Pick some metrics that are important to you and then demonstrate that you’re look at them. Yeah. And now, like Kevin, when you look at your across your programs, what kinds of things from a metric standpoint are you really usually monitoring?

Devon Dufur: Correct. Right.

Kevin Long: Customer satisfaction. That’s easy and you know. Profitability. That’s another one. MHM. Employee retention or attrition? Look at that.

Adam McNair: And on our thing that we’ve done from an ISO perspective is so certainly customer satisfaction is one of ours that we look at. And then because we’re trying to use ISO to better run our company, a lot of the metrics that we’ve identified from an ISO stand. Point are what I call capacity and velocity, meaning do I have enough people in each individual department to handle the things that have to happen? Do I have enough recruiters to handle the number of racks that we have open? Do I have enough contracts people to handle the number of contracts? Actually do have enough IT people to support the IT tickets that we’re getting and then velocity for. Anytime there are requests, what I’m looking for, this is in the IT organization. This is in contracts. This is on in onboarding and off boarding requirements, yeah. Can we keep pace with the requests as they come in? I’m not really concerned about how long it takes us to. On board a person because there’s some variables in there, right? I don’t want to get wrapped around the axle on a metric that says I can’t believe we didn’t get this done in four days and it’s like, well, because we were onboarding somebody and they were. On vacation and. They couldn’t send us their stuff and we had to wait. What I care about is. Are we building up a backlog that we cannot address or every time we open a job, BRAC, every time we onboard some, we get a ticket for an onboarding? Are we closing that? At some rate, so that we those lines are tracking together that’s.

Devon Dufur: That’s very true. And and the important thing really here is that the the quality manual that out our playbook, if you will outlines that’s normal operations and we’re always going to have peaks and valleys. That happen, we’re going to have surges. If we were fortunate enough to win a sizable contract that all of a sudden now we got on board 50 people. Say, yeah, that’s going to cause a a spike for HR, for recruiting for IT. If we have to provide that the computers all ordered and spun up and ready to go, but the the processes themselves from the quality manual back down to our product that brings us back to normal. It gives us a place to come back to. So that we’re not missing things, if you will. OK, we’re always going to have bumps in. The road so.

Adam McNair: So from a certification process then the actual official certification process then. So we’ve done a stage 1, they’ve come in and they’ve looked at some documents and we’ve talked about the scope and they’ve understood what it is that we do. Then the stage two, they come in, they’ve interviewed everybody at that point, assuming we are compliant. Great. Are we certified? No. OK. So what?

Devon Dufur: Are we gonna double talk? OK, what happens is the auditor can’t certify us.

Adam McNair: What do we have to do then?

Devon Dufur: It takes a registrar to do that, So what happens is the auditor has to write up a very formal report, very detailed report. But basically you can map to all those shelves and that this this assuming we meet all the shelves in the.

Adam McNair: Standards. So theoretically there’s there’s 117. Things they had to prove that we.

Devon Dufur: Yeah. Do we had to prove that we?

Adam McNair: Well, yeah, so we had to prove.

Devon Dufur: And they have to so they’ll they’ll finish this report up and then they send it to the registrar. So then when the registrar has a team that vets the.

Devon Dufur: That they’re really looking for, they’re not trying to second guess the auditor, they they hired that auditor for a reason, he or she. Is. Very well qualified to be doing what they’re doing, but they make sure that the auditor caught everything because we’re all human. We can miss something here and there. OK, so they sort of do cross checks to make sure. That when they say yes, we believe you are certified and we’re going to put a NAB or Rab or whoever the the official stamp on this thing. Then they send it to the ISO body. That causes another review to take place. So then they go. Yes, you may have fixed the ainab stamp or the Rab stamp or whatever stamp there is, which is a very important thing that you’re going to find on the upper right hand corner. You’re going to see the on the left side. You’re going to see the registrar stand, but. For those that are those standards that are recognized by the International organization. And we’ll also get that’s where the real weight of it is, OK? They send that back once they send that back, then we’re authorized to say we are certified. OK, you got to have that thing.

Kevin Long: So.

Devon Dufur: In your hand.

Adam McNair: So you get. An auditor who is a person that works for a registrar, which is an organization.

Devon Dufur: Yes.

Adam McNair: So the auditor writes the report and sends it to the registrar, the Registrar.

Devon Dufur: Crochet.

Adam McNair: They cross check and then they they they and then they. So is it the registrar that puts the there all these accrediting bodies, the anab or whoever. So they then have the anab stamp and can put on it to say.

Kevin Long: Just quality assurance, perhaps you do.

Adam McNair: That. It’s been certified.

Devon Dufur: Yeah, we see a a registrar can actually certify things. OK, but it doesn’t necessarily mean that anab. Recognizes it. We want something that’s enable Arab the the ISO body recognizes. OK, there are some standards out there that are not anab, for example recognized.

Adam McNair: So. So basically then the that ainab stamp or the the that certifying body.

Devon Dufur: Right.

Adam McNair: They’re really the registrar.

Devon Dufur: Of the registrar.

Adam McNair: Service fire. Yeah. So they’re the ones that say, OK, this registrar is a real registrar and when you are buying this. It’s kind of like the, you know, the the green energy, you know, Energy Star type, stamp on something that says, yeah, this isn’t just an energy efficient TV, it’s a we. We checked it out. There’s a standard we comply. OK. So the auditor sends it to the registrar, the registrar certifies it.

Kevin Long: 


Adam McNair: And then affixes because they themselves are under some sort of scrutiny, they affix the the stamp to it. Then it goes to ISO and then ISO.

Devon Dufur: Are. And they can’t fix the stamp until ISO says it. Yes. OK, so once ISO the ISO organization says yes.

Adam McNair: And then I said.

Devon Dufur: Everything looks really good. We have no objections. We’re going to. You’re authorized to fix the NM stamp and we stand by that. It becomes a matter of record, but we all have to remember very one very important thing is we’re only borrowing that certificate. OK. Because in our industry, if we were in automotive industry, we would be surveilled every six months or even more. But because of the type of work we do, we. Yet. We have a surveillance audit. They come back, the registrar has to come back at least every 12 months, which they do. They come back to make sure. We’re following all the things that we said we were following at the time that we were registered, OK. They come back and verify that, unlike unlike CMMI, OK, you get a three-year. Credential and whatnot. And. Which means you could literally and this happens. You could literally say, well, OK, I got this little thing I can declare now, but I’m not going to do all this stuff because it costs too much money or it’s too much effort or whatever it does. So you can’t do that because when that auditor.

Adam McNair: And that absolutely happens. In a lot of places, yeah.

Devon Dufur: Comes back and uncovers these defects. Things that we’ve decided to ignore. We’re not going to have ESC meetings. We’re not going to do internal auditing. They’re going to write us up for either minors or major Viola. Minor violations that going to give us maybe 30 days to fix it depending on the number of those minor nonconformities, but a major non conformity. The registration or ISO body can take your certificate away from.

Adam McNair: You it’s basically the same way when you read about the restaurant inspections that they have in the paper and they’ll say, you know, they came in and we realized that the ice water is not. Like cold enough. And they said you need to fix that.

Devon Dufur:That’s right.

Adam McNair: And then sometimes they come in and they’re like what we are officially closing the restaurant down. Exactly. Exactly so.

Kevin Long: How many ratings are allowed in this kitchen?

Devon Dufur: You’re done, yeah. The thing of it is when when auditors, just my experience is they come back and then when they. Find one thing. They dig deeper. OK, so if they find one, it’s human nature, maybe. Well, if there’s one. One, you know where there’s smoke, there must be fire. Let me dig deeper and deeper and deeper. So now it it just it just means we wasted a lot of our time, a lot of money. We didn’t get any value out of it because we didn’t follow through with what we said. We were going to. Do and that’s a waste.

Adam McNair: Yeah. And and Kevin, I guess one of. The questions I have for you is. You know, I always had the perception that you’re going to work in an ISO certified environment. There’s all kinds of extraneous paperwork and from the job that you have running, 1/2 of the operations of the service delivery of the company, do you feel like there are?

Kevin Long: Hmm.

Adam McNair: There are a lot of documentation requirements spun off by ISO that are just kind of make work.

Kevin Long: No, I’ve worked. I I’ve worked places that had documents for document sake. We we. Don’t. Which is. Really great. It’s I think we’ve done a really good job at putting in documents that capture things that are necessary, things that are important and things that we need to remember or track or or be able to communicate to other people. They give us value.

Devon Dufur: If there’s no value, then why do it? They bring value to what we’re doing and that’s ultimately delivering products and services that meet the expectation of that customer and the contract and. Regulations, statutory regulations, those things that we have to maintain, whether it’s HR stuff, statewide, federally, whatever it is, we it’s that’s checks and balances. So we get value out of our stuff and we’ve embraced the concept of that.

Kevin Long: Yeah.

Adam McNair: Yeah. And then there are just as a federal contract, there are so many random requirements that we have about the sign in logs and verifying this and protecting that kind of information. So there’s there’s a fair amount of of that that we’ve wrapped into ice. And I guess the last thing that I was just going to mention that is.

Devon Dufur: So as ISIL.

Kevin Long: Oh my goodness. Yeah.

Adam McNair: That I think is important in this process is the first one is something that Devin already said, which is if you’re going to go down this path, it really behooves a company to find someone, whether you hire them directly or you get them as a consultant. That has done this before just because as we’ve seen before, it can be. A time sink of years. I mean, what? One of the engagements that we’re in right now where this company is going to have their ISO certification, likely by the end of this month. They’d worked on it for a year or better, trying to get down a path, a path that it is possible to do, an infinite amount of work that is all compliant with the standard, but yet not yet be compliant with the standard enough to be ready to be audited and phrased.

Kevin Long: And not deliverable as a business. And yeah, the whole conversation around what you scope your certification around is so critical. And I was saying earlier the first the start up I worked at the ISO process. There was just awful.

Adam McNair: Right.

Kevin Long: Because. In in healthcare, at least, they were used to having to. You know, I mean, and thank goodness, you know, you, the doctors and nurses you want them to do all of these different things. I mean, we were literally a software startup. And and the the amount of burden that was placed on everybody and trying to figure it out and still not be compliant to be not 9000 certified was just. Just egregious. I mean we we worked nine months on it throughout everything that we were doing honestly hired a different person that that was that didn’t understand healthcare as much but understood software more to be able to then understand and put the scope appropriately around it. It was. Yeah, it’s it is. It could be really painful.

Devon Dufur: Yeah.

Kevin Long: If you didn’t do that, right? Yeah.

Adam McNair: So that’s that’s one area that I think it’s. It’s you need to get somebody that knows that has some experience and has done it before. I think the customers where we’ve gone in and engaged to get somebody ISO certified, we have likely saved them 5 or 10 times what they’ve ever paid us to support them in in avoided work on their side. The other thing is.

Kevin Long: Yeah.

Adam McNair: The Registrar and auditor that you select is really important and whether you reach out to a professional network and ask people who they’ve used that they like, whether you call us and talk to us about who we’ve used. It, and it’s not about ohh we know this auditor that fills out phony surges and they’re not going to really look at anything. It has nothing to do with that. What it has to do is finding an auditor that has the right experience to be able to understand your business sector, the auditor that we use. If we were in ******** chemical manufacturing, I’m not sure that she’s necessarily the right person.

Devon Dufur:Right.

Adam McNair: But she’s great for us, for professional services and similarly. The registrar that you select the price differences, it’s interesting the way they price these things is by how many people are going to be involved in the overall certification and and and appraisal process. So it it’s not a, it’s not these aren’t big price drivers. I mean getting an ISO 9000 certification that the the registrar is that’s the least of your cost.

Kevin Long: Really. Yes.

Adam McNair: I mean, it’s a couple $1000 every year. It really is not that big a deal, but. Finding one that’s responsive, it’s interesting. The number of times that we’ve tried to just get on somebody’s calendar and a lot of these organizations. Are. Networks of remote part time people that operate as these registrars, and you simply can’t get them to lock you in on a calendar and. When you’re going to have somebody show up to your company and they say we’re going to need essentially almost untethered access to interview and look at artifacts and talk to most of the people that are running your business for two days, having some certainty about when those two days are is a big deal and just vacations or customer requirements or anything. Some of these register.

Kevin Long: Theirs, they’re they’re at their convenience, not ours.

Adam McNair: It’s at their convenience and a lot of that also I think comes back to their background. If it’s manufacturing, every factory is always on. So if you’re going to go check what time the ketchup bottles are, you know being made, they do it 24 hours a day and that assembly line does the same thing all the time and you’re always going to have.

Speaker 3


Adam McNair: Every roll on site, so you’re going to have an on site quality guy. You’re going to have an on site production manager to have on site all of that all the time. We don’t run that way and because these standards kind of grew up in manufacturing. I think that’s still a gap. So those are a couple of things to consider. ISO 9000 can be as hard or as easy as you want it to be, and you know you can be looking at starting from nothing with the right consultant or support and being certified in four or five months. Or you can take two or three years and spend $1,000,000 and not be ready yet. Yeah, it really is. It’s a a wide gamut, but.

Devon Dufur:It’s a real disheartening for all of the staff that are involved in these things to spend a. A silly amount of time in in many cases and then get nothing out of it based on when you’re supposed to be getting these certifications and whatnot. So yeah, it’s really important that whoever’s running this operation for your your company has the wherewithal to be able to. Explain all this stuff to all the different facets of your your scope or your processes that you’re doing and then being able to make it fit into the standard because it’s why waste time. But as many companies just do that.

Adam McNair: Yeah. Yeah. And so that that in.

Devon Dufur:What?

Adam McNair: A nutshell is the ISO 9000 process and it’s the way that we do it. And so this was really meant informationally. I mean, I I would, you know. Probably be remiss if I didn’t say if anybody is interested in knowing more about it, you can always contact us and whether it’s as a professional services engagement or just for some advice, we’re always happy to do that, but but so that’s the that’s ISO 9000. So thank you to Kevin and thank you to Devin and thank you to Matt Dotson for for running the recording and we. Will talk to you next time.

The views and opinions expressed in this episode are those of the host and do not necessarily reflect highlight technologies and Oregon any agency of the US government.