Can, or Must?

Why it’s important to understand the effect of standards’ changes on costs

by Robert Freeman, Jennifer Drown and Byron Black

The latest set of revisions to standards, including ISO 9001:2015, ISO 14001:2015 and AS9100D, addresses changes to organizations’ management systems.

Ensuring these changes are fully understood in an organization is important. Applying the adopted standards effectively, and understanding the potential effects of implementation on the cost of doing business, is paramount to establishing a position the organization can sustain. An organization that fails to fully evaluate the impacts of the approach it uses to transition its current management system to one or more of the updated standards can incur unsustainable costs.

When assessing the validity or necessity of a change, ask the individual or organization identifying the perceived need for change to explain the reasoning behind it. These requestors can be from within an organization or from interested parties outside of the organization. Interested parties can be customer representatives or other representatives—such as auditors, regulators, stockholders or advocacy groups—but are limited to those the organization recognizes as relevant. By understanding the purpose of the change and knowing what the requestor believes to be required or expected, an organization can better understand how it will be affected by the change.

Supporting a change, whether it is requested by those in the organization or by an interested party, is as important as ensuring the organization’s actions live up to the requirements and expectations to which it has committed. Sources of identified changes include verifying or validating a specific clause in a regulation or standard.

Additionally, the perceived need for a change can be identified from a point of reference where a clear description of why something is seen as a deficiency may need to be acted upon. This is especially important when assessing and implementing standards or directives. Without a verifiable and, when appropriate, validated source or point of reference, the significance of the change cannot be fully understood, and any action taken could have the potential to add unnecessary costs.

Untested statements or expectations intended to be acted on as requirements therefore could be harmful to the organization or those directly affected by it. Defining the words "standard" and "directive" clarifies this.

Understanding what’s required

In general, a standard is a set of requirements or guidelines defining something that can be conformed to. The use of the word "can" instead of "must" is significant because each organization will need to determine the applicability of these requirements, including any guidelines the organization chooses to apply, implement and maintain as requirements.

While the intent is for the entirety of a standard to be applied, the context or world in which the organization exists can affect the standard’s applicability. The key is to recognize that if a requirement of a standard can be applied, the expectation is it will be applied. Any requirements the organization believes are inapplicable should be justified as such so they can be reassessed in the future.

Directives, sometimes referred to as rules, are another type of requirement and can be derived from external sources such as regulatory bodies, customer requirements (or expectations) extending beyond the requirements of the product or service, industry or sector-specific group requirements, or requirements defined by the organization.

Directives are often driven by interested parties an organization has identified or accepted as relevant. Directives can be based on legislation, regulations, industry-specific requirements or customer-specific requirements related to the fulfillment of a process, product or service. They also can be policies the organization has chosen to impose on itself with the intent of being an industry leader, or in support of an ideology or set of principles important to the organization.

Understanding the requirements associated with a standard or directive is important because they establish a point of reference for decisions made by the organization in relation to its purpose. An organization’s purpose is its central position and tends to be about making money today and maintaining future financial stability.

While it can be something other than profit or retained assets, the purpose still will be about what the organization values. This means an organization’s decision to implement a requirement must be rooted in sound business practices or operating principles. A decision based on anything else is simply a cost that has no value to an organization or its relationship with interested parties.

After the applicable requirements of the standards and directives have been identified, an organization must understand the degree to which it will conform to those requirements and the actions required to implement them.

This decision is driven by the distinction between "can" and "must." As defined by ISO 9000:2015 subclause 3.6.11, conformity is "fulfillment of a requirement." [1] The level and degree of fulfillment is not absolute, but relative and relational to an organization’s requirement to fulfill its purpose. This means requirements to be fulfilled can be diverse and must be fully understood to allow for appropriate use and application.

Conforming to the requirements

At a minimum, conforming to or fulfilling a requirement starts with an organization identifying its approach to implementing the requirement. ISO 9001:2015, for example, establishes requirements, but not in a way considered to be prescriptive. This means the organization decides what constitutes conformity. As long as what an organization does is similar enough to the specific ISO 9001:2015 requirement it’s trying to fulfill, the expectation is that it’s acceptable.

While an organization can, for the most part, interpret the standard as it sees fit, the ability to convince others (customers, auditors and inspectors, for example) to accept its interpretation can be challenging. This is important because an organization’s approach to implementation should be a point of reference for or component of its costing model. If that is the case, any new or differing requirements imposed on an organization by customers, auditors or inspectors can affect costs.

After an organization identifies its approach, the next step is to act. An organization must prove it is accomplishing what it said it would and demonstrate that its approach to implementation truly conforms with the requirement.

This is sometimes referred to as compliance and is generally used to state conformity when the employed approach is exactly what is called for and expected. Fulfillment of regulatory or legal requirements or specific expectations from other interested parties is another form of conformity seen as compliance. This type of conformity tends to be absolute or prescriptive and is often stated as, "This is what you have to do," "This is how you will do it," and "This is the method you will use to complete the required information."

While these distinctions may seem arbitrary, they are important when determining how to meet an expectation. If conformity is something other than fulfillment of a clearly defined expectation, conformity is at the discretion of the organization.

The approach used by an organization to fulfill a requirement or expectation changes only if a compelling argument identifies the need to do so. In other words, the eye of the beholder is the one defining beauty—in this case conformity in the form of compliance—unless the organization can prove the point of reference lacks details regarding the applicable requirement.

If conformity means the approach employed—including the specifics of the evidence called for by those setting the expectation—must match the requirement exactly, this is commonly seen as compliance.

Understanding the interaction of and conformance to stated requirements and directives provides a point of reference for the organization to identify the processes and costs associated with implementing and maintaining the requirements and directives. Doing this provides a starting point from which change can be evaluated. When customers or others identify requirement changes, the impact on an organization can be discussed with a voice of reason.


1. International Organization for Standardization (ISO), ISO 9000:2015, Quality management systems—Fundamentals and vocabulary, subclause 3.6.11.

Robert Freeman is president of Practical Perspectives in Dallas, TX. He is a U.S. technical expert on the next revision of ISO 9004, a member of the U.S. Technical Advisory Group (TAG) to ISO Technical Committee (TC) 176 and a member of Project Committee (PC) 302—Auditing standard (ISO 19011). Freeman is a senior member of ASQ, a registered lead auditor for ISO 9001 and an ASQ-certified quality improvement associate.

Jennifer Drown is a partner with Practical Perspectives. She is an ASQ member and an alternate member of the U.S. TAG to ISO TC 176 and PC 302. Drown, a senior process and quality engineer, is an ASQ-certified Six Sigma Green Belt.

Byron Black is president of QualWerx, Inc. in Wylie, TX. He is an ASQ member and a management systems practitioner, assisting organizations with their implementation, registration and maintenance efforts. Black, an industrial engineer, is a registered ISO 9001 auditor.
