Louis Hannigan is president of Superior Quality Systems Corp., where he serves as a consultant and contract auditor for certification bodies, enabling organizations of all types to benefit from quality management system standards. He has 25 years of experience in construction, engineering, and manufacturing.
Hannigan is an Exemplar Global-certified lead auditor for ISO 9001, ISO 13485, and ISO 14001; an ASQ Certified Quality Engineer, Certified Quality Manager, and Six Sigma Green Belt; and the author of The Non-Idiot’s Guide to the ISO 9001:2015 Quality Management System Standard.
Prior to his auditing career, he served as a Master Mariner and Commander in the U.S. Navy Reserve for 25 years, holding senior management positions in petroleum transportation, military logistics, and ship finance.
In this conversation, we discuss why ISO 9001 is the best framework for organizational excellence, how a military background helps with auditing, and the importance of bringing top management into improvement by speaking the language of finance.
EXEMPLAR GLOBAL: Tell us a bit about your beginnings in this field. Did you find auditing or did auditing find you?
LOUIS HANNIGAN: My credentials include an MBA from the University of Chicago in addition to being a U.S. Coast Guard licensed Master Mariner and a Commander in the U.S. Navy Reserve, both of which I’m now retired from. During my first profession, for 20 years, I focused on maritime and finance, and I sort of fell into ISO 9001. A colleague in the Navy recommended that I should check it out, and when I did, I found it was quite compatible with all the experiences that I had in the maritime, finance, and military world. I started out working with Raytheon, getting my feet wet, learning how to audit and implement quality management systems. Then I started out on my own implementing quality management systems, consulting, and working for third-party registrars. That was around 1995. Since then, I’ve audited thousands of companies and I’ve implemented a good number of quality management systems for a variety of businesses and organizations. I think I’ve audited every type of organization, every type of service organization, government organization, and manufacturing organization. I’m not specialized in any particular industry, but I’m specialized in being able to go to an organization that might have a very exotic process and understand how to implement a viable quality management system.
EG: It sounds as if you bring a high degree of flexibility to the auditing process, with the idea that the auditee can implement the standard, in this case ISO 9001, in the way that best suits their specific context and processes, providing that they meet the requirements.
LH: Exactly. I wrote The Non-Idiots Guide to ISO 9001:2015 with that theme in mind, emphasizing that auditees aren’t idiots. They already have a good operating system and all they need to do is look at ISO 9001. I ensure that organizations, whatever status they are in, understand the purpose of the standard and are able to implement, maintain, and use it to help them improve. As an auditor, you cannot consult, but you can certainly present your questions, your approach, and the explanations of your observations that are nonconformances or potential nonconformances. The role of the auditor is to ensure that the auditee understands the basic nonconformance as well as the requirement. If they correct the issue in the proper manner, the organization will benefit.
EG: It’s understood that this is not a consultative process. In other words, the auditor isn’t going in there to say, ‘OK, here’s what you have to change to comply with the requirements of the standard.’ However, the role of the auditor is not just to call balls and strikes, but ultimately to play a role in driving improved output for the organization. The auditor can’t just say, ‘Well, your system is not in conformance’ and leave it at that. The auditee needs more to go off of if they are truly interested in improvement.
LH: What I’ve learned over the past 20 years is not to just go in there and consider the job successful once you’ve discovered a certain number of nonconformances. For example, a common finding I had was when the company misinterpreted a requirement and put in a quality procedure that they didn’t need—quite often at the suggestion of a previous auditor. They didn’t need the process and they didn’t follow it. I would say 75 percent of my early findings were based on that very scenario.
I then shifted gears and looked at the findings that maybe on the surface seemed minor, but when the organization took a closer look at the issue, they might come to realize that it’s just a small opening into a much more important issue. For example, once again, I’m not supposed to be a consultant, but I had a finding where one of the auditee’s documented procedures had a relatively minor error, but a bona fide noncomformance. When I presented the finding to them, I said, ‘This is just the tip of the iceberg. You have a very unwieldy document control system, and this is just an example of it.’ In considering that nonconformance, they can take it as an opportunity to look at—and improve—their entire documentation system.
EG: In the lexicon of the Toyota Production System, overprocessing is one of the seven wastes that quality people don’t always consider, but it’s exactly what you’re talking about when you refer to unnecessary quality procedures that aren’t always followed. Again, without being consultative, can you as an auditor try to help the auditees be more efficient by looking at their overprocessing and their wastes from the standpoint of compliance with a given standard?
LH: It’s funny you should mention the Toyota Production System because I’m quite familiar with those programs, particularly 5S. I find every one of them to be too focused, and some have deadly components. For example, Just In Time can be deadly for you if a natural catastrophe happens.
I found from day one that the structure of ISO 9001 had almost a perfect combination of very strict requirements, guidelines, and then suggestions. I’ve used it as a tool for implementing quality management systems, and certainly as a tool for auditing. If the auditees would just understand the principles and requirements for ISO 9001, they wouldn’t have to focus on a consulting program like 5S or Six Sigma. I don’t want to sound too critical of these programs, but in no way are they as comprehensive as standards like ISO 9001 and ISO 14001 that offer guiding principles compatible with most organizations; especially for the 2015 versions, I think these are among the best instruments that any organization can use, whether they’re getting certified or not, to develop their own management system.
EG: Just in Time is an excellent example of the lack of flexibility inherent in some of these programs, as your natural disaster example shows. Risk-based thinking is now explicit in ISO 9001:2015. From that perspective, a natural disaster like the Fukushima earthquake and tsunami might have been anticipated, but those reliant on Just in Time systems saw their supply chains get destroyed, and it took many months to fix them.
LH: The gun that they shot themselves in the foot with was called Just in Time.
EG: It’s a fair criticism. A lot of those suppliers and OEMs got away from first quality principles, and they paid for it.
LH: You know, quality wasn’t really an established, discrete discipline until maybe 20 or 30 years ago, and now they’re offering degrees in it. But we were quality before quality was cool. (laughs)
EG: Exactly! You have an interesting background through your experiences with the military and the merchant marine. Coming from the military imparts a certain discipline of mind that is helpful to auditors. What are some of the skills one gets from a military background or an engineering background? What are some of the various skill sets that people who are currently outside of auditing can bring into it as a career?
LH: As you mention, my own baseline of experience came through serving in the military, working in the oil industry, and participating in Operation Desert Storm back in 1991. For more than a decade, I lived and breathed all the requirement of ISO 9001, only on a more rigid level—the organization, the communication, etc. Every procedure meant something, every fact meant something, and every item of risk meant something. The risk items were particularly well evaluated and determined. All that is obvious for military activities, but it also applied to the oil industry, which is also a high-risk business. Risk determination was a key element.
Given that background, I can go into an organization and try to help them as an auditor (once again, without consulting). There is a defined, profitable method for determining legitimate and meaningful risk. Many companies struggle to identify risk, and they either totally ignore it, or they go crazy in trying to account for every type of risk imaginable, like the risk of going out of business or the risk of all the employees quitting at one time. I think there’s a real weakness, outside of medical device and pharmaceutical companies, in not understanding what risk really is. A company might have only just a very slight risk.
EG: True, but as slight as those risks may be, almost any customer-facing product has a failure mode that could potentially kill somebody.
LH: Yes, but if it’s captured already in a procedure, then it’s a risk that’s been addressed. What’s needed is a medium that entertains, firstly, all the risks that they are in the process of mitigating or have on a stand-by mode if the risk is realized. Secondly, they need a method or a process to determine risk to begin with. Of every company I went to over the last year or two, not one of them recognized that Covid-19 was a risk, even though the Federal Emergency Management Agency (FEMA) identified Covid as one of the top two of three risks both nationwide and locally. For example, in California, earthquakes were the number-one risk, and Covid was number three. In the Bible Belt, tornados are number one and Covid is number three. But Covid was mentioned quite definitively in all the FEMA advice. Yet not one company that I visited since the start of Covid even knew that they could look at the FEMA results and show all the risks that might affect their business.
When it comes to risk, maybe ISO 9001 and all the standards are focusing on it, but aside from high-level engineering firms or pharmaceutical companies, I don’t think organizations understand the concept of risk as it applies to their business, number one; and number two, they don’t have any method of determining risk, and they don’t have any method of evaluating how well they’ve done on examining risk. Not one company asked the question, ‘Why did Covid catch us by surprise?’
EG: Sometimes the benefits of proper risk management are hard to capture financially, and if they’re hard to capture financially, it can be difficult to get the attention of top management. Companies understand financial risk well enough when deciding when to recall a product, but that’s not far enough upstream. The goal should be to prevent these things from happening, not mitigating them after they happen.
LH: Having a degree in finance, I can appreciate the importance of finance and monetizing decision making, but then I also appreciate where you just can’t quantify something—or if you want to quantify it, the framework is flexible enough that you can put any number you want on it. Some of it just boils down to the wisdom and culture of the organization and what’s important to them. Coincidentally, I’ve seen two similar organizations that had the exact same product under the same situation. It had to do with forgeries by the same criminal gang. One company went out and recalled everything and publicized it; the other company, who had more lawyers, shielded it, protected it, and went in the complete opposite direction. So how do you make a financial analysis of that?
EG: That’s such an excellent point. Culture really determines so much about how organizations respond to these types of risks. Too many times we think about organizations and companies as things, but they are really a collection of people that do the work, that make the decisions that affect employees, customers, partners, and suppliers. Top management generally decides on the music, so to speak, and everybody else dances to it. In that way, there needs to be a sense of the type of organization that you want to have, and everything else flows from those decisions.
LH: I have to confess, the culture and attitude of top management at an organization is one area that is very difficult to audit, evaluate, and certainly quantify. You can’t see it, you can’t trace it, and you can’t document it, but their attitude and character flow through the whole company. I’ve always found it very strange how one key leader leaves and another one comes in and within 30 days, it’s a completely different company. Even though nothing has changed, everything has changed.
EG: Broadly speaking, how do you believe that a more generalized knowledge of quality can help change companies for the better?
LH: I’ve witnessed the very positive development where quality is no longer just relegated to the back room of the manufacturing floor. We’re getting closer and closer to the boardroom, and I think that’s where we need to go.
EG: Right. The CQO function is high up in many org charts now. It’s an important role.
LH: I’ve seen companies where the president and the quality manager are one in the same person.
EG: The traditional role of top management has tended to be a financial one, but increasingly quality is driven by financial metrics. At one point it was looked at as a cost center and expense, but the tables have turned now and the realization has come that not only can a real commitment to quality save a lot of money for the organization, it can also create outcomes that drive a lot of revenue, too.
LH: I worked with a CFO who, on his own, focused greatly on quality and the corrective action process. This was a division of a major corporation, and this CFO once told me that the hurdle rate for investors was 15 percent. In other words, the investors wouldn’t fund anything unless the plans in question would achieve a return of 15 percent or greater. This CFO would go around with a quality manager during audits and look at the existing nonconformances and the costs of the corresponding corrective actions, and he said the return on fixing the nonconformances was tremendous. Mind you, these nonconformances tend to be evergreen problems that just go on and on and on until somebody stops them.
Fortunately, I earned an MBA in finance, so I know how to calculate a return on investment. In this case, as I mentioned, the returns can be tremendous, especially if you cost out the management time and get them to realize that fixing problems and dealing with customer complaints is NOT your line of business. When you consider management time, shipping costs, and the general back and forth to deal with problems, the cost of poor quality is stunning. But in many companies, they are just looking at the cost of quality in terms of salaries for doing internal audits or the cost for a registrar to come in and do an audit. Those costs are peanuts as compared to the hundreds of thousands of dollars or more that can be saved. I’ve triggered many of those savings myself just by recognizing very simple, obvious, cheap-to-fix nonconformances. And if the finance people really understood that we would be flying.
EG: Part of the problem is that too many people, even managers at fairly high levels in the organization, will receive opportunities for broad improvement and say, ‘That’s not my job—I just want to improve what we’re doing in our department.’ That’s fine, but they may be missing out on 80 percent of the potential for improvement if they can just understand how much time is being wasted by these silos and the lack of handoffs and cross-functional support.
LH: I don’t think the accounting systems are fixed for that. Accounting systems, unless the organization is working on a particular government contract, don’t track people’s times that accurately. A person is given a job and told to work eight hours a day and get things done. Nobody quantifies the positive and the negative. Very few companies allocate management overhead to lines of businesses or maintenance activities. The accountants just don’t recognize the way to capture the benefits that good quality brings.
I’ve suggested to companies, for just for one day, make a check mark for every 10 minutes you spend on something that didn’t go right the first time. And they would come back the next day and that time would tally up to thousands of dollars wasted through poor quality for just a half-dozen managers. In one day, in one facility! As I say, it’s absolutely stunning.