ISO Proof of Quality
Print Issue: March 2005
Quality service. Every company claims to provide it. How can a company make its claim meaningful to prospective clients? One way is to achieve certification by meeting requirements of the International Organization for Standardization (ISO). Although most of the companies that have done so are not in the security field, the process is equally applicable to security providers. The case of Industrial Security Services, Inc., (ISSI) a mid-sized guard-services company based in Ohio, illustrates how security could benefit from adopting an ISO approach.
About ISO. ISO has been developing voluntary technical standards over almost all sectors of business, industry, and technology since the mid-1940s. It has many different types of certification categories. The one applicable here that ISSI chose to apply for is the ISO 9000 category.
In ISO 9000, quality management is defined as the processes an organization puts in place to ensure that its products or services satisfy the customer’s quality requirements and comply with any regulations applicable to those products or services. The company being certified is responsible for setting its own objectives to measure the success of its quality management system. (ISO 9001:2000 is the latest version. The company was certifying to the 9000 standard, when 9001:2000 was released and it decided to certify to the new standard.)
To become ISO 9001:2000 certified, an organization must receive written certification by an independent, external body that has audited the organization’s management system and verified that it conforms to the requirements specified in the standard. The auditing body then records the certification, which is good for three years, in its client register.
Going for the goal. ISSI’s decision to go for the ISO 9001:2000 certification marked a milestone in senior management’s vision for bringing a once nontechnical company into the technical age. For ISSI, there was no contractual, regulatory, or even clear market requirement to become ISO certified. However, management strategy called for establishing a formalized, ongoing quality assurance program that would improve the company’s efficiency and enhance service to customers, which would help the company to grow and become more profitable.
ISSI began investigating certification by networking with several of its clients who had gone through the process to get a better understanding about the ISO system, the advantages to a company, and whether certification was worth undertaking. The company discovered that there were clear advantages to becoming certified and senior managers decided to take the next step. Managers then met with consultants from Cuyahoga Community College in Highland Heights, Ohio, and outlined a two-year plan for the company’s ISO certification process.
Challenges. ISSI’s road to certification held numerous obstacles, such as keeping everyone within the company focused on what they would need to accomplish throughout the two-year process. The development of measurable objectives alone stretched out over a year. Other key factors that had to be addressed included the development of a nonconformance report, a quality-management system, a customer satisfaction survey, and an officer retention program.
Nonconformance reports. A major component of an ISO management system is the nonconformance report (NCR). The most substantial operational effects from ISO certification have come from the NCR concept, having employees work off of the same processes and use the same forms.
The purpose of an NCR is to identify, document, and investigate the root causes of performance problems and to provide information that can help the company correct those problems by improving operations. Once the problem is corrected and documented on the NCR, the operations staff investigates whether there are proactive measures that can be instituted to prevent the situation from occurring again.
ISSI had already documented many of its policies and procedures. For example, the company had computerized its primary operational and administrative processes such as post orders and other work instructions—including formalized hiring policies and procedures—before pursuing ISO implementation.
Though the company already had policies and procedures in place, ISO certification requires that companies pull that information together in the several ways. First, the company must implement a standard process for handling NCR issues.
The NCR process requires, as noted earlier, not just that the company find a solution, but that it conduct an investigation into the root cause of the problem. The goal is to prevent the problem from recurring.
ISO requires that senior managers reexamine all NCRs twice annually in the management review process. For ISS, which has operations in six states, this enables management to spot trends that may have taken longer to recognize without the process.
“Service companies all run into occasional customer complaints,” says ISSI CEO John Andrews. “But the NCR system forces management to look at the issue and see if there are ways of keeping the problem from occurring again, or equally important, from occurring elsewhere.”
Quality management. ISO certification requires that the company develop a quality-management system to ensure that products and services conform to customer requirements. The system must be subject to continual performance improvement.
To meet this requirement, ISSI has six internal auditors, two of whom are Registration Accreditation Board (RAB) certified lead auditors. All six were company employees before the ISO process was undertaken. Besides their certification duties, one works in security, two are operations managers, and three are human resource managers.
Yearly audits of the company’s three corporate offices, as well as three to four client-site audits per region, are conducted. The auditors look at the whole process but their independent knowledge of the business is particularly helpful at the job-site audit. At the job site, they inspect documentation such as post orders and training reports. They also audit the branch office for documentation, adherence to hiring standards, and employee knowledge of the system.
All quality-related documents are stored on the company’s file server to which quality-management employees have access. Changes to the company’s ISO system go through a formal process and are made through the company’s CEO, who also serves as the company’s quality-management representative to the ISO.
Survey. One key measure of performance that has come out of the ISO process is customer satisfaction. The company is now mandated to send a customer satisfaction survey annually to all customer contacts within each client company.
The customer survey alerts ISSI to individual client service concerns and to customer complaint trends that can result in opportunities for improvement. For example, in the three years since implementing the survey, ISSI has been able to establish a service baseline for each client. The company reviews all survey responses to identify service discrepancy trends and proactively address specific concerns.
The survey asks each client contact to rate ISSI’s overall performance on a scale of one to ten. The company has seen overall customer satisfaction rise steadily each year. Scores are broken down by territory, allowing each branch manager to address issues and set individual performance goals.
The survey also asks respondents to list ISSI’s strengths and weaknesses and offer additional comments, providing a vehicle for thoughts, concerns, or needs that may otherwise have gone unmentioned. Any service-related issues identified in the survey are written up as NCRs and addressed with individual clients immediately.
When the company’s clients hire new decision-makers, the customer surveys help identify and meet needs specific to that person’s responsibilities. The strengths and weaknesses section helps ISSI spot trends. Some of these issues viewed individually might not seem significant, but taken together over time, these client comments reveal changing customer needs.
Officer retention. Turnover is always a major concern for security officer service providers. ISO-mandated measurements focus on officer retention trends and the need to plan for continuous, high-quality service.
When ISSI began studying data on this issue, it found that the company’s core of experienced, trained officers was growing but so was the overall turnover rate. These numbers seemed at odds with each other.
Looking further into the data, the company found that turnover for new officers was greater in the first 90 days of employment. The company used the ISO system to measure and improve that number.
First, the company established procedures to have human resources personnel check on new officers at the end of the first day, first week, and first month. The company then developed a questionnaire that was sent to all new officers to help measure how the officers felt about their employer.
The survey has allowed the company to address individual problems and spot trends in overall satisfaction, correlating that to retention rates. After years of speculating, the company now has hard data on which to base development of retention policies.
“If a new employee has a legitimate issue with us that we learn about in our employee questionnaire,” says Andrews, “we write up an NCR and deal with it as a team. Then, the problems don’t repeat themselves because there is a new level of accountability.”
For example, at one management review session, where new employee surveys were examined, senior managers noticed that several security officers had complained about company uniforms. Several new officers noted that the patch on the uniform was not staying in place.
Senior managers checked on the problem and found out that the uniform supplier had changed from double stitching the patch to a single stitch. With early warning, the company was able to have the new uniform patches restitched and alert the uniform supplier of the problem before it grew in scope.
The bottom line. ISSI began the process of becoming ISO certified in 1999. After a successful external ISO audit in December 2002, ISSI officially received its ISO 9001:2000 certification in February 2004.
ISSI has benefited in several ways from becoming ISO certified. It not only experienced an increase in operational efficiency, but it has also seen a measurable rise in customer satisfaction. In addition, ISSI has gained insight into security officer retention trends, and has identified ways to reduce its indirect costs.
Although the company has not changed its pricing structure as a result of its ISO certification, it has been able to better justify its existing pricing. And while many companies claim high quality service, ISSI has verified processes and procedures in place to support these claims.
One of the most important bottom-line effects has been the ability to cut indirect costs. Because some of the ISO-mandated measurements help the company track profit margins, the company now knows when costs veer from the norm with a particular client, allowing it to remedy the situation immediately.
These combined changes and benefits have afforded management the opportunity to transition itself smoothly from a small, single-site company into a multisite company with three corporate offices and more than 650 security officers. Continued growth is anticipated.
In an economy where all services deemed unnecessary are eliminated, it is essential to be able to demonstrate return on investment. There is perhaps no better way to demonstrate return in a service industry than through measurable quality of service. ISSI has found ISO certification to be a powerful tool in measuring and maintaining customer satisfaction.
Joseph Ricci is CEO of Ricci Communications LLC in Alexandria, Virginia. He is a member of ASIS and serves on the ASIS Private Security Services Council. ISSI is a client company.