ISO 9004:2018 – little known but highly useful

The standard ISO 9004:2018 Quality management – Quality of an organisation – Guidance to achieve sustained success provides guidance rather than requirements for achieving sustained success, so organisations cannot be certified as conforming with it. This, however, allows much more freedom in how we see its application.   

It provides a pathway with no binary pass or fail in the mind of the auditee, as encountered with the more popular standards – such as ISO 9001, ISO 45001, etc – which gain formal certificates of conformance from conformity assessment bodies.   

In fact, ISO 9004 is a welcome alternative, as a non-threatening assessment of which the auditee has ownership. It is not as easily ‘massaged’ as the more human-centred Total Quality Management (TQM), which the Europeans tried to tame and standardise – some would say unsuccessfully, as the European Centre for Total Quality Management closed in 2009 and the Obama administration erased all reference to TQM following the global recession of 2008–09.

Plan, Do, Check, Act

ISO 9004 uses the classic ISO four-stage cyclical process of Plan, Do, Check and Act (PDCA), the same as applied to all standards that can be certified against, such as quality, information security, occupational health and safety, and so on. This not only provides a sensible business process, but also initiates an organisation into the PDCA cycle, thereby reducing anxiety about possible ISO certifications later on. 

Superficially, ISO 9004 looks more like a business assessment or performance excellence model. Within each of the PDCA parts of the cycle there are specific question sets or assessments (Figure 1). There are 7 in Plan, 13 in Do, 7 in Check and 4 in Act, giving a total of 31 assessments to be carried out. 

​

Where ISO 9004 really differentiates itself from other ISO standards is that within each of the four PDCA parts of the cycle there are specific question sets or assessments. Each of the 31 elements – ie the sub-clauses, or self-assessment criteria –  is given a maturity grading of 1 to 5 – with 1 being the lowest score possible (base level) and 5 being the highest score (best practice).

There is no traditional binary audit scoring of ‘Conforms’ or ‘Does not conform’, which is often looked at as a pass or fail. This has been replaced with a more subtle, non-binary grading scale. Even more granularity is achieved because each of the maturity levels comes with its own bespoke criteria or question sets. Grouping the elements, or sub-clauses, into PDCA in this way enables a better overview of performance and also makes it more relatable to ISO standards that do have requirements that mirror the PDCA model. 

After the assessment – by the organisation itself, as a first-party internal audit, or by a trained assessor or auditor, as an external third-party audit – each of the 31 elements can be tabulated to show overall scorings.

“Where ISO 9004 really differentiates itself from other ISO standards is that within each of the four PDCA parts of the cycle there are specific question sets or assessments.”

Carew Hatherley, Managing Director of IT consulting company IQM Group

Evidence-based decisions 

In this case (Figure 2) we have used common colour coding for each of the four parts of the PDCA cycle. Not only does it graphically show the maturity scores, but it also allows for easier benchmarking against other organisations or against acceptance criteria, such as filtering of companies bidding for contracts. In this way, ISO 9004 can be seen as a much more nuanced way of selecting providers, rather than bluntly requiring, for example, the compulsory pre-qualification criteria of holding certificates of conformance with, for example, ISO 9001 or ISO/IEC 27001.  

It also allows for two further outputs. First, peak organisations – such as franchises, associations and membership or industry groups – can compare across their membership and see where best practice is evident and where assistance may be offered or required. Second, scores can be anonymised to allow individual organisations to see how they measure up against their peers. 

The 31 individual scores can be grouped back into PDCA baskets so that evidence-based decisions can be made about where resources could be focused to achieve the best return on investment, or to ensure they support the objectives of the organisation. 

​

Tracking results and trends

ISO 9004 is not beholden to an annual audit cycle, so it offers the freedom to be a one-off assessment or a regular one (monthly, quarterly, annual). Results and trends can be tracked, but at the auditees’ pace and in sync with their business rhythm and timelines – so it could be used as a diagnostic tool.

As this is not an ISO standard that can be certified against, it also allows the experience of the assessor or auditor to come to the fore. They can make recommendations in a consulting-type capacity without falling foul of International Accreditation Forum (IAF) regulations or requirements placed on conformity assessment bodies (CAB). What becomes obvious is that a great pathway to improving maturity scores is the implementation of ISO standards, where the terms and definitions are familiar because they were used in ISO 9004. 

There is a lovely irony here: one of the least binary ISO standards is probably one of the best suited to an increasingly digital world.