Will ISO 9000 improve my records management program?

If I had been asked a year ago "What do you think about ISO 9000?" I would have been very perplexed. The name ISO 9000 would have seemed to imply something exotic or romantic, something in the same category as a new automobile model or a robotic barber in a science-fiction thriller or one of many siblings in a family of alien ISOs. Then, from reading the October 1993 RMQ article by Carl Weise and Peter G. Stamoolis entitled "ISO 9000: An Opportunity for Records Management Professionals," I learned that it is really the set of international standards for quality assurance systems.

From Weise and Stamoolis' article--supplemented by two books: Jack Kanholm, ISO 9000 Explained and James L. Lamprecht, ISO 9000: Preparing for Registration--I went on to learn something of ISO 9000's history. It began at the end of World War II as an effort by many governments and organizations to promote international trade. Although fifty-five countries, including the U.S., have adopted some version of the standard, it has been championed especially by the European Economic Community (EEC) in order to facilitate Common Market unity. Particularly important for European trade is a registration program that has been established to achieve common quality standards so that consumers in one country know what to expect from products imported from another country. Registration is accomplished through an audit by an independent registrar who audits a company's quality system against the ISO 9000. This process will become increasingly important to U.S. companies because the U.S. currently exports over one hundred billion dollars worth of products to the EEC. By the year 2000, 30% of these exports must meet ISO 9000 directives.

From my perspective, all of this information on ISO 9000 would have fallen into the category of "casually interesting bedtime reading," had not Weise, Stamoolis, and Kanholm so convincingly argued the opportunity ISO 9000 affords for records managers to advance in their discipline. As Weise pointed out, the clearest message of ISO 9000 is the necessity for "Good Records Management" in documenting an organization's quality system. To us records managers who often seem to measure our lives in boxes of yellowing, vermin-infested paper, this is exciting news. Having a penchant towards daydreaming, my mind began linking records management, ISO 9000, and Europe into a blue-sky fantasy: Which European government, I wondered, will be first to request my presence as a records management consultant for ISO 9000 compliance?

INITIAL DISAPPOINTMENT FOR AN IMPATIENT RECORDS MANAGER

With such daydreams in the back of my mind, I became intrigued: What type of records management system does ISO 9000 require or recommend? I became so interested in it that I volunteered in ARMA International's Education Committee to work on ISO 9000 as a potential Education Module. I began to read the ISO 9000 standards--very slowly. No matter how excited, a reader does not rush through ISO 9000. The language and concepts are so compressed that you begin to think that it must be a secret code which everyone adopted rather than admit they couldn't understand. Then, as your brain labors to decipher the concepts, another feeling sets in: Boredom. Consider the following study in dry prose from ISO 9004.6.3.3:

External assurance quality costs are those costs relating to the demonstration and proof required as objective evidence by customers, including particular and additional quality assurance provisions, procedures, data, demonstration tests and assessments...

To exacerbate the situation, boredom is compounded by tedium, as you begin to realize that the same information is repeated from one part of ISO 9000 to the next. Thus, ISO 9001 is, in many respects, duplicated by ISO 9004; ISO 9002 is really an abbreviated version of ISO 9001; and ISO 9003 is an even more abbreviated version of ISO 9002. Yet each is slanted just enough differently that you cannot get away with just reading the larger ISO 9004.

Moreover, because it is an international standard, ISO 9000 must be very generic, avoiding technological and procedural specificity. Consequently, ISO 9000 does not include specific standards for products. and services, nor even describe a model or standard quality assurance program. It merely stipulates which of these elements are required in different contractual situations, as well as how rigorous and extensive the various elements need to be in these situations. In other words, as explained in ISO 9000.1, the ISO 9000 series tells you which kinds of standards you need, but you must provide the actual standards yourself. With regard to records management, it states that such a program is necessary, but does not describe any particular model for it.

From my perspective, an even more immediately disappointing aspect of the ISO 9000 series was its orientation towards contractual obligations for quality, rather than opportunities to improve quality. Clearly the primary purpose of the ISO 9000 series is to fulfill two contractual needs: (1) the need of the suppliers to reduce liability for product deficiency and (2) the need of the customer to ensure quality assurance contractually (9004.0.4). Thus, "ISO 9000" (which is the introduction to the series and which bears the same title as the whole set) explains to which contractual situation each standard applies. ISO 9001 outlines the quality assurance contractual requirements for organizations involved in design, development, production, installation, and servicing. ISO 9002 provides the requirements for organizations involved only in production and installation. Most limited of all, ISO 9003 provides the requirements for organizations that need a quality assurance program only in final inspection and testing. Thus, most of the ISO 9000 set is geared towards defining how to satisfy quality contractual obligations or how to become registered, rather than how to achieve quality management for its own sake.

RECORDS MANAGEMENT TAKES A SECOND LOOK

However, when I began reading ISO 9004, my evaluation of the series started to change. For here was a section that seemed dedicated to quality assurance for its own sake, as opposed to just a way to increase market share while limiting liability. I discovered that, despite the highly compressed, contractual slant of ISO 9000, the series does contain some exciting concepts for the idealistic records manager eager to support total quality management (TQM). Obviously, this distinction between the contractual and the idealistic can be overemphasized: Without the commercial success provided by contractual arrangements, the idealist will endure a very hungry existence. Nevertheless, for TQM-oriented records managers more interested in "what it takes to have an ISO 9000 records management system," than in "what an organization has to do to become registered," the orientation of ISO 9004 is much more appealing. Indeed, ISO 9004 displays its close relationship with TQM in several major respects. It defines quality in terms of "meeting the customers' requirements" (9004.0.1-3; 9004.5.1; 9004.8.5.2). It emphasizes the need for "continuous improvement" (9004.7.3; 9004.9.1). Finally, it calls for the commitment to quality by all levels of the organization--in particular, top management (9004.4).

TRADITIONAL RECORDS MANAGEMENT IMPLICATIONS

Once introduced to the TQM aspects of ISO 9004, we are inspired to reread the whole series for some indication of the specific implications of ISO 9000 for records management. AB Weise and Stamoolis pointed out, initially the most important and exciting aspect of the ISO 9000 standards for records managers is the emphasis upon "documentation" Over and over again, we learn that the quality system must be systematically, carefully documented, including the identification, distribution, collection, and maintenance of quality documents and records (9001.4.16). No particular documentation, or actions need to be delineated. However, it is apparent that the supplier must clearly identify the procedures, policies, and documentation that will be used to ensure the quality of his product.

Careful rereading of the standards verifies Weise and Stamoolis' contention that much of what ISO 9000 demands is simply good, traditional records management. For instance, in its usual abbreviated manner, the standard discusses the requirement that organizations must have a system for identifying and disposing of documentation and records that are no longer useful (9004.17.2). It is difficult to imagine anything more traditional than the records retention and disposition program that is suggested here. Only the inventorying, scheduling, and periodic purging of "quality system" records is specifically required; however, the fact that quality records series are intermeshed with other series means that the rule needs to be applied to all of an organization's records.

The traditional records management implications of ISO 9000 for records management--tersely stated though they may be--go far beyond the traditional records retention scheduling and disposition. ISO 9004.17 and 9001.4.16 describe several records management requirements for all quality records pertaining to quality:

* They must be legible.

* They must be identifiable and dated.

* They must be easily retrievable.

* They must be orderly arranged and indexed.

* They must be stored appropriately and securely.

* The records management policies and procedures for producing these results must be documented and compiled.

These rules seem obvious and simple; however, just like so many of the rules in ISO 9000, they are the compressed cryptograms for an extensive traditional records management program. Legibility, for example, is not just a matter of "printing neatly in large letters." It entails a complex records management science involving careful analysis of the media chosen, evaluation of the reading equipment available, determining processing procedures, and ensuring an appropriate storage environment. Thus, microfilm must be quality controlled for resolution, density, and residual processing chemicals; the reduction and magnification ratios must match. Data tapes or disks which can no longer be read by existing equipment are equally illegible and must be transferred. The list is nearly endless. Similarly, the classification systems involved in "orderly arranged and indexed" are complex enough to justify a college major. The third requirement, retrievability, is no surprise to records managers who know that records which are not easily retrieved do no good to either a company or its customers. According to Jack Kanholm (ISO 9000 Explained, p.57), the lack of retrievability is the biggest cause for organizations to fail in receiving ISO 9000 registration.

NEW CONSIDERATIONS FOR RECORDS MANAGEMENT PRACTICE

I. A NEW KIND OF APPRAISAL

Although ISO 9000 does not detail any of these traditional records management programs, the very fact that it requires them as strongly as it does is significant. For me, even more exciting than ISO 9000's insistence upon documentation per se and traditional records management objectives is the revision--almost reengineering--of certain records management methods.

The first of these is linked to the principle that organizations must say what they do and do what they say. This principle is nothing new for records managers. How long have they tried to convince their organizations that not destroying records as scheduled on the retention schedule could cause a great deal of trouble even if no wrongful motives were involved! However, this principle is put forward by ISO 9000 in a unique manner to explain how the quality system must be both defined (or "documented") and implemented as defined.

In conjunction with this idea, it distinguishes two types of documents: documentation, as "program description or blueprint" and records. These two types of documents represent the twin, mutually supporting pillars of the ISO 9000 quality assurance program:

* Documentation provides the "Say what you do."

* Records provide the "Do what you say."

To be sure, the series (especially in the initial standard) does not always clearly distinguish between "documentation" and "records" (ISO 9000.8.3). However, the distinction is so basic in ISO 9004.17 and elsewhere that separation of "documentation" and "records" along these lines seems central to the standard.

Documentation includes those writings which explain the organization's quality system. Examples of quality management documentation that specifically pertain to the quality system include:

* Quality system policy statement;

* Organization charts defining responsibility;

* Appointment of Quality Representative;

* Procedure defining management reviews;

* Master list of all documents;

* Internal audit plan;

* Procedure for statistical techniques.

The second group, records, are not particularly "quality system documents" but nevertheless demonstrate the existence--or lack--of an effective quality system. This group includes the written materials which have operational purposes, while also evidencing the performance of the organization's quality system. Examples of such records are inspection reports, test data, audit reports, calibration data, and cost reports (9004.5.3.4 and 9004.17.2-3). ISO 9004 leaves no doubt that the documentation of the quality system is what the organization says about its quality system and the records are evidence that it did what it said. These records are the meters of system performance. In Jack Kanholm's words, "The records generated by [the organization's] actual processes are necessary to demonstrate the performance of the quality system."(11) (Kanholm, 9001.4.16.)

Although quality auditors and registrars may pay more attention to the documentation of the system, such as the Quality Manual, ISO 9000 emphasizes that this documentation must reflect actual practice--as demonstrated by records. (Lamprecht, 61-63,97.) According to Sharon Hyder, a records management consultant in the area of ISO 9000, applying the "do what you say and say what you do" principle is the place where records management consultants are most likely to become involved. For they have extensive experience in auditing to see if a company practices what its retention schedule states. With regard to quality assurance, the critical records management question is how to identify which records demonstrate the "performance of the quality system." The traditional records management inventory offers the solution, but it requires modification. In particular, we need to appraise the records for their value in evidencing the organization's quality system.

"Evidentiary value" is a concept that records managers have inherited from their archives background. It is derived from the realization that the same records often serve different purposes. The primary purposes (or values) of a record are those uses for which it was created. But as a secondary function, records often tell us (or "evidence") something about the organization that created them. The archival evidentiary value of a record is its ability to evidence the organization's history and its success in achieving its mission. The "quality-system evidentiary value" is similar to "archival evidentiary value," but it is not quite the same. A record's quality-system evidentiary value is its usefulness in demonstrating the efficacy of the organization's system for ensuring quality service and products.

As mentioned above, ISO 9000 contains lists that provide examples of the records that would have this kind of value, including records of design, inspection, testing, and auditing. It also provides a discussion of all of the processes that need to be so documented. These processes are described in ISO 9004's "Quality Loop," and include Design, Procurement, Production, Distribution, Installation, and Marketing. The importance of records keeping in each of these areas is also emphasized in Weise and Stamoolis. However, neither ISO 9004 nor any of the other ISO 9000 standards identify precisely which documents should be selected from each process to demonstrate the quality system. As with everything else, ISO 9000 only states the need for a certain quality-assurance component; it does not limit our individuality by describing that component in detail. Each organization is responsible to do this for itself. Without hesitation, records managers will recognize that the appropriate tool to accomplish this task is the records management inventory. Records managers have always coordinated with the legal department in appraising "legal value," with Finance, in appraising "fiscal value," and with the concerned department in appraising "administrative value." Now they must coordinate with the quality assurance department in appraising "quality-system evidentiary value."

II. CONTROL OF QUALITY SYSTEM DOCUMENTATION: CONFIGURATION MANAGEMENT

As explained above, ISO 9000 is concerned not only with the records that demonstrate the quality system's performance, but also with the documentation that explains what that performance is supposed to be. Documentation, of course, can have many meanings. To some, who are carried away with modern office technology, documenting something is merely a matter of copying everything having to do with a certain subject, combining it within an impressive cover, and "Voila!" If the materials in the package are in an electronic format, the task is even easier: A few merge commands, and you have a product with a professional appearance of which anyone would be proud.

Is this what ISO 9000 is suggesting? Hardly. ISO 9000 calls the primary documentation of the organization's quality system its "Quality Manual." This manual has two purposes: To describe the quality system for auditors and customers and to serve as a working reference for staff. ISO 9000 requires that a procedure be developed which will clearly indicate how the Quality Manual, as well as secondary quality system documentation, are handled. In particular, this procedure must include provision for adequate

* Identification of the documents; * Distribution of the documents; * Collection of the documents; * Maintenance of the documents.

The emphasis of this requirement (ISO 9004.5) is that the procedure is to be systematic, not just the haphazard assemblage of a photocopy machine or word processing program.

Just as ISO 9000 requires a new twist on traditional records management appraisal to manage quality-system records, it requires a new variety of traditional configuration management systematically to control the quality system's documentation. Of all the records management tools ISO 9000 references, configuration management receives the most extensive discussion. Indeed, both ISO 9001 and 9004 spend a relatively large amount of time in demanding the elements of configuration management in controlling design and production documentation. The need to define the baseline; support design reviews; control change documentation in both design and production stages, and preserve an audit trail of every step is emphasized in extensive detail--at least "extensive" relative to the usual abbreviated, condensed fashion of ISO 9000 (9004.8.6-8; 9001.4.5, and 9004.17).

However, the intriguing aspect of ISO 9000's treatment of configuration management is not that this discipline is a required element of design and production (although this in itself is significant), but rather that ISO 9000 openly applies the principles of configuration management to the documentation of the quality system. In extending the application of configuration management beyond the sphere of engineering, design, and construction, ISO 9000 treads new ground--and does so convincingly.

At this point, let us review the basics of configuration management as it exists in the engineering environment. Central to the application of configuration management techniques for document control is the establishment and maintenance of a "baseline." "Baseline" is really just a jazzy way of identifying the active version of those critical documents which you have decided to control. Note that configuration management does not attempt to control everything, for it would be prohibitively expensive to attempt to control rigorously all of the myriad of records that are generated. Controlling the baseline provides four critical advantages:

* It enables all concerned to identify the current status of a system or project and eliminates any question as to which is the current version.

* It enables all concerned to have current documents available at all times so that no one is working with out-of-date information.

* It ensures that no changes are made to the project baseline without proper review and approval, so that the project's intended purpose, schedule, and cost are preserved.

* It provides an audit trail for everything that happens in the project's history.

To achieve these four benefits, configuration management employs four interrelated processes:

* A formal procedure for controlling any changes to the baseline;

* A set of procedures for controlling distribution of baseline documents after each change to them;

* A set of procedures for identifying revisions to, and different versions of, baseline documents; and

* Maintenance of a comprehensive history file.

ISO 9000 is able to adapt these techniques almost without modification for the control of quality system documents. This is discussed in ISO 9004.5.3 and 17.2, as well as in ISO 9001.4.5. The first three configuration management rules specifically required by ISO 9000 are:

* Only the party that issues a document is authorized to change it (9001.4.5.2).

* Changes to documents must be distributed with a clear manifest, and obsolete sheets must be removed (9001.4.5.1).

* A master log must be maintained which lists all documents and revisions to them (9001.4.5.2).

Although the last of the four rules, maintenance of a history file to provide an audit trail, is not explicitly required, it is implicit throughout the standard's requirement of being able to produce a full documentary history of any product. (9001.4.6-12)

ISO 9000 never explicitly limits the application of these rules to the documentation of the quality system. ISO 9004.5.1 is especially vague in this regard. However, our assumption is that the distinction we have made earlier between documentation, which defines the quality system, and records, which evidence its performance, also acts to limit the application of configuration management controls to a body of material that is manageable in size, i.e., to quality system documentation. Following this line of reasoning, formal document control would be applied only to the organization's quality manual and the relatively few secondary documents authorizing and laying out the quality system's parameters. (9004.17.2) This assumption would also be in line with the admonition in 9004.5.3.1 to "limit documentation to the extent pertinent to the application."

III. ARE QUALITY SYSTEM RECORDS VITAL RECORDS?

Another area of records management that could conceivably be modified by ISO 9000 is the concept of Vital Records. Traditionally, records managers have limited the designation "vital" to those records "immediately necessary for the resumption of business in the wake of a disaster." As a result, only slightly more than 5% of an organization's records are normally identified as "vital," and this 5% would not usually include quality assurance documentation.

Two elements in ISO 9000 would seem to run counter to this definition. First, ISO 9004.17.3 requires that quality documentation and records be "protected from damage, loss, and deterioration due to environmental conditions." While it can be argued that this requirement does not necessarily betoken the "special protection" given to vital records, the second consideration, ISO 9000's contractual implications, might indeed indicate that precaution. For, as we discussed at the beginning, ISO 9001 through 9003 explicitly make an organization registered under ISO 9000 standards contractually obligated to adhere (and demonstrate adherence) to its documented quality system. Thus, for a registered organization, the quality system documentation is as vital as any of its contracts. When we consider the litigation-prone consumerism that is becoming so predominant, organizations with wide exposure to these perils would seem wise at least seriously to consider classifying their quality system documentation as vital.

IV. DOES COMPLIANCE WITH ISO 9000 REQUIRE AN IMAGING SYSTEM?

All of us have seen the electronic-imaging-system advertisements which suggest that purchasing an imaging system is the way to become compliant with ISO 9000. We might well ask what ISO 9000 really has to say about imaging systems. The answer is, as far as I have been able to determine, nothing. Actually, mention of terms like "file equipment" would indicate that a paper-based system was what the authors envisaged. They do not even reference microfilm, much less electronic documents.

There can, of course, be no doubt that an electronic image management system (EIMS) would help organizations achieve the requirements for legibility, identification, and especially retrievability. Whether the support provided by electronic imaging in these areas justifies the expense of an EIMS would depend upon the particular situation of the company. However, there are two advantages of many electronic document control systems that seem to be almost tailored to meet the requirements of ISO 9000.

First, ISO 9000 requires that quality system documentation and records be both locally accessible for departmental use and centrally retrievable. (ISO 9001.4.5.1; ISO 9001.4.16; Kanhold 9001.4.16.) Certainly, even with an effective configuration management program, an electronic document control system can perform this function far better than attempting to distribute paper copies or maintaining decentralized paper files with a centralized index. Such duplicate files and indices are notoriously error-prone, and there are many times that auditors or other departments need immediate access to the actual document, not just an index reference to it or a copy that may be out-of-date.

However, here again it is important to differentiate quality system records from quality system documentation. With regard to the latter, an electronic imaging system is not as effective in providing multiple access to the same controlled documentation, as is the maintenance of a networked text (or character-based) data base. To be sure, text data bases contain only the documents' information content, as opposed to the pictorial elements (such as signatures) found in image data bases. But why would such pictorial elements be needed if the documentation were controlled by configuration management? When we are checking how the quality system is supposed to function, we need only the information content of the system's documentation, not a pictorial image of its performance. The hypertext (hierarchically indexed) variety of text data base, which is easier to manage, faster to search, and requires less space to store is almost the perfect solution for quality system documentation.

Of course, ISO 9000 also requires that the records evidencing the quality system's performance be accessible to auditors as "quality system records" (9001.4.5.1; 9001.4.16). It is important that not only the department responsible knows the whereabouts of product records; the auditor needs to be able to review the complete record of any product or service. This requirement is best satisfied by an electronic imaging system which pictorially stores records bearing signatures in a central electronic image file but makes them instantly available to all departments. The electronic imaging system reaps the advantages of decentralization by assigning the indexing and retrieval to the departments that know the most about the documents; however, for quality assurance and organization-wide administrative needs, centralized retrieval is always available.

As we have discussed, such records often have multiple functions. Consequently, the Quality Assurance Department will have--at best--only a secondary or tertiary claim to control a record. Once again, electronic imaging provides the optimal solution. For many EIMS enable us to place the same record in multiple "logical folders." Classification as "quality system Record" can be one of those folders. With this approach, the Quality Assurance Department will be able to view the latest version of any quality system record at the same time it is being accessed for other purposes elsewhere.

To summarize, ISO 9000 does not mandate electronic document management as it did configuration management. However, there can be little doubt that a company considering the application of hypertext documentation and/or electronic imaging can quite legitimately list compliance with the international quality assurance standard as a partial justification.

CONCLUSION

It is important to remember the basic purpose of any set of standards and to ask the question, "What is this standardization committee trying to standardize?" In the case of ISO 9000, the intention is to describe at a high level the general elements of a quality system that should be present in different business situations and contractual arrangements. To try to force these standards to provide a detailed mold for Total Quality Management or even an "ISO 9000 Records Management Program" is not too different from using Webster's definition of "automobile" as the design blueprint for a sports car. Nevertheless, I do not believe we violate the intended purpose of ISO 9000 when we point out how certain records management methods are especially apropos to the quality system parameters to delineate:

1. Quality systems always require the traditional records management programs for retention scheduling, records creation, records storage, and records classification.

2. The management of records that demonstrate quality system performance will require records appraisal based upon a new type of value, which I he termed "quality system evidentiary value."

3. The management of the documentation that describes the quality system will require the application of configuration management techniques developed in the control of engineering documents.

4. The link welded by ISO 9000 between quality systems and contractual obligations will necessitate our evaluation of the possibility of including quality assurance documentation as a vital record.

5. The need to identify and access records with quality assurance significance beyond their primary purpose supports the use of electronic image management. Similarly the need for quality system documentation to be immediately accessible both departmentally and centrally suggests a hypertext application.

The relationships presented above between ISO 9000 and records management are depicted in the accompanying table.(Table omitted)

No one will suggest that ISO 9000 will ever be on the bestseller list. In fact, no one would be too surprised if it were nominated for the "Most Boring" or "Most Tedious" award. However, to return to the question with which we began, there does seem to be reason to believe that ISO 9000 will improve my records management program. To be sure, I work for a local government agency that will never export anything to Europe and so has no contractual need for ISO 9000 registration. Yet my agency--like a great many organizations today--does subscribe to Total Quality Management, and ISO 9000 does appear destined to become the standard for quality systems. The role described for the records management program that supports such a system is no longer menial or insignificant. With ISO 9000, records management becomes an acknowledged key ingredient in an organization's efforts to achieve total quality management.

Copyright Association of Records Managers Administrators Inc. Oct 1994
Provided by ProQuest Information and Learning Company. All rights Reserved