Monday, 15 April 2013

ISO certification; how much does it cost?

ISO certification, how much does it cost to establish and implement a management system and to get certified? In this article I’ll try to answer an unanswerable question.

DIY – Do It Yourself

So the simple answer is that it can cost you anywhere from nearly nothing to lots and lots. Let’s start with the DIY approach.
The cheapest way to do it is to do it yourself. Buy a copy of the relevant standard, read it, and away you go! It’s not rocket science and many companies do this. If you know nothing about these standards in the first place however, it will likely take a lot longer than it could or should, and in some cases may cost you more if you end up doing or implementing things that you don’t need to do or implement.
There’s also the possibility of failing the initial certification audits. But, in theory, this will cost you around $200 or less, plus the costs associated with the certification audit.

Templates

In keeping with the low cost approach, since all management systems require certain documentation, it is often a good idea to purchase some standardized templates for customization.
This can save a lot of time, effort, and also go a long way to help ensure that you are doing and documenting the important stuff.
Template quality will vary, and cost will likely range from free up into the $1,000s. Once you purchase your templates you’ll have to spend time customizing them to fit with your own company.
However, without expert knowledge this can still be a huge leap, time consuming, and you can still potentially fail an audit if something is wrong. Still, you’re now spending somewhere around $1,000, plus the certification audit fees, and you will eventually get certified. It’s not a bad deal!

Training

Adding to our budget approach, let’s consider training. Most companies who undertake a certification project will send key staff for “implementation” training; management and others will often undertake a shorter course at the “awareness” level; and then there is the more specific knowledge and skills of internal auditors who are sent on “internal auditor” or “lead auditor” courses. There are other types of training, but these three categories are pretty core to most implementation projects. As a generalization, all are necessary; however, none are explicitly required.
If you were to do only one course, I’d highly recommend an auditing course. The reason is that the knowledge and skills relating to audit are not obvious to your typical member of staff, so when you select your [uninitiated] internal audit team they’re likely not going to have any idea what it means to plan, conduct, and report an audit.
For the implementer (or project manager), you can pick an awful lot up about what is expected of a management system and how an external certification auditor will view your management system from attending an audit course, as well as learning the skills specific to auditing too. Another good reason is that although it is not required by any of the standards, some certification bodies expect internal auditors to have been formally trained, pointing to the competency requirements. So if you can attend one course and one course alone… hmm, but an implementation course is invaluable too!
Clearly, costs associated with training have the potential to dramatically increase the budget, with publicly run commercial courses selling in the region of $700 – $3,000 per student.
So, a generalized and minimal expectation for a reasonable sized project for training might be as follows:
  1. Project manager/lead implementer: 1 day awareness training course; 2-3 days implementer training; 2 day auditor course.
  2. Internal audit team of two members: 1 x 5 day lead auditor course; 1 x 2 day internal auditor course.
  3. Top management and senior staff: 5 x 1 day awareness course.
Total budget estimate for commercial public training: $12,000 – $15,000.
Note that many companies will be able to offer in-house training, which with large numbers often provides a cheaper option than public training. Online training is also a good option when looking at generalized ISO training options.

Consultants

We've seen to this point that with a bit of effort and self-discipline your implementation and certification project can be achieved under your own steam and at a reasonable cost. However, for a first timer, it’s not always easy, so an additional cost that many organizations traditionally opt for is that of the consultant.
The idea of bringing in the consultant, at first suggestion, might appear to be an expensive option, but this is not necessarily so; though it will depend very much on what the consultant’s role will be and of course their pack numbers, as well as, and probably most importantly, their level of competence.
Here are a couple of reasons why a well-selected consultant may be useful and could save you money:
  1. Experience and in-depth knowledge of the standards and requirements for certification and the audit process. A good project plan will be focused on completing all of the necessary steps to achieve your policy goals and certification; no less, and no more, unless you specifically require it. In comparison, many internal implementation projects often drag on for much longer than necessary, so projects last longer and could cost more.
  2. Consultants will often deliver most, if not all of the required training as a part of the implementation project. This means that typically more people will be trained for less cost.
  3. A knowledgeable consultant will be able to guide you with regard to any purchases, such as for equipment, hardware, software, facilities, etc. This is no small point. I have personally seen companies spend extortionate sums of money over and beyond what they should be spending based on ill-judgement or worse, poor consulting advice! Most companies have everything they need; anything more is an improvement.
  4. As we will see later in this article, a poorly defined certification scope could cost you dearly by potentially doubling or tripling your audit costs. A competent consultant should help to define a scope which includes everything as necessary, but not necessarily includes everything!
The cost of a consultant, like everything else, can vary exponentially. But to have an idea what we are talking about, there is the hourly or daily fee, x the number of consultants, + logistics, expenses, etc, etc, and consultants being consultants will often quote for as much as they can grab of your project, even offering to do all of the work for you (not a good idea!). But to generalize from personal experience, a good consultant will typically take on the role of a project manager, provide guidance and advice, deliver all necessary training, plan and lead the first internal audit, provide support and transfer knowledge throughout the project with an average day rate being somewhere between $400 and $1400 per day plus expenses. The big brand type consulting firms could be a lot higher. And of course this all depends on many other factors, such as location in the world, consultant experience and competencies, and the standard you are implementing.
To put an estimate out there, for the total consultancy cost based on my own projects and experience, time spent on a typical project has averaged 20-25 consulting days (one consultant) for an entire project; that is from beginning through to successful certification. That’s what I would consider typical; less typical projects have included 4 man-days over a two month period and, on the bigger scale, 40 days over a 9 month period.
Let’s estimate a total then of somewhere around $8,000 - $25,000 for our consultant on a small/medium sized project. Apparently more expensive than the DIY approach, although not necessarily so. As mentioned previously I’ve seen companies who have spent more than $100,000++ on things that they would not have spent on given the proper advice!

Other Ad Hoc Implementation Costs – The Unknown Factor

Depending on the management system you are implementing, be it ISO/IEC 27001 for information security, ISO 22301 for business continuity, or ISO 9001 for quality management, there may be additional costs that will come up for things like equipment, hardware, software, etc. However, these costs are difficult to predict before starting the project, especially for an outsider. Nevertheless, it is certainly a good idea to budget an amount to cover these unknowns, but difficult to know exactly how much will be enough.
Once you have established your management system policy, scope, and objectives, and conducted a thorough gap analysis, potential costs will become a little more clear. In general, the more you can budget in, the better.
The reality is that you likely won’t need it all. Why? Well, these unpredictable costs often become evident at the point of the actual implementation, and the implementation of a management system is basically all about going about your everyday business and doing what you've said you are going to do. Translated, most organizations already have what they need to do business! In most cases, it is unlikely that anything significant is missing from the mix; otherwise you would have gone out of business and closed down before reading this post. This is probably true to a greater degree with quality management, and to a lesser degree with a badly run company implementing business continuity management. But as a generic statement to an internet audience of a couple of billion, it’s probably about right.
The point is, none of the standards actually require that you purchase anything in particular; they simply tell you to spell out what you are trying to achieve and demand that you implement a management system in whatever form suits you, as long as it works. That means you still call the shots! Standards do not require “perfection,” and it is time not well spent trying to achieve perfection when you first implement your management system. What is required is continual improvement, so you can consider a lot of your wants and desires as future improvement opportunities – something to plan for and to implement as a next step.
Remember, these standards specify requirements for management processes and control, not retina-scanning devices, remote hot-sites, and state of the art machinery.
In summary, this is where a misinformed or misled organization will often spend a lot of time, and even more money!
Budget under this topic will vary greatly of course, but a small/medium business might consider amounts in the range of $5,000 – $50,000. This is entirely speculative and is provided as a fair guess; in most cases, a small/medium size business will be able to complete the project and achieve certification with very little expenditure from this purse, but it is of course always a good idea for it to be there in case it is needed.

Certification

The last $ on the list that I’ll mention here is certification (also known as registration). The cost of accredited certification is ongoing, and it starts with the initial certification audit. The certification audit is carried out in two stages: the first stage is an audit of the documentation and the second stage is an audit of the implementation.
The stage one audit is typically conducted onsite in a single day by the lead auditor, but could be as long as two or even three days. The stage two audit is always conducted onsite and its duration could be anywhere from a single day to weeks, either with a single or multiple auditors. The team size and duration of these audits depends on things such as the management system scope, number of employees, type of business, and the organization’s geographic set-up.
Clearly the bulk of the cost here is in the number of auditors x the number of days. There are other associated costs, such as administrative fees, but these are small in comparison. Other large costs could be travel and accommodation if the auditor is coming from out of town.
It is also important to realize that the initial certification is not the end of the journey, it is the beginning, and surveillance audits will take place at least once every year to maintain the certification.
Expect to pay anywhere up to $2,000 per audit day for a reputable audit company. For a small organization then, let’s say less than 50 persons, you’re likely talking about a 2-3 day certification audit and 1 day surveillance audit per year for ISO 9001 certification. That tallies up to somewhere around $10,000 for a three year certification period.
Audit costs should be known quite early on. Once you have determined the scope of your management system and the associated staff numbers the certification body should be able to provide a quotation for the whole process. And don’t forget to shop around.
As you might imagine, correctly scoping your management system will be a key factor in managing costs.

Conclusion

So in summary, it’s hard to say exactly how much it will cost, but I hope I’ve pointed out some of the key expenses involved.
In most cases you won’t really know what the full extent of the cost will be until you get started with some sort of gap analysis. Perhaps you already comply and just have to bring in the certification auditors!
A last thought on costs though – the major cost of implementing a management system is time, effort, and commitment. No consultant can do the work for you (the auditor doesn't audit the consultant!). Everyone in the company will be involved and if management aren't on-board and committed, it’ll never succeed.

Feel free to comment with your own experiences and pricing knowledge, wherever you may be.
