Certification is often seen as a way to demonstrate compliance in various industries, such as security, safety, sustainability, and more. However, the effectiveness of certification in improving performance is limited. Studies have shown that organizations that pursue compliance certification for its own sake, rather than as a means to improve performance, may fail to achieve real progress as certification can create a "check-the-box" mentality that hinders real improvement and the advancement of compliance outcomes.
For example, ISO 14001 Environmental Management System (EMS) certification is a widely recognized certification for demonstrating compliance with environmental regulations. However, a study found that organizations that adopted ISO 14001 for the purpose of certification did not necessarily see an improvement in their environmental performance. These organizations focused on meeting the minimum requirements to obtain certification, rather than pursuing excellence and continuous improvement.
Similarly, organizations that pursue security certifications, such as ISO/IEC 27001 Information Security Management System (ISMS) certification, may focus solely on meeting the minimum requirements to obtain certification, rather than on addressing real security risks. This can create a false sense of security, leading to complacency and putting the organization at risk.
The problem with certification is that it can create a culture of complacency. Once an organization obtains certification, it may feel that it has achieved mastery and stop pursuing further improvement. This can lead to a stagnation of skills and performance, limiting the potential for innovation and progress.
To truly improve performance, organizations must shift their focus from certification to a culture of excellence and continuous improvement. For example, instead of pursuing ISO 14001 certification for its own sake, organizations should focus on reducing their environmental impact through a continuous improvement program that includes metrics and targets for environmental performance. This can lead to real improvements in environmental sustainability and create a competitive advantage for the organization.
Similarly, organizations should focus on real security risks and adopt a risk-based approach to security, rather than solely focusing on meeting certification requirements. This can create a culture of continuous improvement and innovation, improving the organization's security posture and reducing the risk of security breaches.
While certification can be a useful tool for demonstrating compliance, it should not be seen as a substitute for real performance improvements. Organizations must adopt a culture of excellence and commit to learning and adapting to truly achieve their full potential across various industries.
Companies that desire to improve their compliance outcomes and chose certification as a means to get there, not only receive certification, but also improve their performance – you get both. However, to get both, you need to start with intention not certification.