A Roleplayer's Guide to ISO9001: Quality Assurance in the Laundry

Update Feb 2011: There's a thread about this PDF and article over on the Cubicle 7 Laundry forum.

Further update Mar 2012: I contributed a large amount of material for the Laundry Files Agent's Handbook (on sale now!), notably in "Chapter 4: Black Budget, Red Tape". It covers a lot more ground than this article and includes my rather super "Bureaucracy Random Encounter Table" which enables game masters to quickly add bureaucratic spice without requiring a detailed knowledge of quality management. It also answers vital questions such as what might happen to your security clearance, if Shoggoth-worshipping cultists happened to book their meetings in the same village hall as your character's mum's flower arranging class.

I've been playing pencil-and-paper roleplaying games since Dungeons & Dragons 2nd Edition in the late 1970s. In 2011, I started playing Cubicle 7 Entertainment's The Laundry role-playing game, which is a Call of Cthulhu-based RPG set in the modern day. In it, you play a civil servant in a secret British government organisation nicknamed the Laundry, dedicated to the control of Lovecraftian horrors, under the watchful eye of ISO9001 quality control.

This article is not a critique of ISO9001; I actually happen to be an advocate of correctly-implemented quality procedures. This article is a series of examples of how a badly implemented quality procedure might add to the comedic sense of futility and helplessness that provides the humorous backdrop to the Laundry's horror scenario. If you intend to use this article for any actual real-world business or training application... well, that would be very silly.

ISO9001 Non-Conformance Report template for the Laundry

As someone who has practised ISO9001 magicke for well over a decade in my real life as a software development manager, this element of the plot intrigued me. I felt it was a real shame that the RPG manual did not include some of the more common ISO9001 paperwork templates, so that other players could share the joy of quality certification.

So, here is my combined ISO9001 (2008) Non Conformance Report and Expenses Claim Form:
laundry-iso9001-ncr.pdf

My elements of it are Public Domain, the only thing that isn't is the Laundry logo which is probably copyright by Cubicle 7 Entertainment, but hopefully they won't mind. Appease their gods by ordering RPG books and electronic PDFs online from Cubicle 7.

It might be worth explaining to those unversed in the world of ISO9001, quite what ISO9001 entails.

A roleplayer's guide to ISO9001

ISO9001 is an international standard for business procedures which promote and improve quality. Actually, that's not true. ISO9001 is an international standard for business procedures which, if managers and employees made the effort, would promote and improve quality.

And there's the rub. The effort. It is perfectly possible to follow ISO9001 procedures and not improve quality.

What ISO9001 procedures give an organisation, is a structure for logging and tracking various business measurements. For a factory, those measurements might include raw materials or stock. For a retail store, those measurements might include footfall or sales figures. For a software house, those measurements are typically bugs - faults - in particular, those which have somehow managed to get as far as the live release. The ISO9001 concept is, that by tracking these indicators, and stating what needs to be done to avoid problems happening again, the management will have evidence which will help them make better business decisions.

Here's the dirty not-so-secret: You can continue to measure failure and not fix it and still be ISO9001 compliant. Fixing the failure is optional. So long as you continue to measure it, and suggest methods to fix problems, you can continue to be compliant; you don't actually need to fix anything. You must plan to implement the revised procedures, but those revised procedures can fail, or you can repeatedly postpone implementation of the revised procedures, and you can still qualify for ISO9001. All ISO9001 training courses will point this out on day one - it is the effort which improves quality; the procedures are just a tool. (And I genuinely think that ISO9001 is a very good tool. Just maybe not suitable for CASE NIGHTMARE GREEN.)

ISO9001 began life as British Standard BS5750, and has been part of British management culture since the late 1970s.

How ISO9001 affects the Laundry

There is a light spoiler here for entirely new players who have not read the novels. Skip this section if you haven't finished playing your first adventure.

For the Laundry fictional government agency, a quality system that requires significant employee buy-in presents a problem beyond the generic red tape and stereotypical Yes Minister inefficiency of civil service departments. In the Laundry scenario, the players soon become aware of a situation called Case Nightmare Green - the impending Cthuhloid apocalypse. Most Laundry scenarios describe this eventuality as unavoidable and imminent, with humanity - and the Laundry in particular - unable to prevent it. At best, all the Laundry can do is keep putting it off for a while.

So the employees have very little motivation to improve quality, since they, their department, their loved ones and their planet could, at any moment, be gobbled up by the Old Ones. The best they can hope for is to make it through another day - exacerbating the short-sightedness of the stereotypical civil service department. Where a typical civil service department may make long term plans only as far as the next election - 5 years maximum - Laundry employees do not see much point for long-term planning beyond, say, 18 months. Any fix that might take more than a couple of weeks, is probably considered worthless. This contrasts with ISO9001 which rarely produces short-term fixes; more often, it promotes long term iterative change.

ISO9001 documents in Laundry gameplay

The Laundry represents an organisation gone, well, not so much bad, as wrong. Many of the ISO9001 elements will be followed to the letter, but lost in the spirit. Key ISO9001 documents that the player characters may encounter include:

Quality Policy - A mission statement regarding quality. A bad policy would be pretty vague or unambitious, difficult to measure failure against, or too specific and continually breached. A bad policy will then descend into some boilerplate waffle about management, improvement processes and quality assurance, and possibly something scary about money or safety. For example:

"The Laundry's goal is to delay the onset of, and mitigate against, CASE NIGHTMARE GREEN as it may apply to the United Kingdom and her allies. The Laundry complies with our quality policy by: Consistent management focus on quality; Continual improvement of procedures and systems; Maintaining appropriate levels of secrecy; Controlling costs; Keeping fatalities amongst British Citizens to an acceptable level."

One humorous effect of the secrecy of the Laundry might be that most of the agency's staff might not have sufficient security clearance to read their own agency's Quality Policy.

Specifications and Service Level Agreements - These set out how the Quality Policy is interpreted for the products and services of the organisation. These documents will be far more concrete than the Quality Policy, giving mandatory requirements, or absolute or percentage measurements, as goals. These documents will set out what is and isn't considered "normal"; anything that falls outside these bounds is likely to require action by Laundry operatives. Even badly managed organisations tend to have pretty good-sounding Specifications and SLAs, as they are often the things which managers are measured against, and hence the one thing managers concentrate on getting right. However, bad management may still display a skewed, perhaps callous, sense of priority in the wording. An SLA for IT Support might read:

"To analyse Critical issues within 15 minutes and fix within 1 hour; To analyse High Priority issues within 1 hour and fix within 4 hours; To analyse Medium Priority issues within 4 hours and resolve within 1 week; To analyse Low Priority issues within 1 week and resolve within 1 month. Critical issues are defined as any problem where more than six British Citizens are or are likely to become in mortal danger; High Priority is any issue where at least one British Citizen is or is likely to become in mortal danger; Medium Priority is any issue that costs less to fix than it does in lost employee salary time; all other issues are Low Priority. Medium and Low Priority issues may be Resolved by a decision not to fix due to resource constraints."

Personal Objectives - Line management should create personal objectives for each employee. A manager who wants an easy ride might create simplistic objectives which the employee would find easy to achieve, but difficult to excel at. A vindictive manager might create unrealistic and unobtainable objectives. Good objectives are SMART; Specific, Measurable, Achievable, Realistic and Timely. The most observed characteristic is Measurable, by which it usually means "quantitative not qualitative"; something that can be proven by evidence or record-keeping, rather than somebody's opinion. It is difficult to attain ISO9001 certification if objectives cannot be measured - the other SMART characteristics are more of a judgement call. An employee will typically have 3-5 measurable objectives, which would be reviewed annually.

Corrective Action Matrix - A list of suggestions of how things could be done better (Future Corrective Actions), usually lessons learned from bad experiences. A bad organisation may hold hundreds or thousands of suggestions which are never implemented, typically due to a short-sighted management attitude or budget constraints (or, in the case of the Laundry, a sense of futility in the face of Case Nightmare Green). Disillusioned employees may see the Corrective Action Matrix as a dumping ground for work that never gets done.

Non-Conformance Report - The products and services of an ISO9001 organisation should conform to the Specifications, Service Level Agreements and, ultimately, the Quality Policy. Where they do not, i.e. where the agency fails, this is called Non-Conformance. Every time there is a Non-Conformance, a Non-Conformance Report must be filled in. The report will explain the problem, how it was fixed (assuming it was fixed at all), and what needs to be done in the future to prevent it reoccurring (Future Corrective Actions).

Continual improvement is not a document, but a buzz-phrase popular in ISO9001 circles. Future Corrective Actions proposed in Non-Conformance Reports form part of a never-ending spiral of planning, performing, acting and checking; a constant search for perfection. In a poorly run ISO9001 organisation, where Future Corrective Actions remain perpetually unimplemented, employees would see this as a never-ending paperwork treadmill. Laundry agents will see the same types of paperwork over and over again.

Timesheets are not generally part of ISO9001; instead they more commonly fall under project management or billing. For project management, timesheets from previous projects can be used to better estimate new similar projects. For contract work which is billed to customers by the hour, timesheets can be invaluable for justifying invoices. However, in a poorly-run organisation with little project planning, and in a civil service agency where time is not billed by the hour (think about it; how could a Laundry agent give a detailed break-down of how they spent their time, to a third party, without breaching the Official Secrets Act?), then timesheets become little more than an oppressive tool, promoting the fallacy that being extremely busy is the same as being extremely efficient. An organisation that is constantly busy will never have any slack to allow for project overruns, employee training, planning or even just giving employees a rest from stress. Timesheets will typically measure what each employee has done each day, split into anything from half-days to quarter-hours, depending on how expensive the employee's time is or how vindictive the management are feeling.

Non-Conformance is Adventure

For Laundry players, they will typically be assigned scenarios where an ISO9001 Non-Conformance has occurred or is likely to occur. Player characters will usually pick up an adventure either in order to investigate the Non-Conformance and implement a fix, or they will be asked to implement a new procedure to prevent an imminently anticipated Non-Conformance.

For example, if the players' department's Service Level Agreement is to "Keep annual rate of Anning Black-related fatalities in the South-West region to no more than three", then a Non-Conformance would be the death of a fourth Shoggoth victim in that area that year. A Non-Conformance Report would have to be filed, describing the event, listing what was done to mitigate it immediately, and what actions should be taken in the future to prevent further Shoggoth deaths in the West country.

Team8Mum made an interesting comment on the forum: "I have visions of some one trying to herd a Shoggie over a county boundary so the report features in 'East Midlands' figures rather than 'West Midlands' figures" - that is exactly the kind of narrow-mindedness that a poorly-implemented ISO9001 regime can foster. PeteRogers commented: "I was actually thinking of basing an entire scenario around one department creating fake occult events just to up the budget for the next year" - an interesting but sadly all-to-common reversal of motivation in ISO9001 measurements. Have you ever noticed how local councils do so many of their roadworks just before the new financial year in April? Gotta use up that budget, or the management might think it could be cut!

Conformance may beget Non-Conformance

A good department would be proactive. They might send banishing teams in advance to suspected Shoggoth incursions, to prevent casualties before they happen. They might even have some clever Shoggoth monitoring and prediction system, or perhaps even have created a technique for preventing incursions at all. If successful, there would be no Non-Conformances to report. Such departments may be held up as exemplars to other, less successful departments. For example, upper management might require that employees from the less successful department "shadow" (i.e. follow around) their counterparts in the more successful department, in an effort to learn how to improve. Or a key member of staff from the successful department may be seconded (i.e. reassigned for a few weeks or months) to the less successful department to act as a "guru" (i.e. expert). The point from a roleplaying perspective is; players who engineer a perfect system are unlikely to remain in harmony with that system for long- they'll either be drafted into other departments and new challenges, or have less competent staff foisted upon them.

In reality, there's a third option; the successful team create a load of documentation and continue as a successful team without interference from less successful projects. The less successful teams read the documentation, perhaps attend one or two slide presentations from the successful team's experts (although the presentation abilities, or lack thereof, of technical experts is rarely considered), then learn and improve; this is the ideal of ISO9001. However this does not make for an interesting roleplaying game. If things get boring... have a management reshuffle and reassign the players to new challenges. Another way to introduce new challenges would be to introduce new areas of responsibility to the team, or to vastly change the threats that the team had prepared for.