The certificate is not the point.
Thinking formed in practice, published as part of the Bearing & Course Points of View library.
Certification has become, in many organisations, the goal. Pass the audit. Renew the accreditation. File the evidence. Tick the box that says you are compliant with the standard. The assumption underneath all of this is that the certificate means something. In too many cases, it does not mean what people think it means.
A certificate tells you that, at a point in time, an organisation could demonstrate that certain things existed. A policy. A procedure. A register. A nominated owner. It does not tell you whether those things operate reliably under real conditions. Whether they hold when a system fails, when a key person leaves, when a contract goes wrong, or when pressure builds and shortcuts become tempting.
This gap has always existed. What has changed is how easy it has become to widen it without anyone noticing. It is now straightforward to produce policies, procedures and supporting documentation that appear comprehensive and credible. With the tools currently available, it is easier still to generate responses that are coherent, well-structured and aligned to expected standards, regardless of how the organisation actually operates.
Organisations can appear well-controlled without being well-controlled.
The consequence lands on buyers and funders first. The central question is not whether an organisation has documented its controls. The question is whether that organisation can be relied upon to deliver, operate and manage risk in practice. Current approaches struggle to answer that question with confidence. They assess presence rather than performance. They prioritise documentation over operational evidence.
The difference between those two questions maps onto five observable states. A control can be absent: nothing defined, activity ad hoc. It can be declared: a policy exists but there is limited evidence of real operation. It can be implemented: the control is used in practice, but inconsistently. It can be operating: consistently applied, structured, repeatable, traceable. Or it can be optimised: continuously improved, with feedback loops embedded, not dependent on individuals.
Most organisations, when assessed honestly, have controls distributed unevenly across those five states. The ones that exist only on paper tend to be the ones that matter most, because they were designed for conditions the organisation has not yet experienced. A control that has never been tested under pressure is a declared control, not an operating one.
The transition that matters most is from declared to operating: from a control that exists in principle to one that functions reliably in practice. That transition requires the organisation to have actually built the thing, embedded it in how work is done, tested it under real conditions and corrected what failed.
Controls embedded in how work is done are not the same as controls documented alongside it.
The organisations that get the most from certification are the ones that would pass without being asked. The certificate, for them, is a credibility multiplier: it confirms something that was already real, and makes it visible to the people who need to trust it. The work that made it true happened earlier: in the design of processes, in the clarity of ownership, in the consistency of application, in the habit of reviewing what failed and building that learning back in.
The organisations that get the least from certification are the ones that prepared for the audit. They invested in the artefacts rather than the conditions. Six months after the certificate arrived, the gap between what was presented and what is real has quietly reopened.
Pursue certification because it will require you to build something real. Not because the certificate will signal that you have. The signal is only worth something if the substance is already there.
Certification is not the point. Operating well is the point. The certificate is what you get when you have already done the work.