The Subcontracting Paradox: What ISO 17020 Teaches Every Business About Ultimate Responsibility

1.0 Introduction: The Hidden Risk of Delegation

In today's fast-paced business environment, subcontracting is a standard play in the strategic handbook. Companies delegate tasks to outside specialists to increase efficiency, access unique skills, and focus on their core competencies. From specialized manufacturing processes to technical inspections, outsourcing seems like a straightforward way to get the job done right. It’s a classic case of delegating a task to the most qualified hands.

But what if delegating the work doesn’t delegate the risk? In high-stakes industries governed by rigorous standards like ISO/IEC 17020 for inspection bodies, a counter-intuitive principle emerges: you can outsource a task, but you can never outsource the ultimate responsibility, the risk, or the mandate for absolute impartiality. This standard reveals a powerful truth about what true accountability looks like, offering critical lessons for any leader who relies on external partners to deliver results.

2.0 You Can Delegate the Task, But Never the Responsibility

The foundational principle of subcontracting under a quality management system is absolute. The primary company—the one that holds the contract with the end client—always retains full and ultimate responsibility for any work performed by a subcontractor. This is not a negotiable point; it is the bedrock of accountability.

This means that if a subcontractor makes an error, delivers a non-conforming result, or fails to meet a standard, the primary company cannot point fingers. All consequences, from client dissatisfaction to managing formal corrective actions, fall squarely on their shoulders. The standard makes this unequivocally clear.

The inspection body remains fully responsible for all inspection results, even if subcontracted.

This principle is so impactful because it forces a shift in mindset. It moves beyond simple project management to a deeper concept of ultimate ownership. When you are the one who is ultimately accountable, your entire approach to selecting, managing, and overseeing partners must change.

3.0 Competence Isn't an Assumption; It's a Verifiable Prerequisite

In many business relationships, a partner's reputation is enough to get started. Under a system like ISO 17020, however, reputation is not sufficient. An inspection body cannot simply hire a subcontractor and hope for the best. It must formally ensure and document that the subcontractor is competent for the specific job before any work is assigned. Failure to do so is a common nonconformity found during audits.

This verification is a formal process that includes checking and recording the subcontractor's qualifications, relevant experience, and any necessary authorizations. It is not a casual review but a documented assessment that must be kept on record.

This proactive approach is a powerful risk-management tool. Instead of reacting to problems after they occur, you prevent them by ensuring that only qualified and capable partners are brought into the process from the very beginning. It fundamentally contrasts with the more common—and more costly—approach of dealing with issues after they have already impacted the work.

4.0 If It's Not in Writing, It Didn't Happen

A handshake or a verbal agreement has no place in a controlled subcontracting process. The standard requires formal, written agreements for all subcontracted work. In fact, one of the most common nonconformities found during ISO 17020 audits is subcontracting work without a documented agreement in place.

These agreements are not mere formalities; they are critical control documents that must clearly specify key details to eliminate ambiguity. Key elements include:

• The exact scope of work to be performed
• Clear responsibilities and authority for all parties
• A mandatory requirement for the subcontractor to comply with ISO/IEC 17020
• Strict confidentiality obligations to protect sensitive information

This documentation isn't just a formality; it's the foundational link in a chain of records that establishes both traceability and accountability. It allows an auditor or client to trace every decision and result back to a controlled, documented process.

Furthermore, the formal agreement is just the beginning. ISO 17020 requires that the primary body maintain a complete set of records for all subcontracted work. This includes the documentation verifying the subcontractor's competence, the specific work performed, the resulting inspection reports, and crucially, evidence of the primary body’s review and approval. Incomplete records are another frequent source of nonconformities, as they break the chain of traceability and undermine accountability.

5.0 Oversight is an Action, Not a Position

Once a competent subcontractor is chosen and a formal agreement is signed, the primary company's job is not over. The standard mandates a process of continuous monitoring and review of the subcontractor's performance and results. Oversight is an active, ongoing responsibility, not a passive position. Lack of monitoring is another frequently cited nonconformity.

This involves actively reviewing the subcontractor's inspection reports and other deliverables to check for accuracy, consistency, and compliance with all established procedures. This oversight is also critical for ensuring the subcontractor’s work remains impartial and free from conflicts of interest, thereby protecting the primary body's accreditation and reputation.

Furthermore, the primary inspection body is responsible for managing any corrective actions that arise from the subcontractor's work. If a nonconformity is found, the primary company must document it and oversee the process to fix it. This active oversight ensures that the integrity of the entire inspection process is maintained from start to finish, regardless of who performs the individual tasks.

6.0 Conclusion: The Real Meaning of Control

The principles governing subcontracting in ISO 17020 offer a masterclass in accountability that extends far beyond technical inspections. The mandate for ultimate responsibility, verified competence, documented agreements, and active oversight provides a powerful blueprint for proactive risk mitigation.

This blueprint transforms subcontracting from a high-risk activity—fraught with dangers to competence, impartiality, and traceability—into a controlled, strategic advantage. By thoughtfully extending your own systems of control and quality to an external partner, you prove that true control isn't about doing everything yourself; it's about ensuring everything is done right.

In your own work, where could applying this principle of ultimate ownership prevent a future crisis?

Share This Article

Found this useful? Share it with your network: