Blog

18 Mar
Climate Change ISO Amendments
FAQs on ISO’s New Climate Change Amendments

Effective February 23, 2024, the International Organization for Standardization (ISO) is integrating climate change considerations into all management system standards through its Climate Change Amendments. These Amendments ensure climate change impacts are considered by all organizations in their management system design and implementation.

ISO’s recent action supports the London Declaration on Climate Change of September 2021, which establishes ISO’s commitment to combatting climate change through its standards and publications. The aim of the recent Amendments is to make climate change an integral part of management systems design and implementation to help guide organizational strategy and policy.

What are the changes?

The Climate Change Amendments explicitly require climate change considerations in all existing and future ISO management systems standards, as incorporated into the Harmonized Structure (Appendix 2 of the Annex SL in the ISO/IEC Directives Part 1 Consolidated ISO Supplement). More specifically, the Amendments add the following two new statements to Annex SL for organizations to consider the effects of climate change on the management system’s ability to achieve its intended results:

  • Clause 4.1: The organization shall determine whether climate change is a relevant issue, as it relates to understanding the organization and its context.
  • Clause 4.2: NOTE: Relevant interested parties can have requirements related to climate change, pertaining to understanding the needs and expectations of interested parties.

The broad scope of these Amendments (i.e., impacting all standards) reflects ISO’s commitment to integrating climate considerations across diverse operational areas (e.g., environment, quality, safety, food safety, security, business continuity, etc.).

What do these changes require?

The original intent and requirements of Clauses 4.1 and 4.2 remain unchanged; however, the Amendments now require organizations to consider the relevance of climate change risks and impacts on the management system(s).

Potential climate change issues will likely differ for the various standards. The Amendments ensure these various risks are considered for each standard and, if actions are required, allow the organization to effectively plan for them in the management system.

What do certified organizations need to do?

Organizations that are certified—or are planning for certification—need to make sure they consider climate change aspects and risks in the development, maintenance, and effectiveness of their management system(s).

The Amendments specifically require these organizations to evaluate and determine whether climate change is a relevant issue within their management system(s). If the answer is yes, the organization then must consider climate change in a risk evaluation within the scope of their management systems. Where relevant, organizations are further encouraged to integrate climate change into their strategic objectives and risk mitigation efforts. The Amendments do not require organizations to do anything about climate change beyond considering the impacts on the management system’s ability to achieve its intended results.

What is the timeline?

The Amendments are effective as of the date of publication. There is no transition for implementation.

Certification bodies and auditors will cover the Amendments in audit activities when assessing this section of a management system. The audit will ensure climate change is considered and, if determined to be a relevant issue, included in company objectives and risk mitigation efforts. If climate change is deemed not relevant, the audit will assess the organization’s process for making this determination.

Will new certifications be issued?

Because the changes are considered a clarification, ISO issued them in the form of an amendment. New standards will not be republished until new versions are released; therefore, the publication year of each ISO standard will not change, and no new certifications will be issued.

What are the benefits of these changes?

The Climate Change Amendments underscore the importance of understanding and addressing the impacts of climate change. By publishing the Amendments in Annex SL, ISO is leveraging the widespread adoption of all ISO management system standards across operational areas to integrate environmental stewardship into organizational practices, promote sustainability, and drive climate change action on a global scale.

For certified organizations, the Amendments are intended to enhance organizational resilience and adaptability to climate-related risks. Considering climate change in this way can significantly contribute to business sustainability and long-term success by:

  • Ensuring regulatory compliance (e.g., emission limits, sustainability reporting, etc.).
  • Creating positive brand reputation as a sustainable company and associated customer loyalty.
  • Managing risks and opportunities associated with supply chain disruptions, energy efficiency initiatives, employee health and safety, natural disasters, etc.
  • Engaging employees and attracting new talent that prioritizes sustainability.
  • Providing access to markets and investors that have sustainability requirements.

26 May
Emergency Response Plan
Integrated Emergency Response Plans

The most effective way to respond to an emergency is to properly plan for it before it happens. That’s precisely why so many federal, state, and municipal laws and regulations require many facilities to develop and implement some sort of Emergency Response Plan (ERP).

Effective Emergency Response

An ERP is intended to outline the steps an organization needs to take in an emergency—and after—to protect workers’ health and safety, the environment, the surrounding community, and the business itself. The requirements developed by various agencies are important, as they establish the components that must be included in an ERP to comply with regulations and respond effectively.

Most ERPs contain the same basic information. However, it can get complicated when a facility is subject to more than one regulation requiring an ERP, because even though the various regulations share many similarities, they also contain important differences (e.g., command structures, training requirements, equipment needs, operating protocols). Often, facilities end up creating a different ERP to respond to the different regulatory requirements. In an actual emergency, this can create inconsistencies or, worse yet, an implementation nightmare trying to figure out which ERP to follow.

Importance of Integration

The solution lies in integration. For example, consider an integrated management system that allows organizations to align standards, find common management system components (e.g., terminology, policies, objectives, processes, resources), and add measurable and recognizable business value. The same can be done with the various ERPs required within a facility.

It shouldn’t come as a surprise that in 1996, the U.S. National Response Team (NRT) published initial guidance for consolidating multiple ERPs into one core document. The Integrated Contingency Plan (ICP or One Plan) is a single, unified ERP intended to help organizations comply with the various emergency response requirements of the Environmental Protection Agency (EPA), U.S. Coast Guard, Occupational Safety and Health Administration (OSHA), Department of Transportation (DOT), and Department of Interior (DOI). The ICP Guidance does not change any of the existing requirements of the regulations it covers; rather, it provides a format for consolidating, organizing, and presenting the required emergency response information.

While the ICP does not currently incorporate all federal regulations addressing emergency response, it does establish a basic framework for organizations to pull in ERPs for any applicable regulations. And the benefits of doing so are many:

  • Streamlined planning process. A single document simplifies the planning, development, and maintenance process. When plans are integrated, it minimizes duplication of effort, eliminates discrepancies and inconsistencies, and helps the organization identify and fill in gaps.
  • Improved emergency response. It is much easier—and faster—for emergency responders and employees to navigate one plan rather than multiple separate ones. One plan allows for a single command structure with defined roles rather than potentially conflicting responsibilities. This all allows responders to act quickly and decisively to minimize potential disruption to the organization and public.
  • Greater compliance. An integrated ERP provides improved visibility to all parts of the organization’s emergency response and helps reveal gaps that could prove costly and/or dangerous. This is especially important for organizations that must comply with several regulations.
  • Potential cost savings. Streamlined and simplified planning reduces the resources required to build the plan. An integrated ERP may also help eliminate regulatory fines and minimize the need for and associated costs of emergency response/cleanup efforts.

Find Your Format

The goal of an integrated ERP is not to create new requirements but to consolidate existing concepts into a single functional plan structure. Regardless of what the plan looks like, it should start with:

  1. An assessment of the facility’s vulnerabilities to various emergency situations.
  2. An understanding of the various applicable emergency planning laws and regulations to determine which specific requirements must be incorporated. For example, food emergency response has different implications that must be integrated, particularly when it comes to recovery. A food production facility that is ordered or otherwise required to cease operations during an emergency may not reopen until authorization has been granted by the regulatory authority. Food facilities also have strict guidelines to follow for salvaging, reconditioning, and/or discarding product.

With this understanding, the ERP should then comprise step-by-step guidelines for addressing the most significant emergency situations. The core plan should be straightforward and concise and outline fundamental response procedures. More detailed information can be included in the annex. Most ERPs should include the following basic elements:

  • Facility information. Consolidate common elements required in various plans, including site description, statement of purpose, scope, drawings, maps, roster of emergency response personnel, emergency response equipment, key contacts for plan development and maintenance, etc.
  • Steps to initiate, conduct, and terminate a response. Outline essential response actions and notification procedures, with references to the annex for more detailed information. Provide concise and specific information that is time-critical in the earliest stages of the response and a framework to guide responders through key steps to deliver an effective response.
  • Designated emergency responders. Develop a single command structure for all types of emergencies. Assign qualified, high-level individuals who are familiar with emergency procedures to fill emergency roles. In addition, list the appropriate authorities for specific emergencies, as well as their contact information.
  • Evacuation plan/routes and rally points. Clearly mark evacuation routes and identify rally points where employees should meet upon exiting. Do not allow employees to leave designated rally points until it has been documented they have safely left the building.
  • Data and information backup technology. Develop provisions for data backup to secondary/off-site systems, as well as alternate options for communications and power.  
  • Designated plan for communication. Outline who is communicating what, when they are communicating it, and how it is being communicated. This includes internal communication, as well as communication to customers/clients/suppliers/vendors that may be impacted, the media, and the appropriate regulatory authorities.
  • Supporting materials. The annex should provide detailed support information based on the procedures outlined in the core plan and required regulatory compliance documentation. Importantly, facilities should create a table that cross-references individual regulatory requirements with the plan to ensure there are no gaps and to demonstrate compliance.

Ensuring Success

The goal of emergency response planning is to minimize impacts to the environment and workers’ health and safety, as well as disruptions to operations. An integrated ERP has the potential to significantly reduce the number of decisions required to respond in an emergency, eliminate confusion and disagreement regarding roles and responsibilities, and enable a timelier, more coordinated response.

That all being said, an integrated ERP will only be effective if it is thoroughly and consistently communicated to all employees. These best practices will help ensure that the integrated ERP functions not only on paper, but also in practice:

  • Periodic training is vital to ensure employees understand the ERP and are fully aware of emergency response procedures. It is especially important in an integrated ERP that first responders are trained to handle all potential emergencies rather than more narrowly trained on response for a single regulation.
  • Routine drills significantly improve understanding of the ERP, clarify employee roles, test procedures to ensure they work, and diminish confusion during an emergency.
  • Posting an abbreviated version of the ERP throughout the plant provides easy access to all employees if an emergency occurs. This summary version of the ERP should highlight the most vital information for quick response: recognized hazards, high-level emergency procedures, evacuation routes, and key contacts.

23 May
Integrated Management System
Benefits of an Integrated Management System

According to the International Organization for Standardization (ISO), there are currently more than 80 Management System Standards (MSS)—80 different standards designed to help companies improve their performance across a diverse range of areas and sectors.

Most companies these days have some sort of management system, whether formal (e.g., ISO, Global Food Safety Initiative (GFSI)-benchmarked standard, industry-specific) or informal. And, because most companies have various aspects and functions to their operations, many actually may have more than one system to organize processes and business objectives.

While management systems by ISO’s definition are designed to “help organizations improve their performance by specifying repeatable steps that organizations consciously implement to achieve their goals and objectives,” having multiple systems to manage often overlapping requirements (i.e., regulatory, certification, supply chain, internal) can create redundancies, inefficiencies, extra work, and overall confusion.

Integrated Management Systems: The Basics

A management system is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement (i.e., Plan-Do-Check-Act). It is designed to identify and manage risks through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.

A management system should be a means to better align operational quality, safety, environment, food safety, security, energy, etc. with the business. An integrated management system does just this. It aligns an organization’s various systems and processes into one complete framework, enabling the organization to work as a single unit to implement specific best practices organization-wide, fulfill the requirements of multiple standards, and meet a unified set of business objectives.

Integration Business Benefits

Ultimately, the various MSS have many common points—and all work towards the goal of making the organization more effective and efficient. Developing an integrated management system allows organizations to align the standards, find common management system components (e.g., terminology, policies, objectives, processes, resources), and add measurable and recognizable business value, including the following:

Greater consistency. An integrated approach creates greater consistency across business facets when it comes to terminology, processes, procedures, expectations, etc., and, in turn, greatly improved focus on a common set of business objectives. With an integrated system, organizations can ensure that processes, methods, and practices are in place, documented, and consistently applied across the entire organization. A common documented framework such as this helps alleviate duplication of efforts, allows for a more complete view of the functional needs of the entire organization, and reduces variability in performance.

Optimized processes and resources. Integrated systems allow companies to optimize processes and resources and, subsequently, reduce the time it takes to do certain activities. Integrated management systems help organizations to maintain requirements and associated documents concurrently—particularly through use of an information system—streamlining the process and allowing the organization to focus on improvements rather than maintaining multiple systems. A common system enables better use of resources and better collaboration and communication across the company.

More strategic approach. Organizations can take a more strategic approach with an integrated management system because it focuses on managing all aspects of the business, not just one area. It provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate risks to employees and management, and allocate appropriate resources to mitigate them. It also establishes a common language among managers, executives, and employees, which enables better goal setting, priority ranking, and allocation of resources. As a bonus, integrated systems also make it much easier to implement an organization-wide information system capable of tracking and reporting on common activities and key performance metrics.

Forward-thinking. More and more organizations are expecting more from the companies they work with—and that includes management systems. The push for best practices over just regulatory compliance is a growing trend. Reliable and effective regulatory compliance is commonly an outcome of consistent implementation of a management system. Beyond that, an integrated management system allows organizations to more effectively manage those risks (i.e., compliance, financial, legal liability, brand reputation) that can significantly impact the entire supply chain.

Help from the Standards

Standards organizations such as ISO are making it as easy as possible to implement an integrated management system—whether formal or informal—because, plain and simple, it just makes business sense. For example, ISO has adopted a Harmonized Structure (formerly known as High-Level Structure) to make sure every ISO MSS is structured in the same way with ten universal sections. The ISO MSS also use Annex SL, which dictates how the MSS should be written and, again, is consistent across the various MSS. These efforts simplify use, streamline protocol, and encourage standardization across the ISO MSS.

Beyond that, ISO has published a Guide to Integrating Management System Standards (revised in 2018) to help organizations implement integrated management system design—ISO or not. According to Michael McLean, Convenor of the ISO working group that developed the handbook, “Many organizations benefit from multiple management systems to help them ensure their systems and processes are in line with their objectives and help them maintain their business model through ever-changing environments. This handbook provides a practical guide for organizations to effectively align their management systems with their strategies, plans, and operations.”

Taking the Next Steps

If you are operating with multiple management systems—or even if you have no management system at all—there are some basic steps to creating an integrated management system:

  1. Invest the time to understand the current scope of operations, functional departments, compliance requirements, governance structure, etc. across the entire organization as a whole, not just siloed departments.
  2. Conduct a gap assessment to evaluate the current (“as-is”) condition of any formal or informal management system(s) against the desired (“to-be”) condition (e.g., ISO, GFSI, industry-specific).
  3. Create a development and implementation plan outlining tasks and resources required to close any identified gaps and achieve those objectives.
    • Determine key components of the integrated management system required to achieve business objectives.
    • Identify common elements to be standardized and incorporated into an integrated system (e.g., policies, procedures, processes, metrics, training).
    • Determine what information technology can support and streamline an integrated management system.
  4. Provide relevant training to all interested parties to truly operationalize the management system across the organization.

Whether formal or informal, integrated management systems provide organizations—both big and small, in any industry—a pillar for sustainable growth. By developing and implementing an aligned management system, organizations can achieve more consistent, reliable, and efficient performance across many areas, while adding measurable and recognizable business value.

01 Dec
bioforward member blog
BioForward Member Blog: KTL Building Scalable Systems to Help Businesses

BioForward Wisconsin closely follows news stories about its members and invites them to contribute blogs and profiles to inform and advance the Wisconsin biohealth community. Read the recent BioForward Wisconsin member blog on KTL’s scalable systems for helping companies manage compliance business processes more efficiently and effectively.

19 Apr
EHS Compliance Webinar Martin Mantz
Webinar: Challenges of EHS Compliance in the U.S.

Current Challenges of Technical Compliance in the U.S.:
Focus on Occupational Health & Safety and Environment
May 17, 2021 | 4 pm – 5 pm CT

Technical compliance regarding EHS has seen tremendous changes over the last couple of years and is likely to change even more in the foreseeable future. EHS regulatory enforcement will undoubtedly regain momentum in the next few years. Achieving and maintaining EHS compliance requires great management and expertise to ensure all aspects of a company’s technical compliance have been identified and are being actively managed.

KTL’s Sarah Burton will be joining Martin Mantz Compliance Solutions, our German alliance partner, to discuss the challenges of technical EHS compliance and to provide an up-to-date understanding of technical compliance in the U.S. today.

19 Apr
Demonstrating Compliance in a Socially Distanced World

Don’t miss this free American Bar Association event on April 22, 2021 — Demonstrating Compliance in a Socially Distanced World: Virtual Auditing.

In the time of COVID-19, virtual auditing has become increasingly necessary and valuable to organizations as they seek to achieve environmental compliance while facing worldwide travel restrictions and remote work policies that have disrupted routine in-person audits. With this shift comes the need for both regulated entities and regulators to develop new approaches and procedures to ensure the effectiveness of audits conducted remotely. Practitioners, including auditors and legal counsel, must consider new dynamics related to security, data protection, and audit integrity, on top of the usual audit considerations. This session will highlight some of these new challenges and provide real-world solutions to help attendees form new practice skills to apply in the (virtual) field.

Panelists–including KTL’s Sarah Burton–will explore the new world of remote auditing, focusing on real-world solutions to the challenges that virtual auditing presents.

Register online.

25 Feb
Document Management System
From Paper Management to Digital Management

Virtually every regulatory agency (e.g., EPA, OSHA, FDA, USDA) and voluntary certification standard (e.g., ISO, GFSI, organic) has compliance requirements that call for companies to fulfill several common compliance activities. KTL has outlined eight compliance functions that can be instrumental in improving a company’s capability to comply. One very important compliance function involves records and document management.

Records provide documentation of what has been done related to compliance—current inventories, plans, management systems, training, inspections, and monitoring required for a given compliance or certification program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations and standards, particularly since some, like OSHA, have retention cycles for as long as 30 years.

Moving Away from Paper Recordkeeping

Organizing and maintaining the records can create challenges—where to store them, security levels, remote and local accessibility, etc. Supply chain requirements can further add to the cumbersome workload of collecting, reviewing, and sharing documents and information.

Companies have been keeping records and documents in binders and file cabinets for years. And while that system can work, many dynamic tools are available to alleviate some of these challenges and support organizational decision-making. A document management system can help create:

  • Process and document standardization
  • Central and secure storage, organization, and access to documents and records locally or remotely
  • Improved document searchability and accessibility
  • Enhanced workflows for approving and completing tasks involving documents
  • Easy access to documents for audits and clear audit trail, particularly for remote audits
  • Version control and history
  • Reduced paperwork
  • Higher quality data due to reduced human error
  • Improved collaboration
  • Improved security of sensitive documents

All of which lead to consistent, efficient, and reliable compliance performance.

Transitioning Your Records

Transitioning from a paper-based recordkeeping system to an electronic document management system can seem overwhelming, particularly given the sheer volume of documents some organizations have. However, following a step-by-step approach—and considering the desired end product from the start—can help ensure that organizations end up with a system that will function well within the business context and provide ongoing compliance efficiency.

Step 1. Assess Current Documents and Processes

The first step is to identify where all your documents reside and how you are currently managing and organizing those documents. Additionally, an assessment of the documents themselves should be conducted to evaluate if they are still current, if they are in line with the processes and procedures they are intended to monitor, and if they are collecting all the required information. 

Where are documents stored? What is electronic vs. paper? Are documents sorted by necessity, date, version, compliance area? What processes are currently in place for creating, managing, and storing documents? Where are the inefficiencies in adequately managing documents and records? If there are multiple systems, are they working together? 

The goal of this step is to get a good handle on the current state of your documents and systems so you can move on to Step 2, which will be to define the desired state of your document management system.

Step 2. Define Document Management System

Before building the system, you must define your ultimate desired end state. In a perfect world, how would the document management system operate? What parts and components would it have? How would things work together? At this point, you must consider the immediate need (i.e., document management) within the context of the overall business need. The idea is to align the document management system with any overall compliance management system (CMS). This requires a genuine understanding of both daily routines and the big picture.  

Bring together key stakeholders to discuss their objectives, review the current state, and evaluate industry best practices. While it is necessary to get senior management buy-in and to understand the business needs, it is equally important to understand the routine activities and tasks of the people who will use the system on a daily basis. The system must be designed with all these users in mind—the end user entering data in the field, management who is reading reports and metrics, system administrator, office staff, etc.

Step 3. Gather Documents and Populate System

This step can involve significant resources depending on the volume of documents, so taking a phased approach can make it more manageable. It often makes sense to start where you already have processes and document storage systems in place that can be more easily transitioned into a new document management system to encourage user buy-in. Priorities should be set based on ease of implementation, compliance risk, business improvement, and value to the company.

Step 4. Determine Access and Train

The only way to ensure employees will correctly use the document management system is to provide adequate training. Define who needs access to the various parts of the system and what everyone’s roles and responsibilities are. Every employee who will touch the system should receive hands-on training to teach them how to correctly use the system to create efficiencies.

Step 5. Conduct an Annual Internal Audit and Document Review

Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement. Audits may be used to capture regulatory compliance status, certification system conformance, adequacy of internal controls, potential risks, and best practices.

An internal audit of the document management system provides a valuable way to communicate performance to decision-makers and key stakeholders. This final step is an important one, because it will help ensure that:

  • The organization is getting the most out of its document management system.
  • The system and associated processes are operating as intended.
  • Data can be used for trending and predictive analytics to better inform business decision-making.
  • Ongoing opportunities for improvement in document organization and processes are identified and implemented.
  • Efficiencies in business operations and overall compliance management—including remote access and remote auditing—are fully realized.

10 Sep
Compliance Management System
Functionality for Today…Flexibility for the Future

There is no question about it—organizations across nearly every industry are relying more heavily on information technology (IT) to carry out daily tasks, connect staff, and manage operations. Technology can also play a vital role in managing compliance requirements.

For example, we recently shared a case study demonstrating how leveraging a simple Microsoft SharePoint®-based Compliance Management System (CMS) has provided Southeast Missouri State University (SEMO) with access to the data, documents, systems, and processes required to help employees effectively manage compliance requirements—even when working remotely.

Tips to Design a Successful CMS

A CMS is used to coordinate, organize, control, analyze, and visualize information to help organizations remain in compliance and operate efficiently. When building a CMS, it is important to follow a process to design a system that provides the functionality to meet current requirements and the flexibility to anticipate future needs.

The following eight tips can help ensure you end up with the right CMS and efficiency tools to support your organization for the long term:

  1. Inventory your existing systems – Identify how you are currently managing your compliance needs/requirements. What’s working well? What isn’t working? Do the systems work together? Do they all operate independently? This inventory should evaluate the following:
    • Current systems and tools
    • Status and functionality of existing processes
    • Data sources and ability to pull information from various sources
    • Organizational complexity
    • Compliance status
    • Existing management systems
  2. Determine your business drivers – Are you looking to save time? Create efficiencies? Provide access to enable employees to work from home? Reduce the number of resources required? Have better access to real-time information? Answer to senior management? Respond to regulatory requirements? These drivers will also drive the decisions you make when it comes to module development, dashboard design, reporting, and more.
  3. Understand the daily routine of the individuals using the system – Systems and modules should be built according to existing daily routines, when possible, and then implemented and rolled out in a way that encourages adoption. Having a solid understanding of routine tasks and activities will ensure the system is built in a way that works for the individuals using it—and for the way they will be accessing it.
  4. Understand your compliance requirements – Do you have permitting requirements? Does your staff need training? How do you maintain your records? Are there regular (e.g., annual, semi-annual) plans and/or reports you need to submit? Do you have routine inspections and monitoring? All these things can and should be built into a CMS so they can be managed more efficiently.
  5. Get the right parties involved – There are many people that touch a CMS at various points in the process. The system must be designed with all these users in mind: the end user entering data in the field, management who is reading reports and metrics, system administrator, office staff, etc. A truly user-friendly system will be something that meets the needs of all parties. If employees are frustrated by lack of understanding, if the system isn’t intuitive enough, if it is hard to put data in or get metrics out, the system will hold little value.
  6. Make your wish list – While you may start your project one module at a time, it is important to define your ultimate desired end state. In a perfect world, how would the CMS operate? What parts and components would it have? How would things work together? What type of interfaces would users have? You may build piece by piece, but you must develop with the end in mind.
  7. Set your priorities, budget, and pace – What is the most important item on your list? Do you want to develop modules one at a time or as a fully functional system? It often makes sense to start where you already have processes in place that can be more easily transitioned into a new system to encourage user buy-in. Priorities should be set based on ease of implementation, compliance risk, business improvement, and value to your company.
  8. Select the right consultant – For a CMS, it is valuable to have a consultant who doesn’t just understand technology but also understands your operational needs, regulatory obligations, and compliance issues. More than likely, off-the-shelf software will not be a silver bullet compliance solution. A consultant who can understand the bigger picture of where you want to go and will collaborate to design the right CMS and efficiency tools will bring the most value to your organization.

These tips can help ensure any organization designs and develops the right CMS—one that works within the organization’s operating environment—to reduce compliance risk, create efficiencies, provide operational flexibility, and generate business improvement and value.

21 May
virtual audit
Virtual Audits: Best Practices to Make Them Work

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

Most regulations, standards, and guidance require audits to be conducted with some established frequency. For many companies, figuring out how to meet these audit requirements amid travel restrictions, new company safety protocols, and government quarantines related to COVID-19 presents a significant new challenge.

The Online Alternative

Companies come in a variety of sizes with a range of different needs. Because of this, auditing standards remain fairly flexible by design. Fortunately, this allows for online/remote/virtual audits as a viable alternative to onsite audits—provided the audits:

  • Are planned well;
  • Appropriately leverage technology; and
  • Are executed by a team who understands the facility and the requirements.

The ultimate objective of a virtual audit remains the same as an in-person audit: To obtain credible audit evidence to accurately assess compliance/conformance with identified requirements/specifications. The difference lies in the means by which that evidence is collected (i.e., live stream video, surveillance cameras, group web meetings, electronic document review).

Weighing Risks vs. Rewards

Audits can be conducted onsite, remotely, or a combination of the two. In many cases, companies may already be having portions of the audit (e.g., document review) done remotely. Moving the entire audit to the virtual world allows credible evidence to be obtained in unique ways that can offer significant benefits to a company when onsite audits aren’t possible—and even when they are:

  • Reduced cost – Online audits eliminate the expenses associated with travel (i.e., mileage, flights, hotels, meals), which can add up depending on the location and duration of the audit.
  • Flexible schedule – Remote audits can be conducted on a more flexible time schedule. Auditors do not have to complete work onsite in a set number of days, as is required when traveling to a facility. The auditor can also review areas in question remotely after the audit is technically over. Note that a more flexible time schedule does not necessarily mean less time involved to conduct the audit.
  • Social distancing – As CDC guidelines have recommended, it is currently safest to work remotely, when possible, or to maintain six feet of social distance to avoid potential transmission of COVID-19. Through the use of technology, virtual audits take social distancing to the extreme.
  • Improved systems – Preparing for a virtual audit provides the “push” some organizations need to improve electronic storage systems. To conduct a virtual audit, documents and records must be retained in an organized manner that facilitates easy/quick access. Being able to access all documents remotely is necessary—paper records or documents stored on individual computers/network drives no longer cut it.

At the same time, there are some potential risks to conducting a completely virtual audit, particularly since this practice is relatively new to many organizations:

  • Observation/technology limits – Observation of site conditions is limited by the ability to direct live stream video remotely. Technology can create limitations. If the camera can’t see it, neither can the auditor. Poor video quality can impede visual clarity. You don’t know what you don’t know.
  • Communication confusion – It can be difficult to read body language and/or interpret emails and phone conversations to make sure communication is clear. This can require revisiting topics/findings several times to ensure accurate evidence is collected.
  • Time barriers – There may be time zone and associated scheduling barriers depending on the location of the auditor and the facility.

Considerations and Best Practices

Regardless of the type of audit a facility conducts (i.e., remote, onsite, combination), standard audit best practices should be followed to ensure that audit results are comprehensive and credible. If the company opts for a virtual audit—for any reason—there are a number of considerations and best practices to ensure that the audit effectively fulfills its objectives and alleviates the risks outlined above to the extent possible:

  • Site Familiarity – Virtual audits work best if auditors are familiar with the industry and/or operations. While it is not necessary for the auditor to have visited the site before, that type of familiarity with the facility provides the best-case scenario, especially for compliance audits, as it prepares the auditor to know what to look for (and where) and what questions to ask.
  • Careful Planning – Much like onsite audits, virtual audits require careful upfront planning on the part of the auditor and the facility—and perhaps to an elevated degree.
    • The facility needs to collect all documents and records prior to the audit and determine the best way to present that information remotely (e.g., email/transfer ahead of time, allow access to company Intranet/shared directory space, share during a web meeting).
    • Interviews are best scheduled in advance to ensure availability; however, they can be conducted on an ad hoc basis as need arises.
    • It is best to plot out the route and areas of specific focus for the audit ahead of time using a site map as a guide to ensure that all areas are covered and that the audit can be conducted as efficiently as possible using the allocated facility resources. An audit site guide who is familiar with the entire facility must be assigned.
    • Technology needs and requirements must be evaluated, and logistics and access should be tested prior to the audit. It is vital that all cameras, web meetings, shared document space, WiFi, and other technology are working appropriately prior to the audit, or a lot of time can be wasted troubleshooting issues.
  • Video – Videos should be live. Site walks should be led by a site guide/employee along the planned route with smart phones, iPads, etc., with live streaming capabilities. It is important to ensure that live streaming works within the facility being audited so auditors have a clear view of site conditions. Auditors can also take advantage of any in-house surveillance cameras (e.g., security or quality systems) to provide additional footage of operations, when necessary. In most cases, surveillance footage cannot replace live video.
  • Web Meetings – Opening, closing, and daily briefings can be conducted via web meeting. Remote audits provide the flexibility to conduct the audit in segments, with briefings following each segment. This allows the auditor to review video footage, evaluate records, and generate questions to ensure the information collected is accurate and complete.

Companies all over the world are working through a transition period right now, where they are trying to establish what a new “normal” looks like when it comes to operating practices, employee health and safety, business continuity, and compliance. Audits are one piece of the overall puzzle that can be transitioned somewhat seamlessly with the right planning and technology in place to ensure ongoing compliance.

16 Apr
root cause analysis
Getting to the Root Cause

At the most basic level, a root cause is the fundamental reason—or the highest-level cause—for the occurrence of a problem, incident, or event. The root cause sets in motion the entire cause-and-effect reaction that ultimately leads to the problem. Getting to the root cause of any problem is important not just for resolving the issue at hand, but for identifying underlying issues to ensure that similar problems do not occur in the future. This starts with a process called the root cause analysis (RCA).

What Is the Root Cause Analysis (RCA)?

A root cause can be permanently eliminated through process improvement. RCA is a method of problem-solving used to identify the underlying (i.e., root) cause(s) of a problem/incident. RCA can be used to solve problems and provide preventive actions for:

  • Major accidents
  • Everyday incidents
  • Minor near misses
  • Human errors
  • Maintenance problems
  • Medical mistakes
  • Productivity issues
  • Manufacturing mistakes
  • Environmental releases
  • Risk analysis, risk mapping

RCA is a systematic process based on the basic idea that effective management requires more than merely putting out fires. RCA focuses on finding a way to prevent these fires from recurring. Rather than just treating symptoms, RCA seeks to identify and address the true, underlying concerns that contribute to a problem or event.

Why is this important? If you just treat the symptoms of the problem, that alleviates them for the short term, but it does nothing to prevent the problem from coming back again. Lasting solutions address the underlying factors—the root cause(s)—that create the problem in the first place. Targeting corrective measures at the identified root causes, subsequently, is the best way to alleviate risk and ensure that similar problems do not occur in the future.

Best Practice

Both the Occupational Safety and Health Administration (OSHA) and Environmental Protection Agency (EPA) encourage organizations to conduct RCA following an incident or near miss at a facility. In fact, facilities covered by OSHA’s Process Safety Management (PSM) standard are required to investigate incidents that resulted in (or could have reasonably resulted in) a catastrophic release of highly hazardous chemicals. Similarly, EPA’s Risk Management Program (RMP) regulations require regulated facilities to conduct incident investigations. In addition, certain management systems, including ISO and Responsible Distribution (National Association of Chemical Distributors) to name just a few, also require RCA.

Whether an organization is subject to PSM, RMP, or management system standards, identifying the root cause of any incident or problem through RCA is a best practice that can significantly benefit organizations by identifying underlying issues to ensure that similar problems do not occur in the future. So, how do you effectively implement RCA?

Six-Step Process

RCA can be broken down into a simple six-step process, as outlined below.

Step 1: Identify and Clearly Describe the Problem

The first step is to understand and document the problem/issue/incident that actually occurred. This might involve interviewing key staff, reviewing security footage, investigating the site, etc. to get an accurate account of the issue. Certainly, safety- or security-related incidents might require an immediate fix or prompt action before carrying out the complete RCA. This is always the first priority.

Some problems are easier to define than others based on what happened and the extent of the issue. When defining and describing the problem, it is important to be as descriptive as possible, as this will aid in future steps to identify the root cause(s).

For example, the first description below is somewhat vague. The second description provides an additional level of detail that more fully documents the situation:

  1. A forklift driver wasn’t wearing his seatbelt. (vague)
  2. During a walkthrough of the warehouse on 2/1/20, it was observed that forklift driver John Smith, who is a contract employee, was not wearing his seatbelt while operating the forklift. (clear)

Step 2: Identify Possible Causes…Why?

There are several methods for identifying possible root causes. One of the most common is known as the “5 Why Method”. This approach simply involves asking the question “Why” enough times (i.e., five times) until you get past all the symptoms of a problem and down to the underlying root cause of the issue. The detailed problem description put together during Step 1 serves as the starting point for asking “Why”.

Let’s take our problem description from above a step further to identify the possible causes using the 5 Why Method.

[Figure: 5 Why example]

Step 3: Identify Root Cause(s)

At this point, the 5 Why Method is leading you to the core issue that set in motion the entire cause-and-effect reaction and, ultimately, that led to the identified problem(s). It’s now time to determine whether the five whys have dug deep enough. Where does your questioning lead you? Is there one root cause or are there a series of root causes contributing to this incident? Often, there are multiple root causes that may be factors to address when preventing future incidents.

In our forklift operator case, the 5 Why Method points to the lack of a standardized checklist of all items to be trained on—including forklift training—prior to a new contract employee coming onsite.

Step 4: Corrective and/or Preventive Action Taken

Based on the identified root causes, it then becomes possible for the facility to determine what corrective and/or preventive actions (CAPAs) can be taken to fix the problem and, just as important, prevent it from occurring in the future. For our example, there are a number of potential CAPAs:

  • Stop the employee from operating the forklift and educate him on seatbelt policy prior to resuming work
  • Review contract/temp employee training program
  • Retrain shift managers on training expectations
  • Obtain training records for contract/temp employees
  • Provide refresher/retraining, as necessary
  • Add signage to forklifts and warehouse bulletin boards about seatbelt policy

Step 5: Analyze Effectiveness

The effectiveness of whatever action is taken in step 4 needs to be evaluated to determine whether it will resolve the root cause. If not, another CAPA should be explored, implemented, and analyzed to assess its impact on the issue/problem. If it is a root cause, it should help to resolve the issue and you should move on to step 6 below.

Let’s return to our example. You might ask, “Was the retraining effective?” An evaluation shows the following:

  • Yes, the employee continues to operate the forklift using the seatbelt.
  • Yes, subsequent walkthroughs of the warehouse over the next six months have not resulted in any additional seatbelt violations.
  • The next contract/temp employee brought on to assist during the busy end-of-year season was required to produce current training.

Step 6: Update Procedures, as necessary

As CAPAs are implemented, once they prove effective, related policies and procedures must be updated to reflect any changes made. This step ensures the outcomes of the RCA will be integrated into operations and used to prevent similar incidents from happening in the future.

In our current example, this might mean that the Contractor Policy is updated to include a new section specific to the hiring of contract/temp employees with the following requirements:

  • Obtain valid training certificates for work performed
  • Ensure Managers conduct on-the-job training for contract/temp employees specific to work performed

Benefits of RCA

Following these six steps will help to ensure that a thorough investigation is conducted, one that identifies the root cause(s) rather than just symptoms. It further ensures that any changes related to the root cause are integrated into the organization to prevent similar events from happening again. In the end, the RCA process can help:

  • Reduce the risk of injury and/or death to workers and community members
  • Reduce the potential for environmental damage
  • Avoid unnecessary costs resulting from business interruption; emergency response and cleanup; increased regulation, audits, and inspections; and OSHA or EPA fines
  • Improve public trust by maintaining an incident-free record
  • More effectively control hazards, improve process reliability, increase revenues, decrease production costs, lower maintenance costs, and lower insurance premiums