​Last month we looked at ISO 14001 - how it has become the de facto standard for designing and implementing an environmental management system, how it works, and a bit about its history.

This week we look at two key concepts in the standard which you’ll need to get to grips with in order to implement it properly. The first is ‘Environmental Aspects and Impacts’, and the other is ‘Compliance’.

Environmental Aspects and Impacts

An organisation’s activities, products and services that interact with the environment are referred to as ‘aspects’, which may have a negative or positive impact on the environment. Typically, aspects might include emissions to air, discharges to water and waste, which in turn may generate environmental and health impacts such as global warming, water pollution or contaminated land.

Some activities, such as those of an office-based service, will have relatively minor environmental impacts, such as energy usage and emissions linked to air conditioning, whereas in some heavy industrial companies aspects such as processes that cause emissions to air and discharges to water may have significant environmental impacts.

Once you’ve identified an aspect, you then need to judge its impact on the environment. Is it major or minor? If it’s major, how can it be reduced? Can it be managed better? Do you have to do it at all, or is there another way?

Managing environmental aspects and impacts is arguably the most important component of an EMS, and your job is to determine which ones apply to you and their relative significance in terms of risks to the environment and then look at the controls you can put in place to minimise these as much as possible. These will usually sit in a register of significant aspects and impacts for you to monitor and update.

Compliance obligations and evaluation of compliance

ISO 14001:2015 has two main requirements when it comes to compliance:

Identify and have access to applicable compliance obligations
This is the important first step of making sure that you know all of the legal requirements related to the environmental aspects that are applicable to your company. Think about any chemicals you use - how do they relate to Control of Substances Hazardous to Health 2002 (COSHH)? Do you use cleaning products, fuel company vehicles, use paints or glues? How do you dispose of electrical equipment? Is it in line with the Waste Electrical and Electronic Equipment (WEEE) Regulations 2013?

Remember that these can originate at a local, regional, national, or even international level depending on the activities of your company. If you don’t know that a specific item of legislation exists, you will very likely not meet the requirements of the legislation.

Determine how these obligations apply to your organisation
Equally as important as knowing that a law exists that could be applicable to your environmental aspects is knowing if it actually applies to your situation and, if so, what obligations it places upon you. Whilst there is no formal requirement to have a legal register as such, the standard requires that documented information regarding compliance obligations is maintained.

So, once you have determined your compliance obligations, now you must evaluate your compliance. Here you must plan and implement a process to evaluate if you meet the environmental, legal and other requirements that are applicable to your business. In our COSHH example above, if you answered ‘yes’ to any of those things listed the chances are you’ll need to perform a ‘COSHH assessment’. This would be how you would demonstrate compliance.

Your compliance evaluation process needs to include:

• Frequency of compliance evaluation: How often you are going to check to see if you meet the requirements of a particular item of legislation will vary, but your process needs to determine how often you will check each level of compliance. For example, you may need to continually check the make-up of effluent that you discharge into the sewage system, but you may only need to periodically check on how well you are diverting recycling from your landfill waste.
• Evaluate compliance and take action: As an organisation, you need to make an assessment against the applicable regulations or other commitments to see if you meet these requirements, and take any actions necessary to become compliant if you are not.
• Maintain the status of your compliance: In other words, always know if you actually comply with your legal requirements. If a requirement changes, you need to know about it and know if the change affects your compliance. If you make a change in your facility, you may need to evaluate whether you continue to meet all requirements, both during and after the change, even if you are not yet due to evaluate this according to your regular schedule.

These are two important concepts in ISO 14001, and next week we’ll be looking at another important part of the standard, namely how you undertake measures for emergency preparedness and response.

ISO 14001 has become the de facto standard for designing and implementing an environmental management system.

An environmental management system - often called an EMS - needs to be tailored to your particular company, because only your company will have the exact legal requirements and environmental interactions that match your specific business processes.

However, the ISO 14001 requirements provide a framework and guidelines for creating your environmental management system so that you do not miss important elements needed for an EMS to be successful.

A brief history of ISO 14001

In March 1992, the British Standards Institute (BSI) published the world’s first environmental management systems standard, BS 7750, as part of a response to growing concerns about protecting the environment. Prior to this, environmental management had been part of larger systems such as ‘Responsible Care’ (a voluntary initiative developed autonomously by the chemicals industry in Canada). BS 7750 supplied the template for the development of the ISO 14000 series in 1996.

Prior to the development of the ISO 14000 series, organisations voluntarily constructed their own Environmental Management Systems (EMS), but this made comparisons of environmental effects between companies difficult: therefore, the universal ISO 14000 series was developed.

An EMS is defined by ISO as: “part of the overall management system, that includes organizational structure, planning activities, responsibilities, practices, procedures, processes, and resources for developing, implementing, achieving, and maintaining the environmental policy.”

Why you should use ISO 14001:2015 as your Environmental Management System

ISO 14001 is an EMS which provides a structure for measuring and improving your environmental impact. The areas you’ll need to look at would be:

• Developing an Environmental Policy
• Risk assessing your processes and identifying environmental aspects and impacts, and significant environmental impacts that the organisation may cause
• Identifying environmental compliance requirements
• Creating and maintaining a Legal Register to show that you are monitoring and complying with current environmental legislation and regulation changes
• Developing objectives and targets, and their environmental management programmes 
• Defining resources, roles, and responsibilities for environmental management
• Developing competence, training and awareness
• Creating communication processes to stakeholders and interested parties
• Developing operational control processes
• Developing emergency preparedness and response procedures
• Developing processes to monitor and measure operations that can have significant impact to the environment
• Developing processes for management review by senior management

ISO 14001 enables companies to put in place an effective environmental management system which is designed to address the balance between a company’s environmental impacts while maintaining profitability.

Common requirements between ISO 9001 and ISO 14001

When you implement an ISO 14001 management system you’ll find that the requirements are very common between the ISO 14001 and ISO 9001 standards. Both require you to:

• Look at the context of your organisation
• Demonstrate leadership and commitment
• Have a company policy (one for Quality and the other for Environment)
• Demonstrate organisational roles, responsibilities and authorities
• Demonstrate planning, including actions to address risks and opportunities
• Have objectives with a plan on how to achieve them
• Show appropriate and adequate resources to implement your management system
• Show competence
• Demonstrate awareness across your organisation
• Use effective communication both internally and externally
• Have control of documented information
• Demonstrate operational planning and control
• Use performance evaluation (e.g. internal audit and management review)
• Show improvement measures (e.g. nonconformity and corrective action and continual improvement)

However, ISO 14001 has three distinct requirements in addition to the above:

• Environmental aspects
• Compliance obligations and evaluation of compliance
• Emergency preparedness and response

We’ll go into more detail about these over the coming months, so if you’re considering getting ISO 14001 then stay tuned!

This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

• Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
• Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
• Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
• Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
• Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

The first and most important thing to understand is how often you need to audit your systems. There is a myth out here that you need to audit your entire ISO Management System every year, and it is just that a myth, you do not!

The wording in pretty much every standard is now the roughly the same, the key wording being: “The organisation shall conduct internal audits at planned intervals to determine……” There is nothing there about every year it just says planned intervals. Planned intervals just means that you should have a documented planned frequency for auditing your system, it maybe you decide you want to do it all within the 3-year cycle of your certification but again you do not actually have to (you should, but you do not have to).

In all the newer revisions of the ISO Management System Standards, right at the very start of them they all talk about taking a risk-based approach to your compliance system. That means throughout your entire ISO9001 Quality Management System or ISO14001 Environmental Management System or even your ISO27001 Information Security Management System you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it.

Grouping things into a risk category does not need to be complicated, keep it simple and allocate each on a simple rating in terms of the impact each one could have on the performance of your ISO Management System, the possible impacts on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:

• Low – As required i.e. you may audit once in the 3 years or more frequently if something pops up
• Medium – Audit Every Two Years
• High – Audit Every Year
• Critical – Audit Multiple Times Per year

In terms of things to consider when deciding that risk level, you could use the list below as a good starting point, you should also factor into your thinking when you are deciding if you need to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):

• Level of non-conformances within / linked to that process.
• Customer complaints
• Any business risks / hazards
• Importance of the process on your product or customer
• Previous audit results (internal & external)
• Organisation changes e.g. key personnel changes.

A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process therefore maintaining impartiality.

Regardless of the industry, companies face increasing competition with each passing day. Whether you’re a massive enterprise, or a small startup, monitoring and maintaining operational efficiency has never been more important. Consequently, internal audits have grown to become an essential component of a business’ success.

The dynamic pace of today’s business landscape also means that failure to effectively evaluate and manage risks has the potential to ruin any organisation.

If your clients or end users expect products or services that are secure and compliant, you will need to ensure that you’re making the most of internal audits. 

Simply put, an internal audit is an independent activity designed to objectively evaluate the effectiveness of an organisation’s internal controls, risk management and governance. It is typically pre-emptive in nature and aims to uncover any discrepancies between operational processes and their intended purpose.

Upon completion of the internal audit, a detailed report is provided to management, outlining the findings alongside any recommendations. By including activities that affect businesses from top to bottom, internal audits go beyond your organisation’s internal processes: they’re concerned about the overall wellbeing and success of your organisation.

So internal audits are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest.

Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

• Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
• Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
• Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
• Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
• Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

Another shameless plug here - The Ideas Distillery offers a comprehensive, objective auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process. 

There's no getting around it - an ISO 9001 certification will require time, effort and improvement from many areas of the business. However, the steps that must be taken are worth it for any company. The whole point of putting in a quality management system is that it will benefit business owners, employees and customers alike.

If you are considering becoming ISO 9001 certified, it's important to learn as much as possible about the certification and about the process. Rather than simply leave everything to a consultant, it's always a good idea for you to know exactly what you must do to get the certification.

In simple terms, ISO 9001 requires organisations to ‘say what they do, and do what they say’. They ‘say what they do’ by detailing their operating procedures, explaining how quality is monitored and controlled. They must then demonstrate that they ‘do what they say’ as they operate their quality systems. This usually involves keeping records of quality checks, tests and other activities, so that the system can be audited.

In previous iterations of ISO 9001 (before 2015) there was an emphasis on writing down your operating procedures and having a written manual detailing how your quality management was monitored and controlled. No longer - the 2015 standard has a distinct absence of the terms “documents” and “records”.

Documented information is a means by which an organisation demonstrates compliance. It communicates what we do and how we do things, it communicates what happened and what results were achieved. It is, essentially, a tool for communication.

There are many different formats in which communication can happen and ISO 9001:2015 makes allowances for organisations to use what suits them best. Documented information can be in any format, any media, from any source.

While some may be wedded to pieces of paper, the medium used can be anything: paper, electronic, photographic, samples, etc. The possibilities are not quite endless, but certainly varied. If an organisation would find it useful and appropriate, a wall-painting or mosaic may also achieve the required result!

Organisations are not obliged to relegate their quality manuals and documented procedures to the dustbin. While there is no requirement for an organisation to have or use either, where such documentation exists, and is of use to the organisation, they should continue to use it.

I still believe in an organisation having a Quality Manual, even though this is not a requirement under the standard. My experience shows that a good Quality Manual can be a vital a tool when referred to properly throughout an organisation - if it’s just a tome which sits on a shelf gathering dust, the only purpose of which is to satisfy the requirements of a standard (as far too many used to be), then this is clearly a waste of time and effort. 

But I find that the benefits of having a Quality Manual are wide and varied and applicable to most businesses. They:

• Communicate management’s expectations to employees
• Demonstrate the organisation’s plan to conform to the standard
• Demonstrate that organisational roles, responsibilities, and authorities have been assigned, communicated, and understood
• Provide company context for internal and customer requirements (you need to consider the needs of your own company and your clients or customers in setting up your management system - yes, this is a requirement of the standard, but it also makes fundamental business sense)
• Guidance in increasing efficiency and improving processes
• Guidance on having clear and concise communication throughout the organisation’s documents and between functions or departments
• And yes, not a main reason but certainly a useful by-product, it makes audits easier (both internal and any external ones you might have) as it shows how you are aiming to comply with each clause of the standard

This will really help you as your system will consist of the following elements and a properly-managed Quality Manual will help to keep tabs on things:

• a quality plan, and written Quality Policy which is understood, implemented and maintained at all levels of the organisation;
• a definition of the responsibilities of all those who affect quality (an organisation chart is a good idea here);
• a review of accepted orders to ensure that customers’ requirements are clear, and procedures which control the design of goods or services to ensure that these requirements are met;
• procedures to ensure that purchased goods and services conform to the requirements of the organisation and that their progress can be traced through to delivery;
• systems that ensure the suitability for use of any materials or services supplied by a customer;
• demonstration that processes are carried out under specified conditions;
• the control, calibration and maintenance of all measuring and testing equipment;
• a system which identifies and segregates all non-conforming goods and services and which specifies corrective action and identifies root causes for these;
• processes for any servicing operation to document and verify that it satisfies customers’ requirements;
• records which provide objective evidence that the work is being carried out in accordance with procedures and customers’ requirements;
• processes which identify training needs and carry out and record training for employees
• the use of statistical techniques;
• self-policing through internal audits and reviews (e.g. Senior Management meetings).

That's it for this month, next month we'll be taking a look at how internal audits work.