The Ideas Distillery

LEARNING THE COVID LESSONS - WITHIN EVERY RISK THERE'S AN OPPORTUNITY

7/6/2020

COVID risks and opportunities
The story of the COVID-19 pandemic is far from over. But even though it will, in all probability, end, the ‘new normal’ it has been responsible for could last for months, years, or indefinitely. What is beyond doubt, however, is that businesses will have to start planning for the effects of pandemics in a way they’ve never done before.

You won’t have failed to notice that, although there have been some dramatic losers over the past few months (think hospitality, airlines, high street retail), there have also been some big winners (think technology companies, especially videoconferencing ones, online shops and supermarkets, healthcare suppliers).

At The Ideas Distillery we help companies put in place management systems such as ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health and safety) and ISO 27001 (information security). Even though these are quite differing and disparate disciplines, all four have one important thing in common.

They are all classed as ‘risk based’ standards, which is to say that they all require you to assess the risks to your business and build your system accordingly. Recognising risk and putting measures in place to control and mitigate these risks are central tenets.

But what is most interesting about this risk assessment process is that it also, simultaneously, gets you to consider any opportunities associated with the risk.

You see, ISO management systems consider that risks also have a positive side - opportunities. That’s because within every risk lies an opportunity.

So when lockdown made everyone stay indoors, the watch-word for business was ‘pivot’ - how could a business adjust what it did in normal times to fulfil a need in, well, frankly, very abnormal times. Some did it successfully, others less so - either the perceived need wasn’t there, or the business didn’t have the necessary infrastructure, funding, competence, (fill your own diagnosis in here), etc to carry it off.

But, of course, if they had had a properly researched plan with the necessary contingencies that they could have put into action almost immediately, using a finely-honed management system, then things might have been different.

I know this may sound like sage advice once the horse has bolted and run far away over the hills, but a pandemic is just one business risk that has the ability to close even the best-run company overnight (indeed a pandemic hasn’t been a far-fetched scenario in business risk circles for quite a few years given the swine flu, bird flu and SARS scares of recent years).

Let’s just take a look at two immediate risks in the wake of the pandemic (which is, of course, still going on):

  • A collapse in supply and demand leading to mass unemployment and a recession/depression
  • The need for an entirely new business model for many companies as social distancing remains for months if not years to come

Both are clearly the worst type of business risk. But are there opportunities? Can you be a market disruptor? Can you make use of existing resources - your people and their skills, any intellectual property, systems and technology, or capital you might have?

Just some tips - a quick scan of trends using Google finds that anything to do with wellbeing - from vitamin supplements to exercise equipment - is big business as people start to value their health. Distance learning (or e-learning) is also becoming a juggernaut!

But the big takeaway is to take a risk-based approach to your business planning. There’s still much that can happen (don’t forget there were many businesses still recovering from flooding right before the COVID outbreak), and we’re still living in a climate-changing world with resources getting ever-scarcer.

You could do much worse than to look at adopting an ISO standard and using some tools to really get you thinking about how you might more effectively ‘pivot’ when the next crisis hits. Hopefully it won’t be for a long time yet, but then you never know…


How ISO 14001 can help you to tackle climate change

6/25/2020

The world has only until 2030 to stem catastrophic climate change - but can companies be part of the solution? And, if so, how?

A report published by the UN Intergovernmental Panel on Climate Change said that “rapid, far-reaching and unprecedented changes in all aspects of society” are needed to avoid disastrous levels of global warming.

Whilst often seen as culprits, businesses can actually set a positive example.

What is ISO 14001:2015?

ISO 14001 enables companies to put in place an effective environmental management system, and is designed to strike a balance between managing a company’s environmental impacts and maintaining profitability.

Environmental issues are growing in prominence; energy efficiency, environmental compliance, environmental impact, and carbon footprint are widely discussed. In implementing an environmental management system, companies can effectively control these issues, and ensure that they are fully compliant with environmental legislation.

They also join in the fight against climate change. Being ISO 14001 certified proves to stakeholders, customers, suppliers etc. that you are environmentally credible.

So what’s the link between ISO 14001 and climate change?

One of the major challenges that face us all is that of mitigating and adapting to climate change. Internationally, work has progressed from the formation of the United Nations Convention on Climate Change (UNFCCC) to the Paris Agreement, which came into force on 4 November 2016.

Under the Paris Agreement, countries agree to hold the global temperature increase due to the increase in greenhouse gas (GHG) emissions to below 2 °C, aiming at 1.5 °C. This commitment is realised through a commitment at national level to reduce national GHG emissions. Additionally, countries agreed to support action to adapt to the consequences of climate change.

For users of ISO 14001 the question is 'How does ISO 14001 help organisations to mitigate and adapt to climate change?' The diagram below shows the link between key clauses in ISO 14001:2015 and climate change mitigation and adaptation. It shows that users of ISO 14001 CAN address climate change challenges through their management system:

[Diagram: links between key clauses in ISO 14001:2015 and climate change mitigation and adaptation]

ISO 14001 deals with the need to adapt to any change in environmental conditions and hence includes matters such as the need to adapt to other environmental consequences which are not due to climate change, for example loss of ecosystem services and biodiversity.

Additionally ISO 14007 and ISO 14008 help companies provide a ‘value’ and ‘determine the costs’ for the GHG they emit and to ‘determine the cost benefit’ in their company for any action they take to adapt to climate change. 

So UN Sustainable Development Goals - can ISO standards help? Yes!

Eight out of 17 UN SDGs directly link to the focus of ISO 14001, such as those related to clean water and sanitation; affordable and clean energy; decent work and economic growth; industry, innovation and infrastructure; responsible consumption and production; climate action; life below water; and life on land.

The UN SDGs cover both mitigation of environmental impacts and adaptation to changes in the environment – both topics are covered by ISO 14001.

Four out of 17 UN SDGs – while relating to human and social issues – are areas where ISO 14001 contributes by, among other things, reducing harmful emissions and so reducing the impact on human health, as exemplified by the goals on zero hunger and no poverty.

Which UN SDGs and targets may be considered by a company using ISO 14001 will depend on many and diverse factors such as what the organisation does, its resources and its overall business aims.

How does ISO 14001:2015 support achievement of UN SDGs?

ISO 14001, in relation to environmental matters, covers issues such as:

Protecting the environment
  • commit to proactive initiatives to protect the environment from harm and degradation;
  • protecting the environment can include prevention of pollution, sustainable resource use, climate change mitigation and adaptation, protection of biodiversity and ecosystems, etc.

Environmental performance
  • continual improvement focused on improving environmental performance

Lifecycle perspective
  • extend control and influence to the environmental impacts associated with product use and end-of-life treatment or disposal

Strategic Environmental Management
Increased focus on environmental management within your company’s strategic planning processes and on understanding your context, with a focus on:

  • needs and expectations of interested parties (including compliance obligations)
  • local, regional or global environmental conditions that can affect, or be affected by, your company
  • actions to mitigate adverse risk or exploit beneficial opportunities are integrated in the Environmental Management System (EMS)
  • Leadership - promoting environmental management within your company

If you run a business and care about climate change and - more importantly - want to do something about it, then getting and effectively operating ISO 14001 is definitely for you!

Getting your workforce back to work safely after COVID-19

6/5/2020

As isolation is eased and people return to work, governments across the UK are requiring organisations to complete risk assessments as part of the permission to resume normal service.

Health and safety law requires employers, who continue to operate under current circumstances, to do ‘what is reasonably practicable’ to protect their staff and members of the public.

As an employer, you’re required by law to protect your employees, and others, from harm. Under the Management of Health and Safety at Work Regulations 1999, the minimum you must do is:

  • identify what could cause injury or illness in your business (hazards)
  • decide how likely it is that someone could be harmed and how seriously (the risk)
  • take action to eliminate the hazard, or if this isn’t possible, control the risk

Assessing risk is just one part of the overall process used to control risks in your workplace.

To fulfil this duty in addressing the risk from COVID-19 all companies must review their risk assessments and put in place measures to ensure the guidance available from their respective governments (in England, Northern Ireland, Scotland and Wales) is implemented.

Risk assessment covering exposure to Covid-19 will be different from one organisation to another. Healthcare workers, retail cashiers, home delivery drivers, utility engineers and construction workers have different exposure to this risk. 

A risk assessment should recognise the virus as a hazard. It should also reflect that the virus is spread in minute water droplets that are expelled from the body through sneezing, coughing, talking and breathing. 

The virus can be transferred to the hands and from there to surfaces. It can survive on surfaces for a period after transfer (depending on such things as the surface type, its moisture content and temperature). The risk assessment should conclude that if it is passed from one person to another, while many survive infection, some may die from the disease. It should be regarded as a high hazard.

The safety hierarchy of control can serve you well in considering what can be done. Any mitigation controls devised and implemented must reduce exposure of employees and anyone else who could be infected by your employees. 

Control considerations must include identification of those who may have the disease, preventative measures and what to do if you find that an employee has contracted the disease. In other words, there may be elements of management systems design to think about. Decisions about what may be done must be realistic and reasonably practicable: achievable given the resources available.

Elimination is the best form of control. Can we eliminate the virus? Only through vaccination, so there is little that can be done by organisations. They are reliant on government response. Organisations should monitor vaccine availability and the priority of their workforce in any future vaccination programme so that arrangements can be made promptly. Social distancing and staying at home are not forms of elimination, but administrative controls.

Next in descending order is substitution: replacing the virus with something less harmful is not possible. Engineering controls place a physical barrier between the person and the hazard, or provide mechanical reduction of the hazard. Placing screens between people (e.g. cashier points in shops) will interrupt the flow of air from one person to another and therefore provide protection.

Providing ventilation is also an option. Recent research has shown that downward ventilation onto a patient’s bed considerably reduces the exposure of healthcare workers to infected droplets suspended in the air. Care must be taken if ventilation is to be considered. The fundamental question is where the potentially infected water droplets are ventilated to. It’s no good if they are blown onto other people or surfaces and increase exposure elsewhere. But as a principle it is worthy of some consideration e.g. ask whether the job must be done in a workshop, or can be done outside. 

But then also consider exposure to ultraviolet radiation and other risks. Ventilation is a good control if it takes infected air away from people and transfers it to somewhere where the virus will not do harm.

Administrative controls provide the best options for most organisations. The risk assessment must consider how you will keep the workplace and equipment clean, adjust your working practices and ensure people are safe.

As an ISO consultancy, we obviously place a big focus on taking a risk-based approach and on the assessment of risk, evaluating the effectiveness of control measures, complying with regulations, legislation, etc.

As businesses start to mobilise they’ll have the twin issues of new, immediate significant risks which will have arisen due to the pandemic alongside dealing with budget constraints and limited compliance resources.

We’ve been helping businesses in these scenarios, assessing their risk and conducting a review with the aim of identifying core compliance requirements. Much of this has been driven by their own clients requiring supply chains to undertake a proper Risk Assessment of current working arrangements. 

Significantly, the crisis may have caused companies to find new suppliers that have not been fully vetted due to time pressures. Likewise, the pandemic may have caused substantial risks to employee safety associated with reopening businesses, such as effective social distancing. This emerging risk will likely call for the development of new policies and procedures that will require close oversight by senior management.

Our review will usually entail a historic review of internal procedures and controls to identify past activities or other problems to determine where the biggest risks reside. At this point we undertake a detailed COVID-19 Risk Assessment. External industry risks such as enforcement actions are considered as well.

But for those businesses who simply want to undertake their own detailed assessment, we are giving away the template we use for free. You can simply download it here.

There is no catch, we won’t ask you to sign up for anything, simply download, conduct the Risk Assessment and get back to work!


Surviving the COVID-19 economic fallout: should you be outsourcing your ISO compliance?

5/22/2020

Businesses surviving COVID-19 ISO compliance
Millions of people around the world have lost their jobs amid the current Covid-19 crisis - it is a crisis within a crisis. The long-term economic impact is yet unknown but will surely be deep.

What is not in doubt is that the economic strain on companies of all sizes across the UK and the rest of the world will be here for the foreseeable future. Manufacturers have closed plants, stores are shut, and consumer demand has collapsed in many sectors.

Research by the Institute for Social and Economic Research at the University of Essex has found that more than 6.5 million jobs could be lost due to the economic fallout from the UK’s coronavirus lockdown, about a quarter of the UK’s total jobs.

A simply staggering number of companies have plunged into administration, from stalwart high street brands to major travel agents, as well as a whole raft of businesses in sectors such as construction. The true toll is only just beginning to be understood.

So it’s no surprise that companies which are still managing to keep their heads above water will be starting to look at deep cost-cutting measures in the short- and medium-term. With profit centres being hit like never before, cost centres such as ISO compliance will undoubtedly have fewer resources until the economy turns around.

What does this mean for the ISO compliance functions of companies that are struggling?

In practical terms, they will have to make risk-based decisions about how to allocate the limited resources that they have. And one important thing to think about is how you can use the expertise of companies such as The Ideas Distillery to outsource your compliance tasks cost-effectively with little overhead.

Certification Bodies have recognised, for the moment at least, that the world has changed significantly. Just about all have turned to ‘remote auditing’ as a way to still service clients while still respecting the lockdown. There has also been the option of postponing for up to six months in many circumstances, although this option is now starting to wind down.

Any company’s priority will simply be to put themselves in a position to survive the crisis. So when dealing with budget constraints and limited compliance resources, flexibility and creativity will be key.

For our part, when we are helping businesses in these scenarios, we always assess risk and conduct a review with the aim of identifying core ISO compliance requirements. This often entails a historic review of internal procedures and controls to identify past activities or other problems to determine where the biggest risks reside.

External industry risks such as enforcement actions brought against competitors should be considered as well, along with identifying low-risk areas where there have been few incidents or problems.

But more significantly, we help companies to determine if new, immediate significant risks have arisen due to the pandemic. Another emerging risk may exist in a company’s sales department, for example, perhaps due to the pressures of bringing in new business. This may be an area that leads to an increase in customer complaints as things are missed.

The crisis may have caused companies to find new suppliers that have not been fully vetted due to time pressures. Likewise, the pandemic may have caused substantial risks to employee safety associated with reopening businesses. This emerging risk will likely call for the development of new policies and procedures that will require close oversight by senior management.

For more information - and to see how we can help - just get in touch with us in any number of ways using our Contact page.


HOW TO SET UP AN ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM

5/14/2020

Achieving certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether the data you are handling is adequately protected.

Information is the lifeblood of any business – this is especially true if your clients have entrusted their valuable data to you. Maintaining an information security management system (ISMS) is the most effective way of reducing the risk of suffering a data breach.

An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected.

There are a whole host of benefits to getting ISO 27001, such as demonstrating credibility when tendering for contracts, showing you are taking cyber security threats seriously, and avoiding fines and penalties.

We identify the key requirements of ISO 27001 for you and provide a top-level route map for a successful ISMS implementation in your organisation. We will outline a structured approach to implementation based around:

  • Planning. Defining the scope of the ISMS. Undertaking a Gap Analysis to assess management system requirements and controls currently implemented. Defining your information security policy. Creating a network map to identify all of your organisation’s devices that are connected, as well as their functions. Producing a data map in respect of all personal data held/used by your organisation.
  • Creating a list of relevant risks that would compromise the confidentiality, integrity and availability of your information.
  • Defining a systematic approach to risk assessment. 
  • Carrying out risk assessments to identify and evaluate information security risks. 
  • Identifying and evaluating options for the treatment of these risks. 
  • Selecting, for each risk, the controls to be implemented.
  • Preparing a statement of applicability (SoA).
  • Formulating a risk treatment plan for approval by risk owners. 
  • Meeting your organisation’s ongoing legal, regulatory and contractual obligations through a Compliance Legal Register and Key Issues Newsletter.