Here is a webinar we lead for ASSP on Covid-19 recently. The webinar discusses how organizations can use occupational health and safety management system audits and the corrective action process to respond to Covid-19 challenges.
Leadership commitment to a management system is critical to its performance. Encouraging support is sometimes challenging. The management review process required by ISO management system standards can help gain leadership commitment.
Do’s and Don’ts
Coordinate management review with management other business review meetings. Conducting “management review” during regular business review meetings gives the sense that the management systems is part of the overall business. Management reviews conducted infrequently and apart from the other important business management meetings leads to a silo-ed perception of the management system.
Make management review value added. Ensure the information being presents is actionable by leadership. Give them a few choices for recommendations with supporting information and ask them to decide. They will appreciate your opinion and recommendations to help make decisions.
Do the Math and Have Backup.
Defend your recommendations for improvement with cost and return on investment information. Showing leadership how the management system helps save and even makes money, contributes to their support and commitment.
Take Good Notes
Recording leadership decisions during the management review helps ensures follow-up. Records of management review are also evidence of their leadership commitment, especially during audits.
Timely Management Review Follow-up
Follow-up on management review recommendations in a timely fashion and report on progress at the next management review opportunity. This will enhance leaderships perception of the management system, their support and commitment.
Management Review Frequency
Most organizations perform periodic reviews of the business performance to make sure things are going along smoothly and to make any course corrections needed. Integrating the ISO system management review with these regular business review meetings will help ensure that:
- Management system performance issues are addressed in a timely fashion
- The management system is integrated with all other business processes
- Timely information is provided to leadership to help make important business decisions
Management Review Inputs
Management review meetings should not necessarily address all management review inputs during each meeting. Management review inputs that should be reviewed at every management review include:
- Follow-up from previous management reviews
- Status of actions from previous management reviews;
- Status of corrective actions and incident investigation
- Progress toward achieving objectives.
Management review inputs to be reviewed less frequently and as needed such as
- Customer Complaints and interested party concerns
- Changes including new compliance obligations
- Adequacy of resources
- changes in risks and how they are being addressed
- Audit results
Management Review Outputs
The purpose of management review is to ensure the management system is able to achieve it intended outcomes. The outputs of management review are an important part of the Act part of the Plan-Do-Check-Act continual improvement cycle. It is where leadership has the opportunity to review the information generated in the “Check part of the PDCA cycle and intervene (Act) and continually improve the management system
Records of management review are the notes of the meeting (output notes). They are required by all ISO management system standards. Outputs are what leaderships asks the organization to do to improve performance. These records are also excellent evidence of leadership commitment during third party audits.
The goal of management review is to provide information to leadership that it can act on. Planning and conducting good management reviews will enhance leaderships opinion and support of the management system.
The ISO High-Level Structure (HLS) is the basis for all management system standards and is now being revised by ISO. These changes will affect all management system standards. Users of ISO management system standards such as ISO 14001, 9001 and 45001 will need to evaluate how these changes will affect the organizations ISO management systems.
Introduced in 2012, the HLS was created to help better integrate quality, environmental and health and safety management systems. Prior to its introduction ISO 9001 had a different structure that ISO 14001 that complicated integration of the management core processes such as corrective action and management review. The HLS solved that problem. The revision introduced a new name for the HLS and it is now called Annex L, Appendix 2.
The revision will also introduce guidance on use of the HLS for standard writers and users. This guidance is called Annex L, Appendix 3. Both Annex L, Appendix 2 and 3 will be combined as a table.
Appendix 2 is in the final stages of an initial “limited” revision and not yet available to the public. Appendix 3 is in mid-stage revision and should be approaching the final stage later this year.
Here are a few of the most important changes to Annex L, Appendix 2 from the “limited” revision:
Definition of Risk
A lengthy debate is ongoing within ISO about if a revision to the definition of “Risk” is needed. “Risk” is currently defined in the HLS as “the effect of uncertainty”. Some within ISO argue that a better definition is “the effect of uncertainty on objectives“.
Others fear that the addition of the words “on objectives” to the definition of risk will cause confusion in standards like ISO 9001, 14001 and 45001. They believe this because these standard have a specific requirement to create measurable “objectives” within the management system.
The debate over the definition of risk has lead to several proposals including eliminating the definition of risk entirely from the HLS. A subgroup has been assigned the task of sorting this difficult issue and the results will be reflected in a future revision of the HLS. For now however the definition of “risk” will remain as it is in the HLS.
Expected Outcomes Vs Results
The previous version of the HLS used the term “expected outcomes” to describe the results organizations should expect from its ISO management system. Some users found the term “expected outcomes” confusing so it has been changed to “expected results”. The change was also made to simplify translation to other languages.
The old HLS used the term “outsourced processes”. Manufacturers sometimes send their products to other organizations who perform specialized processes like heat treating or electroplating. This relationship between organizations was called “outsourcing” in the previous version of the HLS. The concept of “outsourced processes” however does not apply as well to other disciplines such as environmental management or health and safety management systems.
The term “external provider” is now being used in place of outsourced process. This change has been made in response to several comments that found the term “outsource” unclear. The use of external provider clarifies that outsourced, contracted, and purchased products, services and processes all need to be controlled by the management system.
The use of the terms “maintain” and “retain” to describe what needs to be done with certain types of documents in the management system has been replaced with the term “shall be available”. This change has been made to avoid confusion between maintaining and retaining documented information. This change is not expected to impact organizations with mature document control process and management systems.
This part of the HLS has been substantially reorganized. The title of 9.2.1 was changed to General and 9.2.2 Internal Audit Program has been added. This change has been made for ease in understanding. Now the two distinct concepts covered in the paragraph (what an audit program entails and what should be considered when establishing an audit program) are listed separately.
Effects of the Annex L, Appendix 2 and 3 Revisions (Whats Next?)
The revision of Annex L is not expected to have a significant immediate effect on ISO standards or ISO management system audits. The revisions will not requires revision of any of the ISO management system standards until these standard are revised and updated as required by ISO. However, organizations in the process of implementing an ISO management system or integrating a new discipline specific standard such as ISO 45001 into an existing management system structure, should anticipate that these changes will appear in future revisions of ISO management system standards.
We recently participated on the leadership team for the United States Technical Advisory Group (US TAG) for the Development of the new ISO 45001 standard for Occupational Health and Safety management systems.
The purpose of the week long meeting held at the ISN headquarters in Dallas, TX was to disposition over 800 comments on ISO/DIS 45001. The US TAG successfully dispositioned all of the major issues and many of the individual comments. Our role at this meeting was as co-chair of a subcommittee with Vic Toy for Clause 6 – Planning. Our section had 157 comments to review and decide how they would be addressed.
The meeting was attended by about 70 participants representing business, organized labor and government. Major issues addressed during the meeting included questions and comments like:
- Should organizations be required to use the hierarchy of controls when reducing risk?
- Does redundancy add clarity or confusion (frequent references to workers and worker representatives)?
- Should organizations be required to assess risk to the management system (other risks) or is this already addressed by the clauses of the standard?
- When must workers be asked for an opinion (consultation) and when must workers have authority to influence decisions made by management about risk control and other management system issues (participation)?
We have posted some articles about the following on our website blog if you are interested in learning more about these important issues.
- ISO 45001 – Hierarchy of Controls
- ISO 45001 – Other Risks and Other Opportunities
The public comment period in the USA is now open until April 1, 2016 so if you are in the USA and your organization would like to submit comments for consideration send me an email to firstname.lastname@example.org and I can help you get the comments to the right place. Also please feel free to call or email with any questions about ISO/DIS 45001.
ISO 14001 and OHSAS 18001 are undergoing significant change intended to improve these standards. The new ISO High Level Structure will align all ISO standards along a common management systems structure and promote integration. The recent US Technical Advisory Group meeting in Orlando, Florida was a particularly enlightening conference for us where US TAG members were able to share their ideas of the way the HLS applies to EHS management Systems.
An important part of the revision processes is being able to communicate to current and new users how the standards are changing and how these changes will affect an existing EHSMS. This diagram represents how we at ECSI see the developing changes to ISO 14001 and ISO 45001 and the relationships between some of the important clauses of the revised standards.
We are interested in understanding how users of the EHSMS standards feel about the changes and what information they need to begin to plan for the changes to their EHSMS. ECSI will be conducting a short, one hour webinar Tuesday, April 22, 2014 from 10am-11am Central Standard Time. The purpose of the seminar is to provide the current state of the revision process and to discuss how we see the EHSMS standard revisions progressing. If you are interested in participating in one of these webinars send us an email to email@example.com and we will reply with the logon instructions.
Over the last two decades practicing as an ISO 14001 auditor, consultant, and teacher, I have found that many individuals and organizations misunderstand the intent and meaning of the terms “significant environmental aspect” and “significant environmental impact.” With the revision to ISO 14001:2004 well under way, perhaps now is a good time to attempt introducing language or definitions into ISO 14001:201x that will help individuals and organizations better understand the term “significant”, and the distinction between the terms “aspect,” and “impact.” Such clarity would enable individuals and organizations to better interpret what exactly must be done according to the standard. This confusion in meaning is understandable because, at least in the English language, there are several definitions or “senses” or “subsenses (meanings in specific contexts) of the term “significant.” The senses or subsenses that are applicable within the context of ISO 14001 can be found in the MerriamWebster Collegiate Dictionary (Tenth Addition) as follows:
2 a: having or likely to have influence or effect: IMPORTANT <a significant piece of legislation>; also: of a noticeably or measurably large amount <a significant number of layoffs> <producing significant profits>
In order to fully comprehend this definition, you need to refer to the Explanatory Chart and Explanatory Notes at the beginning of the dictionary, which describe the meaning of the numbers (2), something called a “sense number”; the small letters (a), which are “sense letters”; the colon (:), which is used to separate two or more definitions of a single sense; and the italicized word “also,” which is called a “sense divider” and is used to introduce a meaning that is closely related to but may be considered less important than the preceding sense. If a capitalized word is used to define a sense of the word, that capitalized word, in this case IMPORTANT, is defined as a synonym of the term being defined.
The sense number 2 definition of the term “significant” has several subsenses with different meanings. One of these subsenses means “important.” The other means “a noticeably or measurably large amount.” What has happened over the years with the interpretation of ISO 14001 is that many individuals and organizations have applied only the second subsense of the term – “a noticeably or measurably large amount,” – when they are determining which environmental aspects they consider significant. They ignore the other, and arguably more important, subsense of the term – “IMPORTANT.”
The effect on an organization’s Environmental Management System of only considering the part of the definition of “significant” that means “a noticeably or measurably large amount“ has been that an organization typically excludes from its list of significant environmental aspects those that are “important” to them for reasons other than their being “a noticeably or measurably large amount”. This typically includes environmental aspects for which the organization has established operational controls (work instructions) to ensure that the environmental impact of the significant environmental aspect is controlled to the level desired by the organization.
An example might be waste light bulbs, batteries, and other electronic waste. Although most organizations have procedures for ensuring that these wastes are properly recycled (work instructions or procedures), many do not identify these wastes as significant environmental aspects because they believe the presence of the operational control has reduced the potential impact from these wastes to a point where they do not constitute a “noticeably large amount.” They do not apply the other subsense of the word “significant” with the meaning “important.” Proper management of waste light bulbs is obviously important to the organizations because they have established a procedure (operational control) for ensuring that they are managed in a certain way.
The unfortunate consequence of not including waste light bulbs as a significant environmental aspect is that this important environmental aspect then becomes transparent to the management system. The organization’s performance toward ensuring that waste light bulbs are managed correctly is not routinely measured or audited during internal or other system audits.
To correct this problem the US TAG should consider adding the following definitions to ISO 14001:201x:
3.xx significant environmental aspect The cause of a significant environmental impact
3.xx significant environmental impact The potential or actual environmental effect or risk caused by a significant environmental aspect that an organization intends to manage or is managing through operational controls and/or environmental objectives, targets, and programs
The definition of significant environmental impact above includes reference to “risk,” which is meant to address the risk to the organization, including potential regulatory noncompliance. The result of including the word “risk” in the definition is that organizations controlling an environmental aspect to manage a potential risk of noncompliance will need to identify that environmental aspect as “significant.” Close attention should also be paid to the way in which the terms “significant environmental aspect” and “significant environmental impact” are used in the standard to avoid confusion between these terms. The use of the term significant environmental impact” should be limited compared to the use of the term significant environmental aspect. The term significant environmental impact should be used only in the section of ISO 14001:201x addressing identification of environmental aspects.
Kevin A. Lehner, EMS-LA, CHMM – January 11, 2013
It has been over seven years since we first began helping a medium sized automotive equipment manufacturer in the midwest implement a company wide ISO 14001 EMS. They were getting pressure from their customers to prove they were good environmental performers and an ISO 14001 certificate was the best solution. We helped them with environmental aspects, setting up the EMS and identifying regulatory compliance requirements. As we were completing the project we performed a round of internal audits to check that each facility was complying with the applicable legal requirements.
The Audit Finding
One of the findings of our compliance audit was that at one location, the company was operating unpermitted production painting equipment. The audit team could find no records of correspondence with the State permitting authority about this new equipment. It had been commissioned sometime after an initial Title V permit application had been prepared for the facility. The paint operation was an important part of the manufacturing process and it was not possible to simply shut the process down. Doing so would have resulted in delayed shipment of product and dissatisfied customers.
Although the discovery of this potential noncompliance was uncomfortable news for the organization, at least they now had a better picture of the potential risks they were facing. They examined the process closely and decided that it was time to upgrade. They worked it out with the state permitting authority to replace the old system with a new more efficient paint system.
Over the last several years we have continued to perform periodic EH&S compliance, ISO 14001, and OHSAS 18001 internal audits to support their continued certification to these standards.. During a recent compliance audit at one of the facilities we were delighted to see a new process being installed. It means the company continues to grow but, from an auditors perspective, the stack ducting through the roof becomes a great opportunity to check the EMS effectiveness to control noncompliance risk. As we walked by the new process I could see the auditee cracking a half smile as I asked a few questions about the new equipment and construction underway. He knew where this audit was going.
The audit was actually a combined one-day environmental and OSHA compliance audit so we had a lot of ground to cover in 8 hours. When the audit schedule called for review of compliance with state air emission permits, I asked what they knew about the potential emission from the new process. The audtee said “the process had the potential to emit a hazardous air pollutant at levels requiring permitting before installation of the equipment”. The auditee then produced the construction permit they had been issued by the state? The EMS had worked to help the organization identify the need to obtain a permit, well in advance of beginning construction on the new process.
Discovery of unpermitted emission sources during internal and compliance audits is not uncommon for us even today. Helping organizations identify and manage risks of noncompliance in the short term provides some satisfaction in our work. But having the opportunity to see the results of an effective EMS that we helped implement and, how that EMS has helped manage risks long term, is particularly gratifying.
Skepticism of the benefits of ISO 14001 will continue to linger especially with the uniformed. However, organizations interested in managing environmental risk and becoming more sustainable need to understand how the audit processes, embedded in ISO 14001, can be used to support an organizations sustainability efforts, promote successful outcomes and provide confidence by other stakeholder that environmentally, things are as they should be.
Integration of Environmental Management Systems, (EMS) and Occupational Health and Safety Management Systems (OHSMS) into an EHSMS (Environmental Health and Safety Management System) is the way to go. ISO 14001:2004, OHSAS 2007 are your best choices for models of continual improvement management systems that are easily integrated. Both of these standards share many common elements and integration avoided the confusion of having separate process that address these in the EMS and OHSMS.
Separating the results of environmental aspect identification required by ISO 14001 and the hazard identification and risk assessment required by OHSAS 18001 alos helps avoid confusion. Get some help from an experienced, competent professional when you are deciding how to identify aspects and evaluate hazards and risks. If this part of the EHSMS implementation process is not done with skill, the effectiveness of the EHSMS will be greatly compromised.
Here is a link to a brief discussion about approaches to OHSMS hazard identification and risk assessment.
Skillful performance of concise management review meetings can dramatically improve management’s perception of the value of the EHSMS. The key to successful management review is distilling important information about the performance of the EHSMS to a point where it is actionable by management and presenting this information in a timely manner. Here are a few Does and Don’ts for successful management reviews:
• Use regular periodic general business review meetings to present selected EHSMS inputs.
• Make sure the inputs are concise, well thought out and include recommendations for action.
• Include financial information such as Return on Investment calculations with recommendations.
• Keep a log of the dates each of the required inputs was discussed and records of the details of the presentation and any outputs from management.
• Conduct management review infrequently (only annually).
• Forget to record the results (outputs) of management review
• Ask management what they think should be done. It is the management review presenters’ responsibility to make EHSMS recommendations for improvement upon which management can act.
• Try to cover everything at once.
The following is a brief discussion the Management Review Does:
Use regular periodic general business review meetings to present selected EHSMS Management Review inputs.
Good managers and leaders recognize that organizational change happens in increments. That’s why most organizations conduct regular periodic meetings of the management staff to review important attributes of business performance such as production issues, staffing, financial performance, new predict development and sales. These meetings are used by management to keep in touch with many of the key performance indicators management uses as a basis for deciding what incremental interventions are needed to keep the business healthy and prosperous.
These meetings are a great opportunity for the EHSMS manager to briefly get top managements attention about specific important EHSMS issues and propose potential incremental changes to improve performance. The notion that EHSMS Management Review is only needed infrequently (for some organizations only annually) can result in significant delay in management’s recognition of potential improvement opportunities and delay in realizing the benefits of the improvement. More frequent reviews also keep management informed on the progress of execution of recommended changes (outputs of management review). Figure 1 is a example of how you might create a schedule for performing portions of management review during regulator business review meetings.
If management review is only conducted infrequently top management at the organizations will not know if the interventions they have approved are effective. It may be another year before they get any feedback on whether the recommended improvement was implemented and if it had an effect on performance.
Make sure the inputs are concise, well thought out and include recommendations for action.
Doing more with less is the reality of businesses today. Human resources including management resources are scarce and top managements time is a precious commodity. Therefore it is important to be able to quickly cover the important points about an EHSMS issue in a way that will result in an action (a decision by top management). Make sure that at recommendation for action is included at the end of a brief presentation of the facts of a particular issue. If you simply present the facts of an issue without a specific recommendation management may not act. Proposing a specific recommendation as a potential solution to an issues encourages management to make a decision.
Include financial information such as Return on Investment calculations with recommendations.
Improvements in the EHSMS are good but, if they require an investment of financial or human resources management will likely care a lot about what they will get out of that investment. Putting a monetary value on the benefits in terms of return on investment helps management justify it. Proposed investments in the EHSMS should cash flow within the time period that management would consider for other investments.
The ROI for recommendations for improvements in environmental performance are easier to calculate than health and safety improvements because they are more measureable. Re-lighting a warehouse with energy efficient bulbs is an good example because it is fairly easy to calculate how long it will take to recover the investment.
Calculating ROI for Health and safety improvements is a bit more difficult because it involves estimating the relative risk of something bad happening and the consequences of that event. When presenting health and safety recommendation you should include a recommendation for what risk level should be acceptable and what it will cost to achieve that reduced risk level. Management then needs to decide if the recommend risk reduction is acceptable and worth the investment of financial or human resources.
Keep a log of the dates each of the required inputs was discussed and records of the details of the presentation and any outputs from management.
Records of the results of management review are valuable to show evidence of management commitment to the EHSMS. They can be used to show external auditors the organization is conforming to the requirements of ISO 14001 and OHSA 18001 clause 4.6. They may also be valuable should an incident occur that is investigated by a regulatory agency (USEPA or OSHA) or if there is a civil action involving an injury case.
A matrix or table like Figure 1, showing what parts of the EHSMS were reviewed when (during regular business review meetings) can help you retrieve the records of what was discussed and what decisions were made. Keeping a brief accurate record of the issues discussed and the outputs from management and then linking these records to the dates on the matrix will help in locating specific management review meeting minutes when they need to be retrieved.
Conclusion and Recommendation
The management review part of an EHSMS is a powerful tool which enables incremental improvements in EHSMS performance. Done with skill, management review can improve the perception by management of the value of the EHSMS. Integrating the management review function with normal business review meetings helps management address import EHSMS issues in a timely incremental fashion.
Take a look at your management review process and decide if it is helping sustain the continual improvement process and the effectiveness of the EHSMS. If not, maybe it is time to think about re-engineering the management review process to make it more relevant to the organizations performance improvement efforts.
One of the registrars we audit for has asked us to respond to a few questions posed by a potential audit client. Each question (in bold font) is followed by our response (in italic font). Feel free to share your thoughts here in a comment.
(1) Which one or two areas of the Quality Manual (of the 8 required areas) does your registrar focus heavily on during the initial certification audit and why?
We view the Quality Manual as a road map to the QMS. It describes the core elements of the QMS and provides direction to related documentation. We use this Manual to help us understand how the QMS operates. The Manual is the point of departure while we go about the work of collecting objective evidence to show that the organization is meeting the requirements of ISO 9001:2008. Therefore, the Manual itself is not the focus of our process approach to auditing. Rather, we use it to point us to the evidence of conformance that we need to observe and record during the audit. We do not treat any areas of the Manual as priority. We use the Quality Manual more for navigation of the QMS to help us find the evidence we need to determine the QMS effectiveness at enabling continual improvement.
(2) Which one or two processes of the required six does your registrar focus heavily on during the initial certification audit and why?
All of the QMS processes are important; thus, during our assessment of an organization’s QMS, we focus on all processes, not just a few. If any of the elements of the QMS are absent (unless design is legitimately excluded,) the system will not be effective. It is therefore imperative to view the QMS as a whole when drawing a conclusion about both its effectiveness and its conformance to ISO 9001:2008.
More mature and ready organizations initially focus their attention on the following areas when implementing and registering a QMS:
8.2.3 Monitoring and Measurement of Processes
Organizations should identify the key performance indicators that they use as metrics of the performance of the organization’s QMS. We like to explore these metrics to understand why the organization chose them, how the measurements are made, and how the results of the measurements are conveyed to management.
The ability of an organization to solve problems is another area we like to explore. What are the processes used to solve problems? How does the organization investigate problems so they understand causality? Although organizations are not required to do so by ISO 9001:2008, we like to investigate to what degree they have embraced formal problem-solving techniques like 5Y, 8D, Lean Six Sigma, or others.
An organization’s ability to solve problems is key to continual improvement. However, during an initial audit, it is sometimes difficult to find much direct evidence of the effectiveness of these techniques. Evidence of the effectiveness of the organization’s problem-solving techniques becomes clearer with time, as the organization works through correcting nonconformances or customer-related issues.