CHAPTER 4

Management Systems

Introduction

A management system refers to what an organization does to ­manage its structures, processes, activities, and resources in order that its ­products or services meet the organization’s objectives, such as satisfying the ­customer’s quality requirements, complying with regulations, and/or meeting environmental objectives. Elements of a management system include policy, planning, implementation and operations, performance assessment, improvement, and management review. By systemizing the way it does things, an organization can increase efficiency and effectiveness, make sure that nothing important is left out of the process and ensure that everyone is clear about who is responsible for doing what, when, how, why, and where. While all organizations should benefit from some form of management system, they are particularly important for larger organizations or ones with complicated processes. Management systems have been used for a number of years in sectors such as aerospace, automobiles, defense, and health care.

Organizations implement management systems for a variety of reasons such as achieving business objectives, increasing understanding of current operations and the likely impact of change, communicating knowledge, demonstrating compliance with legal requirements and/or industry standards, establishing “best practice,” ensuring consistency, setting priorities, or changing behavior. Organizations often have more than one management system to deal with different activities or assets and integrate several related operational areas. For example, a customer relationship management system (“CRM”) might be launched to manage relationships with customers. A preventive maintenance management (“PMM”) and financial management systems may be used to preserve the value of organizational assets and human resource management systems merge and integrate the principles of human resource management with information technology. Other management systems focus on managing all relevant areas of operation in relation to a specific aspect such as quality, environment, health and safety, information technology, data security, corporate social responsibility, risk management, and business continuity.

Even though they may not realize it, all organizations have some sort of management system—“the way things get done”—in place. Elements of the system may be documented in the form of policies and checklists, but much of the system is based on unwritten rules and customs. The interest of organizational leaders in management systems is based not only on the desire to understand how things are currently done but also to find out how “things should be done” in order to improve organizational performance. Fortunately, reference can be made to management system standards, such as those promulgated by the International Organization for Standardization (“ISO”) (www.iso.org), which are intended to provide all organizations with easy access to international “state-of-the-art” models that they can follow in implementing their own management systems. Management systems standards are concerned with processes, meaning the way that organizations go about carrying out their required work—they are not product and service standards, although processes certainly impact the quality of the organization’s final products and services.

Many of the ISO standards are intended to be generic, which means that they can be applied to any organization, large or small, whatever its product or service; in any sector of activity; and whether it is a business enterprise, a public administration or a government department. The standards specify the requirements for a management system (e.g., objectives, policy, planning, implementation and operation, performance assessment, improvement and management review); however, the actual format of the system must be determined by the organization itself taking into account its specific goals and the environment in which it operates. ISO standards are available for management systems covering a broad range of topics including quality (ISO 9001, discussed below), environment (ISO 14001, discussed below), medical device quality (ISO 13485), medical devise risk (ISO 14971), information security (ISO 27001 and ISO 27002), business continuity (ISO 22301), supply chain security (ISO 28000), corporate risk (ISO 31000), food safety (ISO 22000), and management auditing (ISO 19011).

Organizations interested in improving their practices with respect to social responsibility, including engagement with their stakeholders, may refer to ISO 26000; however, ISO 26000 is not a management system standard and does not contain requirements. Instead, ISO 26000 explains the core subjects and associated issues relating to social responsibility including organizational governance, human rights, labor practices, the environment, fair operating practices, consumer issues, and community involvement and development. For each core subject, information is provided on its scope, including key issues; its relationship to social responsibility; related principles and considerations; and related actions and expectations. For example, with respect to labor practices, one of the core subjects, organizations are reminded to integrate consideration of the following issues into their policies, organizational culture, strategies and operations: employment and employment relationships; conditions of work and social protection; social dialogue; health and safety at work; and human development and training in the workplace.1

As discussed below, organizations may, and often do, seek and obtain certification by independent outside parties that their management systems conform to the requirements of ISO standards. In lieu of certification, or in preparation for a certification audit, organizations should conduct formal self-assessments on a regular basis that cover quality management system requirements; management responsibility requirements; resource management requirements; product realization requirements (e.g., planning, determination of customer requirements, design and development, purchasing, production, and service provision); and measurement, analysis, and improvement requirements.2

Guidelines for Establishing a Management System

Implementing any management system, regardless of the system’s particular focus (e.g., quality, environment, and risk), is a challenging task. In many cases, reference can be made to published management systems standards available from ISO and others; however, there are certain key activities that should always be considered:

• Identifying and understanding the organizational context
• Ensuring that senior management provides leadership in developing and implementing the system
• Developing a plan for the system that incorporates the risks and opportunities that could influence the performance of the system
• Ensuring that the organization is committed to support the system with the necessary internal and external resources
• Developing, planning, documenting, implementing, and controlling the organizations’ operational processes
• Planning in advance for monitoring, measuring, analyzing, and evaluating the performance of the system

The following sections illustrate how the activities listed earlier might be carried out in connection with the implementation of a quality management system (“QMS”).3 In that situation, the parties responsible for implementation will typically consult and follow the standards in ISO 9001, which is described elsewhere in this chapter.

Organizational Context

Before establishing a QMS it is essential to identify and understand the organizational context by considering both the external and internal issues that are relevant to the organization’s purpose and strategic direction and thinking about the influence these issues could have on its QMS and the results it intends to achieve. An effort needs to be made to monitor information about the organizational context and the impact that changes in context should be considered.

Management must also identify the interested parties who affect or could affect the QMS including parties that affect or could affect the organization’s ability to provide products and services that meet customer requirements and statutory and regulatory requirements. Once the ­parties have been identified, management must monitor and review information about each of them in order to clarify and understand their unique needs and expectations.

Management must define the scope of the QMS by clarifying boundaries and thinking about what the QMS should apply to and then using the boundary and applicability information to define the scope. When defining the scope of the QMS, management should take into account the organizational context of the organization. Management should ­create a scope document for the QMS that describes the boundaries of the SMS, explains what the QMS applies to, identifies the types of ­products and services that will be included the QMS, and makes it clear that every ISO 9001 requirement must be applied unless an exception can be ­adequately asserted. Once the scope document is created procedures should be ­followed to maintain and control it.

Once the scope document is completed the next step is to actually develop a process-based QMS and establish documented information. Management should determine the processes that the QMS needs, the methods needed to manage processes, the resources needed to support the processes, process, responsibilities and authorities, the risks and responsibilities for each process and the methods needed to evaluate the processes. The QMS should also provide for maintenance and control of the documents required to support process operations and retention and control of the records that can be used to show that the plans are being followed. Once the QMS has been implemented and the organization is applying the criteria and methods needed to operate and control the QMS processes, provision should be made for maintaining and improving the QMS.

Leadership

Senior management must provide leadership for the QMS initiative by focusing on quality and customers and ensuring that an appropriate quality policy is established and implemented. Leadership includes accepting responsibility for the QMS and demonstrating and communicating a commitment to QMS by explaining why quality management is important, making it clear that managers are expected to be accountable for the QMS and encouraging everyone in the organization to support the QMS and their roles in quality management. Senior management must also make it clear to everyone in the organization that emphasis on quality management emerges from the need and desire to focus on customers and that all personnel are expected to manage all relevant requirements, risks and opportunities and focus on enhancing customer satisfaction. Senior management should be closely involved in the development, establishment and implementation of the QMS and the associated policies and procedures to ensure that the QMS supports the organization’s purpose, deals with the organization’s context, has all requirements built into processes, and achieves all intended results. Once the QMS is ready for implementation senior management must be sure that it is fully documented and be actively involved in communicating the ­policies to everyone in the organization and making sure that everyone’s role, responsibility, and authority with respect to the policies has been assigned and communicated.

Planning

When planning for the development of the QMS consideration must be given to identifying the risks and opportunities that could influence the performance of the QMS or disrupt its operation and how the organizational context could affect how well the QMS is able to achieve its intended results. With this information the QMS can incorporate risk treatment options and define actions that will be taken to address the relevant risks and opportunities. The QMS should include quality objectives for all relevant areas and those objectives should be documented, communicated, monitored, and updated as necessary. Provisions should be made in advance for evaluation of the results from operation of the QMS and information from the evaluation should be used to plan and implement changes in the QMS. Whenever changes are to be made in the QMS it is essential to plan them carefully and consider the purpose of the changes, responsibilities and authorities, the potential consequences of the changes, the available of resources required to make the changes, and the impact that the changes might have on the overall integrity of the QMS.

Resources and Support

In order for any QMS to be effective it must be supported by the necessary internal and external resources. The first requirement is making sure that the organization has access to suitable personnel who can operate and control the QMS processes. The second requirement is a suitable infrastructure that enables and supports process operations and achieving conformity of products and services. Other necessary resources include an appropriate environment for the processes and monitoring, measuring, and traceability resources.

Management needs to provide several types of support in order for the QMS to be effective and provide value to the organization. For example, management needs to be sure that the persons involved in activities that impact quality are competent and understand their roles in implementing the QMS. Competence should be documented and evaluated and appropriate training should be made available. Personnel should be made aware of the QMS and its core goals and objectives and management should share relevant information with personnel in order to allow them to carry out their jobs in a way that is consistent with the QMS goals and objectives. Another area where support is crucial is the creating and control of documentation regarding the QMS.

Documentation requirements should be consistent with key activities associated with development and commercialization of products and services and documents should be properly formatted and presented and controlled in a manner that allows for appropriate access when necessary for evaluation of the overall QMS initiative. Procedures should also be implemented covering modification to QMS documentation and protection and preservation of QMS documentation and records.

Operations

Since so many aspects of a QMS relate to operational activities it is ­essential for management to carefully and thoughtfully develop, plan, document, implement, and control the organization’s operational ­processes. Key steps in this area include:

• Determining and documenting product and service ­requirements, a process that should include communications with customers;
• Establishing an appropriate process to design and develop products and services, a process which should include consideration of design and development process stages and controls, complexities, requirements, expectations, participation, interfaces, resources, responsibilities, and documentation;
• Monitoring and controlling external processes, products, and services, a process that should include establishing controls for external products and services and communications with external providers to develop/clarify requirements;
• Managing and controlling production and service provision activities, a process which includes implementing ­controlled conditions for production, service provision, delivery ­processes, and post-delivery processes; and
• Controlling nonconforming outputs and document actions taken, a process that involves identifying and controlling ­nonconforming output to prevent unintended use and ­documenting nonconforming outputs and the actions that are taken.

Evaluation and Improvement

While every effort should be made to make the QMS as effective as possible from the very beginning, the need to make changes and improvements as times goes by is inevitable. Quality management is a continuous process and companies need to plan in advance for monitoring, measuring, analyzing, and evaluating the performance of the QMS. Evaluation mechanisms should be considered during the initial planning phase of the QMS and management must ensure that the QMS includes methods for monitoring how well the needs and expectations of customers are being served. Once the data and other information from the monitoring process have been collected and measured the next step is to conduct an internal audit of the QMS in order to get a clearer picture of the suitability, adequacy, effectiveness, and direction of the QMS. Results from customer surveys and the internal audit should be used to identify new ways to enhance customer satisfaction and otherwise meet ­customer requirements. In addition, attention must be paid to correcting deficiencies in the way that the organization is implementing the QMS. All changes to, and corrective actions relating to, the QMS should be documented and progress should be carefully monitored through the date of the next scheduled evaluation and audit. Senior management should be thoroughly conversant in the evaluation process and should make regular presentations on the QMS to members of the board of directors.

ISO 9001 and Quality Management Systems

ISO 9001 is one of the best known and widely used standards of the ISO and provides a structure [i.e., a “quality management system” (“QMS”)] to help organizations develop products and services that consistently ensure customer satisfaction and continuously improve their products, services, and process. Quality refers to all those features of a product or service which are required by the customer. Quality management means what an organization does to ensure that its products or services satisfy the customer’s quality requirements and comply with any regulations applicable to those products or services. Quality management also means what the organization does to enhance customer satisfaction and achieve continual improvement of its performance. ISO 9001 gives the requirements for what the organization must do to manage processes affecting the quality of its final products and services using Deming’s “plan, do, check and improve” approach; however, ISO 9001 is not a product or service standard, nor does it specify what the objectives of the organization should be with respect to “quality” or “meeting customer requirements,” each of which must be defined by organizations on their own.

ISO publications have listed a number of potential benefits for organizations electing to follow the standards and practices set out in ISO 90014:

• International, expert consensus on state-of-the-art practices for quality management
• Common language for dealing with customers and suppliers worldwide in business-to-business transactions
• Increased efficiency, productivity, and effectiveness due to alignment of processes
• Model for continuous improvement
• Model for satisfying customers and other stakeholders
• Meet the necessary statutory and regulatory requirements
• Build quality into products and services from design onwards
• Identify and address the risks associated with the organization
• Address environmental concerns of customers and public and comply with government regulations
• Integrate with world economy
• Expand into new markets
• Sustainable business
• Unifying base for industry sectors
• Qualify suppliers for global supply chains
• Technical support for regulations
• Transfer of good practice to developing countries
• Tools for new economic players
• Regional integration
• Facilitate rise of services

Other potential benefits to organizations include providing senior management with better tools for implementing and maintaining an efficient management process, highlighting deficiencies and continuous assessment and improvement; clarifying areas of responsibility across all parts of the organization; communicating a positive message to employees and customers; time savings and cost reduction; and sales and marketing opportunities, including the ability to tender for new public sector ­projects. Organizations will also benefit from being able to ­provide improved quality and service, as well as “on time” delivery, to ­customers and reductions in the volume of returned products and customer complaints. Moreover, as customers learn more about the organization’s commitment to quality, including independent audits for certification purposes, they will become more loyal to the organization and be more open to expanding the scope of the business relationship.

While not a requirement of ISO 9001, organizations may opt for ISO 9001 certification, known in some countries as registration, which means that an independent, external body conducts an audit of the organization’s management system and verifies that it conforms to the requirements specified in ISO 9001. ISO itself does not carry out certification and does not issue or approve certificates. It is important that the certification body be accredited, which means that a specialized accreditation body has formally endorsed the certification body as being competent to carry out ISO 9001 certification in specified business sectors. When organizations are certified by accredited certification bodies they receive an accredited certificate, which is typically considered to carry greater weight and credibility in the marketplace. As with certifications, ISO does not carry out or approve accreditations.

As noted earlier, there is no certification requirement in ISO 9001 and companies often implement and benefit from management systems based on ISO 9001 without incurring the additional expense of going through the certification process. However, an organization may be driven to pursue certification for important business reasons such as satisfying contractual, regulatory, or market requirements; meeting customer expectations and preferences; strengthen a risk management program; and/or motivating managers and employees by establishing clear performance goals and objectives. According to ISO, over one million ISO 9001 certificates were issued across 187 countries in 2013 alone.

ISO 9001 is one of several standards in the ISO 9000 series and notice should also be taken of the following:

• ISO 9000 contains detailed explanations of the seven quality management principles with tips on how to ensure these are reflected in the way that organizations work, and also contains many of the terms and definitions used in ISO 9001.
• ISO 9004 provides guidance to organizations on how to achieve sustained success with their quality management systems.
• ISO 9011 gives guidance to organizations on performing both internal and external audits to ISO 9001 and can be used to measure the effectiveness of the quality management system and prepare for the external audit needed in order to achieve ISO 9001 certification.

ISO 14001 and Environmental Management Systems

ISO 14001 is an internationally agreed standard that sets out the requirements for a structure [i.e., an environmental management system (“EMS”)] to help organizations manage and minimize their environmental impacts, conform to applicable legal requirements, and improve their environmental performance through more efficient use of resources and reduction of waste, thereby gaining a competitive advantage and the trust of stakeholders.5 An EMS helps organizations identify, manage, monitor, and control their environmental issues in a holistic manner and also includes the need for continual improvement of an organization’s systems and approach to environmental concerns. ISO 14001, which was recently revised ­effective in 2015, is suitable for organizations of all types and sizes, be they ­private, not-for-profit, or governmental, and requires that an organization ­consider all environmental issues relevant to its operations, such as air pollution, water and sewage issues, waste management, soil contamination, climate change mitigation and adaptation, and resource use and efficiency. While an EMS may be adopted as a standalone system, it is often added to an existing management system (e.g., a system based on quality, such as ISO 9001). Having an EMS does not mean that an organization will be immune from all environmental challenges; however, the procedures implemented as part of an EMS should allow the organization to manage events and operational activities that will have a significant impact on the environment. ISO 14001 gives the requirements for what the organization must do to manage processes affecting the impact of its activities on the environment; however, ISO 14001 is not a product or service standard.

Organizations that have adopted and implemented ISO 14001 standards have reported that it has helped demonstrate compliance with ­current and future statutory and regulatory requirements; increase leadership involvement and engagement of employees; improve company reputation and the confidence of stakeholders through strategic communication; achieve strategic business aims by incorporating environmental issues into business management; provide a competitive and financial advantage through improved efficiencies and reduced costs; and encourage better environmental performance of suppliers by integrating them into the organization’s business systems. There is no requirement that organizations seek and obtained accredited certification to ISO 14001 and there are many benefits from using the standard without going through the accredited certification process. However, third-party certification, which involves an audit of organizational practices against the requirements of ISO 14001 by an independent certification body (ISO does not perform certifications), has been found to be an excellent way for organizations to assure their stakeholders that the standards have been implemented correctly. Accredited certification may also be necessary for organizations to fulfill regulatory or contractual requirements.

Elements of an EMS

In general, an EMS that is to be based on ISO 14001 standards should include the following elements6:

• Development and establishment of an appropriate environmental policy that is documented and communicated to employees and also made available to the public and which includes a commitment to continual improvement and ­pollution prevention, regulatory compliance, and a framework for setting policy objectives;
• A planning phase that covers the identification of the environmental aspects of the organization’s activities, identification and access to legal requirements, establishment and documentation of objectives and targets consistent with the and establishment of a program for achieving said targets and objectives (including the designation of responsible individuals, necessary means, and timelines);
• Implementation and operation of the EMS including the definition, documentation and communication of roles and responsibilities, provision of appropriate training, assurance of adequate internal and external communication, written management system documentation as well as appropriate document control procedures, documented procedures for operational controls, and documented and communicated emergency response procedures;
• Checking and corrective action procedures, including procedures for regular monitoring and measurement of key characteristics of the operations and activities, procedures for dealing with situations of non-conformity, specific record maintenance procedures, and procedures for auditing the performance of the EDS; and
• Periodic management reviews of the overall EMS to ensure its suitability, adequacy, and effectiveness in light of changing circumstances.

Diagnostic questions for each of these elements are included in the following sections.7

Environmental Policy

• Has top management defined the organization’s environmental policy, ensuring that it is defined within the scope of the EMS?
• Is the policy appropriate to the nature, scale, and environmental impacts of the activities to be undertaken?
• Does the policy include a commitment to continual improvement and prevention of pollution; a commitment to comply with applicable legal and other requirements to which the organization subscribes and which relate to its environmental aspects; and a framework for setting and reviewing environmental objectives and targets?
• Is the policy documented, implemented, and maintained; communicated to all persons working for or on behalf of the organization; and available to the public?

Planning

• Has a procedure(s) been established, implemented, and maintained to identify the environmental aspects of the organization’s activities, products, and services within the defined scope of the EMS that it can control and those that it can influence taking into account planned or new developments, or new or modified activities, products, and services?
• Has a procedure(s) been established, implemented, and ­maintained to determine those aspects that have or can have significant impact on the environment program (i.e., ­significant environmental aspects)?
• Has a procedure been established to document the information on the environmental aspects of the organization’s activities, products, and services and keep it up date?
• Are the significant environmental aspects of the organization’s activities, products, and services taken into account in establishing, implementing, and maintaining its EMS?
• Has a procedure been established to identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its environmental aspects; and determine how these requirements apply to its environmental aspects?
• Has a procedure been established to ensure that applicable legal requirements and other requirements to which the organization subscribes are taking into account in establishing, implementing, and maintaining its EMS?
• Have documented environmental objectives and targets been established for relevant functions and levels within the organization? Are the objectives and targets, where practicable, measurable; and consistent with the environmental policy and legislative requirements?
• Has a program(s) been establish that addresses the means and time-frame to achieve the environmental objectives and ­targets?

Implementation and Operation

• Have specific management representative(s) been appointed with the role, responsibilities, and authority for ensuring that the EMS is implemented and maintained in accordance to the ISO14001; and reporting on the performance of the EMS for review, including recommendations for improvement to the project manager?
• Has the contractor ensured that staff or subcontractors associated with work identified with the potential to cause a significant environmental impact is (are) competent on the basis of appropriate education and training or experience? Are associated records available?
• Has the contractor identified training needs associated with its environmental aspects and its EMS and provided training or taken other action to meet these needs? Are associated records available?
• Has a procedure been developed to ensure that persons working for the contractor or on its behalf are aware of the importance of conforming with the environmental policy, procedures, and requirements of the EMS; the significant environmental aspects and related actual/potential impacts associated with their work and the benefits of improved ­performance; their roles and responsibilities in achieving ­conforming with the requirements of the EMS; and the potential consequences of not following procedures?
• Has a procedure been developed for internal communications and receiving, documenting, and responding to communication from external interested parties?
• Is the level of documentation considered sufficient to describe the EMS, how its parts work together, and does it provide direction on where to obtain more detailed information on the operation of specific parts of the EMS?
• Has a procedure been developed and maintained to approve documents for adequacy prior to use; review and update as necessary and re-approve documents; addresses the changes to the format of the documents; ensure that changes and the current revision status of documents are identified; ensure that relevant versions of applicable documents are available at points of use; ensure that documents remain legible and readily identifiable; ensure that documents of external origin necessary for planning and operation of the EMS are identified and distribution controlled; and prevent the use of obsolete documents and suitable identification if they are retained for any purpose?
• Have operations that are associated with significant environmental aspects been identified and planned for by preparing procedures to ensure that they are carried out under specified conditions to control situations where their absence could lead to deviation from the environmental policy, objectives, and targets; and stipulating operating criteria?
• Has a procedure been developed to identify potential emergency situations or accidents that can have an impact on the environment and does it address how to respond to them? Does the procedure address the periodic testing where ­practicable?

Checking

• Has a procedure been developed to monitor and measure key operations of the project that can have a significant environmental impact? Does the procedure include documenting information to monitor performance; the applicable operational controls; and conformity with environmental objectives and targets?
• Has a procedure been developed to evaluate compliance with applicable legal requirements and other requirements to which it subscribes?
• Has a procedure been developed to deal with actual and potential nonconformity(s) and for taking corrective action and preventative action? Does the procedure address identifying and correcting nonconformity(s) and taking action(s) to mitigate their environmental impacts; investigating nonconformity(s), determining their cause(s) and taking actions in order to avoid their recurrence; evaluating the need for action(s) to prevent nonconformity(s) and implementing appropriate actions designed to avoid their occurrence; recording the results of corrective action(s) and preventive action(s) taken; and reviewing the effectiveness of corrective action(s) and preventive action(s) taken?
• Has a procedure been developed to establish and maintain records as necessary to determine conformity to the requirements of its EMS, ISO14001 and the results achieved?
• Are internal audits to be scheduled at defined intervals to determine whether the EMS conforms to planned arrangements of environmental management including the requirements of ISO 14001; and is being properly maintained?

Best Practices for EMS implementation

A report prepared by consultants from the Rand Corporation on the keys to successfully implementing environmental management found that it was important for organizations to integrate its environmental management program with the management system it uses to plan and execute its core missions and functions. In this way, managers would view environmental issues as being just one more relevant context in which they pursued the core values of the organization.8 The report suggested that insights gained from surveying the best commercial practices indicated that successful and effective integration could be achieved by taking the following steps:

• Identify how environmental issues affect its key stakeholders and how these issues relate to stakeholder goals;
• Develop and sustain senior leadership support for proactive treatment of environmental issues;
• Identify champions who can take day-to-day responsibility for managing environmental issues to satisfy the specific stakeholder goals that the senior leadership has endorsed;
• Make environmental principals in the organization effective partners in coalitions in the organization to align environmental interests with other specialized interests;
• After identifying the organization’s position in the value chains that it services, work with other elements of these value chains to achieve common goals;
• State specific environmental goals in simple terms that help individual decision makers relate them to broader corporate goals without much ambiguity;
• For specific decisions or projects, use teams that include ­representatives of all the relevant functions, including ­environmental representatives when appropriate;
• Promote routine use of databases and analytic tools that help decision makers see how environmental decisions affect all parts of the organization; and
• Balance centralization and decentralization to align environmental concerns with the most closely related core activities.

The report emphasized that while it was important to have champions and principals within the organization who could be held responsible for implementation of environmental policies in the context of the organization’s broader corporate goals and culture, they must be prepared to reach out to others throughout the organization and communicate with them using data and language that can be easily understood to demonstrate how their interests can be aligned with the environmental mission. The report also provided the following recommendations for implementing a proactive approach to environmental management9:

• Motivate employees to be not only creative but also dogged in their determination to change the status quo for the better;
• Assign responsibilities clearly so that specific individuals or teams feel the effects of environmental decisions on the organization as a whole and can be held accountable for promoting the goals of the organization as a whole over the long term;
• Design metrics to encourage individuals and teams, ­constrained as they are in their particular locations in the organization, to make decisions compatible with the ­organization’s broad goals;
• Back up these metrics with incentives that are compatible with the organization’s broader norms about compensation and advancement;
• Expect individual failures to occur when employees push hard enough for real change and (1) limit the damage from such failures while (2) helping employees learn from these failures rather than punishing them for failing;
• Train employees to increase their environmental awareness and improve their ability to work collaboratively;
• Design training so that it occurs “just in time,” when ­employees need it to execute specific tasks;
• Provide effective analytic tools and maintain a supportive organizational environment for their use;
• Communicate continuously, internally and with key stakeholders, to sustain trust and commitment; and
• Benchmark environmental performance against that of other organizations, report the results to the senior leadership, and use the results to sustain senior-level support for continuing improvement in environmental performance.

Companies often implement several different, but interrelated, environmental management programs as part of their overall environmental strategy. Common areas of focus include product design, which involves continuous efforts of design teams to locate new materials and technologies to ensure that future products are at the leading edge of commercial environmental product design and recognition of specific design considerations such as environmentally oriented materials selection, design to facilitate cleaner production, design for durability and extended product life, design for refurbishment and reuse and design for disassembly and recycling; supply chain management, which involves routine dialog with supply chain members about their efforts to create and maintain a sustainable production system and adhere to environmental requirements through continuous improvement actions; operations, including certification of the company’s EMS; product stewardship, including a robust and practical end-of-life management approach that maximizes environmental and economic value; and communications with internal and external stakeholders regarding sustainability.10

ISO 45001 and Environmental, Health and Safety Management Systems

An important tool for companies seeking to implement environmental, health and safety (“EH&S”) management systems was introduced by ISO in 2018 when the new ISO 45001 standard on occupational health and safety management systems was finalized and published. ISO 45001 is intended to help organizations reduce the burden of occupational accidents and illnesses by providing a framework to improve employee safety, reduce workplace risks and create better, safer working conditions, all over the world. ISO 45001 follows other generic management system approaches such as ISO 14001 and ISO 9001 and also takes into account other relevant internal standards such as OHSAS 18001 (an international standard that has provided a framework to identify, control, and decrease the risks associated with health and safety within the workplace), the International Labour Organization’s ILO-OSH Guidelines, various national standards and the ILO’s comprehensive international labor ­standards and conventions.11

The ISO has explained that an occupational health and safety (“OH&S”) management system is intended to support organizations in meeting their responsibilities with respect to the occupational health and safety of workers and others who can be affected by its activities. An effective OH&S management system enables organizations to provide safe and healthy workplaces, prevent work-related injury and ill health, and continually improve its OH&S performance. The ISO has made it clear that implementation of an OH&S management system is a strategic and operational decision for an organization, and that the implementation and maintenance of an OH&S management system, its effectiveness and its ability to achieve its intended outcomes are dependent on a number of key factors, which can include12:

• Top management leadership, commitment, responsibilities, and accountability;
• Top management developing, leading, and promoting a ­culture in the organization that supports the intended ­outcomes of the OH&S management system;
• Communication;
• Consultation and participation of workers, and, where they exist, workers’ representatives;
• Allocation of the necessary resources to maintain it;
• OH&S policies, which are compatible with the overall ­strategic objectives and direction of the organization;
• Effective process(es) for identifying hazards, controlling OH&S risks and taking advantage of OH&S opportunities;
• Continual performance evaluation and monitoring of the OH&S management system to improve OH&S performance;
• Integration of the OH&S management system into the ­organization’s business processes;
• OH&S objectives that align with the OH&S policy and take into account the organization’s hazards, OH&S risks and OH&S opportunities; and
• Compliance with its legal requirements and other ­requirements.

EHS Support, which provides a wide array of EH&S services and support to clients across a broad spectrum of industries, has laid out the following list of essential elements for an effective HS&E management system13:

• Management Leadership, Commitment, and Accountability: The board of directors, the EH&S committee of the board and the senior management team must take responsibility for establishing policy, providing perspective, setting expectations, and ensuring the provision of adequate resources for successful operations. Management leadership, commitment, and action need to be visible to the organization, and clear accountabilities must be established at all levels.
• Risk Planning, Assessment, and Management: Risk planning, assessment, and management is a continuous process that includes the formal and informal identification, evaluation, and control of EH&S business risks including business liabilities, regulatory compliance, and customer requirements.
• Facility/Site and Equipment/Tool Safety Management: Safety can be enhanced and risk to health and the environment can be minimized by using effective standards, procedures, and management systems for facility/site design, activities, and services. Health and safety plans should be used to summarize health and safety hazard information for field activities.
• EH&S Regulatory Management, Information, and Documentation: Accurate information about the configuration and capabilities of sites and facilities, properties of products and materials handled, potential hazards, and regulatory requirements is essential to assess and manage risk. All projects and services should comply with the organization’s regulatory compliance procedures and contractors should be required to have equivalent procedures in place and submit to audits of such procedures by the organization.
• EH&S Planning and Procedures: Safety and health policies and programs should be established and maintained to manage significant risks and comply with legal requirements. All such policies and programs should be written, communicated and followed, and be accessible to personnel, contractors, and government entities as appropriate.
• Personnel, Organization, Competence, and Training: Recognizing that people are at the core of every EH&S initiative, provision must be made for appropriate training, ­effective communication and assessment of employees, and the ­implementation of appropriate programs.
• Emergency Management and Community Awareness: The organization must take a proactive rather than reactive approach to planning and preparing for a safe and effective emergency response to incidents that mitigate the consequences, prevents further harm and enables a safe efficient resumption of normal operations. In the event of an incident, plans must be in place to ensure that all necessary actions are taken for the protection of the public, the environment, and organizational personnel and assets.
• Incident Investigation, Analysis, and Management: While every effort should be made to prevent incidents, the reality is that problems will arise and the organization must be committed to effectively managing all incidents, including work-related injuries, accidents, regulatory violations, and near misses, immediately and thoroughly and communicating the results of investigations and following proper reporting practices.
• Management of Change: Changes in services, procedures, site standards, facilities, or personnel must be evaluated and managed to ensure that risks arising from these changes are properly assessed and managed.
• Third Party Services: Third parties (e.g., contractors and contracted personnel working directly with or for the organization and suppliers) impact the organization’s business and reputation and it is essential that they perform in a manner that is consistent and compatible with the EH&S policies, procedures, and expectations of the organization.
• EH&S Performance Monitoring, Measurement, Reporting, & Improvement: To ensure continuous improvement, EH&S performance must be accurately monitored, measured, recorded, and analyzed, with the key tools being audits, review and self-assessments with respect to achievement of EH&S plan and objectives; compliance with federal, state, and local regulations; corrective actions closeout; and leading and lagging indicators. Provision should be made for continuous review of EH&S systems and continuous improvement implementation. In addition, systems should be implemented for, and adequate resources allocated to, reporting of EH&S performance to stakeholders.

Enterprise Risk Management

No business is without some sort of risk and overcoming those risks is the key to achieving an acceptable return on investment of capital, technology, and human resources. Higher levels of risk drive investors to expect greater risk-adjusted returns in exchanging for providing ­capital to the business. The risk profile for each company is different; however, commentators have suggested that the range of risks confronting an enterprise may appear within an extensive list that includes the following, in no particular order: financial markets disruption; credit; interest rate; capital; human resources; transactional; data protection and privacy; legal; enforcement actions by federal or state criminal authorities; Foreign Corrupt Practices Act; governmental investigations; regulatory and compliance requirements; cyberattacks; information technology; business continuity and disaster planning; operational; supply chain; financial disclosure; document retention policies and practices and disclosure (obstruction of justice or civil contempt); executive misconduct or negligence (personal and/or professional); brand; reputational; vendors; business partners; third party service providers; customers; and environmental.14

The scope of the potential risks to a company above should illustrate why companies need a formalized approach to risk management, systems and programs that have come to be known as “enterprise risk management,” or “ERM.” ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, such as the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act; federal sentencing guidelines; listing standards required by national securities exchanges; credit agencies; directors’ and officers’ liability insurance carriers; and accounting and audit review standards. In many cases, companies are required, or strongly urged, to create a separate board-level risk management committee and appoint a chief risk officer. ERM has been conceived as a comprehensive solution to risk management that requires that all strategic, management, and operational tasks of an organization be enabled through projects, functions, and processes so that those tasks are aligned to a common set of risk management objectives. ERM addresses various types of risk exposures including15:

• Hazard risk risks related to accidental losses, such as ­workplace injuries, liability torts, property damage, and ­natural disasters
• Financial risk risks related to financial activities, such as ­pricing, asset valuation, currency fluctuations, and liquidity
• Operational risk risks related to operations, such as ­supply chain, customer satisfaction, product failure, or loss of key personnel
• Strategic risk risks related with an organization’s long-term goals and management, such as partnerships, mergers, and acquisitions
• Reputational risk risks related to the trustworthiness of ­business (damage to a firm’s reputation can result in lost ­revenue or destruction of shareholder value)
• Compliance risk risks related to violations of or nonconformance with laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards.

Apart from legal and regulatory requirements, companies have recognized that ERM can be deployed as an essential business management tool to assess and analyze business and activities on a risk-adjusted basis; engage in sound strategic planning and financial management which requires that all risks of every line of business and activity be assessed and balanced against profitability, and recognize and prepare for the interdependency of events.16

The first step in creating an ERM program is conducting an enterprise-wide risk identification and assessment program, preferably undertaken by an independent third party and with the intent that the assessment process would be continuously updated on a regular basis. The goal of the risk assessment, which is discussed in more detail below, is to create a solid foundation for designing an ERM program that is aligned with the most material risks confronting the organization. Once the assessment has been completed the results should be reviewed by the board of directors and the senior management of the company and specialists should be assigned to develop a proposal for the ERM program. The proposal should be reviewed by the entire board and senior management and approval of the program should be accompanied by a commitment to provide the resources necessary for the program to be successful. At this point the ERM infrastructure should also be established starting with allocation of risk topics among committees of the board and continuing with the appointment of a chief risk officer and creation of an ERM committee that will include senior representatives from each of the main functional groups of the company and the company’s various ­business units.

While creation of a standalone committee at the board level to focus on risk management issues and initiatives is growing in popularity it is by no means a universally accepted approach. Each company must make its own decision and Deloitte has suggested that the follow factors and questions should be considered when deciding whether a risk committee at the board level is appropriate17:

• The needs of the stakeholders: The board should assess the quality of the current risk governance and oversight structure, the risk environment, and the future needs of the organization to determine how best to meet the needs of all of the company’s stakeholders, not just investors.
• Alignment of risk governance with strategy: Having a risk-­focused committee at the board level increases the likelihood that the board, management, and business units be aligned with their approach to risk and strategy, this promoting better risk governance and ensures that risk oversight is ­value-­adding.
• Oversight of the risk management infrastructure: The decisions about the role of the board-level committee, if any, should be made in the context of larger questions regarding who will be in charge of the people, processes, and resources of the risk management program. Assuming that a chief risk officer position will be created, it is important to be clear about reporting obligations for that position (e.g., to the risk committee, the entire board, or the CEO).
• Scope of risk committee responsibilities: Before a board-level committee is formed decisions must be about the scope of its responsibilities. In some cases the committee may be responsible for overseeing all risks; however, the board may decide that certain risks should be primarily addressed by other committees (e.g., the audit committee should maintain oversight of risks associated with financial reporting) and that the purview of the risk committee should be limited.
• Communication among committees: Particularly when the scope of the responsibilities of the risk committee are to be limited as mentioned earlier, the board must clear define boundaries among all of the board committees and establish communication channels to be sure that activities do not overlap or that important risks “fall between the cracks.”

---