To Everything, There is a Season... Audit Planning Follies Part 1

Do I have to audit all elements of the standard within a year?

What the $^&@*! is a "full cycle" of audits? (See “EMS Registration: The Road to Becoming ‘Certifiable’” – coming soon!)

Will an audit a day keep the registrar away?

These are the questions that keep environmental managers up at night… or at least the night before their registration audit.

Well, let’s see: Element 4.5.5 requires audits to be conducted at “planned intervals,” whatever that means... So a simple schedule showing I audited all the elements in a year should work…

But… wait a minute... What’s this gobble-de-gook in paragraph 2: “Audit programme(s) shall be planned, established, implemented and maintained by the organization, taking into consideration the environmental importance of the operation(s) concerned and the results of previous audits.”??? Huh??? Why can’t they just say what they mean??!!!!!!

What, you want more clarification? Well, alrighty then. How about our good friend (and would-be rapper) TC 207? This roundabout requirement is mirrored - in two-part harmony no less - by COIs 02-03.A1 and 02-03.A2. After reading them, I promise, everything will be clear… as mud.

Don't know what a TC 207 COI is? See "Dr Strangeaudit or: How I Learned to Stop Worrying and Read the COIs."

Still itching for a numbers fix? I’ll try to explain in plain English: You audit when you need to.

It all boils down to that pesky 25-cent phrase: “planned intervals,” which miserably failed to clarify equally vague “periodically” used in the 1996 standard.

So is an interval the same as a “period”? If yes, then what’s a "period"? Is there a standard accepted timeframe that any auditor (no matter how dense) can recognize as a "period"? Whoah there! All this talk about periods is enough to give anyone PMS! To quote Foghorn Leghorn:: “I gotta straighten this lad out; thing like this could warp his mind for life.”

Look, take some ibuprofen, dry your eyes and cheer up. The "party animals" who went to the TC 207 site and read the COIs already know that there is no bare minimum number of audits you can “get away with.” Yep, that’s right. Playing dodge ball around an arbitrary number is not an option here. But there is still a silver lining: in a freak accident of common sense, the standard writers decided to require you to base your audit needs on:

1. What is important to your organization (NOT your registrar auditor), and

2. What has been a problem in the past

This means you focus on your problem areas, both actual and potential. Let’s face it: in the world of environmental management, things are constantly changing, and usually not for the better. Controls seem to fail when it’s most inconvenient, and even relatively good days still have nagging glitches. Then, there are always nasty surprises like mystery drums left by naughty “elves” in the middle of the night. Wouldn’t it be great to catch the problems before they blew up in your face, instead of being constantly blind-sided?

Internal audits help you do this because (if you do them right, and look beyond the "safe zones" of what's already working) they give you consistent, accurate and regular data about how your attempts at environmental control are performing, so you can quickly respond to small problems before they get out of hand. If you do enough good audits of the right things, they might even help you see a problem before it happens and prevent it!! You move from REactive to PROactive.

But I still hear whining: “That doesn’t answer the question how often and how many! Give us a number, we just want a number, surely there must be a number?!!!! WAAAAHHHH!!!!”

Well, just like other addicts, the whiners can’t help it. They have been brainwashed and need their number fix. There are lots of meaningless and arbitrary numbers out there - in permits, in regulations, or (if you really screw up) on your prison-issued clothing. And really, we are all in the same boat with the whiners because, even though enforcement of these numbers is capricious and inconsistent, we all want to believe that, if we meet the numbers, or get under or around them, everything is ok, even when it really isn’t. The reality is more like Lucy swiping the football out from under Charlie Brown – as soon as you are convinced it’s OK, the game changes.

Without our numbers, we often feel like a blind person trying to climb Mount Everest. But you still have “Sherpas” to guide you through this audit scheduling wilderness. You want numbers? Here are 5 things to consider when planning your audits:

1. Applicable legal requirements

2. Significant aspects

3. Corrective and preventative actions

4. Objectives and targets and

5. COMMON SENSE!

Numbers 1-4 are indicators of environmental performance, so they should be audited regularly; how regularly depends on number 5. The EMS does not exist in a vacuum, and you should always listen to your inner reason!

Objectives, Targets and Bullseyes

...And the comments just keep rolling in - I feel so loved!

Someone has asked what the difference between an objective and target is. A lot of people think there isn't any difference, but there is, and it is important to understand it because objectives and targets are a powerful tool for demonstrating continual improvement.

Both of these terms are specifically defined in the standard in Section 3 (Terms and Definitions) 3.9 and 3.11, which means they don't want you to use the dictionary version. Although the standard writers probably thought they made it crystal clear, you are not alone in asking: "What the #$!@" do they mean?"

A common explanation is that an objective is an overall goal or "umbrella" description of a goal whereas the target is more specific and must be met as part of the larger goal.

...zzzhnh Wha...?? Whoa - I just fell asleep typing that!!!

This reminds me of something mildly hilarious: When asked why the ISO 14001 standard wasn't written more clearly, my instructor answered that it was difficult even for college undergraduates to understand because it was written very elegantly to the "17th-grade level." Folks, I can't make up stuff this ridiculous.

Although mere baccalaureates (I mean, 16th graders) cannot reasonably be expected to attain this lofty reading comprehension level, the concept of objectives and targets could easily be explained to a tipsy barfly with a beer in one hand and a crooked plastic dart in the other.

Think of the type of dart game (301, cricket) as the "objective," and the various numbers on the dartboard, including the bullseye, as the "targets." In the game, hitting individual targets measures progress toward reaching the overall goal: winning. Without both the objective and the targets defined, you might as well throw darts at anything or anyone, which I think we can all agree would not clearly demonstrate continual improvement, even if they were thrown by someone with a PhD.

The standard requires programs be defined to achieve objectives and targets. So I'll take this example one step further (too far?) and define a "program": the barfly (responsibility) must use the darts (means) to finish the game before he passes out (timeframe).

And just because I can, I'm going to go over the proverbial cliff with this example: In 4.5.1, the standard requires calibrated/verified equipment to monitor objectives and targets. This is because the data must be not only accurate, but consistent, reliable and repeatable. So, to return to the example: if the "equipment" is a drunk person using worn out bar darts, I wouldn't bet on a winning streak. In other words, "GIGO" applies.

There are lots of myths about how objectives must be set and what they must include. For more information on objectives and targets, see the following COIs: (click on the link under "Faves," or if you don't know what COIs are, click here)

99-03.A4

97-05.A1.R99-06

07-08.A1

07-08.A2

Maaaa! Do I Have To?

Some bold soul has asked one of the most common questions out there: "Is it mandatory to have one or more significant aspects to be registered?" Huzzah!!! My first comment. I'm so excited...

The essential answer is: YES!

Now, you may feel a little sheepish telling someone, "Well, this blogger said to do it..." Baaah humbug! Fortunately, you don't have to depend on an opinion-based blog to get the answer because the standard writers (TC 207) and the registrar oversight body (ANAB) have kindly provided the "official" answer to this question. To quote Mr. Burns: "Eh-eh-xcellent!"

There are actually 2 different places to find the answer, although only one really applies if you are seeking registration.

1. Our TC 207 friends answered almost the exact same question in COI 04-03.A1. Unfortunately, their publishing skills do not appear to extend much beyond stone carving because you cannot directly link to this question online, but you can access the COI document that contains it here, or by clicking on the link provided under "Faves." Hint: it's in the 2004 version.

For more information on TC 207 COIs see the following blogs: "How I learned to Stop Worrying..." and "The ABCs of COIs"

2. TC 207 gets you most of the way there, but those competing for "registration gold" must play by the rules - in this case, ANAB's Accreditation Rules. This group of sages has at least a minimal grasp of "that new-fangled internet thingy," and you can directly access Accreditation Rule #13 online.

For that ANAB history buff out there (you know who you are), AR 13 supersedes Advisory 20. More importantly, it incorporates the TC 207 COI mentioned above and adds some extra ANAB icing, which spectacularly fails to make this topic any less dry. So, grab something to wash this down (it should be at least 80 proof), and I'll give you the "CliffsNotes" version - there is no movie version (thank God!!)

AR 13 essentially says: If you don't have any significant aspects, you won't have a system that can be registered because you WON'T have to do..., well, pretty much anything and everything that would show an auditor you have a system in place. That's because key elements all tie back to SIGNIFICANT aspects; heavy-hitters like: objectives and targets, training, communication, operational control and monitoring and measurement. You don't need to do this stuff for INsignificant aspects, so without any significant aspects, you basically don't have a reason for a system.

You just snorted your drink through your nose, didn't you? I can hear the choking and spluttering from here. In the immortal words of George Carlin: "Calm down, have some dip." OK, so you've changed your shirt, refreshed your drink, and taken several deep breaths. You are dry, relaxed, and best of all, armed with new (albeit painful) knowledge: You must have at least one (1) significant aspect to get registered. Whew!

But this begs a second question (so take a big steadying gulp and swallow it before reading on):

Why put a whole EMS program in place around 1 or 2 aspects? And even if you still see value in a severely limited scope, why register such a system? It's like throwing a big party and not inviting anyone. OK, registration is nothing at all like a party, except for possibly the excessive drinking, hangovers, and morning-after regrets.

For more information about this endlessly fascinating topic, see "Covering Your Aspects" - coming soon.

The ABCs of COIs

In the post "Dr. Strangeaudit - or How I Learned to Stop Worrying and Read the COIs" I discussed the joys of exploring TC 207's clarifications of intent (COIs). Better than sex wasn't it - OK, maybe not, but you probably slept almost as well, didn't you? Anyway, maybe you found that reading them from start to finish was a waste of a good cigarette.

The COIs can confuse more than help if read the wrong way. Apparently TC 207 has never heard of a FAQ, so I am working on an index. Meanwhile, below are some (I hope) helpful navigation tips:

A is for "A FAQ would be helpful here." The COIs are in a Q&A format, so rather than reading straight through, it's better to use them as a diagnostic tool. Remember, COIs are specific to the question's context, so don't apply them too broadly. See "F" below if you read the first 2-3 pages and didn't see any Q&A.

B is for "Beginners like FAQs." Each question is numbered - Fabulous! Some questions refer to each other by number - Neato!! The numbers start with the year, older questions first - Brilliant!!! Unfortunately this helps ALMOST NO ONE since there is no index of questions!

C is for "Could we please have a FAQ?!!" The COIs are rolling: those made for the 1996 edition are still valid for the current version (2004), unless removed or revised (which is noted). You have to parse through all the COI documents to see all the questions because there is no comprehensive cross-reference.

D is for "Definitely read this tip." Read the COIs with an objective eye (it helps to be sober). TC 207 makes their own definition for certain words. If not, the rule is to use the most relevant (not common) dictionary meaning. Just like mom always said: "Look it up!"

One important term left to fend for itself is "significant," which can mean different things depending on context. Skewed COI readings have been the downfall of many. Look for a particularly nasty example in a future blog called "Covering your Aspects" - coming soon...

E is for "Everyone with a certified system, take note." COIs don't account for specific accreditation rules and requirements ("We don't need no stinkin' certs!"). If you are a certified system, or plan to register, there may be additional requirements that apply - there certainly are in the "good ol' U.S. of A." So put on your PJs and bop on over to the ANSI-ASQ National Accreditation Board (ANAB) website where you can guarantee another good night's sleep with the "Accreditation Rules" for U.S. certifications.

F is for the grade I would give the COI format. The instructions for submitting a question to TC 207 take up the first 2-3 pages of the COI - scroll past the boilerplate BS for the Q&A. There is no TC 207 "hot-line, " so if you want a different question answered, see the "condensed" instructions for submitting to TC 207 (p.1-3) - just don't hold your breath waiting for the answer! If you get selected, it apparently takes months to respond (so much for instant gratification). You're SOL for any answer unless your question is both carefully crafted and deemed valuable to share - unlike American Idol, really bad questions won't earn you fifteen minutes of fame.

Dr. Strangeaudit or: How I Learned to Stop Worrying and Read the COIs

So, what the #$%@ are COIs?

COIs, or Clarifications of Intent, are written by TC 207.

Well, who the $%&# are they?!

Technical Committee 207 is the International Organization for Standardization (ISO) committee responsible for developing the ISO 14000 series of standards and guidance documents.

In other words, they write the standard you are trying so hard to follow, so when they provide a clarification it is "normative" - sort of like God giving Moses advice on how to apply the 10 commandments. It is the official "intent" of the standard.

Great! So where do we get a hold of these puppies? Click on this link. It takes you to a page listing links to the various COI documents, which you can pull up in MS Word.

Which brings me to an important note: be sure to read the blog titled the "ABCs of COIs"

AUDIT TIP
Remember, COIs are the official "intent" of the standard - a "shall" so to speak. So when Dr. Strangeaudit tells you the standard intends something, it should be in alignment with the COIs. Now you have the power to defend yourself and your program against unreasonable and arbitrary findings and opinions. Woo Hoo! Knowledge truly is power (but be sure to read the "ABCs of COIs" first!!!!).

MORE ABOUT TC 207
Those with keen auditor skills may have noticed that link to the COIs takes you to the American Society for Quality (ASQ) site. TC 207 has their own website (and if you have explored it, give yourself an ISO star) with a pretty good basic FAQ about what ISO 14001 is all about (from the horse's mouth so to speak). What the website does NOT have is a link to the COIs (duh!). It also looks like the site hasn't been updated since maybe 2003. Brilliant!

Anyway, the ASQ site is pretty much the only place to get them, although a Google search for the COIs won't take you directly there.

Intro to "Show me the Shall"

This blog is all about ISO 14001 implementation and auditing, so, there are basically three types of people (or maybe only 3 people period) who might be interested in it:

“ISO fed up with this frigging EMS!” (Embattled EMRs)
“ISO frigging confused about EMS!” (Shell-Shocked Newbies)
“ISO tired of frigging traveling!!” (Road-Weary Auditors)

Even if you are not one of these poor devils, there’s something here for everybody (OK, maybe not normal people): advice on EMS implementation and maintenance, internal/external auditing tips for both parties (how to tell people they have an ugly "baby", AND how to deal with audit results showing that your "baby" is, in fact, ugly) and common sense advice based on "real world" experiences.

The primary purpose of this blog is to explain the “shalls” of the standard in layman's terms, but the ultimate goal is to reveal the great hidden secret behind ISO 14001 --- drum roll please --- there is way more flexibility than you think! I hope the explanations and examples will help your system work for you, instead of the other way around.

This is a place to share experiences, gripes and, of course, audit horror stories - so please feel free to comment! Just remember, the central philosophy is the title of this blog - everything should be geared toward continual improvement of our understanding of the standard (how's that for buzzword bingo?) All advice is based on the "KISS" principal (and if you don't know what KISS means, say "hello" to the root cause of most of your troubles!).

I can’t think of a drier topic than EMS. For example: document contr…YAAWWN!!! – need I say more? Still, I hope to make it a little entertaining (at least not boring), and, of course, enlightening… well, maybe just thought-provoking... Um, how about only mildly upsetting? OK, OK, I’ll shoot for not morally offensive. FINE! Not morally offensive to “everyone.”

This brings us to the only rule I can think of now: Ground Rule #1 Let's keep it fun. No personal attacks and don't take any of this personally. This blog is based on my opinion, and all comments and contributions are just opinions. This is my creative outlet and I do it because "I love." And, (just to throw a movie quote in): "Love means never having to say you're sorry." So everyone put on your "big girl panties" and play nice.

IMPORTANT NOTE: Please make any real-life examples anonymous. We must protect the innocent AND the guilty, like

…well, you know who you are...

For more on who I am, and why I feel even remotely qualified to tell anyone anything about ISO, see my profile or download the pdf.

SHAMELESS PLUG
If you are actually desperate enough to want my consulting or training services, you can call me on my mobile (219.871.9748) or send me an e-mail at mollylong@aweconsulting.biz.

If you are tired of watching YouTube or need another time-wasting diversion, check out my website: www.aweconsulting.biz. You won't win fabulous prizes or become instantly (in)famous, but you can learn more about the standard and A.W.E. Consulting, Inc.

For those of you stalking me, I've just made it easier - now you can follow me on Twitter (ISO14001MEL) - click the link in the right hand column.

Anyway, ISO happy you are reading this and I hope it is helpful!

Happy audit trails!
Molly