A fresh approach to ISO 14001 certification
The advent of risk-based environmental management system auditing
By David Powley - DNV Certification

What does it take to narrow the perceived credibility gap associated with ISO 14001 certification? David Powley of DNV Certification explains a new regime that is not only scrupulously driven by environmental risk management principles but is also client-friendly.

The criticism surrounding certification to ISO 14001, the environmental management system specification, was almost predictable since its publication in 1996. The comments go along the lines of undeserving companies being granted certification, audits being performed in a clause-based ‘inspector’ mentality, audit findings being punctilious and having no real value. The comments, if not wholly justified, were at least forgivable. Many of the certification bodies granting ISO 14001 certification had grown up in an era of the traditional quality management system certification which for most tended to be based on clause compliance, at least in the days before publication of the 2000 version of ISO 9001, the quality management system specification. This should not have been the case. What should management system certification be concerned with? Undoubtedly, risk management should serve as the essence and this deserves some explanation.

There are three basic qualitative requirements of risk management:

1. identify the significant risks
2. manage the significant risks
3. monitor the effectiveness of the management of the significant risks

The ISO 14001 specification not only accommodates but is based on these requirements. Furthermore there are two other elements associated with risk and these are:

a) The inherent risk or potentiality of an event or condition arising.
b) The actual performance associated with that event or condition.

The element (a) is determined by possibilities or potentiality whereas (b) is determined by actual experience. For example, when one considers the risk of a major spill of a hazardous liquid the theoretical likelihood and consequences (i.e. potentiality) are given attention as well the actual experience (i.e. relevant performance data, occurrences, non-conforming situations etc). Here again, this is consistent with the demands within ISO 14001 and its certification.

DNV Certification recently launched its risk-based certification service. The service applies to certification against all management system standards and specifications for environment, health & safety and quality. A ‘journey’ (as DNV terms it) is embarked upon with the client company whereby the main issues facing it are decided upon. prior to or at the start of audits. These issues then become ‘focus areas’ for the audits and the plans for the audits have their basis in them. Reporting will also be framed by the focus areas and will deliver findings on not only non-conforming situations but also points for improvement as well as noteworthy efforts. Maximum benefit is derived when an open relationship exists between the client company and the Auditor and where interest extends to more than ‘the certificate on the wall’. The potential for real continual improvement is high in these circumstances.

From the perspective of ISO 14001 audits, the Auditor will have an appreciation of the inherent environmental risk (see element (a) above) based on his capability and knowledge of the significant environmental issues faced by an organisation working in that particular sector. He may not have current performance data (see element (b) above) associated with those significant issues for the client company and this is where the dialogue with client company becomes important. The focus areas will then be decided according to a combination of what is inherently risky and what could be improved. The audit is then performed according to the requirements of risk management (see requirements 1, 2 and 3 above) where all relevant processes are interrogated that cover identification, management and monitoring of the management, for the subject of the focus areas. An example may assist here.

Based on his knowledge of the industry sector and the fact that they have a consent for a discharge into a nearby river an Auditor perceives that discharges to controlled waters is an issue for a client company he has yet to visit. He would discuss the issue with the client, prior to or at the start of the audit. This discussion should reveal the relevant performance information, such as breaches or near-breaches of the consent or any deficiency associated with the issue. That focus area (i.e. ‘discharges to controlled waters’) would be decided upon. The audit would then be conducted along the requirements 1, 2 and 3 above to ensure:

The above is a mere simplification of the DNV approach to risk-based certification auditing - a fuller, more deserving account would require more space. However it is hoped that this serves to give an appreciation. Early indications are that the large majority of client companies will be enthusiastic for this approach. This is encouraging as it would indicate that at last a balance may have been struck between client-friendliness and environmental risk management.

top of page