Blackmores is a pioneering consultancy firm with a distinctive approach to working with our clients to achieve and sustain high standards in Quality, Risk and Environmental Management. We'll be posting podcasts discussing ISO standards here very soon!
Emergency preparedness is a term you're likely familiar with regarding Health & Safety, but its application is also a key part of the Best Practice Environmental Management Standard, ISO 14001. ISO 14001 aims to help organisations reduce their overall impact on the environment, and this includes mitigating and responding to any incidents that may adversely affect factors such as biodiversity and water quality in areas where your business is based. While not applicable to every industry, there are many which need to take greater responsibility in the event of an environmental incident. ISO 14001 provides key guidance in how to create effective processes to ensure you respond swiftly, and in alignment with the law. In this episode Ian Battersby explains what is meant by emergency preparedness and response within ISO 14001, and how that can apply to your business. You'll learn · What is emergency preparedness and response in ISO 14001? · How do you approach Clause 8.2 in ISO 14001? · Planning for an environmental emergency · Definitions of different types of emergency · How can you prevent an environmental emergency? Resources · Isologyhub · Learn more about ISO 14001 In this episode, we talk about: [02:05] Episode Summary – Ian explains the purpose of clause 8.2 in ISO 14001, emergency preparedness and response. [02:35] What is meant by ‘emergency preparedness and response' in ISO 14001?: Many will be familiar with emergency preparedness and response in relation to Health and Safety. In Standards such as ISO 45001, it's about ensuring there are plans in place to reasonably foresee and prevent any serious harm to a person or persons affected by our activities The aim with Clause 8.2 in ISO 14001 is to minimise the risk an organisation poses to the environment. Though, these aren't mutually exclusive and some environmental response plans can prevent harm to both people and the environment. Ian seeks to clarify this clause further as many have a tendency to point towards their fire evacuation plan and fire drills as the first piece of evidence when demonstrating conformity to clause 8.2 in ISO 14001. While fire is very violent to the environment once it's occurred, the evacuation of people during such an event building offers little in the way of an environmental response. [05:10] Breaking down Clause 8.2: Clause 8.1 states: “The organization shall establish, implement and maintain the process(es) needed to prepare for and respond to potential emergency situations identified in 6.1.1.” Like with many Standards, it references an early clause where you should be identifying the relevant emergency situations. Clause 6 focuses on risk and opportunities, and in the case of ISO 14001 this is where you'll establish your environmental aspects and compliance obligations. Specifically, Clause 6.1.2 states: “Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts.” This would take into consideration any abnormal conditions and reasonably foreseeable emergency situations. So, this is where you should already have established the emergency situations for which you need to plan for. Risk management is a core of the standards and planning for emergency situations is a core of risk management. You don't write plans in isolation; you will have already established what's important. [07:30] Planning for emergency: As stated in Clause 8.2: “The organization shall plan: a) to take actions to address its risks b) how to: 1) integrate into environmental management system or other business processes; 2) evaluate the effectiveness of these actions.” This is all part of the familiar PDCA cycle. From Ian's perspective as an auditor, he won't look at emergency plans first, instead looking at an organisations Aspects & Impacts Assessment. The standard isn't prescriptive on how you assess the impact of what you do or the risks. The methodology is your choice, but it is very explicit in that the content must include abnormal conditions and reasonably foreseeable emergency situations. [09:40] What are the definitions for different types of emergency situations? Normal situations are when everything operates as intended, Business as usual, the day-to-day activities you expect: E.G. Standard operation of machinery, a vehicle getting from A to B without issue. Abnormal situations are when things aren't quite right, not catastrophic, but not business as usual; you can still achieve your intended outcome, but maybe not as quickly or efficiently: E.G. machinery running inefficiently or perhaps using more fuel or lubricant than usual. They don't necessarily require an emergency plan, but you may want to monitor the severity of such situations and their potential for significant impact if unaddressed. Emergency situations are serious events requiring immediate attention and which could cause significant environmental impacts. The type of emergency situation that could possibly occur will depend on the type of organisation, but common ones include fire or chemical / fuel spill. [11:30] What is required by the Standard? – As stated: You are required to: A) plan to respond to prevent or mitigate adverse environmental impacts from emergencies; (not human) B) respond to actual emergencies; C) prevent or mitigate the consequences of emergencies; D) periodically test the planned response; E) review and revise the process, in particular after the occurrence of emergency or test; F) provide relevant information and training, to relevant interested parties, including persons working under its control. [13:00] Examples of Emergency Situations – We'll look at a common one, fire. There are still 22,000 workplace fires in the UK each year, which is a significant environmental impact. That amounts to approximately 2,700 tonnes of carbon emissions annually. This in addition to the atmospheric toxins, ground/water contamination, resource loss, waste etc. So, in considering fire as an environmental emergency, these are the impacts. IOSH states that the most common cause for workplace fires is faulty or misused electrical equipment, followed by flammable/combustible materials, dirt and clutter, human error, smoking and cooking. One thing to note about those causes is that they are generally required to be controlled by specific legislation. So, you would be looking for a link between compliance obligations (or legal) register, the Aspects & Impacts Assessment and the controls in place to minimise the risks identified in both. Faulty electrics would stand out, so you would look at what measures could be put in place to prevent such faults occurring, including: · Preventive maintenance of equipment · Inspection and testing of electrical fixed wiring · Portable appliance testing By demonstrating the processes in place to address these, you can evidence compliance obligations and the planning to reduce the possibility of an emergency situation arising. However, a fire may still occur [15:40] Example emergency situation – Prevention: – You should look at the planning to prevent such a situation escalating into a full-blown emergency in order to prevent the environmental impact. This could include: · The maintenance, inspection and testing of fire detection or suppression systems · The inspection and servicing of firefighting equipment. · Firefighting equipment training for personnel Based on what you know about the causes of fire, you should examine smoking policies/practices, catering equipment maintenance, housekeeping, hazardous material management etc. Proof of fire drills alone enough when it comes to emergency preparedness and response in ISO 14001. Especially from an auditor's perspective, as how can you prove that your fire drills are useful in minimising the impact on the environment? [17:15] Other emergency situations – Spillage: An area where you can more readily see that preparedness and response directly affects the environmental outcome is where there has been a spillage of some kind. A spill of a lubricant on a shop floor, for instance, has the potential to cause a slip hazard, affecting the safety of people. The preventive measures, again, have similarities regardless of whether we're talking safety or environment, but do differ in that we're trying to prevent the lubricant then reaching the outside world and contaminating ground or water; that's the environmental impact. Waste disposal associated with the mopping of a spill; you may be dealing with hazardous waste, which must be disposed of in a controlled fashion under the law. If you'd like assistance with ISO 14001, get in contact with us, we'd be happy to help. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Watch the Podcast Video on our YouTube Channel There has been a global shift towards the sustainability effort in recent years, highlighted by various regulations and schemes aimed at businesses to help encourage a more sustainable way of operating. This has led to more focus on the voluntary use of carbon markets, in which companies help to fund decarbonisation projects by buying carbon credits. In this episode Mel is joined by Tiffany Cheung, the Corporate Engagement Lead at carbon markets data company AlliedOffsets, as they discuss the landscape of the market, including current trends, decarbonisation challenges in different sectors, and top tips for navigating the space. You'll learn · What impact will corporate disclosures have on the carbon markets? · What are the rates of decarbonisation across different sectors? · What are the emerging buyer trends within the voluntary carbon market? · What is an internal carbon price? · How can companies use a carbon price to ensure that their sustainability goals are financially viable? · How can AlliedOffsets' data help companies when entering the carbon market? · What are the critical steps businesses should take to mitigate price volatility and ensure that they're investing in high quality, impactful carbon offsetting projects? Resources · AlliedOffsets · AlliedOffsets LinkedIn · AlliedOffsets Corporate Emissions Data and Findings · Carbonology In this episode, we talk about: [00:30] Episode Summary – Tiffany Cheung joins Mel to discuss buyer trends in the voluntary carbon market (VCM), including insights on the use of internal carbon prices and top tips for businesses looking to enter the market. Don't forget to catch-up on the previous episode where Tiffany explains what the voluntary carbon market is and gives an insight into the lifecycle of carbon credits. [01:30] What impact will increased corporate disclosures have on the carbon markets? There are 2 main points: 1. Already on the Agenda: Increased corporate sustainability disclosure may already fit into the changes that are taking place within the thinking of a company. If a company is spending time on creating and publishing reports on their sustainability initiatives, it is likely that they will be exploring their options for how they can take action more broadly.This is likely to be associated with increased engagement with the voluntary carbon markets, both through offsetting of carbon footprints and investing in carbon credits or project developers. 2. Project Developer benefits: Project developers will likely benefit from increased insight to the kinds of projects that buyers are purchasing credits from. As a by-product, there may be more focused projects created based off what certain sectors are willing to offset or invest in. [02:55] What are the rates of decarbonisation across different sectors? To give a macro view from the public data available in corporate sustainability reports over the last few years, the biggest total polluters by sector continue to be energy, maritime, transportation and materials and mining. Looking at the positives, the energy sector, which has historically been the biggest polluter, has decreased its emissions in both scopes 1 and 2 since 2019. However, there's still a very long way to go, and with major emitters recently rolling back their climate commitments, one shouldn't assume that that trend will continue linearly. Another sector facing an interesting decarbonization journey is aviation, whose emissions have been increasing in recent years, although not quite to pre-COVID pandemic levels. This sector will have to grapple with its emissions whilst contending with forecasted growth in both consumer and business travel over the next decade. Many aviation companies are both committed to Science Based Targets initiatives (SBTi) and fall under CORSIA (Carbon Offsetting and Reduction Scheme for International Aviation), applying pressure on the sector to decarbonize as a whole. On a positive note, 18 sectors assessed by AlliedOffsets have decreased their average carbon emissions in scope 2 over the past few years, due in large part to increased renewable energy sourcing and improved energy efficiency. [07:10] What are the emerging buyer trends within the VCM?: AlliedOffsets are in a particularly good position to provide insight to this due to their comprehensive view of both historic buyer activity and new market entrants across the world. Chinese and German manufacturers have become a steady presence in the market, distinguished by their especially detailed credit retirement information. They'll go as far as to specify the products and operating periods that are being offset, showing really high levels of engagement with their environmental impact and giving clear insight on their targeted offsetting approach. Another buyer trend to highlight is occurring within the Australian market, where AlliedOffsets is seeing lots of credit retirement associated with the carbon neutrality certification scheme Climate Active. This is driving most voluntary retirements from the region, particularly from real estate and pension funds. [09:15] What is an internal carbon price? An internal carbon price is a specific cost or budget set by a company for the carbon or other greenhouse gas emissions that are associated with their specific business activities. This is typically based off of something like the World Bank calculations on the cost of climate change to society, or it could be based on the price of carbon set by an compliance emissions trading scheme (ETS) that is local to that business. [10:20] How can companies use a carbon price to ensure that their sustainability goals are financially viable?: For example, EasyJet has an internal carbon price that's based off of the UK emissions trading scheme. That internal carbon price is factored into the airline's master financial models and that drives their 5 - 10 year long financial plans. That helps to determine things like the geographical routes that EasyJet operates, which can affect profitability. An internal carbon price makes emissions tangible and material, playing a role in the wider business decisions. An airline operator is considered a big emitter and is likely to already be exposed to some kind of compliance carbon scheme which has a financial impact on the company. Nonetheless, having an internal carbon price can be useful regardless of how big your business is, as it can be used to budget certain activities and see where emissions might be centralised in a particular department. An example of this in practice may be that you have an internal carbon price of £50 per tonne, you can take that to an emissions calculator or advisor to work out a budget based on the carbon footprint of different activities or departments in the business. The idea being that if you can identify the cost associated with the emissions created, you know how much to spend to decarbonize. This process may also highlight where you can make further reductions, i.e. reducing air travel and supporting staff on switching to less polluting forms of transport. [12:55] How can AlliedOffsets data help companies interested in an internal carbon price?: AlliedOffsets has data on the carbon pricing programmes used by companies to set their internal carbon price, as well as the specific price itself for hundreds of different companies. This dataset also includes companies that haven't chosen to use a particular pricing scheme but have set an internal carbon price based just off of their unique activities. This helps to contextualize the current range of internal carbon prices and the logic behind them. [13:50] The need for regular review: Internal carbon pricing is something that needs to be reviewed on a regular basis as the costs associated with emitting in some business locations is not going to remain the same. This can also be affected by national legislation, which can increase the financial risk of emitting. Tiffany recommends reviewing your internal carbon pricing at least annually. They're seeing an emerging trend within the environmental space where sustainability related impacts within a company are being sequestered into their wider financial operations. The impacts of climate change are going to become more material to businesses in the very near future. As a result of this, it makes sense for businesses to assess their internal carbon price as part of their annual financial reviews. [16:30] What are the critical steps businesses should take to mitigate price volatility and ensure that they're investing in high quality, impactful projects? Tiffany recommends the following steps: 1. Focus on decarbonising your business operations first and engaging with your suppliers to tackle scope 3 emissions as well. It's more beneficial to both the business and environment for you to reduce emissions as much as possible, so you have a smaller residual footprint to offset. 2. Decide what kind of projects / carbon credits you want to spend money on, whether it's offsetting or investing. Besides the climatic impact, there are many co-benefits of carbon projects to choose from, such as improved biodiversity, water supply, or workplace gender equality. Knowing what is valuable to you and your business will help in the selection of these projects. 3. Build strong relationships with developers directly where possible and buy credits directly, in advance. This also has the benefit of ensuring a supply of carbon credits into the future without the worry about how the market might change or become more volatile within the next couple of years. 4. If your business is operating at quite a significant scale, it would be wise to work with another company that's focused on the voluntary carbon market, like AlliedOffsets. They can provide guidance and forecasting for the specific projects or sectors you'd like to buy from, reducing uncertainty on the future of the market. [20:00] Have faith in the impact of the voluntary carbon market – The voluntary carbon market has been through a turbulent period of time, and it's alright to feel cautious about entering a space which has been unstable in the past. The concerns about reputational risk associated with offsetting have greatly reduced in the last few years, and it's set to reduce further as the voluntary and compliance markets merge and integrity improves. However, if you decide that offsetting isn't right for your business, there are still other tools that you can take from the voluntary carbon markets to help drive decarbonisation, such as internal carbon pricing. If you'd like to learn more about AlliedOffsets, visit their website! If you'd like any assistance with carbon standards, get in touch with Carbonology, they'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: · Share the ISO Show on Twitter or Linkedin · Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Watch the Podcast Video on our YouTube Channel No business can operate with zero emissions, there's only so much you can reduce before you need to look at offsetting the remainder to truly achieve Net Zero. Carbon offsetting comes in many forms, but the ones people will be most familiar with include purchasing carbon credits for nature restoration projects and tree planting efforts. Historically, the voluntary carbon market has been troubled by project developers who haven't operated their carbon offsetting projects to the environmental and social standards expected by buyers. With the use of offsets on the rise, it's clear that there is a need for transparency and standardisation within these voluntary markets. In this episode Mel is joined by Tiffany Cheung, the Corporate Engagement Lead at AlliedOffsets, to explain what the voluntary carbon market is, how carbon credits work from purchase to retirement and what quality controls are in place to ensure they are reliable. You'll learn ● Who are AlliedOffsets? ● What is the voluntary carbon market? ● What are carbon credits, and how do they work? ● What quality controls are in place for carbon credits? ● How will the voluntary carbon market affect future regulatory requirements? ● What does it mean to retire a carbon credit? ● What services do AlliedOffsets offer? Resources ● AlliedOffsets website ● AlliedOffsets LinkedIn ● Carbonology In this episode, we talk about: [00:30] Episode Summary – Tiffany Cheung joins Mel to discuss the voluntary carbon market, explaining the carbon credit lifecycle and what quality controls are in place to ensure they are reliable. [01:40] Who are AlliedOffsets?: AlliedOffsets aggregates data from over 30 carbon registries and compliance schemes as well as off-registry transactions to present the most comprehensive dataset on carbon offsetting activity globally. Their data has been featured in publications such as the Financial Times, Forbes, The Guardian and many more. [03:20] How did Tiffany get involved in carbon markets?: Tiffany has been working with AlliedOffsets for over a year, and a lot of their role as Corporate Engagement Lead includes talking to a variety of stakeholders on the buying side of the carbon market, understanding what their motivations for being in the space are, what their strategies are going into the future and their wider decarbonisation process. Tiffany also looks at their transactional activity and how that has changed over time. Prior to their position at Allied Offsets, Tiffany worked in a major environmental advisory and brokerage firm based in London. There they gained a knowledge of both voluntary carbon markets as well as renewable energy markets in that space, this in addition to learning more about the accompanying compliance trading and risk side of things. [06:00] What is the carbon market?: Carbon markets describe markets where carbon is translated from a greenhouse gas into an asset, or a commodity that can be traded. These tend to represent actual tonnes of atmospheric carbon dioxide that have been sequestered somewhere else in the world through various projects. Compliance carbon markets work differently from voluntary carbon markets. Compliance carbon markets provide regulated ways of pricing carbon, both in terms of reducing emissions and generally making polluters aware of the environmental impact of their emissions in a financial way. They may be associated with the voluntary carbon market, also known as the VCM, or they may be referred to as a kind of carbon tax. [07:05] What's the difference between a voluntary carbon market and a non-voluntary carbon market? If you are engaging in the voluntary carbon market, there is no legislative impetus for you to be involved in it. It's mostly driven by a business' own desire to offset emissions. The offsetting of residual emissions is done through the purchase of carbon credits, which are representative of 1 tonne of CO2 equivalent removed from the atmosphere. If you offset all of your remaining emissions, then you may be able to claim carbon neutrality for the year that the credits apply to. The benefits of carbon credit-issuing projects aren't always related to solely greenhouse gas removal, and depending on a businesses motivations, you can help to fund a wide range of beneficial projects such as clean water provision or improved cook stoves which improve air quality in domestic settings. [09:25] What type of organisations are leading the way with carbon credit purchasing? – AlliedOffsets has unique access to the transaction history across 30 different global registries, enabling them to provide an up to date and wide ranging view on the voluntary carbon market. There is a very strong relationship between how polluting a sector is and how well engaged it is with the voluntary carbon markets. So major players include energy producers, aviation, maritime, ground transportation and mining and materials. There is also an increase in financial services, technology and telecommunications services entering the carbon market. Tiffany expects this trend to continue with increased data centre usage and artificial intelligence driving up energy consumption across these sectors. [11:10] How does the voluntary carbon market operate?: When a company first decides they want to buy carbon credits, ideally they would engage with a well-established broker or intermediary who can source a variety of carbon credits. It's helpful for the broker to know what sort of carbon credits or projects a company is looking to invest in. There's a lot of different options, including: ● Forestry ● Alternative land use ● Blue Carbon ● Engineered carbon dioxide removal The company will let the broker know how many tonnes of carbon credits they'd like to buy, attributed to a certain period of time or activity based on their quantification and existing carbon reporting. Market prices will range quite significantly based off of what technology type or methodology you're going with, but most carbon credits are currently sub $15. Once agreed, your intermediary will secure and retire the credits for you, from the registry and project developer. Retiring a carbon credit means they are taken entirely off the market and they're considered to be “spent” or used. Nobody else can use those as an investment or offset at that point, and the purchasing company can consider their carbon footprint to have been neutralised for the specified period. [12:00] What quality controls are in place for the voluntary carbon market? While there isn't a master registry, there are several registries across the world that generally dominate the market. They vary in terms of the methodologies that they may or may not specialise in, as well as with geographies. The biggest ones that you're most likely to see in the market are known as VCS, GS, ACR, and CAR. These account for about 80% of the total market volume by retirement and issuance. The way that these registries work is that they perform a bookkeeping function within the space. Projects will register their sequestered tonnes of CO2 removed with these registries, who will then check to see if these projects have complied with their methodology, which would have been set by a Standards Body. Once approved, those project developers can sell their credits as a commodity. When a business wants to buy credits, the type of projects they want to engage with will dictate the sort of registries they'll be engaging with. There are also checks in place set by the registries to ensure that project developers use third parties to further validate their project activities. [16:45] What are the methodologies used in the voluntary carbon market? A methodology refers to the way in which a specific project should be undertaken in order to ensure that the pace of carbon sequestration and storage is consistent throughout the project's life. Registries are ultimately responsible for issuing the appropriate methodology, and the project developers need to be able to evidence compliance to that methodology. The process for a project to be registered is quite complicated, and it generally takes 2 – 3 years from concept to being in a position to issue credits. There is also a requirement to have their work validated by a Verification and Validation Body (VVB). These are third party auditors who check the evidence provided by project developers to ensure they comply with the necessary methodology. This may include the VVBs undertaking a site visit. [19:30] Will regulatory requirements be introduced within the voluntary carbon market? – Tiffany states that there is definitely a demand for regulatory requirements in the space. There a two key drivers for this: The need for integrity among buyers – There are many sectors where engaging in a more unregulated space can be risky. Sectors such as the legal and financial sectors need a certain level of oversight to ensure they are making sound investments. Convergence of compliance and voluntary markets – This is a change that's been happening over the past few years. This is being driven by governments taking part in the voluntary carbon market space and realising that they can yield returns for the country. Additionally, when they're spending public funds, there needs to be a certain level of assurance in the projects they're engaging with. There is also a growing appetite for businesses engaging in this market to ensure that they are doing the best thing possible ahead of the curve. There's been a lot of negative press around greenwashing projects, leading to potentially tarnished reputations, to the need for proper checks and regulation is becoming a necessity. [22:45] What does it mean for a carbon credit to be retired? – The point at which a carbon credit is retired is when it has been taken totally out of circulation for the market. That means that no other broker, intermediary or end buyer would be able to use that credit in any kind of capacity. It's like having the receipt to say this person has purchased this product, it belongs to them now and nobody else can use it. [24:30] How are stakeholders using the data provided by AlliedOffsets? – AlliedOffsets has a very wide data set, with an equally wide range of stakeholders. Some particularly interesting use cases include: Benchmarking against the competition – Corporate buyers use their data to compare how their activity measures up to competitors or peers within their sector due to AlliedOffsets long view of historic activity. It highlights what projects are being favoured by their competitors and what kind of price points they should be looking at as well. Project developer research - Another common use case is that project developers will want to see who is active in the market and who they should be targeting for funding. AlliedOffsets can see specific buyer activity broken down by region as well as methodology, which means project developers have a really good chance of being able to engage with buyers who are entering the space and might not have established those direct procurement relationships. Government consultation - Markets can be a huge source of income from the private sector into the public purse. For example, you might have a voluntary carbon market scheme that's associated with a compliance scheme, which can mean tax benefits for complying businesses alongside socio-environmental benefits for the country. If you'd like to learn more about AlliedOffsets, visit their website or reach out to Tiffany for more about buyer activity in the VCM! If you'd like any assistance with carbon standards, get in touch with Carbonology, they'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO consultancy isn't a field many aspire to enter, mostly because many don't know it exists until you're tasked with either managing an existing ISO Management System or implementing a brand new one. We're continuing with our latest mini-series where we introduce members of our team, to explore how they fell into the world of ISO and discuss the common challenges they face while helping clients achieve ISO certification. In this episode we introduce Sarah Ball, a Senior Isologist® at Blackmores, to learn about her journey towards becoming an ISO Consultant and what drives her to help clients on their ISO journey. You'll learn · What is Sarah's role at Blackmores? · What does Sarah enjoy outside of consultancy? · What path did Sarah take to become an ISO Consultant? · What is the biggest challenge she's faced when implementing ISO Standards? · What is Sarah's biggest achievement? Resources · Isologyhub · Productivity Ninja In this episode, we talk about: [00:30] Episode Summary – We introduce Sarah Ball, a Senior Isologist® here at Blackmores, to discuss her journey towards becoming an ISO consultant who specialises in ISO 9001, ISO 45001, ISO 14001 and ISO 27001. [03:45] What is Sarah's role at Blackmores? Sarah is a Senior Isologist® with Blackmores, supporting companies with maintaining systems, undertaking internal audits, and supporting with implementing new systems to gain certification utilising our Isology methodology. Sarah also coordinates the development of content of our online learning platform, the isologyhub. [04:50] What does Sarah enjoy doing outside of consultancy?: Sarah has a keen interest in history, having studied it at school, she like to travel to various locations of historical interest. She also spends a lot of time researching her own family tree, learning as much as she can about the far reaching members of the past. Sarah also likes to go jogging outside, as the gym environment didn't inspire much enjoyment, she instead prefers to be in nature while exercising. She has also participated in long distance running for charity, completing the 10k Race for Life. She's taking on the more daunting muddy 5K version this year, which includes a number of obstacles, so we're wishing her luck! One of the new hobbies she's like to take up this year include mountain climbing, with Mount Snowdon on her to-do list. [06:35] What was Sarah's path towards becoming an ISO Consultant?: Sarah initially started in Customer Services, working as a customer service advisor in a company and then got promoted to manager of a team. At that point, her role became more about understanding why they were getting certain complaints and what could be done to prevent them happening rather than just resolving them. She ended up spending more time with suppliers and other departments to help prevent some of the recurring issues, and along the line it lead onto being asked to implement an ISO 9001 Quality Management System. Which was a tall request considering the fact that at the time, Sarah knew nothing about ISO 9001 outside of it's designation and area of focus. As a result, she spent a lot of time researching it, and had the help of an external consultant to Implement the Management System. This was necessary, as knowing how to apply it to a business was something that she needed support with. 2 years later, the company asked Sarah to implement an ISO 45001 Health & Safety management system and an ISO 14001 environmental management system. These two she implemented herself after getting a feel for it during the initial quality management system implementation. For the next 10 years, Sarah worked in other companies, assisting with their integrated management systems. Along the way, she also picked up on ISO 27001 Information Security, before landing in Blackmores in 2020. [09:10] A path people fall onto – Most people don't actively plan to get into ISO consultancy, it's usually a result of being tasked with managing or implementing a management system while working in another role. [10:10] What is Sarah's favourite aspect of being a Consultant? – Sarah enjoys the variety, not just in the work and tasks but in the companies and industries that she gets to work with. Each have their own way of working, unique approaches and knowledge nuggets in the form of ways of working that can be cherry picked and applied elsewhere. She also likes to see how a management system develops and evolves overtime and how it can become part of a company's success, driving continual improvement. Sarah enjoys working with people that can see the real benefits of ISO management systems, rather than just focusing on the certificate on the wall. [13:40] Making a Management System your own – Sarah is a big proponent of making a Management system your own, giving it an identity so that it can be fully integrated into the way a business works. Businesses do it all the time, usually by naming large projects that everyone can reference by a common shorthand. A Management System can work in the same way, making it a part of the day-to-day running of the business. She's also a fan of not worrying about the terminology in Standards. Many of the terms used are meant to be general, this was due to the way international audiences referred to certain aspects of management, it wouldn't always translate correctly. So many Standards have some admittedly awkward terminology that can be applied to any business, and you by no means have to use their wording, as long as you can explain what relates to what in an audit then you're free to name things as appropriate to you. [16:55] What Standards does Sarah specilaise in and why? Starting with: · ISO 9001 Quality: This is the main standard that Sarah starting working with, and is one that touches on a lot of areas within other Standards. It's a great base to build off of, and is the starting point for many venturing into the world of ISO. · ISO 14001 Environmental: Sarah got experience with this Standard at her first company, it's also commonly implemented alongside ISO 9001. · ISO 45001 Health & Safety: Another one of the first Standards Sarah implemented, it's also a common one to see in integrated management systems. · ISO 27001 Information Security: Sarah got to grips with this Standard through years of working with other companies. Sarah's favourite Standard is ISO 9001, not only because it was her first experience with implementing ISO Standards, but because it create a blueprint for success. ISO Standards are setting the minimum requirement, not the maximum, they are designed get you started so you can make continual improvements. It also acts as a foundation to build onto, you can pick aspects of other Standards to integrate into your existing system. You don't necessarily have to certify to those additional Standards, but nothing is stopping you from strengthening your Management System with the best bits from other ISO's. [21:00] Sarah's favourite clause in ISO 9001: Sarah personally favors Clause 10 – non-conformity and corrective action. The reason behind that choice is due to that clauses' importance in driving continual improvement. It's about taking something negative being turned into a positive, which is what Quality Management is at it's core. [22:05] What is the biggest challenge Sarah had faced during a project and how did he overcome it?: Molding the Standard to the business. As a consultant, the biggest challenge is understanding how to make the requirements of a Standard fit the business, and not the other way round. It's all about trying to align the ISO Standard requirements to their values and mission, and then getting people on board with understanding the true benefits of management system implementation. At Blackmores, we ensure that each management system is unique to each business. We don't operate with a copy paste model. This is another reason why Sarah encourages naming your management system, by branding it you encourage engagement. Sarah highlights the fact that we run a lot of workshops in the initial part of a project, conducting a Gap Analysis, SWOT and PESTLE ect, this helps our consultants to really get a feel for how a business ticks. From that, we can help steer the delivery of the Management System to the wider business, by building it into their existing tools, such as an intranet. [25:45] Leading by example: We revamped our own ISO 9001 Management System a few years ago, with both Rachel Churchman and Sarah Ball leading the refresh. We gave it a name, H20 (How 2 Operate) and integrated it with our Microsoft Teams channels as we'd all swapped to mostly remote work following the COVID pandemic in 2020. As Sarah points out, there are many different ways to display and deliver your management system, including: · Microsoft Teams · Intranet · Google / Google Drive · SharePoint · CRM's such as Monday.com The key is building it into the day-to-day tools everyone uses. Make the Management System part of your processes, so adhering and maintaining it becomes part of everyone's way of working. [28:55] What is Sarah's proudest achievement? Obtaining her degree through the Open University while still working full time. It took Sarah 8 years of hard work to obtain her honours degree in History, which was one not required by her work or career development. It was simply something she wanted to do to prove to herself that she could achieve it. Many other members of Blackmores can attest to Sarah's level of determination, and organisation, as she shares many tips and techniques learned from her years of study and work. This includes: The Productivity Ninja – Learned from Graham Allcott's book, which seeks to help reduce procrastination, and tackle tasks with efficiency. The Second Brain – A tool to help keep track of ideas / tasks that aren't an immediate priority. These tools are now used by a number of the team, and we have no doubt Sarah will be schooling us on more techniques in future. If you'd like any assistance with implementing ISO standards, get in touch with us, we'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
We share a lot of success stories here on the ISO Show, along with hints, tips and updates to Standards, including insights from our consultants who work with Standards day in and day out. In our latest mini-series, we're taking a step back to introduce members of our team, to explore how they fell into the world of ISO and discuss the common challenges they face while helping clients achieve ISO certification. In this episode we introduce Darren Morrow, a Senior Consultant at Blackmores, to learn about his journey towards becoming an ISO Consultant and what drives him to help clients on their ISO journey. You'll learn · What is Darren's role at Blackmores? · What does Darren enjoy outside of consultancy? · What path did Darren take to become an ISO Consultant? · What is the biggest challenge he's faced when implementing ISO Standards? · What is Darren's biggest achievement? Resources · Isologyhub · Engagement Amplifier Gameplan In this episode, we talk about: [00:30] Episode Summary – We introduce Darren Morrow, a Senior Consultant here at Blackmores, to discuss his journey towards becoming an ISO consultant who specialises in ISO 9001, ISO 45001, ISO 14001 and ISO 50001. [03:45] What is Darren's role at Blackmores? Darren is a Senior Consultant with Blackmores, supporting companies with maintaining systems, undertaking internal audits, and supporting with implementing new systems to gain certification. A key part of his role is translating ISO Standards into plain English, and guides clients on how to apply them in practice. [04:55] What does Darren enjoy doing outside of consultancy?: Darren moved to Norfolk back in 2021 ans has since found the relaxed way of life there to be a great fit. It also offers a lot of good walking opportunities for his 2 Leonberger's (giant breed dogs), who mostly enjoy the local parks and beach walks. Darren is also an avid reader, clocking in a whopping 343 weeks' worth of reading on his kindle. His favourite genres include:- · Crime, thriller, adventure types - Clive Cussler, Michael Connelly, David Baldacci, CJ Box, Dan Brown, James Carol · Horror - James Herbert, Stephen King · Supernatural, urban fantasy, fantasy - Ben Aaronvitch, Jim Butcher, Raymond E Feist, C S Lewis & Tolkien · Historical - CJ Sansom, SJ Parris · And Terry Pratchett for a weird dose of reality. He's also a movie buff, with a collection of over 1,000 films ranging from the 1930's all the way to modern era. Recently he took on the challenge of watching all the Marvel films in chronological order, which took a few weeks! [10:35] What was Darren's path towards becoming an ISO Consultant?: Before Blackmores, Darren was the Quality Manager for a company that worked within the Highways Maintenance sector, working there for 8 years. For the first 18 months he was primarily the Quality Manager for a specific contract on the Olympic Park, as that contract came to an end, he moved into the main company Quality Manager role supporting multiple highway term maintenance contracts along with various smaller projects that the business won. Prior to that, he was a SHEQ Advisor within the Rail industry, working for a signaling company. Darren worked there for about 5 years, within head office support roles for quality and health and safety, moving to working on supporting the project teams and project delivery for signaling schemes. Overall, looking back, he's worked with standards within a quality, health & safety, environmental for around 25 years now. [13:20] What is Darren's favourite aspect of being a Consultant? – Darren likes the variety. As an ISO Consultant, he gets to work with lots of different people, companies and industries, so he gets to learn a lot about how they work and how Standards apply to different industries. He also enjoys the fact that after working with clients for a number of years, he becomes just another member of the team. [15:15] What Standards does Darren specilaise in and why? Starting with: · ISO 9001 Quality: This is the main standard that Darren starting working with back in 1999 · ISO 45001 Occupational Health and Safety: While working within rail, Darren was given the opportunity to do some training and proceeded to complete NEBOSH courses - general and construction, this proved invaluable in future roles. · ISO 14001 Environmental: Darren ended up working with this Standard as part of on-going development. His role as a Quality Manager expanded, and at the time, all external audits with our certification body were coordinated through him. So, for on-going development he completed the NEBOSH environmental managed certificate. · ISO 50001 Energy Management: This is one of Darren's favourites. He's taken on this standard since working with Blackmores and seemed like a natural progression with the work he was already doing. He likes how this standard helps companies think more about their impacts on the environment in terms of energy consumption. In terms of companies climate change impacts, Darren likes how ISO 50001 can support deep dives into data that is available or not clearly available in many cases to support improvement and reduction in energy consumption. This also can pave the way for those companies that take it more seriously, and progress to newer standards like ISO14064-1 for quantification and reporting of greenhouse gases, but also part 3 for the verification and validation of greenhouse gases. This is where our sister company, Carbonology Ltd, really excel. Darren does his bit with ISO 50001 clients to educate and prepare them for taking more proactive steps towards meaningful energy and carbon reporting. For example, if they grow sufficiently or fall within the parameters of mandatory schemes such as ESOS or SECR reporting, or they just want to do their bit and demonstrate their commitment to minimising their impact on the environment and overall energy consumption. [23:10] What is the biggest challenge Darren had faced during a project and how did he overcome it?: He doesn't have a single one that stands out, but common issues are usually either down to availability or commitment of the individuals within the company he's supporting. For example, the company may decide that they require certification to a standard or multiple standards. There will be commitment from some within the business, and there are those that may not see the importance or feel it's not important to them and what they do. Darren's job is to support the company in achieving its main goal in gaining certification. His work with the company involved explaining what is to be done and why. He's found that most of any resistance is because individuals do not know the why and how it impacts them, etc. The other aspect is to make it clear that he is not there to tell them what to do, or that they're doing it wrong. He works with people to either document the process (where required), help them find improvement in the process and continue to search for improvement. [27:00] What is Darren's proudest achievement? Darren states that there's no one definitive achievement to highlight, rather he would say supporting clients who are new to the standards. Working with them and providing knowledge so that they know the 'why' and understand the standards and their processes, and finally seeing the end result with being recommended for certification. The ones that he's particularly happy with are those that go for multiple standards, that result in recommendation for certification with little or no significant findings from the certification body, it shows that the company has been fully engaged and embedded the overall process into how they work. If you'd like any assistance with implementing ISO standards, get in touch with us, we'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
A well implemented ISO Management System can improve efficiency, customer satisfaction and drive continual improvement for a business. On the flip side, a poorly implemented Management system will yield little to no results, so what makes the biggest difference between good and bad implementation? Communication is the key. If no one knows about your Management System, then how can it benefit the business as a whole? In this episode Ian Battersby discusses the importance of effective communication of your Management System, why it's vital to reap the full benefits of ISO Implementation and gives some examples of how you can communicate elements of your Management system to the wider business. You'll learn · Why do you need to communicate your management system? · What do you need to communicate? · Why is it important to communicate your Management system? · Different ways you can communicate your management system · How can you measure effective communication? Resources · Isologyhub · How can ISO Standards Support ESG Compliance Workshop In this episode, we talk about: [00:30] Episode Summary – Ian talks discusses elements of communicating a management system including, why you need to communicate and what needs to be communicated, the importance of doing so and how you can go about doing it. [02:45] Why do you need to communicate your Management System? In every ISO Standard, communication is a requirement. The levels and information specified will vary depending on the Standard, but the principles remain consistent. Ian cites ISO 9004 as providing further guidance to improve on what's initially required. In Clause 7.4 it states: “The effective communication of policies, strategy, relevant objectives is essential to the sustained success of an organisation.” Going on to state that communication should be “Meaningful, timely and continual” and that there should be some form of feedback within it to be able to address changes in the organisation's context. So, it's not just a one time exercise. It also states that: “communication processes should be both vertical and horizontal and be tailored to the differing needs of its recipients, whether internal or external.” So you also need to consider the external communication needs too. [04:35] Empowering through communication: ISO 9004 also talks about engaged, empowered and motivated people and their value as a key resource. These types of people help organisations to create and deliver value, so you should have processes in place for engaging those people, to gather feedback and drive continual improvement. [05:40] Where is Communication referenced in Standards?: Typically, communication is Clause 7.4 in most ISO Standards. Additionally there are elements of communication included in Clause 7.3. Awareness. The Awareness clause focuses on employees knowledge of the Management System, and is more focused on internal communications rather than with external interested parties. [06:25] What should be communicated internally? Under Clause 7.3 Awareness, it requires you to share: · Policies · Objectives · The consequences of non-conformance Other Standards may have additional communication requirements such as ISO 45001, which also highlights the need to share risks, hazards, incidents and the outcomes of investigations. [07:10] Clause 7.4 Communication – This clause is more about determining internal and external communications. This includes considerations for: · What communications are relevant? · When should they be communicated? · Who should they be communicated to? · Who should be the one to communicate this information? Some Standards may also include specifications for communicating legal requirements, such as ISO 14001 and ISO 45001. [08:20] Nuance in effective communication: One key element of communication is ensuring that it's understood and applied by the wider business. This doesn't mean that every employee should be able to parrot a specific policy within a business, but rather they should at least know where to find it and understand the implications for them. [09:40] A link between Communication and Leadership: Leadership plays a key role in communications, and ISO Standards specify that certain elements can't be delegated to another individual. Clause 5 Leadership specifically states: · They shall promote the use of the process approach and risk-based thinking, not delegating that promotion. · They should communicate to the importance of the management system and of conforming to that management system. · They should engage directly and support persons to contribute to the effectiveness of the system. · They should promote continual improvement. · They should support other relevant managers to demonstrate their leadership in their areas of responsibility. We've stressed the importance of Leadership in the success of a Management System in a previous episode, and their support with communication is a big part of that. [11:20] Communicating Objectives: Clause 6.2 Objectives states that they must be established and communicated. This doesn't have to be to everyone, so you can be selective and communicate certain objectives relevant to select people. [11:40] How to effectively communicate your management system – Management systems can be vast, and it can be tricky to know exactly how much to communicate and to who. The first tip is to keep it simple. Translate the ‘Standard speak' into something recognisable for your business, which may not always be easy if you're familiar with the Standards terminology. However you need to relate these elements to how people in the business work. Try to keep it brief to avoid confusion. Next, ensure you are assuaging fears. Many are firstly opposed to the introduction of things like Operational Procedures if they've not worked with a Management System in place previously. However, all this is in practice is a written format for how they work, it shouldn't drastically change the way in which they work. Make sure they know this and describe what elements will change i.e. documentation updates. Lastly, they need awareness of the consequences of non-conformance and the need to look for opportunities to improve. [15:25] Communicating Policies – This is a part of all ISO Standards, a Policy can't just be hidden away in a rarely visited folder. A Policy communicates the intent of top management in an organisation, and is something that should be communicated to everyone, which could include external parties. So, you should try to keep this concise. On one page ideally. As long as you've encompassed the vision, values, strategy and top management commitment, and for certain standards a commitment to legal requirements, then you will meet an ISO Standards requirements. Some businesses like to include links to all their procedures within a policy, which by all means, you can, but don't expect people to read a 48 page policy and understand it enough to apply to their daily working lives. [17:00] How can you communicate your Management System? – One key objective of communication is to ensure people understand and apply what's being communicated. To help achieve this, you may want to use multiple methods of communication, including: · Feedback options on content i.e. a yes or no check / options to provide feedback · Training sessions · Intranet page – quick links to relevant content such as policies or audit findings · Regular briefings · Notice boards · Electronic displays · Company briefs · Team meetings [20:25] How can you measure effective communication? There's a lot of ways you can assess this, including: · E-mail voting – to clarify when people have read specific documents · LMS Systems · Through SharePoint systems · Conduct surveys · During Internal Audits All of these can be used as methods of feedback where you can identify further opportunities for improvement from various levels of the business. [21:35] When should you consider external communications? – Clause 4.2 is where you're required to consider the needs and expectations of interested parties. When going through an anaylsis of these interested parties, you determine what they expect out of your Management System. Standards don't specify the need to write a communication plan, but they do say who's going to communicate what to whom, including how and when. In combination with that analysis of interested parties, it creates a solid basis for an effective communications plan. Again, some discretion will be required as not every external party will need to be privy to your internal policies and procedures. Just communicate what's relevant to them. If you'd like any assistance with implementing ISO standards, get in touch with us, we'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Watch the Podcast Video on our YouTube Channel Greenwashing is a concern for both businesses and consumers. The proliferation of it in recent years has caused genuine green claims to be treated with an air of caution rather than being rightfully celebrated. It's become clear that there is a need for transparent and substantiated green claims, both to help consumers and stakeholders to make informed decisions and to ensure that real steps towards sustainability are being taken. Is the upcoming EU Green Claims Directive the answer we've been looking for? In this episode Mel is joined by Charlie Martin, CEO and Founder of The Anti-Greenwash Charter, to discuss the purpose of the EU Green Claims Directive, who it applies to and what it's requirements for substantiation and verification mean in practice. You'll learn · What is the purpose of the EU Green Claims Directive? · What are the drivers behind this objective? · Who is required to comply with the EU Green Claims Directive? · What do the requirements for substantiation and verification mean in practice? · How will the directive impact the use of carbon offsetting and carbon neutrality claims within the EU? Resources · EU Green Claims Directive · Anti-Greenwash Charter · How can The Anti-Greenwash Charter can help with the EU Green Claims Directive · Green Claims Policy Template · Carbonology In this episode, we talk about: [00:30] Episode Summary – Charlie Martin joins Mel to discuss the upcoming EU Green Claims Directive, who it applies to and what it's requirements mean in practice. [02:30] What is the purpose of the EU Green Claims Directive?: This directive is a new law, not simply a voluntary scheme that businesses can opt into. It's a regulation that governs all voluntary green or environmental claims made by organisations operating within the EU, and requires data to back these claims up. Another key fundamental of this directive is the need for independent verification of any claims before they're made public. [04:35] What are the main drivers for the EU Green Claims Directive?: One of the key drivers is combatting the rampant rise in greenwashing. It's created a culture of mistrust around green claims, which makes it difficult for stakeholders and consumers to make informed decisions on who to work with or buy from. Greenwashing also makes it harder to tackle bigger environmental concerns. With misleading data, we can't accurately measure businesses impact on the environment, which is essential if we are to take meaningful action to reduce our impact. Ultimately, greenwashing practices are slowing down our ability to effectively reduce our impact as a collective. We are at a point where sustainability related decisions need to be made quickly. [08:00] Clearer Communications: This directive also has more control over what you can and can't say in relation to green claims. By waiting until that independent verification has occurred, businesses can feel confident in the information they're communicating. [09:30] What is Green Masking? Coined by Carbonology, green masking is where organisations are essentially marking their own homework and hiding behind that fact. It's where no independent verification has taken place, which can result in a lack of accuracy and transparency. [10:25] Who needs to comply with the EU Green Claims Directive? – This is an EU based regulation, so if you're located within the EU you will be expected to comply with this law. If you do business within the EU, so if you're based in the UK and sell to Europe, then you will also fall under this jurisdiction as well. [11:25] What is required by the EU Green Claims Directive?: A full summary of the directive's requirements can be found on the EU website. A simple break down of these requirements is also available on The Anti-Greenwash Charter website. Charlie recommends familiarising yourself with the EU Green Claims Directive requirements initially, which are written to suit how businesses generally operate. He also advises that you seek legal assistance as well as sustainability and marketing experts or consultants to get a full picture of how you can comply with these requirements. [13:35] There is an emphasis on substantiation and verification in the EU Green Claims Directive – what does this mean in practice? A green claim doesn't account for much if you're marking your own homework. For it to be truly substantiated, it needs to be verified by an independent third party. The Directive also highlights the need for life cycle data, and its inclusion within the verification process. This will give businesses a more wholistic view of the impact of the materials they use, the products they use and services they deliver. Charlie encourages businesses to get a head start on this now, not only due to the benefits it can bring but also to get ahead of the tightening of sustainability legislation that is coming down the road for the UK. [16:15] How will the directive impact the use of carbon offsetting and carbon neutrality claims within the EU? Businesses are going to have to be crystal clear in their terminology in terms of their substantiated claims. There is going to be a lot more scrutiny on the quality of evidence provided for carbon claims, so businesses may want to outsource help with analysing the relevant carbon data and communicating any claims and offsetting efforts. [18:25] Is the Directive ambitious enough? Or could it be strengthened? – Previous attempts to enforce sustainability regulations have been rather weak, and time will tell if this EU Directive is set to change that pattern. Charlie praises the Directives approach to best practice, though that will evolve further as time goes on. He thinks that the use of generative AI and how that impacts and influences sustainability communications needs to be considered further. It's all still quite new, so this may be added in down the line. The Anti-Greenwash Charter already have considerations for responsible AI use within communications and data processing within their Green Claims Policy Template. They caution any signatories of their Charter to be very careful with the use of AI to support data collection and analysis, as it has the tendency to ‘hallucinate', and companies will be held responsible for any mishaps related to incorrect results provided by AI. [23:00] What are the potential consequences for businesses that fail to meet the requirements of the EU Green Claims Directive? – The penalties will be significant, including both fines and potential bans in areas such as marketing, advertising and promoting sustainability claims on the basis of malpractice. Time will tell on how these penalties are delivered and to what extent within the EU and UK. It shares similarities with other regulations, such as ESOS, where a phased approach was implemented for organisations that met certain criteria. [25:00] How can The Anti-Greenwash Chater help organisations comply with the EU Green Claims Directive? – Since it's inception in 2022, they have paid close attention to the Directive's development, utilising any improvements and iterations to bolster their own process. As a result, a lot of the work they do with signatories directly aligns with and facilitates the delivery of the foundations of the Directive. Examples of this include: Independent verification – Their Green Claims Policy has to include a green claims database, so any claim that a business want to make has to have the relevant data to back it up. It also requires specification of what third party that business used to verify that evidence. Accessibility of evidence – This is stressed within the EU Green Claims Directive, and is easily fulfilled with the creation of a green claims database as specified by The Anti-Greenwash Charters' Green Claims Policy. A full summary of how The Anti-Greenwash Charter can help with compliance to the EU Green Claims Directive is available on their website. [27:55] How will the EU Green Claims Directive will impact consumer trust in environmental claims? – There's currently an issue with the flooding of sustainability related communications. With greenwashing so rampant, making an informed decision as a consumer is really difficult. The standardisation of sustainability credibility and substantiation is what the EU Green Claims Directive aims to do. Ultimately, it will act as a trustworthy marker for stakeholders and consumers to make an informed decision quickly. If you'd like to learn more about The Anti-Greenwash Charter, visit their website! If you'd like any assistance with carbon standards, get in touch with Carbonology, they'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Watch the Podcast Video on our YouTube Channel We are hitting a crunch point in regard to keeping to the 1.5°C limit as set out in the Paris Agreement. It's going to take a collective effort to reduce the most catastrophic impacts of climate change, which is exactly why we're seeing an increase in legislation and regulations that call for tangible evidence of sustainability efforts to combat the rise in greenwashing. If you're looking for guidance on sustainability transparency, today's guest has an initiative that can help. In this episode Mel is joined by Charlie Martin, CEO and Founder of The Anti-Greenwash Charter, to discuss how their charter promotes transparency and accountability for sustainability claims, and how it can help consumers to identify credible carbon claims. You'll learn · What is The Anti-Greenwash Charter · How can the Charter ensure credible carbon claims? · What are the biggest challenges businesses face in measuring their carbon footprint? · How can The Anti-Greenwash Charter help consumers to spot credible carbon claims? · What role do governments and regulatory bodies play in combatting greenwashing? Resources · Anti-Greenwash Charter · Green Claims Policy Template · Carbonology In this episode, we talk about: [00:30] Episode Summary – Charlie Martin joins Mel to discuss how The Anti-Greenwash Charter can help promote accountability and transparency in sustainability claims, and how it can help consumers identify credible carbon claims. [01:50] What inspired the creation of The Anti-Greenwash Charter?: Charlie used to run an agency called Gusta, which was a UK based business that worked on sustainability communication for organisations in the built environment. His focused shifted when the Competitions and Markets authority in the UK published their Green Claims Code alongside research which found that 40% of sustainability-related messaging online was misleading. At the same time, they had 2 very proactive clients (1 of which was going through B Corp certification) that highlighted that the CMA had not named the built environment as one of the affected sectors. They pointed out that the built environment accounts for 40% of all emissions, so were likely to be targeted by such regulations next. They asked to run a campaign that would Increase confidence both internally within their sectors and externally in their sustainability messaging. It was decided that a publicly available document would be the best way forward to proactively disclose their carbon reduction related activities. Other ideas were added for an editorial process to include legal, sustainability and marketing feedback ahead of publishing. Essentially, the origins are rooted in the notion of a green claims policy, which developed into a more robust accreditation signatory. [06:30] How does Charlie define Greenwashing?: Charlie defines greenwashing as "overstating or misleading stakeholders regarding the environmental credentials of an organization, service, or product. Charlie explains that there are two types of greenwashing: direct and indirect. Direct greenwashing involves making false claims about a product's environmental benefits, while indirect greenwashing involves making true claims that are irrelevant or misleading. [08:00] What are the key principles of the charter, and how do you ensure adherence among signatories?: The 4 key principles are: · Accountability · Honesty · Fairness · Transparency If you'd like to know more about each principle in more detail, visit The Anti-Greenwash Charter website. Taking a look at transparency in more detail, it's not just about sharing all the best sustainability related news for your business, it's about being willing and upfront with areas where you're not as strong. One keyway they ensure signatories adhere to this principle involves publicly displacing their green claims policies. The first section of every policy is ‘where can we improve?' – they specify this as there isn't a company that is 100% environmentally sustainable, and businesses need to be honest about this if they want to improve. [12:15] What are Charlie's thoughts on the current state of Net Zero claims? There are some promising developments, such as the upcoming Green Claims Directive, which has more requirements set around how people make claims and being held accountable for those. It's challenging for everyone to navigate, and the big thing here to remember is that everyone is clumsy when it comes to Net Zero. Businesses are trying their best, but when getting deep into the topic of sustainability, it becomes clear how broad it truly is. Ultimately, people have to be okay with getting things wrong. Some people see setting ambitious targets as dangerous, but if we don't push for them, change is going to happen at a snails pace. There is a need for credible, substantiated plans that are in-line with best practice, but we need to be careful to not go too far in that direction to ensure that it helps rather than hinders sustainability efforts. Innovation should be encouraged and not punished if mistakes are made or certain really ambitious targets aren't met within a certain timeframe. Mel highlights that Standards such as ISO 14064 are great frameworks to guide businesses in measuring their carbon footprint, with guidance that encourages independent third party verification for further transparency. [15:40] The Green Claims Directive and Transparency – Charlie highlights that the Green Claims Directive identifies independent third party verification as a mandatory requirement of claims made before they're disclosed publicly. As this is also something that The Anti-Greenwash Charter encourages, signatories are already ahead of the curve. [17:10] What are the biggest challenges that companies are facing in accurately measuring their carbon footprint and how does the Charter help to address these challenges? The main challenge is accurately measuring their carbon footprint, and the charter acts as a signpost with referral partners who can assist with this aspect of their sustainability journey. Another challenge is communication. So you've got your substantiated claims and green credentials, but how do you go about communicating that? That's one of the crucial elements that The Anti-Greenwash Charter can help with. As mentioned earlier, they can help verify a publicly available green claims policy, which is a huge step towards credible carbon claims. If you'd like an example of this, you can download Anti-Greenwash Charters' green claims policy template from their website – which provides a step-by-step guide on producing one of your own. [20:50] What are the broader benefits for companies that adopt a transparent and credible green claim? Charlie explains that signatories have used their status as a signatory for their Charter on tender frameworks, and won due to that fact. Another benefit is the Charters' credibility, which gives external stakeholders confidence that a business is doing what they claim to be doing. They also offer anti-greenwashing awareness training, which gives those within the business the tools and techniques that can be utilised in any published content to ensure they aren't making any greenwashing claims. [22:25] The negative effects of greenwashing on well meaning businesses: Charlie and Mel both highlight the sad reality that many businesses would prefer to simply not make any green initiatives or claims public for fear that if they are not done 100% successfully then there's a chance for reputational damage. The need for robust sustainability frameworks that build confidence is clear. Due diligence is important, and so is the need to allow room for mistakes to happen, so long as businesses take the necessary steps to fix them and keep continually improving. [27:15] What role does Charlie see governments and regulatory bodies playing in combating greenwashing, and what policy changes would he like to see? – The EU Green Claims Directive is currently best in class as it requires businesses to look at the consequences of their impact on the environment, in addition to the requirement for independent verification to back up any claims made. Other regulations here in the UK, like the Green Claims Code, is weaker in comparison. It was watered down through negotiation into a more voluntary scheme. For us here in the UK, we really do need to align with Europe, as their regulations are a lot more robust and offer a tangible path towards a united greener future. There are other benefits, as Mel highlights from her Masters research, there is compelling evidence that a company's value increases by an average of 10% if their carbon claims are independently verified. [32:35] What are Charlie's aspirations for The Anti-Greenwash Charter? And what are his hopes for the future of credible carbon claims? – They're really keen to become a multinational signatory, which is already showing promise as they've had interest from the US and Australia. Charlie envisions a future where businesses publish a green claims policy regardless of if it's mandated by legislation. This is so we can build confidence in green claims being made and be assured that people are doing what they say they're doing. To help with credibility and transparency, The Anti-Greenwash Charter has been incorporated as a not-for-profit organisation. Charlie wants to reaffirm that they started this to ultimately reduce the impact businesses make on the planet, and they are fully committed to this goal. If you'd like to learn more about The Anti-Greenwash Charter, visit their website! If you'd like any assistance with carbon standards, get in touch with Carbonology, they'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO Standards have been at the forefront of creating a unified approach to various aspects of sustainability, ensuring businesses have a robust framework to both manage and reduce their environmental impact. However, there are a lot of different sustainability Standards that cover specific areas of sustainability, or only apply to certain sectors. Each come with their own pros and cons, making it tricky to pick the best fit for you. In this episode Steph Churchman introduces four of the leading sustainability focused ISO Standards and explains the benefits and disadvantages of each to help you decide which could be the best fit for your business. You'll learn · Learn about our upcoming ESG Workshop · What is ISO 14001? · What are the pros and cons of ISO 14001? · What is ISO 50001? · What are the pros and cons of ISO 50001? · What is ISO 20400? · What are the pros and cons of ISO 20400? · What is ISO 14064? · What are the pros and cons of ISO 14064? Resources · Isologyhub · Register for our ESG Workshop (26th March 2025) In this episode, we talk about: [02:05] Episode Summary – Steph discusses the leading sustainability ISO Standards, and explains the advantages and disadvantages of each. [02:45] ESG Workshop: On the 26th March 2025 we'll be explaining how ISO Standards directly support ESG compliance, and we're including the opportunity to participate in 1 of 3 interactive sessions that tackle things like completing a materiality assessment, a balance scorecard and learning more about the current mandatory ESG reporting requirements. Register your place here. [03:15] What is ISO 14001?: ISO 14001 is the Standard for Environmental Management. Published back in 1996, this Standard is one of the staples in the ISO world. Its main purpose is to establish and implement an effective environmental management system (EMS), with the primary goal of helping organizations to minimize their environmental impact and achieve sustainability objectives. It sets out general requirements for: · Pollution control · Reduction of your impact on the environment · And compliance to relevant legislation It is also due for a revision soon, with the latest version expected to include further considerations for changes to available technology, more emphasis on product life-cycle and supply chain issues and further guidance on integrating environmental issues into your strategic planning. [04:35] What are the benefits of ISO 14001?: Reducing environmental impact: By identifying and controlling environmental aspects, organizations can minimize pollution, reduce waste, and conserve resources. Improved compliance: ISO 14001 helps organizations comply with environmental regulations and legal requirements, such as the environment Act 2021, reducing the risk of fines and penalties. Improved efficiency: ISO 14001 helps to tighten production processes, leading to better efficiency and reduction in the risk of incidents. It also removes uncertainty by managing disruption and waste and helps to clarify staff responsibility. Enhanced reputation: Demonstrating a commitment to environmental responsibility can enhance your reputation and brand image, attracting environmentally conscious customers and stakeholders. Cost savings: Implementing an EMS can lead to cost savings through improved resource efficiency, reduced waste disposal costs, and lower energy consumption. Businesses can also benefit from reduced insurance costs by demonstrating better risk management. Increased competitiveness: ISO 14001 certification can give organizations a competitive advantage in the marketplace, particularly in sectors where environmental performance is a key consideration. [06:45] What are the disadvantages of ISO 14001? Initial costs: Implementing an EMS requires an initial investment in resources, including training, documentation, potentially hiring consultants, and if you're going for certification, that will incur its own costs from a certification body too. Ongoing maintenance: Maintaining an EMS requires ongoing effort and resources to ensure compliance with the standard and continuous improvement. Potential for bureaucracy: If not implemented effectively, an EMS can become cumbersome, hindering operational efficiency. Limited scope: ISO 14001 focuses primarily on environmental aspects within an organization's direct control, and may not address broader environmental impacts or social responsibility concerns – which is where other Standards can fill the gap. [08:05] What is ISO 50001? – ISO 50001 is an internationally recognized standard that provides a framework for organizations to establish, implement, and maintain an Energy Management System (EnMS). The primary goal is to help organizations improve energy performance, including reducing energy consumption, increasing energy efficiency, and using energy more effectively. [08:40] What are the benefits of ISO 50001? Reduced energy costs: By identifying and addressing energy inefficiencies, you can significantly reduce your energy bills. We had great success with this when we worked closely with a branch of the NHS, where their initial energy spend was around £2.8 million which was reduced by £1 million as a result of implementing ISO 50001. Improved energy performance: ISO 50001 helps organizations establish baselines, set targets, and track progress in improving energy performance. This is vital as you can't hope to reduce what you can't measure. Enhanced environmental performance: Reduced energy consumption leads to lower greenhouse gas emissions and a reduced environmental impact. Often times, energy usage is the largest impact many organisations have on the environment, especially for those who may only have an office or warehouse. Increased competitiveness: Demonstrating a commitment to energy efficiency can enhance an organization's reputation and attract environmentally conscious customers and stakeholders. Improved operational efficiency: An energy management system can lead to improved operational efficiency through better resource management and reduced waste. [10:55] What are the disadvantages of ISO 50001? Initial investment: Implementing an EnMS requires an initial investment in resources, including training, data collection, and possible help from a consultancy. Limited Guidance: Calculating your energy usage can be complicated, especially if you're spread across multiple sites and countries. In cases where you're renting space, you may face difficulties obtaining the information needed, then on top of that is the actual calculation which may involve conversion factors if you've got international sites in scope. Resistance to change: Implementing changes to energy-using processes can sometimes meet with resistance from employees. A lot of practices will require a change in habits, such as turning off and unplugging all devices when leaving an office, or more frequent checks on equipment to ensure it's running optimally. Limited scope: ISO 50001 focuses primarily on energy performance within an organization's direct control and may not address broader energy-related issues or the entire supply chain – which includes its own energy consumption considerations. [12:30] What is ISO 20400? – ISO 20400 is an internationally recognized standard that provides guidance on sustainable procurement. It helps organizations integrate sustainability considerations into their procurement processes, ensuring that environmental, social, and economic factors are taken into account when making purchasing decisions. This Standard differs from the others as it's not a certifiable Standard. It's a guidance document that you can align with. For those of you looking into ESG schemes, this Standard is often citied as a key tool to help get you in the right place for scoring. In addition, for those of you looking into more comprehensive carbon reporting, Supply chains are often one of the biggest sources of emissions. Alignment with that Standard will allow you to take a good hard look at the suppliers you work with, and determine if they hold the same sustainability values as you. [13:25] What are the benefits of ISO 20400? – Reduced environmental impact: By selecting suppliers with strong environmental performance, businesses can reduce their overall environmental footprint. You also have a great chance to help influence your own supply chain, we know that if you've had a reliable supplier for a number of years, it's not just a simple case of cut and move on. Improved social responsibility: ISO 20400 encourages organizations to consider the social and ethical impacts of their procurement decisions, such as fair labor practices and human rights. Enhanced reputation: Demonstrating a commitment to sustainable procurement can enhance your reputation and brand image. It shows that you're thinking and acting sustainably from start to finish for either your product production or service delivery. Cost savings: Sustainable procurement practices can lead to cost savings through reduced waste, improved resource efficiency, and lower long-term maintenance costs. Increased innovation: Working with sustainable suppliers can expose you to new technologies, products, and services that can improve your own operations. [15:35] What are the disadvantages of ISO 20400? – Increased complexity: Integrating sustainability considerations into procurement processes can add complexity and require additional resources. This would include supplier checks before working with new suppliers and a review of all current suppliers to see where improvement could be made. Finding sustainable suppliers: Identifying and qualifying sustainable suppliers can be challenging. Though more businesses are certainly making an effort to be more sustainable, ensuring they have proof of their claims is essential. Potential for higher costs: In some cases, sustainable products and services may have a higher initial cost compared to conventional options. Limited scope: ISO 20400 focuses primarily on procurement practices and may not address broader sustainability issues within the organization. This is where ISO 20400 can be supported by certifiable standards such as ISO 14001 and ISO 50001. [17:00] What is ISO 14064? – ISO 14064-1 is an internationally recognized standard that provides a framework for organizations to quantify and report their greenhouse gas (GHG) emissions and removals. It helps organizations to: · Understand their carbon footprint · Set reduction targets · Engage in carbon markets · Improve environmental performance [17:45] What are the benefits of ISO 14064? Improved data quality: The standard provides a robust methodology for collecting, analyzing, and reporting GHG emissions data, ensuring accuracy and consistency. Set achievable reduction targets: By having an accurate way to measure your impact, you can look to set realistic and more importantly achievable reduction targets. Enhanced credibility and transparency: Both consumers and stakeholders are increasingly looking at real tangible evidence of your carbon claims. Simply having a sustainability page full of promises is no longer enough, you need facts and figures to back up what you say you're doing. Reduced climate risk: By understanding and managing your GreenHouse Gas emissions, you can better mitigate the risks associated with climate change, such as regulatory changes and physical impacts. Competitive advantage: In an increasingly climate-conscious world, businesses that can demonstrate their environmental performance through credible GHG reporting will gain a competitive advantage. [19:30] What are the disadvantages of ISO 14064? Initial investment: Much like the other Standards, if you want to do this right you will have to invest time, resources and money. That could include hiring consultants to help you with the necessary calculations, and if you wish to go for full verification, then there will be an additional cost from a verification body. Ongoing maintenance: Maintaining an accurate and up-to-date GHG inventory requires ongoing effort and resources. Monitoring your emissions doesn't stop once you get a verification badge, it will be on-going. Data complexity: Collecting and analyzing GHG emissions data can be complex, especially for large and diverse organizations. So, you may need some initial help to do and understand this yourselves. Limited scope: ISO 14064-1 focuses primarily on the quantification and reporting of GHG emissions and removals, and may not address broader sustainability issues. If you'd like any assistance with implementing any of these Standards, get in touch with us, we'd be happy to help! We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
If you've ever implemented an ISO Standard, then the term Management Review will be familiar to you. It's a mandatory part of the implementation process, and a crucial tool for monitoring continual improvement. Somewhere down the line, it's become a bit of a myth that a Management Review needs to be an annual meeting. That is simply not the case, while required by the Standard, it's very flexible on how this could be achieved. In this episode Ian discusses the purpose of Management Review, including what you should be including and getting out of the review and breaks down the fallacy of the annual event. You'll learn · What is the purpose of a Management Review? · What are the common misconceptions about Management Review? · How Management Review supports other clause requirements · What are the inputs for Management Review? · What are the outputs of a Management Review? Resources · Isologyhub · How to conduct a Management Review In this episode, we talk about: [02:05] Episode Summary – Ian discusses the real purpose of Management Review, and dispels the myth of the annual event. [02:35] What is the purpose of a Management Review?: Management Review is a requirement of all ISO Standards. It's main purpose is to check if your Management System is fit for purpose, and what needs to be updated to ensure it aligns with your businesses objectives and strategic direction. In short, it's there as a check to see what's working well and what's not working well, in addition to continual improvement considerations. [03:30] What are some common misconceptions about Management Review?: Some common misconceptions include:- · That it's simply a formality – Rubber-stamping things and missing out on the opportunity to effectively monitor management system progress · That It must be once a year · Having to review everything in excruciating detail i.e. all audit findings · The need to update the risk assessment and re-jigging scores · That you must review and update your SWOT/PESTLE · Or review and update all management system documentation · That it's the perfect opportunity to re-write a policy There is a time and place for all of these, and you could tackle some of this in a Management Review if you really want to, but that is not the main purpose of a Management Review. [04:50] How Management Review supports other clause requirements - Leadership: If we take ISO 9001 as an example, the Leadership clause states: “Top management shall demonstrate leadership and commitment with respect to the quality management system by: a) taking accountability for the effectiveness of the quality management system e) ensuring that the resources needed for the quality management system are available g) ensuring that the quality management system achieves its intended results” These requirements at first glance may seem like they'd require a lot of effort and monitoring of many different factors, but in actuality they can all be satisfied through effective Management Review. [05:55] What involvement is required from top management? As stated in ISO Standards:- “Top management shall review the organization's management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.” Top management also have involvement in the following elements of implementing and maintaining a management system: · Context · IPs · Risks/Ops · Objectives · Policy · Support · Operation · Performance monitoring Management Review relates specifically to ‘performance monitoring', but that in of itself will include elements of all the other clauses within the Standard, and many of those require top managements involvement on some level. [07:45] The fallacy of the annual event – The Management Review clause specifically states that a Management Review should be ‘carried out at planned intervals'. Many had interpreted that as once a year, which has been the prevailing myth for decades. Looking at the Standard, no where does it say ‘once a year', planned intervals means it could be once a month, it could be once a week, it could be a set points during the summer. When deciding on these planned intervals, take into consideration the nature of your business, the size of your business, the risks associated with it and the maturity of your Management System. This will determine how frequent the Management Review should be, as it will differ for every business. [09:10] Examples of Management Review frequency – Ian has worked in an organisation where they had a rather grand Management Review process, where top management and other relevant individuals meet to review the past year and set the scene for the following year. That same organisation also had monthly meetings with the same members of top management to keep on top of new and on-going issues. That isn't to say this is the only way to run Management Review. Some opt to have quarterly meetings, others once every 6 months and some even leave it to once a year. [10:40] What is required of Management Review? Inputs – Clause 9.3 details the requirements of Management Reivew in most Standards (some swap 9.3 and 9.2 around, but the contents remains the same). First, the inputs required for Management Review include: The status of actions from previous management reviews - If you said you were going to do something before, how's that going? Changes in external and internal issues that are relevant to the quality management system - this doesn't mean that every meeting should consider the SWOT/PESTLE/IP tables, but there must be some determination of when that's done in detail and when a senior mgt discussion should include the key aspects of that and its impact. There is a need to review these things when required anyway, so doing it only at pre-defined times can be problematic. Information on the performance and effectiveness of the quality management system, including tends in:- · Customer satisfaction and feedback from relevant interested parties; · The extent to which objectives have been met; · Process performance and conformity of products and services; · Nonconformities and corrective actions; · Monitoring and measurement results; · Audit results; · The performance of external providers; · The adequacy of resources; · The effectiveness of actions taken to address risks and opportunities; · Opportunities for improvement. [20:45] What is required of Management Review? Outputs – You will also have a number of outputs from Management Review, including:- Opportunities for Improvement – This could be as a result or reviewing audit findings and discussing the OFI's found and how you can address and implement these. You could also use the Management Review to review and set new objectives for the year ahead. Any need for changes to the management system – You may need to review policies and procedures and see if they're still fit for purpose, if they're not then this is a good venue to discuss and update them. Other aspects that may have changed or will have a need to change include: · Interested parties – have their needs and expectations changed? · People – Do you need to change the people involved with certain processes? · Awareness – Do you need to raise more awareness around a specific topic? Resource needs – You may need to raise the need for more resourcing in regard to the management system or related processes. If you'd like to learn about alternative ways to host a Management Review, listen to one of our previous episodes. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The importance of setting key objectives can't be understated. They help drive continual improvement and reflect a business's key metrics for success in various areas. They are also a key aspect of implementing an ISO Standard, with most specifying a dedicated Objectives clause. While most businesses will have objectives irrespective of any ISO certification, many may fall into the familiar trappings of having separate objectives for different departments, which only serves to fragment your measurement of success. In this episode Ian discusses the importance of setting key business objectives, and why you should be aligning these with your strategic direction. You'll learn · What is the Annex SL format and why was it introduced? · What is meant by ‘Strategic Direction'? · The importance of risks and opportunities in objective planning · Who are setting key business objectives important? · How can you align objectives with a businesses strategic direction? Resources · Isologyhub In this episode, we talk about: [02:05] Episode Summary – Ian discusses how to align objectives with the strategic direction of the business, and why it's important to do so. [02:55] What is the Annex SL format and why was it introduced?: The Annex SL format refers to the standard 10 clause structure that we now see in most ISO Standards. Introduced back in 2015, it sought to address the issues with integrating multiple Standards, in addition to making them more accessible to every sector. Prior to 2015, many ISO standards were designed with specific sectors in mind, using terminology that would make sense to them, but perhaps not to others. The Annes SL format now uses the same language across all ISO's, making It easy to integrate multiple ISO compliant Management Systems. [06:10] What is meant by the term Strategic Direction? Leadership: This is a term that appears in ISO 9001 5 times. We first see it in Clause 5 – Leadership, where it states: “Top management shall demonstrate leadership and commitment with respect to the management system by ensuring that the policy of objectives are established for the management system and are compatible with the context and strategic direction of the organisation.” This is where it's made explicitly clear that leadership / management are responsible for ensuring the Management System aligns with the way their business runs, in addition to integrating it into existing processes. [07:05] What is meant by the term Strategic Direction? Management Review: It also appear in clause 9.3 Management Review, where it states: “Top management shall review the organisation system at planned intervals to ensure its continuing suitability adequacy, effectiveness and alignment with the strategic direction of the organisation.” Again, this reinforces the need for top management to be involved to ensure that the Management System is in alignment with their overall goals. [08:40] What is meant by the term Strategic Direction? Context of the Organisation: It also appears at the very start of the auditable clauses, in Clause 4 – Context of the organisation, where it states: “The organisation shall determine the external and internal issues which are relevant to its purpose and its strategic direction.” This involves looking at issues from a legal, technical, competitive, cultural and economic point of view, and many of these will be determined by top or broader management within the business. They ultimately have the most influence in how a Management System is built, therefore have the most influence on how the policies and objectives are created. [10:45] The importance of risks and opportunities in Objective planning – Clause 6 (Planning) is where we address risks and opportunities raised in clause 4. It states that ‘Objectives must be established at relevant functions, levels and processes.” For us at Blackmores, we directly relate the findings from a risks and opportunities assessment (such as a SWOT & PESTLE), and link these to our objectives to try and minimise those risks. We also leverage the opportunities, by making them real tangible goals to work towards – seems obvious but we often see businesses missing the link between these exercises! [12:00] How can you set Objectives in alignment with Strategic Direction?: Many businesses now build their mission, values and strategic direction around sustainability and general ESG. When building a management system, you need to consider how it affects those sustainability / ESG goals, because that is essentially the context of your organisation. So, you'd need to consider: How does environmental performance, health & safety performance or legal compliance contribute to the success of the management system as a whole? You don't have to be going for ISO 14001 or ISO 45001 for these things to matter, even a quality management system can contribute to sustainability goals. This can be through improving economic performance by reducing waste ect. Also, don't be afraid to relate economic performance to your management system. If you have a turnover goal of X, mention that in your context documentation, and also consider how the management system can contribute to achieving that goal i.e. through processes, controls, monitoring and improvement activity. Also consider your client requirements, they may require an accident rate below X which can also be included in context documentation and can then be factored into your management system measures and objectives if need be to achieve that. [16:55] How do you establish your objectives? – First you must establish context, and that context must be relevant to the purpose and strategic direction of the business. The context setting must include those who understand that context, strategic direction and the purpose of the business, the risks and opportunities must be assessed in relation to that context, which in turn is already aligned with strategic direction. Finally the objectives must be set in relation to those risks and opportunities. It's all about having the right people to identify the relevant issues affecting the organisation, and setting concrete objectives in order to improve that. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
AI usage has skyrocketed in the past 2 years, with many commonplace apps and software now featuring an AI integration in some form. With the rapid development and possibilities unlocked with this powerful technology, it can be tempting to go full steam ahead with implementing AI use into your day-to-day business activities. However, new technologies come with new risks that need to be understood and mitigated before any potential incidents. In this episode Mark Philip, Information Security Manager at Cloud Direct, joins Ian to discuss emerging AI risks and how you can build AI resilience into your existing practices. You'll learn · Who is Mark? · Who is Cloud Direct? · How can you assess your current level of AI resilience? · What are some of the key threats that AI systems currently face, and how can you mitigate these? · How can you utilise AI to enhance your security? · What is best practice when responding to an AI related security incident? Resources · Cloud Direct · Isologyhub In this episode, we talk about: [02:05] Episode Summary – We invite Cloud Direct's Information Security Manager, Mark Philip, onto the show to discuss AI risks and how to build in AI resilience into your existing security practices. [03:25] Who is Mark Philip?: While his primary role is as an Information Security Manager at Cloud Direct, a little known fact about him is that he is an amateur triathlete! At London earlier in 2024, he was lucky enough to bump into Alistair Brownlee, who is the UK's two time gold olympic medalist in triathlon. [05:10] Who are Cloud Direct? – Founded in 2003, Cloud Direct are a Microsoft Azure expert MSP that is the top of Microsoft accreditation that any partner can hold, putting them in the top 5% of Microsoft partners globally. They offer consultancy and professional managed services, specialising in Microsoft Cloud, which is all underpinned with security across the whole Microsoft stack. They also assist with digital transformation and modernisation. [06:30] Assessing the current AI risk landscape: Ian points out that a recent report from the Capgemini Research Institute found that 97% or organisations are using generative AI. With this increase in AI use, there is a correlation with an increase in security incidents related to AI. Mark adds that this technology is so new, with a lot of larger software companies such as Microsoft pushing AI elements into their tools. So there is a learning curve involved with utilising the technology. There is also a lack of Risk Assessment being done in relation to AI, not a lot of though is going into the use of AI on a day-to-day basis. If you're using an AI platform, you need to ask yourself: What is this platform actually doing with the data I'm inputting? There is also the fact that shady individuals are already leveraging this technology with the likes of deep fakes, bad bots and more sophisticated phishing schemes – and the harsh truth is that they're going to get better at it over time. [08:20] What is AI resilience and why is it so important? – AI resilience is about equipping businesses with the processes that control the use and deployment of AI usage, so that they can anticipate and mitigate any AI risks effectively. Similar to ISO Standards, this would involve a risk-based approach. However, this will look very different depending on your business and how you are using AI. For example, the risks of someone using AI to generate a transcript of meeting notes will be much lower in comparison to a healthcare company using complex sets of data with AI to synthesize new medicines. So, if you are using AI you need to consider what the inherent risks could be, and that would be dependent on the data you're processing i.e. is it sensitive data? And then factor in if the software is publicly available (such as ChatGPT), or it is a closed model under your control? Asking these types of questions will give you a more realistic outlook on the risk landscape you face. [10:35] How can a business assess their current level of AI resilience? AI is here to stay, so you won't be able to avoid if forever. So first, you need to embrace and understand it, and that includes creating a clear picture of your use cases. Mark states they did this exercise internally at Cloud Direct when they were starting to use Microsoft's Co-Pilot. They asked themselves: · What sort of data is the software interacting with? · What data are we putting into it? · How do Microsoft manage the program and related security? · Are Mircrosoft storing any of that data? It's not just about the security either, you need to understand why your using AI and if it will actually be to your benefit. A lot of people are using it because it's new and shiny, but if it's not actively helping you achieve your business goals, then it's more of a distraction than anything else. For those looking for additional guidance on AI policies, risks and resilience, there's a lot of guidance provided by both ISO and the NCSC. ISO 42001 in particular is useful for both people using AI and developers creating AI. If you're stuck on where to start, a Gap Analysis is a fantastic tool to see where you are currently and what gaps you need to bridge in your security to cover any AI usage, and to see how well you are complying with current legal requirements (the EU AI Act is now in effect!). Another tool is a Risk Assessment. You may not process what many would consider sensitive data, such as healthcare information, but even if you store and hold customer data, then you need to ensure that any AI you use doesn't pose a risk to it. [14:30] How can AI improve security and resilience? – Sticking with Microsoft as an example, as they are releasing a lot of AI driven tools, they can be used to fill gaps that humans may not have the time to do. Once example of this is monitoring and sending security alerts, previously a system may have just sent this to a human member of staff to resolve, but now AI security tools can act on those alerts on your behalf. So, if you have limited IT resources, this could be a fantastic addition to your security set-up. It also eliminates the lag of human response, and AI can look at things in a way a human wouldn't think to. [17:55] How do people stay ahead of the curve in the evolving AI landscape? – You should be using the myriad of resources available to learn about AI, as there are webinars, social media feeds, blogs and videos released constantly. Microsoft in particular are offering a comprehensive feed of information relating to AI, the risks and new technologies in development. The key is to understand AI before integrating it into your business. Don't just jump at the new shiny toys being advertised to you, go to reputable sources such as the ICO, NCSC, Cyber Essentials and regulatory bodies to learn about the technology, the benefits it can bring in addition to the risks you need to mitigate against. Mark can vouch for Microsoft's though leadership in this field, as they keep all of their customers up-to-date with all of their AI related developments. Cloud Direct themselves are also putting out some great content, so don't forget to check out their resources. If you are already utilising Microsoft's tools, the Cloud Direct can help explain how their new tools can apply to your business. If you're looking for assistance with ISO 42001, then Blackmores can help you with implementing a robust AI Management System. [21:40] What is best practice when responding to an AI related incident? – To be honest, there's no reason to not treat it like any other security incident. We've already adapted to more sophisticated security risks as a result of the move towards home and hybrid working over the pandemic. This simply another stage along in this ever changing security landscape. You should treat it like assessing any new step, and you likely have all the processes in place for analysing risk already in place, simply apply them to the usage of AI and put in place the necessary governance based on your findings. Standards such as ISO 20000 IT Service Management and ISO 22301 Business Continuity are fantastic tools of you're new to this sort of incident response planning. If you've already been certified to these standards, then you likely have the following in place already: · Risk Assessments · Business Impact Assessments · Business Continuity Plans · Recovery Plans Simply add AI as an additional risk factor into your existing management system and update the necessary documentation to include actions and considerations for its use. If you update your Business Continuity and recovery plans, then make sure to test them! Don't just assume that they will work, put them to the test and adjust until you're comfortable that in a real incident, everyone in the business knows how to react, what to communicate and how to get back up and running. [24:00] What are Mark's predictions for the field of AI resilience? – People need to look at the opportunities in utilising AI, a lot of people are using it without really understanding it so there's a lot of learning still to do. So, he expects to see a lot of businesses fully grasping how they can use AI to their advantage in the coming years. With that comes the challenge of ensuring it's integrated safely, with the right governance embedded to ensure its safe and ethical usage across entire organisations. Another big challenge is the handling data privacy within AI. Scams are only going to get more complex as AI develops, and you need to ensure your business can protect against that as much as possible. Also businesses should carefully consider what AI platforms they choose to use. Ensure you understand what data is being input and stored, and the level of control you have over it. All of this to say, there are a lot of massive benefits of using AI and you should shy away from it. But, you need to ensure you are using it safely and ethically. [27:30] What is Mark's book recommendation? – The hunt for Red October by Tom Clancy [28:45] What is Mark's favorite quote? – “I have a bad feeling about this…” – Star Wars Want to learn more about Cloud Direct? Check out their website. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The uptick in greenwashing cases, and subsequent outing of these claims only serves to make stakeholders and consumers dubious of any businesses sustainability pledges. One key way to combat this is to have the information to back up your claims, something that is becoming a mandatory requirement for some depending on sector, location or company size. In this episode, Mel dives into the use of ISO 14064 and how verification to this internationally recognised Standard can help companies build trust and ensure their climate action claims are genuine and impactful. You'll learn · What is Greenmasking? · Why there is a need for transparency in green claims · What is Greenhouse Gas Statement Verification? · What is ISO 14064? · How can ISO 14064 Verification combat greenmasking? Resources · Carbonology · 7 Shades of Greenwashing Guide In this episode, we talk about: [02:05] Episode Summary – In this episode, Mel delves into the world of ISO 14064 and explores how verification under this international standard can help companies build trust and ensure their climate action claims are genuine. Catch-up with the previous episodes in the series here: The Rise of Greenwashing The 7 Shades of Greenwashing [03:05] What is greenmasking?: Greenmasking (a term coined by Carbonology®) is used to describe the practice where organisations self-certify their environmental impact without independent verification. This means they claim their green credentials are accurate while avoiding transparency about their methodology and data. Essentially, they are "marking their own homework," which can lead to misleading claims about their sustainability efforts. This could be compared to someone completing their own MOT and signing it off themselves, instead of taking it to a qualified mechanic. Obviously, that MOT certificate wouldn't be valid in that case, and would have no credibility when it came to selling the car. [04:45] The need for transparency – For carbon reporting to succeed globally, enforcement will need to be standardised across all nations. With transparency around ESG initiatives increasingly important, you need to be able to objectively and accurately measure and report on your carbon footprint. Some to keep an eye on include the Green Claims Directive and the Anti-Greenwashing Charter. Stakeholders are now looking for independent Verification of the accuracy of your emissions data and your calculated carbon footprint through Standards such as ISO 14064-3. [07:05] What is Greenhouse Gas (GHG) Statement Verification? - GHG Verification is the engagement of an independent third-party by an organisation to provide Verification of their GHG statements using standards such as ISO 14064-3. Carbon footprint Verification involves, collecting data and reporting on your emissions from your company's activities, and then independently verifying its accuracy to provide assurance to stakeholders that your claims are transparent and true. If you'd like to learn more about the differences between the Greenhouse Gas Protocol and ISO 14064, check out a previous episode. [08:10] What is ISO 14064-1 and ISO 14064-3? – This is the specification for Greenhouse Gas emissions reporting and part 3 is the specification for verifying that, covering more elements than the Greenhouse Gas protocol. The reporting requires you to collect data from various sources across your scope 1, 2 and 3 emissions, collating it into a report and then have that report independently checked against the requirements of ISO 14064. [09:45] How can Greenhouse Gas Verification combat greenmasking? – · Highlights integrity - Verification against ISO 14064-1 highlights the veracity of your systems and processes to prove your GHG inventory, assertions and reports conform to the ISO 14064 standard; and are free from errors, omissions or misstatements, demonstrating the highest integrity of your GHG reporting. · Validation of Net Zero goals - Verification against ISO 14064-1, establishes the integrity of your claims towards Net Zero. · Verify success - Verification against ISO 14064-1 provides assurance of your carbon footprint declarations which will give confidence in achieving the projected emission reductions · Stakeholder assurance - Stakeholders are increasingly looking for independent Verification of GHG Data to prove reduction are achieved year on year Download a copy of The 7 Shades of Greenwashing from Carbonology's website here. If you would like some assistance with carbon Standards and reporting, simply get in touch with the team over at Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The rampant rise of greenwashing threatens to undermine genuine sustainability efforts and mislead consumers, with over 900 businesses in Europe being accused of the practice in 2024. Greenwashing can come in many different forms, and the tactics used aren't always easy to spot. In this episode, Mel dives into the 7 shades of greenwashing and explains the common greenwashing tactics you should be on the lookout for. You'll learn · What is Greencrowding? · What is Greenlighting? · What is Greenshifting? · What is Greenlabelling? · What is Greenrinsing? · What is Greenhushing? · What is Greenmasking? Resources · Carbonology · 7 Shades of Greenwashing Guide In this episode, we talk about: [02:05] Episode Summary – In the 2nd part of this 3-part series on greenwashing, we dive into the various methods and tactics used by businesses to avoid their sustainability obligations. [03:05] What is greencrowding?: This tactic relies on safety in numbers and occurs when different groups (like governments, organisations and companies) join forces to create the impression of making significant environmental changes. For example, 8 of the world's biggest 20 plastic polluters including companies such as Royal Dutch Shell, Coca-Cola, and BP are part of the Alliance to End Plastic Waste, however the group moves at the speed of the slowest member and sets low environmental targets to stall action as it is often costly and involves a lot of the companies resources and time [03:55] What is greenlighting? – This is when companies spotlight a particularly ‘green' product or operation which helps to draw attention away from tis otherwise environmentally damaging activities. Commonly seen in the car industry, recent BMW campaigning highlights the company's electric vehicles, despite being heavily invested in combustion engine vehicles therefore not addressing their major source of emissions. Another example is Exxonmobil, who heavily advertised its “advanced biofuels” made from algae, however didn't mention the fact that the biofuels made up a miniscule part of production. Since coming under scrutiny Exxonmobil have rescinded this project altogether and haven't looked to practical alternatives. [05:15] What is greenshifting? - This is where the blame gets shifted onto consumers. BP's “Know your carbon footprint” campaign is a key example, it invited customers to share pledges for reducing their individual emissions yet BP's core business continue to partake and scheme hugely polluting oil and gas projects. Another example include H&M who urged consumers to recycle their old clothes yet, the company continues to be a prime culprit in fast-fashion and have a significant part to plat in over-consumerism leading to environmental degradation. [06:10] The growing need for comprehensive carbon reporting – This occurs when companies use words like ‘eco', ‘sustainable' or related wording or symbols conveying green messaging with no evidence to support it. Kohl's and Walmart were sued for labelling toxic rayon textiles as eco-friendly bamboo. Another more recent example is McDonald's Paper Straws where In 2019 a paper straws to introduced to replace plastic ones, claiming it was an eco-friendly move. However, it was later revealed that these paper straws were not recyclable, leading to criticism that the company was misleading consumers about the environmental benefits. [07:15] What is greenrinsing? - This is where companies change their sustainability commitments or targets before actually achieving them. Repeatedly, Coca-cola has missed and moved its recycling targets. Between 2020 – 2022, the company dropped its targets for using recycled packaging from 50% by 2030 to 25% proving these targets were not sufficiently made. BP and ExxonMobil are two more examples of being criticized for frequently updating their climate targets without substantial progress. Various ambitious goals were announced over the years, but critics argue that these targets are often revised or postponed making it hard to assess real achievements and also trust between consumers, investors and legal frameworks are lost. So the takeaway here is, make sure you're targets are realistic! [08:45] What is greenhushing? – This occurs when companies deliberately underreport or hide green credentials to evade scrutiny, which is a rising practice found in larger firms who struggle to successfully hit their targets/ aims. Commonly found with firms that make distant net zero targets but do not report on progress. It allows them to hide the fact that they are not taking meaningful steps. Companies often avoid reporting positive environmental measures they may be taking to prevent greenwashing accusations which can be argued as counter-productive in the efforts to help drive systemic and industrial change in the most polluting industries. H&M and ExxonMobil are key examples of greenhushing and no-longer actively promote their sustainability practices as they have faced criticism over false / limited actions in the past. This one is rather damaging, especially to those who are taking meaningful sustainable action, but may not be keeping up with their targets. This is why it's so crucial to make those targets obtainable. If this practice continues, then there is less pressure overall for businesses to do their part for sustainability. It's important to celebrate the victories, no matter how small, as it all adds up to the bigger picture. [10:55] What is greenmasking? - Greenmasking (a term coined by Carbonology®) is used to describe the practice where organisations self-certify their environmental impact without independent verification. This means they claim their green credentials are accurate while avoiding transparency about their methodology and data. Essentially, they are "marking their own homework," which can lead to misleading claims about their sustainability efforts. Some companies offer ISO 14064 consulting and verification services that may not always adhere to the rigorous standards required for genuine verification. This can result in poor practices and undermine the credibility of the certification. For example, some consulting firms might offer ISO 14064 verification as part of their services but fail to conduct thorough and independent audits. Instead, they may ‘verify' the data is correct in-house. This can lead to situations where companies are able to self-label their environmental impact as compliant with ISO 14064 without truly meeting the standard's requirements. This results in a vast amount of unreliable and untrustworthy data that is purportedly verified. Furthermore, with some consultancy companies asserting that offering both consultancy and verification within the same firm is a viable option, it paves the way for poor reporting standards to be accepted, only worsening the problem in the long run. Greenmasking can have significant implications for stakeholders, including investors, customers, and regulators, who rely on accurate and transparent environmental reporting. To combat greenmasking, it is crucial for organisations to seek independent and accredited verification of their GHG emissions ensuring that their sustainability claims are credible and based upon the rigorous standards stated in ISO14064-3. Download a copy of The 7 Shades of Greenwashing from Carbonology's website here. If you would like some assistance with carbon Standards and reporting, simply get in touch with the team over at Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
In a world increasingly concerned about environmental impact, companies are under immense pressure to demonstrate their sustainability credentials. But how can businesses truly differentiate themselves from those simply paying lip service to green practices? Greenwashing is a term that you will likely be familiar with, as it's one that's been on the rise as consumer preference steers towards those who are seen to be doing the right thing. Alarmingly, high-severity cases, which involve companies that took a purposeful and systematic approach to concealing ESG violations, rise by more than 32% year on year. In our upcoming 3-part series we'll be exploring the impact of greenwashing on business, the different types of greenwashing and the role verification can play in building genuine evidence based sustainability strategies. In this episode, Mel dives into the first of this 3-part series to explain what greenwashing is, the common tactics used in greenwashing and how businesses can build genuine sustainability. You'll learn · Who is greenwashing? · Where did the term originate from? · The rise of greenwashing · What are some of the common greenwashing tactics used? · The danger of greenwashing · How can businesses build genuine sustainability strategies? Resources · Carbonology In this episode, we talk about: [02:05] Episode Summary – We kick off our 3-part greenwashing series with an exploration of what greenwashing really is, the common greenwashing tactics businesses employ and how you can avoid those pitfalls to build genuine sustainability within your business. [05:25] What is greenwashing?: Greenwashing, in essence, is the deceptive use of environmental claims to mislead consumers into believing a company's products or services are more environmentally friendly than they actually are. [05:45] Where did the term ‘greenwashing' originate from? – The term "greenwashing" was coined in 1986 by Jay Westerveld, an American environmentalist. Westerveld first used the term in an essay describing his experience at a hotel in Fiji. The hotel encouraged guests to reuse towels to "save the environment," but Westerveld observed that the hotel was simultaneously expanding its operations, significantly impacting the local environment. This contradiction highlighted the hotel's primary intent to cut costs rather than genuinely conserve resources. Westerveld's observation exemplified how businesses could deceptively use environmental claims to mislead consumers into believing their products or services are more environmentally friendly than they actually are. [06:35] The rise of greenwashing: Many businesses over a wide range of industries have made a pledge to reduce their carbon impact by 2050, driven by both an increase in regulation and consumer perception. However, the Economist highlighted some troubling research, citing that while many businesses will puff out their claims of sustainable practices, many don't have the evidence to back them up. Many should have the resource, say an Asset Manager, that could provide tangible reports on their carbon consumption each year, and yet they choose not to publicly disclose any such reports. So, a lot of talking the talk, but not walking the walk! [07:40] The growing need for comprehensive carbon reporting – There are a number of sustainability and ESG regulations now in effect, with more to come in 2025 (such as the Green Claims Directive that is due to come into affect on the 27th March 2025) that require businesses of different sizes and sectors to report on their carbon consumption and reduction. If you'd like to learn more about a few of these, check out our previous episodes on: · SECR · ISBB S2 · CSRD · CSDDD [08:15] What are the common tactics used in greenwashing? These can include:- · Vague and Ambiguous Claims: Phrases like "eco-friendly" or "sustainable" are often used without specific, quantifiable data. However, the EU Green Claims Directive, in theory help address this, although this only applied in Europe. · Focus on Single Issues: Highlighting one minor environmental benefit while ignoring significant negative impacts across the supply chain. · False Labels and Certifications: Creating misleading labels or misrepresenting genuine certifications. There are numerous ‘Green certifications' out there that charge for a badge, without providing any evidence, of for those that do provide information it could just be a document that isn't evidence based i.e. a Policy statement or ‘pledge' or ‘commitment' · "Greenwashing by Association": Implying a connection to environmental causes through sponsorships or marketing campaigns. [10:15] The danger of greenwashing – The danger with greenwashing is the negative impact it has through an Erosion of Consumer Trust. People are becoming increasingly skeptical of environmental claims, making it harder for truly sustainable companies to gain credibility. Greenwashing can also lead to Distorted Market Signals: creating a false impression of progress, hindering genuine innovation and investment in sustainable solutions. [11:30] How can businesses build genuine sustainability strategies? · Transparency and Accountability: Disclose environmental data openly and transparently. Seek independent third-party verification of sustainability claims. Focus on Life-Cycle Assessment: Evaluate environmental impacts across the entire product or service lifecycle, from raw material extraction to end-of-life disposal. Continuous Improvement: Set ambitious, measurable, and time-bound environmental targets. Regularly review and refine sustainability strategies based on performance data. Engage with Stakeholders: Collaborate with suppliers, customers, and other stakeholders to identify and address environmental challenges. If you would like some assistance with carbon Standards and reporting, simply get in touch with the team over at Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The end of another year has rolled around in the blink of an eye! We've managed to publish a whopping 42 episodes this year, pushing us over the 200 episode mark. We want to thank all our listeners, both old and new, for allowing us to continue to share both ISO tips and success stories from our wonderful clients. We hope you'll follow along as we continue our podcasting journey in 2025. To close out the year, Ian Battersby and Steve Mason share some of their stories of misadventures during audits, from common mistakes, to broom battles and forklift mishaps, they really have seen it all! Listen, laugh and learn what not to do during an audit. You'll learn · What not to do in an audit Resources · Isologyhub In this episode, we talk about: [02:05] Episode Summary – Ian and Steve share some of their experiences from their time as auditors. From common mistakes to outlandish situations that you'd have to see to believe, listen and learn what shouldn't happen during an audit. [03:40] Lazy Copycats: Steve recounts a time where a company had copy and pasted their Management Review for years, which rightfully earned them a non-conformity. Ian shares a similar story where a construction company submitting a tender had copy pasted the content and included the wrong company name! The copying doesn't stop there, as Steve remembers a company Quality Manual that managed to include multiple company names. It was found that they'd simply copy and pasted example pages they'd found online that looked good, but didn't bother to update any of the content to be relevant to them. [06:30] Training Troubles – Ian recounts a time where he was auditing a subcontractor for a construction company that required a record of training. The induction was very important and obviously needed to be documented. When he checked the documents, though all the forms had different names, all the signatures suspiciously had the exact same handwriting! Turns out the Director was signing them all off, which is obviously in breach of a number of health and safety related regulations. [08:00] IT Security slip-ups – Steve recounts a time where a Finance Director had good intentions, but poorly implemented his idea. The Finance Director didn't trust their IT system back-up and instead backed-up all his information on a memory stick. Steve had pointed out the flaws with this, such as losing the memory stick, data getting corrupted ect. It just simply isn't a safe or reliable way to store such important information. [09:05] Disconnected Leadership – Ian shares a time where an auditor caught the lack of leadership commitment to their management system. Despite it being a very nice looking management system by all accounts, the cracks showed enough for an outsider to spot the flaws. Steve adds that sometimes, you can over engineer a management system to a point past useful. It needs to work for your business, otherwise people will work around it to get what they need done. Steve had a rather obvious example if this when he required a chat with a member of leadership, who refused on the day initially, despite it being scheduled for 6 months. The person relented a few minutes over lunch where he posed his complete commitment to BS 5750 – A standard that existed 20 years ago and had since been replaced by ISO 9001. Very telling for his level of ‘commitment'. As we have covered in a previous episode – Leadership commitment is imperative to a successful management system. [11:40] Skip Diving for Secrets – Steve shares his experience of conducting a skip diving exercise, which is following a document waste trail. At a certain company, they ended up looking in an actual skip only to find what looked like a lot of confidential documents, when questioned someone had said that they looked like they belonged in the CEO's filing cabinet. When questioned, the CEO remarked ‘I didn't want you to catch me with anything that I shouldn't have, so I threw it all out last night'. This warranted a non-conformity as anyone could have gone past and fished out that confidential information just as Steve had. Ian also adds a time where he worked in the NHS and a local hospital had an accident where a lot of confidential medical files ended up scattered across the floor. These were documents that should have been disposed of securely. [14:05] PPE? You've got to be kidding me! – Ian recounts a time working for a manufacturing company that was part of a large international firm. Their UK operation had to abide by strict PPE requirements, proper shoes, eye protection ect. It was something that everyone on the premises had to adhere to. One day, a Director walked in with none of the PPE which was clearly labelled on many of the signs decorating the shop floor. He had incorrectly assumed that because of his position, he could walk around with no PPE whatsoever. Fortunately the shop floor supervisor set him right and sent him to get properly suited up. [15:35] Data Centre security says no – Steve recalls a time when a member of top management went to visit one of their own data centre's, on getting to the gate the security had told him ‘I don't care who you are, your name isn't on the list so you're not getting in.' That person hadn't gone through the process of being approved for entry. Yet, predictably, they sent complaints everywhere, but the head of the UK branch had quite rightly praised the security personnel for simply following protocol. [16:55] Private bank details? Don't mind if I do! – While Steve was auditing physcial security for an office, a printer ended up printing the payroll of every employee at the business. This wasn't in a private room, this was in the middle of the office, so anybody could walk up and see bank account details and salaries! When questioned, it turned out their Finance Director was working from home, and hadn't bothered to contacts anyone to retrieve the documents. So unsurprisingly, they received a non-conformity. [19:55] Do not goad the auditor - A bit of advice from Steve “Never say ‘this is our most secure room' to an auditor” – that is essentially a challenge, and one that you'll likely lose if you don't follow your own processes. Steve put this to the test when someone had claimed only 3 people had access to a certain room. Out of curiosity, Steve used his visitor badge to gain entry, and asked if he was included in that 3. Obviously he wasn't, and this was simply down to access control being a bit muddled at that particular company. [21:25] Mistaken Identity: Steve recalls a time when he was given a visitors badge with a completely different person as the photograph. It had no effect on the correct access rights, but amusing all the same. He shares another story where he shared a waiting room with another Steve. When they called only the first name, the other Steve was taken into that business and questioned on ISO, to which the poor man had to inform them that he had no idea what they were talking about! Shortly after, the correct Steve was collected. But it goes to show how important it is to ensure you're giving access to the right people. [24:20] Battle of the Broomsticks: Ian recalls another time when working in construction, when he had the opportunity to work at a horse racecourse. They were looking to achieve what was OHSAS 18001 at the time (now known as ISO 45001), and it was going so well until a few new hires came running across the stable yard wielding 2 brooms, battling like gladiators in view of their auditor. Thankfully they weren't really harming each other, but it was enough for the auditor to raise a few questions about subcontractor controls. You really couldn't write the timing any better (or worse, I suppose!). [26:15] Clearly a certified forklift driver: While Steve was working at a warehouse, the manager there stressed how well trained all of their forklift drivers were, how sensible they all were. Though, Steve could see a person dancing, speeding and popping wheelies with his forklift over the managers shoulder. After he'd been alerted to the wannbe stunt driver, the manager went to have a word with them. [27:30] Accidents don't happen after 5pm: Ian was working at a company that highly valued the use of PPE on-site, everyone did a good job of abiding by that, until it came to the end of the day. One person leaves across the shop floor in just a normal t-shirt and jeans, waving them all off happily as he leaves for the day. He still had to cross the shop floor, and being off the clock doesn't make you invincible. [29:10] Fire Door Dramas: Steve recalls a time during an ISO 9001 audit where he spotted a fire door had been blocked by pallets in a warehouse. Another time he saw a fire door that was actually chained and padlocked! On another occasion, a local council had put their rubbish bins outside the fire door for the building, and during a fire drill, they couldn't get out. Ian states how many times he's seen signs ignored by drivers who park in front of fire exits. All this to say that a little awareness goes a long way. [31:10] Emergency Plans for the avid reader: During an incident at an NHS hospital where they'd suffered a long term major power outage, Ian and the staff had found that the emergency plans were 144 pages long! With Senior responsibilities hidden away in an Appendix on the last few pages. Well thought out plans are necessary, but the actual procedure needs to be something that can be followed in the event of an emergency. A little common sense should be applied when deciding what needs to be communicated. [34:00] Risk Assessment disaster: While working with a team in a manufacturing plant, Ian helped them to streamline their risk assessment process as their previous one needed too many signatures to actually go anywhere. This bottleneck was resolved with months of hard work, or so they thought… When it came to being audited, the auditor asked the team manager what happened to all of the risk assessments, he'd then pointed towards the Health & Safety Management and claimed they had them all, who had to admit that he didn't. Later that evening a director called the administration and asked to hide all of the documentation, to which she rightly refused to do. This also linked back to when the auditor had asked about how the apprentices were trained, and it happened that the apprentice supervisor was on holiday and so they were just let onto the shop floor. Suffice to say, this didn't reflect well on the resulting audit results. [36:30] Against the wire: Ian states that manufacturing companies are not famous for admin. He had one experience while trying to get a recertification booked in, which went up against the wire for their current certification running out. The CB obliged and sent a very qualified Health & Safety assessor there, who took them to pieces. It didn't take long for him to point out that they had a really nice management system with no commitment from managers to use it. A word to the wise – don't leave your recertification up until the last minute! If a CB tried to move your recertification past that expiry date, you can and should push back. [39:00] Password palavers: Steve shares an experience when he interviewed a very organised PA who managed 7 Directors. At the end of the audit he pointed out a folder on her computer called ‘passwords', to which she obliged to show him the contents. Predictably it contained all the usernames and passwords for various accounts the Directors owned. She knew about the secure passwords policy, but no one could realistically remember that many! When Steve questioned the technical team, they states only selected people needed one, and she wasn't one of them. Steve pointed out that she did, and had done the best she could with the tools available, and gifted them a non-conformity as a result as they hadn't done a good job of ascertaining who should get additional security tools. By the end of that day, the PA had their own password vault. [41:30] A fire extinguisher as useless as a chocolate teapot: In another company Steve had noted that they still had a black fire extinguisher. When asked, the staff replied that they were all up-to-date as of 2007. On checking, it was revealed that it had last been serviced in August 1997 – so no, it was not in fact ‘up-to-date'. It may be innocuous to some, but when it comes to safety equipment, that could be the difference between life and death in an emergency. [42:40] Technophobes in a modern age: Ian recounts a past quality audit he did for an engineering company. They require a lot of specific ISO Standards for that industry, and so the company paid a subscription service to ensure they had digital copies of all these Standards to refer back to. One such standard was on verification, and on asking a particular quality engineer about how he verifies a specific product, he pulls out a printed hard copy of a standard from 1993. Ian was interviewing him in 2017, there had been at least 2 updated versions of the Standard out by that point. When probed about why he wasn't using the online standards library paid for by the company, he simply stated ‘I don't like computers'. [45:00] The case of the mysterious ghost file: Steve once had an audit with a relatively nervous member of staff, after explaining that all he has to do is explin how he works, the interview went rather smoothly. At one point he photocopied a bit of paper, hole punched it and filed it away on a shelf in the corner. Steve initially thought ‘good admin, he's clearly following a process', so when he returned Steve asked why he filed that particular bit of information away, to which the staff member said ‘I don't know, I've just been told to do it'. Steve then questioned the Quality Manager there about that document and they replied with the same. He then questioned the warehouse personnel to get the same answer. So, you have this document being photocopied over and over, filed away each time and no one knows why! Steve politely pointed out that it might be a good idea to rethink that pointless process. [47:50] Useless numbering systems: Ian had a similar experience with a numbering system that nobody knew the origins of. The staff involved simply shrugged it off and stated it was simply just what they used. Ian decided to put something to the test, by getting rid of it. He removed an entire archive system from a company's network folder, as back then file space was a big cost and concern. He kept the files and waited to see if anyone actually needed them. After months, he only had 2 requests for documents. It's important to ask both what is and isn't working well. Getting input from all levels of staff can be eye opening, and empower those employees who can help shape up company processes to work more efficiently. [49:50] Allergic to Audits: Ian shares a secondhand story where a trainer for the HSE was conducting a site visit, where he needed to question the shop supervisor on a few things. He asked him for something he couldn't see, and the guy agreed to go get it, and just never came back. Apparently he was so scared of the auditing process that he just went home! [54:00] Shady police and stolen cars: One of Steve's previous clients had an experience where what they thought was a policeman asked about a hire car the company owned, stating it had been involved in a crime. They didn't think much of letting him take it for his ‘investigation'. Later when the hire company asked about getting their car back, the staff let them know what happened, rightly confused this led to a lot of discussion. As you can probably tell, the man was not a policeman and had made off with a nice shiny BMW simply by asking for it. If something like this happens to you, always ask for documentation from the police. [55:00] The Great Computer Caper: Ian recalls a training centre incident where a lot of computer equipment is stored in one suite. One day a few guys came in and started lifting stuff out, people were holding doors open for them, not at all thinking them to be thieves. Low and behold, they were and took everything. Steve recounts a very similar experience where the thieves posed as a computer service company, stripping the entire office on a Friday afternoon. It wasn't until Monday when everything was still gone that people thought to question who those people really were. Thank you all for a great 2024, we look forward to bringing you more ISO tips and success stories in 2025. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
On average, international events emit over 2,000 tonnes of greenhouse gases, which is the equivalent to what 270 UK citizens emit in a whole year. The events industry has been under scrutiny for a number of years in regard to its sustainability, with many factors such as international and domestic travel and exhibition waste to consider, it's quite a beast to tackle! Back in 2012, to coincide with the London Olympics, a new Standard dedicated to Sustainable Events Management was launched. ISO 20121 provides a robust framework for those seeking to take actionable steps to tackle their sustainability, such as todays' guest FESPA. In this episode Ian is joined by Graeme Richardson-Locke, Head of Associations & Technical Lead at FESPA, to discuss FESPA's journey towards achieving ISO 20121, the challenges faced along the way and benefits felt from certification. You'll learn · Who is Graeme Richardson-Locke? · Who are FESPA? · What was the main driver behind obtaining ISO 20121? · What was the biggest gap identified in the initial Gap Analysis? · What did FESPA learn from the experience of implementing ISO 20121? · What are the main benefits of ISO 20121 certification? Resources · FESPA · FESPA Sustainability Spotlight · Isologyhub In this episode, we talk about: [02:05] Episode Summary – We welcome today's guest, Graeme Richardson-Locke, Head of Associations & Technical Lead at FESPA, to discuss their journey towards achieving the best practice standard for Sustainable Event Management – ISO 20121. [02:40] Who is Graeme?: Graeme has spent 40 years in the print sector, from textiles to graphics to industrial printing. Starting from an apprenticeship in screen printing, which moved onto industrial printing and then finally into digital print. A little known fact about Graeme, he used to live on a goat farm on the Isle of Isla in the inner Hebrides. He speaks fondly of his time in a small community of just over 3,000 people, taking long walks and admiring the rich landscape. [06:00] Who are FESPA? – FESPA is the global Federation of National Specialty Print Trade Association. They work to support visual communication businesses in wide format and production of wide format products, so this includes things like garment decoration, interior décor, signage and industrial products. Their association have members across 37 countries with around 1400 businesses within their membership. They ultimately seek to reinvest their profits for the purpose of inspiring, educating and growing the industry. Their roots can be found in creativity, with some of their founding members coming from a background of screen printing. [09:55] What is the scope of FESPA's ISO 20121 certification? Currently it extends to their major European based exhibition – Global Print Expo, which also includes their European Sign Expo. They thought it best to roll out certification to the Standard against their largest event. Outside of the certification scope (so far) they do run events in Mexico, Brazil, Africa and the Middle East. It would be much too large of an undertaking trying to certify all their events initially, so they started with the European events with a view to expand their scope of certification at a later date. [11:05] What was the main driver for achieving ISO 20121? Their was a clear need for sustainability related materials to be made available to their members. So FESPA started to develop a guide on sustainability certification schemes, a glossary of terms and a calculating carbon guide. As a result, they set-up a feature on their website called Sustainability Spotlight, which highlights new sustainability produced materials coming to market. So it was clearly a topic of focus for their members. They also sought to increase the positive impact they can have within their community, reduce the negative impacts and further develop their overall value. [13:05] The ethical way forward – As an internal advocate, Graeme wanted to put forward a proposal for something that was really meaningful and not just a greenwashing exercise. This is something that seeking certification, which includes third-party verification, can provide. [13:35] How long did it take FESPA to achieve ISO 20121? – FESPA began looking into the Standard back in 2022, but it was mired with other turbulence that needed their focus. The pandemic, the war in Ukraine, supply disruption and inflation, there was a lot happening in a short space of time. They made a start on their journey in the Summer of 2022, but it was slow going as they were still building back from the pandemic. The slow burn picked up speed in 2023, with their certification being secured in May 2024. [15:45] What was the biggest Gap identified during the Gap Analysis? FESPA have a lot of talented members, with a lot of competence, but the experience of creating formalised policies, procedures and a Management System that had to meet the set requirements of the Standard was a learning curve. FESPA didn't have the benefit of other ISO certifications, and this was the first time they were implementing an audited Standard, so the whole process was very eye opening. [16:40] What impact did Implementing ISO 20121 have on FESPA? It provided a new perspective on their business, and has helped to develop a greater awareness of sustainable development opportunities. An example of this includes when they started to really dig deeper into how they build and run events, from stand materials to catering. They found that switching their stand build materials to fiber build materials reduced their carbon footprint by 90%! By simply thinking more carefully about what they were doing, they managed to make a massive carbon reduction, with an appetite to reduce this even further. They worked with a company called Quota to calculate their carbon emissions, as they didn't have that particular expertise in-house. With that massive reduction as a motivator, they are now looking at stand material lifecycle, with a view to use more recycled materials that can be reprocessed. [19:00] An eye opening experience - Completing exercises like a SWOT and PESTLE and rolling out a risk register which is reviewed on a quarterly basis, allows them to really keep an eye on how things are changing and any available opportunities. All of these feed into their objective setting for the next year, establishing a solid path of progression to drive the business forward. [20:10] Keeping up with an ever changing world: FESPA have molded their Management to suit the way they work, which is not linear. Venues change ever year, and it's critical that their management system assist in asking the right questions for new event locations. One of their recent events took place in The Rye in Amsterdam, and they had zero emissions relating to energy because the Rye had their own sustainability related policies and procedures in place. [21:15] The event industry's collective effort: Many venues and other businesses involved in the events sector are large organisations with high energy consumption. Many will already fall under legislative requirements to address and reduce their energy consumption. So, everyone is working in step with each other for the most part. FESPA's own members are showing trends of steering more towards utilising more sustainable materials such as recycled fabrics, as these have less weight, less cost to ship and more opportunity for reprocessing. It's still very much a work in progress, but it's being driven in the right direction. [24:20] Graeme's Top Tip: The power of systematic thinking, Implementing a Management System requires a new way of working. Graeme ran into trouble when first providing auditable evidence, as it was not something FESPA had ever done before. They encountered a minor non-conformance for F gas leakage in their head office air conditioning, and while they could confirm that their provider was F gas certified but they hadn't checked to make sure the certificate was in date. Little examples like this proved that they need a more systematic approach in all aspects of the business to ensure they complied with all relevant regulations, while also providing a solid framework for continual improvement. [26:15] Celebrating ISO Success: Graeme was fortunate to attend a Certificate ceremony, put on by their Certification Body, BSI. The acknowledgement of not only his effort, but others who had been through a similar experience made for a fantastic celebration of FESPA's achievements. [27:20] Graeme's book recommendation: Green Swans, The Coming Boom in Regenerative Capitalism – By John Elkington [29:15] Chris's favourite quote: The biggest threat to this planet is the belief that someone else will save it – Robert Swan If you would like to learn more about FESPA, and their sustainability initiatives, visit their website. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
AI has been integrated into almost every aspect of our lives, from everyday software we use at work, to the algorithms that determine what content is recommended to us at home. While extraordinary in its capabilities, it isn't infallible and will open up everyone to new and emerging risks. Legislation and regulations are finally catching up to the rapid adoption of this technology, such as the EU AI Act and new Best Practice Standards such as ISO 42001. For those looking to integrate AI in a safe and ethical manner, ISO 42001 may be the answer. Today Rachel Churchman, Technical Director at Blackmores, explains what ISO 42001 is, why you should conduct an ISO 42001 Gap analysis and what's involved with taking the first step towards ISO 42001 Implementation. You'll learn · What is ISO 42001? · What are the key principles of ISO 42001? · Why is ISO 42001 Important for companies either using or developing AI? · Why conduct an ISO 42001 Gap Analysis? · What should you be looking at in an ISO 42001 Gap Analysis? Resources · Register for our ISO 42001 Workshop · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Rachel Churchman joins Steph to discuss what ISO 42001 is, it's key principles and the importance of implementing ISO 42001 regardless of if you're developing AI or simply just utilising it. Rachel will also explain the first step towards implementation – an ISO 42001 Gap Analysis. [02:45] Upcoming ISO 42001 Workshop– We have an upcoming ISO 42001 workshop where you can learn how to complete an AI System Impact Assessment, which is a key tool to help you effectively assess the potential risks and benefits of utilising AI. Rachel Churchman, our Technical Director, will be hosting that workshop on the 5th December at 2pm GMT, but places are limited so make sure you register your place sooner rather than later! [03:20] The impact of AI – AI is everywhere, and has largely outpaced any sort of regulation or legislation up until very recently. These are both needed as AI is like any other technology, and will bring it's own risks, which is why a best practice Standard for AI Management has been created. If you'd like a more in-depth breakdown of ISO 42001, check out our previous episodes: 166 & 173 [04:30] A brief summary of ISO 42001 – ISO 42001 is an Internationally recognised Standard for developing an Artificial Intelligence Management System. It provides a comprehensive framework for organisations to establish, implement, maintain, and continually improve how they implement and develop or consume AI in their business. It aims to ensure that AI risks are understood and mitigated and that AI systems are developed or deployed in an ethical, secure, and transparent manner, taking a fully risk-based approach to responsible use of AI. Much like other ISO Standards, it follows the High-Level Structure and therefore can be integrated with existing ISO Management systems as many of the core requirements are very similar in nature. [05:45] Why is ISO 42001 important for companies both developing and using AI? – AI is now becoming commonplace in our world, and has been for some time. A good example is the use or Alexa or Siri - both of these are Large Language AI Models that we all use routinely in our lives. But AI is now being introduced in many technologies that we consume in our working lives - all designed to help make us more efficient and effective. Some examples being: · Microsoft 365 Copilot · GitHub Copilot · Google Workspace · Adobe Photoshop · Search Engines i.e. Google Organisations need to be aware of where they're consuming AI in their business as it may have crept in without them being fully aware. Awareness and governance of AI is crucial for several reasons: For companies using AI they need to ensure they have assessed the potential risks of the AI such as unintended consequences and negative societal impacts, or potential commercial data leakage. They also need to ensure that if they are using AI to support decision making, that they have ensured that decisions made or supported by AI systems are fair and unbiased. It's not all about risk - organisations can also use AI to streamlining processes helping to become more efficient and effective, or it could support innovation in ways previously not considered. For companies developing AI, the standard promotes the ethical development and deployment of AI systems, ensuring they are fair, transparent, and accountable. It provides a structured approach to risk assessment and governance associated with AI, such as bias, data privacy breaches, and security vulnerabilities. And for all, using ISO 42001 as the best practice framework, organisations can ensure that their AI initiatives are aligned with ethical principles, legal requirements, and industry best practices. This will ultimately lead to more trustworthy, reliable, and beneficial AI systems for all. [10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the system, and that includes what should be communicated when and to who. [09:00] What are the key principles outlined in ISO 42001? – · Fairness and Non-Discrimination - ensuring AI systems treat all individuals and groups fairly and without bias. · Transparency and Explainability - Making AI systems understandable and accountable by providing clear explanations of their decision-making processes. · Privacy and Security - Protecting personal data and privacy while ensuring the security of AI systems. · Safety and Security - Prioritising the safety and well-being of individuals and the environment by mitigating potential risks associated with AI systems. · Environmental & Social - Considering the impact of AI on the environment and society, promoting sustainable and responsible practices. · Accountability and Human Oversight - Maintaining human control and responsibility for AI systems, ensuring they operate within ethical and legal boundaries. You'll often hear the term 'Human in the loop'. This is vital to ensure that AI is sanity checked by a human to ensure it hasn't hallucinated or result ‘drifted' in any way. [11:10] Why conduct an ISO 42001 Gap Analysis? What is the main aim? – Any gap analysis is a strategic planning activity to help you understand where you are, where you want to be and how you're going to get there. The ISO 42001 gap analysis will identify gaps and pinpoint areas where your AI practices need to meet the ISO 42001 requirements. It aims to conduct a systematic review of how your organisation uses or develops AI to then assess your current AI management practices against the requirements of the ISO 42001 standard. This analysis will then help you to identify any "gaps" where your current practices do not fully meet the standard's requirements. It also helps organisations to understand 'what good looks like' in terms of responsible use of AI. It will help you to prioritise improvement areas that may require immediate attention, and those that can be addressed in a phased approach. It will help you to understand and mitigate the risks associated with AI. It will also help you to develop a roadmap for compliance to include plans with clear actions identified that can then be project managed through to completion, and as with all ISO standards it will support and enhance AI Governance. [13:15] Does an ISO 42001 gap analysis differ from gap analysis for other standards? – Ultimately, no. The ISO 42001 gap analysis doesn't differ massively from other ISO standard gap analysis, so anyone who already has an ISO Standard and has been through the gap analysis process will be familiar with it. In terms of likeness, ISO 42001 is similar in nature to ISO 27001 in as much as there is a supporting 'Annex' of controls and objectives that need to be considered by the organisation. Therefore the questions being asked will extend beyond the standard High Level Structure format. Now is probably a good time to note that the Standard itself is very informative and includes additional annex guidance information to include · implementation guidance for the specific AI controls, · an Annex for potential AI-related organisational objectives and risk sources, · and an Annex that provides guidance on use of the AI management system across domains and sectors and integration with other management system standards. [14:55] What should people be looking at in an ISO 42001 gap analysis? – The Gap Analysis will include areas such as looking at the 'Context' of your organisation to better understand what it is that you do, or the issues you are facing internally and externally in relation to AI - both now and in the reasonably foreseeable future, and also how you currently engage with AI in your business. This will help to identify your role in terms of AI. It will also look at all the main areas typically captured within any ISO standard to include leadership and governance, policy, roles and responsibilities, AI Risks and your approach to risk assessment and treatment and AI system impact assessments. It also looks at AI objectives, the support resources you have in place to manage requirements, awareness within your business for AI best practice and use, through to KPI's, internal audit, management review and how you manage and track issues through to completion in your business. The AI specific controls look more in-depth at Policies related to AI, your internal organisation in relation to key roles & responsibilities and reporting of concerns, The resources for AI Systems, how you assess the impacts of AI Systems, The AI system lifecycle (AI Development), Data for AI Systems, Information provided to interested parties of AI Systems, and the use of AI Systems and 3rd party and customer relationships. [18:10] Who should be involved in an ISO 42001 Gap analysis? – An ISO 42001 gap analysis looks at AI from a number of different angles to include organisational governance that includes strategic plans, policies and risk management, through to training and awareness of AI for all staff, through to technical knowledge of how and where AI is either used or potentially developed within the organisation. This means that it is likely that there will need to be multiple roles involved over the duration of a gap Analysis. At Blackmores we always provide a Gap Analysis 'Agenda' that clearly defines what will be covered over the duration of the gap analysis, and who typically could be involved in the different sessions. We find this is the best way to help organisations plan the support needed to answer all the questions required. It's also important to treat the gap analysis as a 'drains up' review, to help get the most benefit out of the gap analysis. This will ensure that all gaps are identified so that a plan can then be devised to support the organisation to bridge these gaps, putting them on the path to AI best practice for their business. If you'd find out more about ISO 42001 implementation, register for our upcoming Workshop on the 5th December 2024. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
One of the biggest contributors to a stagnating ISO Management System is a failure to communicate. This has certainly been true in our experience with implementing ISO Standards for over 18 years, and as a result, we make sure to highlight awareness and communication as an integral step of the Implementation process. It's a wasted effort only to have your management system gathering dust in a rarely visited folder on your server. If you want to reap the benefits of ISO implementation, it's in your best interest to make everyone aware of their role in relation to your management system and its continual improvement. Today Ian Battersby explains what ISO Standards mean by awareness and communication, why they are so integral to a successful management system and how you can effectively communicate your management system. You'll learn · What does awareness and communication mean in relation to ISO Standards? · Why should you communicate your management system? · The benefits of management system awareness · How can you effectively communicate your ISO management system? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian Battersby will be explaining what ISO Standards mean by awareness and communication, and why they are so integral to a successful Management System. [02:30] What is awareness and communication so important?– The success and failure of a management system depends on it's existence being known and understood within an organisation. Staff have a key part to play, and they need to know their part in the Management System and how it aligns with the organisations direction. [03:20] Extra guidance available for awareness and communication – There is a Standard that accompanies ISO 9001, called ISO 9004:2018 – Quality of an Organisation: Guidance to achieve sustained success. This is a great companion to any Standard, as it provides general guidance on how to properly embed a management system within your business. It talks at length about people and the need to ensure that they are competent, engaged, empowered and motivated. These are crucial as: Engagement of people enhances the organisations ability to create value for interested parties. Empowerment motivates people to take responsibility for their work and the results of their work. These can be achieved by providing people with necessary information with authority and the freedom to make decisions related to their own work. People should understand the significance and importance of their role, specifically in creating that value to meet and exceed customer expectations. [05:30] What should be communicating according to ISO Standards? – Taking ISO 9001 as the example, because it is the basis for most ISO Standards, it has a specifies the following: 5.2.2 Quality Policy - The policy should be available and maintained as documented information, so must be issued somewhere so that people can see it. But it also, quite importantly, must be communicated, understood and deployed within the organisation. It also needs to be made available to other relevant and trusted parties. 5.3 Organisational roles, responsibilities and authorities - Top management have a responsibility here. They must ensure that responsibilities and authorities for relevant rules are assigned, communicated and understood within the organisation. There's a lot to consider here as this will also take into account for ensuring processes are delivering expected outputs, the reporting of system performance and improvement and the promotion of customer focus throughout the organisation. 6.2 Objectives - The organisation should establish objectives. These will be targeted at relevant functions, levels and processes and should be communicated to the relevant people affected by those objectives. 7.3 Awareness – Includes the specification that anyone working under the organisations control, so this could include indirect workers, must be aware of your quality policy. Also included is the awareness of objectives and staff's contribution to the effectiveness of the management system. People aslo have to be aware of the implications of not conforming to the requirements of the management system or standard. [09:30] The implications of not following requirements – You need to consider what happens if someone doesn't follow a process. For Standards such as ISO 45001 Health & Safety management, following processes could be a matter of someone getting hurt or breaking the law. [10:00] Clause 7.4 Communication – The organisation shall determine the internal and external communications relevant to the system, and that includes what should be communicated when and to who. [10:30] When should you deliver ISO Management System awareness and communication training? – If you're just starting out on your ISO Implementation journey, it's crucial to communicate at the outset the importance of the process of achieving certification. The level of awareness will vary depending on people's roles, i.e: Top Management: Top management must understand the role of the management system in relation to the strategic direction of the organisation as part of context, they must understand what the management system contributes to the overall business outcomes. While top management don't need to know standards inside out, they must be aware and must have understanding of the overall purpose of the standard and the benefits that standard will bring to the organisation. To gauge the level of awareness top management need, ask yourself, would you be happy to let them be interviewed in private by a third-party assessor in regards to all of their responsibilities in relation to the management system? [13:20] General awareness for the workforce– While leadership require a greater level of awareness, there is still a need for general staff to have a certain level of management system awareness. For those on their first implementation journey, you should bring people in from the very beginning, this includes all staff and those working indirectly under your organisation. You will want to make them aware of the following: What is a quality management system? – Define what it is and what it means What's important about the Standard? – People don't need to know the intricacies of standard subclauses, so just select important aspects such as the Plan Do Check Act (PDCA) cycle If you're integrating Standards, what are some common requirements? – If you're integrating a new standard, what requirements specific to that new standard need to communicated? [15:15] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [17:20] General awareness for the workforce continued – You will also need to make sure people are aware of: What do they need to know in relation to certification? – This can include the date you're working towards, what might be expected of them during an ISO assessment, what does the certification actually mean for the business? Accessing the Management system – How can people find your management system? What documents does it hold? How do you use it? And how does this impact on staff's day to day activities? Staff's role in relation to the Management system – How do staff contribute to the management system on a daily basis? How do they contribute to business objectives? How does the management system benefit them? – Your management system will include tools and guidance on how to carry out certain activities. It explains how improvements can be suggested and made and how audits work. Ultimately it provides a structured approach to ensure everyone is singing from the same song sheet. The importance of complying with policies, processes and procedures – including the consequences of not complying with them. Raising issues relating to non-conformity, the effectiveness of the management system and any potential improvements – You can't have eyes everywhere, and the people working in alignment with your processes can better highlight where something may not be working. This also increases engagement as people will have a real impact on how your business operates. [20:15] Specific standard considerations for communication – The focus of elements of your communication will be tied to the specific ISO Standard you're implementing. I.e. A Health & Safety management system will include communication of key risks and hazards, how to report safety issues and abiding by Health & Safety law Environmental management systems may include awareness of the need to protect the world we live in, how each person can help lessen their impact on an individual scale ect. [21:00] Other key roles and related communication – There are other key roles within the organisation which will have specific communication requirements. These will be people like operational functional managers with key roles in processes they may be involved in, i.e. sales, design, purchasing, calibration ect. If they've got specific functions in the organisation with respect to the management system, they need to understand them as much as top management needs to know theirs and the general workforce need to know theirs. [21:50] Communicating key changes to the Management system – You need to continually communicate to the workforce when changes occur to the management system. That communication doesn't stop as soon as you're certified! For first time implementation, you'll want to communicate when you've achieved certification. [22:30] The importance of communication within a Management System – If people are aware of their role and importance to a management system, they will be more engaged with its operation. This can include reporting on objectives progress during team briefs, raising potential issues and non-conformities or opportunities for improvement, highlighting customer complaints, monitoring number of incidents at work ect All of these contribute to the success of the business and need to be reported on continually. These can turn into lessons learned, which could lead to major system changes where documentation or processes need to be updated and communicated. [24:30] What's the best way to communicate your ISO management system? – Not all organisations are the same, so there is no right or wrong way to do so. A few suggestions include: · SharePoint · Teams Channel · E-mail / internal newsletters · Bulletins · In-person training · Videos For any of the above you may need to consider how to record who has completed set awareness training. [25:30] A final thought – If an auditor stops and asks a worker about your quality policy, what will that person say to that auditor? We understand that the quality policy must be communicated, but how does each person understand it? Your awareness raising needs to capture methods of ensuring that that happens, which is a tricky task! They do not need to know a Standard verbatim, but they should know the importance of complying with it, what a non-conformity within that system means, and what are the consequences are if they don't follow the rules. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
A crucial part of Implementing any ISO Standard is addressing your risks and opportunities. This is a key part of Clause 4 Context of the organisation, which expresses and explicit need to review and assess what internal and external factors could help and hinder in achieving your business goals. While ISO Standards don't define a definitive method of doing so, many have adopted the practice of carrying out a SWOT and PESTLE analysis. Today Ian Battersby explains what a SWOT and PESTLE analysis is, the key questions you should be asking and the importance of continually reviewing and updating the results as your management system matures. You'll learn · What is a SWOT analysis? · What is a PESTLE analysis? · Examples of questions you should be asking during a SWOT and PESTLE · How often should a SWOT and PESTLE be conducted? · Examples of SWOT and PESTLE in practice Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian Battersby will be explaining what a SWOT and PESTLE exercise is, it's role in fufilling key requirements in Clause 4 of any ISO Standard, and the key questions you should be asking during the exercise. [02:30] What is a SWOT and PESTLE analysis? – This is one is the tools you can use to look at various factors that affect your organisation. SWOT standards for: · Strengths · Weaknesses · Opportunities · Threats PESTLE standards for: · Political · Economical · Social · Technological · Legal · Environmental And in recent years, people have added ethical into PESTLE too. Whether that's on its own or integrated within the other elements is up to the organisation and how they want to run the exercise. Both analysis are fundamental in helping organisations understand the benefits and pitfalls of a project, management system implementation included. [05:05] Where in the Standard is there a need for a SWOT and PESTLE? – Clause 4 in all ISO Standards is known as ‘Context of the organisation', which you need to establish early on in order to set the foundations for building your management system. Context is the world in which an organisation works, it is the considerations of the internal and external factors that affect what you do. SWOT and PESTLE, while not specifically referenced in the Standard, is a highly recommended tool as it directly assesses multiple internal and external factors and can fulfil the requirements of any ISO Standard. [06:20] Addressing Context of the Organisation – Clause 4, Context of the organisation states: “The organisation shall determine external and internal issues that are relevant to its purpose and its strategic direction, and that affects its ability to achieve the intended results of its management system. The organisation shall monitor and review information about these external issues.” There are also 3 additional notes: #1: Issues can include positive and negative factors or conditions #2: Understanding the external context can be facilitated by considering issues arriving from legal, technological, competitive, market, cultural, ect 3#: Understanding the internal context can be facilitated by considering Issues related to values, culture, knowledge and performance of the organisation. So, there's a lot to consider! [08:10] How SWOT and PESTLE address Context of the Organisation – Taking a look at SWOT, strengths and weaknesses would refer to factors internal to your organisation, while the opportunities and threats would be external. Depending on the focus of your management system, you may also want to complete this exercise through a certain lens. That could be information security, health & safety or environmental. The Standard requires you to align your management system with the strategic direction of the organisation, so even if you are viewing this exercise through a certain lens, don't do so in complete isolation. [09:55] How to conduct a SWOT and PESTLE – The people involved in completing this exercise are important, not just the questions you ask. Senior management should be included as they will have key insight to the strategic direction of the business. You should also include operational managers or other functional managers as they will have more context for how things actually work in practice. The point of a SWOT and PESTLE is to ascertain where you stand in terms of your risks and opportunities, and issues relating to resources, people, information, process, technology, equipment, laws, markets, environment, finance, economy ect from both an internal and external lens. This will give you a solid foundation to build your management system on, which will ultimately help you achieve your intended outcomes and lead to a cycle of continual improvement. [11:55] Considerations for Strengths – Strengths is an internal factor. Questions you could ask include: · What do we control through good processes? · What are we known for? · What does our marketplace and competitors say about us? · What are we good at? · What assets do we have? · What resources and knowledge do we have readily available? · What's the strength in our products and in the processes for delivering those products and the people that run those processes and deliver those products, their skills, their knowledge, their strengths, their weaknesses and their expertise? · What areas in our organisation are already at a high standard and don't necessarily need improvement? · Do we have objectives and targets that we measure against, i.e. KPIs, metrics, success factors and service level agreements, that demonstrate we're good? [13:10] Considerations for Weaknesses – Weakness is another internal factor, one that you have to be brutally honest conducting. Questions you could ask include: · What could you improve? · Where is money being spent poorly, or being lost? · What do your competitors do better than you? · What resources / knowledge / people / expertise do you lack? · What processes do you lack? · Where can your products or services be improved? · What are the constraints on your ability to meet changes in market need or demand? · What does your customer feedback look like? · Do your suppliers meet your requirements or the requirements of your clients? [14:45] Considerations for Opportunities – Opportunities are considered an external factor. Questions you could ask include: · What new opportunities are available in your market? · What data do you have available on market trends, and how can you leverage that? · How changes in compliance requirements in your specific industry or your locality might provide you with opportunity to gain an edge? · What are past identified opportunities that we've not acted on? · What is the competition not taking advantage of that you could? · How can you increase customer satisfaction based on both positive and negative feedback received? [16:00] Considerations for Threats – Threats are also considered an external factor, they are obstacles for you achieving your goals. Questions you could ask include: · What new environmental effects may affect you? Note: there is a new climate change amendment added to many commonly adopted ISO Standards, so this is something you will need to address. · What competitors are a threat to you? · Are other competitors taking advantage of markets that you have not accessed? · Why might competitors be getting ahead? · Are the habits of customers changing, and if so, how? · Are there other interested parties other than customers who present obstacles to you? · Are there any foreseeable resource issues? i.e. loss of experienced staff, lack of relevant talent in the pool of available people ect · Are you adapting to changes in the world? [16:00] PESTLE: Addressing political factors – When you're looking at political factors affecting your intended outcomes, consider the following: · What is happening politically in your environment? - That could be international or local on scale · What is the impact of policy or tax? · What is the impacts of employment trends / trade restrictions / tariffs? · What is the impact of unemployment rates on your organisation? · What is the impact of workforce shortages that may affect you? · Is there any form of Government intervention in your specific market? · Would this government intervention be considered an opportunity or threat? i.e. offering grants [19:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [21:25] PESTLE: Addressing economic factors – When you're looking at economic factors affecting your intended outcomes, consider the following: · What is the impact of interest rates / exchange rates / inflation? · What is economic policy doing to you and your industry and your clients? · What are the impacts on wage rates / minimum wage changes /affordable living cost of living? [21:50] PESTLE: Addressing social factors – When you're looking at social factors affecting your intended outcomes, consider the following: · What's the impact of changes in the cultural landscape? · What's the impact of the expectation of people? · What's the impact on working people's lives and what their expectations are for working life in general? i.e. working hours and career aspirations · What is the and the emphasis on ethics, safety, Environmental Protection and data privacy for your clients / workforce / suppliers? [22:50] PESTLE: Addressing technology factors – When you're looking at technological factors affecting your intended outcomes, consider the following: · What is happening technology wise which impacts on what you do? · How does this affect the equipment you use? i.e. automation, the age of your equipment ect · What's the impact of emerging technology? · How you decide on the costs and benefits of investing in new technology? · How do you use your website / blogs / social media to interact with your marketplace? · Have you got intellectual property you need to protect? i.e copyright pins that need consideration. [23:40] PESTLE: Addressing legal factors – When you're looking at legal factors affecting your intended outcomes, consider the following: · How does the law affect how you do business? i.e company law, health & safety law, HR law, trade law? · What changes in legislation have occurred recently that you need to have considered? · How do you horizon scan for changes in legislation that affect you in your market? · What's the impact on employment on imports, exports, labour departments? · Have you considered other compliance obligations, such as certification to certain standards? [24:50] PESTLE: Addressing environmental factors – When you're looking at environmental factors affecting your intended outcomes, consider the following: · How do environmental aspects impact you, and how does the way you operate affect the environment? This includes consideration for air, water, land, natural resources, flora, fauna. · How do changes in the energy and utilities markets affect you? · How does your organisation fit in with any carbon reduction targets that your Government may have in place? · Are you required to create a carbon reduction plan? · Do you need to comply with certain environmental reporting requirements? i.e. here in the UK we have schemes like ESOS and SECR [24:50] PESTLE: Addressing ethical factors – This one is optional, but many are choosing to include it as part of their PESTLE now. When you're looking at ethical factors affecting your intended outcomes, consider the following: · How do you stay on the right side of the law with respect to the use of money? · Have you considered human rights / labour / children in the workforce / slavery / health & safety and well-being of local populations? · What charitable contributions do you make as an organisation? [27:15] Assigning significance – The next part of a SWOT and PESTLE requires you to assign significance to the various factors affecting your organisation. So, make sure you document every factor and how those factors affect your ability to achieve what you intend. Ensure that this all remains in alignment with the strategic direction of the business, as ultimately, you want your Management System to help drive those goals forward. [30:25] Frequency of a SWOT and PESTLE: This isn't just a one-off exercise. You should be continually monitoring these internal and external factors, and only updating the exercise during a management review meeting will do you a disservice. This is an ever-changing world, it's the one in which you operate, and you need to ensure you're keeping up with it. You could look at various factors in monthly or even weekly meeting with the appropriate parties, and see if circumstances have changed. [31:25] Examples of why you should continually update your SWOT and PESTLE: Ian recounts an experience he had with a client where they had failed to disclose where they had switched to a digital system for competence related documentation, but it had not met their needs and so they needed to return to manual documentation. This switch made finding the required documentation for internal audits difficult. None of this was recorded in their SWOT and PESTLE. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Business travel remains one of our largest sources of greenhouse emissions, accounting for 26% of the UK's total emissions. In an ideal world, no one would have to travel to work or events, some might even point to the way everyone adapted in COVID as a prime example of this in practice. However, for many that model of work is not feasible in the long-term. So, how can we reduce this unavoidable stream of emissions? Businesses are starting to take the right steps, however, today's guest is paving the way as a shining example of sustainable business travel and events management. In this episode, Mel is joined by Christopher Truss, Global Sustainability Director at Reed & Mackay, to discuss their impressive existing ISO Standard portfolio and their journey towards ISO 14064 carbon verification. You'll learn · Who is Chris Truss? · Who are Reed & Mackay? · What are the highlights from Reed & Mackay's latest Sustainability and Responsible Business report? · What Standards are Reed & Mackay certified to? · What is the demand for sustainability within the business travel and events management sector? · Why get ISO 14064 verified? · What were the challenges with obtaining ISO 14064 verification? · What are the benefits of obtaining ISO 14064 Verification? Resources · Reed & Mackay · Reed & Mackay Sustainable and Responsible Business Report 2024 · Carbonology In this episode, we talk about: [02:05] Episode Summary – We welcome today's guest, Chris Truss, Global Sustainability Director at Reed & Mackay, to explore their ISO Standards portfolio and journey towards ISO 14064 verification. [02:40] Who is Chris?: Chris has had over 20 years experience in the business travel industry. He is currently responsible for driving the sustainability agenda at Reed & Mackay, which includes the development of services and solutions that their clients require to meet their own sustainability initiatives. He also manages a wide range of third-party suppliers. A lesser know fact about Chris is in a band, playing the folk fiddle and singing in pubs around Yorkshire. He also plays tennis in the over 45 category for Yorkshire! [04:50] Who are Reed & Mackay? – Reed & Mackay are a global travel management and event management business. They help clients all the way from picking up the telephone and making bookings on their behalf, helping them source appropriate venues for their events and then managing the overall spend, the supply chain and ultimately reporting back to them on what they've been up to and how they can improve their processes and save money. Reed & Mackay are highly regarded for their quality of services, especially within the professional services sector, and they proudly boast a number of large blue chip clients. [05:50] What are some of the highlights in Reed & Mackay's Sustainability and Responsible Business Report? When Chris came into his latest role, he looked to tackle two main points: · How can Reed & Mackay operate sustainably? · How can we articulate that to our clients? As a result of the work Chris has done, Reed & Mackay have signed up to the United Nations Global Compact and have aligned themselves with the UN's Sustainable Development Goals. They have also become an EcoVadis rated supplier and are undertaking their first Carbon Reduction Plan disclosure. From a corporate responsibility point of view, they have made great strides to improve their gender pay gap. They are also ensuring the integrity of their charitable partnerships. [08:00] What are some of the sustainability initiatives that Reed & Mackay have started? Reed & Mackay support a charity called 4Ocean, who are trying to remove as much plastic from our oceans as possible. They selected this charity in particular due to it's global reach, embodying the nature of Reed & Mackay's global influence in 13 countries for the past 10 years. They recognised the need to support a sustainability based charity as corporate travel is highly polluting, so this is a form of taking responsibility and looking at where they can assist to reduce environmental damage. 4Oceans also allows their employees to get involved directly, should they choose to take some time out of the office to help with ocean clean-up. [09:55] What ISO Standards are Reed & Mackay certified to? They are currently certified to: · ISO 27001 Information Security · ISO 14001 Environmental Management · ISO 22301 Business Continuity · ISO 9001 Quality Management All of which they have been certified to for over 10 years now! They acted as a foundation for Chris to drive his sustainability agenda. [11:10] How are these ISO Standards managed across the business? – Reed & Mackay have a dedicated Security and Trust team that manage all ISO certifications, in addition to their other responsibilities. All of the ISO Standards are a part of their Integrated Management System, which sits alongside their policies and procedures for the business that are managed by a central team. This has provided them with an invaluable foundation to ensure the delivery of quality services, client satisfaction and continual improvement. [12:45] What is the demand for sustainability within the business travel sector? They are receiving more requirements and requests from clients in regard to their own operational CO2 footprint, which is needed for clients own reporting requirements as Reed & Mackay would count towards many clients Scope 3 emissions. There is also a need for more transparency with carbon reporting, including the use of credible calculation methodology's. The verification of GHG emissions also gives clients more confidence that businesses are doing what they say they're doing. [14:15] What was the main driver behind Reed & Mackay gaining ISO 14064 verification?: While they felt confident in their sustainability efforts up to a certain point, they wanted someone to come in and mark their homework to make sure they were doing the right thing. With the increase in client demand for credible sustainability reporting, it was vital to pursue various CPD disclosures such as EcoVadis and prepare for upcoming legislation like CSRD. To ensure they were in the best possible shape to give the information requested by clients and other stakeholders, they needed am accurate and reliable method of verification, which is what ISO 14064 could provide. [15:40] What were the main challenges in obtaining ISO 14064 verification?: Just getting a hold of the raw data was the most difficult part, although they found it to be a very enlightening experience too. Having to dig to find the right information helped Chris to understand the business better, giving him a greater visibility on where their carbon emissions are coming from and where there are opportunities to reduce those. You have to be very tenacious to get all the necessary data. Chris highlights purchased goods and services data as particularly challenging to obtain due to its granular nature. Now they have been through this process once, they've got a system in place to make data collection a lot easier in future. [18:55] What impact has ISO 14064 verification had on Reed & Mackay?: It's helped from an internal perspective as people now have a greater visibility and understanding of the impact that have on an individual basis. This in turn creates a strong launchpad for their Net Zero strategy. From an external perspective, it's given Reed & Mackay a lot more confidence in their own processes and their ability to work with their clients towards sustainability goals. [20:00] What were the main benefits of getting ISO 14064 verified?: Giving clients, stakeholder and employees confidence: The verification calculation is reliable, and so they can be confident in relaying the facts and figures to interested parties. A great insight: The data has provided huge insights into how the business operates and where it's biggest emissions sources lie. This is vital to know before you take steps to try and reduce your current impact. Ability to create an accurate Carbon Reduction Plan: Once again, with confidence in having the correct data to hand, they are able to formulate an accurate Carbon Reduction Plan which can be realistically achieved. Anti Green-washing: Consumers are crying out for a reliable sign of credibility. Simply having an environmental policy statement may have been enough 10 years ago, but that's not the case now. People expect evidence of your sustainability claims. [21:50] Chris's top tip for anyone considering ISO 14064 verification: Just get started and don't be scared by the process. Though it may seem daunting to start, you will actually be in a much better position than when you started. Having verified data and awareness of where that data comes from and what it means on a larger scale will be vital to looking for opportunities for improvement. So, if you want to improve your sustainability, you just need to get cracking! [23:20] How are Reed & Mackay helping organisations improve the sustainability of their travel?: Reed & Mackay's ambition is to make sure that clients understand the impact of their choices at every single step of their journey. To help, they provide the carbon footprint of every booking they make, whether that be through their site or with a consultant. They also have approval processes built into their systems, which can be based on carbon. For example, if a client doesn't want to take the lowest carbon option on a particular journey, they can add required approval from an additional person within that client's organisation. So it adds a level of accountability over the choices people make. They also provide full reporting on business travel activity and where potential savings have been missed. This is a valuable tool if they need to provide travel data to carbon consultants for example, they'll already have all of those granular reports prepared. These reports will highlight where clients haven't taken the lowest carbon option, i.e. where they could travel in a group instead of individually. Reed & Mackay's intention is to make sure people have visibility of carbon alongside cost so clients can make a fair and balanced decision. Additional services include: · Able to set carbon budgets across a business · Ability to purchase carbon credits for offsetting purposes · Opportunities to mitigate carbon emissions through offsetting, or decarbonise through Carbon Reduction Plans over a period of time [28:50] Chris's book recommendation: His Dark Materials by Philip Pullman [29:15] Chris's favourite quote: You can't measure success if you have never failed – Steffi Graf If you would like to learn more about Reed & Mackay, and their sustainability initiatives, visit their website. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Purchasing goods and services is a necessity for any business, whether that's simply stocking up on office supplies, or looking for someone to manage your IT environment. Procurement has a key role to play in keeping things running smoothly, along with facilitating the core values of businesses as priorities change, such as a commitment to ESG compliance. In this episode, Ian is joined by Philip Ideson, Founder & Managing Director of Art of Procurement, to discuss procurement's role in ESG compliance, the challenges procurement faces with ESG, and learn about their mission to 10X the impact of procurement. You'll learn · Who is Philip Ideson and the Art of Procurement? · What are the current trends in procurement? · What is procurement's role in relation to ESG? · How do ESG deliverables fit in with the other results procurement is expected to deliver? · What are the greatest challenges procurement currently faces with ESG? · What is Art of Procurement's mission to 10X the impact of procurement? · What are the 6 principles of this mission? Resources · Art of Procurement · Art of Procurement Podcast · The Art of Procurement philosophy · ESG Compliance In this episode, we talk about: [00:25] Episode Summary – We welcome today's guest, Philip Ideson, Founder and Managing Director of the Art of Procurement, to discuss the role procurement has in ESG compliance. Additionally we will dive into Philip's mission to increase the impact of procurement. [03:00] Who is Philip?: Philip has been in the procurement space for almost 25 years now! He started at Ford Motor company, in direct Procurement where he was purchasing parts for car manufacture. He later moved into indirect Procurement, which is essentially everything you need to operate on a day-to-day basis i.e. office supplies, childcare facilities ect. Philip has worked in the UK, Europe, India and has been based in the US for the past 19 years. To get a perspective on the other side, he joined a Service Provider who provided outsourced procurement, that company later got bought out by Accenture, which was when Philip decided to go out on his own and started ‘Art of Procurement. His podcast has been running for 9 years, and has the aim to share inspiring stories of companies who think differently about procurement. [06:05] Hard Truth: Inside the Football Industry Podcast – Philip also co-hosts another podcast in his spare time, which was awarded the EFL podcast of the year in 2023! Hard Truth delves into the behind the scenes aspects of football, co-hosted by the owner and Chairman of Peterborough United, it also gives an owner perspective of the football season. [07:05] What are some of the top trends and priorities in procurement currently? Digitisation: Procurement was an area where technological change happened relatively slowly, at least up until around 5 years ago there weren't many tech solutions built specifically for procurement. However, a lot of money has been poured into the space, so now there's the challenge of ‘How can we digitise?' The problem with a lot of technology solutions is that they often become obsolete quickly, and with the rise of AI it's trickly to keep up, let alone get ahead. [08:10] What is something about procurement that might surprise people who don't work in the field? Procurement gets a bad rep for trying to save every last penny at the cost of bullying suppliers. However, they are a lot more passionate around the role that suppliers can play in the growth of a business. It's all about marrying together the capabilities of supply chains with the needs of a business, rather than trying to squeeze every last penny's worth out of suppliers. [09:15] Procurement put into a box: In a lot of businesses, procurement kind of professionalised the profession based on an ROI which was tied to cost savings, because procurement sold that value proposition to get the investment, it means that that's the only thing businesses think they can do. Procurement gets put in this box within a business of when I need to save money, you know break the glass, bring out procurement and they can do that. Where you actually get a much better result by working more collaboratively with your procurement team. There's a lot more tied to business objectives than with procurement objectives, instead of focusing on what procurement can do to save you money, look at what other objectives they can help you achieve. [10:35] What is procurement's role with regard to ESG? – Philip was involved in a research study that was done by The Economist, where they surveyed approximately 2300 C-Suite executives, procurement and non-procurement individuals. It was revealed that ESG was the number 2 priority right now, specifically where sustainability was concerned. Modern slavery is also becoming more of a concern. [12:00] A fad or long term change? Priorities like this for any business are subject to the politics of the day. They are important now as that's where a lot of focus in from many different sources, but they are likely temporary and will be dependent on geographical location and available investment. However, the impact of emissions reporting as a result of ESG will have a longer term affect as scope 3 emissions include supply chains. More businesses will be expecting their supply chains to meet their emissions reporting requirements going forward. [13:20] How long has procurement been doing ESG/CSR type work?: Back 14 years ago, when they had to report back on supplier diversity spend, they had very little data. It involved a lot of extrapolating data so that you have something to report back with. More accurate data reporting has picked up in the last 6 years, and is more on an organisation by organisation basis. The key driver for procurement involvement in any aspect of sustainability is due to regulatory requirements. [15:00] Innovation for a better future: The digitisation and other technological advancements will allow for better ESG support, with more accurate data and reporting capabilities. Back in the day, it may have been a case of sampling some 100 suppliers out of a pool of 10,000 listed on a simple spreadsheet, and then googling them to see which ones would be considered diverse suppliers. It short, it used to involve a lot of manual data gathering, which is rapidly getting replaced by new tech tools. [26:20] What are the greatest challenges procurement currently faces with ESG? One of the challenges is internal. When ESG is brought to the table, decisions have to be made about selecting suppliers who would align with their ESG requirements, which is a decision that is ultimately made by the budget holder. Procurement can do everything they can to mitigate any additional cost, but they do not decide who spends the money with who. A lot of the role procurement can play in supporting ESG is dependent on the organisational focus on those initiatives and how well everything is communicated to all involved. [17:20] Looking to the future of procurement: Procurement was once seen as a cost management function, now professionals like Philip are looking at how they can demonstrate the additional value they can bring to an organisation, including supporting ESG compliance. Procurement has shifted more towards risk management, with a greater focus on risk factors such as cost and sustainability. There's still a lot of uncertainty around what the next 10 years will look like. Philip predicts that procurement will become a smaller, yet more impactful area than it is today. The operating model will likely shift to a more service-based approach with a more nuanced approach to supporting businesses. Philip can see a world where sustainability and supply chains merge as third-party suppliers will have an increased effect on an organisations ability to meet its sustainability goals. [20:30] What is Art of Procurements' mission to 10X the impact of procurement?: Philip aims to change the mindset of procurement leaders, and get them to think outside of the box. Procurement can have a significant impact on organisations, in the form of additional support like ESG, but also because they have a much wider field of view regarding potential suppliers. It's about going back to basics, asking: · What is procurement? · How should it operate? · How can procurement best support businesses? Their mission aims to rethink how procurement works, and refining how to best work with organisations to achieve their goals. [22:25] What are the principles of this mission?: Philip highlights a few that he's passionate about, including: Focus on driving business outcomes: How can procurement build their capabilities around what the business truly needs? There can be conflict between an organisation and its procurement, whether that be with stakeholders or selecting suppliers. So, it's about finding a balance between doing what can be done to further an organisations goals while also saving them money. Procurement facilitating differentiated decision making: Procurement can offer some crucial insight into potential suppliers for organisations, but they can only do so if they have the correct data to help make those decisions. When it comes to measurable data, like many aspects of how sustainable a supplier may be, this is where procurement can help businesses make smarter decisions. Overseeing not managing spend: Procurement should not necessarily have complete control over the spend of an organisations, but using technology they should be able to understand what is being spent and with who. It's keeping an eye on potential risk factors with suppliers and helping organisations decide who to continue to work with. [28:00] How are the Art of Procurement philosophically different? They see procurement as a journey, where many organisations are on a different part of the maturity curve and may need help bridging those gaps to keep moving forward. Art of Procurement seek to accelerate that speed of maturity by working smarter with new technology, and in alignment with an organisations goals. Procurement is facing a battle currently, where if they don't adapt, they run the risk of losing out to purely AI driven tools. This is of course, not a concern unique to the world of procurement, it's actively affecting HR, IT support and the creative industry in a huge way. [30:40] Connect over common goals: Procurement professionals often want to be more collaborative than people may think. Don't be afraid to reach out to your procurement team to see what common goals you can try to achieve. They are there to work with you, not against you. [32:45] Procurement and ISO: Philip has seen a lot of instances where an internal audit finding will lead to procurement success. In some cases, this may be from an identification of a need for investment in procurement, it's seen as necessary tool for the organisation and so they approach it with that mindset in mind. Internal Audits, a staple in the world of ISO, offer the opportunity to highlight where improvements can be made. They also compile credible evidence to put a case forward to relevant individuals, who may have not listened to previous grievances. If you would like to learn more about the Art of Procurement, check out their podcast available on their website. If you'd like to hear more from Philip, he also co-hosts the hard truth - inside the Football Industry podcast. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Sustainability is an area that affects all businesses, no matter the sector. We are all currently contributing to the climate crisis, from travel and hospitality to manufacturing to those working in an office or from home. You may be surprised to hear that the legal sector is currently one of the leaders in championing sustainability, not just in enforcing new environmental legislation, but also leading by example in the race to net zero. One such stand out leader is today's guest – Clyde & Co, a global law firm that have made great strides in their sustainability journey. In this episode, Mel is joined by Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to discuss their ambitious net zero targets, sustainability initiatives and their journey towards ISO 14064 Carbon Verification. You'll learn What is Paddy Linighan's role as CSO? Who are Clyde & Co? What are their net zero targets according to their responsible Business report? What sustainability initiatives have Clyde & Co introduced? Why get ISO 14064 verified? What were the challenges with obtaining ISO 14064 verification? What are the benefits of obtaining ISO 14064 Verification? Resources Clyde & Co Clyde & Co Responsible Business report Carbonology In this episode, we talk about: [00:25] Episode Summary – We welcome today's guest, Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to dive into their responsible business report, discuss their net zero ambitions and journey towards ISO 14064 Carbon Verification. [01:40] Introduction to Paddy: Paddy has 30 years experience in the legal sector, and was formerly the Chief Operating Officer for Clyde & Co before transitioning to the role of Chief Sustainability Officer. Paddy is also a Director at the Legal Sustainability Alliance, which is an association committed to supporting the legal sector to measure and manage their carbon emissions to achieve net zero. One lesser-known fact is that Paddy was a Latin and ballroom dancer! [02:30] Who are Clyde & Co? – They are a global law firm with 500 partners, 2700 lawyers and 3216 legal professionals across the world and operating out of 70 offices. They set out to help organisations successfully navigate risk and maximise the opportunity in the sectors that underpin global trade, namely insurance, aviation, marine construction, energy, trade and natural resources. They offer a comprehensive range of contentious and non-contentious legal services and commercially minded legal advice to businesses operating across the world in seamless fashion. Clyde & Co are committed to operating in a responsible way by progressing a diverse and inclusive workforce that reflects the communities and the clients it serves, and provides an environment in which hopefully everyone can realise their potential. They use their legal and professional skills to support communities through pro bono work, volunteering charitable partnerships, and minimisation of environmental impact through the pursuit of sustainability standards. [04:25] What are some of the Net Zero targets highlighted in Clyde & Co's responsible business report? Near term target: Reduce their scope 1 and scope 2 emissions by 80% by 2030 and scope 3 emissions by 50% by 2030. Long term target: Have a 90% reduction in emissions by 2038 Focused on decarbonizing their operations across the globe. [06:25] What are some of the sustainability initiatives that Clyde & Co have started? All their initiatives can be broadly groups into 3 categories, but ultimately they seek to decarbonize their operations, address resource consumption and offset emissions where possible. They found that 95% of their emissions reside in their scope 3, which is due to their supply chain. A few of their initiatives include rationalizing their supply chain to reduce the impact of purchasing goods and services. They are also supporting their supply chain to measure and reduce their own emissions. Clyde & Co have also incorporated their sustainability requirements into their Procurement Process and Due Diligence Process. One challenging area for a professional services business like Clydo & Co is sustainable business travel. They have adopted a global note on sustainable travel, which trickles down into regional travel policies. Working with travel management companies, they will implement those new policies, in addition to improving the quality of travel data collection and prioritisation of sustainability over cost. Clyde & Co are also making the move to switch direct and in-direct consumption of fossil fuels to renewable energy in the heating and cooling of their buildings. As of summer 2023, all UK offices were on 100% renewable energy! They aim to roll this out on a global scale, but understand that there are significant challenges with doing so. [09:30] How did Clyde & Co celebrate Earth Day? They introduced climate change awareness training on Earth Day. It wasn't mandatory in any way, and included the rolling out of several blogs and videos which were produced by AXA Climate School in Paris. They ran these through Earth Day (April 22nd) to World Environment Day (5th June). Covering topics such as: Financial disclosures Plastic pollution Saving water Beekeeping Composting This led to a campaign called ‘Zero as One' which helped to create of a network of sustainable champions across their organisation, who help to further raise awareness and where there may be regional issues with reducing resource consumption and energy use. This campaign has continued and is beginning to facilitate a structured, bespoke training programme for all Clyde & Co staff which covers climate awareness to climate competency. It will encourage people to think ‘How can I, as an individual, make a difference?' [15:30] The Clyde & Co Community Forest – A 6.2 hectare plot of land is shared with 2 other community groups, and is not only being used for reforestation but also biodiversity, focusing on red squirrels in particular. Getting this project set up included: Gauging the appetite of colleagues: They offered increased level of refforestation for every response they had to their annual ‘Have your Say' survey. For every response received, they would add 2 square metres of forest. So, 5000 people would give them a hectare. It was a knowledge gathering exercise and experience of what a carbon offset project would look like. They know that they'll never be able to 100% decarbonise their operations, but they hope to get it down to 10% remaining emissions which can be offset with more projects like the community forest. [19:35] What does Paddy think of the sustainability reporting regulatory requirements affecting the legal sector? Not only do lawyers have a key part to play in supporting and advising clients in relation to how they navigate towards a low carbon economy, but they are also a part of many businesses supply chain – meaning they would be included in scope 3 emissions for others. Putting in the work at their end enables them to proactively help and assist clients with their emissions reduction and reporting. The drive in this sector is mostly due to client demand. [21:10] The increase in sustainability targets in North American companies: Paddy highlights that a recent report issued by Climate Impact Partners found that 79% of North American companies now have climate targets, which is up 6% on Asian companies and just shy of European companies. 61% of those North American companies report under ISO 14064. [23:00] What were the drivers behind Clyde & Co getting ISO 14064 verified?: High Transparency: They wanted to ensure that any disclosed information was reliable and that they'd had third-party verification to back that up, making them much more comfortable putting that information out into the public. Financial Benefits: Sustainability and greenhouse gas emission reduction was a part of their main KPI's to tackle, the main reason being to save money through not only the reduction in energy use but also reduced interest rates as a result of their sustainability efforts. [25:20] What were the main challenges in obtaining ISO 14064 verification?: Clyde & Co are a large organisation, so gathering and quantifying the necessary emissions information was like getting blood from a stone! Nearly 65 – 70 sites only have a small team of 5 people, and getting data from each can be time consuming. Also, the quality of data can vary a great degree with that many sites, especially on a global scale as you need to consider the conversion factors when collating all the data into something verifiable. [26:50] What impact has ISO 14064 verification had on Clyde & Co's sustainability credentials?: Very simply, it validates Clyde & Co's claims. With the third-party assessment, it shows that they are actually doing what they say they're doing, and not simply paying lip service. [27:45] What were the main benefits of getting ISO 14064 verified?: Helping to secure financial benefits: ISO 14064 verification is proof enough for banks to issue discounts on interest rates Ease of process: The audit process introduced for ISO 14064 can be repeated as needed. As a result of getting verified, Clyde & Co found the exercise a good stress test for existing auditing procedures, and found a way to simplify them further. Credibility: Third-party verification adds a level of credibility which is lacking from internal calculation alone. [29:00] Paddy's top tip for anyone considering ISO 14064 verification: Do not let perfection get in the way of progress. They found that people can become a bit defensive in audits, trying to avoid errors being picked up, however, audits are meant to be constructive. They are opportunities to pick up on areas for improvement. [30:40] Paddy's book recommendation: The Ministry for the Future by Kim Stanley Robinson [32:10] Paddy's favourite quote: The greatest threat to our planet, is the belief that someone else will save it – Robert Swan OBE If you would like to learn more about Clyde & Co, and their sustainability initiatives, visit their website. To find out more about verification visit www.carbonologyhub.com We'd love to hear your views and comments about the ISO Show, here's how: Share the ISO Show on Twitter or Linkedin Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Don't forget to subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Did you know that only a third of the emissions reductions required to achieve the country's 2030 target are currently covered by credible plans? As a result, we can expect to see more mandatory and voluntary regulations that require carbon emissions reporting to verify your ESG and net zero claims. In this episode, Mel closes out the ESG Reporting Disclosures series by explaining what Corporate Sustainability Due Diligence Directive (CSDDD) is, it's key emissions reporting requirements, the verification requirements and who qualifies for CSDDD. You'll learn · What is CSRD? · Key requirements of CSDDD · Key emissions reporting requirements · the emissions verification requirements for CSRD? · Who qualifies for CSDDD? · The likely impact of CSDDD Resources · Carbonology · Carbonology LinkedIn · Carbonology Instagram · CSDDD In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:10] Episode summary: Mel closes out the series on ESG reporting requirements by diving into CSDDD. [03:10] What is CSDDD? – The Corporate Sustainability Due Diligence Directive (CSDDD) is a new EU directive that promotes sustainable and responsible corporate behaviour in companies' operations and across their global value chains. Purpose: It aims to promote sustainable business practices, protect human rights, and address environmental challenges. The CSDDD was adopted by the European Commission on the 23rd of February 2022 and approved by the Council of the European Union on the 24th of May 2024. The new rules ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe. The CSDDD is expected to start affecting companies from 2027 at the earliest once the directive has been transposed into national legislation. [05:10] What are the key requirements of CSDDD?: · Human rights due diligence: Companies must identify, prevent, and mitigate adverse human rights impacts within their value chains. · Environmental due diligence: They must assess and manage risks related to climate change, biodiversity loss, and pollution. · Disclosure obligations: Companies must disclose their due diligence processes, findings, and any remedial actions taken. [06:20] What are the Emissions Reporting Requirements? Under the CSDDDD, companies are required to report on their greenhouse gas (GHG) emissions within a climate transition plan. This includes considerations for Scope 1, 2 and 3. These were explained in more detail in a previous episode on CSRD, so go check that out if you want to learn more about the individual scope requirements. What if you fit the requirements of both CSRD and CSDDD, do you have to double report on emissions? In short – No! The climate transition plan required by the CSDDD will be reported within CSRD reporting, as organisations just need to adhere to the CSDDD's implementation requirements for the transition plan. [10:10] What are the Emissions Verification Requirements? More definitive guidance on verification requirements is expected closer to 2027. Companies will more than likely need to verify the emissions data reported through CSDDD, as the directive mandates a climate change transition plan that aligns with the Corporate Sustainability Reporting Directive (CSRD), which does require companies to verify their emissions data. [09:55] Who qualifies for CSDDD? The Corporate Sustainability Due Diligence Directive (CSDDD) applies to both EU and non-EU companies depending on their workforce size and revenue: EU and non-EU companies (or the ultimate parent company of a group): · With more than 1,000 employees and a global net turnover of at least €450 million in the last fiscal year; or · Which have franchising or licensing agreements in the EU in return for royalties with more than €22.5 million generated by royalties in the EU and have a net worldwide turnover of over €80 million in the last financial year. [11:10] What is the possible impact of this new directive? Similar to the other ESG disclosures I've covered over the past few weeks in this series on reporting disclosures, the impact of the CSDDD will result in 3 key impacts:- · Increased transparency: This directive will provide stakeholders with a clearer picture of companies' sustainability efforts, to combat greenwashing. · Enhanced accountability: Companies will be held accountable for their environmental and social performance. · Stimulation of sustainable business practices: The directive will encourage companies to adopt more sustainable practices, including regular reporting. If you would like to learn more about CSDDD or inquire about the related course, please get in touch with Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
2030 is fast approaching and we're already falling behind on our Net Zero targets, which will take a coordinated collective effort to get back on track. As a result, businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets. This has led to an increase in both mandatory and voluntary regulations that require carbon emissions reporting to verify your net zero claims. In this episode, Mel continues the ESG Reporting Disclosures series by explaining what the Corporate Sustainability Reporting Directive (CSRD) is, how it affects your emissions reporting, the verification requirements and who qualifies for CSRD. You'll learn · What is CSRD? · How will the CSRD affect your Emissions Reporting? · What are the emissions verification requirements for CSRD? · Who qualifies for ISSB S2? Resources · Carbonology · Carbonology LinkedIn · Carbonology Instagram · CSRD In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into Corporate Sustainability Reporting Directive (CSRD). [02:55] What is CSRD? – The Corporate Sustainability Reporting Directive (CSRD) is a new EU directive that modernises and strengthens the rules concerning the social and environmental information that companies have to report. It revises the 2014 Non-Financial Reporting Directive (NFRD), extends the scope of covered companies, and strengthens the reporting requirements. The CSRD was formally adopted by the European Council on 28 November 2022. The directive is transforming ESG reporting and will start affecting almost 50,000 companies from 2024 by expanding the scope to include all large companies, all companies listed on regulated markets, and non-EU companies with substantial activities in the EU. This includes non-EU companies with subsidiaries operating within the EU or those listed on EU regulated markets. Many companies located both within and outside the EU will be affected during the CSRD's phase-in period beginning in fiscal year 2024. [05:10] How will the CSRD affect your Emissions Reporting?: Under the CSRD, companies are required to report on their greenhouse gas (GHG) emissions. This includes: · Scope 1 Emissions: Direct emissions from owned or controlled sources. For example, emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc. · Scope 2 Emissions: Indirect emissions from the generation of purchased energy. This includes emissions from the production of electricity, steam, heating, and cooling consumed by the company. · Significant Scope 3 Emissions: Other indirect emissions that occur in a company's value chain. Companies are required to report on significant Scope 3 sources. This could include emissions from business travel, employee commuting, waste disposal, etc. [07:10] What are the Emissions Verification Requirements? Under the CSRD, companies are required to have their reported GHG emissions data verified by an independent third party. The verification process ensures the accuracy and reliability of the reported information. Verification options for CSRD include: · Independent Verification: Companies must engage an accredited third-party verifier to audit and confirm the accuracy of their GHG emissions reports. · Verification Standards: The verification must be conducted in accordance with recognised international standards, such as ISO 14064-3. · Assurance Levels: The verification should provide a reasonable level of assurance that the emissions data is accurate and complete. · Frequency of Verification: Verification is required on an annual basis to ensure ongoing accuracy and compliance with the CSRD. [10:10] Who qualifies for CSRD? The Corporate Sustainability Reporting Directive (CSRD) applies to a broad range of companies based on the following criteria: 1) Companies listed on regulated markets in the EU (excluding listed micro-enterprises). 2) Large companies, classified as those meeting at least two of the following three conditions: · More than 250 employees. · A turnover of over €40 million. · Over €20 million in total assets. 3) Listed Small and Medium-sized Enterprises (SMEs), although there will be a transitional period when SMEs can opt out until 2028. 4) Non-EU companies with a net turnover of €150 million in the EU, and with at least one subsidiary or branch in the union. If you would like to learn more about CSRD or inquire about the related course, please get in touch with Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets. As a result, we're seeing an increase in both mandatory and voluntary regulations that require carbon emissions reporting to verify your net zero claims. In this episode, Mel continues the ESG Reporting Disclosures series by explaining what The International Sustainability Standards Board Climate-related Disclosures (ISSB S2) are, the emissions reporting and verification requirements and who qualifies for ISSB S2. You'll learn · What is ISSB S2? · What is the scope of ISSB S2 · What are the emissions reporting requirements for ISSB S2? · Emissions verification requirements · Who qualifies for ISSB S2? Resources · Carbonology · ISSB S2 In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into The International Sustainability Standards Board Climate-related Disclosures (ISSB S2). [03:20] What is ISSB S2? – The International Sustainability Standards Board Climate-related Disclosures (ISSB S2) is a new global standard that mandates entities to provide comprehensive information about climate-related risks and opportunities. The ISSB S2 was issued by the International Sustainability Standards Board on the 26th of June 2023 and is effective for annual reporting periods beginning on or after the 1st January 2024. The new standard ensures that companies disclose physical and transition risks and their potential impact on the move towards a low carbon economy. [04:20] Further learning with Carbonology: Carbonology have created a half-day course which walks you through all of the various carbon reporting disclosures and sustainability disclosure reporting requirements. If you would like to learn more, get in touch with Carbonology. [07:00] What does ‘Acute and Chronic Physical risks' mean in the context of ISSB S2? Climate related physical risks are risks resulting from climate change that could be event driven, so an example of an acute physical risk could arise from weather related events like storms, floods and heatwaves, which are increasing in frequency. These could have a knock-on effect to businesses, taking a heat wave as the example, you will need to consider: · Can your IT systems and datacentres cope with it? · Have you got resilience built in to your operations to be able to deal with that sort of disruption to your organisation? Chronic physical risks arise from longer term shifts in climatic patterns, including changes in precipitation and temperature, which could lead to sea level rises and reduced water availability and changes in soil productivity. These risks could carry a weighty financial burden either through direct damage to assets, or indirectly through supply chain disruption. [09:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [11:43] What does ‘Transition risk' mean in the context of ISSB S2? This is looking for a climate related transition plan, which should include targets, actions and resources for the transition towards a lower carbon economy. This would include actions such as reducing greenhouse gas emissions. [12:30] What is the scope of ISSB S2? This Standard applies to: · climate-related risks to which the organisation is exposed, which are: · climate-related physical risks; and (ii) climate-related transition risks; and · climate-related opportunities available to the entity. Climate-related risks and opportunities that could not reasonably be expected to affect an organisation's prospects are outside the scope of this Standard. · The Standard covers:- · Governance · Strategy · Climate related risks and opportunities · Business Model and Value Chain · Financial position, financial performance and cash flows · Climate resilience · Risk Management [14:10] What are the emissions reporting requirements for ISSB S2? - Under ISSB S2, companies are required to measure and disclose their greenhouse gas (GHG) emissions across three scopes: · Scope 1 Emissions: Direct emissions from owned or controlled sources. For example, emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc. · Scope 2 Emissions: Indirect emissions from the generation of purchased energy. This includes emissions from the production of electricity, steam, heating, and cooling consumed by the company. · Scope 3 greenhouse gas emissions: Indirect greenhouse gas emissions (not included in Scope 2 greenhouse gas emissions) that occur in the value chain of an entity, including both upstream and downstream emissions. Scope 3 greenhouse gas emissions include the Scope 3 categories in the Greenhouse Gas Protocol Corporate Value Chain (Scope 3) Accounting and Reporting Standard (2011). [16:20] Emissions verification requirements - Under ISSB S2, companies are required to have their reported greenhouse gas (GHG) emissions data verified. Verification can provide users of financial reports confidence that the information is complete, neutral and accurate. Disclosure of inputs to Scope 3 greenhouse gas emissions needs to disclose information about the measurement approach, inputs and assumptions it uses. [18:30] Who qualifies for ISSB S2? - ISSB S2 applies to all entities that are required by law, regulation, or administrative provision to prepare financial statements. This includes, but is not limited to: · Publicly listed companies · Large private companies · Financial institutions such as banks and insurance companies · State-owned enterprises Entities are encouraged to adopt the ISSB S2 voluntarily, even if they are not mandated by law or regulation. Early adoption is permitted and encouraged to enhance transparency and accountability in climate-related disclosures. If you would like some help with your carbon emissions reporting, please get in touch with Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
As the urgency to address the climate emergency heightens, businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets. As a result, there is an increase in regulations to ensure that companies are taking the climate emergency seriously and not pay lip service to climate action. During September, we'll be taking a look at a few of the latest regulations that may affect your organisation, including: · SECR – Streamlined Energy and Carbon Reporting · ISSB S2 - International Sustainability Standards Board Climate related disclosures · CSRD - Corporate Sustainability Reporting Directive · CSDDD - Corporate Sustainability Due Diligence Directive In this episode, Mel Blackmore breaks down what Streamlined Energy and Carbon Reporting (SECR) is, its reporting requirements, it's qualifiers and how it can work in tandem with other carbon management initiatives. You'll learn · How do these regulations relate to ESG reporting? · What is Streamlined Energy and Carbon Reporting? · What are the SECR Emissions Reporting Requirements? · Who qualifies for SECR? · How can SECR work with other carbon management initiatives? Resources · Carbonology · SECR In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into Streamlined Energy and Carbon Reporting (SECR). [03:20] How do these regulations relate to ESG reporting? – ESG requirements include a commitment to sustainability, and reducing your overall impact. All of these regulations contribute towards an organisations ESG reporting requirements, as they require tangible proof to back up your ESG claims. They will require you to provide comprehensive emissions reporting, the level of detail of which will depend on the specific applicable regulation. [04:05] Future content to look forward to: During September Mel will look at involuntary emissions reporting schemes, but in October she will be looking into the voluntary schemes that many are already adopting as part of their Stakeholder requirements. This will include: · CDP (Carbon Disclosure Project) · EcoVardis [05:50] What are the SECR Emissions Reporting Requirements?: SECR has been around since April 2019, and was originally introduced to replace the Carbon Reduction Commitment Scheme. This is a mandatory scheme, so it is a legal requirement for those that meet it's criteria. For those that are familiar with ESOS (The Energy Savings Opportunity Scheme), it functions in a very similar way. This scheme isn't solely focused on reporting energy usage and carbon emissions, it's also looking for organisations to report on efficiency measures that are undertaken on an annual basis. Which is reflected in the financial reporting that you will also have to submit. It's important to note that SECR has specific requirements for the disclosure of greenhouse gas (GHG) emissions and energy consumption. Emission reporting requirements vary slightly between quoted companies and large unquoted companies and LLPs. For quoted Companies: · Global Scope 1 and 2 GHG emissions must be reported. Scope 3 emissions reporting is strongly recommended but voluntary. For large unquoted companies and LLPs: · UK based Scope 1 and Scope 2 emissions and associated energy consumption. Scope 3 emissions from the combustion of fuel in vehicles or equipment not owned by the company. [10:10] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:05] Who qualifies for SECR?: All UK Quoted Companies: Any company that has shares listed on the UK Stock Exchange is required to comply with SECR. Large Unquoted Companies and Large LLPs: These are companies and Limited Liability Partnerships (LLPs) that are not listed on the UK Stock Exchange but meet two or more of the following criteria: · Turnover: More than £36 million per annum. · Balance Sheet Total: More than £18 million. · Number of Employees: 250 or more employees. These criteria ensure that SECR framework targets large organisations that have a significant impact on the UK's energy consumption and carbon emissions. By complying with SECR, these organisations can contribute significantly to the UK's sustainability goals. [14:10] When is the SECR disclosure made? SECR reporting must occur alongside financial reporting, being included within annual reports and Directors' Reports, which are then filed with Companies House. [14:30] The importance of Accurate SECR Reporting and Carbon Reduction - The reporting process can unlock valuable insights and opportunities for operational improvements, leading to enhanced energy efficiency and reduced carbon emissions over time. Demonstrating your organisation's commitment to energy efficiency and carbon reduction can enhance brand perception and foster positive relationships with stakeholders, including investors, clients, and regulators. [16:05] Integrating SECR Reporting with Other Carbon Management Initiatives - You are missing a trick if you're keeping your SECR reporting separate from the rest of your business activities. It should be included as a part of your sustainability umbrella, and can be invaluable if you're going for other reporting requirements such as EcoVardis and CSRD. There's no need to reinvent the wheel if you already have something like an Environmental Management System in place, simply weave the additional requirements in with your usual annual maintenance. Established systems will already be adhered to across the business, meaning any new requirements will soon become business as usual. You could incorporate this as part of your Net Zero strategy, or Carbon Reduction Plan if PPN 06/21 is one of your reporting requirements. You could also incorporate this into your supply chain emissions reporting. If you would like some help with SECR, please get in touch with Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached. It has become clear in recent years that information security isn't just a ‘nice to have', it's a necessity to ensure you and your client's data are protected. Which is especially the case for those processing personal and financial data, such as today's guest, Mintago. In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard. You'll learn · Who are Mintago? · Who is Tom Catnach? · What was the main driver behind achieving ISO 27001? · What was the biggest ‘gap' identified in the Gap Analysis? · What have they learned from the experience? · What are the benefits of certification to ISO 27001? · What does the threat horizon for information security look like? Resources · Mintago · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification. [02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including: · Finding lost pension pots · Help to save money through finding discounts · Retirement planning · Offering various salary sacrifice products · Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings · Helping people to be more financially literate [05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer. Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001. Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights. [06:30] What was Mintago's main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it's security. Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001. ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand. [08:30] Aligning Standards with core values: Trust is one of Mintago's core values and they want to give their clients the assurance that they can be trusted to protect their data. ISO 27001 can be compared to the likes of Bcorp as it's an on-going process. It doesn't just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year. [10:15] What was the scope of Mintago's certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service. This was because all of the sensitive data is handled in those departments and they don't allow access to any other teams, so it made sense to start there with a view to expand the scope after certification. That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they're ready. [11:50] How long was Mintago's certification journey?: They started their journey in September 2023, in fact it was Tom's first project with Mintago! Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified. Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it's an advantage to implement ISO Standards early while your agile so that your management system grows with you. [14:25] What was the biggest ‘gap' identified at the Gap Analysis? Mintago are lucky in the fact that they are a new business so are using modern tech, and don't have the burden a larger site or other physical elements such as rack mounted servers. However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance. There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place. [16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to. One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place. When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago's size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software. [18:45] Engagement is key - Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security. Mintago also has the advantage of being a smaller business, so getting communication out isn't a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite'. Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that's something that people would want to engage in. It's also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online. [23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? - The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don't work?', ISO 27001 drilled down to ask specifics such as: · How do we recover from that scenario? · Are we 100% confident in our back-ups? · Will they work near instantaneously? · What's Mintago's availability like in that scenario? · How do we prevent disruption to our clients during that scenario? So, while they did have back-ups they weren't necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system. In regards to threat horizons, Mintago do practice OWASP and keep the team informed via e-mail, newsletters and GitHub repositories. [25:00] Internal Auditing – A beneficial tool - Tom found the internal auditing process to be very beneficial for Mintago, currently they do a few monthly on average. Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified. Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification. [27:20] Minor Non-conformities aren't the end of the line – There's a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can't be certified, but that's simply not true! If an Assessor is comfortable that you are in a good position for certification, they will recommend you. ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits. [29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include: Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced it's core qualities to the benefit of their own Information Security practices. Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other's commitment to information security. Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow. [31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI led scams. They're going to be a lot more sophisticated and harder to spot and deal with. Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident. However, with ISO 27001 Mintago are in a good place to keep on-top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security. [34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It's not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place. If you would like to learn more about Mintago and their financial services, check out their website. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Greenhouse Gas (GHG) accounting has become increasingly important in recent years due to the demand for more environmental accountability. Whether by choice or due to legislation or mandatory Government led schemes, organisations need to able to effectively calculate their current impact before they can the right steps to reduce and offset the remaining emissions. There are a lot of different routes to take, and some may look so similar that you have to squint to see a difference. In this episode, Mel Blackmore breaks down the similarities and differences between the leading GHG emission reporting frameworks, ISO 14064-1 and the GHG Protocol Corporate Standard. You'll learn · What are the 2 leading GHG accounting frameworks? · What are the similarities between the GHG Protocol and ISO 14064? · What are the differences between the GHG Protocol and ISO 14064? · Reporting on indirect emissions · Choosing the right framework · How can the GHG Protocol and ISO 14064 complement each other? Resources · Carbonology In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] Episode summary: Mel will look at the similarities and differences between the 2 leading GHG emissions reporting frameworks, the GHG Protocol and ISO 14064-1:2018. [02:20] What are the 2 leading GHG accounting frameworks? – Greenhouse gas (GHG) accounting has become increasingly important for organisations seeking to manage their environmental impact and contribute to climate change mitigation efforts. Two prominent frameworks guide this process: ISO 14064-1:2018 and the GHG Protocol Corporate Standard. Climate change concerns necessitate robust methodologies for quantifying and reporting organisational GHG emissions. Standardised frameworks offer a transparent and reliable approach for organisations to measure their impact and contribute to environmental sustainability goals. This article examines two leading frameworks: ISO 14064-1:2018 and the GHG Protocol Corporate Standard. [06:10] What are the similarities between the GHG Protocol and ISO 14064? – GHG Scope Definition: Both frameworks categorise emissions into three scopes: Scope 1 (direct emissions from owned or controlled sources), Scope 2 (indirect emissions from purchased electricity, heat, or steam), and Scope 3 (other indirect emissions throughout the value chain). In general, the GHG Emissions covered in the GHG Protocol Corporate Standard conform to ISO 14064-1 if significant Sope 3 GHG emissions and GHG removals are both considered. Quantification Principles: Both emphasize the importance of accuracy, completeness, consistency, transparency, and relevance when quantifying emissions. GHG Reporting Boundaries: Both require clear definition of the organisational boundaries for which emissions are quantified. GHG Inventory: Both frameworks guide the development of a GHG inventory, a comprehensive record of all organisational emissions. [09:15] What are the differences between the GHG Protocol and ISO 14064? – Focus: ISO 14064-1 is a more procedural framework, outlining the steps for quantifying, reporting, and verifying GHG emissions. The GHG Protocol, on the other hand, offers detailed guidance on calculating emissions for various activities and sectors but lacks formal verification requirements. Level of Detail: The GHG Protocol provides a more comprehensive and detailed approach, including calculation methods, guidance on emission factors, and best practices. ISO 14064-1 offers a less prescriptive approach, allowing organisations to choose calculation methodologies based on their specific needs. Avoided GHG Emissions: The concept of avoided GHG emissions is not addressed in ISO 14064-1. However, the GHG Protocol Corporate Standard addresses the quantification of avoided emissions, which are required to be reported separately. Verification: Verification by a third-party verifier is optional under the GHG Protocol but mandatory for organisations seeking public disclosure or certification under ISO 14064-1. Verification enhances the credibility and reliability of reported emissions data, this could be to schemes like EcoVadis. Value Chain Emissions: While both frameworks acknowledge Scope 3 emissions, the GHG Protocol offers a dedicated standard - the Corporate Value Chain (Scope 3) Standard - providing specific guidance on quantifying these emissions. Addressing GHG Emissions and Removals: ISO 14064-1 clearly address GHG emissions and removals for each category and removals are therefore an inherent part of the GHG quantification. The guidance in the GHG protocol is not as clear but allows for the reporting of removals separately from GHG Emissions. [13:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [17:05] Reporting on indirect emissions: The main challenge for organisations is the reporting of indirect emissions (Scope 3), often leading to confusion based on a lack of clarity and understanding of how granular the data needs to be, combined with challenges extracting data from third-parties. ISO 14064-1 is very clear regarding which Scope 3 emissions are to be included, whereas the GHG Protocol standard maybe viewed as more open to interpretation. In contrast, GHG Protocol standards require the inclusion of Scope 2 (indirect emissions from purchased energy); the inclusion of other indirect GHG Emissions under scope 3 is optional. The GHG Protocol standard is referred to in various GHG reporting and disclosure initiatives whose requirements for the reporting of the Scope 3 emissions vary. Whereas ISO 14064-1 has been created and approved by representatives from 61 nations to determine a specification for Scope 3 emissions reporting. [20:30] Choosing the right Framework: The choice between ISO 14064-1 and the GHG Protocol depends on an organisation's specific needs and goals. Here are some considerations: · Is there a need for Verification? i.e. is it a mandatory requirement · What level of detail is required? If a detailed approach with extensive calculation guidance is preferred, the GHG Protocol might be more suitable. · Resource availability – Do you have the resource to do this yourself or will you need a helping hand? · Disclosure reporting requirements – check what you need to comply with as this could determine which framework you use. [23:30] How can the GHG Protocol and ISO 14064 complement each other? - This podcast may have you thinking that it has to be one or the other, but in actuality the two frameworks can be used together effectively. Organisations can utilise the GHG Protocol's detailed guidance to develop their GHG inventory and then follow ISO 14064-1's process for verification and reporting. If you would like some help with GHG reporting or Verification, please get in touch with Carbonology. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ESG is a very broad topic to try and address for any organisation, leaving many scratching their heads on where to start with ESG reporting. Currently, there is no official certification for ESG, however there are a number of schemes that will give you either a score or rating for your level of compliance against their requirements. For those currently working towards one of these schemes, you may already have a solid foundation in place if you're certified to one or many ISO Standards. In this episode, Ian Battersby and Ali Henshaw discuss ESG compliance and how elements of an ISO Management system can help with ESG reporting. You'll learn · What is ESG? · Is ESG reporting required? · Is ESG a nice to have or good solid business practice? · Is ESG certifiable? · How can ISO Standards help to address the 3 pillars of ESG? · How ESG compliance helps to combat Greenwashing Resources · Isologyhub · ESG Audit In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:00] Episode summary: Ian and Ali will be discussing how ISO Standards can help with ESG reporting. [02:20] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements help organisations to consider different areas within their overall sustainability profile. The Environmental section looks at issues surrounding climate change and actions to address an organisation's environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact. The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work. [05:00] The pillars of ESG aren't silos – You shouldn't approach each pillar of ESG in isolation, as they cross over in a lot of areas. For example, in environmental management you may manage hazardous substances, you'll have a duty to ensure those substances don't pollute the surrounding area or bodies of water. However, you will also need to consider the health and safety aspect of storing and working with that material. So already you have 1 issue that crosses both the Environmental and Social pillar of ESG. [05:50] What does the Governance pillar cover? – Governance criteria focuses on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management. [07:05] What types of ESG reporting are required? – For small organisations, there is currently no set requirement as it stands, but you many encounter stakeholder or customer requirements that encourage ESG reporting on some level. For larger organisations at certain sizes there are mandatory reporting frameworks that you will be required to fulfill. At the moment it's quite sector specific but this is a trend that will only increase over time. Like with anything new, this is likely to trickle down to smaller organisations over time, however there will likely be funding and grants available to assist when that time comes. [08:25] Is ESG a nice to have or good solid business practice? If you want to be a sustainable business, with good legacy that has the ability to grow and develop, ESG is a fantastic tool. Investors are now looking for sustainable businesses, it's become a market trend for an ever increasingly environmentally conscious consumer base. You either need to move with the times of get left behind, and sustainability is one key factor that will determine which of those categories you fall into. [09:50] Which ISO Standards can support ESG?: From a holistic point of view, the structure of ISO standards, the plan do check Act (PDCA) cycle, the need for monitoring and measurement and the need for improvement supports the principles of ESG in terms of quantifiable results. The additional aspect of having set objectives and proof of tangible improvement actions was something that fulfilled CSR (Corporate Social Responsibility), which in turn has been superseded by ESG. ISO Standards high-level structure and life cycle approach lend themselves to support various aspects of ESG, depending on the Standard you implement. ISO 14001 for example, would support the environmental pillar, as it looks at your significant aspects and impacts in addition to that of your supply chain. You'll need to factor these into your objectives and overall business strategy. ISO 45001 would tackle elements of the social pillar as it directly addresses the well-being of your employees. It also includes a clause for the consultation and participation of workers, so work directly with employees to identify and address risks that may be missed by management. [13:40] Is there a certifiable Standard for ESG?: Not currently, but an ISO guidance document is in the works. Standards that address core elements of ESG include ISO 26000 (Social Accountability) and ISO 20400 (Sustainable Procurement). Again, these aren't certifiable, but provide invaluable guidance. Guidance documents have the advantage of being selective in what elements you decide to adopt. The ESG one in development is a good example, ESG as a topic is huge, a smaller organisation may not realistically be able to implement all of the advice. But, it can be used as a starting point for a materiality assessment that will allow you to be selective of the core subjects you apply to your business. The idea of guidance documents is not to be a bolt on, as those quickly get forgotten. It's all about embedding their elements into existing processes. [17:10] Utilising elements of ISO Implementation for ESG reporting: If you've already got an ISO Management System in place, i.e. ISO 14001 or ISO 45001, then you'll already have objectives, processes and monitoring & measurement in place to address those elements. ISO 26000 is another good example as it covers a wide range of topics, including human rights, labour practices, the environment, community involvement and development, consumer issues and fair operating practices. Some may not be applicable to you, but as mentioned, it's a guidance document so you have the freedom to be selective about the aspects you incorporate into your management system. You need to decide what really applies to you. It's better to prioritise and take 10 steps on one subject vs 1 on 10 subjects. [20:25] ESG isn't a once a year activity: There's no tick box exercise that you can do once a year and claim compliance, ESG is an on-going endeavor for as long as your business is running. It's a way of operating, much like ISO Standards. It will develop and grow with your business. [21:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [23:36] Will elements of ESG become certifiable down the line? We'll never say never! It's still very much a developing field. There is currently a framework being developed by the International Standards Organisation, it's currently in draft form. Ali herself is on the commenting committee for it's development, and can confirm that the framework is looking at the links between certifiable Standards and the tangible application. ISO Standards require third-party verification of your claims before getting certified. In that aspect, they're the perfect tool to provide tangible proof that you are doing what you say you're doing, but only in select aspects. ESG is broad, almost too broad to certify. It's not really feasible for one person to come in and assess a whole business like they would do for an ISO Assessment, there's simply too much to cover! [25:00] The trouble with ESG verification: Currently, a lot of voluntary schemes require you to report against and fulfill, but they are very sector specific because a general one would be too broad and likely will not cover every aspect appliable to every business. Schemes out there are doing something to battle greenwashing, as the environmental aspects are easier to verify, however social aspects are a lot more tricky and can get even more complicated outside of the UK where there is no HSE annual reporting available. [26:20] How can you support the Social aspect of ESG?: Measuring your social value can difficult, many think of education as the solution. Here are some ideas to consider: · Working with local schools – Improvement projects driven by Student run business studies · Work experience · Charitable work – allow staff to have a charity day as part of a benefits package [28:10] How can we prevent the greenwashing of ESG compliance?: Government Bodies are working to tackle this. It's being built into legislation to prevent greenwashing in future where self-policing hasn't gone far enough. Trade Associations are also pushing their members towards more legitimate frameworks to ensure they do remain accountable and transparent about their activities in relation to ESG compliance. [30:00] What resources do Blackmores have to help? We've developed an ESG Gap Analysis, based on the guidance provided in ISO 26000 Social Accountability. This ESG Gap Analysis will highlight where you're already compliant and where there is work to be done. You may be surprised to see that you're more compliant that you think! Especially if you're certified to one or many ISO Standards. We also have a Materiality Assessment, which will help you to determine which topics are of importance to your business and your stakeholders. You can take the findings from both to help develop your ESG Strategy. If you're not mandated to do any reporting, you can leave it at that. However, you may want to consider sector specific frameworks to get ahead of the curve for when elements of ESG do become mandated down the line. [36:00] Where should you start with tackling ESG using ISO Standards? If you're certified to one or many ISO Standards, then you will have processes in place that can support an ESG initiative program strategy, and you can make it as big or as small as you want. Start by looking at your environmental, social and governments impacts and work to embed ESG into your existing ISO Management System before they become mandated by stakeholders and legislation – being ahead also feeds into the principles behind social responsibility. You're embedding a culture, and it becomes a norm which can be developed further. Then, when legislation or customer requirements come in, you're already prepared to answer. Also, with ESG there is a focus on people and you can't have a successful business without good people. ESG isn't only attractive to your customers, but also to potential employees who will want to work for ethical, sustainable businesses. If you aren't keeping up and fulfilling that, you will struggle to find new talent. It also goes without saying that being ESG compliant will attract consumers. Greenwashing, as frustrating as it is, exists for a reason - because people want businesses to be sustainable. People wouldn't lie about it if it wasn't important to someone, so stand out by beating the greenwashing allegations and take the right steps towards tacking ESG. If you'd like to book a demo for the isologyhub, or would like help with an ESG Gap Analysis, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
In July 2024, A logic error in an update for CrowdStrike's Falcon software caused 8.5 million windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all effected machines took weeks to complete. Many businesses were caught up in the disruption, regardless of if this affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this? Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident. You'll learn · What happened following the CrowdStrike crash? · How long did it take businesses to recover? · Which ISO management system standards would this impact? · How can you use your Management System to address the affects of an IT incident? · How would this change your understanding of the needs and expectations of interested parties? · How do risk assessments factor in where IT incidents are concerned? Resources · Isologyhub · ISO 22301 Business Continuity In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management system and business continuity lessons learned that you can apply ahead of any potential future incidents. [03:00] What happened following the CrowdStrike crash?– In short, An update to CrowdStrike's Falcon software brought down computer systems globally. 8.5 million windows systems, which in reality is less than 1% of windows systems, were affected as a result of this error. Even still, the damage could still be felt from key pillars of our societal infrastructure, with a lot of hospitals and transportation like trains and airlines being the worst affected. [04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn't mean that computers affected would be automatically fixed. In many cases applying the fix meant that engineers had to go on site to many different locations which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem. So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve as not everyone has IT or tech support in the field to issue a manual reboot. A lot of businesses were caught out as they don't factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA). [07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself: · What systems to you use? · How reliable are the third-party applications that you use? · If an issue like this to reoccur, how would it affect us? · Do we have the necessary resource to fix it? i.e. staff on site if needed? Third-parties will have a lot of clients, some may even prioritise those that pay a more premium package, so you can't always count on them for a quick fix. [09:10] How does this impact out businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can't afford to say ‘We don't use CrowdStrike therefore it did not impact us' – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies. Standards that were directly affected by the outage were: · ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments · ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness · ISO 20000-1 – IT Service Management; Risk Assessment of service delivery; Service continuity; Service Availability Remember, our management systems should reflect reality and not aspiration [11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company's system for capturing non-conformities or continual improvement. You could liken this to how ISO 45001 requires you to report accidents and incidents. From the Incident a plan can be created which should include changes to be considered or made to the management system. The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made. We are directed in all standards to Understanding the Organisation and its context The key requirement here is to determine the internal and external issues that can impact your management system, and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE; the CrowdStrike/Microsoft Outage should be included in this analysis as a threat and/or Technical issue. [15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they're delivering. So you could send them an e-mail to ask how they have dealt with the issue, what actions did they take and how long did it take to fully restore services. This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans. Many people still think of that requirement only in relation to goods and products. i.e. has my order been delivered ect. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it's being delivered. [17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [19:50] Once you have established lessons learnt, what's next? – The Standards provide a logical path to work through. One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result. Do not simply put the sole blame on a third-party who an incident may of originated from. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault. One such finding may be your lack of business continuity plans, in which case, looking at implementing aspects of ISO 22301 may be an action to consider. It's also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted. If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way. [23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn't just be a one time thing. You should be addressing these after incidents and any major changes within the business. Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level. If you'd like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53. [25:20] How has our understanding of the needs and expectations of Interested Parties been changed? - How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system: · Risk Assessment · BIA for BCP · Recovery Plans · DR plans · Service Continuity [27:50] What should you be considering with your risks assessments? - Risk Assessments, if they follow the traditional methodology, with have Likelihood and Impact/Severity scores an in the light of this outage, and any event, the likelihood and Impact scores should be updated. If a company has set the likelihood as ‘once every 5 years' it should seriously consider changing this to ‘once every 6 months' or 'once every year' to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years'. The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover – talk to finance and other departments to understand the cost and change the scoring accordingly. [33:20] Why should a business carry out a risks assessment as part of lessons learnt? - Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘Consequences of unintended changes,' and it could be argued that an Outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change that led to consequences in many businesses. So, use your risk assessments as live tools to report on the reality facing the organisation. Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective. If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed. Remember - your management system should reflect reality and not aspiration. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Continual Improvement is at the heart of every ISO Standard. The cyclical nature of ISO Standards lends itself to regular review and update of your Management System, to ensure it's working efficiently and to address any issues or opportunities that inevitably crop up. However, Integrating these improvements can be challenging, even for mature systems. Today Ian Battersby explains the concept of Improvement as defined in ISO Standards, how to find root cause for non-conformities and integrating improvement actions from multiple sources. You'll learn · What is meant by ‘Improvement' in ISO Standards? · Common misconceptions about Improvement in ISO Standards · How to address non-conformities in your Management System · Finding the root cause of a non-conformity · Integrating Improvement actions Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian Battersby will be explaining what Improvement means in relation to ISO Standards, how to address non-conformities and integrating the required Improvement actions. [02:30] What is meant by ‘Improvement' in ISO Standards? – One of the requirements of all Management System standards is to determine and select opportunities for improvement (Clause 10). This is the fundamental aim of Management Systems: to make things better In the words of the standards, it is so that an organisation can: “Implement any necessary actions to meet customer requirements and enhance customer satisfaction These shall include: a) improving products and services to meet requirements as well as to address future needs and expectations; b) correcting, preventing or reducing undesired effects; c) improving the performance and effectiveness of the management system.” An organisation going through certification for the first time may never have had in place a system for planning improvements. Some organisations are dealing with improvements, but not necessarily through a single, consistent route. While you can meet the requirements of the standards without a single route, the standard is not prescriptive in how you go about this. [04:45] Common misconceptions about non-conformities – the standard does go on to cover nonconformity and corrective action (10.2); is it suggesting these as the main source of non-conformities (NC). It isn't really explicit about other sources, other than specifically including customer complaints as a form of NC. However, there's a strong argument for consolidating data from different sources, so it's worth considering how complaints data is handled. Other sources of non-conformities can include your Internal Audit findings, addressing where you may not be meeting client expectations, addressing failure to meet legal obligations ect. As a reminder, ISO 9000 (Fundamentals and vocabulary) includes the definition of nonconformity: non-fulfilment of a requirement: need or expectation that is stated, generally implied or obligatory i.e. Legal / client expectation. [10:00] Addressing non-conformities – You need to evaluate the need for action to eliminate the cause of the nonconformity, to ensure that the issues doesn't recur, or pop-up elsewhere. When a non-conformity does occur, you need to: · Determine the causes · Determining if similar nonconformities exist, or could potentially occur; Any corrective actions should be appropriate to the effects of the nonconformities encountered. So, you don't need to commit a huge amount of resource to minor issues. [11:40] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [13:40] Finding the cause of non-conformities – Without removing the cause, repetition may occur, and this is where integrating improvement data from multiple sources comes into its own. The idea of Common cause is - a single cause may manifest itself in very different outcomes. For example, a lack of competence could lead to a process being delivered wrongly, leading to reducing level of quality in service or product, which would be picked up as an NC. Competence is an area which can also lead to NC's, through the result of a helath & safety incident or environmental incident if people aren't trained to use equipment or follow set procedures. It can also lead to a customer complaint where the failed process is apparent to a customer. If a product NC isn't spotted until after the product delivered/in service it could lead to a warranty claim Or even a claim for damages should it lead to harm/loss to the customer It could lead to regulatory breach or even enforcement or legal action Some of these outcomes may not be apparent until they have impacted upon a customer or other interested party, so would not be recorded internally through a nonconformity system. All this to say, finding the root cause will require looking in a lot of different places. Having a common methodology in place to address non-conformities, including considerations for different types of issues, makes life a lot easier. [15:55] Integrating Improvements from multiple sources: There are many sources which can highlight opportunities for Improvement, including: Internal Audit – This is a conformity assessment, so any gaps or issues identified will be NC's that need addressing. Surveillance Audit / Certification Audit – Your Certification Body will also be conducting a third-party conformity assessment, which may highlight something you've missed in your own internal audits. Supply Chain Audit – Auditing your supply chain can also highlight NC's that you can encourage them to address, both for your benefit and theirs. Client Audit – You may be audited by clients, especially where there may be specific technical industry related issues. Management Review – This is the perfect platform to identify Opportunities for Improvement. You can highlight NC trends from Internal Audits here and define if they need to be addressed separately. You will often have members of senior management present at a Management Review, so there is a greater chance for you to plan tangible actions to address issues, especially if they are business critical. SWOT / PESTLE – This usually happens early on in the Implementation phase, but there's no reason why you can't repeat the exercise on an annual basis. This exercise directly identifies your risks and opportunities, both from internal and external sources. Getting input from all levels of staff as they may also shed light on potential NC's and opportunities other departments may not even be aware of. Accident reporting / Safety observations – Any incident should be viewed as an opportunity to improve. Some accidents are unavoidable, but many are a result of someone not following instructions, equipment being left unattended or in the wrongs location ect. Addressing these will help you to ensure a safer environment. Site inspections – Just walking around your site can yield new insights. Ask other departments that may not visit your area to do a sweep and report any findings. Sometimes all you need is a fresh pair of eyes to highlight issues you've missed. Complaint / Other customer feedback – Allow clients and stakeholders to have input. Regulatory requirements – You may discover you are breaching a regulation, which needs to be addressed ASAP. Consider a legal register to keep track of all your legal and regulatory requirements. Enforcement (HSE, EA, professional body) – You may have opportunities for improvement enforced by professional bodies such as the HSE or Environment Agency. Management Action – Any management meetings should take opportunity suggestions from both management and the general workforce. Product NC's – If you're in the manufacturing industry, you likely already have a system in place for monitoring any product related non-conformities. This process can be applied on a broader scale, as it embodies the same principles: Identify the problem, find the root cause, address the root cause, put preventative measures in place to stop recurrence. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
In the workplace, everyone is responsible for safety. It's not just for managers or senior management to worry about where legislation is concerned, everyone from the top to the bottom needs to be actively ensuring the safety of others. ISO 45001 highlights the importance of this in its most recent iteration, which includes a specific requirement for the consultation and participation of workers. But, how does this work in practice? Today Ian Battersby explains what consultation and participation of workers in ISO 45001 is, and how you can incorporate elements of reactive and proactive hazard reporting to meet that requirement. You'll learn · What is consultation and participation of workers in ISO 45001? · What is the identification of hazards? · What's the difference between reactive and proactive hazard reporting? · Common approaches to reactive and proactive hazard reporting · Proactive hazard reporting in action Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian Battersby will be explaining reactive and proactive hazard reporting, and how this relates to the consultation and participation of workers (clause 5.4) requirement in ISO 45001. [02:30] What is ‘Consultation and Participation of workers? – ISO 45001's clause 5.4 states: “The organization must have a process for consultation and participation of workers at all levels and functions, and their representatives in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system.” ISO 45001 expects occupational health and safety aspects to be fully embodied within the organisation structure. All workers should be aware of their responsibilities, and work together to meet the organisation's health and safety goals. Everyone is responsible for safety. Consultation implies two-way communication, so workers can provide feedback to be considered by the organisation before taking a decision. This is important; the organisation has to consider workers' feedback before making decisions Participation implies the contribution of workers, including non-managerial workers, to decision-making related to OH&S performance and to proposed changes. [05:50] Hazard Identification – A specific issue which must be considered is the identification of hazards: · Identifying hazards and assessing risks and opportunities (Clauses 6.1.1 and 6.1.2); · Determining actions to eliminate hazards and reduce OH&S risks There are numerous sources for consideration when it comes to hazards · How work is organised · Routine/non-routine activities · Past incidents · Emergency situations · People · Processes · Workplace design · Equipment · Change [07:35] What's the difference between proactive and reactive hazard reporting? – Proactive is about spotting hazards in advance and putting in place measures to minimise the chances of them materialising and causing harm (eg, through an accident) Reactive is in response to an event which has already occurred, such as an accident; a hazard existed without being spotted already and dealt with. [08:20] A common approach to proactive hazard reporting – Risk Assessment. Consider hazard sources (i.e. people, processes, equipment, workplace etc) and consider what may happen; what could go wrong. Then consider what controls could be put in place to try and prevent that happening. Risk assessment can help you to demonstrate worker consultation and participation by including those affected: · Involved in or affected by an activity · Those delivering a process · Using equipment · Occupying a workplace Those people have valuable knowledge and understanding, sometimes moreso than someone in a supervisory / managerial role. And an absolute must: recording that all employees have read, understand and are committed to the controls included in Risk Assessments; that process may also give rise to workers' further involvement – through querying, suggesting change etc This also helps the culture of hazard spotting and promotes engagement among the workforce, both of which are vital in driving a proactive approach [11:10] A common approach to reactive hazard reporting: Accident reporting systems is the obvious choice. However, there are ways you can make this more proactive. There are various levels to accident reporting. Traditional systems wait until an accident occurs before recording and acting upon it. Some organisations also record near misses: where an event has occurred, but no harm has been caused. This approach in itself can be very valuable; and it provides an opportunity to act before any harm has occurred. However, we can go a step further and allow the workforce to observe what's happening; their surroundings and listen to what they feel may present a hazard to them and their colleagues (remember, everyone is responsible for safety). [13:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [15:30] Proactive hazard reporting in action: Ian recounts his experience in a previous company where their proactive hazard reporting led to meaningful change. This took place in a large manufacturing plant, but there was also significant office-based activity as well. Because of the nature of the work, many people would not have access to online systems so there was both online and paper systems; this is important; if everybody is responsible, everybody needs access and engagement is vital. In addition to the traditional accident/near miss system, there was a safety observation card (all data ended up in the same database). It was simple to fill out, would have only taken about 5 minutes at most. In an organisation of 500ish, we received 2200 observation cards per year by the time I left. When combined with accidents/incidents, there's a predictable cycle: more reports, poor quality, more accidents, better quality, improved actions, fewer accidents. [17:30] Creating an observation card: It should be easy to understand and record what's necessary, recommended content includes: · Date / Time · Who was involved – employee / contractor / visitor ect · Location of hazard / incident · Description of hazard / incident (ideally in 10 words or less) You could get more granular and include: · Identification of an unsafe condition or unsafe act · Type of hazard or incident: slip, trip or fall / exit obstructed / machinery being used unsafely / unsafe structure / not using PPE You could also include an option for actions taken if you decide to inform a manager of the issue, if you've corrected someone on the use of equipment or PPE ect. [21:15] The Importance of peer inspections: Often they would have supervisors from one area, checking a different one. This fresh pair of eyes may offer new insight into something that you usually miss! Note that you should also encourage any site visitors to do the same. The fact that you'd ask them to report any incident also displays that you take safety seriously, and are open to feedback to improve. [22:40] Hazard scoring: In order to judge that quality, they went a step further and graded all observations from 1-3: 1. Saw something but didn't act 2. Saw it, acted to put it safe there and then 3. Saw it, acted to prevent it happening again This allowed them to judge how effective hazard spotting is in removing cause and filters out points-scoring. [22:45] The results speak for themselves: Increasing number of observations Increasing number of participants Increasing quality of observations Reducing number and severity of accidents. Over five years, they increased the number of observations per employee ten-fold. As a result, they reduced lost time accidents over 75% This was a superb example of a personal safety campaign and a great demonstration of consultation and participation, It's not difficult to do, but it needs leadership commitment, constant and clear comms, user-friendly systems and effective analysis / reporting. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ESG compliance has fast become a focus for many organisations looking to address their wider sustainability profile. However, its broad framework has left many scratching their heads on exactly where to start with evaluating and addressing various elements of Environmental, Social, and Governance compliance. For those looking for some direction, you may already have a solid foundation in place if you're certified to one or many ISO Standards. Today Steph Churchman will explain what ESG is, how it can be scored and what role ISO Standards can play in ESG compliance. You'll learn · What is ESG? · What scoring systems are available for ESG? · How can ISO Standards support ESG compliance? · What ISO Standards can support each pillar of ESG? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Steph will be breaking down what ESG compliance means, how ISO Standards can support ESG compliance and give some examples of what ISO Standards can support each pillar of ESG. [02:50] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements help organisations to consider different areas within their overall sustainability profile. The Environmental section looks at issues surrounding climate change and actions to address an organisation's environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact. The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work. Governance criteria focuses on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management. [04:15] An evolution of CSR – CSR (Corporate Social Responsibility) is very similar to ESG, but is less sustainability focused. It also lacked substance in the form of effective and accountable scoring systems that held businesses to account. This is where ESG differs, with many scoring systems, certifications and even mandatory requirements driving businesses to address their compliance. [04:45] ESG scoring – There are many schemes, scoring systems and certifications available for ESG, some of which are specific to industry sectors and company sizes. What one you pick will be up to you (note that some many be mandatory in select countries), however, here are a few examples: The S&P Global ESG Score – This assesses a company's performance and management of ESG risks and opportunities using a combination of company disclosures, media analysis, and industry-specific questionnaires. A score of 0-100 is given based on their findings and are relative within a company's industry sector. Fitch Ratings ESG Relevance Scores - Fitch Ratings assigns ESG Relevance Scores alongside their traditional credit ratings. These scores assess how ESG factors could impact a company's creditworthiness. Their scores range from 1-5, with 5 indicating the highest ESG relevance to credit risk. MSCI – They offer ESG ratings for a broad range of companies, it's not really limited by sector or size. They use a letter grade system, going from AAA-CCC, to assess a company's relative ESG risks and opportunities compared to its peers. The scoring for this one assigns companies as either an ESG leader, average or laggard within their industry. [06:10] How can ISO Standards support ESG Compliance – It's important to clarify that there's no single ISO standard that guarantees ESG compliance because ESG is a broad framework. However, ISO standards provide a strong foundation for implementing many aspects of an ESG strategy. [06:35] Supporting ESG – Structure and Framework: ISO standards offer a structured approach to managing environmental, social, and governance practices. This helps companies identify key areas for improvement and develop a systematic plan to address them. [07:10] Supporting ESG – Improved Performance: By following ISO standards, companies can demonstrably improve their environmental performance, social responsibility, and governance structures by putting in frameworks that align with best practice standards [07:30] Supporting ESG – Transparency and Credibility: Achieving certification to a relevant ISO standard involves a third-party audit, which verifies that a company's systems and processes meet the standard's requirements. This certification acts as a credible signal to stakeholders such as your investors, customers, regulators, that you're committed to ESG principles. [07:55] Supporting ESG – Risk Management: Proactive management of ESG risks is a key component of any ESG strategy. Many ISO standards focus on risk identification and mitigation. For example, ISO 37001 (Anti-Bribery Management Systems) helps identify and address bribery risks, which can have significant financial and reputational consequences. Or ISO 45001 health and safety management, which requires risk assessments to be carried out to ensure the safety and well being of your employees on site locations, which would fall under the social aspect of ESG. [08:30] Supporting ESG – Competitive Advantage: Strong ESG performance is increasingly sought after by investors and stakeholders. Implementing ISO standards can help companies demonstrate their ESG commitment and gain a competitive advantage in the marketplace. You'll also feel the benefit of gaining multiple badges, through ISO certification and possibly an ESG score if you choose to go through one of the official scoring schemes. [08:55] Think of ISO standards as building blocks. They provide the foundation and structure for a strong ESG strategy. By implementing relevant standards and achieving certification, you can demonstrate a dedicated commitment to ESG principles. [09:50] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [11:55] What ISO Standards can support the Environmental aspect of ESG Compliance?: · ISO 14001: Environmental Management - This provides a framework for managing environmental impacts, reducing waste, and improving your resource efficiency. · ISO 50001: Energy Management – this helps companies monitor and optimize their energy use with the aim to help reduce greenhouse gas emissions. · ISO 20400: Sustainable Procurement – This will help you to adopt sustainable procurement principles and practices within your organisation, by looking at how you can reduce waste, choose more sustainable options for required resources, how you can extend the life of resources available through remanufacturing and recovery of waste, and encourages the use of more innovative products and services. · ISO 20121: Sustainable Event Management – This Standard is mostly applicable to the events sector, and aims to help reduce the amount of waste produced during events, either through potential energy savings and the production and recycling of resources used during an event. It's recently had an update, so check out our latest episode to find out what the changes are. · ISO 14064: Greenhouse Gas Verification – This provides a framework for measuring and managing greenhouse gas emissions. This is a crucial step if you're working towards Net Zero, as you need to know what your baseline is before you can work on reducing and offsetting remaining emissions. · ISO 14068: A framework for helping businesses achieve Net Zero, this standard will replace PAS 2060 in November 2025, so anyone looking into PAS 2060 now may be better off going with ISO 14068 as it includes more guidance on purchasing credible carbon credits. [14:15] What ISO Standards can support the Social aspect of ESG Compliance?:– · ISO 26000: Social Responsibility – which offers guidance on integrating social responsibility practices throughout your organization. · ISO 45001: Occupational Health and Safety Management - which helps companies create a safe and healthy work environment. It provides a robust set of requirements designed for improving workplace safety in organisations and supply chains, with the aim of reducing workplace injury and illness. · ISO 45003: Psychosocial Health & Safety Management aka Mental health in the workplace. For the last 4 years or so, work related stress, depression and anxiety has been the leading cause for work related ill-health cases and lost working days. That's according to the annual HSE reports, which clearly highlights a big issue that many more need to consider and address. [14:15] What ISO Standards can support the Governance aspect of ESG Compliance?:– · ISO 9001: Quality Management – this is the leading global ‘quality mark' for businesses and designed as a vital business improvement tool. It's quite simply A blueprint for running your business successfully. · ISO 22301: Business Continuity Management - Which provides a basis for planning to ensure your long-term survivability following a disruptive event. This is a Standard that many align with, but don't always certify to, and for good reason as it provides some invaluable guidance for establishing robust Business Continuity Plans. · ISO 27001: Information Security – This is a Standard that is common place for most sectors now, given how reliant we all are on tech. ISO 27001 will help you to implement an Information Security Management System (ISMS), which is a systematic approach to managing sensitive company information, ensuring it remains secure and available. It encompasses people, processes and IT systems. · ISO 37001: Anti-Bribery Management Systems - It's the International Standard that allows organizations of all types to prevent, detect and address bribery by adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training and carry out risk assessments. · ISO 44001: Collaborative Business Management – This was originally a British Standard that had been created to provide a framework for creating and managing collaborative business relationships between organisations. The standard promotes the best way for businesses to work together, thus effectively developing and managing their interactions with each other for maximum benefit to all. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO 20121:2012, the Standard for Sustainable events management, was originally created and launched in coordination with the London 2012 olympics. 12 years on, it seems only fitting that its next revision would applied to the 2024 Paris Olympic Games. 10 Years on from it's original release, the Standard has received a substantial update to not only bring it in-line with other ISO Standards, but to also address additional elements within event management, such as human rights and legacy. Today Steph Churchman will explain the changes to ISO 20121:2024, what certified companies must do to transition and the consequences of not doing so before the deadline. You'll learn · What is ISO 20121? · What are the changes to ISO 20121:2024? · What steps should certified companies take to complete their transition? · What should you be updating? · What are the consequences for not completing your transition ahead of the deadline? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Steph will be discussing the changes to the Sustainable Event Management Standard, ISO 20121:2024, in addition to outlining what you should be updating ahead of your transition to the latest version of the Standard. [02:30] What is ISO 20121? – . The Standard for Sustainable events management was originally created and launched in coordination with the London 2012 olympics. When it came to planning the 2012 Olympic Games, they took a step back and considered the impact of required development and construction would have on biodiversity, as well as how they could reduce their Greenhouse Gas emissions and general waste in the preparation and running of the event. 12 years on, it seems only fitting that it's next revision would applied to the 2024 Paris Olympic Games. ISO 20121 specifies the requirements for an Event Sustainability Management System to improve the sustainability of events. The standard applies to all types and sizes of organisations involved in the events industry – from caterers, lighting and sound engineers, security companies, stage builders and venues to independent event organisers and corporate and public sector event teams. [04:45] A high-level overview of the changes to ISO 20121:2024 – One of the biggest and most welcomed changes is the fact that the Standard is now aligned with the familiar High Level Structure that many other ISO's follow. This means it will be easier to integrate with other Standards like ISO 9001 and ISO 14001. Next, there is a bigger focus on climate change, legacy and human rights. These elements weren't necessarily missing from the previous version, but they weren't a key focus either. [05:10] Climate Change in ISO 20121:2024 – , ISO 20121:2024 now explicitly requires considering climate change and its impact on your event and stakeholders. So, this might involve carbon emission reduction strategies and adapting to potential climate-related disruptions. Biodiveristy may also fall under this, especially if your events require construction, or take place in an outside venue such as a park or field. A quick reminder that 31 common ISO Standards also received a Climate Change Amendment, so if you haven't addressed that yet, check out our podcast episode and workshop recording to learn about what you need to do. What does this focus on climate change mean for certified companies?: · It provides an opportunity for event professionals and event organisers to demonstrate leadership in taking action around climate change · Certified organisations are required to ensure that any carbon offsetting completed via carbon credits are credible · ISO 20121:2024 Standard facilitates the process of taking credible action and aligns ISO 20121 with big changes relating to climate change [06:55] Human Rights in ISO 20121:2024 – The new version also expands beyond environmental concerns to encompass human and child rights, social impact (including mental health and diversity), and digital responsibility. Your management system will need to address these aspects throughout the event lifecycle. What does the increased focus on human rights in ISO 20121 mean for certified organisations?: · Certified organisations will need to demonstrate and adhere to UN Guiding Principles on Business and Human Rights. · The revised standard also now references social impact in its definitions – primarily in the definition for Sustainable Development and Stewardship. · A new Annex has been added – Annex D: Guidance on Human and Child Rights. · Added guidance states that event organisers should consult with Human and Child Rights experts and conduct a Human Rights Assessment to identify potential risks to the people as a result of an event and its surrounding activities. · You should publish a Human Rights Policy to ensure that Human Rights consideration is embedded in the whole lifecycle of an event. [08:40] Legacy in ISO 20121:2024 – An added focus on Legacy provides an opportunity to event organisers to focus, not only on the few days of event delivery, but also supports in creating enduring results for the hosting community. For example, creating an economic impact for the local population, by providing the opportunity to acquire new skills, to share best practices on how to do events in a more sustainable way or by improving a public place close to the event. [09:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [11:30] A strengthening of Stakeholder Engagement – The Standard now emphasizes demonstrating sustainability throughout your supply chain. This might involve you requesting proof of sustainability practices from vendors and incorporating ethical sourcing practices. The definition of stakeholders has also now been expanded to include partners and sponsors. So, you'll need to consider how their sustainability practices align with your event's goals. The policy clause now requires reporting on your sustainability achievements and lessons learned. Building a system for tracking and reporting these aspects will be crucial, and will likely involve a lot more communication between your stakeholders to gather any necessary data for reporting purposes. [12:35] alignment and flexibility – The updated standard aligns with other management system standards thanks to the high level structure update, making integration easier for organizations with existing systems. The revised standard also caters to events of all sizes and complexities, allowing for adaptation to your specific needs. There's now alignment with Global Frameworks, like the UN Sustainable Development Goals (SDG's) and the Paris Agreement. If you'd like to learn more about the SDG's, check out a few previous podcast episodes: 106, 107 & 108. [13:30] Transition Deadline – What happens if you miss it? – Anyone certified to the 2012 version of the Standard will have until the 31st March 2027 to transition to the 2024 version. If you don't, you'll risk losing your certification, and you'll have to go through the whole Stage 1 and 2 Assessment again to get that certificate back, which is obviously quite costly. [14:15] What do you need to do to transition? – Here's a very high-level of the steps you should take: · Review and conduct a Gap Analysis: This is to compare your existing system against the new standard's requirements to identify areas needing improvement. · Update your Policies and Procedures: specifically your event sustainability policy to reflect the broader range of sustainability issues and incorporate reporting requirements. · Develop a plan to engage with a wider range of stakeholders, including sponsors and partners, on sustainability initiatives. · Review your Supply Chain Management: This will involve establishing or updating procedures for assessing and integrating sustainability practices throughout your vendor network. · Training and Awareness: Any and all changes should be communicated. Educate your team on the new standard's requirements and integrate them into event planning and execution processes. · Carry out Internal Audits: Once you've implemented the changes, audit against the new Standard and ensure you're compliant. Then you'll need to prepare for your Certification Body Transition visit. [15:30] What Specific actions can you take to update your ISO 20121 Management System? Here are some suggested actions to address Human Rights and Children's Rights: · Update your event sustainability policy to explicitly state your commitment to respecting human rights and children's rights throughout the event lifecycle. · Update your Risk Assessments as you're going to need to identify potential human rights risks associated with your event, such as discrimination in hiring or unfair labour practices within the supply chain. · Review your Supplier Management as you'll need to ensure your suppliers uphold human rights standards. · Engage with relevant stakeholders like human rights organizations or local communities to understand potential human rights concerns and incorporate their feedback into your planning. A few other actions you could do include: · Partnering with organizations promoting fair labor practices and human rights. · Including human rights clauses in contracts with suppliers and partners. · Conduct training for staff on identifying and mitigating human rights risks. · Implementing a grievance process for reporting potential human rights violations. [17:00] What further actions can you take to address Legacy?: · Integrate legacy planning into the early stages of event development. Consider aspects like infrastructure, also workforce development (for example training opportunities for local communities), and universal accessibility for people with disabilities. · Develop metrics to measure the positive legacy of your event. This could involve tracking the number of jobs created, increased accessibility measures implemented, or infrastructure donated to the community. · Consider the potential to partner with local organizations to ensure the event's legacy benefits the community in the long term. This might involve collaborating on infrastructure projects or workforce development initiatives. · You should also Conduct a post-event impact assessment to evaluate the event's legacy. [18:00] Reporting on the social, economic and environmental impacts – The first step should be to develop a Reporting Framework: This framework should consider relevant metrics for social (e.g., job creation, diversity), economic (e.g., local business involvement), and environmental (e.g., carbon footprint, waste generation) impacts. Next, you need to Implement a system for collecting and analyzing data related to your event's social, economic, and environmental performance. And lastly, choose appropriate communication channels for your sustainability report, such as your website, annual reports, or dedicated sustainability reports. You could look at specific reporting software or get help from a third-party such as Blackmores. We'd recommend purchasing a copy of the Standard so you can review the specific changes yourself, in addition to reviewing the updated guidance provided in the Annexes. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO Standards provide a framework to help businesses manage various aspects of their activities. Whether that's quality, risk, environmental or Information Security management, they provide invaluable guidance to establish an effective Management System. One element that is key, no matter the Standard or subject area, is Leadership. Without this driving force, your Management System will not get the momentum it needs to truly benefit your way of working. Today Ian Battersby will explain the integral role of leadership within the Implementation and maintenance of an ISO Management System, and how their active participation benefits the whole business. You'll learn · What is Leadership? · Where is Leadership referenced in ISO Standards? · How do Leadership get involved with the Implementation and Management of ISO Standards? · How does Leadership participation benefit the business? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian will be discussing the role of Leadership within ISO Management Systems and how their active participation can benefit the business as a whole. [02:30] What is Leadership? – Leadership is central to success in achieving any goal in business. It involves motivating a group of people toward a common pursuit, and it certainly isn't straightforward without leadership believing in what it's doing. Without showing that belief, why would the workforce sit up and take note: ‘If it's not important to you, why should it be to me?' [03:30] Why should Leadership get involved? – The need for leadership has been recognised by Standards bodies, hence why it's been made central to all Management System Standards. For many years, Management Systems were separate from the day-to-day activities of running a business, often boiled down to just a person in a room with manuals, getting through certifications and earning a nice shiny badge.But this had little to no impact on the bottom line (be honest)! But, a well-run Management System can have huge impacts and benefits on all types of organisation, and updated ISO standards aim to deliver that impact more readily, so leadership gets its own clause (Clause 5 – Leadership) [05:25] Clause 5.1 Top management shall demonstrate leadership & commitment – This boils down to taking accountability for effectiveness of the system, but how do you do this? Firstly, the system can only be effective if it is designed correctly, so leadership must ensure it fits with its context of the organisation, which is required in Clause 4. There are ways of doing this, but we favour a SWOT and PESTLE. This is simply to ensure that those establishing context don't do it in a vacuum, opening up the floor to get input from everyone effected by the Management System. This is key because Senior Managers need active involvement to understand how the system works, its resource needs and its performance. [07:25] Ensuring quality policy and objectives are established and compatible with context and strategic direction – The quality objectives must contribute to the business, so there's a role for senior managers to ensure that they are aligned and have a measurable contribution to the business. What measures are included in your objectives which can demonstrably show that they affect the business in some way in a good way? That's what senior management have to do to link quality objectives with strategic organisational business objectives. [08:20] Ensuring integration into the organisation's business processes – The quality objectives must contribute to the business, so there's a role for senior managers to ensure that they are aligned and have a measurable contribution to the business. They must ensure integration into the organisations' business processes, which in turn must be aligned with the context. They must also be relevant to the way the organisation runs and senior management needs to oversee a system which allows processes to do that. [05:20] Promoting use of the process approach and risk-based thinking – This requires senior management to actually do some promotion – which is stipulated as ‘Shall Promote'. For those that don't know, whenever the word ‘Shall' is used in an ISO Standard, that essentially means you MUST do it. In this instance, that means actually contributing the communications and raising of Management System Awareness. Senior Management have to be involved in the process of describing to people what's important, why the standards are important and that risk and process are central to the organisations operations. [09:35] Providing resources for the system – There's a number of resources that Senior Management need to consider, including: · People - Need to be enlisted to run a system and to operate the system throughout the organisation. · Competence – You may need to invest in training if required. · Expertise in the standard – Do you have expertise in-house on the Standard you're certifying to? If not, you will have to invest in training or additional help from a third-party. · Systems / Access and Documented Information – Do you have a place for hosting of documentation, workflows, forms? Further considerations are needed for required authorization and controlled access. · Time – Implementing and maintaining a Management System is a big task, whether done by an individual or a team, they will need time to complete necessary Management System activities. [10:30] Communicating the importance of an effective system and conforming to its requirements – Everyone looks up to Senior Management in regard to what their priorities are. It's up to them to effectively communicate the importance of the Management System, it's processes, their role in relation to the Management System and how to confirm with it's requirements. Key points to get across: · How this system makes your workplace a better place. · How it contributes to success of the organisation – I.e. happier customers, safer working conditions, ect · How it can make their daily routine more fulfilling – i.e. having a complete picture of their place in the business, how they contribute to its success. · What could nonconformity bring if people choose to step outside a management system? – I.e. With ISO 45001, nonconformance could risk someone getting injured. [13:50] Engaging/directing/supporting persons to contribute to effectiveness of the system – Team managers should be harnessing the people at all levels to be able to fulfil the requirements of the Management System. They should do that by providing clear expectations, which can be done via so communications and objective setting. [14:30] Promoting improvement – Continual Improvement is absolutely key to every management system. When something does go wrong, senior management must provide the resources for actively asking why things may have underperformed, so you can get to the cause of why it's underperforming and put it right. It's also an opportunity to highlight when things have improved and celebrate those that contributed to that success. [15:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [17:40] Supporting other management to demonstrate leadership in their areas – Leadership drives top to bottom. Everybody can have a role in leadership. Roles and responsibilities are assigned by senior management, and this offers the opportunity for individuals to provide their own leadership in their specific areas. [18:15] 5.2 Policy – The definition of Policy in ISO Standards is: The overall intentions and direction of the organisation, expressed by senior management. A policy exists to govern the behaviour of an organisation and its employees in order to provide the best outcomes. It also provides the basis for the establishment of objectives. It does not explain how the policy is to be delivered through individual tasks. This may not be a detail for top management. What's the requirement?: Top management must ensure its appropriate to the purpose and context of the organization and supports its strategic direction It's not simply just a piece of paper to sign once a year. [19:25] 5.3 Organizational roles, responsibilities and authorities – What does the Standard say: ‘Top management shall ensure that responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization' What does this actually mean?: · Ensuring the Management system conforms to your ISO Standard(s) · Ensuring processes deliver desired results · Performance reporting including opportunities for improvement · Promotion of customer focus · Ensuring integrity of the management system through change and continual improvement [21:30] Leadership in practice – Ian recounts an experience where senior management did regular safety checks in an organisation he worked with previously. Senior Management took an hour out each month to do a floor walk and actually talk to those on the ground floor to ask them about risk, equipment and just generally get a feel for how everything really worked. In turn, they were challenged by their staff on safe working systems and this proper conversation led to better understanding on both parts. The staff got to see their Senior Management genuinely care about their work and well-being, and Senior Management got much needed insight into the actual day-to-day activities and see first hand where improvements could be made. Those familiar with ISO 45001 will know that worker participation is a requirement of the Standard, but there's no reason why you can't apply this to other Standards. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
There is a growing pressure on businesses to address their environmental impact, both from the Government as well as a more sustainably minded consumer base. As a result, the need to carry out Greenhouse Gas (GHG) emissions reporting is being introduced as a mandatory requirement for tenders, and Government led initiatives such as Streamlined Energy and Carbon Reporting (SECR). Today Mel Blackmore will discuss Greenhouse Gas (GHG) emissions reporting, and how verifying GHG Statements in alignment with ISO 14064-1 can benefit your business. You'll learn · Why is there a growing need to report on GHG emissions? · What is the difference between certification and verification? · What is ISO 14064-1? · What are the benefits of ISO 14064-1? Resources · Carbonologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Mel will be discussing GHG emissions reporting, and why verifying your businesses GHG Statements in alignment with ISO 14064-1 is a smart move. [02:30] What's the difference between Certification and Verification? – We covered this in detail on a previous episode, go back and listen to episode 162 [02:40] Why is there a growing need to address GHG emissions? – Climate change is a top concern for many. Consumers, investors and governments across the globe are all demanding greater transparency and accountability from businesses regarding their environmental impact. In particular, the carbon footprint a business claims to have. [03:25] What is ISO 14064-1? – ISO 14064-1 is in internationally recognised Standard for quantification of Greenhouse Gas (GHG) emissions and removals at the organisational level. In simple terms, this is the go-to Standard for businesses looking to calculate, verify and publish its carbon emissions. [03:40] Benefit #1: Making compliance and reporting easier – Now, it's important to note that the first time you go through this process will be like pulling teeth. You will need to do a fair bit of work initially, but once that's set-up, it will make the necessary annual reporting a much easier process. ISO 14064-1 verification ensures you are complying with applicable regulations such as SECR and the Governments requirement for a PPN 06/21 (within the UK). If you are based in the UK, there is now Public Sector tendering requirement to identify what your carbon footprint is and make recommendations for reductions in the form of a Carbon Reduction Plan (CRP). It can also help to streamline initiatives like the CDP (Carbon Disclosure Project) or EcoVardis. [05:40] Benefit #2: Taking a deeper look at your emissions footprint – Verification is not simply just ticking a box, it's about providing a clear picture of your organisations' total GHG emissions. Not just your CO2 emissions, ISO 14064-1 ensure you account for different types of emissions sources. This granular understanding will be crucial in identifying areas for improvement and developing an effective reduction strategy. [06:25] Benefit #3: Providing Trust and Transparency – Having your report verified by am independent third-party adds a layer of credibility to your GHG reporting. Anyone can just say their carbon emissions are X, but it's another to have that backed up by a third-party. They can ensure your claims are true, correct and that there is a credible methodology behind it. Stakeholders such as investors, consumers and regulators will then have the confidence that your emissions data is accurate and transparent. Carbonology can assist you with the training resources needed to do this – so check out their website to learn more. [07:30] Benefit #4: Pave a way for Carbon Reduction Strategies – We mentioned earlier about the requirement for a PPN 06/21, this requires a Carbon Reduction Plan (CRP). Whether you create one based on a mandatory requirement or not, having a CRP is a no brainer for any business. It helps you to understand your emissions, which is the first step towards reducing them. ISO 14064-1 verification lays the ground work for developing and implementing an effective CRP. This can translate into significant cost savings and a competitive edge in the long run. [08:30] Benefit #5: Embrace Mitigation – The verification goes beyond just cutting emissions. It supports mitigation actions like carbon removal projects, allowing you to demonstrate a holistic approach to tackling climate change year on year. [08:50] Benefit #6: It's a global Standard – ISO 14064-1 was created by over 140 representatives from over 50 countries globally to define exactly what greenhouse gas emission verification should look like. While there are lots of other ways to achieve Net Zero, it makes more sense to choose an established route that will be recognised as best practice globally. [10:25] Benefit #7: Tracking your progress – Verifying your GHG statements allows you to track progress over time. This data is invaluable for communicating your achievements both internally and externally to key stakeholders about your drive towards net zero goals. It also helps to showcase your commitment to sustainability. [11:00] Benefit #8: Participation in sustainability initiatives – Verification opens doors to participating in voluntary GHG registries and sustainability reporting initiatives. This in turn will help to broaden your visibility as an organisation, amongst the environmentally conscious stakeholders that will be looking for credible sustainable businesses to work with or buy from. [11:45] ISO 14064 is a no-brainer – It offers a significant strategic advantage and can help to demonstrate transparency with GHG reporting – something very sought after in the midst of a lot of green washing claims. If you'd like assistance with ISO 14064-1, visit Carbonology's website and get in contact, they'd be happy to help. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO Standards provide a framework to help businesses manage various aspects of their activities. Whether that's quality, risk, environmental or Information Security management, they provide invaluable guidance to establish an effective Management System. However, for those who are new to ISO Standards, the Standards themselves can seem rather intimidating to interpret. Back in 2015, the Annex SL format was introduced to provide a common high-level structure for Management Systems. With 10 clauses now common in most widely adopted ISO Standards, it can still be a bit difficult to understand exactly how these all work together. Today Ian Battersby will explain how ISO Standard clauses work in tandem to create a cohesive cycle, from context of the organisation through to Improvement. You'll learn · What is the high-level structure? · What are ISO Standards structured this way? · How do ISO Standard clauses interconnect? · How does this apply to Quality Management? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian will be discussing the interconnectedness of clauses, which basically just means explaining the key links between the clauses and how that applies to your management system. [02:40] High level structure – 10 years ago, Annex SL was introduced to create a common framework for ISO Standards. Today, Ian will focus on ISO 9001 as that really is the grandfather of all Management System Standards. ISO 9001 includes elements which are applied to most commonly adopted ISO Standards, and sets the scene in terms of how the clauses link together. [03:20] Why are ISO Standards structured this way? – On their surface, ISO Standards can seem very repetitive in the way that they're written, but there is a good reason for that. There are all based around the Plan-Do-Check-Act cycle. [04:10] What is the Plan Do Check Act cycle? – This is a simple process that all Management System Standards adhere to. So you start with a ‘Plan' to establish objectives, the resources which you need to deliver results, you identify risks and opportunities. From that point you fulfil the ‘Do' part through Implementation and using the Management System. From there you ‘Check' so you monitor against the policies, objectives and any other requirements. Basically monitor against what you said you'd do and then you ‘Act' if you find anything that needs to change, you make that change and you improve as an organisation and you improve that management system. [05:00] A logical path – Management System Standards are designed in such a way that they flow from one clause to the other. One cannot exist without the other. [05:20] How does Clause 4 Context of the Organisation link with Clause 6 Planning? – As clause 4 Context of the Organisation states: ‘external and internal issues relevant to your purpose and strategic direction… …and that affect your ability to achieve intended results' The scope of your management system depends entirely on this. The world in which you operate - what you buy, the people you employ, what you make, who you sell to, the laws you follow… Clause 4 also requires us to identify all interested parties (which we'll address later!). With careful planning, you can align documentation you develop for one clause with other clauses. Clause 4 doesn't tell us how we should work out our context, but it provides some very good clues · NOTE 1 Issues can include positive and negative factors · NOTE 2 Understand the external context by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments So they're not saying how to do it, but they've said what you can consider This sounds a lot like a traditional SWOT/PESTLE analysis… If we skip to Clause 6, Planning, the first thing we must do when we plan is to identify actions to address risks and opps A SWOT will mean you've covered these elements, consider the following = · Weakness = Risk · Threat = Risk · Opportunity = Opportunity We can similarly view the PESTLE in the same light. So you can see that with careful planning, as mentioned you can align documentation for one clause with other clauses. [10:00] How does Clause 6 link with Clause 7 & 8? – Skipping from Clause 6.1 If you've identified what might go wrong (aka - risk), you need to plan to ensure it doesn't happen again. That may involve a single improvement action, which is linked to clause 10 (funnily enough, Improvement) It may be that you need something bigger, involving many steps, over a period of time, say an objective (clause 6.2)? So, the planning of objectives links directly to the context of the organisation, the world in which you operate. It may be that you need an operational control to mitigate risk, a process or procedure that helps to manage the situation as a business as usual situation (clause 7 documented info and clause 8, operation) So the planning of processes and procedures links directly to the context of the organisation, the world in which you operate. In all these circumstances, it's the same for opportunities, except you're putting in place measures to take advantage of the opportunities. [13:05] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [15:10] Clause 7 Support and related links – Moving through the standard, clause 7.4 relates to Communications. You need to determine internal and external communications relevant to the QMS (for 9001). In clause 4, you would have looked at interested parties (i.e. stakeholders). You need to determine who affects the way in which you operate and what they need/expect from you. Parties to consider include: · Customers · Employees · Shareholders · Suppliers · Regulators · Neighbours · Media So, by Clause 7 you will have already identified who's interested and what interests them, so it's only a small step to add to this the communications plan. ISO 9001 doesn't ask for one specifically, but it's a good way to fulfil the requirements of clause 7.3. Clause 7 also mentions Monitoring and measuring resources (7.1.5). This is a very brief clause, but central to establishing the means for demonstrating performance. We need reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements, i.e. do we do what we say we do? Clause 7.5 requires us to document how we do things. Again it's very brief in its requirements (leaves it up to you to decide), but clause 8 is all about operation – which is the way you do things. It's much more specific about understanding what the customer wants, designing it correctly, controlling changes, making it, delivery and addressing issues. This is what you measure: 7.1.5 requires you to ensure you can measure, 7.5 requires you to document how you do things, 8 requires you to do things according to the way you've said you will. [20:10] Clause 9 Performance Evaluation and related links – Moving onto Clause 9, Performance Evaluation, again risk appears. We've already assessed risk right at the start, now we evaluate whether we've successfully controlled risk. We decide what to audit based on the level of risk attached to certain controls (policies, procedures, processes…). We've set objectives based on risks and opportunities and now we must measure performance. We've put in place operational controls to mitigate risk (clause 8) and now we measure whether those controls work. [21:30] Clause 10 Improvement and related links – This one is fairly self-evident. If something goes wrong, find out why and put it right and make sure it doesn't happen again. Look at your system and continually improve based on your evaluations in Clause 9. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
After 5 years of hosting the ISO Show, Mel Blackmore will be taking a step back as she focuses on her sustainability related endeavors. She's passing the baton onto our new host – Ian Battersby. Ian is a Senior isologist at Blackmores, and while relatively new to the team, he has a wealth of Standard and ISO related knowledge to share with you all. Today we Introduce Ian Battersby as the new host for the ISO Show and learn about his background in Standards and ISO. You'll learn · Taking a step back · Introduction to Steph Churchman · Introduction to Ian Battersby · What Standards has Ian worked with? · What Sectors has Ian worked in? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: After 5 years of the ISO Show, Mel Blackmore is handing the hosting baton over to Ian Battersby [02:25] Interim host – Ian will be the main host going forward, but there will be additions from Blackmores' Communication Manager – Steph Churchman. You may recognise her from recent episode such as: · Top 10 Reasons to use ISO 42001 AI Management · Top ISO Standard Trends in the Data Centre Industry Steph will be sharing findings from our own research, standards updates and conducting interviews with our isologists. [03:35] An Introduction to Ian Battersby – Ian has been working for Blackmores since August 2023. Although he is meant to be part-time, he's had a very busy first few months here! Ian began working in British Aerospace, specifically manufacturing, in 1984. He later decided to return to university to study electrical and electronic engineering, which was promptly dropped. His return to BAE lasted a few years before he moved onto the civil service for the Department of Health, working with them to conduct safety investigations and helped to create a broader risk profile. When he moved to work with the NHS, firstly, with the litigation authority setting up governance and risk standards and then as a risk manager. Surprisingly, after moving up a few levels, he decided to move onto run a restaurant! A Curry House to be specific, but after a year of rather stressful work that ended up costing a lot more than expected, he returned to work within the construction industry which is where he became more involved with ISO Standards. From there he went onto work in manufacturing of high pressure pumps for a while before moving onto an organisation who rant he estate for the Department of Work and Pensions. In the end, Ian left them due to being unable to live the life he wanted to live. [05:15] What Standards has Ian worked with? – He started with ISO 9001, ISO 14001 and OHSAS 18001 (now ISO 45001). [06:00] Digital Nomad – Ian currently splits his time between Leeds in the UK and Malaga in Spain. Having a lot of experience working remotely in previous industries, this leap didn't impede on his work in any way. [07:15] What other Standards has Ian worked with? – He has assisted with ISO 44001 (Collaborative Business Management), but admittedly it was not his favorite ISO Standard to work with. It's one of the rare instances in ISO where the Standard doesn't quite align with others. [08:00] What Sectors has Ian worked in – Ian's extensive work history has afforded him the opportunity to work in a number of sectors, including: · Construction and Fit out · Manufacturing · Estate Management · Private enterprise · Healthcare / NHS · Facilities With this list growing at a rapid pace since his introduction at Blackmores! [09:45] What's a big challenge that Ian's had to overcome in the past? – In terms of ISO, it has to be Leadership. Ian's found that to always be an issue within businesses attempting to implement ISO Standards. A good looking Management System will only go so far without leadership commitment. While working in facilitating Standards for an organisation, you won't be implementing the whole system yourself. It's more a case of delivering through others, the organisation controls and delivers their own processes and improvements, and so it's imperative that Leadership are also embedding and encouraging these actions. Ian will be going more in-depth on this topic in a future episode. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Can you believe we've been publishing the ISO Show for 5 years now! We certainly can't! The ISO Show began back in 2019, following a trip to Cumbria by the host Mel Blackmore. She was, and still is, an avid fan of podcasts and while listening to a few of her favourites on the 4 hour trip, she got to wondering if there were any podcasts about ISO Standards. As it happened, there wasn't at the time, and so the idea for the ISO Show was born. Not more than a few months later the first episode went live, and the rest is history. For the past 5 years, we've had the honour of sharing our team's combined 18 years of knowledge, including amazing insights from our clients and industry experts along the way. Today Mel Blackmore will reflect on the ISO Show so far and share it's next evolution as we introduce a new host. You'll learn · Why was the ISO Show created? · Why is Mel taking a step back? · What will be the focus for the future? · An introduction to the new host(s) Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: After 5 years of the ISO Show, it's hitting a turning point as we introduce a new host. [02:25] An amazing journey – It's been an amazing 5 years of digging deep into some of the most pressing issues we've faced, sharing tips and dispelling myths about ISO Standards. We've explored a lot of topics over the years, including: · Sharing our ISO 22301 (Business Continuity) knowledge when COVID hit, to help people with future and current response plans. · Transitioning to new versions of Standards, such as ISO 27001:2022 · Interviewing leaders within the ISO space, such as Kit Oung, who helped to develop the UK's current energy and climate change regulations. [04:05] Mel's sustainability journey – why she's taking a step back as host – Mel's made it no secret that her passion lies with Sustainability Standards. This podcast has helped to amplify their importance within our space, but she wants to take this a step further. Going forward, Mel will be dedicating herself full-time to researching the crucial role of carbon standards in achieving Net Zero emissions by 2050. [05:00] An evolution for the ISO Show – All this to say, the ISO Show isn't going anywhere, rather we are introducing a new main host – Ian Battersby! [05:05] Who is Ian Battersby? – Ian is a senior Isologist here at Blackmores. Ian brings a wealth of knowledge, expertise and a passion for helping businesses raise their game with ISO standards. He's a bit of a digital nomad, splitting his time between working from Span and England, he works part-time at Blackmores. So he is very much involved in the day-to-day understanding of challenges of ISO Management, This includes the frustrations that businesses face and also how ISO standards support the achievement of greater productivity and profitability. Ian will be introducing himself fully on the next episode
Data Centres could be considered the powerhouse of thousands of businesses globally. Long gone are the days of small physical servers being housed on-site, instead we rely on data centres to keep all our critical data safe and secure. But how do we know they are doing just that? Many hold certifications to security-based Standards such as SOC 2 or NIST to display their commitment to data security. However, many also hold various ISO certifications that cover other aspects of the business outside of information security. Today Steph Churchman, Communications Manager at Blackmores, will be sharing the top ISO Standard trends within the UK Data Centre industry. You'll learn · Why did we look into the Data Centre industry specifically? · What are the top 5 ISO Standard Trends in Data Centres? · Why are these ISO Standards essential for Data Centres? · Other commonly adopted ISO Standards within the data centre space Resources · Isologyhub · ISO 27001:2022 Transition Gameplan In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:25] Episode summary: We'll be taking a look at the top ISO Standard Trends within the UK Data Centre Industry [02:30] Why did we look into the Data Centre industry specifically? – In the mid 2010's, we noticed an influx in enquiries from Data Centres in regard to Implementation of ISO Standards. That prompted a research project that led to Blackmores working with some of the top UK Data Centres. Now in 2023 and 2024 we're starting to see a similar push for ISO Standards within the same industry. So, we revived the project to get a grasp on the modern ISO landscape, and took a look at the top 100 Data Centres within the UK. [03:34] #1: ISO 27001 Information Security – Out of the 100 data centres sampled 72% of them were certified to ISO 27001. Security is of upmost importance to data centres, and the great thing about ISO 27001 is that it considers security for not only the digital environment, but also for people and physical security. This Standard is also, in most cases, a stakeholder requirement. Certification to ISO 27001 indicates that you're adhering to best practice in information security, and through the creation of an ISO 27001 compliant Management system, you will have documentation in place such as an information security policy and data retention policy, that often get requested by potential clients. If you'd like to learn more about the Implementation process for ISO 27001, we've got a helpful 3-part podcast series that summarises the entire process from Gap Analysis to Assessment preparation. anyone currently certified to ISO 27001:2013 that you have just over 1 more year to complete your transition to ISO 27001:2022. If you don't do so by October 31st 2025, you'll risk losing your ISO 27001 certification. That's not the only reason you should be transitioning though. The new version of the Standard includes 11 new controls, which cover some newer technologies which really weren't around when the 2013 version was published. So regardless of the risk of losing your certification, it's in your best interest to ensure that you're adhering to the latest version. If this is all news to you, then you can also go back and check out episodes 128 through to 133. This was a little mini-series we did to summarise the key changes to ISO 27001 and what actions you need to take to transition. We also have a Transition Gameplan available on the isologyhub if you'd like a more guided approach, including document templates and training videos covering those new controls. [06:25] #2: ISO 9001 Quality Management – The Quality Management Standard is as popular as ever, even within the data centre space, with 51% of the 100 sampled data centres being certified. ISO 9001 is considered the leading ‘Quality mark' for businesses and is often the starting point for many diving into the world of ISO implementation. ISO 9001 creates a well-rounded base Management system to help you manage your risks and opportunities, as well as ensuring you drive a culture of continual Improvement. Its guidance can help you establish your core policies, processes and procedures to ensure everyone is singing from the same song sheet. The fact that this one is popular among data centres isn't too much of a surprise, it's a universally adopted Standard that isn't limited by industry or organisational size. Currently, there are over 1 million ISO 9001 certificates issued worldwide, and that trend shows no signs of slowing down. [08:25] #3 ISO 14001 Environmental Management – A surprising 25% of the sampled data centres were certified to ISO 14001. From an objective point of view, it makes sense for data centres to consider their environmental footprint. But a lot of that would fall under energy usage rather than just general environmental management, so this likely means it's mainly driven by stakeholder requirements. ISO 14001 is being requested more and more for the likes of large Government contracts, so If you want a chance at bidding for these, ISO 14001 is a must. Now don't get me wrong, I'm sure a lot of data centres have implemented this Standard in an earnest effort to monitor and measure their impact holistically. After all ISO 14001 asks businesses to consider how they can prevent environmental impacts such as pollution and degradation of nature. And the additional guidance provides some helpful starting points for those that may not be sure where to start, for example making commitments to recycling, protection of biodiversity and climate change mitigation. For data centres specifically, this may come into effect when we think of the amount of electronic waste that they could potentially produce. Obviously, this can't just be thrown out in a standard green lidded bin, it'll need to be taken to a dedicated electronic waste facility for processing, disposal and recycling. Racking, shelving and cables will all also need to be replaced at some point, and it's up to each data centre to ensure they have the appropriate processes and policies to ensure this is done correctly and more importantly legally, which again, is where ISO 14001 can help put those frameworks in place. [10:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:45] #4: ISO 50001 Energy Management – With just 13% of the 100 sampled data centres certified! This one is a shocker because, typically, data centres highest cost is in relation to their energy usage. They require enormous amounts of energy to keep their facilities running and to cool down their equipment 24/7. Which I imagine they'd be quite keen to reduce if only to save on running costs. This is where ISO 50001 can come in, to help create a structured approach to effectively monitor that energy usage, so you can identify key trends and opportunities to reduce overall energy consumption, which in turn will save a lot of money. With a healthier proportion being certified to ISO 14001, it seems a shame that so many are missing out on the additional benefits that ISO 50001 can bring, especially when it can very easily be integrated with ISO 14001. In fact, if you're already certified to ISO 14001, then you've already done half the work to implement ISO 50001. Both frameworks are based on that Annex SL format, and both have a lot in common in terms of what documentation is required. It can also help with compliance with some UK and EU based energy initiatives. For example, here in the UK we have ESOS (The Energy Savings Opportunities Scheme) which applies to large organisations that fit within its criteria. They're usually required to provide a report once every 4 years, however as of 2023, Phase 3 now requires organisations to provide an Energy Action Plan which details what actions they plan to take to reduce their energy consumption. There are likely a few data centres that would fall into ESOS's criteria, and if you're sick of going through the ESOS song and dance every few years, then ISO 50001 may be the answer for you, as being certified means that you're going above and beyond ESOS's requirements and will be considered compliant. Meaning no more pesky reporting, or having to locate an ESOS assessor to sign off on those reports. [15:10] #5 ISO 22301 Business Continuity Management – With 12% of the 100 sampled data centres being certified. ISO 22301 is the Standard for Business Continuity, and provides a basis for planning to ensure your long-term survivability following a disruptive event. That 12% may not be truly reflective of all the data centres that have business continuity plans in place however, as according to a recent Business Continuity institute survey, 56% of surveyed businesses use ISO 22301 as a framework but aren't certified to it. There will be a fair few data centres in our sample list that fall under that category. Why should this Standard be a priority for Data Centres? Well, the answer should be simple, if a disaster were to knock out a data centre, that has a massive knock-on effect. Many house servers used by hundreds if not thousands of businesses and users. If they're unable to provide services, that will in-turn cause multiple other businesses to grind to a halt. The true cause of failures at data centres can be many things such as hardware failure, human error or a disaster such as flooding or fires. However, the advantage of utilising ISO 22301 is the ability to be able to effectively deal with these incidents and restore services, which is essential for an industry which is quite literally the powerhouse for millions of other business and people. If you fail to plan, you plan to fail Having a robust business continuity plan should be a top priority for any business, especially data centres, seeing as so many rely on them to keep their own services running. Even if you don't want to go through the full certification process, it's worth grabbing a copy of the Standard, as it provides a lot of helpful guidance. If you'd like to learn more about ISO 22301 in general, go back and check out episode 42 where we go over the Standard in more detail and it's many benefits. [17:45] Runner up: ISO 20000 Service Management – Saw 11% of our sample data centres certified to this Standard. This actually used to be known specifically as the IT Service Management Standard, so that probably clues you into why this would be adopted by many with in tech spaces. However, it truly is applicable to any business offering services. The aim of ISO 20000 is to provide a framework for an effective end-to-end service management system which encompasses the entire lifecycle of a service from concept and design, through to service removal and end-of-life. [18:55] Runner up: ISO 27017 information security controls for cloud services – With just 5% of our sampled Data Centres certified. This one is fairly self explanatory in it's relation to data centres, which operate solely on cloud based services. This Standard was introduced after the 2013 version of ISO 27001 was published, as the main standard didn't really address cloud security controls specifically. Mostly because cloud computing and its related security weren't as widely adopted as they are now. So ISO 27017 was created to try and bridge those gaps. In the latest 2022 version of ISO 27001, there's now a new control for cloud security. So, we may see less interest in ISO 27017 certification going forward. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Working towards a sustainable future is going to require a joint effort from everyone if we're to reach our 2030 and 2050 targets. Several initiatives have come out in recent years to try and address one of our biggest challenges, energy consumption. Many of us in the UK will be familiar with ESOS (The Energy Savings Opportunities Scheme), which involves regular reporting from those that fit its criteria. It's also recently updated to include a stipulation to include an ESOS Energy Plan, which requires you to detail a route to reduce your energy consumption. However, many businesses would prefer a more consistent approach to energy management, such as today's guest – Daisy Corporate Services. Today Mel is joined by Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss why they Implemented ISO 50001, what they've learned from the experience and the benefits gained from implementing an Energy Management System You'll learn · Who is Damian and who are Daisy Corporate Services? · Why did they decide to Implement ISO 50001? · What was the biggest gap identified during their Gap Analysis? · What lessons did they learn from Implementing ISO 50001? · What benefits did they gain from ISO 50001 certification? Resources · Isologyhub · Daisy Corporate Services · Daisy Corporate Services ESG In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] Episode summary: Mel is joined by guest Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss their journey towards ISO 50001 certification. Daisy are not strangers to ISO Standards, already having achieved: ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 20000 and ISO 22301! They have also recently won the Sustainability and Tech Awards 2024 and the Green Shoots Awards too. [04:15] Who is Damian Edwards? – Damian has worked at Daisy as their ISO Standards Manager for the past year. A little known fact about Damian: He listens to classical music as a way to focus. [05:25] Who are Daisy Corporate Services? – The are primarily a provider of IT and Communications. They currently supply a range of services including: · Unified Communications · Connectivity · Modern Workplace · Cyber Security · Cloud services · Managed Services · Operational Resilience [06:25] What were the main drivers behind obtaining ISO 50001 Certification? – In addition to the office spaces Daisy controls, they also have a number of data centres, which use massive amounts of energy. Finding ways to monitor, measure and potentially reduce that energy use, and subsequently cost, was essential. The second main driver is mainly for commercial reasons. Without Standards like ISO 50001, you can't bid for larger contracts or Government frameworks. [08:30] Daisy's commitment to ESG – Daisy have a made a solid commitment to ESG, explained further on their website as they break it down into 10 key focus areas. Energy Management is one of the logical steps to tackle reducing carbon emissions. Data centres can be very inefficient, so being able to consistently monitor, measure and improve their energy consumption is a key part of tackling some of their ESG related goals. Also being certified means you have the certificate to back up your claims. It's not you just making a statement, it has to be verified by a third-party. [10:30] How long did it take to Implement ISO 50001? – It took between 8 – 11 months. For a Standard like ISO 50001, it's important to do it properly. Some organisations may request it in 6 months, but for larger organisations, that would be a tough ask, and you run the risk of rushing into certification without having those processes embedded in. [11:45] Did having existing ISO Standards make the process smoother? – Yes, as it was a case of integrating ISO 50001 with our existing systems rather than starting from scratch. Though, having so many ISO's can water the message down a bit, to combat that we've got a single statement that gets across everything you need to know about Daisy. [12:55] What was the biggest gap identified during the Gap Analysis? – Because we already have so many ISO's, we can be a bit big headed and say there weren't many gaps at all, however, there were still some things we could do. One of the biggest areas for improvement was Clause 7, Documentation, as all ISO Standards have their own required documentation. Another was putting in place a plan for monitoring and measuring our energy usage. We have a Property Director who did do that, but he wasn't really documenting it, so we've put in place some proper processes to help show that we're actively monitoring it, looking at the trends and putting in actions to reduce and improve on that. [14:55] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [17:10] Did closing those gaps make a big difference? – We did have a lot of help from Blackmores in order to address those gaps. Out consultant advised us to combine elements of out Management Review with out monthly Team Meetings, as our Director is involved with those, and we avoid another meeting for meeting's sake. We now also produce a pack of all the monitoring and measuring that's done throughout the month, which makes it easy for us to analyse and identify trends in energy use. Any actions from reviewing this are then recorded and followed up on. So, in essence it's just made everything a lot smoother. [19:55] What did Daisy learn from Implementing ISO 50001? – It takes a team to achieve this – you can't do it on your own. You also can't rush it! Another key take away is that the whole project needs to be driven by top management, without all of those elements combined, it's probably not going to work (or be a lot slower and more painful!) It's also really helped with our commitment and messaging around ESG too. So within those monthly Management Review meetings we have a representative from the energy efficiency team, the ESG team and our bids team. They're then all communicating what the customer message is, that they expect of us, in turn they're kept in the loop about our energy usage and related actions and can communicate that outwards. [21:15] What other benefits are there from achieving ISO 50001? – Having our management system verified by a third-party means that we can confidently say we're adhering to best practice. It also just validates that we are doing things correctly! It also means that we can monitor opportunities for improvement. If we identify more gaps in future, we have the processes in place to address them. ISO 50001 has also helped to put some context behind the energy data we're collecting. Thanks to the new processes we can accurately identify key trends and explain why energy usage may be going up and down. [23:25] Damian's top tip – Ensure that your project is driven by top management. They're involvement means it's a lot easier to communicate that message that you're doing the right thing. Also, ISO 50001 helps with your regulatory compliance too. If you're a larger organisation, then you likely have to adhere to schemes like SECR or ESOS. If you're certified to ISO 50001, then you're already complying with both. [24:35] Damian's book recommendation – Beryl in search of Britain's greatest athlete. [26:45] Damian's favorite quotes – “Hard work beats talent when talent doesn't work hard” and “You miss 100% of the shots you don't take.” If you'd like to learn more about Daisy Corporate Services, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
In February 2024, the ISO and IAF issued an unprecedented change to 31 commonly adopted ISO Standards, such as ISO 9001, ISO 14001 and ISO 27001. This change saw the addition of a new ‘Climate Change Amendment', which was applied in part due to the ISO's resolution in support of the ISO London Declaration on Climate Change. So what does this mean for ISO certified businesses? Join Mel as she discusses what this new ISO Climate Change Amendment is, why it was introduced, what are the consequences if you don't address it and the benefits of its introduction. You'll learn · What is the ISO Climate Change Amendment? · Why was it introduced? · What are the consequences if you do not address the change? · What are the benefits of the Climate Change Amendment? Resources · Isologyhub · ISO Climate Change Amendment Workshop In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] Episode summary: We break down the new ISO Climate Change Amendment, including why it was introduced and why you should address it ahead of your next Certification Body visit. [02:55] Join our Workshop– If you're not sure where to start with addressing this amendment, join our interactive workshop taking place on the 20th May (14:00 – 16:00 GMT). There we will explain how you can integrate the new changes into your existing ISO Management System. Register your place here. [04:30] What is the new ISO Climate Change Amendment? – A key clarification before we go into more detail, this is not a new version of a Standard i.e. ISO 27001:2022, where you must transition to a new version. So, what is it? In February 2024, the International Organization for Standardization (ISO) introduced a groundbreaking amendment to integrate climate change considerations into various management system standards. The amendment doesn't assign specific actions. Instead, it adds text to existing clauses in 31 standards (including ISO 9001, 14001, 27001) requiring organizations to consider: · Relevance of climate change: Organizations must assess if climate change is a relevant issue for their operations and context (Clause 4.1). · Stakeholder expectations: Note added: Relevant Interested Parties can have requirements related to climate change (Clause 4.2). As we've learned from our sister company, Carbonology, it is often Stakeholders driving forward that need to verify a business's carbon footprint and take steps towards Net Zero. [09:30] Why was this change Introduced? – This change was in part due to ISO's resolution in support of the ISO London Declaration on Climate Change. The aim is making climate change considerations an integral part of management systems, their guiding policies and practises – not simply as an afterthought. As we all know, climate change will affect everyone, and should be a concern that every business fully considers to ensure they are resilient and adaptable enough to deal with climate related risks. This amendment means businesss will need to address these risks where relevant, and integrate them into strategic objectives and look what can be done from a risk mitigation perspective. The global business community will be one of the driving forces for paving a way to a more sustainable future – It all starts with changing the way we work, making the shift towards embedding environmental consciousness into the very heart of your business. ISO Standards are widely adopted, and this change offers a catalyst for meaningful climate action on a global scale. [11:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [13:20] What are the consequences for not addressing this change? - Certification bodies will be asking you about these amendments effective immediately. If you've not addressed them ahead of your next certification body visit, you could run the risk of getting a non-conformity. The amendment added to Clause 4.1 especially states ‘Must' – so there's no getting away with simply ignoring it. [14:50] What are the benefits of this change? – Some of the benefits will likely already be felt by those with existing environmental standards such as ISO 14001 and ISO 50001 in place. So, let's take a look at how you can benefit from addressing this amendment: · Reduced Environmental Footprint: By integrating climate change considerations, businesses can identify and implement practices that lower their carbon emissions and resource consumption. · Enhanced Sustainability: Addressing climate change demonstrates a commitment to sustainability, which is increasingly important for attracting environmentally conscious customers and investors. · Cost Savings: Climate-conscious practices can lead to cost savings through improved resource efficiency, reduced waste, and potentially lower energy bills. · Resilience and Risk Management: By considering climate-related risks (e.g., extreme weather events, resource scarcity), businesses can proactively develop strategies to mitigate these risks and ensure operational continuity. · Innovation: Focusing on climate change can lead to innovation in areas like cleaner technologies or sustainable product development, giving businesses a competitive edge. · Positive Brand Image: Demonstrating proactive action on climate change can enhance a company's brand image and reputation among environmentally conscious stakeholders. This is a particularly important issue to younger generations who are becoming the dominant buying power from a commercial perspective. · Stronger Stakeholder Relationships: By considering stakeholder expectations around climate change, businesses can build stronger relationships with customers, investors, and regulators. · Holistic Approach to sustainability: Integrating climate change considerations strengthens a businesses' overall management system by fostering a more comprehensive and future-proof approach. · Continual Improvement: The amendment emphasizes continual improvement, encouraging businesses to constantly seek ways to reduce their environmental impact, leading to long-term sustainability benefits. If you'd like to learn about what actions you can take to integrate the ISO Climate Change Amendment into your ISO Management System, join our live event on the 20th May – register here. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
ISO 42001 was published in December of 2023, and is the first International Standard for Artificial Intelligence Management Systems. It was introduced following growing calls for a common framework for organisations who develop or use AI, to help implement, maintain and improve AI management practices. However, its benefits extends past simply establishing an effective AI Management System. Join Steph Churchman, Communications Manager at Blackmores, on this episode as she discusses the top 10 reasons to adopt ISO 42001. You'll learn · What is ISO 42001? · What are the top 10 reasons to use ISO 42001? · What risks can ISO 42001 help to mitigate? · How can ISO 42001 benefit both users and developers of AI? Resources · Isologyhub · ISO 42001 training waitlist In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] What is ISO 42001?: Go back and listen to episode 166, where we discuss what ISO 42001 is, why it was introduced and how it can help businesses mitigate AI risks. [02:45] Episode summary: We take a look at the top 10 reasons why you should consider implementing ISO 42001. [02:55] #1: ISO 42001 helps to demonstrate responsible use of AI. – , ISO 42001 helps ensure fairness, non-discrimination, and respect for human rights in AI development and use. Remember, AI can still be bias based on the fact that AI models are typically trained on existing data, so any existing bias will carry over into those AI models – an example of this is the existing lack of representation for minority groups. We also need to take care in the use of AI over people, as staff being replaced by AI is a very real concern and should not be treated lightly. We've already seen a few cases where this has happened, especially across the tech support field where some companies mistakenly think that a chatbot can replace all human staff. We also need to consider the ethics of AI content. It's predicted that 90% of online content will be AI generated by 2026! A lot of this generated content includes things like images, which poses a real concern over the values we're translating to people. The content we consume shapes the way we think and if all we have is artificial, then what message is that conveying? An example of this is Dove's recent advert, which showed an example of AI generating images of very unobtainable ideals of a beautiful face. Which were predictably absolutely flawless, almost inhuman and something that can only be achieved through photo editing. If the internet was flooded with this sort of imagery, then that starts to become the expectation to live up to, which can be tremendously damaging to people's self-esteem. They then went on to show actual unedited people, in all their varied and wonderful glory and stated that they will never use AI imagery in any of their future marketing or promotional material. Which sends a very strong message – AI definitely has its place, but we need to fully consider the implications and consequences of it's use and possible oversaturation. [05:20] #2: Traceability, transparency and reliability - Information sourced via AI is not always correct – It collates information published online, and as many of us are aware, not everything on the internet is correct or accurate. Data sets carelessly scrapped from online sources may also contain sensitive or unsavoury content. We've had cases where people have managed to ‘break' Chat GPT, causing it to spew out nonsense answers which also contained sensitive information such as health data and personal phone numbers. While not usually accessible when requested, it does not stop the risk of this data being dug up through exploits. AI is like any other technology, and is not infallible. So, it's up to developers to ensure that the data used to train models is safe and appropriate for use. It should be expected that data sets will be scrutinised from a legal standpoint – either as a result misuse of AI or a mandatory exercise as a part of future legislation. There's also research that suggests data sets can be potentially poisoned to produce inaccurate results – which is another consideration for developers using live data sets, who will need to stay on top of these risks to ensure the integrity of their tools. ISO 42001 provides specific guidance that covers how developers can ensure transparency and explainability within sample training data. [06:45] #3: It's a framework for managing risks and opportunities – AI, like any other new technology, is going to create new risks and opportunities. Risks include the likes of inaccurate data being used, existing bias in data training sets, plagiarism, information security risks and data poisoning. If you're simply using AI to gather information, it's also a good exercise to ensure that the information is coming from a reputable source. One easy way to so this is to simply ask for the source to be cited when pluging in a prompt into tools like Chat GPT and Gemini. You can then verify how legitimate that source is. For web developers and SEO specialists, Google has recently updated it's algorithm to punish those with a lot of AI generated content on their websites. So those within the SEO space may see some interesting trends over the course of 2024. Another unfortunate risk is that of more complex scams being implemented through the use of AI. An example of this involves those who may use an AI assistant in their systems, which can be affected by malicious emails that contain prompt injections which could be used to send data from a victims machine to outside sources. This is only touching on a few risks, but as you can see, there's a lot to consider and I've no doubt that more complex risks will make themselves known as the technology evolves. However, there are a lot of opportunities to be found with AI use. There's a huge potential for AI to be utilised to tackle mundane and routine tasks which could be automated. AI also has the capability to scan masses of data and provide suggestions based on it's findings. Obviously, humans can't possibly compete with the sheer volume of data that AI can process, and so we can utilise it to help us make better more informed decisions. A lot of commonly used software has already integrated various AI tools which offer great quality of life updates and help make a lot of tasks quicker. Which in turn means our time is better spent elsewhere on tackling the more complex issues that require a more human touch. ISO 42001 can help you balance out these risks and opportunities by helping you build a robust management system to manage and mitigate risks, and drive forward opportunities through continual improvement. [10:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:50] #4: Demonstrate that introducing AI is a strategic decision with clear objectives - Businesses looking to integrate AI should not make this decision lightly. I know it's tempting to play with the newest toy, but we should take care to look at any possible risks, and that it aligns with both your company objectives and ethics before rushing to utilise something. For example, allowing your staff to use ChatGPT for content creation. You need to consider a few things: You need to make sure Staff aren't putting in any confidential or sensitive information into publicly available AI tools. Also, ensuring that Staff understand that content provided by the likes of ChatGPT and Gemini could be plagiarised if used as is. You need to build, adapt and change the content so it's something unique. It's all well and good introducing AI technology if it truly is going to be beneficial to your employees and to the business as a whole, however if you're just introducing it because everyone else seems to be, then you really have to question if it's worth it. If it's not actively making your work lives easier and helping you to achieve your objectives, then is it really worth the potential cost and effort to implement? It may also be worth looking into how the AI tool you're using was created. There is sadly still a lot of exploitation involved in the development of new technology, so it's up to you to ensure that the tools you're using were created in an ethical way. Ultimately, ensure that you are using AI safely, ethically and that it aligns with your businesses established objectives. This will need to be communicated clearly to everyone in the business. ISO 42001 is, at its heart, a Management system standard. Like many other ISO Standards, it includes guidance on setting objectives and communicating these to your wider business. [15:24] #5: ISO 42001 helps to implement safeguards – Certain features of AI may require safeguards to help protect businesses against the extra risks they pose, such as the increased potential of more sophisticated cyber attacks or compromised training data. This can be applied within a particular process or an entire system. Examples of features that may require these safeguards include: · Automatic decision making · Data analysis, insight and machine learning · Continuous learning Something you need to consider: Cyber scams are going to become a lot more complex with the help of AI, so you need to ensure you're staff are both aware of this and how they can avoid falling prey to them. Safeguards may simply involve more training on these new risks, or updating to a more robust security software that is able to detect possible AI cyber scams. Developers are also going to need to keep on top of any data being fed into their tools. Public live data tools especially will be more susceptible to being poisoned and tampered with, so it's up to them to monitor and ensure the integrity of their data. ISO 42001 provides guidance in it's annexes for users and developers to implement these necessary safeguards. [16:30] #6: ISO 42001 Supports compliance with legal and regulatory Standards – More AI focused legislation is an inevitability, with the new EU AI Act being a perfect example. It's important to ensure that you are prepared to comply with legislation as it's released, or you may be held liable and be subject to fines. Currently, the UK has no plans to introduce a new regulator for AI, instead relying on existing technology based regulators like the Information Commissioners Office (ICO), Ofcom and FCA. ISO 42001 includes specific considerations for any potential applicable legislation. [17:06] #7: ISO 42001 Can enhance your reputation – ISO Standards are internationally recognised and ensure you are complying with best practice. Gaining certification to ISO 42001 will show you are confident in your AI related claims, and are happy to have this verified by a third party. [17:30] #8: ISO 42001 Encourages innovation within your business – For as much as we've stressed the potential risks AI could expose your business to, ultimately AI is here to help make our lives easier. We just need to ensure we're responsible when applying it. ISO 42001 ensures you can safety integrate AI tools and systems within your business. It's there to help guide the adoption of this new technology, and drive continual improvement as your management system matures. [17:55] #9: ISO 42001 Can be easily integrated with existing systems – ISO 42001, like many ISO Standards, is based on the Annex SL format and can be easily integrated with existing ISO Management Systems such as an ISO 9001 (Quality management) or ISO 27001 (Information Security management) system. Risks addressed in ISO 42001 include security, privacy and quality among others, and can help to enhance the effectiveness of your Management system in those areas. [18:25] #10: ISO 42001 Does not require an existing Management System to implement – While ISO 42001 would make a great addition to any ISO Management System, it's important to note that this can be implemented independently. It is also not intended to replace or supersede any existing quality, safety or privacy Standards / existing management systems. We'll be releasing a suite of ISO 42001 related training content on the isologyhub, if you'd like to get notified as soon as this becomes available, please register your interest on our waitlist. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following. With our heavy reliance on technology to keep both businesses and services running, it's imperative that everyone take cyber risk seriously. However, incidents will inevitably happen and it's up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery! We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident. You'll learn · Who are Epiq? · What does the current cyber incident landscape look like? · What are the consequences if a business does not respond to a cyber incident effectively? · How can a business detect if they're being attacked? · How should businesses respond in the event of a cyber incident? · What role does a legal team play in incident response? Resources · Epiq · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident. [03:00] Who are Epiq? – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe. [04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unathorised access or attempted access to an organisation's IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimize damage and protect sensitive data. [05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident? : The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023: Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year. Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox. For me, there are 3 main challenges that organisations face when responding to a cyber incident: · Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation, during and already high stakes situation. · Expertise and support – navigating the complex legal, technical and operational aspects of an incident · Data-focused impact – understanding and assessing the risk to data after resolving an incident. [10:00] What are the solutions to these challenges? – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert and cyber insurer will give you access to support with both the day-to-day management of an incident, as well as the legal, operational and commercial impact of said incident. [12:10] What are the consequences for an organsiation that does not respond effectively to a cyber incident? – : Failing to respond effectively to a cyber incident often leads to a variety of sever complications for a business, such as; · Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organization will not have access to potentially crucial business information. Financial losses and higher costs to incident response can come as a result of poor planning. · Additional Data Breaches: if an organization doesn't respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation's systems. · Financial losses: cyber incidents affect a business' bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents. · Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organization's reputation. Customers, partners and stakeholders lost trust, affecting long-term relationships and market position. · Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming. [16:25] How can organisations detect if they are being attacked? – signs will vary depending on the type of cyber incident, but organisations and end users could expect to experience; slow systems, locked accounts (no access to mailboxes etc), inability to access documents or shared drives, ransom demands and unusual emails from organisation domains are all tell-tale signs of a cyber incident. If an organisation has invested in Managed Detection and Response software for their end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents. [17:40] What are the key steps an organization must take in responding to a cyber incident? – It's a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should: · Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage) · Identify: Understand what is happening to a business post incident? Things like locked accounts, no access to business systems etc. · Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door · Report: Notify relevant stakeholders, including legal obligations. · Learn: analyse the incident to then take retrospective action to prevent further incidents. [21:23] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters. · Response Funding: Insurers cover costs related to incident response, including professional services. · Response Time: Insurers bring in experts promptly, improving incident resolution. · Affordability: For small to medium businesses, insurance may be the only way to afford a response team. [26:10] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident. Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it. Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too. Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim. [27:25] What are the legal obligations that exist after a cyber incident, especially in related to personal data breaches? – the legal obligations are clear – an organisation must report personal data breaches within 72 hours of awareness, unless the risk to individuals' rights is unlikely. This quick turnaround is why it's imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications. [28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated to a cyber incident, we discussed the important of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event. Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business. [30:35] What role does a legal team play in incident response? – Legal support and advice is critical during an incident. As mentioned, they will help support with report the incident to the regulatory bodies required. · Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements. · Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance. · Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues. [32:30] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident. Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it. Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too. Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim. [36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin's famous quote is so true here – ‘by failing to prepare, you are preparing to fail'. The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn't ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It's important to reduce your attack surface, and ensure you have cyber security themes running throughout the business. [37:45] What are Jack's top 3 tips to take away from this session to help them respond effectively to an incident? – · Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response. · Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key. · Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business. If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023. Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive. As a result, the question of businesses being affected by a cyber incident has become ‘when' rather than ‘if'. However, there are a number of steps you can take to mitigate risks ahead of any potential incidents. We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks. You'll learn · Who are Epiq? · What is a cyber incident? · The importance of being proactive in reducing the risk of an incident · What can organisations do to be proactive in mitigating cyber incident risk? · What are forensic tabletop exercises, and how do they enhance preparedness? · Why might an organisation need to get an incident response retainer? · What role do Information Governance consultants play in reducing cyber risk? Resources · Epiq · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk. [02:40] Who are Epiq? – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe. [04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them. Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director. Jack's role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology. [06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation's information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats. Organisations looking to combat information security risks should consider ISO 27001, as it's key principles include the confidentiality, integrity or availability of your businesses information. [08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business? – Let's look at some startling statistics: In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week. 48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business. This is the most shocking of the statistics, and why it's so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident. 70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don't). Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following! [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024: January saw a rise in cyber incidents predominantly affecting retail, education and local government. In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets. All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident. [13:35] ISO Standard trends – At Blackmores, we've seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries. [15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation's requirements and compliance issues arising from a cyber incident. If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it's imperative that your organisation has established, sound relationships with law firms and consultants. [17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents. Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business. [18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs. The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident. [19:35] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity. In Blackmores' experience, a lot of organisations don't actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it's a bit of an eye opener when they realise they're not as resilient as initially thought. It's always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task. [23:40] Why might an organisation need to get an incident response retainer? – We're starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements. One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements. [26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate. [27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining: · Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements. · Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements. · Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process. · Privacy Compliance: Aligning with regulations such as GDPR, DP, DPA, CCPA. [33:30] What are Jack's top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn't a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against: Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks. These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions. So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security. Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases. Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees. Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure. Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I'm seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur. If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Businesses looking to tackle their environmental impact will need to look at how they can reduce their carbon emissions and offset any remaining emissions to ensure that they reach Net Zero. One of the most common ways businesses offset their emissions is through the purchasing of carbon credits that typically go towards planting trees or re-wilding. However, there are a number of new emerging trends following on from the current commodification of nature, resulting in an attitude shift from businesses who are looking to get a lot more involved in the offsetting process. We invited Luke Baldwin, Co-founder and CEO of Nature Broking, back onto the show to explain the latest trends in the carbon market. You'll learn · What are the latest trends in the carbon market? · The importance of high integrity within carbon offsetting · Looking for impactful solutions · Why education around carbon offsetting is key for long-term sustainability commitment · How buying carbon credits now can lead to significant savings Resources · Nature Broking · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss emerging trends in the carbon market that help businesses tackle their carbon offsetting. [02:50] What are the key trends in the Carbon Market – As of 2024, Luke states the leading trends as: · High Integrity · Impactful solutions · Education · Purchase carbon credits now and save later [04:10] High Integrity – There's now a lot of carbon credits available and due to the nature of the unregulated carbon markets, it's led to an increase in bad actors generating revenue in a bad way. Once example of this is Kariba, a project in Zimbabwe that aimed to tackle deforestation, which was recently exposed in the Guardian and The New Yorker for having incorrect calculations. Credits purchased towards that programme were then called into questions and any associated companies were accused of greenwashing. To avoid this, businesses are now putting a greater focus on high integrity solutions, which involves considerations such as: · Are the credits durable? Will the carbon be stored long term? · Are their significant CO2 benefits? · Are the credits contributing anything besides just removing carbon? i.e. regenerative agriculture or woodland plantation [06:20] Impactful Solutions: The carbon markets offers a lot of fantastic solutions and businesses are moving away from the quick commodification of those solutions, and are instead looking to really understand the impact of how they chose to offset their emissions. It's becoming more of a question of buying carbon credits that align with your values, whether this be social values or sustainability values. They're looking to invest in projects that will have a tangible outcome. Which is exactly what Nature Broking sets out to assist businesses with by tailoring bespoke solutions that adhere to their specific values. [08:10] Education – The need for more education around the carbon markets is crucial. Luke remembers the quote “you can't love what you don't know”, which applies as how can a business truly invest in something that they don't fully understand. Sustainability is a mindset, and a cultural shift towards more sustainable practices starts with an education. Carbonology uses an ISO framework, but also provide an education around the carbon reduction plan provided to inspire a mindset shift change towards sustainability. [09:05] Blackmores experience – Blackmores have been implementing environmental and energy Standards for over 18 years, but it's only been in recent years that we've seen a mindset shift in leadership towards sustainability. While people may be aware of Standards such as ISO 14001 or B Corp, but may not be aware of other governance frameworks that can help businesses to manage their carbon footprint and carbon neutrality. [10:20] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [12:25] How can you make significant savings when purchasing carbon credits? – A lot of carbon solutions currently are very cost effective, in particualr forestry credits and carbon removal credits. Some of the more technological ones such as direct air capture or bioenergy and carbon capture and storage can be more expensive now because the technology utilised is still so innovative and in it's infancy. However, that will change in time. If you're looking at building a carbon portfolio for your net zero journey, for example, say are going through a science based targets initiative and you've decided that you cannot avoid the 10% of remaining emissions your net zero journey and you need to buy carbon removals - you're much better purchasing carbon removals now than in the future. This is because there will be a supply shortage in future, especially when we see more enforced regulations come into play between 2030 and 2035. This will mean that the price of those carbon credits will rise significantly. What may cost £20-£30 per tonne for carbon removal now may go up to anywhere between £100 - £150 per tonne! So it's worth investing in your carbon portfolio now, especially in the case of tree planting as those tress are going to take a while to grow and actually start storing carbon. If you finance projects now, you will have already made an amazing impact from the start, and will potentially save yourself a lot of trouble and money in future by planning ahead. If You'd like to learn more about Nature Broking and their solutions, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The UK is the first major economy to achieve it's 50% reduction target for Greenhouse Gas Emissions (between 1990 and 2022). However, we've still got a lot of work to do to reach our 2023 target of a 68% reduction. Many businesses are already making great strides to reduce their Impact, and while you can reduce, achieving true carbon neutrality will involve offsetting a certain amount of emissions. One of the biggest challenges for businesses in terms of completing their offsetting is finding a credible carbon offsetting scheme. Mel is joined by Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature-based solutions for carbon offsetting. You'll learn · Who are Nature Broking? · What is Natural Capital? · How can we restore nature at scale? · Financing transition regenerative agriculture through the sale of natural capital · How have Nature Broking worked with clients to complete their carbon offsetting? · How can you demonstrate a credible carbon offsetting scheme? · What projects are Nature Broking currently working on? Resources · Nature Broking · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature based solutions for carbon offsetting and explore some of the wonderful projects Nature Broking have been involved with. [04:10] What is natural capital? – Natural capital is the idea of creating value from nature. What natural capital does is, it encompasses all the things that we get from nature that we rely on. That could be the shelter in your house all the way through to carbon offsets. [04:55] Who are Nature Broking? – Nature Broking's story starts off on a somber note. Sadly, Luke lost one of his friends in a mountaineering accident, and in his memory, Luke and another friend rewilded one acre of Scottish Borders Woodlands. This is something they make a point to visit every year, to pay tribute and to keep their living, breathing monument of his friends memory alive and well. The experience was an eye opening one. For as lovely as the process was, it was incredibly expensive, and not very easy to do. Luke then realised that philanthropy alone wasn't going to be able to cover the costs of what we required to restore nature. Looking into the matter further he found that 50% of the world's GDP is moderately or highly dependent on nature and that the UK, whilst green and beautiful, sits in the bottom 10%. And so, an idea was sparked. Together his friend and Co-founder Andy started down the nature restoration path and created Nature Broking. [06:20] What is Nature Broking's mission?: Nature Broking have 2 major missions: #1: Help restore nature at scale #2: Help finance a transition to regenerative agriculture [06:34] How can we restore nature at scale? – The UK Government has set targets of halting nature decline by 2030, with a view to increase nature by 2045. The Green Finance Institute has calculated that there is a funding gap of about 56 billion in order for us to achieve our legally binding environmental targets. That's a hefty sum to put on public money and philanthropy, which is where private markets and business can make a big impact. Frameworks like PAS 2060 (ISO 14068) help businesses invest in nature, and with the creation of carbon credits, carbon has been commodified to make it more accessible for businesses to contribute to carbon offsetting. [08:20] How can we help finance transition regenerative agriculture through the sale of natural capital? – Regenerative agriculture is about restoring the soils, restoring nature back to its original level. Modern farming techniques, while fruitful, use tools such as fertilisers and mechanised farming that have damaged the soils biome. That's going to take time and a concerted effort to fix. Now obviously, we can't just stop farming, we need food, so not all land can go back to nature. Currently, 70% of the UK is farmed, so the agricultural sector will play a big part in being more regenerative. However, the current incentives aren't great, so there's a lot of work that needs to be done in terms of financing the mechanisms behind it, i.e. funding and subsidies ect. One way we could do this is by ulitilising the carbon markets, as regenerative agriculture can lead to significant carbon sequestration. [12:20] How do Nature Broking work with clients? – They make sure to work within the bounds of the business itself, as every business is different.. They don't do off the shelf solutions, preferring to work closely with their clients and help them to really spend time in nature at the place where their carbon credits are being implemented. It's ultimately about education on the different solutions available, including asking important questions like: · What impact do you want to have? · What are the challenges with each solution? · What do you need to watch out for? Each solution is tailored to your business. So, if you'd prefer to work in woodland restoration over regenerative agriculture, then Nature Broking would be happy to work with you to achieve that. Carbon credits include their own set of challenges, one of the main ones being that science changes, so the solutions offered through carbon credits will also change. It may be a case of purchasing credits that tackle different solutions over a large area rather than pooling them all into planting trees for example. Nature Broking are here to help advise and facilitate this. [15:30] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [17:45] How can Nature Broking demonstrate credible carbon offsetting? – Nature Broking are at their heart transparent with how they operate. By taking clients to see the actual physical results of their carbon credits, they can educate and help others form a genuine connection to nature. They want clients to truly understand the full impact of their efforts. The second element is due diligence, which can be displayed by utilising one of the many carbon related frameworks now available, such as B Corp and Sylvera. Though these don't always work within a UK setting, so Nature Broking are working towards creating frameworks that do fit within the overall market view. Lastly, they ensure that the standard they're using is of high integrity, using frameworks such as the Integrity Council for the voluntary market, which analyses different standards. The 2nd is understanding the quality of the project developer, so looking at their technical expertise, looking at their financial ratings, and then evaluating the individual project itself in terms of potential risks. [21:50] What are some of the projects that Nature Broking are currently working on? – A broad view of what's available in terms of schemes include: · The Woodland Carbon Code · The Peatland Carbon Code – This is run by the IUCN, which is the International Council for the Conservation of Nature. They are both defined and funded by DEFRA. These are some of the first carbon codes to move into the UK, however there is a lack of available carbon credits, which should change in future. Other's include: · Wilder Carbon – A carbon code focused on rewilding, run by The Wildlife Trust. · Carbon Code of Conduct - A regenerative agriculture code, so it focuses on analysing the full sequestration and full emissions potential of a whole landholding. [25:00] Carbon Credits in practice – There's a current project called Bank Farm in Kent, which is being used as a test site for regenerative agriculture. This includes the likes of agroforestry, which is where you integrate trees into fields which provide shade for animals and store carbon. So, you're not removing those fields from production, simply adapting them to be more sustainable. They're also practicing mob grazing, which is all about using herbivores to maxmise the amount of carbon stored in the soil. You can do this by moving, say cows for example, around a field to graze quickly on small areas before moving them on. [27:05] Mel's conclusion – There's a huge opportunity in the management of agriculture that can be utilised within carbon credit schemes. In addition to helping our economy by creating new jobs within this new approach to tackling emissions and storing carbon. Hopefully we'll see larger corporations investing in these sorts of schemes both here in the UK and abroad. If You'd like to learn more about Nature Broking and their solutions, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
The UK recently hit a huge milestone, according to the Department for Energy Security and Net Zero (DESNZ), the UK have reduced their Greenhouse Gas Emissions by 50% between 1990 and 2022. The UK are the first major economy to achieve this, however we've still got a lot of work to do to meet our 2030 target of a 68% reduction. Over the past few years there have been a number of schemes aimed at businesses to help tackle their impact, specifically their energy consumption. Here in the UK, ESOS (The Energy Savings Opportunities Scheme) was introduced as an implementation of the EU Energy Efficiency Directive and has been a mandatory undertaking for large organisations that fit the criteria. Recently, that scheme has been updated and a number of changes have come into effect for Phase 3. Ian Boylan, Chief Executive Officer at ISO Baseline, joins Mel to explain the recent changes to ESOS, how they affect organisations in the UK and EU and how ISO Baseline's software can help businesses consistently manage their energy consumption in alignment with ISO 50001 (The Energy Management Standard). You'll learn · Who are ISO Baseline? · What is the Energy Savings Opportunities Scheme (ESOS)? · What are the changes to ESOS? · How do the changes affect those who currently comply using ISO 50001 · What are the changes to the ESOS eligibility requirements? · How can ISO Baseline help businesses with their ISO 50001 and ESOS compliance? Resources · ISO Baseline · Isologyhub · ISO 50001 In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Ian Boylan, Chief Executive Officer at ISO Baseline, to discuss the changes to The Energy Savings Opportunities Scheme (ESOS), and how the changes will affect the European Directive on energy management and energy reporting. [03:20] Who is Ian and ISO Baseline? – Ian has been involved with ISO Standards for a number of years, starting with the technical aspects of building Management Systems, to working with Certification Bodies as an auditor for Management Systems. From this experience, Ian really got to understand the challenges that organisations face when implementing ISO Standards. Challenges such as maintenance to ensure they are achieving their requirements and objectives. Which is where the concept for ISO Baseline was born. Targeted specifically towards the Energy Management Standard ISO 50001, ISO Baseline's software allows organisations to manage their energy processes and provide evidence that you are meeting your energy objectives. [05:30] What features are included in ISO Baseline's software? – Features include: Energy reporting: Information can be displayed in graph or Sankey diagrams to help visualize your energy performance. Identification of opportunities: Any opportunities for improvement found in the provided energy report will be recorded in an ‘Opportunities Register' Financial Assessments: Work out life-cycle costs for assets, which can be used as a guide to establish possible savings by implementing suggested improvements. [07:25] What is ESOS?: ESOS was introduced when we were still a part of the European Union, when there was a European Directive on energy efficiency. It placed a requirement on member states in the EU to put together schemes for ensuring that large organisations undertake energy audits on a regular 4 yearly basis. In the UK this was adopted as the ESOS regulations. For many years, if a business's ISO 50001 certification scope covered all of its energy usage, then your business was considered compliant with ESOS. If you didn't have an ISO 50001 Management System in place, you would have to undertake energy audits once every 4 years, and have that reviewed, approved and signed off by a lead ESOS assessor. At the time, this had to cover 90% of your energy usage. One of the more updated inclusions into these regulations was the introduction of transport as a source of energy consumption. ESOS also included the requirement to identify significant energy consumption and propose a logical way to reduce energy consumption to improve energy performance. [11:30] Main changes to ESOS: Accounting for your energy consumption – Instead of accounting for 90% of your total final energy consumption, you're now required to account for 95% of your total final energy consumption. The de minimis component of it has been reduced by 50% [012:30] Main changes to ESOS: Activity Metrics – All organisations will be required to develop activity metrics and as part of your audits you'll be required to submit those activity metrics. The aim of this is to allow the UK to effectively assess organisations over established periods (i.e. from Phase 3 to phase 4) to see if and how they are actually reducing their energy consumption. This could potentially lead to benchmarking, where organisations can be measured against each other. [14:45] Main changes to ESOS: Submitting Actions Plans – Previously, you just had to submit your completed audits and overall savings potential, now you will be required to submit a proposed Action Plan to improve your energy performance. You will also be required to report annually on your progress towards that Action Plan. So no longer can companies coast on simply paying to complete an Energy Audit exercise once every 4 years, now you will have to produce publicly available information that will hold organisations to account. Essentially a name and shame for organisations that choose to do nothing. [16:55] Making Actions Plans publicly available – Incidentally, it always has been a requirement that everything that has been reportable regarding resources should be accessible, but previously you were not required to produce Action Plans. So essentially now that will also become part of the publicly available information. [17:30] Making ESOS fit for purpose – When ESOS was introduced, there was already so much other legislation around in the UK, so the main focus then was to align them with one another and to ensure that they were all working towards a common purpose. In this update, it hasn't ultimately required you to determine your energy savings potential in carbon reduction, but quite obviously that would be a little bit ludicrous if an organisation went down this route and not to look at it from a carbon perspective, as It's only a tiny little additional step when you're doing it from a money perspective and an energy perspective to figure out what the carbon impact is. [18:30] Do you need help with your Carbon Reporting? – If you need assistance with GHG emission or SECR reporting, contact our sister company Carbonology®. [19:20] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [21:25] Main changes to ESOS: Confirming your compliance – There are different approaches that you will need to be aware of when submitting your evidence of compliance, and which one you use will depend on which route you're taking. For the full ISO 50001 route, you will need to complete the Annex 1 approach, which is a reduced reporting requirement where you do not need to use an ESOS lead Assessor to submit it on your behalf, the organisation can do it themselves. If you going down either the energy audit route or do not have 100% of your energy consumption covered by ISO 50001 – you will be reporting using the Annex 2 approach. This is where you still require a lead ESOS Assessor to work with you and provide final sign-off on that reporting. [24:15] Are there any changes in the eligibility requirements? – There aren't any major changes in ESOS's eligibility requirements. They have now updated the turnover amounts from Euro to Pound Sterling following our exit from the EU. [25:35] How will these changes impact organisations? – Organisations will have to adapt to a more proactive approach towards their energy reporting and management. No longer can you get away with doing an energy audit once every 4 years and then forgetting about it until the next Phase. You need to start looking at it from the perspective of annual reporting, as all this information is going to be publicly available every year, which is going to be scrutinized if you're seen to not be taking any significant action. Large organisations will be compared against each other, and if one is taking action every year to reduce its impact and another is doing nothing for 4 years, which do you think will gain a more favorable reputation? This level of accountability is long overdue, and will be of benefit to organisations in terms of potential cost savings through reduction of energy use, and also more importantly to the environment. [30:00] How can ISO Baseline ISO 50001 help organisations with their ESOS compliance? – ISO Baselines tools and software are going to be the most benefit to organisations that have a real objective to improve energy performance. If you're just doing the bare minimum to meet requirements, then it's no for you. ISO Baseline ISO 50001 is a tool to help systemise your organisations approach to energy management. It can help to avoid a lot of the bureaucracy that can hold up progress, so you can spend your time focusing on the objectives and what the Management System is meant to lead to. Their software will guide you through the required processes involved with ISO 50001 Energy Management, including Internal Audit planning and completion, Management review, logging and addressing non-conformities and corrective actions. If You'd like to learn more about ISO Baseline and their software, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
According to the ISO Survey, there's been a 82.9% increase in worldwide ISO 22301 certificates issued following 2020. Business Continuity is a must have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today's guest – Lifelong Learner. However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is no small part due to the tremendous effort of Lifelong Learner's Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor. Lauren joins Mel on this weeks' episode to share her journey and explains the challenges associated with implementing a Business Continuity Management System in just 4 months. You'll learn · Who are Lifelong Learner? · Why did they decide to Implement ISO 22301? · What did they learn from implementing ISO 22301? · What was the biggest challenge with Implementation? · What are the benefits of implementing ISO 22301? Resources · Isologyhub · Lifelong Learner · PSI Testing Excellence · Talogy In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Lauren Taylor who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC. Lifelong Learner and it's brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders. Lauren has helped Lifelong Learner accomplish a massive milestone, and that's the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She's here to share her journey and lessons learned from implementing ISO 22301. [03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor. [04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries: PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services. Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they'll do is they'll put together psychometric tests that help companies find the right person for the right job, and will assist with skills development. [05:00] Adding to Lifelong Learner's ISO Collection: Lifelong Learner already have an impressive ISO Library, being certified to: · ISO 9001 – Quality Management · ISO 14001 – Environmental Management · ISO 27001 – Information Security Management [05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we've wanted to look further into for a while, just because there's elements of ISO 27001 that cover the business continuity. While we were able to get through the audits with what we had, we just felt that it just needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for Stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step. [06:10] The Implementation Timeline – In October 2023, we began with the context workshop where we could kind of get a better idea of the scope of the management system. This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be. Next came the Business Impact Analysis (BIA) - So essentially what you're needing to find out from these workshops is, the core activities that each of the teams perform on the day-to-day basis. You also need to understand what their systems are that they use, if they have any dependencies, and essentially it all comes down to understanding that if the business cannot perform those activities, what would be the impact overtime if those activities were to stop. Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning. This risk assessment helped to highlight some weaknesses that we hadn't considered before, and gave us a point in the right direction as to what we needed to work on to bridge those gaps. Next was the creation and revamping of documentation inline with ISO 22301 requirements. Thankfully, due to the other ISO's we hold, we already had a lot in place. Same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System. Once we had all the documentation, we conducted a ransomware test exercise, which we also documented all the findings from. Then we were we were ready for stage 1! [09:15] What were the biggest gaps Lifelong Leaner needed to address?: Following the BIA and Risk Assessment, we were able to see where we needed response plans because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need in terms of i.e. a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we released we needed a few more. [10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business. We already had ISO 27001 in place, and we figured if there were to be another pandemic for example, that we'd be covered. However, it wasn't until we did those exercises did we realise that there was a lot we could improve on. [13:25] What did Lauren learn from Implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis. After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system. Also, it highlighted just how many people believe business continuity is just all about IT and physical security, they completely loft out the human element. An example of this is having a single point of failure, which is where if somebody left there would be a gap. [14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans. It's helped with the introduction of the latest ISO 27001:2022 controls – as these too also focus on elements of business continuity. [15:50] Lauren's top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months! Logically think about how everything links together, the clauses all have purpose and flow in a logical pattern to help create a Management System. Your Management Review can be your best friend. It's your opportunity to really engage with senior management and help them understand what your risks are to the business, how your internal audit is coming along, how you manage your nonconformities and it can be all neatly wrapped up in that nice management review bow. [18:00] Lauren's book recommendation – The Matthew Perry Autobiography, Friends, Lovers and the Big Terrible Thing. [19:30] Lauren's favorite quote – “You catch more flies with honey than vinegar.” If You'd like to learn more about Lifelong Learner, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
There's no escaping it, AI is here to stay. Over the course of 2023 we've seen more general and public use of popular AI tools such as ChatGPT and Gemini (previously Google Bard). It's now even being integrated into everyday applications such as Microsoft Word and Teams. There is no doubt that there are a lot of benefits to using AI, however, with new technology comes new risks. So how do we address the growing concerns around AI development and use? That's where the new Standard for AI Management Systems, ISO 42001 comes in! Join Mel this week as she explains exactly what ISO 42001 is, who it's applicable to, why it was created and how ISO 42001 can help businesses manage AI risks. You'll learn · What ISO 42001 AI Management Systems is · Who it's applicable to · Why it was created · How ISO 42001 can help businesses manage AI risks Resources · Isologyhub · ISO 42001 Webinar registration In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today we're touching on a very topical subject – AI, and more specifically the brand new AI Management System Standard – IS0 42001. We'll also be exploring who it's applicable to, why it was created and how it can help businesses manage AI risks. [03:30] What is AI? – AI – otherwise known as Artificial intelligence, as it's most simplest description is the science of making machines think like humans. We've seen a lot of AI tools be released to the public over the last year or so, tools such as ChatGPT and Google Bard. It's already being integrated with some of the most commonly used apps and programs like Microsoft word and Teams. In short, AI integration is here to stay, so we may as well get to grips with it and make sure we're using it responsibly. [05:10] What is ISO 42001? – , ISO 42001 is the first International Standard for Artificial Intelligence Management Systems, designed to help organisations implement, maintain, and improve AI management practices. It was jointly published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The emphasis of ISO 42001 is on integrating an AI Management System with an organisations existing management system – i.e. ISO 9001 or ISO 27001 compliant management systems. Interestingly, a lot of the specific mentions of Artificial Intelligence and Machine Learning are within the Annexes rather than the body of the Standard. The Standard itself is very similar to ISO 27001 in that it's mostly about what organisations should be doing to manage computer systems regardless of any AI components. [08:00] The 4 Annexes of ISO 42001: Annex A: This acts as a Management guide for AI system development, with a focus on trustworthiness. Annex B: This provides implementation guidance for AI controls, with specific measures for Artificial intelligence and Machine Learning – if you'd like to learn more about the difference between the two, go back and listen to episode 135. Annex C: Which addresses AI-related organisational objectives and risk sources. Annex D: This one is about the domains and sectors in which an AI system may be used. It also addresses certification, and we're pleased to see that it actively encourages the use of third-party conformity assessment. This just ensures that your AI claims have more validity. [09:15] Who is ISO 42001 applicable to? – Those annex descriptions may have you assuming that this Standard is only applicable to organisations developing AI technology but in actuality it's applicable to any organisation who is involved in developing, deploying OR Using AI systems. So if you're a company who is only utilising AI in your day to day activities, it's still very much applicable to you! [10:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:25] Why was ISO 42001 created?: · To address the unprecedented rapid growth of AI and all the risks that come with this new technology. · To ensure that AI development and use are trustworthy and above all, ethical. · The public are also reasonably wary of this new technology, so ISO 42001 aims to help build more public trust and confidence in the future use of AI . · ISO 42001 acts as guidance for organisations on exactly how to integrate AI Management controls with their existing systems. [14:05] AI risks you should be aware of – This isn't an exhaustive list, as the technology develops, more risks will become known. However, as of the start of 2024, you should be aware of: Inaccurate information – Many of the chat bots and public AI tools are trained on publicly available information, and as we all know, not everything on the internet is true. So the output from these chat bots will need to be checked and verified by a person before being used or published. AI bias – Studies have proven that AI results can still be bias. As all the data fed into it is all based on existing information, it still presents the issue of a lack of information from underrepresented groups, or existing bias based on existing data. Time sensitivity – Not all AI use live data sets. Google Bard does, however Chat GPT is only accurate up until 2021. So double check whichever tool you're using to make sure the information it produces is up-to-date. Plagiarism – Data gathered using AI came from somewhere! If you simply copy and paste information provided by AI platforms, there's a chance you may be plagiarising existing content. Be sure to just use AI as a starting point! Security risks – Use of AI can expose you to additional security risks, For example, malicious actors could send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim's emails. Data Poisoning – AI uses large data sets to train its models, and we currently rely on these data sets being relatively accurate. However, researchers have found that it's possible to poison data sets – so in future, AI may not be very reliable if preventative measures aren't put in place by AI developers. [17:45] How can ISO 42001 help business manage these risks? – Above all, it provides a structured approach to identify, assess, and mitigate AI risks. ISO 42001 includes the guidance needed to put this in place from the start to ensure you don't fall prey to the risks mentioned, with a view to monitor and update to address new risks in future. It promotes transparency and accountability throughout the AI life cycle. It helps ensure fairness, non-discrimination, and respect for human rights in AI development and deployment. It will help minimise potential legal and ethical liabilities associated with AI. The UK's current GDPR and Data Protection Act can loosely cover aspects of AI, depending on how the terminology is applied, but there are already dedicated AI based regulations being developed within the EU which will likely be adopted by the UK. It can foster innovation and accelerate adoption of responsible AI practices. And lastly, it provides a common language and framework for collaboration on AI projects. [21:35] Don't miss out on our ISO 42001 webinar – We're partnering with PJR to bring you a 2-part webinar series on ISO 42001. Catch the first part on the 5th March 2024 at 3pm GMT, register your interest here. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List