By Blackmores UK
Did you know that only a third of the emissions reductions required to achieve the country’s 2030 target are currently covered by credible plans?
As a result, we can expect to see more mandatory and voluntary regulations that require carbon emissions reporting to verify your ESG and net zero claims.
In this episode, Mel closes out the ESG Reporting Disclosures series by explaining what the Corporate Sustainability Due Diligence Directive (CSDDD) is, its key emissions reporting requirements, the verification requirements and who qualifies for CSDDD.
You’ll learn
· What is CSDDD?
· Key requirements of CSDDD
· Key emissions reporting requirements
· The emissions verification requirements for CSDDD
· Who qualifies for CSDDD?
· The likely impact of CSDDD
Resources
· Carbonology
· Carbonology LinkedIn
· Carbonology Instagram
· CSDDD
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:10] Episode summary: Mel closes out the series on ESG reporting requirements by diving into CSDDD.
[03:10] What is CSDDD? – The Corporate Sustainability Due Diligence Directive (CSDDD) is a new EU directive that promotes sustainable and responsible corporate behaviour in companies’ operations and across their global value chains.
Purpose: It aims to promote sustainable business practices, protect human rights, and address environmental challenges.
The CSDDD was adopted by the European Commission on the 23rd of February 2022 and approved by the Council of the European Union on the 24th of May 2024. The new rules ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe. The CSDDD is expected to start affecting companies from 2027 at the earliest once the directive has been transposed into national legislation.
[05:10] What are the key requirements of CSDDD?
· Human rights due diligence: Companies must identify, prevent, and mitigate adverse human rights impacts within their value chains.
· Environmental due diligence: They must assess and manage risks related to climate change, biodiversity loss, and pollution.
· Disclosure obligations: Companies must disclose their due diligence processes, findings, and any remedial actions taken.
[06:20] What are the Emissions Reporting Requirements? Under the CSDDD, companies are required to report on their greenhouse gas (GHG) emissions within a climate transition plan.
This includes considerations for Scope 1, 2 and 3. These were explained in more detail in a previous episode on CSRD, so go check that out if you want to learn more about the individual scope requirements.
What if you fit the requirements of both CSRD and CSDDD, do you have to double report on emissions? In short – No!
The climate transition plan required by the CSDDD will be reported within CSRD reporting, as organisations just need to adhere to the CSDDD’s implementation requirements for the transition plan.
[10:10] What are the Emissions Verification Requirements? More definitive guidance on verification requirements is expected closer to 2027. Companies will more than likely need to verify the emissions data reported through CSDDD, as the directive mandates a climate change transition plan that aligns with the Corporate Sustainability Reporting Directive (CSRD), which does require companies to verify their emissions data.
[09:55] Who qualifies for CSDDD? The Corporate Sustainability Due Diligence Directive (CSDDD) applies to both EU and non-EU companies depending on their workforce size and revenue:
EU and non-EU companies (or the ultimate parent company of a group):
· With more than 1,000 employees and a global net turnover of at least €450 million in the last fiscal year; or
· Which have franchising or licensing agreements in the EU in return for royalties with more than €22.5 million generated by royalties in the EU and have a net worldwide turnover of over €80 million in the last financial year.
[11:10] What is the possible impact of this new directive? Similar to the other ESG disclosures I’ve covered over the past few weeks in this series on reporting disclosures, the CSDDD will have three key impacts:
· Increased transparency: This directive will provide stakeholders with a clearer picture of companies' sustainability efforts, to combat greenwashing.
· Enhanced accountability: Companies will be held accountable for their environmental and social performance.
· Stimulation of sustainable business practices: The directive will encourage companies to adopt more sustainable practices, including regular reporting.
If you would like to learn more about CSDDD or inquire about the related course, please get in touch with Carbonology.
We’d love to hear your views and comments about the ISO Show, here’s how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
2030 is fast approaching and we’re already falling behind on our Net Zero targets, which will take a coordinated collective effort to get back on track.
As a result, businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets.
This has led to an increase in both mandatory and voluntary regulations that require carbon emissions reporting to verify your net zero claims.
In this episode, Mel continues the ESG Reporting Disclosures series by explaining what the Corporate Sustainability Reporting Directive (CSRD) is, how it affects your emissions reporting, the verification requirements and who qualifies for CSRD.
You’ll learn
· What is CSRD?
· How will the CSRD affect your Emissions Reporting?
· What are the emissions verification requirements for CSRD?
· Who qualifies for CSRD?
Resources
· Carbonology
· Carbonology LinkedIn
· Carbonology Instagram
· CSRD
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into Corporate Sustainability Reporting Directive (CSRD).
[02:55] What is CSRD? – The Corporate Sustainability Reporting Directive (CSRD) is a new EU directive that modernises and strengthens the rules concerning the social and environmental information that companies have to report. It revises the 2014 Non-Financial Reporting Directive (NFRD), extends the scope of covered companies, and strengthens the reporting requirements.
The CSRD was formally adopted by the European Council on 28 November 2022.
The directive is transforming ESG reporting and will start affecting almost 50,000 companies from 2024 by expanding the scope to include all large companies, all companies listed on regulated markets, and non-EU companies with substantial activities in the EU. This includes non-EU companies with subsidiaries operating within the EU or those listed on EU regulated markets.
Many companies located both within and outside the EU will be affected during the CSRD’s phase-in period beginning in fiscal year 2024.
[05:10] How will the CSRD affect your Emissions Reporting? Under the CSRD, companies are required to report on their greenhouse gas (GHG) emissions. This includes:
· Scope 1 Emissions: Direct emissions from owned or controlled sources. For example, emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc.
· Scope 2 Emissions: Indirect emissions from the generation of purchased energy. This includes emissions from the production of electricity, steam, heating, and cooling consumed by the company.
· Significant Scope 3 Emissions: Other indirect emissions that occur in a company’s value chain. Companies are required to report on significant Scope 3 sources. This could include emissions from business travel, employee commuting, waste disposal, etc.
[07:10] What are the Emissions Verification Requirements? Under the CSRD, companies are required to have their reported GHG emissions data verified by an independent third party. The verification process ensures the accuracy and reliability of the reported information.
Verification options for CSRD include:
· Independent Verification: Companies must engage an accredited third-party verifier to audit and confirm the accuracy of their GHG emissions reports.
· Verification Standards: The verification must be conducted in accordance with recognised international standards, such as ISO 14064-3.
· Assurance Levels: The verification should provide a reasonable level of assurance that the emissions data is accurate and complete.
· Frequency of Verification: Verification is required on an annual basis to ensure ongoing accuracy and compliance with the CSRD.
[10:10] Who qualifies for CSRD? The Corporate Sustainability Reporting Directive (CSRD) applies to a broad range of companies based on the following criteria:
1) Companies listed on regulated markets in the EU (excluding listed micro-enterprises).
2) Large companies, classified as those meeting at least two of the following three conditions:
· More than 250 employees.
· A turnover of over €40 million.
· Over €20 million in total assets.
3) Listed Small and Medium-sized Enterprises (SMEs), although there will be a transitional period when SMEs can opt out until 2028.
4) Non-EU companies with a net turnover of €150 million in the EU, and with at least one subsidiary or branch in the union.
If you would like to learn more about CSRD or inquire about the related course, please get in touch with Carbonology.
Businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets.
As a result, we’re seeing an increase in both mandatory and voluntary regulations that require carbon emissions reporting to verify your net zero claims.
In this episode, Mel continues the ESG Reporting Disclosures series by explaining what The International Sustainability Standards Board Climate-related Disclosures (ISSB S2) are, the emissions reporting and verification requirements and who qualifies for ISSB S2.
You’ll learn
· What is ISSB S2?
· What is the scope of ISSB S2?
· What are the emissions reporting requirements for ISSB S2?
· Emissions verification requirements
· Who qualifies for ISSB S2?
Resources
· Carbonology
· ISSB S2
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into The International Sustainability Standards Board Climate-related Disclosures (ISSB S2).
[03:20] What is ISSB S2? – The International Sustainability Standards Board Climate-related Disclosures (ISSB S2) is a new global standard that mandates entities to provide comprehensive information about climate-related risks and opportunities.
The ISSB S2 was issued by the International Sustainability Standards Board on the 26th of June 2023 and is effective for annual reporting periods beginning on or after the 1st January 2024. The new standard ensures that companies disclose physical and transition risks and their potential impact on the move towards a low carbon economy.
[04:20] Further learning with Carbonology: Carbonology have created a half-day course which walks you through all of the various carbon reporting disclosures and sustainability disclosure reporting requirements.
If you would like to learn more, get in touch with Carbonology.
[07:00] What does ‘Acute and Chronic Physical risks’ mean in the context of ISSB S2? Climate related physical risks are risks resulting from climate change that could be event driven, so an example of an acute physical risk could arise from weather related events like storms, floods and heatwaves, which are increasing in frequency.
These could have a knock-on effect to businesses, taking a heat wave as the example, you will need to consider:
· Can your IT systems and datacentres cope with it?
· Have you got resilience built in to your operations to be able to deal with that sort of disruption to your organisation?
Chronic physical risks arise from longer term shifts in climatic patterns, including changes in precipitation and temperature, which could lead to sea level rises and reduced water availability and changes in soil productivity.
These risks could carry a weighty financial burden either through direct damage to assets, or indirectly through supply chain disruption.
[09:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[11:43] What does ‘Transition risk’ mean in the context of ISSB S2? This is looking for a climate related transition plan, which should include targets, actions and resources for the transition towards a lower carbon economy.
This would include actions such as reducing greenhouse gas emissions.
[12:30] What is the scope of ISSB S2? This Standard applies to:
· climate-related risks to which the organisation is exposed, which are: (i) climate-related physical risks; and (ii) climate-related transition risks; and
· climate-related opportunities available to the entity.
Climate-related risks and opportunities that could not reasonably be expected to affect an organisation’s prospects are outside the scope of this Standard.
The Standard covers:
· Governance
· Strategy
· Climate related risks and opportunities
· Business Model and Value Chain
· Financial position, financial performance and cash flows
· Climate resilience
· Risk Management
[14:10] What are the emissions reporting requirements for ISSB S2? - Under ISSB S2, companies are required to measure and disclose their greenhouse gas (GHG) emissions across three scopes:
· Scope 1 Emissions: Direct emissions from owned or controlled sources. For example, emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc.
· Scope 2 Emissions: Indirect emissions from the generation of purchased energy. This includes emissions from the production of electricity, steam, heating, and cooling consumed by the company.
· Scope 3 greenhouse gas emissions: Indirect greenhouse gas emissions (not included in Scope 2 greenhouse gas emissions) that occur in the value chain of an entity, including both upstream and downstream emissions. Scope 3 greenhouse gas emissions include the Scope 3 categories in the Greenhouse Gas Protocol Corporate Value Chain (Scope 3) Accounting and Reporting Standard (2011).
[16:20] Emissions verification requirements - Under ISSB S2, companies are required to have their reported greenhouse gas (GHG) emissions data verified.
Verification can provide users of financial reports confidence that the information is complete, neutral and accurate.
Disclosure of Scope 3 greenhouse gas emissions must also include information about the measurement approach, inputs and assumptions used.
[18:30] Who qualifies for ISSB S2? - ISSB S2 applies to all entities that are required by law, regulation, or administrative provision to prepare financial statements. This includes, but is not limited to:
· Publicly listed companies
· Large private companies
· Financial institutions such as banks and insurance companies
· State-owned enterprises
Entities are encouraged to adopt the ISSB S2 voluntarily, even if they are not mandated by law or regulation. Early adoption is permitted and encouraged to enhance transparency and accountability in climate-related disclosures.
If you would like some help with your carbon emissions reporting, please get in touch with Carbonology.
As the urgency to address the climate emergency heightens, businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets.
As a result, there is an increase in regulations to ensure that companies are taking the climate emergency seriously and not pay lip service to climate action.
During September, we’ll be taking a look at a few of the latest regulations that may affect your organisation, including:
· SECR – Streamlined Energy and Carbon Reporting
· ISSB S2 - International Sustainability Standards Board Climate related disclosures
· CSRD - Corporate Sustainability Reporting Directive
· CSDDD - Corporate Sustainability Due Diligence Directive
In this episode, Mel Blackmore breaks down what Streamlined Energy and Carbon Reporting (SECR) is, its reporting requirements, its qualifiers and how it can work in tandem with other carbon management initiatives.
You’ll learn
· How do these regulations relate to ESG reporting?
· What is Streamlined Energy and Carbon Reporting?
· What are the SECR Emissions Reporting Requirements?
· Who qualifies for SECR?
· How can SECR work with other carbon management initiatives?
Resources
· Carbonology
· SECR
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into Streamlined Energy and Carbon Reporting (SECR).
[03:20] How do these regulations relate to ESG reporting? – ESG requirements include a commitment to sustainability and to reducing your overall impact. All of these regulations contribute towards an organisation’s ESG reporting requirements, as they require tangible proof to back up your ESG claims.
They will require you to provide comprehensive emissions reporting, the level of detail of which will depend on the specific applicable regulation.
[04:05] Future content to look forward to: During September Mel will look at involuntary emissions reporting schemes, but in October she will be looking into the voluntary schemes that many are already adopting as part of their Stakeholder requirements.
This will include:
· CDP (Carbon Disclosure Project)
· EcoVadis
[05:50] What are the SECR Emissions Reporting Requirements? SECR has been around since April 2019, and was originally introduced to replace the Carbon Reduction Commitment Scheme.
This is a mandatory scheme, so it is a legal requirement for those that meet its criteria. For those that are familiar with ESOS (the Energy Savings Opportunity Scheme), it functions in a very similar way.
This scheme isn’t solely focused on reporting energy usage and carbon emissions; it also looks for organisations to report on the efficiency measures undertaken on an annual basis, which is reflected in the financial reporting that you will also have to submit.
It’s important to note that SECR has specific requirements for the disclosure of greenhouse gas (GHG) emissions and energy consumption. Emission reporting requirements vary slightly between quoted companies and large unquoted companies and LLPs.
For quoted Companies:
· Global Scope 1 and 2 GHG emissions must be reported. Scope 3 emissions reporting is strongly recommended but voluntary.
For large unquoted companies and LLPs:
· UK based Scope 1 and Scope 2 emissions and associated energy consumption. Scope 3 emissions from the combustion of fuel in vehicles or equipment not owned by the company.
[10:10] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[12:05] Who qualifies for SECR? All UK Quoted Companies: Any company that has shares listed on the UK Stock Exchange is required to comply with SECR.
Large Unquoted Companies and Large LLPs: These are companies and Limited Liability Partnerships (LLPs) that are not listed on the UK Stock Exchange but meet two or more of the following criteria:
· Turnover: More than £36 million per annum.
· Balance Sheet Total: More than £18 million.
· Number of Employees: 250 or more employees.
These criteria ensure that the SECR framework targets large organisations that have a significant impact on the UK’s energy consumption and carbon emissions. By complying with SECR, these organisations can contribute significantly to the UK’s sustainability goals.
[14:10] When is the SECR disclosure made? SECR reporting must occur alongside financial reporting, being included within annual reports and Directors’ Reports, which are then filed with Companies House.
[14:30] The importance of Accurate SECR Reporting and Carbon Reduction - The reporting process can unlock valuable insights and opportunities for operational improvements, leading to enhanced energy efficiency and reduced carbon emissions over time.
Demonstrating your organisation’s commitment to energy efficiency and carbon reduction can enhance brand perception and foster positive relationships with stakeholders, including investors, clients, and regulators.
[16:05] Integrating SECR Reporting with Other Carbon Management Initiatives - You are missing a trick if you’re keeping your SECR reporting separate from the rest of your business activities. It should be included as part of your sustainability umbrella, and can be invaluable if you’re going for other reporting requirements such as EcoVadis and CSRD.
There’s no need to reinvent the wheel if you already have something like an Environmental Management System in place, simply weave the additional requirements in with your usual annual maintenance. Established systems will already be adhered to across the business, meaning any new requirements will soon become business as usual.
You could incorporate this as part of your Net Zero strategy, or Carbon Reduction Plan if PPN 06/21 is one of your reporting requirements. You could also incorporate this into your supply chain emissions reporting.
If you would like some help with SECR, please get in touch with Carbonology.
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached.
It has become clear in recent years that information security isn’t just a ‘nice to have’; it’s a necessity to ensure that your data and your clients’ data are protected. This is especially the case for those processing personal and financial data, such as today’s guest, Mintago.
In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard.
You’ll learn
· Who are Mintago?
· Who is Tom Catnach?
· What was the main driver behind achieving ISO 27001?
· What was the biggest ‘gap’ identified in the Gap Analysis?
· What have they learned from the experience?
· What are the benefits of certification to ISO 27001?
· What does the threat horizon for information security look like?
Resources
· Mintago
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.
[02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including:
· Finding lost pension pots
· Help to save money through finding discounts
· Retirement planning
· Offering various salary sacrifice products
· Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings
· Helping people to be more financially literate
[05:10] Who is Tom Catnach? Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer.
Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001.
Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights.
[06:30] What was Mintago’s main driver to implement ISO 27001? Mintago, like most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure its security.
Mintago were looking for a robust framework to base their Information Security around, and what better option than the leading Information Security Standard, ISO 27001.
ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training etc. to roll out to new hires as they expand.
[08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data.
ISO 27001 can be compared to the likes of B Corp as it’s an ongoing process. It doesn’t just stop at getting the certificate; you have annual surveillance to ensure you are still compliant year on year.
[10:15] What was the scope of Mintago’s certification? For the initial implementation, Mintago opted to just scope in Product and Customer Service.
This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification.
That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they’re ready.
[11:50] How long was Mintago’s certification journey? They started their journey in September 2023; in fact it was Tom’s first project with Mintago!
Mintago enlisted Blackmores’ help to implement ISO 27001, and after nine months they have been successfully certified.
Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while you’re agile so that your management system grows with you.
[14:25] What was the biggest ‘gap’ identified at the Gap Analysis? Mintago are lucky in the fact that they are a new business so are using modern tech, and don’t have the burden of a larger site or other physical elements such as rack-mounted servers.
However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance.
There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.
[16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to.
One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management (MDM) solution, antivirus and anti-phishing in place.
When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritise bigger potential clients, and so it took a while to finally get all the required software.
[18:45] Engagement is key - Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security.
Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This benefited from a top-down initiative via their ‘C-Suite’.
Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in.
It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.
[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? - The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as:
· How do we recover from that scenario?
· Are we 100% confident in our back-ups?
· Will they work near instantaneously?
· What’s Mintago’s availability like in that scenario?
· How do we prevent disruption to our clients during that scenario?
So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system.
In regard to threat horizons, Mintago follow OWASP guidance and keep the team informed via e-mail, newsletters and GitHub repositories.
[25:00] Internal Auditing – A beneficial tool - Tom found the internal auditing process to be very beneficial for Mintago; they currently carry out a few internal audits each month on average.
Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified.
Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.
[27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true!
If an Assessor is comfortable that you are in a good position for certification, they will recommend you.
ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits.
[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:
Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced its core qualities to the benefit of their own Information Security practices.
Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.
Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.
[31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI-led scams. They’re going to be a lot more sophisticated and harder to spot and deal with.
Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident.
However, with ISO 27001 Mintago are in a good place to keep on top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.
[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place.
If you would like to learn more about Mintago and their financial services, check out their website.
We’d love to hear your views and comments about the ISO Show, here’s how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Greenhouse Gas (GHG) accounting has become increasingly important in recent years due to the demand for more environmental accountability.
Whether by choice or due to legislation or mandatory Government-led schemes, organisations need to be able to effectively calculate their current impact before they can take the right steps to reduce and offset the remaining emissions.
There are a lot of different routes to take, and some may look so similar that you have to squint to see a difference.
In this episode, Mel Blackmore breaks down the similarities and differences between the leading GHG emission reporting frameworks, ISO 14064-1 and the GHG Protocol Corporate Standard.
You’ll learn
· What are the 2 leading GHG accounting frameworks?
· What are the similarities between the GHG Protocol and ISO 14064?
· What are the differences between the GHG Protocol and ISO 14064?
· Reporting on indirect emissions
· Choosing the right framework
· How can the GHG Protocol and ISO 14064 complement each other?
Resources
· Carbonology
In this episode, we talk about:
[02:30] Episode summary: Mel will look at the similarities and differences between the 2 leading GHG emissions reporting frameworks, the GHG Protocol and ISO 14064-1:2018.
[02:20] What are the 2 leading GHG accounting frameworks? – Greenhouse gas (GHG) accounting has become increasingly important for organisations seeking to manage their environmental impact and contribute to climate change mitigation efforts. Two prominent frameworks guide this process: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.
Climate change concerns necessitate robust methodologies for quantifying and reporting organisational GHG emissions. Standardised frameworks offer a transparent and reliable approach for organisations to measure their impact and contribute to environmental sustainability goals. This article examines two leading frameworks: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.
[06:10] What are the similarities between the GHG Protocol and ISO 14064? – GHG Scope Definition: Both frameworks categorise emissions into three scopes: Scope 1 (direct emissions from owned or controlled sources), Scope 2 (indirect emissions from purchased electricity, heat, or steam), and Scope 3 (other indirect emissions throughout the value chain).
In general, the GHG emissions covered in the GHG Protocol Corporate Standard conform to ISO 14064-1 if significant Scope 3 GHG emissions and GHG removals are both considered.
Quantification Principles: Both emphasize the importance of accuracy, completeness, consistency, transparency, and relevance when quantifying emissions.
GHG Reporting Boundaries: Both require clear definition of the organisational boundaries for which emissions are quantified.
GHG Inventory: Both frameworks guide the development of a GHG inventory, a comprehensive record of all organisational emissions.
[09:15] What are the differences between the GHG Protocol and ISO 14064? – Focus: ISO 14064-1 is a more procedural framework, outlining the steps for quantifying, reporting, and verifying GHG emissions. The GHG Protocol, on the other hand, offers detailed guidance on calculating emissions for various activities and sectors but lacks formal verification requirements.
Level of Detail: The GHG Protocol provides a more comprehensive and detailed approach, including calculation methods, guidance on emission factors, and best practices. ISO 14064-1 offers a less prescriptive approach, allowing organisations to choose calculation methodologies based on their specific needs.
Avoided GHG Emissions: The concept of avoided GHG emissions is not addressed in ISO 14064-1. However, the GHG Protocol Corporate Standard addresses the quantification of avoided emissions, which are required to be reported separately.
Verification: Verification by a third-party verifier is optional under the GHG Protocol but mandatory for organisations seeking public disclosure or certification under ISO 14064-1. Verification enhances the credibility and reliability of reported emissions data; this could be for schemes like EcoVadis.
Value Chain Emissions: While both frameworks acknowledge Scope 3 emissions, the GHG Protocol offers a dedicated standard - the Corporate Value Chain (Scope 3) Standard - providing specific guidance on quantifying these emissions.
Addressing GHG Emissions and Removals: ISO 14064-1 clearly addresses GHG emissions and removals for each category, so removals are an inherent part of the GHG quantification. The guidance in the GHG Protocol is not as clear but allows for the reporting of removals separately from GHG emissions.
[13:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[17:05] Reporting on indirect emissions: The main challenge for organisations is the reporting of indirect emissions (Scope 3), often leading to confusion based on a lack of clarity and understanding of how granular the data needs to be, combined with challenges extracting data from third-parties.
ISO 14064-1 is very clear regarding which Scope 3 emissions are to be included, whereas the GHG Protocol standard may be viewed as more open to interpretation.
In contrast, GHG Protocol standards require the inclusion of Scope 2 (indirect emissions from purchased energy); the inclusion of other indirect GHG emissions under Scope 3 is optional.
The GHG Protocol standard is referred to in various GHG reporting and disclosure initiatives whose requirements for the reporting of Scope 3 emissions vary, whereas ISO 14064-1 has been created and approved by representatives from 61 nations to determine a specification for Scope 3 emissions reporting.
[20:30] Choosing the right Framework: The choice between ISO 14064-1 and the GHG Protocol depends on an organisation's specific needs and goals. Here are some considerations:
· Is there a need for Verification? i.e. is it a mandatory requirement?
· What level of detail is required? If a detailed approach with extensive calculation guidance is preferred, the GHG Protocol might be more suitable.
· Resource availability – Do you have the resource to do this yourself or will you need a helping hand?
· Disclosure reporting requirements – check what you need to comply with as this could determine which framework you use.
[23:30] How can the GHG Protocol and ISO 14064 complement each other? - This podcast may have you thinking that it has to be one or the other, but in actuality the two frameworks can be used together effectively. Organisations can utilise the GHG Protocol's detailed guidance to develop their GHG inventory and then follow ISO 14064-1's process for verification and reporting.
If you would like some help with GHG reporting or Verification, please get in touch with Carbonology.
ESG is a very broad topic to try and address for any organisation, leaving many scratching their heads on where to start with ESG reporting.
Currently, there is no official certification for ESG, however there are a number of schemes that will give you either a score or rating for your level of compliance against their requirements.
For those currently working towards one of these schemes, you may already have a solid foundation in place if you’re certified to one or many ISO Standards.
In this episode, Ian Battersby and Ali Henshaw discuss ESG compliance and how elements of an ISO Management system can help with ESG reporting.
You’ll learn
· What is ESG?
· Is ESG reporting required?
· Is ESG a nice to have or good solid business practice?
· Is ESG certifiable?
· How can ISO Standards help to address the 3 pillars of ESG?
· How ESG compliance helps to combat Greenwashing
Resources
· Isologyhub
· ESG Audit
In this episode, we talk about:
[02:00] Episode summary: Ian and Ali will be discussing how ISO Standards can help with ESG reporting.
[02:20] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements help organisations to consider different areas within their overall sustainability profile.
The Environmental section looks at issues surrounding climate change and actions to address an organisation’s environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact.
The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work.
[05:00] The pillars of ESG aren’t silos – You shouldn’t approach each pillar of ESG in isolation, as they cross over in a lot of areas.
For example, in environmental management you may manage hazardous substances, you’ll have a duty to ensure those substances don’t pollute the surrounding area or bodies of water. However, you will also need to consider the health and safety aspect of storing and working with that material. So already you have 1 issue that crosses both the Environmental and Social pillar of ESG.
[05:50] What does the Governance pillar cover? – Governance criteria focuses on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management.
[07:05] What types of ESG reporting are required? – For small organisations, there is currently no set requirement as it stands, but you may encounter stakeholder or customer requirements that encourage ESG reporting on some level.
For larger organisations at certain sizes there are mandatory reporting frameworks that you will be required to fulfill. At the moment it’s quite sector specific but this is a trend that will only increase over time.
Like with anything new, this is likely to trickle down to smaller organisations over time, however there will likely be funding and grants available to assist when that time comes.
[08:25] Is ESG a nice to have or good solid business practice? If you want to be a sustainable business, with good legacy that has the ability to grow and develop, ESG is a fantastic tool.
Investors are now looking for sustainable businesses; it’s become a market trend for an ever more environmentally conscious consumer base. You either need to move with the times or get left behind, and sustainability is one key factor that will determine which of those categories you fall into.
[09:50] Which ISO Standards can support ESG?: From a holistic point of view, the structure of ISO Standards, the Plan-Do-Check-Act (PDCA) cycle, the need for monitoring and measurement and the need for improvement support the principles of ESG in terms of quantifiable results.
The additional aspect of having set objectives and proof of tangible improvement actions was something that fulfilled CSR (Corporate Social Responsibility), which in turn has been superseded by ESG.
ISO Standards’ high-level structure and life cycle approach lend themselves to supporting various aspects of ESG, depending on the Standard you implement.
ISO 14001 for example, would support the environmental pillar, as it looks at your significant aspects and impacts in addition to that of your supply chain. You’ll need to factor these into your objectives and overall business strategy.
ISO 45001 would tackle elements of the social pillar as it directly addresses the well-being of your employees. It also includes a clause for the consultation and participation of workers, so you work directly with employees to identify and address risks that may be missed by management.
[13:40] Is there a certifiable Standard for ESG?: Not currently, but an ISO guidance document is in the works.
Standards that address core elements of ESG include ISO 26000 (Social Accountability) and ISO 20400 (Sustainable Procurement). Again, these aren’t certifiable, but provide invaluable guidance.
Guidance documents have the advantage of letting you be selective about which elements you decide to adopt. The ESG one in development is a good example: ESG as a topic is huge, and a smaller organisation may not realistically be able to implement all of the advice.
But, it can be used as a starting point for a materiality assessment that will allow you to be selective of the core subjects you apply to your business.
The idea of guidance documents is not to be a bolt on, as those quickly get forgotten. It’s all about embedding their elements into existing processes.
[17:10] Utilising elements of ISO Implementation for ESG reporting: If you’ve already got an ISO Management System in place, i.e. ISO 14001 or ISO 45001, then you’ll already have objectives, processes and monitoring & measurement in place to address those elements.
ISO 26000 is another good example as it covers a wide range of topics, including human rights, labour practices, the environment, community involvement and development, consumer issues and fair operating practices. Some may not be applicable to you, but as mentioned, it’s a guidance document so you have the freedom to be selective about the aspects you incorporate into your management system.
You need to decide what really applies to you. It’s better to prioritise and take 10 steps on one subject vs 1 on 10 subjects.
[20:25] ESG isn’t a once a year activity: There’s no tick box exercise that you can do once a year and claim compliance; ESG is an ongoing endeavour for as long as your business is running. It’s a way of operating, much like ISO Standards. It will develop and grow with your business.
[23:36] Will elements of ESG become certifiable down the line? We’ll never say never! It’s still very much a developing field. There is currently a framework being developed by the International Standards Organisation, it’s currently in draft form.
Ali herself is on the commenting committee for its development, and can confirm that the framework is looking at the links between certifiable Standards and their tangible application.
ISO Standards require third-party verification of your claims before getting certified. In that aspect, they’re the perfect tool to provide tangible proof that you are doing what you say you’re doing, but only in select aspects.
ESG is broad, almost too broad to certify. It’s not really feasible for one person to come in and assess a whole business like they would do for an ISO Assessment, there’s simply too much to cover!
[25:00] The trouble with ESG verification: Currently there are a lot of voluntary schemes that you can report against and fulfil, but they are very sector specific, because a general one would be too broad and would likely not cover every aspect applicable to every business.
Schemes out there are doing something to battle greenwashing, as the environmental aspects are easier to verify, however social aspects are a lot more tricky and can get even more complicated outside of the UK where there is no HSE annual reporting available.
[26:20] How can you support the Social aspect of ESG?: Measuring your social value can be difficult; many think of education as the solution. Here are some ideas to consider:
· Working with local schools – Improvement projects driven by Student run business studies
· Work experience
· Charitable work – allow staff to have a charity day as part of a benefits package
[28:10] How can we prevent the greenwashing of ESG compliance?: Government Bodies are working to tackle this. It’s being built into legislation to prevent greenwashing in future where self-policing hasn’t gone far enough.
Trade Associations are also pushing their members towards more legitimate frameworks to ensure they do remain accountable and transparent about their activities in relation to ESG compliance.
[30:00] What resources do Blackmores have to help? We’ve developed an ESG Gap Analysis, based on the guidance provided in ISO 26000 Social Accountability.
This ESG Gap Analysis will highlight where you’re already compliant and where there is work to be done.
You may be surprised to see that you’re more compliant than you think! Especially if you’re certified to one or many ISO Standards.
We also have a Materiality Assessment, which will help you to determine which topics are of importance to your business and your stakeholders.
You can take the findings from both to help develop your ESG Strategy. If you’re not mandated to do any reporting, you can leave it at that. However, you may want to consider sector specific frameworks to get ahead of the curve for when elements of ESG do become mandated down the line.
[36:00] Where should you start with tackling ESG using ISO Standards? If you’re certified to one or many ISO Standards, then you will have processes in place that can support an ESG initiative or strategy, and you can make it as big or as small as you want.
Start by looking at your environmental, social and governance impacts and work to embed ESG into your existing ISO Management System before they become mandated by stakeholders and legislation – being ahead also feeds into the principles behind social responsibility.
You're embedding a culture, and it becomes a norm which can be developed further. Then, when legislation or customer requirements come in, you’re already prepared to answer.
Also, with ESG there is a focus on people and you can't have a successful business without good people. ESG isn’t only attractive to your customers, but also to potential employees who will want to work for ethical, sustainable businesses. If you aren’t keeping up and fulfilling that, you will struggle to find new talent.
It also goes without saying that being ESG compliant will attract consumers. Greenwashing, as frustrating as it is, exists for a reason - because people want businesses to be sustainable. People wouldn't lie about it if it wasn't important to someone, so stand out by beating the greenwashing allegations and take the right steps towards tackling ESG.
If you’d like to book a demo for the isologyhub, or would like help with an ESG Gap Analysis, simply contact us and we’d be happy to give you a tour.
In July 2024, a logic error in an update for CrowdStrike’s Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all affected machines took weeks to complete.
Many businesses were caught up in the disruption, whether this affected them directly or by proxy through affected suppliers. So, what can businesses learn from this?
Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.
You’ll learn
· What happened following the CrowdStrike crash?
· How long did it take businesses to recover?
· Which ISO management system standards would this impact?
· How can you use your Management System to address the effects of an IT incident?
· How would this change your understanding of the needs and expectations of interested parties?
· How do risk assessments factor in where IT incidents are concerned?
Resources
· Isologyhub
· ISO 22301 Business Continuity
In this episode, we talk about:
[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management system and business continuity lessons learned that you can apply ahead of any potential future incidents.
[03:00] What happened following the CrowdStrike crash? – In short, an update to CrowdStrike’s Falcon software brought down computer systems globally.
8.5 million Windows systems, which in reality is less than 1% of Windows systems, were affected as a result of this error.
Even so, the damage was felt across key pillars of our societal infrastructure, with a lot of hospitals and transportation such as trains and airlines being the worst affected.
[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn’t mean that computers affected would be automatically fixed.
In many cases applying the fix meant that engineers had to go on site to many different locations which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem.
So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve as not everyone has IT or tech support in the field to issue a manual reboot.
A lot of businesses were caught out as they don’t factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).
[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:
· What systems do you use?
· How reliable are the third-party applications that you use?
· If an issue like this were to recur, how would it affect us?
· Do we have the necessary resource to fix it? i.e. staff on site if needed?
Third parties will have a lot of clients, and some may even prioritise those that pay for a premium package, so you can’t always count on them for a quick fix.
[09:10] How does this impact our businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can’t afford to say ‘We don’t use CrowdStrike, therefore it did not impact us’ – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies.
Standards that were directly affected by the outage were:
· ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
· ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
· ISO 20000-1 – IT Service Management; Risk Assessment of service delivery; Service continuity; Service Availability
Remember, our management systems should reflect reality and not aspiration.
[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company’s system for capturing non-conformities or continual improvement.
You could liken this to how ISO 45001 requires you to report accidents and incidents.
From the Incident a plan can be created which should include changes to be considered or made to the management system.
The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made.
We are directed in all standards to ‘Understanding the organisation and its context’.
The key requirement here is to determine the internal and external issues that can impact your management system, and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE; the CrowdStrike/Microsoft Outage should be included in this analysis as a threat and/or Technical issue.
[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they’re delivering.
So you could send them an e-mail to ask how they have dealt with the issue, what actions did they take and how long did it take to fully restore services.
This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans.
Many people still think of that requirement only in relation to goods and products, i.e. has my order been delivered etc. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it’s being delivered.
[19:50] Once you have established lessons learnt, what’s next? – The Standards provide a logical path to work through.
One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result.
Do not simply put the sole blame on the third party from which an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault.
One such finding may be your lack of business continuity plans, in which case, looking at implementing aspects of ISO 22301 may be an action to consider.
It’s also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted.
If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.
[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn’t just be a one time thing. You should be addressing these after incidents and any major changes within the business.
Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level.
If you’d like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.
[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? - How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
· Risk Assessment
· BIA for BCP
· Recovery Plans
· DR plans
· Service Continuity
[27:50] What should you be considering with your risk assessments? - Risk Assessments, if they follow the traditional methodology, will have Likelihood and Impact/Severity scores, and in the light of this outage, or any event, the likelihood and impact scores should be updated.
If a company has set the likelihood as ‘once every 5 years’ it should seriously consider changing this to ‘once every 6 months’ or 'once every year’ to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years’.
The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover – talk to finance and other departments to understand the cost and change the scoring accordingly.
[33:20] Why should a business carry out a risk assessment as part of lessons learnt? - Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘consequences of unintended changes’, and it could be argued that an outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change’ that led to consequences in many businesses.
So, use your risk assessments as live tools to report on the reality facing the organisation.
Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective.
If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed.
Remember - your management system should reflect reality and not aspiration.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
We’d love to hear your views and comments about the ISO Show, here’s how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Continual Improvement is at the heart of every ISO Standard.
The cyclical nature of ISO Standards lends itself to regular review and update of your Management System, to ensure it’s working efficiently and to address any issues or opportunities that inevitably crop up.
However, integrating these improvements can be challenging, even for mature systems.
Today Ian Battersby explains the concept of Improvement as defined in ISO Standards, how to find the root cause of non-conformities, and how to integrate improvement actions from multiple sources.
You’ll learn
· What is meant by ‘Improvement’ in ISO Standards?
· Common misconceptions about Improvement in ISO Standards
· How to address non-conformities in your Management System
· Finding the root cause of a non-conformity
· Integrating Improvement actions
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Ian Battersby will be explaining what Improvement means in relation to ISO Standards, how to address non-conformities, and how to integrate the required Improvement actions.
[02:30] What is meant by ‘Improvement’ in ISO Standards? – One of the requirements of all Management System standards is to determine and select opportunities for improvement (Clause 10). This is the fundamental aim of Management Systems: to make things better.
In the words of the standards, it is so that an organisation can:
“Implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the management system.”
An organisation going through certification for the first time may never have had a system in place for planning improvements. Some organisations are dealing with improvements, but not necessarily through a single, consistent route.
You can meet the requirements of the standards without a single route; the standard is not prescriptive about how you go about this.
[04:45] Common misconceptions about non-conformities – The standard does go on to cover nonconformity and corrective action (10.2), so it is suggesting these as the main source of non-conformities (NCs). It isn’t really explicit about other sources, other than specifically including customer complaints as a form of NC.
However, there’s a strong argument for consolidating data from different sources, so it’s worth considering how complaints data is handled. Other sources of non-conformities can include your Internal Audit findings, places where you may not be meeting client expectations, failures to meet legal obligations, etc.
As a reminder, ISO 9000 (Fundamentals and vocabulary) includes the definition of nonconformity: non-fulfilment of a requirement, where a requirement is a need or expectation that is stated, generally implied or obligatory, i.e. a legal or client expectation.
[10:00] Addressing non-conformities – You need to evaluate the need for action to eliminate the cause of the nonconformity, to ensure that the issue doesn’t recur, or pop up elsewhere.
When a non-conformity does occur, you need to:
· Determine the causes;
· Determine whether similar nonconformities exist, or could potentially occur.
Any corrective actions should be appropriate to the effects of the nonconformities encountered.
So, you don’t need to commit a huge amount of resource to minor issues.
[11:40] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[13:40] Finding the cause of non-conformities – Without removing the cause, repetition may occur, and this is where integrating improvement data from multiple sources comes into its own.
The idea of common cause is that a single cause may manifest itself in very different outcomes. For example, a lack of competence could lead to a process being delivered wrongly, leading to a reduced level of quality in the service or product, which would be picked up as an NC.
Competence is an area which can also lead to NCs through a health & safety incident or environmental incident, if people aren’t trained to use equipment or follow set procedures.
It can also lead to a customer complaint where the failed process is apparent to a customer.
If a product NC isn’t spotted until after the product is delivered/in service, it could lead to a warranty claim,
or even a claim for damages should it lead to harm/loss to the customer.
It could lead to a regulatory breach, or even enforcement or legal action.
Some of these outcomes may not be apparent until they have impacted upon a customer or other interested party, so would not be recorded internally through a nonconformity system.
All this to say, finding the root cause will require looking in a lot of different places. Having a common methodology in place to address non-conformities, including considerations for different types of issues, makes life a lot easier.
[15:55] Integrating Improvements from multiple sources: There are many sources which can highlight opportunities for Improvement, including:
Internal Audit – This is a conformity assessment, so any gaps or issues identified will be NC’s that need addressing.
Surveillance Audit / Certification Audit – Your Certification Body will also be conducting a third-party conformity assessment, which may highlight something you’ve missed in your own internal audits.
Supply Chain Audit – Auditing your supply chain can also highlight NC’s that you can encourage them to address, both for your benefit and theirs.
Client Audit – You may be audited by clients, especially where there may be specific technical industry related issues.
Management Review – This is the perfect platform to identify Opportunities for Improvement. You can highlight NC trends from Internal Audits here and define if they need to be addressed separately. You will often have members of senior management present at a Management Review, so there is a greater chance for you to plan tangible actions to address issues, especially if they are business critical.
SWOT / PESTLE – This usually happens early on in the Implementation phase, but there’s no reason why you can’t repeat the exercise on an annual basis. This exercise directly identifies your risks and opportunities, both from internal and external sources. Get input from all levels of staff, as they may also shed light on potential NCs and opportunities that other departments may not even be aware of.
Accident reporting / Safety observations – Any incident should be viewed as an opportunity to improve. Some accidents are unavoidable, but many are a result of someone not following instructions, equipment being left unattended or in the wrong location, etc. Addressing these will help you to ensure a safer environment.
Site inspections – Just walking around your site can yield new insights. Ask other departments that may not visit your area to do a sweep and report any findings. Sometimes all you need is a fresh pair of eyes to highlight issues you’ve missed.
Complaint / Other customer feedback – Allow clients and stakeholders to have input.
Regulatory requirements – You may discover you are breaching a regulation, which needs to be addressed ASAP. Consider a legal register to keep track of all your legal and regulatory requirements.
Enforcement (HSE, EA, professional body) – You may have opportunities for improvement enforced by professional bodies such as the HSE or Environment Agency.
Management Action – Any management meetings should take opportunity suggestions from both management and the general workforce.
Product NCs – If you’re in the manufacturing industry, you likely already have a system in place for monitoring any product-related non-conformities. This process can be applied on a broader scale, as it embodies the same principles: identify the problem, find the root cause, address the root cause, and put preventative measures in place to stop recurrence.
In the workplace, everyone is responsible for safety.
Where legislation is concerned, it’s not just for managers or senior management to worry about; everyone from the top to the bottom needs to be actively ensuring the safety of others.
ISO 45001 highlights the importance of this in its most recent iteration, which includes a specific requirement for the consultation and participation of workers. But, how does this work in practice?
Today Ian Battersby explains what consultation and participation of workers in ISO 45001 is, and how you can incorporate elements of reactive and proactive hazard reporting to meet that requirement.
You’ll learn
· What is consultation and participation of workers in ISO 45001?
· What is the identification of hazards?
· What’s the difference between reactive and proactive hazard reporting?
· Common approaches to reactive and proactive hazard reporting
· Proactive hazard reporting in action
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Ian Battersby will be explaining reactive and proactive hazard reporting, and how this relates to the consultation and participation of workers (clause 5.4) requirement in ISO 45001.
[02:30] What is ‘Consultation and Participation of workers’? – ISO 45001’s clause 5.4 states:
“The organization must have a process for consultation and participation of workers at all levels and functions, and their representatives in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system.”
ISO 45001 expects occupational health and safety aspects to be fully embodied within the organisation structure. All workers should be aware of their responsibilities, and work together to meet the organisation’s health and safety goals.
Everyone is responsible for safety.
Consultation implies two-way communication, so workers can provide feedback to be considered by the organisation before taking a decision. This is important: the organisation has to consider workers’ feedback before making decisions.
Participation implies the contribution of workers, including non-managerial workers, to decision-making related to OH&S performance and to proposed changes.
[05:50] Hazard Identification – A specific issue which must be considered is the identification of hazards:
· Identifying hazards and assessing risks and opportunities (Clauses 6.1.1 and 6.1.2);
· Determining actions to eliminate hazards and reduce OH&S risks.
There are numerous sources for consideration when it comes to hazards:
· How work is organised
· Routine/non-routine activities
· Past incidents
· Emergency situations
· People
· Processes
· Workplace design
· Equipment
· Change
[07:35] What’s the difference between proactive and reactive hazard reporting? – Proactive is about spotting hazards in advance and putting in place measures to minimise the chances of them materialising and causing harm (e.g. through an accident).
Reactive is in response to an event which has already occurred, such as an accident; a hazard existed without being spotted already and dealt with.
[08:20] A common approach to proactive hazard reporting – Risk Assessment. Consider hazard sources (i.e. people, processes, equipment, workplace etc) and consider what may happen; what could go wrong. Then consider what controls could be put in place to try and prevent that happening.
Risk assessment can help you to demonstrate worker consultation and participation by including those affected:
· Involved in or affected by an activity
· Those delivering a process
· Using equipment
· Occupying a workplace
Those people have valuable knowledge and understanding, sometimes more so than someone in a supervisory / managerial role.
And an absolute must: recording that all employees have read, understand and are committed to the controls included in Risk Assessments. That process may also give rise to workers’ further involvement, through querying, suggesting change, etc.
This also helps the culture of hazard spotting and promotes engagement among the workforce, both of which are vital in driving a proactive approach.
[11:10] A common approach to reactive hazard reporting: Accident reporting systems are the obvious choice. However, there are ways you can make this more proactive.
There are various levels to accident reporting. Traditional systems wait until an accident occurs before recording and acting upon it.
Some organisations also record near misses: where an event has occurred, but no harm has been caused.
This approach in itself can be very valuable; and it provides an opportunity to act before any harm has occurred.
However, we can go a step further and allow the workforce to observe what’s happening; their surroundings and listen to what they feel may present a hazard to them and their colleagues (remember, everyone is responsible for safety).
[13:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[15:30] Proactive hazard reporting in action: Ian recounts his experience in a previous company where their proactive hazard reporting led to meaningful change.
This took place in a large manufacturing plant, but there was also significant office-based activity as well.
Because of the nature of the work, many people would not have access to online systems, so there were both online and paper systems. This is important: if everybody is responsible, everybody needs access, and engagement is vital.
In addition to the traditional accident/near miss system, there was a safety observation card (all data ended up in the same database). It was simple to fill out and would have taken only about 5 minutes at most.
In an organisation of 500ish, we received 2200 observation cards per year by the time I left.
When combined with accidents/incidents, there’s a predictable cycle: more reports, poor quality, more accidents, better quality, improved actions, fewer accidents.
[17:30] Creating an observation card: It should be easy to understand and record what’s necessary, recommended content includes:
· Date / Time
· Who was involved – employee / contractor / visitor etc.
· Location of hazard / incident
· Description of hazard / incident (ideally in 10 words or less)
You could get more granular and include:
· Identification of an unsafe condition or unsafe act
· Type of hazard or incident: slip, trip or fall / exit obstructed / machinery being used unsafely / unsafe structure / not using PPE
You could also include an option for actions taken: if you decided to inform a manager of the issue, if you corrected someone on the use of equipment or PPE, etc.
[21:15] The Importance of peer inspections: Often they would have supervisors from one area, checking a different one. This fresh pair of eyes may offer new insight into something that you usually miss!
Note that you should also encourage any site visitors to do the same. The fact that you’d ask them to report any incident also displays that you take safety seriously, and are open to feedback to improve.
[22:40] Hazard scoring: In order to judge the quality of observations, they went a step further and graded all observations from 1-3:
1. Saw something but didn’t act
2. Saw it, acted to put it safe there and then
3. Saw it, acted to prevent it happening again
This allowed them to judge how effective hazard spotting was at removing causes, and it filtered out points-scoring.
[22:45] The results speak for themselves:
· Increasing number of observations
· Increasing number of participants
· Increasing quality of observations
· Reducing number and severity of accidents
Over five years, they increased the number of observations per employee ten-fold.
As a result, they reduced lost time accidents by over 75%.
This was a superb example of a personal safety campaign and a great demonstration of consultation and participation.
It’s not difficult to do, but it needs leadership commitment, constant and clear comms, user-friendly systems and effective analysis / reporting.