Friday, October 30, 2009

Rethinking Green

I recently listened to an audio podcast of Stewart Brand discussing world trends and the environment:
  • 5 out of 6 of us live in the developing world.
  • The dominant demographic event of the century is screamingly rapid urbanization.
  • Urban living promotes an informal economy, which is invisible to authorities, and huge.
  • Mumbai is half slums and one-sixth of the gross domestic product of all of India.
  • The big event of the next 30 years will be young people in the new cities in the global south. Old people in old cities in the global north.
  • Cities are greener than suburbia and way greener than subsistence farming.
  • Wealth is coming to the developing world and that requires more energy.
  • Coal power is the biggest contributor to climate change.
  • Drought is the great civilization killer. Darfur, Australia, and soon the river basins of the Himalayas (where most of the developing world lives).
  • The only carbon-free substitutes for coal are nuclear and hydro. Hydro around most of the world has already maxed out.
  • Russian warheads are being recycled in nuclear power generating stations around the world. Half of the US nuclear energy comes from these Russian warheads.
  • Nuclear waste is tiny compared to coal. The political decision to keep it away from humans for 10,000 years has only led to waste and delay. Protect it for 100 years, when we will probably want it as a resource.
  • Coal must be made expensive.
  • Micro reactors are cheap and easy to scale. Russia is already building them for Arctic outposts, now that the ice melt has opened the NW Passage shipping lanes.
  • Genetically-engineered foods are no different from natural selection taking place in the wild.
  • European environmentalists went to enormous lengths to terrify the leaders of African nations that GM foods were poison. People starved for two decades until those leaders wised up.
  • There is no good reason for genetically engineered food crops to be controversial.
  • Synthetic biology is taking off rapidly.
  • Natural ecosystem engineering is happening all over the world. Planned geoengineering will happen soon, as countries respond to climate change. We need debate and governance now, before it happens.
I believe this is the most important lecture I have listened to this entire year. I spent an hour and a half of my time and was well rewarded. I then went to the Fora.tv site and downloaded the video and transcript notes. I intend to watch the video in the evening with my wife.

Some of you may remember that Stewart Brand was the one who came out with the Whole Earth Catalog in the 1970s. With its picture of the Big Blue Marble on the cover, this was a wake up call for the environmental movement in America and around the world. I just placed a request with my local library for his new book, Whole Earth Discipline, when it comes in.

Stewart has many friends who hold the opposite view on several of his opinions. So how do they stay friends? He said it is the difference between the fox and the hedgehog. A hedgehog is focused on one objective. It rules his life. The fox is open to new ideas and approaches. He usually wins. Stewart says he is constantly asking his friends to change his mind. Continuous learning is the key to his friendships.


Monday, October 26, 2009

Social Responsibility Standard

Review of ISO/DIS 26000, Guidance on social responsibility

The essential characteristic of social responsibility is the willingness of an organization to 1) incorporate social and environmental considerations in its decision-making and 2) be accountable for what it does to society and the environment. This implies both transparent and ethical behavior that contributes to sustainable development. Social responsibility a) takes into account the interests of stakeholders, b) is in compliance with applicable law and consistent with international norms of behavior, and c) is integrated throughout the organization and practiced in its relationships.

The standard is written for all organizations, not just corporations. Businesses, non-governmental organizations, community agencies, non-profit groups, trade and labor groups, and governments are all included. The standard is careful to say that governmental agencies may wish to use it, however, the standard in no way changes obligations of the state.

The standard is intended to promote a common understanding in the field of social responsibility. It is not a management systems standard. It is not intended or appropriate for certification purposes or regulatory or contractual purposes. Otherwise, it would contain the word “requirements” in the title.

According to DIS 26000, sustainable development is a widely accepted concept about meeting the needs of society while living within the planet's ecological limits and without jeopardizing the ability of future generations to meet their needs. Sustainable development includes economic, social, and environmental components and is the bigger picture. Social responsibility feeds into and supports sustainable development.

The writing committee presented several possible benefits to an organization implementing these social responsibility practices:
  • More informed decision-making by a greater understanding of society and stakeholder expectations. (This is a fundamental concept of quality management systems.)
  • Improved risk management practices. (Already part of quality, safety, and environmental management systems.)
  • Enhanced reputation of the organization and greater public trust. (Marketing and sales should like this.)
  • Improved competitiveness, including access to finance and preferred partner status. (Basic supply-chain concepts.)
  • Improved relationships with stakeholders, resulting in more innovation.
  • Enhanced employee loyalty, morale, safety, and retention. (Easier to keep employees than break in new ones.)
  • Savings associated with increased productivity and resource efficiency. (This is part of the triple bottom line of people, profit, and planet.)
  • Improved reliability and fairness of transactions. (This is a major component of ISO 9001, customer requirements.)
  • Fewer consumer complaints about products and services. (We call this customer satisfaction.)
  • Long-term viability through sustainable practices. (Companies have lifetimes, like people.)
  • Contributing to the public good. Making the world a better place. (White teeth and shiny hair too!)

There are seven principles of social responsibility:
  1. Accountability: an organization should be accountable for what it does to society and the environment.
  2. Transparency: an organization should be transparent in its decisions and activities that affect society and the environment.
  3. Ethical behavior: an organization should behave ethically at all times.
  4. Respect for stakeholder interests: an organization should respect, consider and respond to the interests of its stakeholders.
  5. Respect for the rule of law: an organization should accept that respect for the rule of law is mandatory.
  6. Respect for international norms of behavior: an organization should respect international norms of behavior, while adhering to the principle of respect for the rule of law.
  7. Respect for human rights: an organization should respect human rights and recognize both their importance and their universality.
To support these principles, the DIS 26000 devotes nearly 100 pages to defining, explaining, and offering guidance on seven core subjects:
  1. Organizational governance
  2. Human rights
  3. Labor practices
  4. The environment
  5. Fair operating practices
  6. Consumer issues
  7. Community involvement and development
This is the real value of the 26000 standard. Each of the seven core subjects is explained in lay terms, with examples on how to implement. I was pleased to see use of the PDCA (plan-do-check-act) methods. The standard is sensitive to the unique needs of smaller organizations.

In the back, several tables give examples of how social responsibility is contained within various cross-sector initiatives (government and NGO), multisector initiatives, and single stakeholder initiatives. A lengthy table of sector initiatives includes examples from agriculture to electronics to fisheries to tourism. Unfortunately, these tables will be out-of-date before the standard is published. Want more? There is a list of 133 baseline standards, codes, and agreements used in the development of the document.

This is a BHS – Big Honking Standard! There is nothing light and fluffy here. Implementation will take understanding and willingness to change. It certainly will not eliminate fraud and greed from within government and industry. I see this document as one of many that will guide us towards an integrated approach to management. You can get a copy of the DIS for free by going to the ASQ standards site. Comments to the US technical committee are accepted until Dec. 14.


Wednesday, October 14, 2009

ISO 9004:2009

The 3rd edition of ISO 9004, Managing for the sustained success of an organization - A quality management approach, was approved by 52 of the 54 committee members voting. It should be released as ISO 9004:2009 by the end of the year. This is not a requirements standard and must not be used for registration or certification. It addresses - but in a small way - the integration of quality, environment, safety, and security into one general management system. While it has little practical use, the new edition will be useful when designing your quality management system for the future. It may be a useful transition from the current quality-only focus to social responsibility.


Monday, October 12, 2009

Major Revisions to Int'l Audit Standard

Background

Eight years ago, the International Standards Organization (ISO) issued the 19011 standard for quality and environmental management system auditing. It combined the separate quality and environmental management system audit standards into one. Good step. Unfortunately, the pressure to do this was coming from the conformity assessment community (sometimes called registration or certification) and the big multinational firms. The first 19011 standard reflected this bias and the USA delegation voted “no.” It passed anyway. About three years later, the USA released a supplement to the international version, giving additional guidance on how to apply these principles to small and medium enterprises (SMEs) and internal (first-party) audits. The ANSI version of 19011, with the supplement, was a market success and outsold the international version by a wide margin.

Shortly after the ANSI version came out, the international committee started its required review of the original 19011. ISO procedures require this every five years, although it is often stretched out longer. The choices are revise, reissue, or reject. It was pretty obvious that the 19011 needed revision. Unfortunately, the international committee was upset with the Americans for making the standard better, so we were ignored for several years. The work stalled until a couple years ago, when some fresh faces joined the group, and USA participation was once more welcomed.

In the meantime, the Conformity Assessment committee decided to take over audit standard development for third-party registration/certification. A new committee (17021) was assigned the task. So the 19011 standard revisions will now cover internal audits and supplier audits. Hurray!

Major Strengths
  • The auditing standard now covers all management system auditing: quality, environment, safety, security, etc. This fits right in with the trend of organizations integrating their management approaches. The revision is coming closer to other audit standards, such as the yellow book (US Government Accountability Office – GAO) and the red book (Institute of Internal Auditors – IIA).
  • As mentioned above, third-party conformity assessment (registration/certification) audits will have their own new standard: ISO 17021. Publication of the new 17021 will probably occur quite soon, as the people writing it have a common focus and the intended audience is smaller.
  • For the first time, the concept of risk appears. This is the risk of performing a bad audit, having incorrect conclusions, and not the risks taken by the auditee. For several decades, the IIA has included the concept of audit risk under their banner called quality assurance. While the concept is only briefly discussed in this 19011 revision, it is a good start for a long journey.
  • Guidance on training, competency and evaluation of auditors is greatly improved. Gone are the tables of degree requirements, years of service, audits observed or performed, etc. The discussion is quite rational on what competencies are desired, how to achieve them, and how to measure them. Specific examples for various management systems and business sectors are given in an informative annex. The thoroughness of this information will overwhelm many users who just want to get or maintain their registration certificate.
  • Sampling strategy is presented in an informative annex. It covers both statistical and judgment sampling in a non-technical manner.
  • Most of the “Practical Help” information from the earlier USA additions was transferred to this revision. While the additional material makes the document nearly 70 pages long, it significantly increases the understanding. It should result in better internal and supplier audits.

Major Weakness
  • The standard continues to use the term client without clear definition. To say that the audit client is the “organization or person requesting an audit” is unsatisfactory. A clarifying note says, “The audit client may be the auditee organization or any other organization which has the regulatory or contractual right to request an audit.” This makes it sound like the majority of internal or supplier audits are requested by the group about to get audited. My experience says it is just the opposite. We should remove this debris from conformity assessment days and be truthful. Either remove the term or define the client as the person(s) in charge of the audit program.

Next Steps

The international committee has recommended the revision as a Draft International Standard (DIS), meaning all of the heavy lifting is done and the proposal is ready for release to the user community for comment. Our USA delegation meets in November to prepare the USA vote on this advancement to DIS. Unfortunately, the committee team leaders feel the revisions are not ready for the DIS stage. They suggest this draft contains too many new concepts, which may not be accepted by the user community, without stating what might be objectionable. This puts us in a very weak position to effect change. The strengths identified above are needed in today’s world of economic uncertainty, advancing technologies, and ecosystem challenges. Promoting sound management system audits, as described in the draft 19011, will make the world a better place to live and work.

The international working group plans to meet in Guadalajara, Mexico, in early March 2010. Comments will be collected, discussed, and another draft prepared. Once it achieves the DIS (draft international standard) level, ISO rules require it be made available to the public for comment. (Available does not mean free, however.) I am optimistic that the new and improved standard will be released a year from now.


Anti-virus Protection for Free

If you are a MS Windows user, it is time to stop paying those recurring fees to Norton, McAfee, etc. Microsoft has released an anti-virus program that serves home and business users quite nicely.
  • It works on Windows XP, Vista, and the new Windows 7
  • Once installed, it automatically updates as new virus signatures are released
  • It uses system resources (CPU, memory, and hard drive) sparingly, without slowing me down
  • Did I mention, it is free?
I trust Microsoft here. Because of the Malicious Software Removal Tool that is run every patch Tuesday (second Tuesday of the month), Microsoft has a tremendous set of data on viruses floating around and in the wild.

The Microsoft AV program does not use heuristics as much as the other guys. As a result, a full and complete scan takes an extremely long time. It examines .exe and .dll files in great detail, not relying on approximate heuristic matches based on patterns. As a result, the number of false positive identifications is quite small. (I have had none in the two weeks I have been running it.) Because the full scan is so slow, I have mine set to run at 2 a.m. on Saturday morning. I do not care if it takes several hours while I am still sleeping.

The hardest thing about using the MS product is removing your existing AV program. They generally make it quite difficult to take off your machine. You will probably have to make a couple of restarts before it is all gone. Do not worry about the warnings on the lack of AV protection during this short time period.

Now go to the MS Security Essentials site: http://www.microsoft.com/Security_Essentials/ and click the download button. (There is an underscore between Security and Essentials in the address.) You must be running a legitimate copy of MS Windows for the program to install. Choose the default settings for your initial installation. After it does a quick (couple of minute) scan, it is ready to go.


Friday, September 25, 2009

Feeding on Wikis and Blogs

In the old days, when long-distance telephone calls were very expensive, we attended technical conferences to keep up-to-date with the changes in the profession. Of course, the company or university would only pay for the very important staff members to attend these expensive events. The rest of us had to make do with the public library. Fast-forward to today, when the price of a telephone call is nearly zero and the Internet connects everyone. Access to all this information is cheap. It is also overwhelming. Additionally, our ways of organization are changing. Collaboration and community are quickly replacing the command-and-control pyramidal model. Rather than fight it, perhaps we can use the machines to help us adapt.

Blogs are online diaries. They are posted on web sites and accessible to the whole world through a common Internet browser, such as Internet Explorer, Firefox, Chrome, Opera, or Safari. Blogs are one-to-many communication – you write something and many people read it. The emphasis is on content, rather than flash. People write about things that excite them, like the Care and Feeding of Cats, Landscape Photography, Fonts, Medical Conditions, or Statistics.

"So, what is new? Is that not the same as writing a standard web page?" No, for a couple of reasons: 1) automation has taken the effort out of web page design, and 2) blogs allow for comments. It is the second item that is particularly important. It allows communities to form. Unlike e-mail, an archive of the conversation is kept. Blogs are fluid and rapid.

Wikis are reader-generated and edited web pages. One person will start a page, with a little or a lot of information. Then others will enrich that information. Perhaps they will generate additional pages on a similar topic. The whole thing is linked together. As with blogs, the software does all the formatting work, allowing you to concentrate on the content. If you make a mistake, there is a roll-back feature. If some creep places offensive words on a page, anybody can quickly roll it back. There is built-in version control, allowing every reader to see changes made over time. Wikis (from the Hawaiian word for quick) promote collaboration and help to get the whole team working on a project.

"But how does one keep current on all these blog and wiki sites? Must we check them all once or twice a day? What about all the good stuff published while we were traveling to Toledo?" The answer is to let the machines track these changes. This is called RSS – Really Simple Syndication – news feeding. In fact, it is now built into all popular web browsers. You tell the software which sites interest you. Once or twice an hour (or more!) the computer will send a query: “Any Changes?” If so, it is marked and sometimes a little flag pops up at the bottom of your screen. Once or twice a day, or week, or when you return from Toledo, you open the RSS feeder and scan the summarized changes. Spend time with those that interest you and move on.

Mastery of these three technologies will greatly increase your knowledge of professional matters taking place all over the world. Rather than invent solutions on your own, you recycle solutions and ideas from others. By building your community, you add value to your organization.


Wednesday, September 02, 2009

Management System Integration

A few months ago, I attended the European Organization for Quality conference in Croatia. I also presented my thoughts about the future. During the entire event in Dubrovnik, the overriding theme was integration. Of quality and safety and environment and security and sustainability and more. I noticed two cultural differences.

1) The European presenters place quality in the center, with safety, environment, etc. all feeding into the quality philosophy. On the other hand, my American colleagues seem to believe that quality is a component of something else. Unnamed as yet, although the ASQ is leaning towards the idea that social responsibility might be that center area. Others are saying that risk management might be the center of this integration. I do not sense a strong belief for either of these models from my Asian friends. (Perhaps it is a wait-and-see attitude.)

2) The European presenters had philosophical differences with the application (implementation) of social responsibility. Some feel it is a concept, being developed by ISO, to be used for the betterment of the enterprise and society. Others believe it should be more a requirement, either through legislation or certification. On the other hand, many of my American friends are hung up on the word social and see the concept of social responsibility as an affront to the free market.

I see all this discussion as healthy. I do not think we (the world of quality-safety-environment professionals) know the answers to this evolving trend. Social Responsibility will develop and mature, with the publication of standards and books, with conference presentations, and with on-line discussions and blogs. We do not know what it is, but we know it is there!


Friday, August 28, 2009

ASQ Recertification Units

Here's a question I answered about a month ago:
--------------------------------
You asked the ASQ about standards for granting recertification units (RUs) from in-house training. There are two main concepts here:
  1. Training must cover some part of the affected certification Body of Knowledge
  2. Every hour of contact time equals 0.1 RU
Body of Knowledge. The training topics must cover some part of the certification BoK. This is pretty liberally interpreted. Auditor and Manager certifications are the most general, while Software and Inspector are more specific. Each certification has a booklet, available for download off the ASQ web site, showing its BoK as an outline of topics. Make sure the training will support one or more of these topics.

Contact time. A one-day course is typically 6-7 contact hours, which would equate to 0.6-0.7 RUs. You cannot count lunch or break times - just actual training.

Records. Most people receive a certificate of completion at the end of the training class. It shows name, date, course title, contact hours (or RUs), and person granting the certificate (need not be signed). The employee makes a copy of all these certificates and includes them in the recertification journal/logbook. Pay particular attention that the date of the class is within the dates of the three-year ASQ certification. I have attached an example, showing the certificate I issue for in-house classes.

Difference between ISO 9001 and ISO 19011

As I am one of the member leader experts on standards, ASQ will often ask me to help answer questions they get from the general public. Here is a recent answer I provided.

You asked the ASQ about the differences between the two standards. I can see where the confusion might arise, as the numbers are very similar! But the contents are quite different.

ISO 9001 is the mother of all Quality Management Systems. It lays out the minimal requirements for an acceptable way of managing your business for quality. In the beginning, it was developed as a requirements document to lay on your suppliers. Then it became the foundation for registration (other countries might call this certification) of your own management approach to quality. About a decade ago, various business sectors - aerospace, automotive, medical devices, laboratories, etc. - all used the 9001 document as the base for their specific approaches. They didn't take anything away, but added additional requirements. The year 2000 version is the most used all around the world. The recent 2008 revision is clarification-only. There is no real and substantive difference between the two. By far, the greatest use today is for registration/certification. This is somewhat sad, in that the standard itself is a beautiful way of managing the resources within the enterprise. Registration can get quite bureaucratic and not worth the expense.

ISO 19011 is the International Auditing Standard (my specialty). It was first developed as a means to get all the various registration agencies around the world to do their audits in a consistent manner. It also had support from the multinational companies that had factories - and thus registrations - all around the world and often with different cultures. Norms in Canada are not the same as China! Unfortunately, this registration emphasis in the standard made it somewhat hard for internal auditors and supplier auditors to use it. Plus, there is no requirement to use the standard, other than within the registration industry. For these reasons, the USA wrote a supplement, giving guidance on how to use the principles for internal audits and small organizations. The version you get from ASQ includes that supplement, along with the base document. As this auditing standard was revised, it picked up environmental auditing. Now we are working to get safety auditing in the scope. This supports the premise that auditing is auditing is auditing.
