©2016 conforma - milano · 2018. 12. 3. · 2 ©2016 conforma - milano tutti i diritti sono...

2

©2016 CONFORMA - Milano

TUTTI I DIRITTI SONO RISERVATI

Nessuna parte del libro può essere riprodotta o diffusa con un mezzo qualsiasi,

fotocopie, microfilm, o altro senza il consenso scritto dell’editore.

ALL RIGHTS RESERVED

No part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any

means, electronic, photocopying, recording or otherwise, without written permission from the publisher.

This publication is not a regulatory document.

Responsibility for the concepts expressed lies solely with the author.

Author

Conforma - Associazione Organismi Certificazione Ispezione Prove Taratura

September, 2016

3

These Guidelines stem from a project by the ENVIRONMENT working group of Conforma in which the following members participated:

ﾷ ASACERT ﾷ AICQ SICEV ﾷ CERTIQUALITY ﾷ CSI ﾷ CSQA

ﾷ DEKRA ﾷ DNV GL ﾷ ICIM ﾷ ICMQ ﾷ IGQ

ﾷ Istituto Italiano dei Plastici ﾷ IMQ ﾷ RINA SERVICES ﾷ SGS ﾷ U.L. International

The document is the outcome of a CONFORMA ISO 14001:2015 technical panel, in which the following took part:

Stefano ALDINI Certiquality COORDINATOR Chiara BERNARDI SGS Luigi BOTTOS DNV-GL Massimo CASSINARI ICMQ Valentina DORONZO CONFORMA Matteo FERRARI CSQA Cecilia GALIMBERTI AGHION IGQ Lidia GELLI CERTIQUALITY Giulia PENSIERO RINA Services Anna Lisa POLIMENI IMQ Marco SCANAGATTA CSI Saverio SFORZINI ICIM Caterina VILLA U.L.

4

CONTENTS

Introduction ....................................................................................................................................................... 5 4 Context of the organisation ........................................................................................................................... 6 5 Leadership .................................................................................................................................................... 13 6 Planning ........................................................................................................................................................ 16 7 Support ......................................................................................................................................................... 22 8 Operation ...................................................................................................................................................... 26 9 Performance evaluation ............................................................................................................................... 29 10 Improvement .............................................................................................................................................. 32 ANNEX 1 - Context of the organisation: EXAMPLES OF EXTERNAL ISSUES ……………………………………………….33 ANNEX 2 - Context of the organisation: EXAMPLES OF INTERNAL ISSUES…………………………………………….....34 ANNEX 3 – Example of risks……………………………………………………………………………………………………………………….35

5

“Guidelines on implementing ISO 14001:2015” Introduction

Following publication of the new edition of ISO 14001 (which slightly preceded the ISO 9001:2015 one), certification bodies were the first, among the operators concerned, to have to assess and address the impact, from an interpretative and above all implementation point of view, of the new standard.

While waiting for “official” interpretative clarification concerning the new requirements from UNI (and hopefully revision of document UNI TR 11331:2009 and document UNI TR 11405:2011) as well as indications from Accredia, relevant in terms of accreditation (RT 09), CONFORMA believes it is useful and appropriate, as occurred for ISO 9001:2015, to draw up these guidelines.

Thus, this document does not set out to officially interpret the new standard but rather to offer concise indications of a practical implementation nature to certification body auditors on the main elements to be taken into account when verifying the requirements established by ISO 14001:2015 and on the evidence which can reasonably be expected to be found in verifying compliance with these requirements. Of course, also certified organisations and those undergoing certification can use this information as guidance to help them along the road towards compliance with the new standard.

In drawing up this document, particular focus was given to the novel aspects introduced in the new edition of ISO 14001: analysis of the context, risk-based approach, life cycle perspective. Moreover, a reasoned review was carried out of the criteria established in the previous edition and re-proposed in an improved version in the 2015 edition, in the light of the overall formulation of the new standard which requires real integration of the Environmental Management System in an organisation’s business processes and full support from the top management.

The methodological planning adopted in drawing up this document aims to provide concise indications for audits in general, regardless of an organisation’s business sector and specific context. Obviously, this could lead to limitations, from the point of view of completeness and in-depth level of the information contained in these

6

Guidelines; however, this is entirely in line with its purpose, which does not aim to be exhaustive or, as already mentioned, an official interpretation of the new requirements of the standard. Until a consolidated basis of audit experience has been acquired related to ISO 14001:2015 and the pertinent bodies have provided “official” indications concerning implementation of the new requirements, to the certification bodies adhering to CONFORMA it seemed logical and reasonable to opt for a formulation such as the one adopted for these Guidelines.

In describing the examples of evidence to be gathered to comply with the requirements of ISO 14001:2015, in particular those which are entirely novel compared to the previous edition, an approach has been adopted aimed at “substantial compliance”, making use of tools and elements effectively available to the organisation and fully integrated in its processes and system, avoiding excessive and unnecessary formalism, with no added value, perhaps created ad hoc in view of the certification audits.

Of course, this does not mean that an organisation, apart from those cases in which it is mandatory, need not document or record anything. In many cases, it will be necessary and unavoidable to provide documented information to keep under effective control a risk, an environmental aspect, an activity, a process, a requirement, etc. in line with the objectives of the environmental management system. These tools, aimed at describing the methods of a process or providing evidence that a certain activity is carried out, are required to ensure effective implementation of the system in compliance with the pertinent requirements and improve an organisation’s overall management.

This is a general principle highlighted and shared by all new management system standards, whose effective implementation, with the contribution of all operators concerned (organisations, consultants and certification bodies) represents one of the main factors of success of ISO 14001:2015 and of its credibility.

The Guidelines contain a concise description of the requirements (left-hand column), with possible evidence to support compliance (right-hand column). As already said, whereas in the case of the description of the requirements reference is made to what is stated in UNI EN ISO 14001:2015, including the important explanatory information given in appendix A of the standard (“Guidance on the use

7

of this International Standard”), the examples of evidence given in this document are not to be considered exhaustive, as organisations can demonstrate compliance in other ways. Reference is to be made to appendix B to the standard for the table of correspondence between ISO 14001:2004 and ISO 14001:2015.

The purpose and aims of these Guidelines have also been recognised by UNI, which has confirmed the consistency of the terminology with the body of legislation concerning environmental management and conformity assessment.

8

DESCRIPTION OF THE REQUIREMENT AND RELATED CONSIDERATIONS

POSSIBLE EVIDENCE TO SUPPORT CONFORMITY

4. Context of the organisation 4.1 Understanding the organisation and its context

This requirement is entirely new compared to the ISO 14001:2004 edition.

The organisation is to determine and analyse the internal and external issues (positive and negative), which are relevant to its strategic objectives and which influence its ability to achieve the intended outcomes from the environmental management system.

The aim is to raise the organisation’s strategic vision level in developing the environmental management system, bearing in mind the context in which it operates.

Determination of the issues which may influence an organisation’s ability to achieve the intended outcomes is fundamental for “Risk Based Thinking” (see 6.1) and consequently, to appropriately define and develop the environmental management system.

Analysis of the pertinent external and internal issues which characterise the organisation’s context may require the involvement of company functions other than those more directly involved in environmental management: marketing and sales, purchasing, administration and finance, human resources, legal & compliance.

External issues include environmental conditions (related to climate, air quality, water quality, land use, existing contamination, natural resource availability and biodiversity) but should not be limited to these.

The organisation should in fact consider other external issues which could influence the intended outcomes of the environmental management system as, for example, international, national, regional or local cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive circumstances.

Moreover, the organisation’s internal characteristics or conditions are to be taken into consideration, such as its activities, products and services, strategic direction, culture and capabilities (for example knowledge, processes, systems).

Reference is to be made to annex 1 “Context of the organisation: examples of external issues” and to annex 2 “Context of the organisation: examples of internal issues”.

The requirement does not specifically require evidence to be given of context analysis but, considering that this analysis forms the fact-finding basis to plan and maintain the management system and determine risks and opportunities for the organisation and the actions to be taken to address them, it is reasonable to expect the outcomes to be documented so as not to compromise the effectiveness and traceability of the process of system planning. The level of in-depth detail of the documented information depends, as foreseen by the standard, on the size, type and complexity of the organisation and its context. From a combined reading of the requirements in par. 4 and par. 5 of the standard, the responsibility concerning the outcomes of the analysis of the context depends on the organisation’s top management (directly or through a representative) and therefore, evidence should be provided of its involvement in this connection. For example, an interview with the top management (or its representative) could provide information on how the issues have been considered which contribute to an understanding of the context in which the organisation operates. The information related to context analysis is to be kept up to date in relation to changes which have occurred which could influence maintenance of the environmental management system with implications for the organisation’s strategic management (see 9.3 – Management Review). Many organisations certified in accordance with the old edition of the standard may already have some of the information on the context in the environmental analysis document (probably referred to the so-called environmental conditions), to be suitably reviewed to assess consistency and updating of the information. Also specific reports, minutes of meetings may be acceptable or the assessment could form part, as said, of the management review (see 9.3).

The auditor should verify and assess:

- consistency between the context defined by the organisation, risk analysis and planning for the environmental management system (see 6.1);

9



- that the organisation regularly updates the information on external and internal issues.

Should the analysis appear incomplete or insufficient, it should be assessed whether, due to these deficiencies, there could be a real risk related to the organisation’s ability to plan and maintain the environmental management system and program the necessary actions to address the risks and manage the opportunities. Where the analysis of the organisation’s context has omitted to consider, for example, a situation with a high degree of conflict at local/territorial level in relation to certain environmental impacts of the organisation (or implications derived from the need to satisfy a new environmental standard or a requirement imposed by a new authorisation), and due to this deficiency, the management system has omitted to plan the necessary action, with the risk of compromising its effectiveness, a finding may be issued in this regard.

4.2 Understanding the needs and expectations of interested parties

This requirement is entirely new compared to the previous ISO 14001:2004 and, although the concept of interested parties already exists in some requirements of the old edition of the standard, in the new edition it is more extensive and explicit.

The organisation shall determine and take into consideration the needs and expectations of interested parties:

1) relevant or which can influence environmental management in relation to its context and which concern environmental performance;

2) which it is aware of or which have been made known to it by interested parties.

The organisation shall demonstrate that it can meet these needs and expectations of interested parties by transforming them into environmental management system requirements. Some are, as required by “mandatory” sources (laws, rules, authorisations, requirements, etc.), others become «compliance obligations» (or also system requirements) as the organisation voluntarily adopts them to meet these needs and expectations.

As specified in the following paragraphs, all these requirements become "compliance obligations", a term which replaces "legal requirements and other

It is not explicitly required to provide documented evidence of this analysis, but it could be reasonably expected, as mentioned in the previous point, that this information be contained in a document, reviewed and periodically updated (see 4.1).

The management review (documented) is to include considerations about any changes concerning the relevant needs and expectations of interested parties.

Purely as an example, a finding concerning this requirement could be issued, depending on the criticality level, in the case of two situations:

1) to plan its environmental management system, the organisation has omitted to consider and address the need or expectation of a relevant interested party (in its territorial and environmental context) such that the management system is unable, on the whole, to effectively meet the requirements (risks/opportunities, planning of suitable actions, management of compliance obligations, communications, operational control and performance).

2) Though the organisation has identified the need or expectation of the interested party, relevant, noted and known, it has not demonstrated that it has taken it into suitable consideration as a compliance obligation in planning its system. In

10



requirements to which the organisation subscribes ".

Examples of interested parties can be:

- Institutions - control bodies - jurisdictional bodies - clients/consumers - local community - environmental associations and committees - partners and shareholders - investors - upstream/downstream chain subjects - external providers - banks and financers - insurance companies - sectorial associations - consumer associations - company group - employees and trade unions.

The relevant needs and expectations of interested parties form, together with the information on the context, input for the planning and maintenance of the environmental management system (see 6.1.1, 6.1.3 and 6.1.4) and for the management review (see 9.3).

this case, the conformity assessment is to be carried out in parallel with the conformity assessment of other requirements which presuppose the system has taken charge of the relevant needs and expectations of interested parties (i.e. risks and opportunities, planning, management of compliance obligations, operational control, etc.).

These considerations also apply where the environmental management system has omitted to transpose significant changes concerning the needs and expectations of relevant interested parties, noted or known by the organisation.

The auditor should check and assess consistency of the knowledge acquired in 4.2 with what has been analysed in 6.1.3.

4.3 Determining the scope of the environmental management system

The scope of the environmental management system determines the boundaries within which the requirements of the standard apply.

The scope shall be documented and made available to interested parties if the organisation declares that it complies with the standard.

It has now been clarified what is to be taken into consideration in defining the scope. As well as the elements contained in the previous edition of the standard, such as activities, products and services, organisational functions and physical boundaries, the scope is to include internal and external issues and compliance obligations derived from the needs of interested parties, the ability to exercise control and influence activities, products and services in line with the life cycle perspective (see paragraphs 6 and 8).

Once the scope has been defined, all the organisation’s activities, products and services (also grouped according to type), which come within the scope, are to be included

An in-depth analysis of the accuracy of the environmental management system scope is fundamental and should not be misleading to interested parties. It is also required to verify its consistency with the internal and external context in which the organisation operates, with the requirements of interested parties and with the organisation’s activities, products and services.

It is advisable to check that all products/services within the certification scope are covered by the environmental management system and that any exclusion of activities, products and/or services is supported by a pertinent analysis.

In particular, it is necessary to check that the organisation has taken into account also outsourced processes, as indicated in the standard, if relevant to the environmental management system (see 8.1). For this purpose, it is thus necessary for the scope to also consider the ability to influence and exert authority over outsourced processes so as to define the organisation’s level of responsibility towards them.

11



in the environmental management system.

The definition of the scope is not to be used to exclude activities, products, services or structures, which have or may have significant environmental aspects or to avoid compliance obligations.

In line with the life cycle perspective, depending on the organisation’s authority and ability to exercise control and influence, also outsourcing could come within the scope, if relevant to the environmental management system.

To determine the relevance of an outsourced process, in this case it is essential that the organisation assess:

- whether the process is perceived by interested parties as if it were performed by the organisation;

- whether responsibility for compliance with the requirements pertains to the organisation.

Examples:

- Consider the case of an outsourced manufacturing process. It is reasonable to expect that, in this case, where moreover the outsourced process may be perceived by interested parties as being undertaken by the organisation, there will be a high level of control and influence established contractually (i.e. right to access the plants, to carry out inspections and audits, obligation to provide documents, information, reports, etc.). If, from the process in question, according to an overall view covering the whole life cycle, there are significant environmental aspects whose exclusion could compromise the system’s credibility, then this process will have to be included in the scope.

- Consider a different case in which management of a plant owned by the organisation is outsourced. Where there are, for example, mandatory aspects (ownership of the authorisation, plant, compliance with requirements, ownership of the waste produced) for which responsibility leads back to the organisation (even in part), also in this case the process and related control level are to be included in the scope.

4.4 Environmental management system

The requirement was already present in point 4.1. of ISO 14001:2004 (“General requirements”).

Focus is on the general objective, also mentioned in point 4.1 of the 2015 edition, to achieve the intended outcomes, on enhanced environmental performance and on the process approach.

In fact, in ISO 14001:2015, the organisation is required to integrate the environmental management system requirements in the various processes, taking into account also their interactions.

Furthermore, it is specified that in establishing, implementing and maintaining the environmental management system, the organisation is to take account of the knowledge gained when establishing the context (4.1) and of interested parties (4.2), thus including in the environmental management system the elements determined during the general understanding stage, that is the internal and external issues, as well as the needs and expectations of interested parties, which will become

Though documented evidence is not explicitly required to be produced concerning this point, the environmental management system needs to be integrated in the organisation’s processes and therefore in the company’s documentation (for example, operational plans, internal procedures, evaluation documents, multi-year programming, …).

The auditor should check and assess, by examining the documented information and interviews with the top management and with the personnel (at different levels and different functions), the organisation’s ability to:

- incorporate the environmental management system in the company’s system through appropriate process control;

- manage the environmental aspects, fulfil compliance obligations, assess risks and opportunities, in line with what has been analysed in 6.1, 6.2 and 6.3;

12



requirements for the organisation.

The environmental management system is no longer required to be “documented”. However, the requirement to maintain the environmental management system scope as “documented information”, now under 4.3, remains and it is also to be made available to interested parties.

- plan a review of the system in the light of potential or actual changes.

13



5 Leadership 5.1 Leadership and commitment

The top management’s responsibilities and the role it has, in terms of support and incentive regarding human resources and in implementing the environmental management system, have been emphasized.

The new standard no longer mentions a top management representative but explicitly involves the “top management”.

In this connection, the new standard introduces the concept of top management as:

“Person or group of people who directs and controls an organisation at the highest level”.

Top management should be the first to demonstrate awareness of the importance of the environmental management system.

Top management involvement is essential to effectively implement an environmental management system and is mentioned in many standard requirements.

The requirements given in points b and c make the concept of integration more explicit between the organisation’s environmental management system and its business processes.

Compliance with the requirement of the standard should be verified in different ways:

- interview with the top management to assess:

1) actual commitment and awareness of its role and of the effectiveness of its environmental management system;

2) actual involvement and knowledge of the main forms of integration of the system in the organisation’s business processes;

3) knowledge of the intended environmental performance and of the performance achieved in relation to the intended improvement

- management review;

- the organisation’s objectives, policies and strategies;

- interviews with the personnel;

- top management communications;

- actual availability of suitable resources;

- actual involvement of the personnel.

Definitions of strategies and objectives related to the following should be available:

- products/services business within the scope of the system;

- significant environmental aspects;

- compliance obligations;

- risks and opportunities.

Moreover, the following should be assessed:

- evidence that the objectives have been made explicit within the organisation;

- evidence of verification of the state of implementation of the objectives defined.

5.2 Environmental policy

New aspects are reference to the context in which the organisation operates and its communication to relevant

It is necessary to check that the policy is in line with:

14



interested parties.

With reference to the new edition of the standard, it can be said that the period of generic and static environmental policies is definitely over.

The contents of the policy are to be in line with the results of the context analysis, with the impacts of the organisation’s activities/products/services, with the environmental objectives, environmental protection and with fulfilment of compliance obligations.

The commitment to protect the environment is intended to not only prevent adverse environmental impacts through prevention of pollution but also to protect the natural environment from harm and degradation arising from the organisation’s activities, products and services. The specific commitments the organisation pursues should be relevant to its context, including local or regional environmental conditions. These commitments can address, for example, water quality, recycling or air quality and can also include commitments related to climate change mitigation and adaptation, protection of biodiversity and ecosystems and restoration.

The environmental policy shall be communicated within the organisation and shall be made available to other interested parties so as to promote their involvement.

Continual changes related to the organisation and the context in which it operates necessitate a periodic review of the policy.

- analysis of the context; - the organisation’s strategies; - the environmental impacts of the organisation’s

activities, products and services

and contains the following commitments: - protection of the environment; - fulfilment of the organisation’s compliance

obligations; - continual improvement of the environmental

management system to enhance environmental performance.

It is necessary to check that the policy is available as a document, has been appropriately communicated within the organisation and is consequently known and implemented.

It is advisable to verify that interested parties to whom the policy could be made available have been identified as, for example: investors and shareholders, contractors, subcontractors, etc.

Lastly, it should be checked that the policy is reviewed in line with changes which may affect the organisation and its context.

5.3 Organisational roles, responsibilities and authorities

The organisation’s top management is required to establish the responsibilities and authorities in connection with the processes and activities carried out.

Even if the requirement of the standard does not make reference to documented information, there may be different forms of definition of responsibilities and authorities, which depend on existing practices and in any case, on organisational complexity.

The role of “management representative” is no longer foreseen as a specific requirement but assignment of responsibilities is still required to ensure environmental management system compliance and the outcome is to be communicated to the top management. It is, in any case, advisable that the communication channel between the top management and internally as well as externally, concerning the environmental management system, be clearly defined through assignment of the relative

In most cases, organisation charts, organisational directives and job descriptions should be available. However, depending on an organisation’s complexity and related activities, a definition of responsibility at the following levels, is acceptable:

- process flows; - managerial procedures; - operational instructions; - access reserved for company IT systems.

It would, in any case, always be a good idea to check the actual relevance of the functions who have been assigned the responsibilities and authorities and consistency between the latter and those actually noted during the audit related to company processes.

In any case, evidence of communication of the roles and defined responsibilities within the organisation should

15



responsibilities.

The responsibilities and authorities assigned, also to more than one competent person, are to be communicated and known within the organisation.

Elimination of the requirement related to the top management representative need not necessarily lead to cancellation of this figure from the environmental management system.

be available. The effectiveness of these forms of communication, for example by interviewing the personnel, should also be assessed.

16



6 Planning Planning represents the body of the “core” requirements of the standard, which altogether play a top role in the hierarchy of the different requirements of the standard. The preparation and outcome of the planning stage of the environmental management system influence and produce effects transversally on the implementation of the remaining requirements of the standard. During the planning stage, the three main innovative concepts introduced by the standard are implemented and interconnected. These are: - context analysis addressed in point 4; - risk-based thinking; - “Life cycle” perspective. Meanwhile, the standard confirms the importance of consolidated activities, such as determination of the significant environmental aspects and compliance obligations (mandatory and voluntary); however, these activities are required to be reviewed in the light of the new elements mentioned above.

6.1 Actions to address risks and opportunities 6.1.1 General

The concept of risk is an innovative aspect common to all revised management system standards. The intention, by imposing a planning stage based on risk-based thinking, is to integrate and make the environmental management system functional in relation to the organisation’s business strategies, making the system speak the same language as the “strategists” who have decision-making power.

It should be pointed out that in an HLS context, risk is defined as the effect of uncertainty, a “variance/deviation” (more or less) compared to the intended outcomes which, in the case of ISO14001:2015, include as a minimum:

- improved environmental performance; - fulfilment of compliance obligations; - achievement of environmental objectives.

Thus, the concept of risk assumes, generally, a connotation of “neutrality” compared to the potential outcome and may have both a positive and negative meaning.

At the same time, the standard considers it appropriate to introduce also an additional definition of “risks and opportunities” (see 3.2.11), clarifying the meaning to be assigned to the two terms, when used together in the body of legislation. In such a case, on the basis of the additional definition, the term “risks” is to be interpreted as “potential adverse effects (threats/adverse risks)” and

The auditor’s attention should focus on verifying the planning process(es) as a whole. In particular, the auditor should be able, starting from the main outcomes of the planning stage which are to be documented (that is the system objectives (6.2.2) and risks and opportunities (6.1.1) to be addressed), to retrace the activities carried out to reach these results and verify that they:

- comply with the dictates of the standard (significance analysis of environmental aspects, determination of compliance obligations);

- are in line with the documented process; - enable a connection to be established which links, in

a coherent way, the relevant elements of the context (4.1) and of interested parties with the documented outcomes (4.2).

It should be verified whether the organisation applies risk analysis techniques, as for example design, process, product FMEA.

In relation to risk analysis activities, organisations should determine suitable methodologies to assign priorities to risks, as for example indices based on gravity (of the consequences) and on the probability of occurrence of events.

17



“opportunities” as “potential beneficial effects” (beneficial risks). “Risks” and “opportunities” are thus to be understood as two specular concepts.

Lastly, it transpires clearly from the standard that the concept of risk may have beneficial or adverse consequences, in terms of both the external environment, in physical-natural sense, and in terms of the organisation.

Examples of risks to the environment could include: - pollution of the aquifer due to leakage of dangerous

substances from underground tanks not removed or not provided with a control system (adverse risk);

- design, development and implementation in the technology process for the production of thermal and electrical energy from the recovery of heat, with consequent reduction in consumption of resources (beneficial risk/opportunity).

Examples of risks to the organisation, on the other hand, may include:

- increased risk of flooding that could affect the organisation’s premises (adverse risk);

- development of a product which complies with specific environmental requirements leading to increased competitiveness in the organisation’s market (beneficial risk/opportunity).

For further details, see annex 3 – Examples of risks.

Risks and opportunities are, in fact, an “intermediate” outcome of the planning process(es) and represent the fundamental starting point for the definition of environmental objectives and action to be taken in relation to the environmental management system processes or to other processes of the organisation.

Effective determination of the “risks and opportunities”, which it is necessary to address and manage, is recognised by the standard as a basis to ensure not only that the system achieves its intended outcomes but also that it is, to all effects, a tool for prevention, able to avoid and/or mitigate potential effects and undesired consequences on the organisation.

The environmental management system planning stage consists of processes, which have as input elements the context analysis (internal and external) in which the organisation operates (4.1), assessment of the needs and expectations of relevant interested parties (4.2) and the defined limits of the environmental management scope (4.3). During this stage, the organisation is required to determine:

Moreover, it should be checked whether the organisation has identified/planned for the need to review its risks and opportunities and relative action.

It should be checked whether the organisation’s personnel are aware that the approach of the environmental management system and of its processes is based on risk (Risk-based Thinking). This could be done through interviews with the personnel at different levels and functions, (see 7.3) by looking into the reasons for individual operational choices and/or behaviour adopted in relation to the processes they contribute to (see 5.1).

In checking this point, a discussion with the top management is considered particularly important, to understand the level of integration and actual contribution of the environmental management system to the organisation’s strategic aims.

The risk analysis should also consider the framework of responsibilities foreseen by Italian legislative decree 231/2001 concerning the environmental offences contained therein. This issue has taken on particular importance following the recent introduction of new environmental crimes (disaster and pollution) punished also on the basis of negligence. If, following this analysis, relevant risks for the organisation should emerge, (which could be assessed through appropriate risk assessment), the organisation will have to demonstrate that it has also taken into account these risks when planning and maintaining its environmental management system by implementing, if necessary, all the synergies and integrations with the control system required by the organisational model for the prevention of environmental offences as per Italian legislative decree 231/2001.

The standard does not specifically require a formal “risk analysis” or a documented risk management process. An organisation can identify the most appropriate method to determine its risks and opportunities, in relation to its characteristics (complexity, type of processes, activity sector, nature, context, etc.). This may lead to different levels of detail of the methodological approach adopted, which can vary from a simple qualitative analysis to a formal quantitative risk analysis process. Likewise, an organisation may choose to carry out the analysis by integrating the different activities required by the planning stage (for example, by adopting significance criteria of the environmental aspects which are Risk-based) or by keeping them separate and proceeding to

18



- the environmental aspects and their significance (6.1.2);

- the compliance obligations (6.1.3); - the risks and opportunities associated with the

previous elements or derived from the context analysis.

The planning stage also needs to identify emergency environmental scenarios, which may have an impact on the environment or involve adverse effects for the organisation.

In particular, bearing in mind the elements mentioned above and applying Risk-based thinking, the organisation shall determine the risks and opportunities linked to achieving the intended outcomes by identifying the issues which could interfere with the achievement of the objectives or, on the other hand, constitute potential enhancement opportunities.

Assessment of the risks and opportunities should be reviewed, updated or repeated at intervals and, in any case, whenever deemed necessary.

The need for a new assessment or a review of the risks and opportunities may be necessary following:

- results of the context analysis; - results of the analysis of the needs and expectations

of the relevant interested parties; - results of the analysis of fulfilment of the compliance

obligations (mandatory and voluntary); - changes within the organisation which may have an

impact on environmental performance (managerial, organisational, process, operational, etc.).

determine the significant environmental aspects, compliance obligations and consequent risks and opportunities in subsequent steps.

On the basis of the standard, the organisation is however required to keep documented information on:

- risks and opportunities to be addressed/managed - the planning process(es) such as to have confidence

they are carried out as planned.

In assessing risk, it may be useful to refer to internationally recognised methodologies (example: ISO 31000 - 31010, or other) and mentioned in the annex but, as already said, not mandatory.

In the case of organisations which already apply risk analysis techniques, as for example project, process, product FMEA, these may be taken into account, provided they are applied to the environmental management system topics.

6.1.2 Environmental aspects

Determination of the environmental aspects and assessment of their significance is confirmed as a fundamental activity of environmental management system planning.

The requirements of the standard clearly state the need to consider a life cycle perspective when determining, assessing and managing own environmental aspects, whether they are linked to activities, products or services.

Thus, the environmental aspects and related impacts must be the outcome of an analysis which goes beyond the organisation’s production boundary and covers the entire chain value considering the upstream (i.e. procurement, design) and downstream (i.e. sales, use, end of life disposal) processes, independently of the physical location where they occur and of the respective owners, which may

The environmental aspects and the assessment of their significance should be checked at the same time as verification of the planning process in general (6.1.1), taking care to obtain evidence of the documented information required by this point of the standard, that is:

- significant environmental aspects; - criteria used to determine significance.

19



be entities which are different from the organisation.

The extent of the analysis will depend on the control level held by the organisation over each process or on the influence it can exert on the components of the chain.

Apart from the environmental aspects and impacts and significant environmental aspects, the organisation is also required to document the adopted significance criteria.

The significant environmental aspects are to be communicated to the various relevant levels and functions within the organisation.

The significant environmental aspects can involve risks and opportunities which the organisation is required to manage.

6.1.3 Compliance obligations

Compliance obligations derive from an analysis of the needs and expectations of interested parties, within and outside the organisation.

In particular, the needs and expectations, which the organisation must or chooses to comply with, are compliance obligations. Mandatory compliance obligations include legal requirements, as they express the legislator’s expectations or those of other authorities which have prescriptive power in relation to the organisation.

The compliance obligations are to be in documented form.

Compliance obligations can involve risks and opportunities, which the organisation is required to manage.

Compliance obligations should be checked at the same time as verification of the planning process in general (see 6.1.1), taking care to obtain evidence of the documented information required for this point of the standard.

Examples of documented information of compliance obligations could be:

- Registers of fulfilments - Contractual arrangements - Agreements - Chain agreements

Particular attention should be given to the criteria used to identify compliance obligations, starting with an analysis of interested parties (4.2) and whether these are in line with the outcomes obtained from this analysis.

6.1.4 Planning action

The outcomes of the planning process are to be used to plan the environmental management system, in all its stages. In particular, the output of the process is to lead to the identification of the actions to be taken to address:

- significant environmental aspects; - compliance obligations; - risks and opportunities.

The actions can be activities to be integrated in existing processes implemented in the environmental management

For evidence, reference is to be made to point 6.2.2 and chapter 8.

20



system (i.e. review of communication methods within the organisation), elements of a plan drawn up to achieve a specific environmental objective (6.2.2), specific actions aimed at controlling risk.

By determining effective actions aimed at managing the critical aspects of the environmental management system, the type of preventive tool of the system is in fact substantiated. Thus, in the current standard, the specific requirements related to “preventive action” have disappeared, as it is the system, with its risk based thinking, which prevents the occurrence of events which could invalidate the organisation’s environmental performance and objectives.

6.2 Environmental objectives and planning to achieve them As an integral part of the planning process, the top management, when establishing the environmental objectives, shall consider the outcome of the analysis of risks and opportunities and pursue continual improvement, not only in terms of reducing the impacts generated by its activities/processes, but also of being able to take advantage of the opportunities offered by the context in which it operates.

The top management can establish environmental objectives at different levels, for example strategic, tactical, operational. Depending on the level, the auditor should check that the actions identified for each objective and the resources allocated by the organisation are in line with the aims the organisation pursues to ensure, at least during this stage and the variables being equal, a positive outcome.

6.2.1 Environmental objectives

Following the planning process and in order to pursue continual improvement and effective management of risks and opportunities, the organisation shall establish the objectives of an environmental nature which are consistent with:

- the environmental policy; - the significant environmental aspects it has

determined; - the output of the analysis of risks and opportunities;

and ensure they are structured in such a way as to be measurable (where applicable – “practicable”), monitored, communicated and periodically updated. In particular, they should be communicated to those who, under the organisation’s control, are involved in the process and at different levels, can influence it. The top management may establish environmental objectives of a strategic nature (applicable to the whole organisation: i.e. reconversion of plants to renewable energy sources), tactical and operational (optimisation of the firing curve of the furnace).

The auditor’s attention should focus, as a priority, on checking whether the objectives determined by the organisation are consistent with the actual organisation as a whole and with its processes/activities.

For this purpose, the organisation should make documented information available (i.e. plan of objectives, environmental programmes, management review, etc.).

With regard to consistency between the objectives and environmental policy, the auditor needs to check that they are harmonised and aligned with the commitments made by the top management.

An environmental objective need not necessarily be established for each significant environmental aspect.

The auditor should check how the objectives are communicated to the personnel involved (7.4.2).

21



6.2.2 Planning actions to achieve environmental objectives Once the environmental objectives have been established, the organisation shall define the actions needed to achieve them to enable systematic control of their state of progress and if necessary, take corrective action/make adjustments. For this purpose, the following are to be defined: - what needs to be done; - resources used; - responsibilities; - deadlines.

The implementation status of the objectives is to be periodically and systematically monitored by identifying suitable indicators, also to assess the results achieved. The objectives are to be compatible with the organisation’s general strategic policy so as to ensure integration with its business processes.

The auditor should check that: - the objectives are compatible with the

organisation’s business strategies; - what needs to be done, resources used,

responsibilities and deadlines are established for each objective;

- the indicators identified are suitable to monitor the state of progress of the actions defined.

For more detailed information on environmental indicators, the auditor can refer to a number of instruments, among which the ISO 14031 standard.

22



7 Support 7.1 Resources

The organisation shall determine and provide all the resources (i.e. human, economic, infrastructural, etc.) internal and external, needed to implement, maintain and continually improve the environmental management system.

The environmental management system should include (i.e. in the context analysis, in the management review, in the improvement objectives, in the organisation’s budget, etc.) considerations and/or evidence of an analysis of the resources needed and of the relative actions to be taken, to remedy any deficiencies.

It should be possible to verify whether suitable human and infrastructural resources, internal and external, have been allocated, in line with the established objectives, through the following:

- visits to the organisation’s departments/offices and areas;

- interviews with the personnel; - evaluation of the ability to manage, maintain and

improve company activities/plants, infrastructures and of its performance;

- analysis of the state of compliance with the mandatory/voluntary legislation underwritten.

7.2 Competence

The concept expressed by the standard is that the necessary competence is to be established for each person (internal and external) working under the organisation’s control and who could influence the organisation’s environmental performance and its ability to fulfil its compliance obligations.

Competence may be acquired in many ways and is not strictly linked to training, which represents only one of the elements to be considered.

Compliance with the requirement could be verified through:

- identification and analysis of the necessary competence (competence profiles), also in the case of changes;

- management review (identification, confirmation, updating of competence, request for new competence for new business);

- verification of any personnel development plans and related objectives;

- verification of any competence development plans;

- verification of any competence monitoring plans; - corrective action; - examination of the results of internal audits for

the evaluation of new competence or of competence to be updated;

- examination of the results of audits to verify compliance with the applicable legislation;

- on-site assessments (i.e. through interviews and/or observation) of the ability of people to act when carrying out their activities.

Particular attention should be given to assessing how the organisation evaluates the effectiveness of the actions taken to ensure an adequate level of competence.

23



7.3 Awareness

The requirement of “awareness” is confirmed and focuses on the environmental policy, on the significant environmental aspects and impacts associated with each person’s work activities, on each person’s contribution (not only the organisation’s personnel but also that of external providers and external personnel), with the effectiveness of the management system and with the benefits linked to performance enhancement and to the implications/repercussions of non-conforming situations related to the management system.

The auditor should assess personnel awareness throughout the entire audit, mainly through interviews with the personnel and through evidence which can include:

- direct communications; - meetings; - management system audits; - specific training; - sharing of objectives/results; - sharing of non-conformities found; - sharing of the contents of the environmental

policy; - any instructions/procedures.

7.4 Communication 7.4.1 General This is one of the requirements of the standard which has undergone the most changes as it foresees:

- the definition of a communication process (internal and external) divided into a series of key points which, to be defined, requires an adequate context analysis to have been carried out, including determination of interested parties (for example, environmental communication should be functional to understanding the context, to environmental awareness of interested parties, to company image in relation to a specific topic, to the role and influence of opinion leaders on specific issues, etc.);

- planning of the most appropriate tools, through which communication should be made, including for example:

- relevant issues for which a communication is necessary;

- relevant issues for which communication is strategic;

- information needs and expectations of interested parties.

The communication process is to be able to fulfil requirements derived from compliance obligations and from its own communication process. Moreover, consistency is required between the environmental information communicated and the information generated by the environmental management system (i.e. through performance indicators) as well as accuracy/reliability of this information.

Compliance with the requirement could be checked through:

- a plan/environmental communication strategy within and outside the organisation;

- documented records of the types of environmental communications made (examples of external communications can be an Environmental Statement as per Regulation 1221/2009/EC - EMAS or Environmental Product Declaration - EPD);

- complaints, indications and/or requests from interested parties;

- applicable mandatory/voluntary obligations;

- verification of environmental communications to control bodies and/or pertinent authorities (if there are requirements in this sense) according to the applicable environmental legislation (i.e. authorisations, decrees, etc.);

- communication procedures established by the organisation;

- roles, responsibilities and resources assigned to environmental communications;

- situations which have arisen in relation to analysis of the context and determination of the needs and expectations of interested parties.

24



7.4.2 Internal communication

The requirement has not changed significantly compared to the previous edition of the standard, except for the introduction of the concept whereby internal communication is to ensure adequate knowledge, at all levels, of internal changes and how they are managed.

Compliance with the requirement could be checked, apart from through interviews aimed at assessing the effectiveness of internal communications, through:

- evidence of environmental communications made (i.e. e-mails, faxes, internal circulars, internal work orders, etc.);

- improvement proposals (i.e. suggestion box); - improvement objectives and policy; - minutes of meetings.

7.4.3 External communication

Like the previous requirement, also in this case no different concepts compared to those contained in the previous edition of the standard have been introduced.

Reference is made to the need to consider appropriate forms of communication if required by regulatory requirements applicable to the organisation and/or if and when required by the organisation’s communication processes.

Compliance with this requirement of the standard may already have been verified in connection with control activities performed to meet the requirements in 7.4.1 of this standard.

7.5 Documented information 7.5.1 General

“Documented information” replaces the terms record and documented procedure contained in the previous edition of the standard.

This concept is one of the main innovations of the new edition of the standard and contributes, in a decisive way, to simplifying documental requirements.

The organisation shall determine which documents are necessary for the management and effectiveness of the system and how these are to be managed.

It is clearly indicated that the size of the organisation’s environmental management system documental set-up will vary in relation to the elements specifically indicated by the standard, which it is necessary to take into account, also in relation to audit activities.

The standard clarifies that the wording:

- “retaining documented information” refers to those documents which the previous edition of the standard indicated as “records”;

- “maintaining documented information” refers to those documents which the previous edition of the standard indicated, for example, as documented procedure, etc. for which

The documented information explicitly required by the standard is:

- Scope (4.3) - Environmental policy (5.2) - Risks and opportunities it is necessary to address

(6.1.1) - Process(es) required in points 6.1.1 to 6.1.4 - Environmental aspects and associated impacts

(6.1.2) - Criteria used to determine significant

environmental aspects (6.1.2) - Significant environmental aspects (6.1.2) - Compliance obligations (6.1.3) - Environmental objectives (see 6.2.1) - Evidence of competence (see 7.2) - Environmental communications (7.4.1) - Demonstration of compliance of the process as

planned (see 8.1) - Demonstration of compliance of the emergency

preparedness and response process as planned (see 8.2)

- Documentation of evaluation, analysis, measurement and monitoring of own performance (see 9.1.1)

25



controlled management is foreseen and which serve for system management.

The standard specifies for which requirements it is necessary to retain a record (retaining documented information) or maintain a managerial document (maintaining documented information).

- Evidence of own compliance evaluation (9.1.2) - Evidence of implementation of internal audit

programme and related results (see 9.2.2) - Management review outputs (9.3) - Nature of the non-conformities, actions taken

and corrective action (10.2.).

It should be checked whether the organisation has determined as necessary the documentation of external origin (7.5.3).

7.5.2 Creating and updating

There are no substantial differences compared to the previous edition of the standard.

When creating and updating documented information, the organisation shall establish identification and description methods, format and ensure its adequacy through suitable review and approval.

Compliance with the requirement could be verified during the entire audit by examining the status of the various types of documented information implemented by the organisation and relative management, including the updated status.

7.5.3 Control of documented information

There are no substantial differences compared to the previous edition of the standard.

The documented information required by the environmental management system is to be correctly managed to ensure its availability and suitability for use, where and when necessary, and adequately protected (i.e.: from loss of confidentiality, improper use or loss of integrity).

To control the documented information, the organisation shall take into account distribution, access, retrieval and use, storage and preservation – including preservation of legibility and control of changes (version control) - and disposition.

Except where foreseen by compliance obligations in this connection, there is no specific reference to preservation time.

The documentation of external origin necessary for the planning and operation of the environmental management system is to be appropriate and kept under control.

Compliance with the requirement could be assessed by examining how the documented information is managed and could be verified by examining:

- implementation of the management, control and protection methods of the documented information;

- how the documentation of external origin is identified and updated;

- a possible list of documented information with the relevant updated status;

- availability of the appropriate documentation where necessary;

- the forms of documentation protection adopted also in compliance with privacy policies.

26



8. Operation 8.1 Operational planning and control The organisation shall establish, implement, control and maintain the processes needed to meet the environmental management system requirements and to implement the actions identified during the stages of determination of risks/opportunities correlated to environmental aspects, considering the life cycle (6.1.2), to compliance obligations and to other issues established during the context analysis. The organisation should establish operating criteria for the processes and implement control of these processes. The type and extent of control depends on the organisation’s characteristics and its management system scope, bearing in mind what has been planned to ensure the objectives are achieved and prevent or limit risk. This chapter of the standard also takes into consideration management of outsourced processes and the standard requires that they be controlled or influenced.

How the organisation has determined the operating processes, how it has planned their control and management of changes should be verified. With regard to operating management, it is advisable to check, for example, the following:

- Practices, procedures, instructions on operating management of environmental aspects connected with the organisation’s processes. For example:

o Procedures – waste management instructions, purification plant management, management of emission treatment plants, etc.)

- Management and control activities aimed at

ensuring that the environmental aspects and related applicable requirements are taken into account in connection with the design and development processes of products and services, bearing in mind the various life cycle phases. For example:

o Protocols to be followed for design which take account of environmental aspects and impacts.

o Definition of environmental requirements to bear in mind for the functions which deal with the organisation’s marketing.

o Development plans – products and services project which define the environmental requirements for each step of the project.

- Documents where the organisation has

established its environmental requirements for product-service procurement. For example:

o specifications – product purchase orders which contain specific environmental requirements for procurement (i.e. ecolabel products, products with less environmental impact, energy resources produced from renewable sources, materials which can be recycled more at end of life, etc.)

27



o specifications – contracts for the purchase-contracting of services where also environmental type requirements are established (i.e. use of products with low environmental impact, method of managing generated waste, reduced energy resource consumption, etc.)

- Communications intended for external providers,

including contractors, related to its environmental requirements. For example:

o tenders o fact sheets o practice – procedures shared by the

organisation and contractor

- Information on environmental impacts associated with transport or delivery, use, end of life treatment and final disposal of its products and services. For example:

o fact sheets related to the organisation’s products

o contractual documents with companies in charge of transporting products to clients

o identification on fact sheets accompanying the product related to management of the material at end of use.

In relation to outsourced activities/processes, the auditor should check the following elements at the organisation:

- contractual agreements with outsourcers of outsourced processes, with specific reference to requirements of an environmental nature and to their management rules;

- control of environmental aspect management connected with outsourced activities;

- definition of contractual specifications containing environmental type requirements also in relation to outsourcers who are not outsourcers but service providers (i.e. cleaning services, maintenance services, etc.);

- definition of control and evaluation activities/qualification of suppliers in relation to compliance with the environmental requirements included in the above contracts/agreements.

The presence of documented information, related to both programming documents and records, which provide evidence of what is stated above, should be verified.

28



8.2 Emergency preparedness and response The organisation shall establish, implement and maintain the processes needed to prepare for and respond to potential emergency situations which may cause: - undesired effects, including the potential for external

environmental conditions to affect the organisation; - an environmental impact.

The organisation shall: - plan actions to prevent or mitigate adverse

environmental impacts; - respond to actual emergency situations; - take action to prevent or mitigate the consequences

of emergency situations and potential impacts; - periodically test the response actions; - periodically review and revise the processes and

planned response actions, in particular after the occurrence of emergency situations or tests;

- provide relevant information and training to interested parties, including persons working under its control.

The new standard makes it clear that undesired effects can be caused by emergency situations derived from external environmental conditions.

The auditor should verify the existence of the following: - practice/instructions/procedures/plans which

establish the actions to be taken to manage emergency situations;

- records of any emergency situations which have occurred and of the action taken to mitigate/eliminate the adverse effects/impacts;

- records of simulations of emergency situations, of the action taken and of the results achieved;

- records of periodic reviews of emergency situations which have occurred and/or simulated and of confirmation of validity or need to update the pertinent practice/instructions/procedures;

- records of training carried out.

29



In general, in all the paragraphs, it’s no longer a question of “preserving records”, but rather of “preserving documented information” 9. Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.1.1 General The requirement better clarifies point 4.5.1. of the 2004 version but does not require anything new. Documented information on monitoring activities is required.

The requirement makes clear the need to plan the monitoring activities of the production process in order to control its environmental performance, detailing the points the organisation should follow.

Besides evaluation of the environmental performance, it is reaffirmed that monitoring, measurement and analysis activities should serve to evaluate also the effectiveness of the environmental management system and, therefore, continuous compliance with the requirements/objectives the organisation has established.

The organisation should thus determine what needs to be monitored and how, the most appropriate methods and frequency of control for the execution of these activities and should ensure they are carried out. Moreover, documented information should be retained as evidence of the results.

The importance of internal and external communication of environmental performance, which should be made by the organisation in line with the established communication process and as required by compliance obligations is made clear and highlighted here.

Compliance with the requirement should be assessed through verification of the following tools: - environmental monitoring plan which is to contain

the monitoring required by existing authorisations (water discharge, emissions into the air, etc.), as well as monitoring aimed at ensuring control over significant environmental aspects;

- evidence of monitoring performed in compliance with the plan (analysis reports). The organisation is to guarantee that the results of the analyses are examined, highlighting any critical situations (approaching or exceeding the authorised limits);

- evidence of calibration of the equipment used to measure significant values from the environmental point of view (phonometer, continuous emission monitoring systems, etc.);

- if the organisation uses external providers for the environmental analyses, it is to check that they keep their instruments under control (accreditation, ISO 9001 certification or request for the calibration certificates for the instruments used);

- method of communicating the monitoring results to the control bodies (ARPA, municipality, province, where requested) and to other interested parties, where foreseen.

9.1.2 Evaluation of compliance Compared to point 4.5.2 in the previous edition of the standard, the request for a procedure has been eliminated and is replaced by a reference to the establishment of a process to evaluate compliance, included in the organisation’s normal operating activities and which clearly considers any action to be taken. This process shall guarantee that the organisation maintains knowledge and understanding of its compliance status. The frequency of the evaluations could vary if operation and/or compliance obligations were to change. The standard clarifies that “A non-compliance is not necessarily elevated to a non-conformity if, for example, it is identified and corrected by the environmental management system processes”.

Compliance with the requirement should be assessed by verifying the following tools: - planning compliance evaluation and its inclusion in

the organisation’s operations in line with the framework of company responsibilities in this connection;

- documentation of the outcomes of the compliance evaluation;

- any actions implemented following non compliance in applying the monitoring plan;

- any actions implemented following lack of analysis and/or response to any negative outcomes of the monitoring.

30



9.2 Internal audit 9.2.1 General The audit objectives are unchanged compared to point 4.5.5 of the previous edition of the standard. The standard clarifies the method and requirements to be taken into account when preparing the internal audit programme. Reference is to be made to the ISO 19011 standard for audit execution.

Compliance with this requirement should be assessed by checking internal audit reports.

9.2.2 Internal audit programme Where, previously, the audit results were to be provided to the top management, now the concept has been extended to “relevant management”. Furthermore, as well as taking into account previous audits and the environmental importance of the processes, also changes affecting the organisation are to be considered.

Compliance with the requirement should be assessed by verifying the following tools: - audit planning; - criteria for auditor selection (competence,

independence from the activity being audited and impartiality);

- consistency between the qualifications of the personnel who performed the audits and the established criteria;

- internal audit reports including verification that non-conformities have been resolved and/or evaluation of the effectiveness of the actions taken following previous audits;

- communication of the audit results to the “relevant management”.

9.3 Management review The input data of the review are more detailed and include some new elements, among which:

- the results of previous review, audit, monitoring activities and of the trend of actions taken (corrective and/or related to non-conformities and fulfilment of compliance obligations)

- changes: o in the context (internal and external issues

relevant to the environmental management system);

o in the needs and expectations of interested parties;

o in risks and opportunities. - Evaluation of the adequacy of resources

Also the subject of “interested parties”, addressed in 4.2, does not require documented information; here a record is necessary, at least of the variations. Also the outputs are more detailed and include: - decisions related to continual improvement

opportunities; - decisions related to any need for changes to the

environmental management system, including resources;

Compliance with the requirement should be assessed by verifying the following tools: - planning of the review(s); - report of the review. The topics may also be addressed at different times, by carrying out the review at more than one ad hoc meeting, or performing it on other occasions foreseen by normal business operations (for example meetings, get-togethers, etc.). In the latter case, all the requirements covered by the standard related to management review are to be present and checked.

31



- actions to be taken when environmental objectives have not been achieved;

- opportunities to improve integration of the management system with other business processes and any implications for the strategic direction of the organisation.

In fact, the top management is required to take a stand by defining and/or reviewing the strategies.

32



10. Improvement 10.1 General

This chapter is dedicated to improvement in general, which takes up the previous points (9.1, 9.2, 9.3) where opportunities for improvement and the actions to be taken are identified. Improvement does not only mean enhancement of environmental performance but also improvement of the management system in itself.

Compliance with the requirement should be assessed by verifying the effectiveness of the actions taken following evaluation of performance, compliance, audits and management review.

Evidence of actions to be taken could be found as:

- audit and management review outputs; - consequence of implementation of corrective

action; - consequence of business reorganisation, process

changes or significance of environmental aspects.

10.2 Non-conformity and corrective action

Essentially, there are no significant changes to this requirement.

Preventive action has been eliminated. Reference is to be made to points 4.1 and 6.1. regarding prevention.

The request for a procedure has been eliminated.

The need to control and correct non-conformities has been added.

It is made clear that the organisation shall “deal with the consequences” of non-conformities.

It is specified that it should be determined whether similar non-conformities may occur and to evaluate the effectiveness of corrective action taken.

Compliance with the requirement should be assessed by verifying the following records related to management of: - non-conformities, including analysis of causes; - any complaints; - corrective action, including verification of

effectiveness.

10.3 Continual improvement

Improvement is to be considered a continual activity; each time an opportunity for improvement of suitability, adequacy, effectiveness of the environmental system and of environmental performance is identified. Actions to improve the management system could arise as a result of the management review, corrective action or determination of improvement opportunities.

Compliance with the requirement should be assessed through: - examination of the changes made to the

management system: reasons for the change, how it has been managed (continuing to ensure compliance) and verification of its effectiveness;

- examination of any improvement strategies and policies.

The elements to be checked with reference to this requirement can be found also in connection with other points of the standard (for example, management review, internal audits, environmental performance monitoring, etc.)

33

ANNEX 1 Context of the organisation: EXAMPLES OF EXTERNAL ISSUES

34

ANNEX 2 Context of the organisation: EXAMPLES OF INTERNAL ISSUES

ﾷ Strategic business lines and policies

ﾷ Level of internal sharing of company values

ﾷ Governance, ownership structure and management

ﾷ Contractual system

ﾷ Assets, technological resources, know-how, competence

ﾷ Company turnover and profitability indices

ﾷ Environmental investments

ﾷ Guidelines, voluntary codes, environmental best practices

ﾷ Environmental communication and marketing activities

ﾷ Environmental training

ﾷ Internal control systems

ﾷ Internal organisational climate and awareness of environmental issues

35

ANNEX 3 EXAMPLES OF RISKS

Examples of risks that could compromise the intended outcomes of the EMS:

ﾷ Risk of material damage to company property

ﾷ Risk of material damage to other people’s property which has repercussions on the

company

ﾷ Risk of environmental damage (irreversible or with extremely high clean-up costs)

ﾷ Risk derived from the application of sanctions (personal or against the company)

ﾷ Risk of damage to people’s physical integrity (employees and non employees)

ﾷ Market risks (insufficient development compared to increasing «green» demand;

accessibility to calls for tenders; lack of external providers able to guarantee specific

environmental requirements; rise in the cost of natural resources used in the processes)

ﾷ Financial risks (negative commercial performance of products/services for which significant

environmental investments have been made; accessibility to credit or availability of

suitable insurance products)

ﾷ Risks related to reputation (adverse attacks by the media following reports in the press,

legal action and judicial measures, research publications and studies, placing on the market

of non-conforming products, fraudulent alteration by third parties of products/services,

revocation of authorisations and permits, incidents involving external

providers/contractors)

ﾷ Risks that compromise Business Continuity (environmental incidents also at external

providers, distributors and third parties; lack of external providers with specific

36

environmental requirements; revocation of authorisations/permits; adverse events related

to supply/distribution with repercussions on the chain; inadequate contractual system)

ﾷ Risks due to political changes and institutional relationships

ﾷ Innovation risks (obsolete technology and processes also in relation to legal requirements

or other «restrictive» measures; lack of know-how and availability of external resources)

37

CONFORMA – Association of Certification, Inspection, Testing and Calibration Bodies which operates in the TIC (Testing, Inspection, Certification) sector, that is to say, in the conformity assessment sector, understood as a series of activities, generally carried out under accreditation and/or authorisation of the pertinent ministries, on a voluntary or mandatory basis, related to the certification of management systems, products, personnel and services, inspection, CE marking, laboratory tests and calibration.

It was set up in 2012 by some of the most important national and international organisations in the independent third party conformity assessment sector; it is based in the centre of Milan and has 4 technical sectors: Certification, Inspection, Testing and Calibration.