Auditing the climate amendment

In February of last year, the ISO formally adopted an Amendment to ISO 9001, relating to climate change. (In a stroke of ironic timing, I published an article with Quality Digest just days before the decision, on the subject, "What would it mean if this amendment were adopted?") And right away, voices began calling out, "How do we audit the new requirement?"

Strictly speaking the Amendment added one new requirement to ISO 9001:2015, and one note. The requirement is added to clause 4.1, which discusses Context of the Organization (including the internal and external issues facing the organization), and it provides:

The organization shall determine whether climate change is a relevant issue.

The note is added to clause 4.2, which discusses the needs and expectations of the organization's interested parties, and it reminds the reader:

Relevant interested parties can have requirements related to climate change.

That's it.

Now, the note is literally just a reminder. It is not auditable, which means that there is no need for the organization to show an auditor any objective evidence related to it. But whenever the ISO standard uses the word "shall," that word creates a requirement. The organization has to do it, and has to be able to prove it to an auditor.

Only, ... what questions can the auditor ask to check whether the organization made the determination they are required to make? Auditors started asking for guidance.

And the ISO 9001 Auditing Practices Group rode to the rescue! I don't remember if I've mentioned this group before, but they write papers on how to audit to ISO 9001. They have a website here, which hosts a large library of these papers available for free download. If you ever want official advice on how to audit some part of the ISO 9001 standard, check their library first.

Sure enough, just a month after the Amendment went into effect, the APG published ISO 9001 Auditing Practices Group Guidance on: Auditing Climate Change issues in ISO 9001. You can find it online for free, located here.

As a side note ... I remember when this document first came out, somebody on LinkedIn remarked that the paper is ten pages long. He argued that for it to be so long "proves" that the new requirement "must be" heavy and onerous. I no longer remember if he went so far as to accuse the Lizard People of using this requirement to crush small businesses, and I have lost the link so I can no longer re-read his post to check. But I almost expected him to.

So as a public service, let me reassure you: There is no sign that any Lizard People wrote this paper, and the requirements are not heavy or onerous.

Fine, what does it say?

The basic advice is simple:

• Stay objective.
• Ask if the organization has decided climate change is relevant to them?
• If yes, what steps are they taking?

Let's look at each of these briefly.

Stay objective

When this amendment was first debated, I heard one person say:

"It is impossible for anyone to pretend they aren't affected by climate change. Therefore the answer to the question 'Is it relevant?' has to be Yes, and if someone says No you can write him up!"

The APG rejects this line of thinking. They point out that each organization has a right to make this decision for themselves. The APG paper goes on to say:

In some parts of the world climate change and its causes are controversial topics. Consistent with ISO 19011:2018 Guide­lines for auditing management systems, auditors are to maintain objectivity and neutrality when auditing climate change issues. They should not express personal beliefs relating to climate change. The role of the auditors is to assess whether the organization determined if climate change issues are relevant or not in relation to their QMS and its intended results and, if that is the case, then how it is addressed within the QMS.

This amendment does not require an organization to have climate change initiatives unless it has been identified as a relevant issue to achieve the intended results of the QMS.

Is it relevant?

So the first thing to ask is whether the organization thinks climate change is relevant to them? This means: Do they think that there is a credible risk that climate change can affect their ability to supply their goods or services to customers?

While you are asking that, the paper suggests that you might also check whether the organization has any statutory or regulatory requirements that could affect the answer? And likewise, do they have any contractual requirements that could affect the answer? Obviously you (as an auditor) want to see that the organization's decision on this point is aligned with their legal or contractual requirements.

And then the paper suggests other directions you might explore:

• Is the organization starting to use renewable materials?
• Have they been asked to move to carbon neutral products and services?
• Have energy issues pushed them to reorganize their operations or infrastructure?
• Are they seeing a greater frequency of storms, floods, fires, or drought? And if so, do those developments affect their employees, their supply chain, or their distribution?

And so on. The paper lists many more questions that you might consider.

What steps are they taking?

If the organization determines that climate change is out of scope for their Quality Management System, the discussion ends there. But if they decide that it is a relevant issue, then the basic logic of ISO 9001 requires that they address it one way or another. Naturally the details will be different for every organization. But you can follow the climate theme as a thread throughout the rest of the audit:

• When you audit the scope of the QMS in clause 4.3, you can check whether they still use the same industry codes as before. Are they still making the same products, or in the same line of work?
• When you audit risks and opportunities in clause 6.1, what risks and opportunities have they explicitly identified that relate to the climate? How have they evaluated them? Have they assigned actions to address the risks or capitalize on the opportunities?
• When you audit changes in clause 6.3, consider all the other changes listed here. Has the organization handled them in a planned and controlled way?
• When you audit the work environment in clause 7.1.4, has it been affected by the climate in any way? Has the organization taken any steps?
• When you audit operations in clause 8, how have their operations been affected? (The APG paper offers a full page of suggested questions for clause 8 alone, but of course the details will always depend on the individual organization.)
• When you audit performance evaluation in clause 9, what aspects of climate impact or climate mitigation are the organization monitoring and measuring? Are they monitoring and measuring data that are related to the impact or the risks they have identified? Are the tools and methods that they use for this monitoring and measuring actually fit for purpose? And how is the organization checking to ensure that the changes they have implemented really work?

Again, the paper gives many more suggestions besides these. And of course you would never use every single question. It all depends on what fits, based on the details of the organization.

None of it is heavy or onerous. And it all flows logically from the actual requirements. But I am glad to know that the suggestions are available, as a support.

If you're not familiar with the Auditing Practices Group, be sure to check out their library.