Sarbanes-Oxley: December 2005 Archives


December 29, 2005

Risk management in ISO standards

The common theme between SOX and QMS/EMS is managing risks: financial, quality, and environmental. Many companies and Environmental Management System (EMS) consultants equate Environmental Aspects with Environmental Risks. Furthermore, they use the EMS to manage environmental aspects or risks.

ISO Definitions:

  • Risk is the combination of the probability of an event and its consequences (ISO/IEC Guide 73:2002 definition 3.1.1 “Risk management – Vocabulary – Guidelines for use in standards”)
  • Environmental Aspect is an element of an organization's activities, products or services that can interact with the environment. NOTE -- A significant environmental aspect is an environmental aspect that has or can have a significant environmental impact. (ISO 14001 definition 3.5)
  • Environmental Impact is any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization's activities, products or services. (ISO 14001 definition 3.6)
  • Risk Management is the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating and controlling risk. (ISO 14971:2000, Application of Risk Management to Medical Devices definition 2.18)
  • Risk Management Process is a continuous process for systematically identifying, analyzing, treating, and monitoring risk throughout the life cycle of a product or service. (ISO/IEC 16085 Software Life Cycle Processes—Risk Management definition 3.12)

The ISO 14004 guidance shows how EMS Significant Aspects are managed using the Plan-Do-Check-Act (PDCA) cycle for ISO 14001:2002 clauses:

  • 4.2 Environmental Policy
  • 4.3 Planning - 4.3.1 Environmental Aspects
  • 4.4 Implementation and Operation
  • 4.5 Checking and Corrective Actions
  • 4.6 Management Review

Risk management can be applied at various levels: project, organizational, enterprise. For project risk management, ISO 10006:2003 Quality management systems — Guidelines for quality management in projects has the section 7.7 Risk-related processes, with clauses:

  • Risk identification
  • Risk assessment
  • Risk treatment
  • Risk control

Companies that are registered to both ISO 9001 and ISO 14001 have the opportunity to integrate the two standards into their management system. Their understanding of risk management from ISO 14001 can be applied to quality and other disciplines, such as financials in SOX.

December 15, 2005

Quality Drives Economic Value

Today I got the email announcements of the ASQ Quality Management Division (QMD) annual conference in Irvine, CA at the Hyatt Regency Irvine hotel. I was looking forward to the details as I am involved in their March 1st one-day workshop on How to Use ISO 9001 to Reduce the Risk from Sarbanes-Oxley (SOX).

Reading the QMD conference brochure I was pleased to see our workshop has good alignment with the conference vision and preamble:

Quality Drives Economic Value: As we proceed further into the new millennium, the many threats from competition and a tightening economy compel today's organizations to provide superior products and services, while optimizing organizational performance. The 18th Annual Quality Management Conference will provide you with "ready-now" tools and strategies for excelling in today's dynamic business environment.

Looking for more synergy with SOX implementation, I see from the conference session details that I will definitely be attending the following 9 one-hour sessions:

  • What Your CEO Wants You to Know by Bill Denney
  • Management Review and the Budget by Denise Robitaille
  • Human Error Management: Quality Drives Economic Value by Larry Tew
  • Impact of Baldrige on Corporate Financial and Non-financial Performance by Denis Leonard
  • Quality Costs: Applied by Doug Wood
  • Quality Management Systems: Realizing Financial and Economic Benefits by Paul Palmes
  • Driving Measurable Business Results by Shane Yount
  • Quality Management Information Systems (QMIS) by John Cachat
  • Finally, Getting the Attention of Senior Management by Tom Taormina

Due to SOX, large corporations have been investing vast sums for:

  • better policy deployment,
  • better controls and business rules,
  • more accurate measurements,
  • better infrastructure and systems, and
  • greater transparency across the enterprise

Now I can see from the QMD conference agenda that the ASQ quality management experts are moving in these same directions, with principles and methods to help members move operational quality management up to enterprise-wide quality and risk management.

December 06, 2005

SOX Section 404 Compliance: From Project to Sustainability

On 30-Nov-05, FEI published "Sarbanes-Oxley Section 404 Compliance: from Project to Sustainability" by William M. Sinnett and Robert A. Howell, © November 2005. This Executive Report is based on a discussion by 38 Sarbanes-Oxley Section 404 implementation leaders from 33 of the nation's largest companies on their experiences complying with Section 404 during fiscal year 2004 and up to Sept-2005. Financial Executives International (FEI) is a leading international organization of 15,000 members, including Chief Financial Officers, Controllers, Treasurers, Tax Executives, and other senior financial executives.

The report recommends 33 good current practices for SOX Section 404 Sustainability.

One key recommendation, which impacts QMS/EMS managers, is to "Require self-assessment from the process owners" and use that as input to Management Reviews along with the traditional Internal Quality and Financial audit findings.

QMS/EMS managers and their auditors can help with most of these recommendations, as we already possess several useful methods and approaches:

  • Action Register
  • Audit Plan
  • Balanced Score Card
  • Business Process Management
  • Certified Quality Auditor
  • Information Technology
  • Internal Environmental Auditor
  • Internal Quality Auditor
  • Organizational Independence
  • Quality Management System
  • Risk Management

As a public service, this report is available to nonmembers and non-subscribers on request by emailing Lorna Raagas, [mailto:lraagas@fei.org].