Quality Practitioners and Effective Corporate Governance
by Sandford Liebesman
Last October, Paul Palmes and I wrote an article for Quality Progress[1] describing how quality and environmental management systems (QMSs and EMSs) can help top management maintain effective corporate governance and satisfy the requirements of the Sarbanes-Oxley (SOX) law.[2]
We expected to see many letters to the editor either for or against our position. There was only one letter. Why? Is the rest of the quality community deaf to this opportunity for change?
Today I am going to add to what we said in October and talk about how ISO 9001:2000 and ISO 14001:1996 can be used to reduce the risks CEOs, CFOs and boards of directors face when complying with SOX. Note that any comprehensive QMS or EMS can be used in place of ISO 9001 and ISO 14001.
What are some of these risks? Of course, there are always financial and competitive risks. But now, because of SOX, the CEOs and CFOs of public companies must certify their financial statements, and each year they must certify the effectiveness of their systems of internal controls mandated by the law.
In the past, top management could claim ignorance of their organizations' operational failures. This no longer holds. Lack of knowledge of problems is no longer an excuse.
Top management needs to obtain better information about the effectiveness of their organizations. A system developed in 1985 by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (a private organization promoting improved quality of financial reporting) provides the basis for the internal controls used by many organizations.[3] This system is the foundation for good governance that preceded SOX. There are five parts to COSO control:
- The control environment.
- Information and communication.
- Monitoring.
- Risk management.
- Control activities.
The Control Environment
For COSO, the control environment is the foundation of the guidelines, which provide discipline and structure. It includes the way management assigns authority and responsibility and organizes and develops its people.[4]
For a QMS or EMS, clauses 4.1 and 5.3 of ISO 9001 and 4.3 of ISO 14001 require identification of an organization's processes, their sequence and interaction and the definition of quality and environmental policies.
Further, clause 5.4.1 of ISO 9001 requires the establishment of quality objectives, and clause 4.2.3 of ISO 14001 requires definition of environmental objectives and targets. Both standards require control of documents and records. Clause 6.2.1 of ISO 9001 and clause 4.4.2 of ISO 14001 require that personnel be competent based on education, training, skills and experience.
Information and Communication
To satisfy COSO, information must be identified, captured and communicated so people can carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.[5]
For a QMS or EMS, clauses 5.5.1 and 5.5.3 of ISO 9001 and 4.3.3 of ISO 14001 are used to enhance the decision making process through information and communication within the organization. Clauses 7.2.3 and 7.4.2 of ISO 9001 require communication with customers and suppliers.
Monitoring
In the COSO guidelines, monitoring requires assessing the quality of system performance over time. This is done through continuous monitoring of processes and periodic assessments. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.[6]
Clauses 8.2.3 and 8.2.4 of ISO 9001 require monitoring and measurement of processes and products. The raw data obtained here may provide the first warnings of impending problems.
Another monitoring activity, measurement and analysis of customer satisfaction in ISO 9001 clause 8.2.1, is also a tool for early warning of organizational concerns. Implementing clause 8.4 turns these data into information. Clause 4.4.1 of ISO 14001 requires monitoring and measurement of the key characteristics of operations and activities that may result in significant environmental impacts.
Risk Management
For COSO, risks must be identified, analyzed and managed. Key inputs are corporate objectives linked at different levels and internally consistent. Because economic, industrial, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.[7]
The data obtained in ISO 9001 as a result of process and product measurements can be used in risk assessment and continual improvement. Clause 8.4 of ISO 9001 requires analysis of these data, turning them into information that can be used to identify risks to the organization. The standard requires trend analysis, which is a good predictor of developing problems.
In ISO 14001, clause 4.2.1 requires identification of aspects that can interact with the environment, and clause 4.3.6 requires identification of significant aspects and the operations and activities associated with these aspects. Again, we have an early warning tool that can be used to identify impending risk.
Control Activities
The COSO control activities are the actions taken to address risk and achieve the objectives of the corporation. Control activities occur throughout the organization, at all levels and in all functions.[8]
In ISO 9001, the key to controlling the health of an organization is the "improvement loop" defined in clause 8.5.1. As part of the loop, ISO 9001 requires documented procedures to define corrective (clause 8.5.2) and preventive actions (clause 8.5.3). Both tools provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement in clause 8.2.2 to implement a documented procedure for internal audits and provide follow-up activities through corrective action (clause 8.5.2).
ISO 14001, in clause 4.5.2, requires corrective and preventive actions to mitigate impacts and reduce environmental risk: nonconformances must be managed, and actions must be taken to reduce impacts and to correct and prevent their causes. For both QMSs and EMSs, the result is improved alignment of the organization with basic corporate objectives.
Top management asserts control of risk through the management review process in ISO 9001 (clause 5.6) and ISO 14001 (clause 4.6). These meetings are used to pull together the key bits of information and actions used to set the direction of the organization and implement risk reduction activities.
An Elevator Speech
I hope readers are now convinced QMSs and EMSs have a place at the table with the internal, financial auditors. Are you ready to approach your top management with a proposal? Here is an elevator speech you can use:
I am familiar with the Sarbanes-Oxley Law and the need to better identify and manage risk. Quality and environmental management systems are tools that can help with risk management. Our processes link directly to the system of internal controls mandated by the law. I'd like the opportunity to show you how we can help.
I've made the case for quality and environmental people to be at the table when the internal financial auditors develop their reports to top management and the board of directors. You may agree or disagree with me. In any case, I'd like to hear from you. And, if you are already at the table, I'd like to develop a case study that will help others with their elevator speeches.
I would like to credit a team working on the methodology to improve corporate governance. Paul Palmes is helping his company, Northern Pipe Products Inc. of the OtterTail Corp., develop the methodology. Lawrence R. Liebesman, the environmental partner in Holland & Knight LLP, is providing the legal and environmental support. And John Walz, quality management consultant, is our Web surfer and is assisting in the development of presentations.
References
1. Sandford Liebesman and Paul Palmes, "Quality's Path to the Boardroom," Quality Progress, October 2003, pp. 41-43.
2. Sarbanes-Oxley Act of 2002, U.S. House of Representatives, July 24, 2002.
3. "Key Concepts, Internal Controls," www.coso.org.
4. "Internal Control--Integrated Framework: Executive Summary," www.aicpa.org.
SANDFORD LIEBESMAN, a standards consultant and auditor, is former ISO manager for corporate quality and customer satisfaction at Lucent Technologies. He is a member of ISO Technical Committee 176 and the QuEST Forum. Liebesman is also a Registrar Accreditation Board certified lead auditor, a certified TL 9000 lead auditor, author of Using ISO 9000 To Improve Business Processes and co-author of the ASQ Quality Press book TL 9000: A Guide for Measuring Excellence in Telecommunications.