A couple weeks ago, I introduced this short series of articles on Chain of Custody certification for FSC, SFI, and PEFC – all based on two ideas: First, that CoC is too complicated, and second, that it doesn’t have to be that way. The first installment in my series took a look at the “guts” of chain of custody: Inputs, Outputs, and Labels. This second installment will look at the basic organizational infrastructure that your company will expected to demonstrate in order to get (and remain) certified – the Management System Requirements.
When new clients approach me for help in getting certified for FSC, SFI, or PEFC, I find that they are often focused on the specific details of the business situation that brought the need to light. Perhaps an important customer has asked if they can attach a “green” certification label to their widgets. Or maybe a key competitor has begun marketing themselves, using the language of sustainability. This business-first focus is actually a good place to start when exploring certification for the first time. Defining the underlying business need helps ensure the final strategy is a good one.
Before long, however, every certification client has to come to terms with the fact that the Chain of Custody standards we work with – even though they apply specifically to the products we make – are really management system standards. And like all management system standards, they come with a list of “things you gotta do”. This list has its roots in the family of international standards maintained by the International Organization for Standardization (ISO), which is good news for companies who already hold ISO certificates of one kind or another. A lot of CoC companies, though, are new to certification. For them, this list requires a bit a of attention. None of the individual items are particularly challenging. But if they are implemented poorly, or badly coordinated with regular day-to-day business, they can prove troublesome.
There is a trick to keeping the Management System requirements painless. That trick is to embrace them. Accept that you have entered the world of third-party certification and learn to run your day-to-day affairs in a transparent and orderly way. The management system parts of the PEFC, FSC, and SFI standards are just a structured format for doing this. It might not be the exact format we’d pick if we were starting for scratch, but it is the format we will need too learn to live with and the one our auditor will be checking us against every year.
Fortunately, for those of us who regularly work with several standards at once, the Management System requirements is the place where our three CoC standards are the most in synch. MixedWood has a cross-referenced checklist that we use to annotate and track our clients against the PEFC, FSC, and SFI standards. I have reproduced the Management System part of that checklist here for your reference (click on it to enlarge).
At a glance, it may look like a long list. But in practice, we find it pretty easy for most companies to digest and live with. It is best understood in just a few key categories:
- Written Procedures & Policy: All three standards require you to formalize the CoC system into some sort of written document. This often takes the form of a separate CoC procedures manual. Visiting certified companies – as a consultant and an auditor – I have seen hundreds of examples of these (here’s one). Some manuals are carefully and formally written, carefully addressing the standard(s) point by point and filling 30 or 40 pages. The best ones (in my view) are short and simple – suitable to tack up on the office wall. If your company already has a written set of business procedures, work instructions, or SOP’s; there is no reason to write another another one. You can certainly add CoC details to the SOP’s you’ve been maintaining for years. All the programs require some sort of formal policy position. In the case of PEFC and SFI, a simple policy statement suffices. For FSC, a specific document is provided for signature.
- Staffing, Training, and Infrastructure: PEFC, FSC, & SFI all agree that each job needs a trained person assigned to make sure it gets done properly. This starts, of course, with assigning someone to be in charge. In practice, it is this last point where mistakes tend to get made. Wise companies assign the “person in charge” role to someone who is sufficiently engaged in business details to understand what needs to be done and has sufficient authority to actually get things done. This balance can be tricky.
- Records: A very big part of designing and maintaining a certified CoC system is the maintenance of records. Most records that are relevant to the CoC program are standard business documents – packing lists, invoices, manufacturing orders, inventory tags etc. The need for third-party verification adds some additional record-keeping burdens, though. Other items that need to be kept track of will include training rosters, copies of trademark use approval, supplier verification notes, and basically anything else that you’ll need to “demonstrate” your conformance to some part of the standard. This is the least popular, but probably unavoidable, part of third-party certification.
- Internal Audit and Review: PEFC and SFI require this of all certified companies. FSC limits it to multi-site companies. Internal Audits do not have to be formal or time-consuming; and a Management Review can be as simple as having a senior manager sign off on the audit report.
- Complaints and Non-conforming products: Because all of the programs are following international accreditation protocols set by ISO, they have all added recently added requirements for formalized complaint procedures. Most companies treat this as a “boilerplate” requirement that requires a written policy, but little actual work. In their zeal for line-by-line compliance with EU legality regulation, FSC has also added (through it’s back-door Directives process) a requirement for yet another protocol for “non-conforming product”. This essentially formalized the process of acknowledging and correcting supply chain mistakes. Another example – I am afraid – of FSC’s tendency to add complexity in a way that doesn’t really add any value.
The Bottom Line
The title of this post and this series is CoC SHOULD BE EASY. After reading through this list of “stuff you’ve gotta do”, you might conclude that we’ve got a long way to go. I think that is the wrong conclusion. The truth is that any third-party certification is going to include some additional “baggage”. The trick is (and there is always a trick) to keep this baggage to a minimum. These Management System can be broken down into a few simple, sensible categories. And they can be attached to and and absorbed into day-to-day business. With time, they cease to be “something extra”, and become part of how we do our business. Hopefully no longer a burden; but actually something that adds value to the bottom line.
And that’s how it ought to be, right? Because (as I’ve said before) CoC SHOULD BE EASY!