In our busy day-to-day world of work and business, it is natural to take certain things for granted. Things like honesty, fairness, professionalism, and business ethics. Here at MixedWood – in our strange little world of certification consulting and auditing services – it is no different. We assume that most of the folks we interact with are “doing the right thing”, and most of the time that’s true. Once in a while, though, it’s not. And those exceptions can come as a bit of a shock.
MixedWood is deeply engaged in the business of 3rd-party certification. Our clientele includes a lot of wood product companies who subscribe to and certify against programs like FSC, SFI, and PEFC. These programs publish standards and invite companies to secure certifications that allow them to participate in the schemes; either by producing commodity wood products according to rigorous environmental standards or by following the traceability rules used in the marketplace. In addition to our consulting work, MixedWood also provides services to two accredited Certification Bodies (CB’s); as auditors, and for some back-office support services. We find working on “both sides of the table” essential to our business, but it does require close attention to ensure we don’t find ourselves in any conflict.
The credibility and success of 3rd-party certification programs like SFI and FSC rely on a set of ground rules that need to be respected. At the center of these rules is the independence of the three parties:
- The Standard Owner (e.g. FSC) writes, updates, publishes, and provides guidance on the standard(s).
- The implementing company – also called a Certificate Holder (CH) – interprets and implements the standard(s) and submits their implementation for independent review. Implementing companies sometimes engage the services of a consultant.
- The Certification Body (CB) conducts an objective, and independent review (i.e. audit) of the CH’s implementation, and issues a certificate attesting to the CH’s conformance to the requirements. CB’s are prohibited from engaging in consultancy.
This results in a very powerful and credible system, as long as everyone sticks to their assigned role. When they don’t however, things can get messy.
Two True Stories
Here are two, true stories that illustrate the problem. Both occurred recently in North America and were described to us by people involved in the situations.
Story A: Helping with Control Measures
During the recent transition to version 3.1 of the FSC Controlled Wood standard, many companies have had difficulty understanding, interpreting, and implementing the requirements of the newly published National Risk Assessments (NRA) for Canada and the US. In particular, the mandatory Control Measures required for large parts of North America have proven challenging. A company on the west coast encountered this problem during its regular annual audit late last year. Their auditor judged that their implementation of these required elements (FSC-STD-40-005, clause 4.1) to be inadequate and raised a finding of “major nonconformance”. The company lacked an appropriate mitigation measure for one of the Specified Risk subjects in the NRA.
After concluding the audit, the auditor contacted the company again and offered to assist them in resolving their outstanding nonconformance finding. The subject was an identified area of High Conservation Value (HCV) of interest to a regional non-profile conservation organization. The auditor – in her private practice – had a relationship with this conservation organization and was aware of their interest in collaborating with FSC-certified companies to support their ongoing programs. By providing support to the conservation group (i.e. a donation), the company would conform to one of the approved mitigation options provided by FSC-US: specifically, to “engage in and/or provide monetary…resources to conservation planning processes” relevant to the area of Specified Risk.
The client company was pleased to be shown a simple and straightforward solution to their problem. They quickly contacted the conservation group and arranged to make a small donation. A letter and check was written and copies of both sent to the auditor. This was noted as evidence of conformance and the nonconformance finding was closed.
Story B: CoC Procedures Template
An experienced Chain of Custody auditor conducted a surveillance audit for an SFI-certified packaging manufacturer last year. The company had been certified for over 10 years, but not previously audited by this auditor.
The audit proved the be very challenging for everyone. The company’s CoC system had been originally designed for FSC-certification, later adapted for dual FSC/SFI, and still maintained largely intact when FSC was later dropped for market reasons. The written procedures were long, complex, and convoluted. To make matters worse, the original author had left the company and the new manager, reluctant to delete anything, had simply added new clauses from time to time; resulting in a muddled and confusing mess.
At the end of a long and tiring day, however, everything seemed to be in order. Supplier statuses were correct. Inputs were verified and eligible. Claims were accurate and valid. Staff competency and training as it ought to be. It was clear that the system – though inefficient, awkward, and poorly documented – seemed to work. The auditor concluded that no nonconformance findings were needed. He included in his audit report, however, an additional “observation” that read like this:
The organization should consider revising and updating its procedures for Chain of Custody to improve system effectiveness.
He also provided the CoC manager with a copy of a sample Chain of Custody procedures template that was prepared by his CB.
A year later, the auditor re-visited the same client, to find that they had – in fact – fully revised their CoC Procedures document, using the template provided last year. The CoC manager expressed thanks for the auditor’s advice and said that the new, simplified system documentation made his life a good deal easier. As expected, the audit process was also much easier than the previous year.
What’s the Problem?
On the surface, both of these stories seem to have a happy ending. The client companies were struggling with complex details of their certification programs. The auditors provided them with the benefit of their specialized expertise which lead to a good outcome. All’s well that ends well – right?
Not quite. The problem is that these auditors are forgetting their role and crossing lines that should not be crossed. The fact that their intentions and outcomes were good, makes these cases tricky to understand. But it doesn’t change the fact that important ground rules were violated.
A Deeper Look
We did not share these stories because they are simple. They are not. Auditors are just like most professionals. We make mistakes from time to time, and occasionally one of us acts unethically. MixedWood is not interested in writing about that sort of thing. We shared these stories because they are tricky and because they point out some of the complex challenges in our type of work that don’t get discussed enough.
Three Parties -> Three Roles
When we said (above) that lines were crossed and ground rules violated, we were referring to the separation between the three parties involved in the 3rd-party certification process. The process is a powerful one, but it can break down if folks forget or get confused about which role they are playing. To make matters worse, the roles are sometimes shared, and the boundaries can become blurry.
For a Certificate Holder, things are usually pretty straightforward. Most CH’s don’t participate in standard-writing (although we think they should). And CH’s aren’t involved in auditing or issuing certificates. CH’s do hire consultants from time to time, and they regularly contract CB’s. Keeping the two straight is important, as we can see.
The Standard Owners (FSC & SFI) occasionally stray into the role of Certification Bodies (CB’s). This can create all manner of problems but isn’t involved in the stories we shared here. So we’ll leave that subject for another day.
Certification Bodies (CB’s) and the auditors that work for them are in the most difficult position. They are expected to be experts in their subject area; to interpret and explain the standards that they certify against. But they are specifically prohibited from consulting.
ISO 17021 is the common international standard governing the activities of Certification Bodies – recognized by FSC, SFI, and PEFC. It identifies 6 Principals that apply to management system certification, the first being Impartiality. Among the threats to Impartiality is “Self-review”. Here are some relevant excerpts:
Self-review threats: threats that arise from a person or body reviewing the work done by themselves. Auditing the management systems of a client to whom the certification body provided management system consultancy would be a self-review threat.
Management System Consultancy: participating in designing, implementing, or maintaining a management system.
Management of Impartiality: The certification body and any part of the same legal entity shall not offer or provide management system consultancy.
To put it plainly, when auditors (representing a CB) give a Certificate Holder specific advice and assistance in implementing a certification standard, they are likely to find themselves verifying the results of their advice against the standard requirements. They are – in effect – working on both sides of the table.
Did our two stories include self-review, of the sort prohibited by ISO 17021? We think they did. Does it matter? That question is harder to answer.
A big reason why our two stories are so vexing is that they both had happy endings. Even if you agree that the two auditors did violate some important ethical standards, it’s clear that the results may have been positive. Both clients received needed assistance, and both companies ended up with more effective and conforming systems. We think it is worth considering why. Could it be that the root cause of these situations lies with the standards themselves?
The first story is about Control Measures. This is widely – perhaps universally – understood to be an absurdly complex and difficult part of the FSC system. FSC has managed to create a protocol that no one seems to like and almost no one claims to understand. In the US (where our story takes place) the staff at FSC-US have attempted to define a path to acceptable mitigation measures for participating companies. But the path is full of holes and gaps, that the community is still trying to locate and fill.
The second story is about the mundane world of Chain of Custody. CoC can be simple and should be simple, but every experienced practitioner knows that it usually is not. The SFI version (SFIS Section 4) is nearly unreadable on its own. Would it not be better for everyone if we made the whole thing easier? Of course, but an audit is probably not the right place to start.
Do The Right Thing
The point we’re trying to make is this: complexity has many costs. Doing the right thing is one complexity not talked about enough. Our programs depend on credibility, integrity, and trust to exist. If we expect the marketplace to trust us, we need to trust each other. To do that, we need to respect the ground rules we’ve set for ourselves. We need to hold ourselves and each other accountable and keep working to remove the barriers that make it all more difficult.