by Russell T. Westcott with Sandford Liebesman, Ph.D.
Editor’s note: This is the second half of a two-part article that appeared in The Auditor’s November–December 2011 issue.
The first half of this article discussed approaches to four management systems that have enough links to consider integrating them within an auditing process called linked management systems (LMS). The focus is on the four systems: an ISO 9001-based quality management system (QMS), an ISO 14001-based environmental management system (EMS), a financial management system, and an information technology-based system.
We now present two case studies that illustrate the development of an LMS. The first is from Competitive Advantage: Linked Management Systems (Paton Professional, 2011) by Sandford Liebesman.
Stonhard division of StonCor Group Inc.
Tom Carpenter, director of corporate compliance, provided this case study, which describes his organization’s experience implementing an LMS. StonCor is an organization of 2,370 employees at sixteen locations that manufactures and installs corrosion protection products and polymer flooring and coatings. The Stonhard division has a QMS based on ISO 9001:2000 and a financial management system based on a combination of the Hyperion and Sarbanes-Oxley (SOX) systems. StonCor used the SOX legislation as a guideline for this integration to ensure that its legal requirements were met. Part of the organization also uses the Baldrige Criteria and StonCor has an EMS that is in the process of being registered to ISO 14001:2004.
LMS implementation phase 1: Planning
The leadership team consisted of the president and department vice presidents. They were involved with the development from the beginning of the project. The finance organization wrote the procedures and controls used to address SOX requirements based on templates provided by the parent organization. Finance wasn’t involved in building the QMS during the mid-1990s but was involved in the integration of the two systems when SOX appeared.
The control plan was developed during this phase with the objectives of standardizing processes and minimizing losses from nonconforming products. The following were the key processes defined in the control plan:
- Document control
- Corrective and preventive actions
- Material review boards
- Internal auditing
The control plan was originally developed with sales and manufacturing as the internal customers. More recently, this has been expanded to all areas of the corporation. The goals of the plan were focused on financial, quality, and environmental issues. The financial goals were to lower repair costs and reduce waste disposal. The quality goals were standardization of manufacturing and test processes and better control and oversight of specifications. The environmental goals were the reduction of waste and lower disposal costs. Phase 1 was complete once the plans that linked the QMS to SOX were finished.
LMS implementation phase 2: Development
During the development phase, the organization expanded its documentation of its financial, quality, and environmental management processes and procedures. The ISO 9001 manual was revised and an ISO 14001 manual was created. These manuals included descriptions of the internal control system and their relationships to ISO 9001 and ISO 14001. Other documentation was developed in support of these relationships.
For SOX compliance, narratives were developed that provided details of how each accounting-related function was performed. Potential risks for each process were identified and controls were originated to address each of the risks. Where a control could not immediately be developed for a risk, a “gap” was identified. The gaps were subsequently closed when the control was fully in place.
ISO 9001, ISO 14001, and internal controls training was provided in level 2 documentation and the quality and environmental management manuals. Records were kept of all personnel who completed the training.
Phase 2 was completed based on compliance to ISO 9001 and satisfaction of the SOX requirements.
LMS implementation phase 3: Internal assessment
The financial, quality, and environmental internal auditors developed a linked audit plan that included the following:
- Identification of key controls
- Evaluation of internal controls at the entity and activity levels
- Evaluation of internal controls at service providers
- Testing the controls
- Documenting audit results
- Evaluation of internal controls at supply organizations
- Documenting the results of corrective actions
A linked internal audit was completed based on the audit plan. The results of the audit indicated that all required systems, processes, and procedures were implemented and functioned as planned. Phase 3 was completed with the documentation of the internal audit results and the corrective actions.
LMS implementation phase 4: External auditing
The major preparation for external audits was based on the company’s internal audit procedures. This included the use of the checklists from internal audits and a review of the system of internal control. Personnel were trained on how to interact with auditors. StonCor had no major findings during its last three third-party audits.
Lessons learned from this case study
The following are the critical lessons learned: key personnel from all affected areas must be involved from the very start, training and continual retraining of personnel is essential, and timely follow-up must be done when problems are identified. It was also vital that StonCor corrected processes that couldn’t be followed as written. Training was provided on those processes.
Rafael Defense Systems of Israel
The integration of the management systems at Rafael Defense Systems began with certifications. During these processes a common language was developed between quality, environmental, and safety personnel. Safety personnel learned about management reviews and closed-loop corrective actions, while quality and environmental personnel were exposed to assurance of safety requirements and risk assessment. As a result of the certification processes, the roles of each management system were defined. Effective coordination was developed between the systems because safety and environmental personnel led the technical aspects and quality personnel led the process management and implementation of audits.
As a result of its LMS implementation, Rafael Defense Systems saw the following improvements:
- Increased process effectiveness
- Cost savings
- Enhancement of professionalism
- Creation of a common language
- Integration of environmental and safety requirements in the quality manual and the organization’s procedures
- Inclusion of quality, environmental, and safety in external and internal audits
- Integration of management reviews
- In some cases, integration of functional units
The main problems in this LMS implementation were the result of different professional cultures and training levels. The quality culture was based on prevention and improvement, while the environmental team focused on fixing safety and environmental problems. After the LMS implementation, Rafael focused on extensive assimilation, improving the integration process, and increasing the number of participating processes.
A number of organizations have initiated projects to audit LMS. When starting their planning, many organizations realize that they have huge cultural challenges. For example, while the standards with core-requirement similarities to ISO 9001 are somewhat easier to assimilate into a linked approach, the inclusion of a financial management system and IT systems requirements is much more difficult.
The broad requirements of SOX are the key that drives linkage consideration. Although SOX is focused on the accuracy and integrity of an organization’s financial reporting, it’s imperative that the IT system captures, records, processes, and reports timely and factual data for conversion into information critical to all stakeholders.
Conclusions
As each project in the developing LMS portfolio proceeds through the strategy development, project planning, implementation, and management stages, care must be taken to ensure the new project fits within the framework of the overall strategic plans. Continual risk assessment, at all stages, is vital to identify and remedy any potential pitfalls before they affect the journey toward LMS. Internal and external assessments and evaluation activities should be integrated with the ongoing development of the LMS portfolio to help maintain the balance needed among portfolio projects and smooth the transformation of the organization.
Although a lot has been written about LMS, and successful organizations have performed case studies on the subject, change agents in the organization may initially feel a lack of confidence when starting their own LMS implementation. The LMS initiative is and has to be a process defined and developed specifically to meet the needs of each organization. The auditing/assessing function is critical to ensure that direction is consistent with the strategic objectives and that everyone is marching to the same beat.
About the authors
Russell T. Westcott is an ASQ Fellow, certified quality auditor, and certified manager of quality/organizational excellence. He edited The ASQ Certified Manager of Quality/Organizational Excellence Handbook, Third edition (ASQ Quality Press, 2005), and was a co-editor of the ASQ Quality Improvement Handbook. Westcott authored Simplified Project Management for the Quality Professional (ASQ Quality Press, 2005), and Stepping Up to ISO 9004:2000 (Paton Professional, 2003). He is active in ASQ’s quality management division and the Thames Valley, Connecticut section management.
Westcott instructs the ASQ certified manager of quality/organizational excellence refresher course nationwide. He writes for Quality Progress, Quality Digest, The Quality Management Forum, The Auditor, and other publications.
Westcott is president of R.T. Westcott & Associates, founded in 1979 in Old Saybrook, Connecticut. He guides clients in implementing quality management systems, applying the Baldrige criteria, strategic planning, and project management practices.
Sandford Liebesman, Ph.D., has more than 35 years’ experience in quality at Bell Laboratories, Lucent Technologies, Bellcore (Telcordia), and KEMA Registered Quality. He has presented seminars and published articles on linking management systems and QMS/EMS support of SOX and led the team that developed the 2005 and 2006 ASQ SOX conferences. He taught statistics, quality control, quality management, and operations research at Rutgers University. He is a past chair of the ASQ Electronics and Communications Divisions and a Fellow of ASQ.