One of the common complaints about certification is that users do not always understand what is being certified. This may be caused by a certification claim not lining up with scheme requirements (sometimes accidentally and other times intentionally) or with users not being able to easily understand what a certification mark or claim means.

Sometimes a certification is applied to a single product, and a company may represent the certification as applying to the whole company - or the other way around. If for example, you see a product sold with an ISO 9001 certification claim on the box it can seem that the product is certified. This is not the case since ISO 9001 is a management system certification that applies to the company but does not evaluate individual products. In this case it is the company that is certified, not the products. Using the cetification, the company can make claims about how it is run but not about individual products

The reverse can apply if a company claims that it is certified, for example, to MSC (Marine Stewardship Council). The MSC scheme is designed to certify wild-capture seafood. In this case the source of the seafood is certified, the company is not certified. An MSC certificate means that the company can make claims about products that are or contain MSC certified seafood but not about the how the company is run.

Claims can take many forms, they can be:

• A logo or mark applied to products; 
• A logo that is to be linked to a corporate name;
• A tagline that is printed on a product or used in advertisements;
• A tagline that is associated with a corporate name; or
• Any combination of the above.

Claims can be easily exaggerated - just look a claims made about the healthiness of foods and you can easily see how they can get out of hand.

The challenge in designing a claim that a certificate holder can make about a certification is to make sure that the claim is easily understood and accurate. Currently the ISEAL Alliance is working on developing a Good Practice Guide for Sustainability Claims, it you are working on claims for your scheme this draft will help with your thinking.

One advantage of certification is that the claim can be controlled by the scheme owner through a licencing agreement. The way in which the certification is marketed and a logo is used can be controlled by the signed agreement and enforced by the owner of the scheme.

It should always be the responsibility of the scheme owner to set out the rules about what claims can be made and how a scheme logo may be put on products or corporate mastheads.

The claims that you allow for your scheme should be accurate, clear and easily understood by the user. 

Finally, schemes should always make sure that their rules are being followed and take action when they are not. Your reputation is all that you have and when your scheme is misrepresented it undermines the value of your certifications, trademarks and claims as well as reducing the value of your scheme to users that follow the rules.

The ISEAL Credibility Principles explain that for a certification scheme transparency means:

"Standards systems make relevant information freely available about the development and content of the standard, how the system is governed, who is evaluated and under what process, impact information and the various ways in which stakeholders can engage."

Before a scheme can be transparent the scheme owner must first have documented the key information about how the scheme is run. Having clear documentation is the first challenge because it takes time and resources to write it. In addition, this documentation should be written in clear, simple language that is easy for your stakeholders to understand and use.

Why bother with transparency?

Certification is a trust business. Certificate holders and all those in the value chain rely on your certification to ensure that the products they produce or trade conform to the standard. They rely on the assurance that the scheme is providing to assure their customers and manage their own risk. Consumers and other end users rely on the certification in their specifications and in making purchasing decisions.

Transparency is a means for scheme owners to assure all those that rely on the scheme that they are living up to their obligations in managing and operating the scheme. It is a means of demonstrating to users that the scheme is trustworthy, and as a result there can be confidence in the certification. Also, users, should they choose may examine the scheme to assure themselves that it is meeting their needs.

Transparency means that information is available to anyone that wants it, including governments, users, researchers, advocates, and anyone that is interested (including high school students writing assigned essays).

A minimum list for sharing with the public

The first step to facilitate transparency is to have a package of material available on the web for anyone to download. At a minimum this package should include:

• A procedure that describes how the standard is developed, revised and interpreted. This should include a complete description of the processes including how any interested party can participate, how decisions are made and who makes the decisions. 
• A description of the purpose of the standard and its scope; that is what it is intended to accomplish and when it is applicable.
• An explanation of the governance of the scheme, including the scheme owner's board of directors (listing the members of the board, their terms of office and how they are appointed) and any other technical or advisory boards that play a role in the governance of the scheme.
• A description of the monitoring and evaluation program that is used by the scheme owner to evaluate the quality, consistency, efficiency and other aspects of the performance and operation of the scheme.
• A description of how the scheme evaluates its impacts; that is are the objectives of the scheme being achieved including the procedures used in making the evaluation as well as how conclusions are reached. It is best if in addition to this description that regular reports on performance are published.

• A description of how stakeholders can become involved, this should include involvement in certification audits, standards development, governance and most importantly in commenting, raising a concern or making a formal complaint about a certificate, a certification body or the standard (or any other aspect of the scheme).

In addition to these documented procedures, policies and reports each scheme owner should consider what other information should be made freely available to the public. As a general rule, my advice to scheme owners is to default, wherever possible to being transparent. In other words don't just post the minimum information; only keep confidential the material that is absolutely necessary and make all the rest freely available. 

A guiding principle is to be a generous as possible when it comes to being transparent. While it may mean that more questions come, it also is an opportunity to build trust with key individuals, organizations and institutions. Obviously there are limitations in terms of staff time and available resources but the investment will pay off.

In simple terms, a non-conformity is when a applicant or certificate holder (the client) fails to conform to a requirement for certification. All of the requirements that apply to the client should be written in the standard.

Grading non-conformities

One of the responsibilities of the auditor is to grade a non-conformity; that is to determine whether or not it is really serious or a small matter. Most schemes use the terms major and minor to grade non-conformities. Other schemes use terms such as critical to describe non-conformities that are so serious that it means the client automatically fails the audit.

There are two approaches that a scheme may uses to determine how to grade a non-conformity. And just to complicate things there are hybrid approaches that some schemes use which combine elements of these two approaches.

The first approach, and generally the most common, is for the auditor to take a decision about how serious the non-conformity is based on a set of criteria. An example of the criteria used to grade a non-conformity are as follows:

Major Non-conformity    

A Major non-conformity is normally raised when one or more of the following are found:

• The absence or total failure to meet a requirement and the failure has or is likely to result in the client failing to achieve the objective of a requirement.
• The non-conformity is highly likely to result in a breakdown of an requirement or materially reduce the ability to achieve the objective of a requirement.
• A minor non-conformity that is shown to continue over a specified period of time or occurs repeatedly.

Minor Non-conformity    

A minor non-conformity is usually raised when the client does not meet the requirement and the non-conformity does not jeopardize the integrity of the scheme. This includes one or more of the following:

• Where there is a failure to comply with a requirement is not likely to result in the breakdown of a system to meet a requirement and will not risk the integrity of the products or services that are being certified by the scheme. 
• Where the failure  does not meet the definition of a major non-conformity.

In brief an auditor must determine if the products or services that are being certified are likely or not meet the objective of the scheme. An example is for a scheme that requires that daily records be kept. If the auditor finds only a few records on file the non-conformity is likely to be graded as a major. If only a few days of records are missing, the non-conformity is likely to be graded as a minor.

In the second approach, the scheme determines in the standard how a non-conformity for each requirement is to be graded. 

In these schemes the standard is written so that each requirement is graded and for any non-conformity, no matter how serious is graded as specified in the standard. Schemes that use this approach sometimes use the category of 'critical' for some requirements.  A failure of a critical requirement means an automatic failure of the audit. For example for a non-conformity raised against a requirement that daily records be kept which is graded in the standard as a major in the standard would be graded as a major non-conformity even if only one day's records are missing.

For both of these approaches, an auditor may raise an observation for cases when the auditor finds cases where a non-conformity is likely to occur. Observations are intended to be helpful to the client so that they can address problems before a non-conformity occurs.

A Hybrid approach

Some schemes may wish to grade some requirements in their standard as critical or major, and leave the remaining requirements un-graded. The result is a scheme in which the auditor is required to grade certain non-conformities a certain way while giving the decision about grading for the rest to the auditor based on the severity of the impact.

Hybrid approaches are used most commonly for schemes that wish to specify which non-conformities will result in an automatic failure of the audit, that is to grade just the critical requirements and leave the rest to the auditor to grade according to the severity of the non-conformity.

Choosing an approach to grading non-conformities

Most schemes will decide which approach (or hybrid version) they will used based on their own needs. Often this is driven by the question of how the scheme owner chooses to approach an audit.  In cases where the scheme wishes to ensure that all non-conformities are graded identically across all clients, the second approach may be preferred. In other cases, the scheme owner may prefer to focus less on designing the standard and wishes to have a professional auditor take a decision about grading. 

Neither is better, neither is worse, it is a matter of preference.

How do you make sure that a problem is fixed?

Throughout your certification system there are many points where non-conformities may be found these include:

• Certificate holders or applicants can have a non-conformity raised by an auditor or they could find an error through their internal procedures.
• Certification bodies can have a non-conformity raised by their accreditation body, or can find a error through their own internal audit process or as a result of a complaint.

• Logo license holders may be found to be out of conformity with the terms of licensing rules.

• And yes, even the scheme owner may find through an internal audit or complaint process that it has made an error.

Finding an error or having a non-conformity raised is not the end of the world. The most important factor is what is done about it.

Correction and Prevention

In the world of standards we talk about 'corrective' and 'preventive' actions. These are the things that are done by the organization that has been found to have a non-conformity or has identified an error that it has made.

'Corrective' actions are the things that are done to correct the error. For example if a certificate holder did not track the sales of certified product then it may 'correct' the non-conformity by going back into its records and making sure that sales that have been made are properly recorded.

'Preventive' actions are the things that are done to make sure that the non-conformity does not reoccur. This is where a challenge presents itself - How do you know what caused the problem in the first place? In the case of the sales records you could say the cause was the clerk that entered the data, the software used to record the information, the sales staff not specifying all the required the sale information, the office procedures or a whole bunch of other possibilities. If the action chosen does not fix the root cause then the problem may reoccur. Retraining the sales staff, for example will not fix a software problem.

Root Cause Analysis or Things may not be what they seem

Root Cause Analysis is a way to identify the real cause so that the fix can be directed to the source and ensure that the non-conformiety does not reoccur or so that a new problem does not occur from the same root cause.

There are number of methods available for identifying root causes, these are called root cause analysis methods. The one that fits best with you and your organization can be a subjective choice so I will not recommend that you choose a particular method. Some basic information can be found on Wikipedia or through a web search. There are also load workshops on root cause analysis on offer that your web search will pull up.

The most generic method that I have found is the '5 Whys'. In this method the question 'why' is asked first of the identified error, then the question is asked again of each answer at least 5 times.

On the sales records example:

Question 1: Why were the sales records wrong?

Answer 1: The clerk did not enter all the required information.

Question 2: Why did the clerk not enter all the required information?

Answer 2: The clerk was never trained on how to record sales information.

Question 3: Why was the clerk never trained?

Answer 3: The clerk has been on the job for 6 months and no training has been scheduled.

Question 4: Why has no training been scheduled?

Answer 4: Training is only offered once each year.

Question 5: Why is training only offered once each year?

Answer 5: The training budget has been cut each year for the last 5 years.

As a result of this Root Cause Analysis the proper preventive action would be to fix the training deficit one way would be to make sure that the budget allows for timely training of staff.

If your first thought was to fire the clerk then this action would not solve the problem and it is likely that it would would occur with the next clerk. It is also likely that other seemingly unrelated problems would occur in other parts of the organization because of lack of proper and timely training.

The root cause can sometimes be simple, but it is never a good idea to simply jump on the first idea you have and assume that the problem will be fixed. Often our first idea is more a reflection of our own bias (clerks are lazy) and not a considered analysis of the real cause (management is cheap).  

The design of governance structures is one of the key challenges that a new scheme will confront. This includes what new corporate bodies, if any, should be created, how they are to be structured (for-profit, not-for-profit, charity, co-op, benefit corporation, etc.), and how and by whom are they are to be governed.

Creating governance structures can be a challenge for a number of reasons, first it includes balancing a number of issues such as how to avoiding conflicts of interest, delivering quality services at a fair cost and maintaining stakeholder interest and support. Also, in most cases the folks that have been working to create a new scheme are experts in the topic addressed (i.e. agriculture, human rights, etc.) and are not usually well versed in how to set up of an international business operation. To make things worse, the learning curve can be steep and the pressure can be intense to make a decision quickly.

The first and over-riding concern is to make sure that the new operation is not hampered by built in conflicts of interests. This means that the part of the operation that is required to take independent decisions based on objective information is not the same part that is responsible for making the money. Whatever decisions are taken the priority should be on making sure that the organization is not seen to be taking decisions just to make more money or to gain market share. For this reason, often the body that owns the scheme is separate from the body that manages the money making side of the business, even if the money is made through grants from governments or foundations.

A second question is whether the new bodies should be for-profit or not-for-profit corporations. Some folks feel that the only choice is that all bodies should be not-for-profits, but that is not always the case. (As a side note we should be clear that not all not-for-profits are charities but all charities must be not-for-profit corporations.) This can become more complicated if more than one new body is created. Some schemes create a not-for-profit that is the scheme owner which itself owns one or more subsidiaries that are for-profits, especially when they are responsible for making the money. Another option is to contract these roles out to existing organizations that provide these services professionally.

Finally, there is the question of who makes the decisions. On this point I will be blunt. I am not in favour of managing an international business with a stakeholder board. Governance is a job that requires experience and normally stakeholders are selected based on their role in a network or group. A professional board for each organization is crucial. To ensure that the mission of the organization remains central for the new organization a small professional board can be supported by stakeholder or technical advisory boards. Some organizations create membership bodies (in the case of not-for-profits) or shareholders (in the case of for-profits) whose responsibility is to ensure that the organization remains focused on its mission.

The process of designing corporate structures for a new scheme can be confusing and involve lawyers, accountants and management consultants. It is best to start thinking early about how to structure the operations, how to govern any corporate bodies, who owns what and how to include stakeholders. A well thought out governance structure can make a launch easier and avoid problems that can be easily avoided with time, information and good advice.

I am hearing from some scheme owners and advocates for certification that they want auditors to help out the folks they are auditing by providing them with advice on how to fix the problems that the certification client is facing.

Under ISO, ISEAL and IAF approaches to auditing, impartiality is one of the highest values. The audit should be not benefit the auditor, the certification body or anyone that either the auditor or the certification body have an interest in gaining a benefit for. The goal should be to provide high quality, professional and impartial audit services. A certification decision should be based on the information gathered in the audit and nothing else.

Impartiality is maintained when there is no real or perceived conflict of interest that would lead a reasonable person to believe that an audit decision may be taken for any reason other than the audit evidence as observed by the auditor and a decision based on that evidence by the certification body. On the most obvious level it means that the auditor should not have other business with the certification client or have provided any products or services to the client within  a set amount of time before the audit (IAF sets a minimum of 2 years, other schemes have differing rules).

A key factor to consider in understanding impartiality is that the auditor should not under any circumstance be evaluating a product or service that he provided. First, she may be tempted to approve her own work because it looks better on her. Secondly, he may feel that since his work or product is in use that all is well and not properly evaluate how it is working.

Certification bodies are required to have a decision making entity that is independent from the part of the certification body that is responsible for or directly benefits from revenue generation. So for example a CEO of a certification body would normally not be involved with a certification decision since her job is to increase the revenue to the company. The decision makers must be individuals that neither benefit from or be penalized for a particular decision.

Providing advice to a client on how to best meet the requirements of a standard can lead to a number of conflicts of interest. For example, an auditor may try to sell her consulting services to the client and a client may feel pressured to hire the auditor out of fear that the client may fail the audit if they do not.

Also, a client may feel pressured to do what the auditor suggests even if it does not solve the problem or does not otherwise fit the needs of the client. This could mean installing equipment that is not fully compatible or spending more money than the client can afford.

If the client does what the auditor suggests and it does not work, how will the auditor provide an impartial audit when he returns? Will she feel the need to minimize the problems? Will he feel responsible and want to avoid costing the client more money by giving a negative recommendation? 

Certification bodies that provide services for schemes that require full impartiality may not want to provide services for schemes that want auditors to provide advice since it may complicate the certification body's own efforts to maintain clear and consistent rules for impartiality.

Any scheme that wants to design a program that includes auditors providing advice to clients will need to think through the implications for impartiality. How would you give advice and still conduct an impartial audit?

Another challenge is that some of the best auditors may be in fact really lousy at giving advice. They are trained as auditors to evaluate whether or not the requirements are being met, they may not be very good at recommending how to solve a problem and produce the result that the scheme requires. The same may be the case for the reverse, a really good problem solver may be a really lousy auditor.

One possible implication is that a scheme may become more expensive to clients since the auditors not only have to be top notch auditors but they also have to be great at coming up with solutions.

Finally, how would you design your program to make sure that the clients feel no pressure to implement the solution proposed by the auditor? Maybe there is a better, cheaper, and more effective solution available that may not be used.

The rules against auditors providing advice are in place for good reasons, because they solve real world problems. Any scheme that wants to change these rules will need to find another way to solve these real problems that does not just create new ones.

WHAT is a "Scheme Owner"?

Simply put, a scheme owner is the organization (individual, for-profit corporation, not-for-profit corporation, certification body, government department, agency or other body, trade association, group of certification bodies or other just about any other body or group of bodies) that is responsible for the development and maintenance of the scheme and owns the intellectual property, copyright, trademarks and other rights to a certification scheme. 

Ownership includes the copyright for the standard, the certification system, the name, trademarks, graphics and other identifying texts. Normally the name, trademarks, graphics, domains and other elements are registered in the jurisdictions where they are used.

Every certification scheme must have a scheme owner.  In short someone must be responsible for the development and maintenance of the scheme. Simply writing a standard and letting it loose is not sufficient to create a certification scheme. Standards must be interpreted, reviewed and revised; and certification systems must be maintained so that each use of the scheme is consistent and all audits and certifications are conducted to the same benchmarks.

WHAT does it mean to be a "Scheme Owner"?

Guess what?, there are standards and guidelines that apply to scheme owners (I bet you were not expecting that...).  ISO has the document 17067 titled "Conformity assessment — Fundamentals of product certification and guidelines for product certification schemes". There are a number of other ISO guidelines that are relevant to scheme owners but let's not list them here.... Also, ISEAL has a number of codes (standards writing, assurance, credibility, etc.) that are designed for scheme owners.  

Scheme owners are responsible for the development and maintenance of the scheme. That means that they are responsible for making sure that scheme is up-to-date, that questions about how to interpret the standard are answered and that all parties are equally informed about changes and interpretations of the standard and the scheme requirements.

The biggest worry for a scheme owner is avoiding conflicts of interest and when avoidance is not possible, managing the conflicts of interest that do occur.

WHAT are the major conflicts of interest and HOW they be managed?

First of all, the major conflicts of interest usually involve money but they are not limited to money. If a scheme owner is making money from the scheme then it is crucial that the making money part be as separate as possible from the scheme management part. It is crucial that there be no link between decisions about the scheme and making money, the risk that a scheme owner can be accused of changing requirements to favour one party over another or lowering requirements to get more folks certified just to make more money can dramatically undermine a scheme's credibility.

These risks are as present for for-profit corporations as they are for not-for-profits or other types of scheme owners. As a result the most preferred way to manage the risk is to separate the roles of the application and management of the scheme from marketing, promotion, advocacy or other efforts to sell or grow the use of the scheme. This means that the job of managing the scheme is best left to a 'utility-like' organization whose job it is to provide a professional and neutral service. The job of promoting and marketing the scheme can then be undertaken by others who do not have direct control over the maintenance of the scheme. 

A scheme owner should be impartial in all cases and so the management of real and perceived conflicts of interest should be its primary concern.

The WTO (World Trade Organisation www.wto.org) is an intergovernmental organization that started in 1995 and replaced the badly named GATT (General Agreement on Tariffs and Trade that itself started in 1948). So much for history.

It's the job of the WTO that should be of interest to standards organizations. Its role is to be the guardian of the global agreements that all member countries have reached which sets the rules for what the countries themselves can do to regulate international trade.

For standards organizations, there is one major agreement that relates to your work.  That is Annex 3 to the WTO "Technical Barriers to Trade Agreement" (TBT Agreement).  Annex 3 is the "Code of Good Practice for the Preparation, Adoption and Application of Standards".

All well and good you say, but why should an obscure annex to an incomprehensible trade agreement be of concern to my little sustainability standard?

The first reason is the biggest.  Trade agreements are between governments and when a trade dispute arises anyone caught in the middle can get crushed - and since your standard may get caught you want to do everything to avoid it.  Even though it is rare that independent standards get caught up in WTO disputes the consequences can be devastating for your standard. Just have a look at the case of Dolphin Friendly Tuna (http://www.wto.org/english/tratop_e/envir_e/edis04_e.htm).  In this case the US government linked imports of tuna to Dolphin Friendly Tuna certification and the Mexican government objected.  In the end the US lost and the end result was pretty hard on the Dolphin Friendly Tuna scheme.

As a result of this case it became pretty clear that any standard should be developed in compliance with Annex 3 of the TBT Agreement. 

It is only a few pages long, so download it, read it and make sure that everyone in your organization that has a decision making role related to your standard is trained in its requirements.

It is fairly easy to conform to the Code of Good Practice and every standard should do so.  The bottom line is that it is in your best interest to know about this Code and make sure that everything you do conforms to it.

Of all the international benchmarks that you want to consider as important to your standard, this is the most important.