Risk management is critical to a sound Quality, Environmental, Health, Safety, and Security (QEHSS) program, and often we look to current or new certification standards to give us the systems or protocols we need to support risk management. Most companies leverage multiple standards because the risks they identify span the scope of several independent certification standards, but the more standards a company adopts, the more plans and processes are required. Seamless integration of these standards is not only key to a successful program but is critical to creating an industry-leading approach to risk management. In a world where poor management of IT assets has taken center stage, it is more important than ever to fully understand our risk exposure and develop innovative ways to manage these risks. From news articles highlighting e-waste in developing countries to data security breaches in many Fortune 500 companies, the public eye is on companies managing the disposition of used IT assets. What we have learned from these reports is that there are environmental, public safety, data privacy, and brand risks that must be considered and responsibly managed by all organizations handling used IT assets. An organization’s exposure to risk is determined by the scale of its QEHSS program. An immature QEHSS program can expose a business to vulnerabilities that may lead to legal, financial, and publicity problems, while a mature QEHSS program can enhance a business’s overall performance and risk management. Still, the challenge is determining the right scale and structure of the program for an organization: one that mitigates these risks while allowing the organization to remain nimble enough to successfully deliver on the value proposition to its clients and customers.
Whether an organization is a financial services or healthcare provider, retailer, manufacturer of electronics (OEM), or other organization that has electronic assets that have reached the end of their useful life, it is exposed to risk. Certification standards provide companies with methodologies to identify, mitigate, and prevent exposure to risks. Which standards to leverage with a QEHSS program is a business decision based on many different drivers, including customer requirements, regulations, and corporate policy. These risks will vary based on several factors. One factor is the ownership of an electronics brand and the assets that bear a company’s logo. An OEM is subject to producer responsibility laws and has a legal responsibility to manage old IT equipment in a responsible way that ensures waste is minimized, kept out of landfills, and recycled to recover secondhand commodities. Millions of pounds of e-waste have been exported to developed and developing countries where recovery/recycling technologies and regulatory infrastructure are not sufficient, and this waste has been dumped in rural communities, resulting in negative environmental impacts and the exposure of local populations to toxic materials. This damages the brand and public image of the companies whose brands are represented on these assets. But it’s not just OEMs that have this exposure; many companies’ IT departments assign asset tag labels to their internal IT assets — tag labels that identify these assets as company property — and oftentimes these labels are not removed before disposal.
Another factor is that organizations may also be exposed to data security risks, because most IT equipment contains data-retaining media. Take-back programs for businesses and consumers collect old IT assets that retain user data, and that data must be destroyed in a secure environment to prevent a data breach and the potential release of private or privileged information. A data breach is a real risk to all companies. We’ve seen many examples in the news over the past several years of large organizations having security vulnerabilities that resulted in the loss of customers’ private information, and of government contractor firms that experienced data breaches because old IT assets were not properly managed in their reverse logistics streams. These risks drive us to be more diligent in how we manage these assets and in our approach to identifying and validating the IT asset disposition (ITAD) firms contracted to perform asset management services. Most businesses will outsource the management of IT assets to ITAD firms that manage everything from logistics and remarketing to data sanitization and disposition, but how do we manage these firms in a way that minimizes our risks?
This is where a sound and mature compliance program comes into play. Often, we hear about compliance and assume this relates only to regulatory requirements, but this is not true. A strong compliance program is founded on risk management. First, we must identify our risk profile. This is a complete list of all identified risks categorized by severity. Once we understand these risks, we can define what our drivers are. For example, a data security risk has the potential to negatively impact a company’s reputation, reduce the company’s ability to generate revenue, or result in loss of revenue from key customer accounts subject to a potential data breach. So the driver here is the prevention of these negative impacts on the business. Once we understand our risks and drivers, we can design a compliance program around these risks. The foundation of an organization’s compliance program is its global standard or company policies that communicate its risk prevention requirements and are built into ITAD RFPs and contracts. This ensures that any ITAD firm or subcontractor used is legally bound to comply with or conform to the organization’s standard.
The next step is to develop a due diligence process, along with the necessary tools, to ensure that these firms are adhering to the organization’s standard and requirements; simply put, the organization needs an audit program. Audits are a snapshot in time, so regular auditing improves a company’s risk management and its visibility into the ITAD firm’s performance against its standard. Audit tools include, but are not limited to, questionnaires, audit protocols and checklists, and performance-tracking metrics. The audit protocol or checklist should be designed around an organization’s identified risks. For example, risks associated with adherence to industry best practices throughout the downstream channels of recyclers should be verified through questions in the audit checklist that examine downstream auditing, communication of policies in agreements, and verification of documentation demonstrating appropriate implementation of these systems.
Audits are structured in a three-stage approach — pre-audit, on-site audit and investigation, and reporting and corrective actions. Pre-audit is the collection of general information that gives a detailed view of operational processes, environmental and security policies, permits/insurance, etc. This enables the organization to appropriately scope the next stage. An on-site audit should include a detailed review of the evidential documentation of management systems designed to promote process efficiencies and risk management, and should verify how robust the implementation of these systems is. The reporting/corrective actions stage allows companies to communicate deficiencies and manage corrective and preventive actions with the ITAD firm, ensuring that risks are appropriately managed and that continual improvement measures are implemented.
Achieving 100% risk avoidance is impossible. We will always be exposed to some level of risk, but with a thoughtful approach to compliance and risk management, we can significantly reduce our exposure to these risks — and the reward will be well worth the investments we make.
For more information about how to ensure your ITAD program aligns with your risk management requirements, visit our website at www.arrowvaluerecovery.com or contact us at firstname.lastname@example.org.