Certification Integration, Quality, Compliance, and Security

By Eric Capps & Scott Venhaus – Arrow Value Recovery

Risk management is critical to a sound Quality, Environmental, Health, Safety, and Security (QEHSS) program, and often we look to current or new certification standards to give us the systems or protocols we need to support risk management. Most companies leverage multiple standards as the risks they identify span the scope of several independent certification standards, but the more standards a company adopts, the more plans and processes are required. Seamless integration of these standards is not only key to a successful program, but is critical to creating an industry-leading approach to risk management.

In a world where poor management of IT assets has taken center stage, it is more important than ever to fully understand our risk exposure and develop innovative ways to manage these risks. From news articles highlighting e-waste in developing countries to data security breaches in many Fortune 500 companies, the public eye is on companies managing the disposition of used IT assets. What we have learned from these reports is that there are environmental, public safety, data privacy, and brand risks that must be considered and responsibly managed by all organizations handling used IT assets.

An organization’s exposure to risk is determined by the scale of its QEHSS program. An immature QEHSS program can expose a business to vulnerabilities that may lead to legal, financial, and publicity problems, while a mature QEHSS program can enhance a business’ overall performance and risk management. Still, the challenge is determining the right scale and structure for an organization to mitigate these risks while allowing the organization to remain nimble enough to successfully deliver on the value proposition to its clients and customers.

Whether an organization is a financial services or healthcare provider, retailer, manufacturer of electronics (OEM), or other organization that has electronic assets that have reached the end of their useful life, it is exposed to risk. Certification standards provide companies with methodologies to identify, mitigate, and prevent exposure to risks. Which standards to leverage with a QEHSS program is a business decision based on many different drivers, including customer requirements, regulations, and corporate policy. These risks will vary based on several factors. One factor is the ownership of an electronics brand and the assets that bear a company’s logo. An OEM is subject to producer responsibility laws and has a legal responsibility to manage old IT equipment in a responsible way that ensures waste is minimized, kept out of landfills, and recycled to recover secondhand commodities. Millions of pounds of e-waste have been exported to developed and developing countries where recovery/recycling technologies and regulatory infrastructure are not sufficient, and this waste has been dumped in rural communities, resulting in negative environmental impacts and the exposure of local populations to toxic materials. This damages the brand and public image of the companies whose brands are represented on these assets. But it’s not just OEMs that have this exposure; many companies’ IT departments assign asset tag labels to their internal IT assets — tag labels that identify these assets as company property — and oftentimes these labels are not removed before disposal.

Another factor is that organizations may also be exposed to data security risks, because most IT equipment has data-retaining media. Take-back programs for businesses and consumers collect old IT assets that retain user data that must be destroyed in a secure environment to prevent a data breach and potential release of private or privileged information. Data breach is a real risk to all companies. We’ve seen many examples in the news over the past several years of large organizations having security vulnerabilities that resulted in the loss of customers’ private information, and government contractor firms that experienced data breaches because old IT assets were not properly managed in their reverse logistics streams. These risks drive us to be more diligent in how we manage these assets and in our approach to identify and validate IT asset disposition (ITAD) firms contracted to perform asset management services. Most businesses will outsource the management of IT assets to ITAD firms that will manage everything from logistics and remarketing to data sanitization and disposition, but how do we manage these firms in a way that minimizes our risks?

This is where a sound and mature compliance program comes into play. Often, we hear about compliance and assume this relates only to regulatory requirements, but this is not true. A strong compliance program is founded on risk management. First, we must identify our risk profile. This is a complete list of all identified risks categorized by severity. Once we understand these risks, we can define what our drivers are. For example, a data security risk has the potential to negatively impact a company’s reputation, reduce the company’s ability to generate revenue, or result in loss of revenue from key customer accounts subject to a potential data breach. So the driver here is the prevention of these negative impacts on the business. Once we understand our risks and drivers, we can design a compliance program around these risks. The foundation of an organization’s compliance program is its global standard or company policies that communicate its risk prevention requirements and are built into ITAD RFPs and contracts. This ensures that any ITAD firm or subcontractor used is legally bound to comply with or conform to the organization’s standard.

The next step is to develop a due diligence process along with the necessary tools to ensure that these firms are adhering to the organization’s standard and requirements; simply put, the organization needs an audit program. Audits are a snapshot in time, so regular auditing improves a company’s risk management and its visibility of the ITAD firm’s performance to its standard. Audit tools will include but are not limited to questionnaires, audit protocols and checklists, and performance-tracking metrics. The audit protocol or checklist should be designed around an organization’s identified risks; for example, risks associated with adherence to industry best practices throughout the downstream channels of recyclers should be verified through questions in the audit checklist that look at downstream auditing, communication of policies in agreements, and verification of documentation that demonstrates appropriate implementation of these systems.

Audits are structured in a three-stage approach — pre-audit, on-site audit and investigation, and reporting and corrective actions. Pre-audit is the collection of general information that gives a detailed view of operational processes, environmental and security policies, permits/insurance, etc. This enables the organization to appropriately scope the next stage. An on-site audit should include a detailed look into evidential documentation of management systems designed to promote process efficiencies and risk management and should verify how robust the implementation of these systems is. The reporting/corrective actions stage allows companies to communicate deficiencies and manage corrective and preventive actions with the ITAD firm to ensure risks are appropriately managed and continual improvement measures are implemented.

Achieving 100% risk avoidance is impossible. We will always be exposed to some level of risk, but with a thoughtful approach to compliance and risk management, we can significantly reduce our exposure to these risks — and the reward will be well worth the investments we make.

For more information about how to ensure your ITAD program aligns with your risk management requirements, visit our website at www.arrowvaluerecovery.com or contact us at valuerecovery@arrow.com.

About the Authors

Scott Venhaus joined Arrow in 2009 as a quality leader at Arrow’s OEM Computing Solutions value added services facility in Phoenix. In his current role, he is responsible for serving as the business leader for the Value Recovery business servicing Asia Pacific and Japan and providing oversight and direction to the quality and compliance organizations for Arrow’s Global Reverse Logistics organization.

Mr. Venhaus has over 20 years’ experience in the electronics technology industry, beginning his career with the United States Navy, serving seven years in aviation maintenance management. He achieved the Master Training Specialist designation as a Naval Aviation Maintenance Management Program Instructor.

In 2001, he joined General Electric (GE) as director of Operations within the Emerging Businesses and Technologies division of Commercial Finance, where he was responsible for leading manufacturing and operations for their Utah-based driver development business and its successful divestiture. Mr. Venhaus then transitioned to a global commodities and operations leadership role identifying and implementing solutions for Commercial Equipment Finance companies globally.

Mr. Venhaus is on the board of directors for RIOS, a steering committee member for the WRF Asia and EMEA, and an active thought leader in the manufacturing, electronics, and electronic asset recovery industries.

Eric Capps is an environmental compliance professional based out of Austin, TX and has spent the better part of his career in the electronics manufacturing and recycling space. His experience includes corporate advisory roles as a consultant to many electronics OEMs, compliance strategy advisor to reverse logistics firms, and subject matter expert for industry organizations and trade associations. His focus has been the development and implementation of global compliance and due diligence programs focusing on Recycling and ITAD companies across more than 30 countries and industry advisory roles as an EHS expert supporting recycling industry standards globally. Eric has managed environmental health and safety programs and projects for various Fortune 500 companies across many industries including oil and gas, manufacturing, aerospace, mining, pipeline and commercial construction, and electronics manufacturing and recycling. In his current role as senior manager of global compliance for Arrow reverse logistics, Eric is leveraging experience and innovation to create a step change in the electronics industry in compliance and sustainability.