R2v3 Transition Time – Deadline Coming Soon
The R2:2013 standards days are numbered. We are exactly 150 days away from June 30, 2023 deadline to be precise. Upon last review of the SERI R2:2013 database there are loads of R2 facilities who have yet to make the transition. If you happen to be one of the facilities in that position, we are here to help you get your transition to R2v3 completed fast. Here is how:
Transition to R2v3 in 3 Easy Phases
1. Scope determination and Gap Analysis
2. Establish and Implement Documentation and Processes
3. Internal Review – Internal Audit, Compliance Evaluation, Data Security Audit
Phase 1 - Scope determination and Gap Analysis
Scope Determination – Organizations making the transition from R2:2013 to the R2v3 standard must first review and revise their current scope of certification. It is essential to accurately determine the organization scope and ensure that it is reflective of current business processes.
Business Processes matching Scope of Certification
Evaluate & Sort
One of the most significant changes between the R2:2013 and R2v3 standard has been a major shift in the way the standard is organized. R2v3 is divided into two major sections:
· Core Requirements and;
· Process Specific Requirements
The Core Requirements are essentially applicable to all R2 facilities while Process Requirements will apply only if those specific processes are carried out by the R2 facility.
Phase one of your transition plan will be to ensure you have reviewed your activities and processes carefully to ensure that your scope statement includes each of the process requirements specific to your organization.
Process Specific Requirements have been listed as Appendices within the R2v3 Standard.
The R2v3 Process Requirements Appendices:
· Appendix A – Downstream Recycling Chain
· Appendix B – Data Sanitization
· Appendix C – Test and Repair
· Appendix D – Specialty Electronics Reuse
· Appendix E – Materials Recovery
· Appendix F – Brokering
SERI has provided several guidance documents on this topic. The R2v3 Appendix Applicability Guidance document offers further explanation and description of each appendices and its applicability.
R2v3 Appendix Determination Tool is another useful guidance document to help ensure your scope has been appropriately updated and revised per the new R2v3 scope of certification requirements.
After determining your R2v3 Scope the next step is to perform a gap analysis. A gap analysis in this particular case is assessing your current business processes, documentation and records to determine if they are in conforming with the R2v3 requirements. While there is some overlap between the R2:2013 and R2v3 standards, the R2v3 standard contains many enhanced and new requirements. Some organizations may be closer to conforming to the new R2v3 requirements if they went above and beyond the R2:2013 standards requirements.
A comprehensive gap analysis will reveal the current state of the management system and identify all the gaps that need to be addressed. With a list of the gaps in hand actions plans can then be established to address and effectively close each gap. We can now proceed to phase 2 of the R2v3 Transition Plan.
Phase 2 - Establish and Implement Documentation and Processes
Once an organization has identified the gaps in the system and developed actions plans those plans will require the organization to establish new documentation and processes.
One example of this is if the organization has reviewed their scope and determine that they currently perform Testing and Repair activities as part of their business processes. In this case, the scope revision would have to include R2v3 Requirements listed in Appendix C – Test and Repair.
The gap analysis would then reveal that Appendix C requires an organization performing test and repair activities to be certified to the ISO 9001:2015 Quality Management System standard.
This is just one such example of how an accurate scope determination drives the inputs into the gap analysis. The gap analysis can then ensure that all the pertinent R2v3 Core and Process Specific Requirements are covered. In this case, the gap analysis has found a large gap in the system with the requirement to implement ISO 9001:2015 Quality Management Certification. This particular gap can take anywhere between 2-3 months and up to 8-12 months to effectively implement depending on the organizations size and complexity.
As action plans are implemented and completed the organization is moving closer and closer to a achieving all the R2v3 requirements. Once complete the organization is required to perform several self-checks in 3 different areas to ensure they are prepared for the third-party R2v3 transition audit.
Phase 3 - Internal Review
Internal Audit, Compliance Evaluation, Data Security Audit
Once gaps have been addressed and action plans implemented the organization must perform several self-assessments. These assessments must be performed by competent individuals which the R2v3 standard defines. The three required assessments include a full system internal audit, compliance evaluation and a data security audit.
The full system internal audit covers all requirements that are covered by the scope of certification for the organization. Thus, all core requirements will need to be audited and all process specific requirements. The organization if certifying to ISO 14001:2015 Environmental Management System and ISO 45001:2018 Health and Safety Management or RIOS will need to audit all applicable requirements from these standards as well. Lastly, if the organization is certifying to ISO 9001:2015 those requirements will need to be covered as well. For efficiency, the internal audit should be conducted by an auditor who is trained in all relevant standards so that an integrated R2v3, Quality, Environmental, Health and Safety Management System audit can be conducted. This will save significant time and resources and ensure the most effective audit is conducted.
R2v3 requires that the R2 facility develop a comprehensive compliance plan. This plan should cover the R2 facilities operations both at the facility and at all associated off-site locations as well. The legal compliance plans should identify and document all pertinent environmental, health, safety, and data security requirements. The plan needs to define the controls, competence, and associated monitoring activities to maintain full compliance. This plan and the requirements to maintain compliance are required to be audited periodically which is generally taken to mean annually but there are some exceptions to the frequency that can be made if justified.
Data Security Audit
One major change in the R2v3 standard has been the enhanced requirements detailed in Core Requirement 7 for Data Security. R2 facilities are now required to document and maintain a Data Sanitization Plan with associated procedures necessary to control data security risks. With the implementation of the plan comes the monitoring of that plan. To ensure that the organization is achieving sound data security practices internal data security and sanitization audits are required to be performed at least annually by a competent and independent auditor. The audits are critical in ensuring that the data sanitization process has been validated ensuring that it effective.
SERI R2v3 Transition Resources:
Wilkshire Consulting - Get R2v3 Transitioned