Balancing Requirement and Risk – Lessons Learned Building an ITAD Due-Diligence Assessment

By Carleen E. Matsuka, Microsoft

ITAK V10 I1

Managing the risk associated with the disposal of assets can be complicated.  Risk around compliance with data protection laws such as the Health Insurance Portability and Accountability Act [HIPAA] in the United States and the United Kingdom’s [UK] Data Protection Act of 1998 makes managing a global program overwhelming for any organization.  Add the potential of generating revenue from asset sales, and the extra scrutiny from your leadership team can be welcome visibility, or it may increase the struggle to maintain balance.

IT Asset Disposition [ITAD] focuses on maximizing salvage value while minimizing risk, and the appropriate balance between these factors must be found.  Extreme risk aversion can easily result in unnecessarily high operational costs.  On the other side of the tightrope, blind acceptance of higher risks to keep costs down could ultimately have an extreme negative financial impact, including a tarnished brand image.

One headline stating your company allowed the dumping of hazardous waste into the environment or allowed customer data to be released far outweighs the cost and time it would take to provide extra scrutiny, so apply due diligence early in your ITAD supplier management program.  At the end of the day, you want to balance risk while maximizing salvage returns.

Discovery

What is key to managing risk?  Through my experience I have found two common themes: know your suppliers, and perform an appropriate due diligence assessment that aligns with the risk level.  You define the areas of importance, but at a minimum all the industry experts recommend focusing on data security, environmental compliance, and health and safety.  Here is a recommended focus list you can start from:

1. Company structure and facility overview

2. Accreditations and certifications

3. Data security

4. Environmental compliance

5. Health and safety

6. Quality control and management

7. Logistics:  Material handling and transportation

The answers to certain questions will indicate how much detail you can legally obtain without much discussion, and they may also indicate the level of risk this company represents.  Documenting your suppliers’ full capabilities may seem like overhead, but it could save you “headaches” in the future.  Most suppliers know that being a responsible corporate citizen to the environment and its people is important, but this is where you will have to balance requirements with risk.  How the supplier chooses to operate their company, including the actions of their employees, becomes your company’s responsibility regardless of the concept of indemnification.  The key takeaway in this article and the following sections is to solidify the idea of “taking time for due diligence” and to get you one step closer to defining your own due diligence assessment.

1:  Company Structure and Facility Overview

Here are some of the questions and tasks that you may want to include under company structure and facility overview:

* Are temporary employees utilized and in what capacity?

* What types of material and hardware are accepted into the facility?

* Obtain a list of all downstream providers and partnerships

* Document employees responsible for key roles such as environmental compliance, health and safety policies, process adherence and control, and remarketing

Another area that can be grouped under company structure and a standard metric in every asset disposition program is measuring return value versus cost.  Knowing the answers to just a few of these questions could mean the difference in where the decimal point is placed.  Here are a few additional questions that you may want to include:

* How many employees perform hardware sales and are they dedicated resources?

* Are they specialized by hardware type or manufacturer?

* Is parts harvesting a standard part of the ITAD process to improve salvage value?

2:  Accreditations and Certifications

A major area of focus during a due diligence review is the suppliers’ certifications and accreditations.  There are a number of accreditation and certification programs out there.  As the disposal program manager for your organization, understand that there is no specific minimum for any company, and requiring every supplier in every region of the world to have the same standard list may not be the best recommendation.  Knowing your business objectives and knowing your greatest risk areas will enable you to come to a consensus on which accreditations and certifications are most important.

Embrace alternatives.  A great way to analyze this information starts with a simple matrix listing your areas of focus and identifying which standard or certification program attests to or measures compliance in each.  Supplement the matrix with specific questions within each category, including an understanding of what local legislation and laws may impact your decisions.  The industry-supported and recommended standards include ISO 9001, ISO 14001, and OHSAS 18001.

Due diligence assessments in this focus area could include obtaining copies of certifications to verify that they are current and that the site-specific certifications cover all facilities that are in scope for your coverage area.

3:  Data Security

Data security assessments depend on your company policy and processes for data handling.  Some companies, such as financial institutions, will destroy all data-bearing hardware on-site within their facility before allowing it to leave their control.  Most companies will have varying levels of data security, and addressing those levels may require employing the ITAD supplier to perform some of those services.

Here are some general assessment questions and tasks that you may want to include under data security:

* How are devices managed to protect them from access until data is removed?

* Describe the data erasure procedure and provide evidence of an existing process

* What technology solution is utilized?

In addition to having the supplier provide the details to answer each question, require proof of what is verbally stated by walking through the process flow to confirm it.  Pay attention to things like the placement of cameras and access control, whether the process is simple and repeatable, and whether the documented process flow matches what was described and visually confirmed.

4 and 5:  Environmental Compliance and Health and Safety

Environmental compliance and health and safety assessments are the areas of your due diligence that can consume the most bandwidth to complete.  These are the areas where downstream providers are vetted, with you performing facility walk-throughs and verifying operating permits.  Here are some sample questions you may want to include under environmental compliance:

* Are hazardous wastes handled in this facility?

* How do you identify hazardous waste storage or handling areas in your facility?

* Do you have the appropriate local permits to handle hazardous material?

* Are downstream providers assessed or audited for environmental compliance?

Here are sample questions under health and safety:

* Are areas of hazard clearly identified in the facility for employees?

* Do employees have the right level of safety equipment available to them?

* Are the employees trained on the tools and equipment used in the facility?

* Is there proof of employee training?

6:  Quality Control and Management

One additional point to be made, especially in the area of quality control and management, is that your due diligence assessment can be as simple as requiring certifications such as one within the ISO 9001 series.  To supplement this if required, you may leverage some of these sample questions:

* What cycle time should you expect for a specific type of task?

* What types of reports are available and how are they made available?

* Do they have their own Asset Management system or did they buy something off the shelf?

* Does it provide you with the level of reporting you require?

7:  Logistics

The final recommended focus area pertains to how materials are processed and handled by your ITAD supplier, including any transportation services requested (regardless of whether they are performed with in-house vehicles or third-party transportation companies).  Here are some of the questions you may want to include under logistics, material handling, and transportation:

* At what level is material dismantled in this facility?

* Does the supplier provide in-house transportation services?

* Are the vehicles in compliance with local operating laws?

* Does the supplier provide secure handling from pick up through processing?

Documenting Diligence

Keeping track of this information can be as simple as data in a document or as automated as a full lifecycle management software solution for compliance.  The assessment should be concise and easy to populate while it is being performed.  Create the form in an application like Microsoft Word or Microsoft InfoPath to allow for real-time population of data within the framework.  Pen and paper is always an option, but the information will probably have to be transposed at some point, which adds to your touch points.  The applications mentioned allow for easy export of the data into a database structure for simple queries and reporting.

Figure 1:  Beginnings of a Due-Diligence Assessment

Conclusion

The objective of this article was to share knowledge and assist with the development of your own due diligence assessment framework.  Don’t be satisfied with what may work for other companies; take the time to invest in your program’s success.  If you don’t have the resources to allocate to your due diligence strategy then, at a minimum, invest in a reputable company to perform this service for you.

About IAITAM

The International Association of IT Asset Managers (IAITAM) is the largest organization providing education, certification and thought leadership to the management of IT as a business. IT Asset Management is the management of hardware, software, mobile and other technology to maximize the value to the organization.