Many EHS professionals are familiar with the International Organization for Standardization (ISO), due to its widely known management systems, ISO 9001 and 14001. Over the past five years, ISO has begun to extend its services more explicitly into the area of risk management—its first two management systems (9001 and 14001) are essentially risk management tools.
This past November, ISO published a generic standard on risk management that provides guidelines that can be used in a wide range of settings. ISO states that “31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets; and that it can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.”
Impact on Other ISO standards
The development of ISO 31000 is potentially very important to EHS management and the development of EHS standards. As a generic standard on risk management, ISO 31000 will be a “high level” document in ISO, also referred to as a “controlling document.” This means that once 31000 is in place, all subsequent ISO documents that address risk management issues will need to conform to 31000. This could have a huge impact on future revisions or versions of ISO 14001 and an ISO OHSMS (if one is ever developed).
Potential Concerns
The standard contains robust general language on risk management. Overall, I would characterize it as a strong document that will provide long-term value. On the EHS front, it’s my view that the document’s current scope is too narrow, in that its focus is on risk management issues internal to an organization and is weak in how it addresses risks that an organization might transfer to others. In environmental economic terms, the issue here is that of “externalities.” That is, how does an organization manage or address costs it passes on to others?
It will be interesting to see how ISO fares in the risk management arena. ISO jumped into a whole new arena in the 1980s with its publication of ISO 9001 on quality assurance. Prior to 9001, ISO’s focus was on technical standards. Moving into the management system area was a bit more nebulous and certainly new. The continuation into the management system area with ISO 14001 was a big deal and represented a progression into yet more new terrain. With ISO 14001, ISO entered into the complex arena of social regulations, where things such as values, benefit/cost, and ethics come into play. With a standard on risk management, ISO put itself smack dab in the middle of complex values and ethical issues.
© Redinger EHS, Inc. (2010)
