In the sustainability and corporate social responsibility (CSR) “space” there is increasing pressure to report on triple-bottom-line issues through reporting frameworks, such as the GRI G3. There is a trajectory toward quasi-mandatory reporting by value-chain stakeholders and actual mandatory reporting by regulatory bodies. Quasi-mandatory reporting is seen with the inclusion of GRI sustainability reporting as tracked by Bloomberg’s Index and other financial indices. Mandatory reporting is seen in South Africa, Denmark, and France.
EHS/S and Risk Management Challenges
As part of my research this summer on relationships between EHS/S and risk management, I interviewed a group of EHS/S and risk management executives about various aspects of their activities. Prior to the interviews, the interviewees were given the Redinger EHS white paper titled, “360 Vision for Environmental Health, and Sustainability: Anticipate and Avoid Black Swan Events.” A series of questions focused on the needs and challenges of EHS/S and risk management departments. Some of the responses included:
- “I need to know as much as I can about the risks my company faces. I wrestle with having confidence that my team and I have a good understanding about risks that will bite us. I am not sure we have a good understanding about our EHS risks.”
Risk Management, EHS/S, Business Continuity, and the 360 Risk Management Check-Up™
It has been a while since I’ve posted. The summer has been full, working on developing the 360 Risk Management Check-Up™, a high-level diagnostic to measure the EHS/S and risk management function in organizations. Associated with this work, I have been conducting research on the evolution of organizational risk management and growing attention on non-financial risk management (NFRM).
Organizational risk management (RM) concepts and practices have been evolving from a singular focus on financial risk to a broader focus on enterprise-wide and non-financial risks. Approaches such as enterprise risk management, strategic risk management, value risk management, etc. have been evolving into what is being called NFRM.
Risk Management and Business Continuity with an Integrated Management System
In my previous post, I briefly discussed the integrated quality, safety, and environmental management system (QSEMS) at the Cannes Convention Center. The trend toward integrated management systems, including ISO’s movement toward a generic management system model for wide application, will provide a new tool for organizational risk management.
As evolved as risk management methods and models are, organizations struggle with integrating risk management practices. A silo phenomenon challenges risk managers as it has EHS managers for many years. In current non-financial risk management writings and research, the need for risk management integration and “silo-busting” is highlighted. An integrated risk management system can provide a way to bust silos in an organization.
ISO 28000 – Security Management, Risk Assessment, and ISO 14001 as a Foundation
The current issue of ISO Focus (February 2011) is dedicated to a wide range of security-related issues and highlights the ISO 28000 series on security risk management.
ISO 28000 was published in 2007 and provides guidance on security management. Its framework follows the ISO 14001 framework closely. 28000 is the core of the family, providing a specification management system standard. ISO 28004 provides implementation guidance in specific areas, such as 28005 (Electronic Port Clearance) and 20858 (Ships and Marine Technology).
Getting Your EHS/S Risk Management Metrics Right: Taking a 360-Degree View
At its core, EHS/S (environmental, health, safety, and sustainability) management is a risk management endeavor and there are numerous ways these activities can be described and reported. Even though many companies have robust EHS/S risk management practices, it is sobering to hear risk professionals continue to report pessimism about their organization’s overall risk management efforts.
The February 2011 issue of Internal Auditor reports on three studies that indicate while there is continued focus on the importance of robust risk management, more times than not, it is not being done well. Research conducted by the Enterprise Risk Management (ERM) Institute at North Carolina State University found that only 28 percent of 460 ERM professionals surveyed described their current state of ERM implementation as “systematic, robust, and repeatable”; 42 percent described the process as immature; and 60 percent described the process as mostly informal and ad hoc.
Corporate board oversight of ERM is hit or miss. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) reports that while directors give their boards high marks for ERM, less than one-half of the boards have ERM accountability assigned to a board subcommittee. Further, a survey of directors, conducted by Protiviti Inc., showed that only 13 percent consider ERM robust and mature. Internal Auditor reports that both of these studies point to challenges with risk reporting to the board.
Many EHS/S management system experts believe that one of the most important components of an integrated MS is management review. Management review is the time during which the overall strategy of an integrated EHS/S MS is assessed. Said differently, it is a time to see if the MS’s purpose and desired outcomes are being fulfilled. Management review is commonly framed as a performance evaluation activity. While this is correct, I would suggest that there is much more available through management reviews—that is, these are strategic opportunities to impact an organization’s Strategic Risk Management (SRM) process, and possibly start developing an SRM MS.