ISO ‘Misses the Mark’ on Context
ISO 31000:2009 included several definitions that provide the support for organizations to understand the meaning of context:
Establishing the context (2.9) – defining the external and internal parameters to be considered when managing risk and setting the scope and risk criteria (2.22) for the risk management policy (2.4).
External Context (2.10) – external environment in which the organization seeks to achieve its objectives.
Internal Context (2.11) – internal environment in which the organization seeks to achieve its objectives.
None of these definitions are included in ISO 31000:2018 or in the practice-specific management system standards (ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018).
Instead of defining ‘context,’ ISO 14001:2015 and ISO 45001:2018 specify in 4.1, (“Understanding the Organization and Its Context”):
“The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its [OH&S/environmental] management system.”
Despite this lack of clarity, both international management system standards clearly state how the information gained from the understanding of the external and internal context will add to the risk management process:
“Risks and opportunities (3.2.11) shall mean – potential adverse effects (threats) and potential beneficial effects (opportunities).”
However, the opportunities and threats are derived from a properly developed context!
COSO ERM:2017 Offers More Clarity
Principle 6, “Analyzes Business Context,” states:
“The external environment is part of the business context. It is anything outside the entity that can influence the entity’s ability to achieve its strategy and business objectives. It comprises several factors that can be categorized by the acronym PESTLE[i] (political, economic, social, technological, legal, and environmental).”
“The entity’s internal environment is anything inside the organization that can affect its ability to achieve its strategy and business objectives.”
COSO ERM:2017[ii] suggests that the entity use four categories to characterize the internal context: capital, people, process, and technology. A more popular tool for this purpose is TECOP.[iii]
These tools help an organization identify emerging, strategic or operational risks that can disrupt the status quo when change happens quickly and in unanticipated ways.
Using the Risk Management Process
The opportunities and threats that are identified through understanding the internal and external context serve as the information processed in the ISO 31000:2018 risk assessment that is described in a previous blog[iv].
COSO ERM:2017 provides information on processing opportunities and threats in Principle 10 (Identify Risks), Principle 11 (Assess Severity of Risk) and Principle 12 (Prioritize Risk).
A more complete understanding of how to characterize an organization’s internal and external context can be found in my book[v].
What’s the Problem?
Based on the observations provided above on a relatively simple topic, it appears that we need to think about the current process of making such standards available. The International Organization for Standardization (ISO) has a process for issuing a management system standard that grants approval based on the tally of the ISO members’ votes[vi]. COSO has a project team prepare the draft standard and uses an Advisory Council and Observers to work with the project team to finalize the report prior to publication[vii].
ISO has reportedly experienced some difficulties in the user acceptance of the new and revised management system standards. Information regarding these difficulties has been presented in the CERM Academy blog. ISO may want to rethink how it issues its standards and examine COSO’s method as a potential alternate approach. We need standards that do not leave important information out and that do not let the ISO high-level structure wording change from standard to standard. Maybe the mishandling of the context example mentioned in this blog will serve as an example of what is needed to draft a more acceptable management system standard. What do you think?
Bio:
Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
rpojasek@sprynet.com
(781) 777-1858 Office
(617) 401-5708 Mobile & Text
www.linkedin.com/in/bobpojasek
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
http://tiny.cc/xz3fhy
Also available as an online action learning course
Expert in environment, health & safety, and sustainability with a record of providing leadership, training and operational support to all levels of the organization; implements new and revised management systems to drive EHS/sustainability program conformance throughout the operation; integrates organizational systems of management using the ISO harmonized high-level structure; provides support for organizations implementing the sustainability/risk management practices featured in my book.
[i] http://31000risk.blogspot.com/2011/04/532-external-context-whats-outside-door.html
[ii] https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
[iii] http://31000risk.blogspot.com/2011/05/533-internal-context.html
[iv] https://insights.cermacademy.com/2018/09/217/
[v] http://tiny.cc/xz3fhy Chapter 8
[vi] http://isoupdate.com/resources/6-steps-to-creating-an-iso-standard/
[vii] https://www.coso.org/Documents/COSO-ERM-Presentation-September-2017.pdf