In the Beginning
In 2012, ISO’s ‘Joint Technical Coordinating Group’ (JTCG) completed work to provide a high-level structure, text, and common terms and definitions for all future and revised management system standards. All Technical Committees developing management system standards were required to follow Annex SL found in the ISO/IEC Directives, Part 1, Annex SL[i].
As we approach 2019, it is abundantly clear that the high-level structure mandate has been followed by the Technical Committees with mixed results. All the new and revised management systems used the 10-clause structure and all of them include the same definition of risk and risk management. However, the way risk management was used in the different management system standards varied considerably. What can an organization learn from this exercise?
Management System Integration
The use of risk management is focused in clause 4 (context) and clause 6 (planning). ISO 45001:2018 (occupational health and safety management system provides a well-articulated means of incorporating risk management into a management system using the high-level structure. Let’s see how this can help an organization manage risk when placed in an integrated management system.
First, let’s focus on the following management system standards:
- ISO 9001:2015[ii] – Quality
- ISO 9004:2018[iii] – Quality of an Organization – Guidance to Achieve Sustained Success
- ISO 14001:2014[iv] – Environmental
- ISO 45001:2018[v] – Occupational Health and Safety
- ISO 55001:2014[vi] – Assets
- ISO 22301:2012[vii] – Business Continuity
Collectively, these standards cover “facilities” and the related elements to address the process approach to operations. You could add ISO Guide 82:2014[viii] (Sustainability Guidelines) and ISO 26000:2010 (i.e. Social Responsibility Guidelines) to help create a “sustainable organization.” These documents are not written using the high-level structure but are guidelines that can be easily placed in the high-level structure.
Clause 4 in the integrated management system places the organization in its unique internal and external context. The integrated management system, using the components listed above, enables the organization to scan the external operating environment using a PESTLE tool[ix]. PESTLE is also specifically followed in the COSO ERM:2017[x] risk management standard.
A TECOP tool[xi] is used to scan the internal operating environment. These tools help you find the “effects of uncertainty” that can affect the organization. These effects can be positive (opportunities) or negative (threats). Every one of the ISO management system standards has a slightly different way to handle the articulation of all the opportunities and threats. In an integrated standard, the most stringently-defined (across all the standards and guidelines) is selected for use. The COSO ERM:2017 risk management standard specifies the use of PESTLE for external context. The Project Management[xii] Institute mentions both the TECOP for the internal context.
Clause 6 in the integrated management system uses the “risk assessment process” in ISO 31000 to conduct the risk assessment. The high-level structure uses the term, “risks and opportunities” in describing the focus of the risk assessment. ISO 14001:2015 defines “risks and opportunities” as “potential adverse effects (threats) and potential beneficial effects (opportunities). This helps the organization focus the risk assessment on the significant opportunities and threats.
It is easy to create the integrated management system. The organization can then self-certify and self-declare[xiii] the resultant integrated management system.
Risk Management
Risk management is defined as, “coordinated activities to direct and control an organization with respect to risk.[xiv]” ISO 31000 (risk management guidelines) describes how to integrate risk management across all the standards in Clause 5.2.2[xv]. In this manner, you are managing the risks of the organization rather than the risks associated with each of the management system standards. The same approach is specified in the COSO ERM:2017 standard.
The risk assessment (ISO 31000:2018 and COSO ERM:2017) starts with the opportunities and threats and moves through the following steps:
- Assess the severity of risk (likelihood and consequence)
- Prioritization of the risk (risk matrix with positive consequence for opportunities and negative consequence for threats)
- Selection of risks (high scores with opportunities used to offset the threats)
- Risk response (do not focus on threats and risk “treatments”)’
All organizations are exposed to uncertainty in the form of volatility, uncertainty, complexity and ambiguity[xvi]. Risk management is designed to guide organizations that are coping with VUCA as it affects both the internal and the external contexts. The ISO high-level structure was designed with this in mind. ISO 31000:2018 is based substantially on the world’s first national risk management standard (AS/NZS 4360:1995).
Why Would an Organization Choose NOT to Integrate Its Management Systems?
With the publication of the ISO high-level structure (Annex SL) and the changes made by several different ISO Technical Committees, the stage was set for the use of integrated management systems. The integrated approach to organizational operations with the standards covered in this blog will help the organization to consolidate all the risk management activities into a single program. There are approximately 35 other management system standards and ISO guidance documents that can be used as necessary and placed in the same integrated structure. Some of the users of ISO management system standards want to go back to the previous standard format with six clauses and no risk management. This will make integration very difficult (that is why some want to go back to the past) and will make risk management
Bio:
Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
rpojasek@sprynet.com
(781) 777-1858 Office
(617) 401-5708 Mobile & Text
www.linkedin.com/in/bobpojasek
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
http://tiny.cc/xz3fhy
Also available as an online action learning course
[i] ISO/IEC Directives, Part 1 https://www.iso.org/sites/directives/2016/consolidated/index.xhtml
[ii] ISO 9001:2015 https://www.iso.org/obp/ui/#iso:std:iso:9001:ed-5:v1:en
[iii] ISO 9004:2018 https://www.iso.org/obp/ui/#iso:std:iso:9004:ed-4:v1:en
[iv] ISO 14001:2015 https://www.iso.org/obp/ui/#iso:std:iso:14001:ed-3:v1:en
[v] ISO 45001:2018 https://www.iso.org/obp/ui/#iso:std:iso:45001:ed-1:v1:en
[vi] ISO 55001:2014 https://www.iso.org/obp/ui/#iso:std:iso:55001:ed-1:v1:en
[vii] ISO 22301:2012 https://www.iso.org/obp/ui/#iso:std:iso:22301:ed-1:v2:en
[viii] ISO Guide 82:2014 https://www.iso.org/obp/ui/#iso:std:iso:guide:82:ed-1:v2:en
[ix] “Organizational Risk Management and Sustainability: A Practical Step-by-Step Guide” http://tiny.cc/xz3fhy
[x] COSO ERM:2017 https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
[xi] TECOP http://31000risk.blogspot.com/2011/05/533-internal-context.html
[xii] Project Management Forum https://www.projectmanagementforum.net/blog/some-changes-to-risk-identification-pestle-tecop-and-vuca-oh-my
[xiii] https://insights.cermacademy.com/2018/11/223-demonstrating-conformity-iso-management-system-making-self-determination-self-declaration-bob-pojasek/
[xiv] ISO 31000:2018 https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
[xv] IBID. ISO 31000:2018
[xvi] VUCA https://hbr.org/2014/09/a-framework-for-understanding-vuca