November 2012

Where ISO 31000 fits into EHS management

ISO 31000 Risk Management Principles and Guidelines is an international, non-certifiable standard providing users with principles, a framework and a process for
managing risk. This often prompts the question: where does it fit with ISO 14001 and
OHSAS 18001?

Chartered safety practitioner Sean Coleman, who is a co-author of the NSAI's guidelines on ISO
31000, examines and explains the relationship between the three standards.

In ISO 31000, risk is defined as the effect of uncertainty on objectives. It is necessary to be
aware that the reference to risk is in the most general sense. Organisations face risks well beyond the
EHS spectrum, but it will be interesting, if not essential, to see how risk might be regarded and
managed on an organisation-wide basis.

Understanding ISO 31000

ISO 31000, published in November 2009, seeks to provide organisations with guidelines for the
principles and the adequate implementation of risk management (RM). It is designed for a wide
range of RM practitioners, experienced or novice, and for those responsible for RM oversight
and who are interested in developing and/or benchmarking their organisation and practices
against a recognised international reference.

There are also two associated standards:

Vocabulary for Risk Management (ISO Guide 73), which provides definitions of generic
terms related to RM, and
Risk Assessment Techniques (IEC/ISO 31010), which provides guidance on selection
and application of systematic techniques for risk assessment (in the widest sense).

ISO 31000 is very similar in approach to other management standards in that it follows the Plan-
Do-Check-Act (PDCA) cycle with the usual focus on continuous improvement. EHS
practitioners will be familiar with OHSAS 18001 Health & Safety and ISO 14001
Environmental standards, which themselves closely follow the format of earlier quality
standards. ISO 31000 is therefore evolutionary and at the same time complementary to other
standards. It is a standard/guideline that acts as the mothership for other risk-related standards, of
which there are many, e.g. EHS, IT, BCP, Emergency and Crisis Management. Moreover, it
provides guiding principles and structure (see Fig 1 below) to those who oversee risk throughout
the organisation and wish to aggregate risk in a common language. If used sensibly, the standard's
greatest attribute should be balanced decision making that takes account of both threat and opportunity.



One significant difference for most EHS professionals is the definition of risk. Risk is defined as
the effect of uncertainty on objectives. An effect is a deviation from the expected, positive
and/or negative. Safety professionals are more used to rating the negative consequences or
looking for threats rather than opportunities. ISO 31000 helps us to think in terms of the upside
as well as the downside. The term "source" (of risk) is used rather than "hazard" to avoid a negative
connotation. Risk is seen as neutral.

Application: when and by whom

ISO 31000 can be applied in a given context, for example a project, a division, a function or
the organisation as a whole, and has been developed so that it is generic and not specific to any
industry or sector.
It is likely (but certainly not necessary) that an organisation will already be implementing a range
of management systems (certified or otherwise) before it sees the need for, or embarks upon, the
implementation of ISO 31000 or part thereof. Some organisations which are more risk mature
will readily see the need for integration of systems, whilst others will tread more carefully. Risk
maturity at the highest level requires integrated RM across the business and at all levels. For
those at the lower end of risk maturity, typically a silo approach, it will be of interest to see what
RM best practice looks like and what such organisations might aspire to over time.

At board and senior management level there is increasing pressure to provide a common risk
language and approach across all areas. For example, the probability and impact of poor
succession planning, a human resource risk, may compete for resources with a natural
catastrophe risk, such as a flood at the main premises or at a key supplier. If different risk criteria
are applied, senior management will struggle to allocate resources based on priority.

Be warned: ISO 31000 does not provide suggested risk assessment methodologies, but it does
reference the associated standard Risk Assessment Techniques (IEC/ISO 31010) mentioned
above. This allied standard describes and discusses the pros and cons of different
techniques, many of which will be familiar to practitioners in the EHS field. As an aside, see also
EEC, Review of Techniques to support the EATMP Safety Assessment Methodology, which
considers hundreds of methodologies.

ISO 31000 plots out a framework and process (Fig 1 above) but gives considerable latitude
in application. For many organisations, it will be interesting to see how much of the framework
and process is already in place and how far they have to go to meet the standard. Essentially, they need to
carry out a gap analysis.

When we think of the voluminous paperwork usually associated with EHS management
systems, we can just begin to imagine the bulk associated with a large or complex organisation.
The use of appropriate software is likely to come into play when the limitations of spreadsheets
become apparent.

The software should be able to address risk identification, assessment, action planning and
provide insight through audit and incident tracking modules. Organisations will need to be able
to provide improved analysis and quantification data to assist with sound decision making
around risk.

Need to know

So do you need to know the standard in depth? The answer is it depends. Having worked in the
operational risk area for more than 30 years in the insurance industry and directly with clients, I
would most certainly advocate it for those who wish to gain a broader appreciation of where
EHS risks sit in the organisation at large. An understanding of the principles will help you win
hearts and minds by driving the EHS agenda in a manner which is more integrated to the overall
business needs. In other words, it should help you in time get a voice at the top table at least
some of the time. Equally it may give you an understanding of the risk pressures facing other

ISO experts are working on the ISO 31004 guide to ISO 31000, due to be published in 2014, but
note that the Irish consultative committee on risk management at NSAI has already drafted Irish
guidelines on the standard. (Sean Coleman, a chartered safety practitioner, is an independent
health and safety consultant and an associate with LinkResQ. He can be contacted by emailing
sean@colemanrisk.ie or phoning 087-2470217.)