
The Off-shoots of ISO 9001

By: Rainier Mark Alcos and Romulos M. Amistad
Introduction
The great success of the ISO 9000 family has led to the emergence of similar standards for
management systems.
The drafting of other management system standards based on ISO 9001, but not directly
related to quality management, was the next development. Three well-known standards will
be discussed:
• ISO 31000:2009, Risk management – Principles and guidelines
• ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management
• ISO 50001:2011, Energy management systems – Requirements with guidance for use
The Objective is Quality
Figure: the “Christmas tree” of management system standards


Risk management and ISO 31000:2009

Definition of risk
But what is risk? ISO/IEC Guide 73:2002 (E/F) defines it as a combination of the probability
of an event and its consequence, followed by two notes:
a) The term is generally used only when there is at least the possibility of negative
consequences.
b) In some situations, the risk arises from the possibility of a deviation from the expected
outcome or event.
Note that ISO Guide 73:2009, published together with ISO 31000:2009, replaced this with the
broader definition “effect of uncertainty on objectives”, which ISO 31000 itself uses; this is
why ISO 31000 speaks of consequences that may be positive as well as negative.
Complexity of the concept of risk:
A) Two types of risk are commonly distinguished, although in reality many risks lie
somewhere between the two:
i) Normal (speculative) risk, which arises from a decision by an authority or a person in the
course of management, taken with the goal of making a profit while aware that the action, if it
misses its target (because of unforeseen events or an error of judgment, for example), can cause
a loss.
ii) Pure risk, also called static or accidental risk, which occurs suddenly and unexpectedly and
results in damage and losses. While normal risks are inherent in the purpose and functioning of an
organization, pure risk stems from its mere existence and activities.
B) Another segmentation of risk is shown below:
i) Risk as the unexpected occurrence of a hazard (breaking a leg during downhill skiing, for
example).
ii) Historical risk, characterized by the appearance of a hazard whose origins go far back in
time and were unknown, forgotten or simply neglected.
iii) Emerging risk, a threat whose potentially harmful effects have only been partially identified
or evaluated. For many years, for example, the release of CO2 and its effect on global warming
were hotly debated; CO2 production was therefore an emerging risk.
C) Risk is also divided into many categories; a classification of the most common ones follows,
although it does not cover, for example, the risks of the financial world:
i. Natural hazards: a damaging event with a given probability, or the consequence of a natural
threat affecting a vulnerable environment. Tsunamis and volcanic eruptions are natural hazards.
ii. Environmental risks: these involve natural ecosystems, especially their integrity and
sustainability.
iii. Technological risks: the possibility of an accident caused by a technical system that can
lead to serious consequences for staff, the population, property, the working environment or the
natural environment. The concept of industrial risk is used where an industrial plant (chemical
plant, power generation plant, etc.) is the source of the threat.
ISO 31000:2009, Objectives, goals and expected benefits

ISO 31000:2009 is an international standard that provides a generic approach to risk management.
ISO 31000:
• provides principles and generic guidelines on risk management;
• can be implemented by anyone: any public or private company, any community, association,
group or individual; it is not specific to any industry or sector;
• can be used throughout the life of an organization and for a wide range of activities, including
strategies and decisions, operations, processes, functions, projects, products, services and
assets;
• can be applied to any type of risk, regardless of its nature, and whether its consequences are
positive or negative.
According to the creators of this standard, its implementation can bring the following benefits to
an organization:
• promotion of proactive rather than reactive management;
• awareness of the identified risks throughout the organization;
• easier identification of opportunities and threats;
• improvement of the management of the organization, especially by establishing a stable
base for decision-making and planning, while providing clearer financial reporting;
• increased confidence of stakeholders;
• improvement of performance and operational efficiency, as well as of inspections;
• improvement in the prevention of incidents, and also in health and safety;
• reduced losses;
• improvement in organizational resilience and learning.
Figure: organizational framework and the PDCA cycle
Regarding the design of the framework for managing risk (clause 5.3), several steps are
considered.
– Understanding the organization and its context (5.3.1): first, it is important to understand
the organization and explicitly take into account its internal and external context. The internal
context includes the flow of information, internal stakeholders, the policies and strategies
pursued, and the existing values and culture.
The external context brings together external stakeholders, the various environmental aspects,
and the factors influencing the objectives of the organization.
– The second step in the design of the framework is to establish a risk management policy
(5.3.2) clarifying the objectives and commitment of the organization: it defines the different
responsibilities, the rationale for managing risk, how conflicts of interest are handled, the
methods and tools used, and how the performance of risk management is measured.
– The third step is integration into organizational processes (5.3.4), which consists in
generalizing risk management to all parts of the organization. In this way integration affects
all sectors and is addressed in a comprehensive risk management plan.
– The fourth step is accountability (5.3.3), which involves designating the persons responsible
for implementing the framework, defining performance measures and establishing the levels of
approval and sanctions.
– The fifth step involves defining the means for allocating resources (5.3.5), such as
information management systems.
– The last step is the establishment of mechanisms for internal (5.3.6) and external (5.3.7)
communication and reporting: reporting on the framework and its results, providing stakeholders
with a consultation process in which useful information is always available, and exchanging
data with external parties on a legal and transparent basis so as to build trust in the
organization while keeping sensitive information confidential.
The implementation of risk management (5.4) is divided into two parts:
– Implementing the framework for managing risk (5.4.1), which is managed as a project and
includes steps such as defining a schedule and strategy, applying the risk management policy and
process to the organizational procedures, observing legal and regulatory constraints, organizing
training and information sessions, and consulting stakeholders.
– Implementing the risk management process (5.4.2), which consists in ensuring that the process
is integrated with the organization’s business activities and practices at all levels and in all
functions directly affected by risk management.
The section Monitoring and review of the framework (clause 5.5) emphasizes the importance of
keeping the policy and the risk management plan continuously aligned with the internal and
external context of the organization, through measures of performance and of progress against
the work plan.
Finally, the last element is the Continual improvement of the framework (clause 5.6): decisions
are taken to improve the framework itself, the risk management policy and the plan, using the
results of the examination carried out during the monitoring and review of the framework.
Figure: ISO 31000:2009, risk management process
Communication and consultation (clause 6.2) accompanies all the stages from 6.3 through 6.5.
Internal and external communication with stakeholders must take place at every stage of risk
management. In addition, a team-based consultative approach has the following advantages:
• enabling the most accurate definition of the context;
• ensuring that the interests of stakeholders are identified and taken into account;
• ensuring, to a large extent, through the pooling of several areas of expertise in risk analysis,
that the risks are properly identified.
The first step of the process is establishing the context (clause 6.3), which takes further the
analysis of the same topic carried out when designing the framework (6.3.1).
Here the external (6.3.2) and internal (6.3.3) parameters must be detailed, together with the
context of the risk management process itself (6.3.4) and the risk criteria (6.3.5), in particular
with regard to their impact on the application domain of the process.
The next step, which is the most complex, is risk assessment (clause 6.4), which is divided into
the successive activities below:
• Risk identification (6.4.2): an exhaustive list of risk sources and areas of impact, together
with their potential causes and consequences, is produced.
• Risk analysis (6.4.3): the aim is to develop an understanding of the risks in order to determine
whether they should be considered for treatment and, if so, which strategies and treatment methods
are most appropriate.
The risk sources, their likelihood of occurrence and the severity of their consequences are taken
into account here, as well as the reliability of the information used and possible divergent
opinions of the experts consulted.
The last part of risk assessment is risk evaluation (6.4.4), which, on the basis of the risk
analysis, consists in determining which risks need treatment and setting the order of priority for
implementing the treatment. The standard indicates that risk evaluation:
• should take into account the wider context of the risk and the risk tolerance of stakeholders
other than the organization affected by the risk;
• can conclude that the existing controls are adequate and should simply be maintained, or
alternatively lead to a more detailed analysis. This decision depends on the organization’s risk
appetite, its risk attitude and the risk criteria selected.
Then comes the most visible part, which can also be the most expensive for the organization:
risk treatment (clause 6.5).
This process is iterated until the level of residual risk meets the organization’s expectations.
The treatment options include:
• Avoiding the risk, either by stopping the activity under scrutiny or by never starting it
(abandoning a production process that pollutes too much and replacing it with a “greener” one).
• Removing the source of the risk, for example by demolishing a dangerous staircase and replacing
it with a safe means of access. Since zero risk does not exist, the common alternative when the
source cannot be removed is to reduce the likelihood to an acceptable level.
• Changing the likelihood of the risk.
• Changing the consequences by, for instance, treating a polluting effluent before discharging
it into the environment.
• Sharing the risk with other parties, for example the pooling of risk-taking when a corporation
is created.
• Retaining the risk by informed decision, such as organizing a large festive event while
accepting the small risk of fire. Even when preventive measures are taken the risk is never zero,
and deliberate retention of the remaining risk is then the usual choice.
The two operations of risk treatment are selecting risk treatment options (6.5.2) and preparing
and implementing risk treatment plans (6.5.3). For the former, a detailed assessment of the
cost/benefit ratio, as well as the appropriateness of the measure in relation to the expectations
of the stakeholders, should be considered. For the latter, documented risk treatment plans must
be presented to and discussed with the stakeholders.
As with any element of an ISO management system, the risk management process includes continual
improvement, and monitoring and review (clause 6.6) applies to all of its stages. The last item of
the standard is recording the risk management process (clause 6.7): the text stresses the
importance of records for the traceability of the process, but also the sensitive nature of the
information they contain, which implies controlling access to them.
The records are of course also a source of information for monitoring, review and continual
improvement.
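The assessment (6.4), evaluation (6.4.4), treatment (6.5) and recording (6.7) steps described above are easiest to see as one loop over a risk register. The following is an added example, not from the presentation and not code from ISO 31000 or ISO/IEC 27005; the 1-5 ordinal scales, the use of likelihood times consequence as the risk level, the sample information-security risks, the treatment options, their costs and the risk criteria are all constructed assumptions, since the standard prescribes none of them. The example evaluates each risk against the criteria, sends a risk whose analysis rests on unreliable information back for more detailed analysis, treats a risk that exceeds the criteria by repeatedly picking the most cost-effective affordable option until the residual risk is acceptable, escalates instead of silently accepting when the treatment budget runs out, and keeps a traceability record of every decision.

```python
"""Toy ISO 31000-style risk register: evaluation, iterative treatment, recording.
Added example; scales, scores, costs and sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Treatment:
    name: str
    option: str                                   # ISO 31000 treatment option it implements
    effect: Callable[[int, int], Tuple[int, int]]  # (likelihood, consequence) -> residual pair
    cost: int                                     # abstract cost units for the 6.5.2 cost/benefit comparison


@dataclass
class Risk:
    risk_id: str
    source: str                 # risk source identified in 6.4.2
    event: str
    likelihood: int             # 1..5, from the analysis in 6.4.3 (assumed scale)
    consequence: int            # 1..5 (assumed scale)
    reliable_information: bool  # reliability of the information the analysis rests on
    record: List[str] = field(default_factory=list)  # traceability record (6.7)

    def level(self) -> int:
        return self.likelihood * self.consequence  # assumed convention, not mandated


@dataclass
class RiskCriteria:
    acceptable_level: int  # highest residual level the organization is prepared to retain
    budget: int            # resources available for treating one risk


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Risk evaluation (6.4.4): accept, treat, or send back for more detailed analysis."""
    if not risk.reliable_information:
        decision = "analyse further"
    elif risk.level() <= criteria.acceptable_level:
        decision = "accept"
    else:
        decision = "treat"
    risk.record.append(f"evaluate: L={risk.likelihood} C={risk.consequence} "
                       f"level={risk.level()} -> {decision}")
    return decision


def treat(risk: Risk, criteria: RiskCriteria, options: List[Treatment]) -> Tuple[str, int, List[str]]:
    """Risk treatment (6.5), iterated until the residual risk meets the criteria.
    Each round applies the affordable option with the largest reduction per unit cost;
    if nothing affordable remains while the risk is still too high, escalate."""
    remaining, applied, available = criteria.budget, [], list(options)
    decision = evaluate(risk, criteria)
    while decision == "treat":
        best = None
        for t in available:
            if t.cost > remaining:
                continue
            l, c = t.effect(risk.likelihood, risk.consequence)
            reduction = risk.level() - l * c
            if reduction > 0 and (best is None or reduction / t.cost > best[0]):
                best = (reduction / t.cost, t, l, c)
        if best is None:
            risk.record.append("treat: no affordable option left, residual above criteria -> escalate")
            decision = "escalate"
            break
        _, t, risk.likelihood, risk.consequence = best
        remaining -= t.cost
        applied.append(t.name)
        available.remove(t)
        risk.record.append(f"treat: applied '{t.name}' ({t.option}), cost {t.cost}, "
                           f"residual level {risk.level()}")
        decision = evaluate(risk, criteria)
    return decision, risk.level(), applied


def sample_register() -> List[Risk]:
    """Constructed sample risks (assumption, not from the page)."""
    return [
        Risk("R1", "internet-facing VPN appliance with a known vulnerability",
             "remote code execution", likelihood=4, consequence=4, reliable_information=True),
        Risk("R2", "third-party SaaS provider", "disclosure of customer data",
             likelihood=3, consequence=3, reliable_information=False),
        Risk("R3", "office printer firmware", "local denial of service",
             likelihood=1, consequence=2, reliable_information=True),
    ]


def vpn_treatment_options() -> List[Treatment]:
    """Constructed options for R1, one per relevant ISO 31000 treatment category."""
    return [
        Treatment("patch within 7 days", "change likelihood", lambda l, c: (max(l - 2, 1), c), cost=2),
        Treatment("MFA and network segmentation", "change consequence", lambda l, c: (l, max(c - 1, 1)), cost=2),
        Treatment("cyber insurance", "share", lambda l, c: (l, max(c - 1, 1)), cost=3),
        Treatment("decommission the appliance", "avoid", lambda l, c: (0, c), cost=10),
    ]


def run_example() -> Dict[str, Tuple[str, int, List[str]]]:
    criteria = RiskCriteria(acceptable_level=6, budget=6)
    options = {"R1": vpn_treatment_options()}
    return {r.risk_id: treat(r, criteria, options.get(r.risk_id, [])) for r in sample_register()}


if __name__ == "__main__":
    for rid, (decision, residual, applied) in run_example().items():
        print(rid, decision, residual, applied)
```

With the assumed criteria, R1 (level 16) is patched first because that gives the largest reduction per unit cost, then segmented to bring the residual level down to 6, which the criteria accept; R2 is returned for further analysis because its inputs are unreliable; R3 is accepted as it stands. Cutting R1's budget to 2 leaves it at level 8 after patching with nothing affordable left, and the function reports "escalate" rather than treating the remaining risk as accepted, which is the decision a risk owner, not the tool, has to make.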
