Who “owns” EHS risk management?
New standards will revolutionize best practices
When the ISO risk management standards were released, their value to environmental safety and health pros was evident. The American Society of Safety Engineers (ASSE) endorsement of the ANSI Z690 standards further demonstrates the importance of risk management to EHS pros. The Z690 standards “… are expected to revolutionize best practices …” for EHS pros, according to the ASSE Council of Practices & Standards.
Take a look
Although the risk management standards are available for purchase from ISO, ANSI, ASSE and other sources, there is a free way to get a look at the general language in the standards. Run a Google search for <ISO 31000 draft download>. The search will lead you to the draft of ISO Risk Management – Principles and Guidelines. The language in the draft document is close enough to the final to give a good idea of what the standard says. If you understand and appreciate the language in the draft, purchase the final standards.
The risk management standards contain familiar concepts for EHS pros. Most particularly, the risk assessment clause (5.4), which includes risk identification (5.4.2), risk analysis (5.4.3), and risk evaluation (5.4.4), probably takes up most of an EHS pro’s time where the risk is an occupational safety or health hazard. Clause 5.5, risk treatment, should be familiar to EHS pros, too.
Understanding and evaluating context, both internal and external to an organization, is the most important part of risk management. Understanding the organization and its context comes before building the framework for risk management. Establishing context comes before initiating risk assessment and risk treatment. Why and how your organization exists and what influences organizational objectives is context.
If your organization does not practice formal risk management, there may be no “risk owner,” the “person or entity with the accountability and authority to manage risk.” If this is the case, then you should initiate the process. Eventually, all EHS pros may need a working knowledge of modern risk management principles.
The beauty of the ISO and ANSI/ASSE risk management standards is that they are not prescriptive. The standards simply provide guidance on what should be included when context is considered. How context is evaluated is also left up to an organization. As needed, an organization may refer to Risk Assessment Techniques to help choose methods to evaluate context.
Evaluate context — framework
Assume there is no formal risk management process in your organization. The first step to evaluate context should be simple and direct. Provide each of the ISO 31000 internal and external context examples with an observation statement. For example:
• Internal context: “standards, guidelines and models adopted by the
• Observation statement: “Our organization conforms to OSHA regulations, human resource management guidelines from our trade association, and ISO 9000 quality standards.”
The length, detail or even accuracy of each observation statement is not important for the first pass. Try to fill out all the observation statements by yourself. This is why and how you believe your organization exists and what influences organizational objectives.
Next, pass the entire context picture to other stakeholders in your organization and have them contribute to and edit the observations. Convince stakeholders that their involvement is not a burden but will help them better manage risk in their own areas.
The context picture will get clearer after each pass from stakeholders. Use as many passes as needed until stakeholders feel the picture is complete.
Establish context — risk management process
Evaluation of context is needed to help determine the design of the organization’s risk management framework. EHS pros need to expand on initial context evaluation and establish context for their particular risk management process (such as injury and illness prevention or a specific risk profile).
Developing one or more risk profiles at this point may help establish context in greater detail. A risk profile identifies a risk source, an event, and a consequence. An example: an employer’s failure to adequately treat developmental health hazards may damage an unborn child and cause the organization to incur a $100 million tort liability. You may discover other risk profiles that help engage management.
Communication and consultation
The team approach for establishing context for the risk management process “brings different areas of expertise together for analyzing risks” and “secures endorsement and support for a treatment plan.”
Although greater detail is expected when establishing context for the risk management process, as compared with the initial context evaluation, you may establish the context in a similar manner by providing an observation statement for each external (clause 5.3.2) and internal (clause 5.3.3) example provided in the ISO 31000 risk management standard. Again, context may be kept simple and direct. Refinement of the context may be accomplished through monitoring and review (clause 5.6).
Basic is OK
ISO 31000 and the identical ANSI/ASSE Z690.2-2011, along with the companion standards for risk management, may be applied in different ways by similar organizations. Although in-depth application of risk management principles should be the goal, basic application is better than none. If your organization does not have a formal risk management process, you should initiate one. Considering the internal and external context in which your organization seeks to meet its objectives is the place to begin.