Not your father’s risk management
You want to prevent problems, not manage them
Yesterday’s risk management practices are no longer adequate to deal with today’s threats and they need to evolve. This reasoning drove ISO to revise risk management standard 31000:2009 to 31000:2018.2 Per ISO, risk can be positive, negative or both, and can address, create or result in opportunities and threats. The key driver for effective risk management is to create and protect value.
OHS and risk management
ISO defines risk as the “effect of uncertainty on objectives.” Keeping workers healthy and safe is the most basic objective for every occupational health and safety pro. OHS’s foundational job safety analysis (JSA), which can be expanded into complex risk assessments, deals with basics of uncertainty: identify the hazard, the risk (severity and likeliness of occurring), and the controls to keep workers healthy and safe at each job step. JSAs drive nearly every OHS decision. Risk management, therefore, is the DNA of OHS.
Everyone manages risk
Everyone in an organization has responsibility for managing risk, per ISO 31000. Section 5.2 (leadership and commitment) states, “Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities …”
Oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required, per ISO, to:
- ensure that risks are adequately considered when setting the organization’s objectives;
- understand the risks facing the organization in pursuit of its objectives;
- ensure that systems to manage risks are implemented and operating effectively;
- ensure that such risks are appropriate in the context of the organization’s objectives;
- ensure information about such risks and their management is properly communicated.
Oversight bodies are not defined by ISO, but they can be anybody. After joining a global corporation (with roots as a Fortune 200 company) a few decades ago, I observed that risk management was practiced in silos. Top management received risk information from various departments such as finance, legal, and HR to help make leadership decisions. The company, however, lacked an integrated risk management process. Each silo viewed risk from its own, usually monetary, lens. OHS was often last to the budget buffet table.
Making a risky decision (that could have cost me my job), I explained my observation and frustration alone to the CEO. The company was managing problems, not preventing them. The CEO wanted the corporation to be one of the world’s best managed. The CEO often mentioned that risk to corporate reputation “kept him up at night.”
Break down silos
Risk management should be customized to the organization’s needs and culture, per ISO. This modern concept was true years ago. Without going into detail or strategy, the CEO appointed me (an industrial hygienist non-lawyer) to chair the task force charged with coming up with suggestions to reorganize the legal department -- a very entrenched and powerful silo. Part of the strategy included that no internal lawyer could serve on the task force and no internal party, e.g. my lawyer boss, could put undue influence upon the task force’s efforts or conclusions.
One outcome of the task force was to establish the Risk Identification and Prevention (RIP) section within the legal department. RIP was given full corporate authority and support to identify and treat any risk, including risk to corporate reputation. Under RIP, OSHA was not perceived as a threat (where it was before) and all plants were required to obtain VPP.
Risk management helped the CEO to achieve an objective. The corporation received IndustryWeek’s “100 Best Managed Companies” in the world award in 1997 and 1998. Risk management, particularly modern concepts from ISO 31000:2009 and the 2018 revision, has served me well running my own OHS solo-practice consulting business for many years.
A “thinking standard”
ISO 31000:2018 is designed for voluntary adoption and not third-party certification. The standard may be audited, however. If the organization has not issued a statement or policy that establishes a risk management approach, plan or course of action, for example, that is non-conformance with section 5.4.2 of the standard.
Section 5.4.1, Understanding the Organization and its Context, should be familiar to those organizations that certified within the last few years to ISO 9001 (quality) and ISO 14001 (environmental); and those organizations that may seek certification to ISO 45001:2018 OHSMS.
Section 6.4.2, Risk Identification, is near to my heart because of my involvement back in the days with RIP. This section lists “biases, assumptions and beliefs of those involved” as a risk factor that organizations should consider – which was missed back in my early corporate days and where the CEO accepted my evidence for necessary change.
If you break down silos, e.g. challenge the “biases of those involved,” know that there is high personal risk -- opportunities and threat. P.S. It was well worth my risk.
ISO 31000:2018 is not a specification standard. The standard does not say that an organization must specifically do this or that. Particularly, the revised standard places greater emphasis “on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process.”
ISO 31000 encourages organizations to think. Because of standard’s organized way of thinking, it is, in my mind, the most valuable among all consensus standards.
ISO 31000 and OHS
The many things that help drive an organization, such as OSHA requirements, may be views as “gears.” Smooth integration among many formal gears (standards) help drive successful organizations. Given this concept, ISO 31000 should be the lead gear that drives all other organizational gears.
Between ISO 31000 and OSHA is there a gear that may help OHS operate more smoothly? An OHS management system, such as ISO 45001, is one example. Additional formal gears such as applicable OSHA, NFPA, ANSI and ASTM standards may also be integrated into the organizational machine. Audits may be viewed as the lubrication that helps the gears mesh smoothly.
Should your organization implement an safety and health management system or conform to a consensus standard such as NFPA 70E? If 5G (super internet connectivity) may revolutionize the robotics factory, support autonomous vehicles fleets or facilitate cyber-crime by the projected date of 2020, how may this risk impact OHS? What’s the next asbestos ligation? Will global warming spawn “super-bugs” or force coast-line resettlements? Should you pursue an OHS certification such as CIH®? Will North Korea nuke the USA? Risks abound and ISO 31000:2018, if properly used, helps organizations and individuals make sense of it all.