The buzz is building over the International Organization for Standardization (ISO) 31000 Risk Management — Principles and Guidelines on Implementation. After years of hashing things over, the final standard is expected soon (the ISO website shows a release date of June 30, 2009). You can find a link to ISO 31000 draft at

The reason a lot of people are excited about ISO 31000 is that it brings together a global consensus on risk management condensed into about 20 pages of information. All forms of risks such as financial, security, safety, health, and environment are included. “Not pursuing an opportunity” is also a risk. According to the standard, risk is not always negative, but simply viewed as the “effect of uncertainty on achievement of objectives.”

Figure 1 – ISO 31000 Risk Management Process

Risk management process

The ISO 31000 risk management process is summarized in Figure 1 (above). The process should be familiar to EHS pros. For example, the definition of industrial hygiene from the American Industrial Hygiene Association (AIHA) includes “anticipation, recognition, evaluation and control” of environmental hazards that may impact workers. Although the words used by AIHA and ISO may differ, their meaning remains much the same. For example, “treatment” according to ISO is similar to AIHA’s “control,” although ISO’s term is more inclusive and would also cover sharing risk with another party, i.e. insurance.

Who will use ISO 31000?

Typically, as most ISO standards go, advanced organizations will be the first to apply the information. It’s the concept of applying risk management to an individual that should pique your interest. Your career and job contain risks that should be managed. ISO 31000 may help you to focus on managing individual risks.

Will it work?

Back in the early 1990s the corporation I worked for embarked on massive organizational change. “How do we become the best” was the CEO’s vision. Task forces were developed to propose and implement actions to achieve the vision. Successes followed. The corporation received IndustryWeek’s “100 Best Managed Companies” in the world award in 1997 and 1998.

I served on a task force that looked at how the corporation should manage risks. We applied many of the strategies now found in ISO 31000. This led to my traditional role of an industrial hygienist being changed to a role of considering all risks, such as risks to reputation, to the corporation. I worked out of the newly established “Risk Identification and Prevention” section of the corporation’s legal department.

Here’s what I learned from this experience: It was in my own best interest to consider individual risks to my job. I developed a career plan filled with “what if” considerations and treatments, i.e. control. An acquisition by another company indeed put my job at risk. But I was prepared for the effect of uncertainty on achieving my objectives.


ISO 31000 states that risk management should contain the following principles: a) create value; b) integral part of the organizational process; c) part of decision-making; d) explicitly address uncertainty; e) systematic, structured and timely; f) based on the best available information; g) tailored; h) takes human and cultural factors into account; i) transparent and inclusive; j) dynamic, iterative and responsive to change; and, k) facilitates continual improvement and enhancement of the organization. All these principles can be applied to you and your career planning.


The framework for managing risk under ISO 31000 is simple. Once commitment is established there is a loop of actions that include: 1) design the framework, 2) implement risk management, 3) monitor and review the framework, and 4) continual improvement of the framework.

Will you use ISO 31000?

You have individual professional objectives. Uncertainties that may affect these objectives are your risks. These uncertainties, however, may be positive. Remember, “Not pursuing an opportunity” is a risk identified in ISO 31000. Are there individual opportunities that you have not identified, analyzed, and evaluated?

While your employer may be slow to apply the principles and guidelines necessary to implement risk management in accordance with ISO 31000, this does not mean that you can’t apply the information to help meet individual objectives. If you read ISO 31000 with this in mind, it becomes easier to understand its application and value. And the better you understand the standard, the easier it will be to help your employer commit to a global consensus on risk management that may help them achieve EHS objectives.