The buzz is building over the International Organization for Standardization (ISO) 31000 Risk Management - Principles and Guidelines on Implementation. After years of hashing things over, the final standard is expected soon (the ISO website shows a release date of June
The reason a lot of people are excited about ISO 31000 is that it brings together a global consensus on risk management condensed into about 20 pages of information. All forms of risks such as financial, security, safety, health, and environment are included. "Not pursuing an opportunity" is also a risk. According to the standard, risk is not always negative, but simply viewed as the "effect of uncertainty on achievement of objectives."
Risk management process
The ISO 31000 risk management process is summarized in Figure 1 (above). The process should be familiar to EHS pros. For example, the definition of industrial hygiene from the American Industrial Hygiene Association (AIHA) includes "anticipation, recognition, evaluation and control" of environmental hazards that may impact workers. Although the words used by AIHA and ISO may differ, their meaning remains much the same. For example, "treatment" according to ISO is similar to AIHA's "control," although ISO is more inclusive and would include sharing risk with another party, i.e. insurance.
Who will use ISO 31000?
Typically, as with most ISO standards, advanced organizations will be the first to apply the information. It's the concept of applying risk management to an individual that should pique your interest. Your career and job contain risks that should be managed. ISO 31000 may help you to focus on managing individual risks.
Will it work?
Back in the early 1990s the corporation I worked for embarked on massive organizational change. "How do we become the best" was the CEO's vision. Task forces were developed to propose and implement actions to achieve the vision. Successes followed. The corporation received IndustryWeek's "100 Best Managed Companies" in the world award in 1997 and 1998.
I served on a task force that looked at how the corporation should manage risks. We applied many of the strategies now found in ISO 31000. This led to my traditional role of an industrial hygienist being changed to a role of considering all risks, such as risks to reputation, to the corporation. I worked out of the newly established "Risk Identification and Prevention" section of the corporation's legal department.
Here's what I learned from this experience: It was in my own best interest to consider individual risks to my job. I developed a career plan filled with "what if" considerations and treatments, i.e. control. An acquisition by another company indeed put my job at risk. But I was prepared for the effect of uncertainty on achieving my objectives.
ISO 31000 states that risk management should follow these principles: a) creates value; b) is an integral part of organizational processes; c) is part of decision-making; d) explicitly addresses uncertainty; e) is systematic, structured and timely; f) is based on the best available information; g) is tailored; h) takes human and cultural factors into account; i) is transparent and inclusive; j) is dynamic, iterative and responsive to change; and k) facilitates continual improvement and enhancement of the organization. All these principles can be applied to you and your career planning.
The framework for managing risk under ISO 31000 is simple. Once commitment is established, there is a loop of actions: 1) design the framework, 2) implement risk management, 3) monitor and review the framework, and 4) continually improve the framework.
Will you use ISO 31000?
You have individual professional objectives. Uncertainties that may affect these objectives are your risks. These uncertainties, however, may be positive. Remember, "Not pursuing an opportunity" is a risk identified in ISO 31000. Are there individual opportunities that you have not identified, analyzed, and evaluated?
While your employer may be slow to apply the principles and guidelines necessary to implement risk management in accordance with ISO 31000, this does not mean that you can't apply the information to help meet individual objectives. If you read ISO 31000 with this in mind, it becomes easier to understand its application and value. And the better you understand the standard, the easier it will be to help your employer commit to a global consensus on risk management that may help them achieve EHS objectives.
by Dan Markiewicz, MS, CIH, CSP, CHMM