The 2015 revisions of ISO 14001 and ISO 9001 gave both standards a common framework based on ISO’s High Level Structure. They also introduced some new similarities with the international risk management standard, ISO 31000:2009, through the Risks and Opportunities clauses added to ISO 14001 and ISO 9001.
The common ground for the management system and risk standards starts with the definitions of risk.
Both ISO 9001 and ISO 14001 have added definitions of risk as the “effect of uncertainty”. In ISO 31000, risk is defined as the “effect of uncertainty on objectives”. All of the standards include notes explaining that an effect is “a deviation from the expected”, positive or negative (although ISO 9000 makes the additional point that risk “is sometimes used only for negative consequences”). ISO 31000 does not use the term Opportunities in the way the management system standards do in their Risks and Opportunities clauses. In practice these definitions will have the same effect for quality and environmental managers.
The management system standards have also added a clause for Context of the organisation, a concept which was already a key part of ISO 31000 (Cl. 5.3). While the quality and environmental standards don’t go beyond determining “internal and external issues”, establishing the context is a major input into the ISO 31000 approach, which applies a process of communication and consultation to help establish the context appropriately.
ISO 31000’s approach to establishing the context can assist quality and environmental managers in bringing their systems up to the new standards. The risk management standard follows a process of establishing the external context from the external stakeholders and the internal context from the internal environment. The external context may look at:
- social, cultural, political, regulatory, financial, technological, natural and competitive environment,
- key drivers and trends which impact on the objectives and values,
- perceptions of stakeholders (which is similar to the “Interested Parties” of clause 4.2 in the management system standards).
The internal context is based on the:
- governance, organisational structure, roles, accountabilities,
- policies, objectives, strategies,
- resources (capital, people, time, systems, technologies),
- organisational culture,
- systems, decision making processes,
- the organisation’s risk management processes.
ISO 31000 also evaluates the significance of risk (Cl. 5.3.5), which aligns with determining significant aspects in ISO 14001. Both ISO 14001 and ISO 31000 expect defined criteria to be used to determine significance.
As its focus is risk management, ISO 31000 steps through the risk assessment process, looking at risk identification, analysis, evaluation and treatment. This description, along with the accompanying standard for Risk Assessment Techniques (IEC/ISO 31010:2009), may provide extra insight into risk assessment for environmental and quality managers.
ISO 31000 is currently undergoing its own revision and is expected to be updated at the end of 2017 or into 2018. ISO claims the draft text of the standard “has been reduced to its fundamental concepts to create a shorter, clearer and more concise document that is easier to read whilst remaining widely applicable.”
Sum Up
The 2015 revisions of ISO 9001 and ISO 14001 have not only increased the alignment between the two standards, they have also adopted some of ISO 31000’s key risk management concepts. As a standard specialising in risk management, ISO 31000 can provide environmental and quality managers with extra guidance on the context of their organisation and on establishing its risks and opportunities.