01 April 2017

Similarities between ISO 9001, ISO 14001 and ISO 31000

The 2015 revisions of ISO 14001 and ISO 9001 gave both standards a common framework based on ISO’s High Level Structure. They also introduced some new similarities with the international risk management standard, ISO 31000:2009, through the Risks and Opportunities clauses added to ISO 14001 and ISO 9001.

The common ground for the management system and risk standards starts with the definitions of risk.  Both ISO 9001 and ISO 14001 have added definitions for risk as the “effect of uncertainty”.  In ISO 31000, risk is defined as the “effect of uncertainty on objectives”.  All of the standards include notes explaining an effect is “a deviation from the expected”, positive or negative (although ISO 9000 makes an additional point that risk “is sometimes used only for negative consequences”).  ISO 31000 does not use the term Opportunities in the same way as the management system standards have Risks and Opportunities.  In practice these definitions will have the same effect for quality and environmental managers.

The management systems standards have also added a clause for Context of the organisation, a concept which was already a key part of ISO 31000 (Cl. 5.3). While the quality and environmental standards don’t go beyond determining “internal and external issues”, establishing the context is a major input into the ISO 31000 approach, and it applies a process of communication and consultation to help establish the context appropriately.

ISO 31000’s approach to establishing the context can assist quality and environmental managers to bring their systems up to the new standards.  The risk management standard follows a process of establishing internal and external context from the external stakeholders and the internal environment.  The external context may look at:
  • social, cultural, political, regulatory, financial, technological, natural and competitive environment,
  • key drivers and trends which impact on the objectives and values,
  • perceptions of stakeholders (which is similar to the “Interested Parties” of clause 4.2 in the management systems standards)

The internal context is based on the:
  • governance, organisational structure, roles, accountabilities,
  • policies, objectives, strategies,
  • resources (capital, people, time, systems, technologies),
  • organisational culture,
  • systems, decision making processes,
  • the organisation’s risk management processes

ISO 31000 also evaluates the significance of risk (Cl. 5.3.5), which aligns with determining significant aspects in ISO 14001.  Both ISO 14001 and ISO 31000 expect defined criteria to determine significance.  

As its focus is risk management, ISO 31000 steps through the risk assessment process, looking at risk identification, analysis, evaluation and treatment. This description, along with the accompanying standard for Risk Assessment Techniques (IEC/ISO 31010:2009), may provide extra insight into risk assessment for environmental and quality managers.

ISO 31000 is currently undergoing its own revision and is expected to be updated at the end of 2017 or into 2018.  ISO claims the draft text of the standard “has been reduced to its fundamental concepts to create a shorter, clearer and more concise document that is easier to read whilst remaining widely applicable.”

Sum Up

The 2015 revisions of ISO 9001 and ISO 14001 have not only increased the alignment between the two standards, they have also adopted some of ISO 31000’s key risk management concepts. As a standard specialising in risk management, ISO 31000 can provide environmental and quality managers with extra guidance on the context of their organisation and establishing its risks and opportunities.