Risk Management Across Different ISO Standards

Mar 24, 2025

Navigating Risk in ISO Standards: A Quick Guide

Risk management is a big aspect of many ISO management systems. It's a core principle and even has its own dedicated standard – ISO 31000 (2018). ISO 31000 provides principles and guidelines for managing risk across your entire business and looks at how you identify, analyse, evaluate, treat, monitor and communicate those risks.

Intense right? I already know how exhausting the thought of doing this yourself can be!

But don’t get too stressed out. You don’t have to apply the same crazily detailed assessments for all the different ISOs, but you do need to have something in place. What we like to suggest is that you have assessments that are effective at meeting the requirements but are still efficient enough to be practical and not cause brain aneurysms.

As it’s a core principle across the various ISOs, ensuring that organisations can identify, assess and mitigate risks is important. Whether in quality management (ISO 9001), information security (ISO 27001), environmental management (ISO 14001) or occupational health and safety (ISO 45001), risk-based thinking is essential to achieving compliance. Let’s do a quick breakdown of how risk management applies to the common ISO standards and how you can go about scoring the risks you find.

The Role of Risk Management in ISO Standards

ISO 9001: Quality Management System (QMS)

ISO 9001 currently requires organisations to adopt a ‘risk-based’ approach to quality management (this might change in the planned update, but we can’t say for sure right now, so we’re basing this off the 2015 edition). Clause 6.1 says that you need to identify risks and opportunities that can impact the intended outcomes of the QMS. Risk management in this context focuses on preventing non-conformities and improving customer satisfaction. You don’t actually need to document your risks for 9001, so long as you know what they are and have processes in place to control them.

Practically speaking, this means that if you talk through your risks with an assessor and then show you’ve put controls in place, such as goods in/out checks or peer review on what you are selling, and you aren’t getting huge numbers of issues, then you should be okay.

ISO 14001: Environmental Management System (EMS)

On the other hand, ISO 14001 differs from Quality: sections 6.1.1 and 6.1.2 lay out the groundwork that you are actually required to document your risks and opportunities. These need to be based on your operations, their environmental aspects, the expectations of your interested parties, legal compliance and anything else you can think of that’s relevant. BUT, only the environmental impacts. So, how you dispose of waste electronics should be a risk in there, but you don’t need to include risks like someone slipping on spilt boiling water in the kitchen.

Some risks can fall into multiple categories. A paint spillage is primarily going to be a health and safety risk (slips and trips), but depending on the kind of paint it could also be environmental: some paints you can’t just wash down the drain as they can be poisonous to wildlife. In that situation you’d need to bag the paint, along with any paper towelling or spill kit materials you used, and then potentially dispose of it all as hazardous waste. This does of course depend on how your waste processor wants to handle the paint; some county councils require specialist waste processes, while others may tell you that it’s fine to put paint in the general waste provided it’s completely dried out. We’d recommend you check with them though.

ISO 27001: Information Security Management System (ISMS)

Risk assessment within information security is another pretty big one. There’s a requirement for you to document the risks you identify along with how you’ve mitigated them. ISO 27001 differs a bit from the others because we also have the glorious Annex A in place. For those who don’t know, Annex A is a series of controls that you need to respond to within your documentation. These controls look at how you should manage your organisational structure, the people who can impact your org, the physical aspects of your org and the technological structure within your work.

Because you have to respond to Annex A, a great way of hitting two birds with one stone is by linking your risk assessments to the Annex and vice versa. For example, a potential risk to your business’s information security is people having access to information that they shouldn’t have. This links up with multiple controls, primarily ‘A.5.18 Access Rights’. This control says that you need to have a process in place for issuing, reviewing, managing and removing someone’s access to information as needed within the organisation. So, the risk is people having uncontrolled access, and the control to mitigate this risk would be to implement an access control system that you regularly review. You can then also tie this into how you classify and label information, as these can make how you define access a bit easier, and so on.

ISO 45001: Occupational Health & Safety Management System (OH&S MS)

ISO 45001 focuses on identifying hazards and risks related to workplace safety. Thankfully there is a logic to the madness within most standards, so ISO 45001 follows a very similar structure to 9001 and 14001. The risk assessment sections in this standard are also 6.1.1 and 6.1.2, and like ISO 14001 you are required to document your risks. The intention is that you identify risks with the aim of preventing work-related injuries and illnesses, ultimately ensuring a safe work environment.

6.1.2 has a good list of areas to consider when thinking about where risks could present themselves. It ranges from your processes and the equipment you use to things that can contribute towards increased risk, such as social factors in the workplace – workload, excessive hours, bullying, etc.

When generating and reviewing these risks you will also need to get your workers involved. ISO 45001 includes clause “5.4 Consultation and participation of workers”: non-managerial staff need to be able to have some input into the risks that are identified, and to be fair they are also the ones most likely to be exposed to those risks. This is also a legal requirement under the Health and Safety at Work Act 1974 (in the UK).

ISO 31000: Risk Management - Guidelines

As mentioned above, ISO 31000 provides a generic framework applicable to all types of risk. It sets principles and best practices for risk identification, assessment, treatment, monitoring and communication. Basically, it does what it says on the tin.

How to Score Risks in ISO-Based Risk Management

There is no definitive model or required structure to risk assessments or to risk assessment scoring within the ISO standards I’ve mentioned. They just aren’t that prescriptive.

They just want you to ‘effectively manage the risks’, and they say that your assessment method needs to be structured and use a consistent scoring methodology.

This typically involves the following steps:

1. Identify Risks

As we already covered, each ISO looks for risks within a specific context, so you should ideally keep your assessment on point and flag the risks that are relevant to the standard you are going for. Brainstorm (or mind-map if you want) what your processes and procedures are, look at historical issues/data, and don’t forget to account for the human factor.

2. Assess Risk Likelihood and Impact

Once identified, risks must be evaluated based on their likelihood (probability of occurrence) and their impact (severity of consequences), then you multiply one by the other to get a score. A common method for doing this is a risk matrix; some people like to use number scoring for likelihood and impact. I’ve even seen someone use a 10 x 10 grid, but I’ve not yet found someone who can tell me what the tangible difference is between a score of 87 and 85. There is no requirement to use numbering; a lot of people also just use Low/Medium/High like below, but numbers and colour-coded risks can be helpful.

3. Establish Risk Criteria

With your risks scored, what you then need to do is decide what score you consider acceptable; this will be your defined threshold or risk tolerance. Anything above that score needs to be addressed using controls or ‘Risk Treatments’.

4. Implement Risk Treatment Measures

You’ve got your threshold/tolerance level and your risks are scored; now you need to address and treat those risks. You should consider this hierarchy to determine the appropriate response (see image):

5. Monitor and Review Risks

Risk assessments must be ongoing, so make sure you are having regular reviews to check the effectiveness of your controls. The ISO standards require periodic audits and management reviews that look at your existing risks and any possible new ones, so make sure you are reviewing them all at least once annually, but ideally more often!
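Pulling the five steps together, here is an added example (not from this post, and not prescribed by any of the standards) of a small risk register in Python. It scores each risk as likelihood x impact on an assumed 1-5 scale, bands the product as Low/Medium/High with assumed cut-offs, flags anything scoring above an assumed tolerance of 8 for treatment, lets you re-score a risk once its controls are in place (the A.5.18 Access Rights example from the 27001 section above is used for this), and marks any risk not reviewed within a year as overdue. The sample risks, scales, bands, tolerance and review dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed 1-5 scales for likelihood and impact (the post does not mandate any
# particular scale); the score is the product, so it ranges 1-25.
SCALE = range(1, 6)

# Assumed Low/Medium/High bands over the 1-25 product score.
BANDS = ((4, "Low"), (12, "Medium"), (25, "High"))

# Assumed risk tolerance: anything scoring above this still needs treatment.
TOLERANCE = 8

# "Today" for the review check, taken from the post date.
TODAY = date(2025, 3, 24)


@dataclass
class Risk:
    ref: str
    description: str
    standard: str                                   # which ISO context the risk sits in
    likelihood: int                                 # inherent, before any controls
    impact: int
    controls: list = field(default_factory=list)    # e.g. Annex A references
    residual_likelihood: Optional[int] = None       # re-scored after treatment
    residual_impact: Optional[int] = None
    last_reviewed: Optional[date] = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact,
                  self.residual_likelihood, self.residual_impact):
            if v is not None and v not in SCALE:
                raise ValueError(f"{self.ref}: score {v} is outside the 1-5 scale")


def score(likelihood: int, impact: int) -> int:
    """Step 2: likelihood multiplied by impact."""
    return likelihood * impact


def band(s: int) -> str:
    """Map a product score onto the assumed Low/Medium/High bands."""
    for upper, name in BANDS:
        if s <= upper:
            return name
    raise ValueError(f"score {s} is outside 1-25")


def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Score after treatment; falls back to the inherent score if not re-scored."""
    if r.residual_likelihood is None or r.residual_impact is None:
        return inherent_score(r)
    return score(r.residual_likelihood, r.residual_impact)


def needs_treatment(r: Risk, tolerance: int = TOLERANCE) -> bool:
    """Steps 3 and 4: anything still above the tolerance needs (more) treatment."""
    return residual_score(r) > tolerance


def review_overdue(r: Risk, today: date = TODAY, max_age_days: int = 365) -> bool:
    """Step 5: never reviewed, or reviewed more than a year ago."""
    return r.last_reviewed is None or (today - r.last_reviewed).days > max_age_days


def build_register() -> list:
    """Constructed sample register built from the risks mentioned in the post."""
    return [
        Risk("R1", "Staff keep access to systems after changing role or leaving",
             "ISO 27001", likelihood=4, impact=4,
             controls=["A.5.18 Access Rights: joiner/mover/leaver process, quarterly review"],
             residual_likelihood=2, residual_impact=4, last_reviewed=date(2025, 1, 15)),
        Risk("R2", "Waste electronics put in the general waste",
             "ISO 14001", likelihood=3, impact=3),
        Risk("R3", "Paint spill in the workshop (slips; possible drain contamination)",
             "ISO 45001 / ISO 14001", likelihood=2, impact=3,
             controls=["Spill kit", "Bag and dispose as hazardous waste per processor guidance"],
             last_reviewed=date(2023, 11, 1)),
        Risk("R4", "Scald from spilt boiling water in the kitchen",
             "ISO 45001", likelihood=2, impact=2, controls=["Kettle lid, signage"],
             last_reviewed=date(2025, 2, 3)),
    ]


def register_report(risks, tolerance: int = TOLERANCE, today: date = TODAY) -> list:
    """One row per risk, highest residual score first, so you can prioritise."""
    rows = [{
        "ref": r.ref, "standard": r.standard,
        "inherent": inherent_score(r), "residual": residual_score(r),
        "band": band(residual_score(r)),
        "treat": needs_treatment(r, tolerance),
        "review_overdue": review_overdue(r, today),
    } for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


if __name__ == "__main__":
    for row in register_report(build_register()):
        print(f"{row['ref']} {row['standard']:<22} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['band']:<6} "
              f"treat={row['treat']} review_overdue={row['review_overdue']}")
```

Running it lists R2 (waste electronics, score 9, no controls yet) at the top as needing treatment, shows R1 brought from 16 down to 8 by the access rights process and therefore sitting at the tolerance, and flags R2 and R3 as overdue for review. The point of keeping both an inherent and a residual score is that step 5 has something concrete to check: if a control stops working, the residual score should go back up.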

Conclusion

Risk management is a core aspect of the ISO standards, and it can help you anticipate threats and opportunities.

Use a structured approach to risk identification, assessment and treatment. This will improve how your business works and will help with your legal compliance, business resilience and operational effectiveness. Ultimately, implement a risk scoring system that works for you so that it helps you prioritise your risks appropriately.

If you’d like any help with your ISO journey then please drop us a message as we’re here to help make sense of certification.
