On 13 November 2009, the International Organization for Standardization (ISO) issued the international standard ISO 31000:2009 – Risk Management. This international standard recommends the development, implementation and continuous improvement of a risk management framework as an integral element of organisations’ management systems. The development of ISO 31000 is grounded in the Australian and New Zealand Risk Management Standards, AS/NZS 4360:2004.
For over 5 years now, Enhesa has been offering its customers the possibility of using risk management metrics as part of Enhesa’s EHS regulatory compliance audit ScoreCard. The Enhesa risk management metrics were based, in part, on the Australian standard and are in line with the ISO 31000:2009 standard.
How does ISO 31000 define risk?
Under ISO 31000, risk is defined as the effect of uncertainty on objectives. For example, risk is not the chance of a hoist breaking, but the chance that a crash will disrupt or affect the organization’s objectives. In the past, risk has been regarded as a negative concept that organizations should try to avoid or transfer to others. Today, if an organisation understands risk and how it is caused or influenced, it will be able to ‘treat’ the risk so that it increases the likelihood of achieving or even improving its objectives.
ISO 31000 is a practical document that seeks to assist organisations in developing their own approach to the management of risk. It is not a standard for which organisations can seek certification. ISO 31000:2009 comprises the core elements of the risk management process, which are:
– communication and consultation;
– establishing the context;
– risk assessment (comprising risk identification, risk analysis and risk evaluation);
– risk treatment; and
– monitoring and review.
How are risk management metrics built into Enhesa’s ScoreCards?
For each audit finding, the Enhesa ScoreCard prompts the auditor to perform a risk assessment. The risk assessment is based on exposure, likelihood, and consequence. Exposure is about identifying under what circumstances and how often there are situations where things could go wrong. Likelihood is about assessing how likely or unlikely it is that such things could go wrong. Consequences are about determining what happens if such things go wrong.
The risk is to be assessed in terms of:
– environmental risk (damage to the environment),
– health risk (damage to worker health and public health in general),
– safety risk (damage to the facility, production process, equipment, raw materials, neighboring property), and
– business risk (damage to the capability of producing, capability of selling the product, or corporate reputation in general).
Most of the audit findings will involve a combination of the four risks, of which the highest is retained for the overall assessment. What makes the Enhesa ScoreCard unique is that it provides an intuitive menu-driven tool for the auditor that uses a weighted calculation in the background to determine the level of risk. The experience gained by hundreds of auditors at thousands of audits has resulted in some minor adjustments over the years to further refine the tool. Minor variations in perceptions of auditors have little or no impact on the ultimate risk ranking for each finding.
The use of the risk factor in the Enhesa ScoreCard comes on top of the compliance factor, together with the system factor and the cost factor. The use of the four factors puts the findings into perspective and allows companies to focus scarce resources where they are most needed.