Risk Management in ISO 14001:2015 – What, why and how?

The 2015 revision of the ISO 14001 Standard, which will be released later this year, speaks of an extra reliance on managing and assessing risk, which will replace the current “preventive action” process employed by ISO-compliant companies. This change is designed to promote and provide an environment of continual improvement, which is at the heart of the ISO standards, but what does the term “risk prevention and management” mean to you and your organization?

Previously, we looked at the role of risk management in ISO 14001:2015 (see The role of risk management in the ISO 14001:2015 standard), but let us examine more carefully exactly what constitutes “risk” in terms of the 14001:2015 standard.

How do we define “risk”?

ISO 31000 is an ISO standard designed specifically to deal with risk management, and it defines “risk” as “the effect of uncertainty on objectives.” From that description, it is easy to envisage how any type of definable risk can have a negative effect on key performance indicators, which are effectively an organization’s “vital signs,” as well as a negative effect on the environment as a whole.


Risk can come in many forms: for example, financial uncertainty, project failure, security aspects, competition, technology problems, and the effect on the environment from operations carried out by your business, whether through waste produced, dangerous emissions, or energy consumption. Therefore, it is sensible that the ISO 14001 Draft International Standard seeks to add extra emphasis and importance to this aspect, which potentially affects every business and its impact on the environment. But how will these changes affect us and our Environmental Management System on a day-to-day basis?

Identifying “risk” within an Environmental Management System

Traditionally, most organizations have used risk assessment and preventive action to try and control environmental performance and prevent any aspects or risks becoming so tangible that they affect the company results, and critically, the environment. Risks should be identified in a similar fashion to quality or health and safety systems, using assessments of threats, impact, likelihood, vulnerabilities, and so on. In most organizations this would be the responsibility of the environmental representative, and in some cases that employee would be working almost alone to identify and mitigate risk against an organization’s environmental performance. The 2015 revision of the 14001 standard will change this in three critical ways:

  • Increased leadership from top management
  • Preventive action replaced by risk
  • The focus on risk prevention

Every organization needs a key risk assessment process and schedule as before, but input from top management is now desirable during this process, instead of potentially being left to one individual within the organization. Therefore, it should become normal for your top management team to play a much more active role in identifying where your areas of risk lie. Perhaps regular “risk identification” meetings with your management team would be a good idea? Or inviting a member of your top management team to your monthly or quarterly meetings to provide input on risk identification? This should provide a more accurate and complete picture of risk within your organization and your EMS.

The process of risk management and prevention should also be driven by top management, as opposed to the quality representative or EMS Manager, which should enable a broader scope of knowledge and ability to be brought to the risk prevention process. After all, it’s very possible that the Managing Director and EMS representative have different perspectives on what constitutes an immediate risk to your company, and this sharing of views is an improvement to your ability to identify and eliminate risks.

To learn about the reason why the risk assessment has replaced the preventive actions, read this article: The role of risk management in the ISO 14001:2015 standard.

How and when can I implement these changes?

Why not start now? If you already are ISO 14001 accredited, then you already have an established risk assessment and internal audit process. You can enlist the help and gain the commitment of your own management team by taking them through the changes explained above. Use them to brainstorm your perceived risks. Improve your risk management process on the basis of these discussions, as constant continual improvement is also key to the process. You can give risk management priority, in terms of time spent and brainpower, that preventive action did not receive previously in your Environmental Management System. In this way, you will be ready to comply with the new standard, while improving your business performance and removing risk to the environment at the same time. Surely that can only be a good thing for everyone.


Author
John Nolan
John Nolan is a Fellow of the Institute of Leaders and Managers in the United Kingdom, and Prince 2 accredited with a background in Engineering and Electronics and Data Storage and Transfer. Having studied and qualified as both a Mechanical and Electronic Engineer, he has spent the last 15 years designing and delivering Quality Systems and projects across many sectors in the UK, including both national and local government.