The ISO standards world on the move
A standardized management system should address both business objectives and political commitments, and so lead to appropriate business performance. These objectives and commitments span many dimensions, from quality and environment through financial and safety to social aspects, and all of these areas must be aligned with each other.
With a growing wealth of information and increasing requirements, the design of efficient processes and a structured approach to risks are not becoming any easier; what is needed is a coordinated basis. ISO has reacted: management standards are successively being unified, with risk management in accordance with ISO 31000 increasingly included. This article is an interim report on the status of that work.
Unifications
The increasing number of management system standards (MSS) with different structures and system elements posed problems for companies applying several standards in an integrated manner.
Therefore, in 2012, ISO decided that in the future all ISO management system standards will be based on the same structure and elements, as well as on a set of identical core requirements. This is referred to as the High-Level Structure (HLS) for management system standards.
The high-level structure specified in the ISO guidelines (see reference 1) makes it easier for companies to create a multi-aspect and holistic integrated management system. Although individual clarifications of terms and procedures still need to be made, all recent ISO standards for management systems are based on the concept of risk-based thinking. A coordinated "ISO-MSS system" offering of this kind is now available for practical use.
Updated ISO guidelines
The 2018 revisions to the ISO guidelines now state that any new ISO document that contains risk management requirements or guidance for a specific product, process or sector must refer to ISO 31000 (2). ISO has thus taken a further step towards overcoming established duplications and moving towards coordinated structures and concepts. Management systems of different types, built on the respective ISO management system standards such as ISO 9001, ISO 14001 or ISO 45001, are based on the high-level structure (3).
The concept of risk management according to ISO 31000 can be integrated into the individual management systems on the basis of these standards or optimally used in a holistic integrated management system, the benefits of which are known to be considerable and numerous. For additional information, reference is made to the ISO handbook "The Integrated Use of Management Systems Standards (IUMSS)" (4). The many and varied ISO standards are constantly being further developed in the international committees independently of one another over time, and further sector standards are being added, cf. chart 1.
In practice, the required integration of risk management according to ISO 31000 into a historically grown management system also brings certain challenges. Even for the creator of the standards, it is sometimes difficult to keep track of the existing wealth of information, to separate fundamental structural considerations from sector-specific innovations, and to recommend specific practical implementations to users.
To simplify the required integration activities, experts from various ISO technical committees and interested business representatives are currently working together on an "International Workshop Agreement IWA 31". Beyond language and cultural differences as well as diverging business interests, there is a struggle for uniform terms and agreement on recommended procedures for the broad implementation of the ISO requirements.
The IWA 31 document aims to enable organizations to benefit by using ISO 31000 in their existing management systems, as well as to assist users in planning the implementation of an ISO 31000 management system in their organization. The publication of IWA 31 is expected in the course of 2019.
Elements of ISO 31000
ISO 31000 provides a common, systematic approach to managing all types of risks that organizations face throughout the life of the business. By applying the guidelines for determining risks, it ensures that management systems achieve their intended results, improve desirable effects, reduce undesirable effects and implement continuous improvement.
The integration of ISO 31000 into management systems can be done via the high-level structure. In order to achieve an effective and efficient integration and implementation of the ISO 31000 framework and process into other MSS, organizations should use the ISO 31000 principles as a basis.
The ISO 31000 framework needs to be merged with the other MSS-based management systems by applying a gap analysis, so that all ISO 31000 framework elements are incorporated into the management system functions and duplication and/or conflicts between them are avoided.
The ISO 31000 process should be adapted to the external and internal context of the company in such a way that it becomes an integral part of the management system, integrated into the structure, procedures and processes of the company.
Elements of the HLS system
The high-level structure with its elements (diagram 2) offers good possibilities for so-called horizontal and vertical integration of management aspects, and for risk management according to ISO 31000 that is inherent to the system, as one of the most important features of an integrated management system.
Vertical integration means the link between a company's strategy and its operations. Horizontal integration involves an integrated approach to assessing and addressing critical aspects for successful business operations, i.e. risks with a view to issues and developments in the context of the company and the needs and expectations of its stakeholders.
Risk management in the HLS system includes context analysis (issues, stakeholders), strategic and operational risk assessment, operational control (risk treatment), monitoring the effectiveness of controls and taking corrective action.
Context analysis refers to the company's strategies and objectives, which provide the framework for operational activities. In management reviews, top management assesses whether operations at the operational level are effective and contribute to the success and achievement of the company's strategic objectives. The cycle at the operational level is driven by policy implementation, i.e., the translation of policy into operational objectives. As a basis for establishing risk controls in the operational processes, the strategic context analysis is complemented by an operational risk assessment. Following ISO 31000, deviations from the expected, whether positive, negative or both, are taken into account here.
When there is new information or development that initiates or contributes to a relevant process or activity, a company should initiate risk identification immediately. Moreover, the structured assessment of risks enables appropriate treatment and provides a basis for increasing the effectiveness of the company's management system, achieving improved results and preventing negative outcomes.
With a management system in the high-level structure and the guidelines of ISO 31000, practitioners have the instruments for holistic integrated risk management at their disposal.