One of the key components to establishing a management system is the determination of risk. This is true whether it is an OHSMS system for occupational health and safety, an EMS system for the environment, or a QMS for quality.
Before risk can be determined, the organization’s processes must be identified. There are basically three types of processes to identify:
- revenue generating processes (sometimes called customer oriented processes, or COPs);
- revenue depleting processes (sometimes called support oriented processes, or SOPs); and
- the ISO processes (sometimes called management oriented processes, or MOPs), for example document control, management review, communication, product realization, etc.
The identification of processes is a formal statement of what the organization does and, along the way, what risks it generates that could impact a customer, the environment or occupational health & safety.
Think of the famous “turtle model” used as a tool for understanding a process (see our Resource Library under “Process Control and Improvement”). There are inputs, activities, outputs and the four paddles: Who, Resources, Documents and Monitoring/Measuring. At the core of the Turtle model are the activities that are used to change inputs into outputs. These individual activities may each present a risk. Sometimes the risk is failing to meet customer needs, sometimes failing to protect the environment, and sometimes failing to prevent injury and ill health.
OHSAS 18001 and ISO 14001 have always been looked upon as risk-based standards. ISO 9001 has not been defined as a risk-based standard (even though it is), but that is about to change with the arrival of the revised ISO 9001 standard expected in 2015, which demands much more assessment of risk. So looking into the future, all the standards will define a requirement to identify processes and then to identify the risks within those processes.
OHSAS 18001:2007 defines risk as “combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s).”
Similarly, ISO 14001:2004 requires an organization “to determine aspects it can control or influence and to determine those which have or can have significant impact” (i.e. determine the actual or potential risk to the environment).
ISO 9001:2008 requires an organization to “determine criteria and methods needed to ensure that both the operation and control of these processes are effective” (i.e. determine risks to customers and put controls in place to manage these risks).
So, clearly, all three standards require an organization to address risks.
Furthermore, if you delve deeper into the standards, all three standards require that you manage change. That is, to:
- Identify any potential risks that may arise from making a change in either process (e.g. activities, products or services) or in procedures or work instructions; and then
- Put controls in place to prevent any negative impact to either quality, environment or OH&S depending on which standard(s) you are meeting.
The standards all require an organization to meet “requirements”, which could be any combination of the following:
- statutory and regulatory (including other requirements to which the organization subscribes);
- customer requirements;
- an organization’s own requirements; or
- the “ISO” standard requirements.
There are risks to an organization in not knowing and/or meeting those applicable requirements. All three standards require controls to manage risk to be able to meet the requirements.
Let’s visit the Policy Statements for these standards.
- The Quality Policy Statement requires a “commitment to comply with requirements” and a “commitment to continually improve”.
- The OHSAS Policy Statement requires four commitments:
  - a commitment to prevention of injury and ill health;
  - a commitment to continual improvement of OH&S management and of OH&S performance;
  - a commitment to comply with applicable legal requirements; and
  - a commitment to comply with other requirements to which the organization subscribes.
- The Environment Policy Statement also has four commitments:
  - a commitment to continual improvement;
  - a commitment to the prevention of pollution;
  - a commitment to comply with applicable legal requirements; and
  - a commitment to comply with other requirements to which the organization subscribes.
The Policy Statement for each of the three standards actually drives the whole system. Everything an organization establishes – all the procedures and all the work instructions – is designed to meet the commitments laid out in the Policy Statements. In other words, the whole management system is built to meet the policy commitments.
In order to meet these commitments, the organization is required to identify the risks that could keep it from meeting those commitments and then put in place the appropriate controls.
- OHSAS 18001 and ISO 14001 state this very clearly in Operational Controls where there is a sentence that specifically states: “the organization must establish, implement and maintain documented procedures to control situations where their absence could lead to deviation from the policy and objectives.”
- ISO 9001 states a need for controls in section 4.1.
To sum it all up, an organization needs to identify its processes, then identify the activities within those processes that present a risk to the organization’s ability to meet requirements, and finally put controls in place to ensure those risks are managed.
Once the processes and risks are defined, then competency requirements can be identified, monitoring and measuring activities can be established, and areas to audit can be scheduled as well as the rest of the components of the standards. But the key to building a sound management system is the identification of risk related to processes.