ISO 31000:2018 Risk Management – Accelerate Business Performance


The World Economic Forum describes the current competitive business landscape in a word: disruptive. How well an organisation approaches risk management in a climate of volatility can affect its ability to make robust and informed strategic decisions and achieve its objectives.

Download our FREE GUIDE ISO 31000:2018 How do I get started? where we investigate the 8 Principles that set out the requirements for a risk management initiative.

Traditionally, risk management played a supporting role at board level. However, over the past decade, organisations have adopted the view that risk management must be embedded in the general management of an organisation, and fully integrated across an enterprise with functions such as finance, strategy, internal control, procurement, continuity planning, human resources, and compliance.

Voices of stakeholders have become louder in their demand for transparency and accountability in managing the impact of risk, and evaluating the ability of leadership to embrace opportunities. The use of technology and economic globalisation have made risks increasingly entwined, placing even more emphasis on sound risk management within any organisation.

To keep pace with a rapidly evolving world and future threats, the International Organization for Standardization published a revised version of its Risk Management Standard in February 2018. Essentially, ISO 31000:2018 reflects the evolution of risk management thinking from a separate ‘siloed’ activity to an integrated management function. The overarching strategy of the standard is to embed risk management best practices on a micro-level within organisations so as to manage threats that stand in the way of enterprises achieving their objectives, and create value by finding and exploiting opportunity. This should grab the attention of anyone looking to gain competitive advantage, improve operations, or reduce costs within their organisation.

ISO 31000:2018 - Five Things to Know

1. It is clear and concise

The standard delivers a clear and concise guide to help all organisations manage risks. Risk management concepts are simply explained, giving diverse organisations and people the ability to access the tools that can drive change in order to protect and create value. ISO 31000:2018 is supplemented by ISO Guide 73:2009, a vocabulary index used to support ISO 31000:2018, and ISO 31010:2009 that focuses on risk assessment concepts, processes and the selection of risk assessment techniques. ISO 31000:2018 has been trimmed down to just 15 pages, and risk management principles reduced from 11 to 8, which streamlines the process for implementation.

2. It is easy to implement

All organisations make decisions that shape their future every day. ISO 31000:2018 provides guidance on how to manage uncertainty to meet objectives, and how to implement risk management to support strategic decision making. This promotes intelligent risk taking at all levels of a business. Risk management best practices promote critical thinking about the role of uncertainty in decision making, and encourage the identification, assessment, and treatment of uncertainty that can impact daily business activities. Small organisations with limited room for exposure to adverse internal and external risks now have the ability to access invaluable tools to create a tolerable risk environment and protect value.

3. It creates and protects value

Creating and protecting value is the central tenet of ISO 31000:2018. If processes are not adding value, they are simply adding costs. The standard helps enterprises improve performance by embedding risk management into all business decision-making processes and making risk-based thinking a daily activity.

4. It reinforces integration

Integration is mentioned throughout the standard. Here are a few examples:

  • Risk management should be part of the organisational purpose, governance, leadership and commitment, strategy, objectives and operations.
  • Properly designed and implemented, the risk management framework ensures that the risk management process is a part of all activities throughout the organisation.
  • The organisation should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
  • The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organisation.

5. It focuses on leadership

Support from top management is essential for successful implementation of the risk management framework and processes. Leadership support for risk management becoming a strategic planning and decision-making tool creates a risk aware culture at all levels of the organisation.

CONCLUSION

ISO 31000:2018 can help create and protect value for any organisation by providing a flexible framework. If individuals are given the tools to promote critical thinking on how uncertainty can impact meeting objectives then the organisation should see an increase in value from an integrated risk management framework.

Ready to get started?

Risk ZA is a leading provider of enterprise risk management training programmes, which aim to improve your business performance. Contact us on +27 (0) 31 569 5900, email info@riskza.com or visit www.riskza.com.


For more information or guidance on which ISO standard(s) and services would best suit the needs of your organisation, please email Risk ZA at info@riskza.com or contact us on 0861 Risk ZA / +27 (0) 31 569 5900.


ISO 14001:2015 – Internal Audits Drive Real Improvements

Confronted with dramatic environmental challenges, plus a slew of regulatory requirements, many organisations have implemented environmental management systems (EMSs). An ISO 14001:2015 based EMS is the most popular, used to meet compliance obligations, monitor environmental policies and procedures, manage resources and control environmental harms.

ISO 14001:2015 is a systems-based management tool centering around the Plan-Do-Check-Act method, which drives continual improvement. The standard outlines in Clause 9.2 that internal audits at set intervals are necessary to support the theme of continual improvement underpinning the management system.

The purpose of internal audits is to ensure that the organisation’s environmental policies, objectives, compliance obligations and performance requirements are met and recorded, and that any corrective action is taken where necessary.

DOWNLOAD FREE GUIDE

Our FREE Downloadable Guide How To Conduct An Environmental Management Systems Audit explores more about the ISO 14001 Environmental Audit process. You can get hold of it by clicking the button below.

What to expect from an ISO 14001:2015 audit

A key point to emphasise is that the intended outcomes of ISO 14001:2015 have not changed. The EMS must:

  • Protect the environment.
  • Meet compliance obligations.
  • Enhance environmental performance.

ISO 14001:2015 does, however, have a number of new requirements that will change the focus of an audit, which include:

  • Context of the organisation
  • Leadership
  • Planning
  • Support
  • Documentation
  • Operations
  • Performance evaluation
  • Improvement

ISO 14001:2015 - Clause 9: Performance evaluation

Performance evaluation is about measuring and evaluating an EMS to establish whether it meets the organisation’s planned outcomes. Evaluation provides valuable information for continual improvement by:

  • Evaluating the EMS’s effectiveness.
  • Establishing whether requirements of the standard are being met.
  • Verifying whether compliance obligations have been met.
  • Reviewing the EMS’s suitability, adequacy, effectiveness and efficiency.
  • Demonstrating that planning has been properly implemented.
  • Assessing the performance of processes against outcomes.
  • Determining the need or opportunities for improvement.

Monitoring, measurement, analysis and evaluation

Monitoring in the sense of ISO 14001 means checking, reviewing, inspecting and observing planned activities to ensure that they are occurring as intended. So, for example, if an operational control states that water quality will be inspected twice weekly, then this inspection is a monitoring process. Monitoring and measurement:

  • Evaluates environmental performance;
  • Analyses root causes of problems;
  • Assesses compliance with compliance obligations;
  • Identifies areas for corrective action;
  • Improves performance and efficiency.

The Internal audit programme

Unlike an audit schedule or audit plan, an audit programme covers the full life-cycle of auditing: from the very decision to use audit as a tool, through planning and initiating the audit, performing it, reporting and follow-up, to improvement of the entire programme and its constituent parts.

All parts of the EMS should be audited at least yearly; this is typically dealt with in an annual audit schedule. The entire EMS can be audited at once, or in parts for more frequent audits. To establish the frequency of EMS audits, consider:

  • The nature of your operations;
  • Risks and opportunities;
  • Statutory and regulatory requirements and compliance obligations;
  • Significant environmental aspects / impacts;
  • Results of your monitoring programme;
  • Results of previous audits.

There are two principal considerations when auditing:

Compliance/conformance audits – ensure that management arrangements, like procedures, are being followed in order to comply with the requirements of ISO 14001.

Performance audits – ensure that the outputs of the management arrangements are achieving their intended outcomes. For example, checking that the engineering controls applied to mitigate air pollution are achieving the legal limits.

ISO 14001 demands an approach that combines both a compliance/conformance and a performance approach to auditing.

Who should perform an environmental audit?

ISO 19011:2018 – Guidelines for auditing management systems – contains information on how to choose an Environmental Auditor. Environmental Auditors should have personal attributes, such as ethics, open-mindedness, perceptiveness and tact. They should understand audit principles, procedures and techniques, and have gained experience by conducting audits. They should know the subject matter they are auditing against and how this applies to different organisations.

Audit Team Leaders should be able to plan and resource effectively, and have good communication and leadership skills. Environmental Auditors should complete training and have attained an appropriate level of education. When seeking an External Auditor, consider the skills outlined here.

Auditor qualifications

All auditors need to receive initial and ongoing training. EMS auditors should be trained in auditing techniques and management system concepts, environmental regulations, and facility operations. For performance audits, an auditor needs to have a good understanding of the standard and the EMS, and a broad understanding of environmental issues. Auditors should be reasonably independent of the area or activity that is being audited and can definitely not audit their own work.

An effective audit programme should:

  • Develop audit procedures and protocols.
  • Establish an appropriate audit frequency.
  • Train auditors.  
  • Maintain audit records.
  • Link audit results to the corrective action system.

NEW! ISO 19011:2018: Guidelines for auditing management systems

Auditors are the ears and eyes of top management because they can provide an independent appraisal of an organisation’s operations and activities. In addition, a skilful auditor will add value to a management system by finding opportunities for improvement. It’s important to note that ISO 19011:2018 has significantly raised the bar on what constitutes the essential competencies that management-systems auditors need to possess or acquire.

Revisions to ISO 9001:2015 (QMS), ISO 14001:2015 (EMS), and ISO 45001:2018 (OH&S) are all based on Annex SL of ISO Directive 1, the ISO High Level Structure. Consequently, ISO 19011 includes an annex to deal with how to audit organisational context, leadership and commitment, compliance and the supply chain, amongst others. The new standard will help with the effective audit of these management systems and facilitate a uniform approach to the auditing process where multiple systems are in place.



ISO 45001:2018 – How to become an OHS Auditor


ISO 45001:2018 has been heralded as a ‘game changer’ in the world of voluntary safety management standards. Earlier this year, ISO 45001 was approved by voters of countries from around the world, and has been praised by the American Society of Safety Professionals as a ‘watershed moment’. It is one of the most significant developments in workplace safety over the past 50 years, presenting an opportunity to move the needle on reducing occupational health and safety risks.

The addition of ISO 45001 to the suite of ISO management system standards reinforces that Occupational Health & Safety is a key area of business performance for organisations, and that OH&S is about a lot more than legal compliance. When it is well integrated into the management of an organisation, good OH&S management is an enabler and an asset for a business rather than a cost.

To assist you in understanding the requirements for an ISO 45001:2018 OHS Management System Auditor, we have created a free guide with points from ISO 19011:2018: 10 STEPS TO AUDITING AN ISO 45001:2018 OHS MANAGEMENT SYSTEM.

Key considerations in the new standard

  • Setting the organisational context. Organisations will have to look beyond their own health and safety issues and consider what society expects from them, in regard to health and safety issues.
  • Increased top management accountability in a number of areas.  
  • Worker engagement. Siloed management systems have hampered effective OH&S management, and in respect of ISO 45001 workers need the opportunity to contribute and participate in all aspects of the Health & Safety Management System.  
  • Communication and risk management. ISO 45001 requires that risks and opportunities be established with all workers as part of the planning and implementation process of an OHSMS and that consultation be ongoing.

Auditing of Occupational Health & Safety management systems forms an important part of the process to demonstrate continual improvement. Continual improvement is a core component of every ISO management system. ISO 45001 further refines this, and ‘preventive action’ now becomes a distinct concept of the system as a whole. This means organisations will need to adopt a systemic approach for measuring and monitoring OH&S performance and compliance on a regular basis, as an integral part of the management system function.

Auditors needed for ISO 45001 OHS Management systems

As more organisations move towards seeking validation of their management system against ISO 45001, the demand for auditors will continue to rise. Whether you are new to safety management systems or transitioning from OHSAS 18001, the journey towards becoming a competent ISO 45001 auditor begins by becoming familiar with:

  • The high level structure for management systems based on Annex SL and how this affects auditing.
  • The new requirements for understanding the organisation and its context and how they may be audited.
  • The new and enhanced requirements for leadership and worker participation and how this affects auditing.
  • Risk-based thinking in an OHSMS and how this extends to requirements for risks and opportunities and how these may be audited.
  • The changes from a procedural approach to a process approach and how they may be audited.
  • How to adapt your auditing technique to accommodate the new and amended requirements in ISO 45001:2018.
  • Migration time frames for ISO 45001 and their impact on existing OHSAS 18001 certified organisations.

How can Risk ZA assist you?

To encourage the internal and supplier auditing functions, Risk ZA has developed a practical 2 Day ISO 45001:2018 Auditing course. The course provides the theoretical and practical knowledge of OHS auditing required to determine the conformance of the management system arrangements and their performance, based on outcomes. Delegates complete practical exercises and other assessments which relate to the requirements of ISO 45001:2018, hazards and other significant factors which influence the organisation’s OHS performance.

Persons attending this course will be able to facilitate internal Occupational Health & Safety management system audits based on the ISO 45001:2018 Standard and the ISO 19011 Standard for management system auditing. They will be able to plan and facilitate audits, set and recommend corrective actions, and follow up and close out audit findings.

This course is recommended for Occupational Health and Safety Practitioners, Line Managers, Supervisors, and Management.

Download our free guide

Uncover the tools necessary for an ISO 45001:2018 Auditor by downloading our FREE downloadable guide: 10 STEPS TO AUDITING AN ISO 45001:2018 OHS MANAGEMENT SYSTEM


ISO Standards Provide the Foundation for Building Customer Relationships


The aftershock of the global debt crisis set the scene for a change in public sentiment towards big business. Since the credit crunch, house prices have fallen, consumer confidence has plummeted, taxes and prices have increased, and unemployment has risen.

The international organisation GlobeScan’s research shows that public trust particularly in banks and oil companies is ‘deep in negative territory’, and the top two issues banks need to address to regain trust are operating ethically and improving customer / online services.

In 2011 former Nokia CEO Stephen Elop wrote his famous Burning Platform memo, in which he lamented missed opportunities and indicated multiple strategic challenges to the mobile phone company. Distilled, the lesson of the burning platform is that it is far better to anticipate the crisis and change your behaviour long before the explosion.

In these uncertain times, operating ethically and building trust with your customers and stakeholders is vitally important for the long-term success of your organisation.

What lies at the heart of public scepticism?

In the run-up to the debt crisis, traders and investment bankers focused on selling customers financial products, particularly subprime mortgage loans. Whether the client or borrower defaulted was of little interest to banks. These groups were interested in lining their pockets and not in building long-term relationships with clients. Bank executives and managers, too, focused on sales and bonus targets rather than thinking of long-term performance and sustainability.

When the US subprime mortgage catastrophe began unravelling, the world entered a global financial crisis. In the wake of 9 August 2007, panicking customers queued to withdraw their savings and the first bank run in years began. With default a real possibility, investors began demanding higher yields for bonds issued by Portugal, Ireland, Italy, Greece, and Spain. As a result, Spain’s housing market collapsed, Greece’s economy imploded and Ireland slid into recession.

The depth and duration of the financial crisis shook investor confidence and waves of violent protests swept through Europe.


Tighter liquidity following the debt crisis undoubtedly severely constrained South Africa’s economy, but government corruption compounded the problem, resulting in sluggish growth, company closures, unemployment and deepening poverty. Deviant conduct is so entrenched within institutions of government that it threatens their survival.

In what seems to be another instance of too little too late, treasury is hastily attempting to restore voter confidence ahead of elections by financing a commission of inquiry into state capture and stabilising state-owned enterprises (SOEs) hollowed out from years of poor governance, procurement irregularities and fraud.

“We are working on rebuilding trust in public institutions,” Finance Minister Nhlanhla Nene proclaimed before the standing committee on finance in Parliament on Tuesday 8 May.

Customer trust is hard won and easily lost

But it’s not only bank executives, politicians and their cronies who are guilty of such transgressions.

In what has become known as the ‘meat-scandal’, big name South African supermarket brands were tarnished when they were caught stocking incorrectly labelled meat products. Tested meat samples revealed ingredients not listed on product labels, including donkey, water buffalo, goat and pork meat. This not only violated food-labelling regulations, but presented religious and ethical concerns for the Jewish and Muslim communities.

Shortly before the supermarket ‘meat-scandal’, a Cape Town based importer admitted to re-labelling kangaroo meat from Australia and water buffalo meat from India as halal, causing outrage in the Muslim community.

Internet giant Facebook is embroiled in a world of trouble as the US federal government investigates the sharing of users’ private information with Cambridge Analytica and others unknown, while auditing firm KPMG South Africa recently appointed new board members in an attempt to restore trust after its involvement with the politically-connected Gupta family.


Iraj Abedian, CEO at Pan-African Investments and Research Services, commented in a press statement that:

“KPMG has to come clean before it can win back the trust of society. Changing a few characters around before coming clean is ignoring and not dealing with the issues.”

Barclays Africa, one of the continent’s largest banks, is the latest of several big corporate clients to announce that it will no longer be using KPMG auditing services. In a statement to the press on May 3, the bank announced:

“ongoing and more recent developments were evaluated by the board, which decided that it can no longer support the reappointment of KPMG”.

Customer trust is priceless

We all know how Twitter, Facebook and other social media networks can sink a product range, taint a brand’s image or batter an organisation’s reputation in a matter of minutes. It can take just one disreputable supplier, or one perceived hypocrisy, and marketing spend goes up in smoke.

Consumers frame their opinions around green and ethical claims made by organisations from what they read on social networks and trust the opinions of friends, family and people in the community in product-purchasing decisions above all advertising and marketing efforts.


“The power relationship between people and brands has forever changed because of social networks.” – Dion Chang, Flux Trends.

American management expert, Dr. Gary Hamel puts five issues at the centre of whether a business will thrive or fail in the years ahead: values, innovation, adaptability, passion and ideology.   

Of all these challenges, the issue of trust is the one most open to change in the short term.

ISO Standards provide a foundation on which to build trust

Rigorous corporate and sustainability standards and third-party certification are important foundations that can chip away at consumer and stakeholder scepticism and build trust.

“I believe standards instil trust. Standards are no longer about product differentiation but about creating a uniform experience that gives your customers confidence in your products and services.” – Datuk Fadilah Baharin, Director General, Department of Standards Malaysia.


How can ISO standards help?

Maintaining a social license to operate

As powerful influencers, organisations can act as agents for societal change. The ISO 26000 publication, Guidance on Social Responsibility, helps organisations understand the principles of SR, and addresses questions such as what SR means, the types of issues an organisation needs to address, and best practice.

Ethical Environmental Behaviour

More consumers are selecting products that are produced respecting environmental standards. The ISO 14000 family of standards provides practical tools for organisations of all kinds to manage their environmental responsibilities.

Food Fraud & Food Safety

Food supply chains are complex, creating more opportunities for criminals to practise food fraud and affect food safety. The ISO 22000 Food Safety Management System helps organisations produce safe food and gain the trust of customers.

Inspire a customer-centric culture

The quality of a product is about whether or not it meets customer requirements. The ISO 9001:2015 Quality Management System redefines quality by changing focus from adhering to product specifications and requirements to meeting customers’ expectations and satisfaction.

Prevent Corruption

ISO 37001, Anti-bribery management systems, is designed to help organisations implement effective measures to prevent and address bribery, and instil a culture of honesty, transparency and integrity.

Proactively Protect Customer Data

Securing third party data is a legal imperative. The ISO/IEC 27000 family of standards helps organisations keep information assets secure. ISO/IEC 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).

Deliver transparency in products

Millennials are front and centre of the ethically conscious consumer trend. The ISO 20400:2017 Standard can be used to improve supply chain transparency. Embedding sustainability requirements has been shown to cause a so-called green bullwhip effect, whereby those requirements become a signal that then transfers vertically down a supply chain from buyer to distributor to assembler to manufacturer.

In Conclusion

In addition to offering ISO standards training and consulting services, Risk ZA has key expertise in Governance, Risk and Compliance (GRC) Management Systems, which are essential controls for corporate success and relationships of trust with customers and stakeholders.
