Attachment: iosh 31000.pdf (ISO 31000 for EHS professionals, 964 kB)

Further to Sean's article of November 2012, see the attached copy of the presentation given to the IOSH Eastern District in April 2013.



Sean Coleman discusses the ISO 31000 Risk Management Standard in the context of EHS professionals in a recent article in Health and Safety Review Magazine.

ISO 31000 Risk Management – Principles and Guidelines is an international non-certifiable standard providing users with principles, a framework and a process for managing risk, which often prompts the question: where does it fit with ISO 14001 and OHSAS 18001?

Chartered safety practitioner Sean Coleman, a co-author of the NSAI's guidelines on ISO 31000, examines and explains the relationship between the three standards.

In ISO 31000 risk is defined as "the effect of uncertainty on objectives". Note that risk here is meant in the most general sense. Organisations face risks well beyond the EHS spectrum, and it will be interesting, if not essential, to see how risk might be regarded and managed on an organisation-wide basis.

Understanding ISO 31000

ISO 31000, published in November 2009, seeks to provide organisations with guidelines on the principles and the effective implementation of risk management (RM). It is designed for a wide range of RM practitioners, experienced or novice, and for those responsible for RM oversight who are interested in developing and/or benchmarking their organisation and its practices against a recognised international reference.

There are also two associated standards:

  • Vocabulary for Risk Management (ISO Guide 73), which provides definitions of generic terms related to RM, and
  • Risk Assessment Techniques (IEC/ISO 31010), which provides guidance on the selection and application of systematic techniques for risk assessment (in the widest sense).

ISO 31000 is very similar in approach to other management standards in that it follows the Plan Do Check Act (PDCA) cycle with the usual focus on continual improvement. EHS practitioners will be familiar with the OHSAS 18001 Health & Safety and ISO 14001 Environmental standards, which themselves closely follow the format of the earlier quality standards. ISO 31000 is therefore evolutionary and at the same time complementary to other standards. It is a standard/guideline that acts as the mothership for the many other risk-related standards, e.g. EHS, IT, BCP, emergency and crisis management. Moreover, it provides guiding principles and structure (see Fig 1 below) to those who oversee risk throughout the organisation and wish to aggregate risk in a common language. If used sensibly, the standard's greatest attribute should be balanced decision making that takes account of both threat and opportunity.


One significant difference for most EHS professionals is the definition of risk. Risk is defined as "the effect of uncertainty on objectives". An effect is a deviation from the expected, positive and/or negative. Safety professionals are more used to rating negative consequences, looking for threats rather than opportunities. ISO 31000 helps us to think in terms of the upside as well as the downside. The term "source" (of risk) is used rather than "hazard" to avoid a negative connotation. Risk is seen as neutral.

Application: when and by whom

ISO 31000 can be applied in a given context, for example a project, a division, a function or the organisation as a whole, and has been developed to be generic and not specific to any industry or sector.

It is likely (but certainly not necessary) that an organisation will already be implementing a range of management systems (certified or otherwise) before it sees the need for, or embarks upon, the implementation of ISO 31000 or part thereof. Some organisations that are more risk mature will readily see the need for integration of systems, whilst others will tread more carefully. Risk maturity at the highest level requires integrated RM across the business and at all levels. For those at the lower end of risk maturity, typically a silo approach, it will be of interest to see what RM best practice looks like and what such organisations might aspire to over time.

At board and senior management level there is increasing pressure to provide a common risk language and approach across all areas. For example, the probability and impact of poor succession planning, a human resource risk, may compete for resources with a natural catastrophe risk such as flooding at the main premises or at a key supplier. If different risk criteria are applied in each area, senior management will struggle to allocate resources based on priority.


Be warned: ISO 31000 does not itself prescribe risk assessment methodologies, but it does reference the associated standard Risk Assessment Techniques (IEC/ISO 31010) mentioned above. This allied standard describes and discusses the pros and cons of different techniques, many of which will be familiar to practitioners in the EHS field. As an aside, see also EEC, Review of Techniques to Support the EATMP Safety Assessment Methodology, which considers hundreds of methodologies.

ISO 31000 sets out a framework and process (Fig 1 above) but gives considerable latitude in application. For many organisations it will be interesting to see how much of the framework and process is already in place and how far they have to go to meet the standard. Essentially, they need to carry out a gap analysis.

When we think of the voluminous paperwork usually associated with EHS management systems, we can begin to imagine the bulk associated with a large or complex organisation. Appropriate software is likely to come into play once the limitations of spreadsheets become apparent.

Such software should be able to address risk identification, assessment and action planning, and provide insight through audit and incident-tracking modules. Organisations will need to provide improved analysis and quantified data to support sound decision making around risk.

Need to know

So do you need to know the standard in depth? The answer is: it depends. Having worked in the operational risk area for more than 30 years in the insurance industry and directly with clients, I would most certainly advocate it for those who wish to gain a broader appreciation of where EHS risks sit in the organisation at large. An understanding of the principles will help you win hearts and minds by driving the EHS agenda in a manner that is better integrated with overall business needs. In other words, it should in time help you get a voice at the top table, at least some of the time. Equally, it may give you an understanding of the risk pressures facing other colleagues.

ISO experts are working on ISO 31004, a guide to ISO 31000 due to be published in 2014, but note that the Irish consultative committee on risk management at NSAI has already drafted Irish guidelines on the standard. (Sean Coleman, a chartered safety practitioner, is an independent health and safety consultant and an associate with LinkResQ. He can be contacted by emailing or phoning 087-2470217.)
