Making Sense of “Risks and Opportunities”

14 June 2019
It has been made quite clear that ISO 14001:2015 does not require a formal risk assessment process. It is up to you as an organization to decide what risk assessment methods are appropriate to you and your business.

One of the requirements in the revised standard is that the organization determines the risks and opportunities that it must address in order to:

  • give assurance that the environmental management system can achieve its intended outcomes
  • achieve continual improvement.

To put it more simply, and in less ‘procedure style’ language:

The 2015 standard has an expected outcome which is the continual improvement of an organization’s environmental performance. In order to achieve this, that organization needs to work out what is going to help it achieve this aim and what is going to get in the way. The positives become opportunities that need to be enhanced if possible and the negatives become risks that need to be removed or at least mitigated.

The key thing to remember about this new requirement is that not every risk and opportunity an organization faces is required to be included in this risk determination and analysis. Also remember that if ISO 14001 is implemented as a stand-alone system, then we are simply talking about environmental risk and not the wider business risk.

For example, the risk associated with oil storage and the potential for a spill to go down the drain is an environmental risk, whereas issues or risks around data protection are clearly not.

It must be remembered that this risk process is also subjective – it is meant to be. It must be based on the opinions, interpretations, and judgment of those within the organization. It does not have to be an objective determination based on numbers, calculations, or complex spreadsheets. Of course, if you would rather do it that way, then that is entirely your choice.

However, those involved in the drafting of the standard have been quite clear in stating that ISO 14001:2015 does not require a formal risk assessment process. It is up to you as an organization to decide what risk assessment approaches are appropriate to you and your business.

You can choose whatever assessment methods, approaches, or criteria you want. You can use a qualitative approach or a quantitative approach. You can use a single approach or a combination of approaches. You can create a single master risk matrix or use a combined risk register.

These risk assessment processes can be a component of your other EMS processes, they can be part of other business processes, or they can be set up as a separate process. Your choice – you decide.

As an assessment body we get to see many varying approaches – some better than others; however, they are all appropriate to the organization concerned and work for them. We judge the success of an approach by the results it gives.

In other words, is what we expect to see as the key risks and opportunities actually what has been delivered? I would ask you to use that same approach – sense check it. Does it look and feel right?

The standard does not decree a level of documentation; it requires simply that:

“The process, or processes, used must be documented to the extent necessary to have confidence they are carried out as planned.”

Once the risk assessment is complete, you must record the results. In the words of the standard, you must:

“Maintain documented information of the risks and opportunities that need to be addressed.”

Most importantly, you do NOT have to maintain documentation of all risks and opportunities, only those that need to be addressed.

Don’t let anyone say that you have to – this is an impossibility. Since risks and opportunities are by definition in the future, and the future is not certain, no one can know all potential risks and opportunities.

Therefore, to summarize:

The standard only requires that the organization document those risks and opportunities that it has determined need to be addressed within its EMS, using whatever risk assessment processes it has established. In other words, we would expect to see some kind of list prepared.

How to Identify and Evaluate Risks and Opportunities

So what does the process look like?

Once the priority or material risks and opportunities – i.e. those that need to be addressed – have been identified, you then need to plan at a high level how to address them and focus on making the changes needed.

Action can be taken in a variety of ways. It may include establishing environmental objectives, or it may be incorporated into other EMS processes, either individually or in combination, for example operational control procedures. Some actions may be addressed through other management systems, such as those related to occupational health and safety or business continuity, or through other business processes, such as supplier evaluation, competency, or training processes. As a result, the organization is likely to see the EMS filter into other areas of the business which were previously excluded.

With the scope for identifying environmental risks and opportunities widening to now cover the effects on the organization and its management systems, ISO 14001 brings with it the potential to add extra value to your business. Taking the premise outlined here, companies can effectively and efficiently identify opportunities and mitigate risks to make more informed decisions in the environmental area, help the wider organization reap the benefits, and ultimately reduce their impact on the environment.