One of the key changes to the revised ISO 9001 and ISO 14001 standards and the migration of OHSAS 18001 to ISO 45001 is the increased priority given to risk-based thinking across all areas of an organisation.
The changes to these standards require a proactive approach by management, and particularly top management, to identify and manage the risks associated with the operations of the organisation.
If you are not already aware, the ISO 9001 and ISO 14001 revisions are complete and all audits are now carried out to the revised standards; old certification issued prior to September 2018 is now invalid. OHSAS 18001 is currently being migrated to ISO 45001 over a period of 3 years. The final date for migration to ISO 45001 is 12th March 2021.
Risk is inherent in every organisation; whether you are a business or institution, profit or non-profit, every decision made and operation undertaken involves an element of risk.
Risks to an organisation may include:
- Risks to employees and customers from health and safety issues.
- Risks from disasters such as fire and flooding.
- Environmental risks from business operations.
- Risks associated with industry regulations.
- Security risks to physical premises and to IT infrastructure, including those from cybercrime.
- Risks to the financial security of the organisation.
Risk management planning
Preparing a risk management plan will help you to achieve certification to the above standards. It will also provide the organisation with a framework to identify risk, assess the frequency and impact of the risk and work out a process to manage the risk.
Time and resources need to be allocated to the process by top management and implemented throughout the organisation. An effective plan will increase profitability, reduce costly incidents and create a safer environment for your employees.
Your plan may include:
- A list of risks that could affect all areas of the organisation.
- An analysis of each risk, ranking its likelihood and level of effect.
- How you will manage the risk.
- Implementation of ongoing monitoring and reviewing.
Depending on your organisation, a good way to start might be by setting up a risk matrix to rank the risks you have identified.
Ranking the impact of each risk on the organisation on a scale from “negligible” to “critical”, for example, and including an estimate of the financial loss and the disruption it would cause, will give you the information you need to manage and minimise the risks going forward.
The above could provide the framework that your ISO auditor will be looking for when they audit your organisation for certification to the revised standards.
If you need help with your risk management planning, please visit http://a-ec.co/contact/