Kevin has been president of ECSI for over 25 years. His practice focuses on environmental and health and safety management systems training, consulting and auditing. He is an active member of the US Technical Advisory Committees to ISO 14001 and ISO 45001. He represents that USA at international meetings of these committees. He is also the lead developer of the CorrectTrack corrective action tracking app.
The Securities and Exchange Commission (“Commission”) is proposing for public comment amendments to its rules under the Securities Act of 1933 (“Securities Act”) and Securities Exchange Act of 1934 (“Exchange Act”) that would require registrants to provide certain climate-related information in their registration statements and annual reports. The comment period closed May 22, 2022.
The proposed rules would require information about a registrant’s climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition. The required information about climate-related risks would also include disclosure of a registrant’s greenhouse gas emissions, which have become a commonly used metric to assess a registrant’s exposure to such risks. In addition, under the proposed rules, certain climate-related financial metrics would be required in a registrant’s audited financial statements.
The first 465 pages of the document are the SEC response to comments provided during the development phase of the proposed rules last year. The proposed new rules begin on page 465. There is some interesting stuff on what SEC is looking for regarding how registrants assess climate related risk (see § 229.1503 (Item 1503) Risk management starting on page 482).
Join us at the conference. We are presenting on E-Tools for OHS Risk Management. Learn about how cloud based app and relational database are emerging as essential tools for EHS Managers. We will cover how to use these tools to:
Covid made us change how we work. Virtual meetings are the new normal when connecting with others and conducting business. Our certified training courses, internal and third party audits are conducted virtually with great results. A positive is dramatic reduction in effort and resources invested in travel to and from our clients or public courses. The negatives include more difficulty in performing audits on specific processes. Hand held devices do not show what is happening on the manufacturing floor well. They are also prone to loosing connection due to poor WiFi in some areas of the facility.
Contact us to learn more about how we are adapting and what we can do to help your organizations as it adapts to the new normal of Covid 19.
ISO 45001:2018, 14001:2015 and 9001:2015 are based on the High Level Structure. The International Organizations for Standardization (ISO) High Level Structure (HLS) is about to enter another phase of revision of the HLS. The definition of “Risk” in the ISO HLS and the term “risk and opportunity” is causing confusion with drafters and users of ISO 45001.
Removing the special definition of term risk and eliminating use of the term risk and opportunity will help standards drafters reduce ambiguity in the standard requirements and help other users better understand how to plan. implement, operate and audits ISO management systems.. The following discussion is based on our extensive experience auditing, teaching and consulting for ISO 45001, 14001 and 9001.
The Definition of “Risk” and Use of the Term “Risk and Opportunity” in ISO High Level Structure
The HLS was introduced in 2012 to “harmonize” management system standards around a common structure. The common structure helps organizations integrate quality, environmental, health and safety and other management systems.
Figure 1 is the Table of Contents of the HLS as currently proposed in Draft ISO/DGuide 83 – 06/03/2020.
In this post we discuss two issues being raised during the HLS revision process.
the definition of the term risk in the HLS,
use of the terms risk and opportunity in the HLS.
Resolving these two issues is important to users understanding of what ISO 45001 is designed to manage.
In a previous post, we provided an overview of proposed changes to the HLS duirng the minor revision stage, As the HLS revision begins to enter the major revision stage we believe there are important issues to be addressed by ISO. We believe that ISO should carefully consider the unintended negative consequences of creating a special definition of risk and using the term risk and opportunity in future versions of the HLS.
Risk as a “defined term”.
Definition of risk
The Oxford English Dictionary (OED) is the official dictionary of ISO and defines risk as the “possibility of loss, injury, or other adverse or unwelcome circumstance”. The Merriam-Webster definition is similar, “possibility of injury or ill health”. These definitions of risk have been in use for many decades and with great success by organizations managing Occupational Health & Safety (OH&S) performance.
In 2012 ISO introduced the term risk as a “defined term” giving it a different definition than OED or Merriam -Websters. The HLS definition of risk is now “the effect of uncertainty” (see Figure 2).
The new definition is designed to encourage organizations to take a broader view of both the positive and negative characteristics of risk. This approach is supported by the ISO technical committee that develops guidance standards on risk management (TC 262). ISO 31000 is the flagship standard in this series. ISO 31010 is guidance on risk assessment techniques.
Use of “on objectives” in the HLS definition of risk
TC 262 isnow promoting another revision to the definition of risk that adds the words “on objectives” to the HLS definition of risk They believe the concept of risk cannot be comprehended without reference to the term objectives in the definition of risk (Figure 3).
However, adding the words “on objectives” creates ambiguity and confuse drafters and users of ISO 45001. This is because the term objectives is already used in 45001 referring to specific goals the organization needs to achieve to improve OH&S performance.
The objectives refereed to in the ISO 31000 definition of risk are more broad and include business and societal objectives. The potential unintended consequence of adding the words on objectives to the definition of risk is users will only address risk associated with objectives and not more broadly address OH&S risk to workers and the organization..
Unintended consequences of changing the definition of risk
The addition of a special definition of risk has increased ambiguity about the meaning of the term risk. It has also had unintended consequences for both those using the HLS when developing management system standards, and those using these standard to plan and implement OH&S management systems..
As an example, because of the way ISO has now defined risk, the developers of ISO 45001 found it necessary to add two additional notes to the definition of risk (Figure 4). The ISO 45001 definition of risk now has 6 notes (198 words) to explain the three word definition of term risk.
The drafters of ISO 45001 also found it necessary to create another defined term OH&S risk (Figure 5). This new definition was added to clarify ambiguity caused by the HLS definition of risk and how OH&S professionals had traditionally understood the concept of risk in the OH&S management discipline.
The intent of the new ISO special definition of risk was to shed light on the practice of risk management and encourage organizations to take a broader view of the dynamics between risk and opportunity. That objective may have been achieved but with significant additional confusion by standards drafters and users. ISO should consider removing the special definition of risk from the HLS and return to use of the Oxford English Dictionary of risk.
Risk and Opportunity in the High Level Structure.
The association of the word risk with the word opportunity (risk and opportunity) in HLS clause 6 has confused drafters and users of ISO 45001. There is uncertainty if the term risk and opportunity refers to a single concept or two different concepts. To help explain what is meant by risk and opportunity ISO prepared a white paper titled Risk Based Thinking in ISO 9001:2015. Although the title indicates the topic is ISO 9001 Quality Management systems, the examples used in the white paper are also applicable to an ISO 45001.
To clarify ambiguity about the term risk and opportunity, drafters of ISO 45001 added a new defined term OH&S opportunity (Figure 6).
The ISO 45001 definition of OH&S opportunity refers the concept of OH&S performance improvement, another defined term in ISO 45001 (Figure 7) . The definition of OH&S performance references another 5 defined terms in ISO 45001. The need to create a separate defined term of OH&S opportunity and then refer to 5 other defined terms to explain the OH&S performance, This tortured effort to reduce ambiguity is further evidence of the confusion the term risk and opportunity has introduced to ISO 45001.
ISO 45001 also refers to other risks and other opportunities that the organizations needs to address (Figure 8). These terms are not defined in ISO 45001. This adds uncertainty about the concept of risk and opportunity in ISO 45001.
Figure 8 – ISO 45001 Other Risk and Other Opportunities
These many terms associated with the concept of risk and opportunity in Clause 6 creates uncertainty about what ISO 45001 is supposed to manage. Those implementing, operating and auditing an OHSMS are confused, especially when identifying what is important to the organization’s OH&S performance. The unintended consequence of adding the term risk and opportunity is user confusion about answers to important questions like:
When the HLS uses the term opportunities is it referring to potential financial or societal gain or to a discipline specific intended result such as a safer workplace?
What is the difference between the concept of risks and opportunities and the concept of OH&S risk, OH&S opportunity and other risk and other opportunity or are these the same thing?
Are the concepts of hazards and risks being tre focus of OH&S management systems now obsolete, or can it still be used when planning an OH&S management system?
Conclusion and Recommendation
The introduction of a special definition of risk and the use of the term risk and opportunity in the HLS has led to unintended and unnecessary confusion by drafters and users of ISO 45001. ISO should remove the definition of risk and use of the term risk and opportunity from the ISO HLS. during the next phase of the HLS revision.
Here is a webinar we lead for ASSP on Covid-19 recently. The webinar discusses how organizations can use occupational health and safety management system audits and the corrective action process to respond to Covid-19 challenges.
Leadership commitment to a management system is critical to its performance. Encouraging support is sometimes challenging. The management review process required by ISO management system standards can help gain leadership commitment.
Do’s and Don’ts
Coordinate management review with management other business review meetings. Conducting “management review” during regular business review meetings gives the sense that the management systems is part of the overall business. Management reviews conducted infrequently and apart from the other important business management meetings leads to a silo-ed perception of the management system.
Make management review value added. Ensure the information being presents is actionable by leadership. Give them a few choices for recommendations with supporting information and ask them to decide. They will appreciate your opinion and recommendations to help make decisions.
Do the Math and Have Backup.
Defend your recommendations for improvement with cost and return on investment information. Showing leadership how the management system helps save and even makes money, contributes to their support and commitment.
Take Good Notes
Recording leadership decisions during the management review helps ensures follow-up. Records of management review are also evidence of their leadership commitment, especially during audits.
Timely Management Review Follow-up
Follow-up on management review recommendations in a timely fashion and report on progress at the next management review opportunity. This will enhance leaderships perception of the management system, their support and commitment.
Management Review Frequency
Most organizations perform periodic reviews of the business performance to make sure things are going along smoothly and to make any course corrections needed. Integrating the ISO system management review with these regular business review meetings will help ensure that:
Management system performance issues are addressed in a timely fashion
The management system is integrated with all other business processes
Timely information is provided to leadership to help make important business decisions
Management Review Inputs
Management review meetings should not necessarily address all management review inputs during each meeting. Management review inputs that should be reviewed at every management review include:
Follow-up from previous management reviews
Status of actions from previous management reviews;
Status of corrective actions and incident investigation
Progress toward achieving objectives.
Management review inputs to be reviewed less frequently and as needed such as
Customer Complaints and interested party concerns
Changes including new compliance obligations
Adequacy of resources
changes in risks and how they are being addressed
Management Review Outputs
The purpose of management review is to ensure the management system is able to achieve it intended outcomes. The outputs of management review are an important part of the Act part of the Plan-Do-Check-Act continual improvement cycle. It is where leadership has the opportunity to review the information generated in the “Check part of the PDCA cycle and intervene (Act) and continually improve the management system
Records of management review are the notes of the meeting (output notes). They are required by all ISO management system standards. Outputs are what leaderships asks the organization to do to improve performance. These records are also excellent evidence of leadership commitment during third party audits.
The goal of management review is to provide information to leadership that it can act on. Planning and conducting good management reviews will enhance leaderships opinion and support of the management system.
The ISO High-Level Structure (HLS) is the basis for all management system standards and is now being revised by ISO. These changes will affect all management system standards. Users of ISO management system standards such as ISO 14001, 9001 and 45001 will need to evaluate how these changes will affect the organizations ISO management systems.
Introduced in 2012, the HLS was created to help better integrate quality, environmental and health and safety management systems. Prior to its introduction ISO 9001 had a different structure that ISO 14001 that complicated integration of the management core processes such as corrective action and management review. The HLS solved that problem. The revision introduced a new name for the HLS and it is now called Annex L, Appendix 2.
The revision will also introduce guidance on use of the HLS for standard writers and users. This guidance is called Annex L, Appendix 3. Both Annex L, Appendix 2 and 3 will be combined as a table.
Appendix 2 is in the final stages of an initial “limited” revision and not yet available to the public. Appendix 3 is in mid-stage revision and should be approaching the final stage later this year.
Here are a few of the most important changes to Annex L, Appendix 2 from the “limited” revision:
Definition of Risk
A lengthy debate is ongoing within ISO about if a revision to the definition of “Risk” is needed. “Risk” is currently defined in the HLS as “the effect of uncertainty”. Some within ISO argue that a better definition is “the effect of uncertainty on objectives“.
Others fear that the addition of the words “on objectives” to the definition of risk will cause confusion in standards like ISO 9001, 14001 and 45001. They believe this because these standard have a specific requirement to create measurable “objectives” within the management system.
The debate over the definition of risk has lead to several proposals including eliminating the definition of risk entirely from the HLS. A subgroup has been assigned the task of sorting this difficult issue and the results will be reflected in a future revision of the HLS. For now however the definition of “risk” will remain as it is in the HLS.
Expected Outcomes Vs Results
The previous version of the HLS used the term “expected outcomes” to describe the results organizations should expect from its ISO management system. Some users found the term “expected outcomes” confusing so it has been changed to “expected results”. The change was also made to simplify translation to other languages.
The old HLS used the term “outsourced processes”. Manufacturers sometimes send their products to other organizations who perform specialized processes like heat treating or electroplating. This relationship between organizations was called “outsourcing” in the previous version of the HLS. The concept of “outsourced processes” however does not apply as well to other disciplines such as environmental management or health and safety management systems.
The term “external provider” is now being used in place of outsourced process. This change has been made in response to several comments that found the term “outsource” unclear. The use of external provider clarifies that outsourced, contracted, and purchased products, services and processes all need to be controlled by the management system.
The use of the terms “maintain” and “retain” to describe what needs to be done with certain types of documents in the management system has been replaced with the term “shall be available”. This change has been made to avoid confusion between maintaining and retaining documented information. This change is not expected to impact organizations with mature document control process and management systems.
This part of the HLS has been substantially reorganized. The title of 9.2.1 was changed to General and 9.2.2 Internal Audit Program has been added. This change has been made for ease in understanding. Now the two distinct concepts covered in the paragraph (what an audit program entails and what should be considered when establishing an audit program) are listed separately.
Effects of the Annex L, Appendix 2 and 3 Revisions (Whats Next?)
The revision of Annex L is not expected to have a significant immediate effect on ISO standards or ISO management system audits. The revisions will not requires revision of any of the ISO management system standards until these standard are revised and updated as required by ISO. However, organizations in the process of implementing an ISO management system or integrating a new discipline specific standard such as ISO 45001 into an existing management system structure, should anticipate that these changes will appear in future revisions of ISO management system standards.
A long-time professional college “The Honorable Scott Weyburn”, recently posted an interesting question focusing on benefits of ISO 9001 registration. I posted a response that prompted Scott to ask for more so here it is. Here is a link to Scott’s post which you might want to read first.
Understanding the Problem
The cause of the problem is easy to understand but difficult to correct. In my three decades performing nonfinancial audits for CBs if have found the CB customers primary interest is in sending a signal of sustainability to customers and other interested parties. Improving sustainability performance is subordinate to that perceived imperative. As a result, the organization focuses on passing the audit, not on having an effective management system. Investment is in readying for the audit not on the resources of an effective system. This is partially due to naivety and a lack of readiness in leadership in the organizations.
It is also due to financial tension within the organization. Investing in audit readiness only cost less than skillful implementation of an effective management system. Leadership calculates “If all I want is certification for messaging and developing a MS with that goal is cheaper than an effective system, why would I invest in an effective system?”. Leaderships misunderstanding is almost excusable considering the misrepresentation bombardment from CB’s and AB’s that their certifications and accreditation’s are evidence of system effectiveness.
Audit Services as Commodities
Another reason the certification process is failing is organizations seeking certification services perceive them as a commodity to be purchased from the lowest bidder. They do not understand certification audits are a professional service where auditor and CB competence are critical to obtaining a return on their certification investment.
To be competitive CB’s in the past would reduce the number of audits days and thereby reduce the cost of their service over their competitors. IAF implemented MD-5 to try to control this audit day downward trend. MD-5 is a complex system for determining audit days that was of some help early on. However, as time went on CBs recognized that the only way to be competitive was to reduce the day rates for auditors. Subsequently there has been a continuing downward spiral in compensation of qualified auditors, especially for contract auditors with no employment benefits.
Many experienced auditors like myself have subsequently reduced the number of audits we perform for accredited CBs doing only enough to remain competent for purposes of certification. The CBs now rely on inexperienced, inexpensive, and often incompetent auditors to perform audits on their behalf.
ABs Playing a Role
The ABs have also found themselves in a difficult financial conundrum. There has been much consolidation in the CB business reducing the ABs revenue streams. They recognize the threat to their clients, that major findings of auditor incompetence would bring, and are reluctant to issue meaningful nonconformities that compel change. The incentives created by the ABs for CBs to improve their performance are more prescriptive and lead to “lipstick on a pig” corrective actions that exacerbate the problem.
These are tough problems to solve that cannot be wrestled to the ground overnight. The financial assurance industry addressed similar problems with Sarbanes–Oxley Act of 2002 as well as in the Accounting Standards Codification issued by the Financial Accounting Standards Board (FASB). The best chance of fixing the underlying problems with assurance in the non-financial sector is to enact similar legislation which is unlikely to happen in the foreseeable future.
The Exemplar Global certified ISO 14001:2015 EMS lead auditor courses are presented over a two week period 4 hours per day Monday thru Thursday. In the first week students take the ISO 14001:2015 Environmental Management System content (EM) . The EM content is delivered from 8:00am to 12:00pm each day of class.
The first two days of the second week of the class is the Auditor content (AU). The second two days of the second week is the Team Leaders content (TL). A test is administered after each course module.
ISO 14001 – EM
July 6-9, 2020 August 3-6, 2020
Auditor – AU
July 13-14, 2020 August 10-11, 2020
9:00am – 1:00pm
Team Leader – TL
July 15-16 2020 August 12-13, 2020
9:00am – 1:00pm
Exemplar Global Certified Course Schedule
Certified by Exemplar Global
Understand environmental terms and definitions
View the ISO 14001:2015 requirements from an auditor’s perspective
Plan, manage, and schedule an audit program
Identify, understand, and manage environmental aspects and impacts
Understand the requirements of ISO 14001:2015 to be able to conduct a successful audit. The course includes hands-on workshops to prepare you for real-life auditing situations. You’ll learn to manage the audit process and complete reporting..
This is a four-day, instructor-led classroom course. There are written tests on each of the competency units on days 2, 3, and 4. Days 1 and 2 will cover ISO 14001:2015 along with a corresponding competency exam. Day 3 will cover management systems auditing (AU) along with a corresponding competency exam. Day 4 will cover leading management systems audit teams (TL) along with a corresponding competency exam.
Who Should Attend
Those responsible for planning and scheduling an internal audit program for ISO 14001:2015 and those who must perform audits to ISO 14001:2015, environmental, suppliers, managers, or anyone interested in conducting first-party, second-party, or third-party audits.
All attendees are required to bring their own copy of the ISO 14001:2015 Environmental Management Systems – Requirements. Copies will not be provided for you.
Describe the ISO 14001 Environmental Management System (EMS)-Requirements standard and development process
Describe the intent and requirements of ISO 14001:2015
Determine the evidence needed to demonstrate conformity to ISO 14001:2015
Apply the process approach and Plan-Do-Check-Act (PDCA) methodology
Identify aspects and impacts
Apply the principles, processes, and methods of auditing
Demonstrate the activities involved in preparing for an audit
Determine an effective audit in the context of the auditee’s organizational situation
Apply effective audit skills and practice personal behaviors necessary for an effective and efficient conduct of a management system audit
Establish and plan the activities of an audit team
Manage the audit process
Prepare the audit report and perform an audit follow-up
The purpose of this brief webinar is to discuss the advantages of using internal audits and corrective actions to check that an organizations Covid-19 program is effective. The webinar explores how organizations can use ISO 45001 management system tools to respond to new challenges from the Covid -19 pandemic.
As the economy reopens organizations are being required to establish new programs and controls to minimize the spread of the virus among employees. Internal audits combined with corrective action programs help organizations establish and operate effective Covid-19 programs rapidly.
The webinar covers the following topics:
Identifying Covid-19 compliance obligations
Risk assessment methods for determining which Covid-19 Risk to addressed
Establish operational controls for Covid-19 risks to employees
When and how often to audit the Covid-19 program
How to safely conduct Covid-19 audits
How to effectively address Covid-19 internal audit findings through corrective action.
Report the results of Covid-19 audits and corrective action to leadership
Kevin Lehner is a member of the US Technical Advisory Group (US-TAG) to ISO 45001: He is an expert and represents the US-TAG at international meetings. He recently traveled to Kigali, Rwanda to attend the 9th international meeting of TC 283 (interview with Martin Cottam in Kigali). Kevin is a certified lead auditor conducting ISO 45001 audits for clients including accredited ISO 45001 certification bodies.