Definition of Risk in the ISO High Level Structure

ISO 45001:2018, 14001:2015 and 9001:2015 are based on the High Level Structure. The International Organization for Standardization (ISO) High Level Structure (HLS) is about to enter another phase of revision. The definition of “Risk” in the ISO HLS and the term “risk and opportunity” are causing confusion among drafters and users of ISO 45001.

Removing the special definition of the term risk and eliminating use of the term risk and opportunity will help standards drafters reduce ambiguity in the standard requirements and help other users better understand how to plan, implement, operate and audit ISO management systems. The following discussion is based on our extensive experience auditing, teaching and consulting for ISO 45001, 14001 and 9001.

The Definition of “Risk” and Use of the Term “Risk and Opportunity” in ISO High Level Structure

The HLS was introduced in 2012 to “harmonize” management system standards around a common structure. The common structure helps organizations integrate quality, environmental, health and safety and other management systems.


Figure 1 is the Table of Contents of the HLS as currently proposed in Draft ISO/DGuide 83 – 06/03/2020.

In this post we discuss two issues being raised during the HLS revision process.

These are:

  1. the definition of the term risk in the HLS,
  2. use of the terms risk and opportunity in the HLS.

Resolving these two issues is important to users' understanding of what ISO 45001 is designed to manage.

In a previous post, we provided an overview of proposed changes to the HLS during the minor revision stage. As the HLS revision begins to enter the major revision stage, we believe there are important issues to be addressed by ISO. We believe that ISO should carefully consider the unintended negative consequences of creating a special definition of risk and using the term risk and opportunity in future versions of the HLS.

Risk as a “defined term”.

Definition of risk

The Oxford English Dictionary (OED) is the official dictionary of ISO and defines risk as the “possibility of loss, injury, or other adverse or unwelcome circumstance”.  The Merriam-Webster definition is similar, “possibility of injury or ill health”. These definitions of risk have been in use for many decades and with great success by organizations managing Occupational Health & Safety (OH&S) performance.

In 2012 ISO introduced the term risk as a “defined term”, giving it a different definition than the OED or Merriam-Webster. The HLS definition of risk is now “the effect of uncertainty” (see Figure 2).

Figure 2 – HLS definition of risk

The new definition is designed to encourage organizations to take a broader view of both the positive and negative characteristics of risk. This approach is supported by the ISO technical committee that develops guidance standards on risk management (TC 262). ISO 31000 is the flagship standard in this series. ISO 31010 is guidance on risk assessment techniques.

Use of “on objectives” in the HLS definition of risk

TC 262 is now promoting another revision to the definition of risk that adds the words “on objectives” to the HLS definition of risk. They believe the concept of risk cannot be comprehended without reference to the term objectives in the definition of risk (Figure 3).

Figure 3 – ISO 31000 definition of risk

However, adding the words “on objectives” creates ambiguity and confuses drafters and users of ISO 45001. This is because the term objectives is already used in 45001 to refer to specific goals the organization needs to achieve to improve OH&S performance.

The objectives referred to in the ISO 31000 definition of risk are broader and include business and societal objectives. The potential unintended consequence of adding the words on objectives to the definition of risk is that users will only address risk associated with objectives and not more broadly address OH&S risk to workers and the organization.

Unintended consequences of changing the definition of risk

The addition of a special definition of risk has increased ambiguity about the meaning of the term risk. It has also had unintended consequences both for those using the HLS when developing management system standards, and for those using these standards to plan and implement OH&S management systems.

As an example, because of the way ISO has now defined risk, the developers of ISO 45001 found it necessary to add two additional notes to the definition of risk (Figure 4). The ISO 45001 definition of risk now has 6 notes (198 words) to explain the three-word definition of the term risk.

Figure 4 – ISO 45001 definition of risk

The drafters of ISO 45001 also found it necessary to create another defined term, OH&S risk (Figure 5). This new definition was added to resolve the ambiguity between the HLS definition of risk and how OH&S professionals had traditionally understood the concept of risk in the OH&S management discipline.

Figure 5 – ISO 45001 definition of OH&S risk

The intent of the new ISO special definition of risk was to shed light on the practice of risk management and encourage organizations to take a broader view of the dynamics between risk and opportunity. That objective may have been achieved, but at the cost of significant additional confusion for standards drafters and users. ISO should consider removing the special definition of risk from the HLS and returning to the Oxford English Dictionary definition of risk.

Risk and Opportunity in the High Level Structure.

The association of the word risk with the word opportunity (risk and opportunity) in HLS clause 6 has confused drafters and users of ISO 45001. There is uncertainty about whether the term risk and opportunity refers to a single concept or to two different concepts. To help explain what is meant by risk and opportunity, ISO prepared a white paper titled Risk Based Thinking in ISO 9001:2015. Although the title indicates the topic is ISO 9001 quality management systems, the examples used in the white paper are also applicable to ISO 45001.

To reduce ambiguity about the term risk and opportunity, the drafters of ISO 45001 added a new defined term, OH&S opportunity (Figure 6).

Figure 6 – ISO 45001 definition of OH&S opportunity

The ISO 45001 definition of OH&S opportunity refers to the concept of OH&S performance improvement, another defined term in ISO 45001 (Figure 7). The definition of OH&S performance in turn references another 5 defined terms in ISO 45001. Creating a separate defined term, OH&S opportunity, and then referring to 5 other defined terms to explain OH&S performance is a tortured effort to reduce ambiguity, and further evidence of the confusion the term risk and opportunity has introduced into ISO 45001.

Figure 7 – ISO 45001 definition of OH&S performance

ISO 45001 also refers to other risks and other opportunities that the organization needs to address (Figure 8). These terms are not defined in ISO 45001. This adds uncertainty about the concept of risk and opportunity in ISO 45001.

Figure 8 – ISO 45001 Other Risk and Other Opportunities

These many terms associated with the concept of risk and opportunity in Clause 6 create uncertainty about what ISO 45001 is supposed to manage. Those implementing, operating and auditing an OHSMS are confused, especially when identifying what is important to the organization’s OH&S performance. The unintended consequence of adding the term risk and opportunity is user confusion about the answers to important questions like:

  • When the HLS uses the term opportunities, is it referring to potential financial or societal gain or to a discipline-specific intended result such as a safer workplace?
  • What is the difference between the concept of risks and opportunities and the concepts of OH&S risk, OH&S opportunity and other risk and other opportunity, or are these the same thing?
  • Are the concepts of hazards and risks, traditionally the focus of OH&S management systems, now obsolete, or can they still be used when planning an OH&S management system?

Conclusion and Recommendation

The introduction of a special definition of risk and the use of the term risk and opportunity in the HLS have led to unintended and unnecessary confusion among drafters and users of ISO 45001. ISO should remove the definition of risk and the use of the term risk and opportunity from the ISO HLS during the next phase of the HLS revision.

Integrating Covid-19 Internal Audits with an ISO 45001 OHSMS

June 4, 2020

1:00 PM – 1:30 PM – Central Time

The purpose of this brief webinar is to discuss the advantages of using internal audits and corrective actions to check that an organization's Covid-19 program is effective. The webinar explores how organizations can use ISO 45001 management system tools to respond to new challenges from the Covid-19 pandemic.

As the economy reopens, organizations are being required to establish new programs and controls to minimize the spread of the virus among employees. Internal audits combined with corrective action programs help organizations establish and operate effective Covid-19 programs rapidly.

The webinar covers the following topics:

  • Identifying Covid-19 compliance obligations
  • Risk assessment methods for determining which Covid-19 risks to address
  • Establishing operational controls for Covid-19 risks to employees
  • When and how often to audit the Covid-19 program
  • How to safely conduct Covid-19 audits
  • How to effectively address Covid-19 internal audit findings through corrective action
  • Reporting the results of Covid-19 audits and corrective action to leadership

About the presenter

Kevin Lehner is a member of the US Technical Advisory Group (US-TAG) to ISO 45001. He is an expert and represents the US-TAG at international meetings. He recently traveled to Kigali, Rwanda to attend the 9th international meeting of TC 283 (interview with Martin Cottam in Kigali). Kevin is a certified lead auditor conducting ISO 45001 audits for clients including accredited ISO 45001 certification bodies.


Auditing ISO 45001:2018 – 5.4 Consultation and participation of workers

Note. I want to be clear upfront that my intention is not to discredit the contribution organized labor made to the development of ISO 45001:2018. The point I make here is that they had a significant impact on the requirements in certain sections of ISO 45001:2018. This fact may help inform users about the intent of the requirements for purposes of implementation and conformity assessment.

Clause 5.4 of ISO 45001:2018 discusses requirements for consultation and participation of workers and is the result of an interest group's desire to ensure their constituents were given certain rights to have influence over the organization's OHSMS. Organized labor got a symbolic win here for their constituents, but does this additional language add value to the standard or simply create unnecessary complexity and confusion for users of the standard?

As an auditor my approach would be to check if the workers themselves believe that their opinions about the OHSMS have been considered in its development and implementation. The best way to do this is to ask them directly. Here is a line of questioning I would use to get objective evidence of conformity to the participation and consultation requirements in 5.4 of ISO 45001:2018.

My first question would be something like “Have you heard about the OHSMS here?”. The answer to this question helps me get a sense of the organization's general awareness of the existence of an OHSMS. You might have to rephrase the question to get them to understand what you are asking.

The next questions would be something like… Can you tell me about what you do as your job here and what you do to keep yourself safe from injury or ill health? A good answer would be something like… My job is to load railcars. I need to stand on top of the railcar and inspect it after it is loaded. I need to wear this fall protection harness when I am on the railcar in case I accidentally fall off. The harness would break my fall and prevent or reduce my chances of injury.

The next question would go directly to participation and consultation and would be something like this. Did you participate in any of the planning part of the OHSMS, giving leadership your opinion of your comfort level with safely performing your job? Another good answer would be something like… Yes, our entire crew participated in a hazard identification and risk assessment meeting where we went over all the job tasks and risks. We were asked if we felt safe doing these tasks given the safety procedures and equipment that were in place. One of the areas we raised as potentially unsafe was the absence of fall protection. Based on that, our leadership has provided us with these ladders and harnesses and showed us how to use them. I feel much safer now with this enhanced risk control.

Based on the results of this interview I would have good objective evidence that the intent of 5.4 had been achieved. If most other workers interviewed had a similar tale to tell, I would feel comfortable in concluding that the organization had met the requirements of clause 5.4 of the standard.

Of course, this line of questioning could have gone in many other directions and the answers given may not have supported a finding of conformity to varying degrees. Auditors are certified and calibrated to make decisions during audits while considering all the evidence presented, much like a judge does in a legal case. Auditors who focus on too much detail, like expecting the auditee to produce evidence of each of the 21 individual requirements of 5.4, are missing the point and need to step back and look at the bigger picture.

A True Story – Why ISO 14001 Works


It has been over seven years since we first began helping a medium-sized automotive equipment manufacturer in the Midwest implement a company-wide ISO 14001 EMS. They were getting pressure from their customers to prove they were good environmental performers, and an ISO 14001 certificate was the best solution. We helped them with environmental aspects, setting up the EMS and identifying regulatory compliance requirements. As we were completing the project we performed a round of internal audits to check that each facility was complying with the applicable legal requirements.

The Audit Finding

One of the findings of our compliance audit was that at one location, the company was operating unpermitted production painting equipment. The audit team could find no records of correspondence with the State permitting authority about this new equipment. It had been commissioned sometime after an initial Title V permit application had been prepared for the facility. The paint operation was an important part of the manufacturing process and it was not possible to simply shut the process down. Doing so would have resulted in delayed shipment of product and dissatisfied customers.

The Response

Although the discovery of this potential noncompliance was uncomfortable news for the organization, at least they now had a better picture of the potential risks they were facing. They examined the process closely and decided that it was time to upgrade. They worked it out with the state permitting authority to replace the old system with a new more efficient paint system.

Fast Forward

Over the last several years we have continued to perform periodic EH&S compliance, ISO 14001, and OHSAS 18001 internal audits to support their continued certification to these standards. During a recent compliance audit at one of the facilities we were delighted to see a new process being installed. It means the company continues to grow, but from an auditor's perspective the stack ducting through the roof becomes a great opportunity to check the EMS's effectiveness in controlling noncompliance risk. As we walked by the new process I could see the auditee cracking a half smile as I asked a few questions about the new equipment and construction underway. He knew where this audit was going.

The audit was actually a combined one-day environmental and OSHA compliance audit, so we had a lot of ground to cover in 8 hours. When the audit schedule called for review of compliance with state air emission permits, I asked what they knew about the potential emissions from the new process. The auditee said “the process had the potential to emit a hazardous air pollutant at levels requiring permitting before installation of the equipment”. The auditee then produced the construction permit they had been issued by the state. The EMS had worked to help the organization identify the need to obtain a permit well in advance of beginning construction on the new process.

Results Matter

Discovery of unpermitted emission sources during internal and compliance audits is not uncommon for us even today. Helping organizations identify and manage risks of noncompliance in the short term provides some satisfaction in our work. But having the opportunity to see the results of an effective EMS that we helped implement, and how that EMS has helped manage risks long term, is particularly gratifying.

Skepticism of the benefits of ISO 14001 will continue to linger, especially among the uninformed. However, organizations interested in managing environmental risk and becoming more sustainable need to understand how the audit processes embedded in ISO 14001 can be used to support an organization's sustainability efforts, promote successful outcomes and give other stakeholders confidence that, environmentally, things are as they should be.

Disappointing News from ANAB

In late spring we met with ANAB at their headquarters in Milwaukee to kick off the process of becoming an ANAB accredited registrar. Our hope was to issue ISO 14001, OHSAS 18001 and ISO 50001 accredited certificates to businesses in the upper Midwest. To our surprise, during that meeting ANAB made it clear that consultancies are prohibited from accreditation as certification bodies. In ANAB's eyes, consultancies and anyone involved in governance of a consultancy are incapable of impartiality when performing ISO certification assessments.

We continue to believe that consultants make good auditors and vice versa. The financial audit sector (accountants) has operated successfully for many decades using this model to ensure competency of both auditors and consultants. We believe that ANAB, IAF and ISO’s conclusion that the threats to impartiality by consultancies are irreconcilable is not based in fact. We also believe that the threats of financial self-interest by ANAB accredited certification bodies are at least as potent as any threat to impartiality from a consultancy performing certification activities. This is because accredited CBs can (or should) only be allowed to generate revenue from one source, their certification activities.

We remain committed to trying to work with ANAB to find a way to offer ISO certification services in the upper Midwest, but for the time being have placed this lower on our priority list of objectives.

Here Come the Bean Counters!

Having led hundreds of sustainability performance assurance engagements over the last several decades, I admit bias but have seen first-hand evidence that organizations exaggerate and in some cases misrepresent their sustainability performance. This is especially true when the marketing departments are tasked with the job of turning an organization green.

As non-financial sustainability performance information is relied upon to make important decisions about investment and other business relationships, assurance of organizations' sustainability performance assertions will become more common. An important question is who will do this assurance work? Recognizing the opportunity, the financial accounting profession is hard at work tooling up to fill this emerging niche.

The confidence stakeholders can place in the results of an assurance engagement is directly proportional to the competence of those performing the audits. It will be interesting to see how the bean counters do at assessing environmental, health, safety and social performance as they endeavor to learn the practice in this market.

Gap Assessment and Internal Audits

If you are doing a Gap Assessment, I would start at the top of the standard and march right through it clause by clause. Use the EMS manual as a reference and make sure all elements of the standard have been addressed.

If you are planning an internal audit, I would consider using a process approach where you audit many of the clauses almost simultaneously in each department or functional area of the organization. The following is an example of a line of questioning you might consider when interviewing employees in a Maintenance Department (MD).

Auditor: What are some important environmental aspects of the maintenance department?
MD: We clean and paint equipment used in the mine so we generate solvent waste and we have air emissions from the spray paint operations.

Comment: If the aspects match those on the record required by 4.3.1 you have some evidence of conformance to 4.3.1 and 4.4.2. If you see parts cleaning operations and painting operations being performed but these have not been identified as environmental aspects you may have nonconformity to 4.3.1. If these aspects have been identified but the MD representative you interview has no idea about what an aspect is or any of the impacts from parts cleaning or painting you may have nonconformity to 4.4.2.

Auditor: How do you make sure that waste solvents are handled properly?
MD: There are some important laws we must comply with for these waste solvents and we follow our Waste Solvent work instruction.

Comment: You now have some evidence that they have identified the legal requirements 4.3.2 and have established operational controls of significant aspects 4.4.6.

Auditor: This section of the Waste Solvent work instruction says the waste solvent storage area will be inspected weekly and the results recorded on the inspection sheet. Can you show me a record of the inspection that was performed 2 weeks ago?
MD: Sure, here it is.

Comment: With this question you are looking for evidence of Operational Control 4.4.6, Monitoring and Measurement 4.5.1, Internal Audit 4.5.5 and Record 4.5.4. You could even get Corrective Action 4.5.3 if problems are found during the inspections which were corrected.

Auditor: Can you tell me about what you do if you see a fire somewhere in the facility?
MD: We have been trained in proper use of fire extinguishers, so if I think I can put the fire out I will try. No matter what, I will call the designated emergency coordinator who will follow up, and I will evacuate to my designated assembly area in the parking lot across the street.

Comment: Here is evidence of 4.4.7 and 4.4.2 and maybe 4.4.3.

The potential audit trails you can follow in a department are almost endless and each trail should be able to give you evidence for one or more clauses of the standard.

Audits and the Good news – Bad News – No News Comparison – My opinion based on 30 years of EHS audit experience.

Good news from audits is really no news for management. Good news from audits means that things are going as planned and there is no need for management intervention. System effectiveness has been confirmed through the audit process.

Bad news from audits is actually good news for management! The audit findings give management the opportunity to act (create incentive for change). Hopefully that change will correct the bad news situation discovered during the audit.

No News is Bad News. Organizations not performing audits have no means to assess the effectiveness of the management system. They are not getting information feedback about the organization's EH&S performance.

I encourage organizations to continue to audit even if they struggle to correct all the problems discovered. At some point the light bulb will turn on and the organization will recognize they have a problem with the corrective action process and hopefully figure out a fix.

The Future of ISO as a Measure of EH&S and Sustainability Performance

Over the past few years I have been watching the development of various corporate sustainability reporting initiatives such as GRI (Global Reporting Initiative) and financial industry indexes such as the Dow Jones Sustainability Indexes. Recently the Prince of Wales has weighed in on the issue with the development of an initiative to promote something called Integrated Reporting.

I have been trying to assess whether the criteria used in these newer measures of performance are on a path to eclipse the ISO standards, or if the ISO standards will become an important part of these reporting and indexing products, especially the assurance parts. I sometimes wonder if a parallel assessment process with its own set of performance criteria is coming that will make the ISO standards obsolete, and with it the certification body accreditation process of IAF and the ISO certification business.

What are your thoughts? Is ISO gaining credibility as a measure of an organization's performance, or are the common myths we hear about ISO so deeply entrenched and stakeholder confidence so eroded that the world is likely to seek other methods to assess organizations' performance rather than ISO and IAF?