Definition of Risk in the ISO High Level Structure

ISO 45001:2018, 14001:2015 and 9001:2015 are based on the High Level Structure. The International Organization for Standardization (ISO) High Level Structure (HLS) is about to enter another phase of revision. The definition of “Risk” in the ISO HLS and the term “risk and opportunity” are causing confusion among drafters and users of ISO 45001.

Removing the special definition of the term risk and eliminating use of the term risk and opportunity will help standards drafters reduce ambiguity in the standard requirements and help other users better understand how to plan, implement, operate and audit ISO management systems. The following discussion is based on our extensive experience auditing, teaching and consulting for ISO 45001, 14001 and 9001.

The Definition of “Risk” and Use of the Term “Risk and Opportunity” in ISO High Level Structure

The HLS was introduced in 2012 to “harmonize” management system standards around a common structure. The common structure helps organizations integrate quality, environmental, health and safety and other management systems.

ISO HLS TOC

Figure 1 is the Table of Contents of the HLS as currently proposed in Draft ISO/DGuide 83 – 06/03/2020.

In this post we discuss two issues being raised during the HLS revision process.

These are:

  1. the definition of the term risk in the HLS,
  2. use of the terms risk and opportunity in the HLS.

Resolving these two issues is important to users' understanding of what ISO 45001 is designed to manage.

In a previous post, we provided an overview of proposed changes to the HLS during the minor revision stage. As the HLS revision begins to enter the major revision stage, we believe there are important issues to be addressed by ISO. We believe that ISO should carefully consider the unintended negative consequences of creating a special definition of risk and using the term risk and opportunity in future versions of the HLS.

Risk as a “defined term”.

Definition of risk

The Oxford English Dictionary (OED) is the official dictionary of ISO and defines risk as the “possibility of loss, injury, or other adverse or unwelcome circumstance”. The Merriam-Webster definition is similar, “possibility of injury or ill health”. These definitions of risk have been in use for many decades and with great success by organizations managing Occupational Health & Safety (OH&S) performance.

In 2012 ISO introduced the term risk as a “defined term”, giving it a different definition than OED or Merriam-Webster. The HLS definition of risk is now “the effect of uncertainty” (see Figure 2).

Definition of Risk

The new definition is designed to encourage organizations to take a broader view of both the positive and negative characteristics of risk. This approach is supported by the ISO technical committee that develops guidance standards on risk management (TC 262). ISO 31000 is the flagship standard in this series. ISO 31010 is guidance on risk assessment techniques.

Use of “on objectives” in the HLS definition of risk

TC 262 is now promoting another revision to the definition of risk that adds the words “on objectives” to the HLS definition of risk. They believe the concept of risk cannot be comprehended without reference to the term objectives in the definition of risk (Figure 3).

31001 definition of risk

However, adding the words “on objectives” creates ambiguity and confuses drafters and users of ISO 45001. This is because the term objectives is already used in 45001 to refer to specific goals the organization needs to achieve to improve OH&S performance.

The objectives referred to in the ISO 31000 definition of risk are broader and include business and societal objectives. The potential unintended consequence of adding the words “on objectives” to the definition of risk is that users will only address risk associated with objectives and not more broadly address OH&S risk to workers and the organization.

Unintended consequences of changing the definition of risk

The addition of a special definition of risk has increased ambiguity about the meaning of the term risk. It has also had unintended consequences for both those using the HLS when developing management system standards, and those using these standards to plan and implement OH&S management systems.

As an example, because of the way ISO has now defined risk, the developers of ISO 45001 found it necessary to add two additional notes to the definition of risk (Figure 4). The ISO 45001 definition of risk now has 6 notes (198 words) to explain the three-word definition of the term risk.

ISO 45001 Definition of risk

The drafters of ISO 45001 also found it necessary to create another defined term, OH&S risk (Figure 5). This new definition was added to clarify ambiguity caused by the HLS definition of risk and how OH&S professionals had traditionally understood the concept of risk in the OH&S management discipline.

Definition of OH&S Risk

The intent of the new ISO special definition of risk was to shed light on the practice of risk management and encourage organizations to take a broader view of the dynamics between risk and opportunity. That objective may have been achieved, but with significant additional confusion among standards drafters and users. ISO should consider removing the special definition of risk from the HLS and returning to use of the Oxford English Dictionary definition of risk.

Risk and Opportunity in the High Level Structure.

The association of the word risk with the word opportunity (risk and opportunity) in HLS clause 6 has confused drafters and users of ISO 45001. There is uncertainty whether the term risk and opportunity refers to a single concept or two different concepts. To help explain what is meant by risk and opportunity, ISO prepared a white paper titled Risk Based Thinking in ISO 9001:2015. Although the title indicates the topic is ISO 9001 Quality Management systems, the examples used in the white paper are also applicable to ISO 45001.

To clarify ambiguity about the term risk and opportunity, drafters of ISO 45001 added a new defined term, OH&S opportunity (Figure 6).

Definition of OH&S Opportunity

The ISO 45001 definition of OH&S opportunity refers to the concept of OH&S performance improvement, another defined term in ISO 45001 (Figure 7). The definition of OH&S performance references another 5 defined terms in ISO 45001. The need to create a separate defined term for OH&S opportunity, and then refer to 5 other defined terms to explain OH&S performance, is a tortured effort to reduce ambiguity and further evidence of the confusion the term risk and opportunity has introduced to ISO 45001.

Definition of OH&S Performance

ISO 45001 also refers to other risks and other opportunities that the organization needs to address (Figure 8). These terms are not defined in ISO 45001. This adds uncertainty about the concept of risk and opportunity in ISO 45001.

Figure 8 – ISO 45001 Other Risk and Other Opportunities

These many terms associated with the concept of risk and opportunity in Clause 6 create uncertainty about what ISO 45001 is supposed to manage. Those implementing, operating and auditing an OHSMS are confused, especially when identifying what is important to the organization’s OH&S performance. The unintended consequence of adding the term risk and opportunity is user confusion about answers to important questions like:

  • When the HLS uses the term opportunities, is it referring to potential financial or societal gain or to a discipline-specific intended result such as a safer workplace?
  • What is the difference between the concept of risks and opportunities and the concept of OH&S risk, OH&S opportunity and other risk and other opportunity, or are these the same thing?
  • Are the concepts of hazards and risks being the focus of OH&S management systems now obsolete, or can they still be used when planning an OH&S management system?

Conclusion and Recommendation

The introduction of a special definition of risk and the use of the term risk and opportunity in the HLS have led to unintended and unnecessary confusion among drafters and users of ISO 45001. ISO should remove the definition of risk and use of the term risk and opportunity from the ISO HLS during the next phase of the HLS revision.

This entry was posted in Audits by Kevin Lehner.

About Kevin Lehner

Kevin has been president of ECSI for over 25 years. His practice focuses on environmental and health and safety management systems training, consulting and auditing. He is an active member of the US Technical Advisory Committees to ISO 14001 and ISO 45001. He represents the USA at international meetings of these committees. He is also the lead developer of the CorrectTrack corrective action tracking app.