Happy New Year! I wish you a fulfilling, successful, happy and healthy 2018!
Today, I will talk about “Risk and Opportunities” per ISO 14001:2015. This concept seems to be quite confusing for numerous organizations. As you know, the new ISO 14001 is a process-based Standard with a more strongly emphasized preventive nature. Within Section 4, “Context of the Organization”, companies are required to identify their intended outcomes, internal and external issues, interested parties along with their needs and expectations, and the scope of their environmental management system (EMS).
Let’s talk about the intent of Section 4 a little bit:
Regarding intended outcomes: think about it as a project that you are trying to accomplish. You establish the project goal first, and identify why you’re doing this project to begin with, right? That’s pretty much the same thing. You just need to establish what you’re trying to accomplish by implementing an EMS.
Regarding issues: when you think about the “issues”, don’t just think of environmental incidents like spills, etc. Issues could be environmental, financial, social, political, cultural, international, competition related, internal, external, etc. Issues can either positively or negatively impact your EMS.
Regarding interested parties: there is a wide range of interested parties for an organization, like customers, employees, neighbors, corporate, regulatory agencies, insurance companies, etc. In addition to identifying who these interested parties are, you should also identify their needs and expectations from your organization. For example, if you have an air permit with Florida Department of Environmental Protection, and they require you to submit annual air emissions, their needs and expectations would be just that. Another example is that if your Corporate Environmental Department requires the submission of quarterly environmental metrics like waste generation, energy consumption, etc., your corporate would be an interested party.
Please remember to refer to ISO 14001:2015 definitions for additional information.
Within Section 6, “Planning”, companies are required to document the risks and opportunities that they will be addressing. You can identify your risks and opportunities while you’re identifying the context of your organization, at a minimum, the ones that would be related to your facility’s internal and external issues.
Risks and Opportunities can arise from:
- Internal or External Issues
- Significant Environmental Impacts
- Compliance Obligations or
- Other Company related Circumstances
My suggestion is to list and document all risks and opportunities identified in addition to the ones that will be addressed. That way, everything is out in the clear, and when you go back one year down the road to revisit this concept, you’ll know which ones were discussed previously, their feasibility, etc. See the attached documents for a sample form to identify your context and risks and opportunities: Context
One quick note: Please do not mix up the “risks” mentioned here with the occupational health and safety risks. For the purpose of ISO 14001:2015, the risks are related to the environmental management system, anything that can affect the EMS in regards to achieving its intended outcomes, whatever that may be based on the investigation conducted by your organization.
Today’s interview is with Mr. Jim O’Connor. Jim is a third party lead auditor who is internationally accredited by Exemplar Global on EMS, QMS and OHSAS with 16 years of experience in the field. Mr. O’Connor has been the owner of Anlo Management Systems since 2011. He can be contacted at: firstname.lastname@example.org
Mel DeGregorio (MD): Jim, could you please briefly describe the risks and opportunities per ISO 14001:2015. What’s the intent behind it?
Jim O’Connor (JO): The intent of this requirement is to identify the potential risks associated with the EMS. The standard requires the organization to identify risks associated with their environmental aspects, compliance obligations and the requirements of their interested parties. When each risk is identified, the organization needs to apply suitable action plans to achieve the desired outcomes of these requirements.
MD: In your experience, what are the most common nonconformities you see on the Risks and Opportunities and Context of the Organization section of ISO 14001:2015?
JO: With this requirement being new, there is no set method for identifying and establishing controls; therefore, the documentation of this requirement may be very broad. In the limited number of upgrade audits that I have performed, I’ve found that most organizations have addressed the risks associated with compliance obligations and aspects; however, the interested parties have been neglected. This may be because of the lack of understanding of the requirement for determining the organization’s context, which includes identifying the interested parties. This is the most crucial part of this exercise. Without identifying the interested parties, it is difficult to fulfill the other requirements of the ISO 14001 Standard.
MD: What are the most common risks and opportunities you observed during your audits?
JO: The most common risks that I’ve encountered are the ones that are related to the organization’s compliance obligations and its significant aspects. Action plans for these risks are not anything new as the 14001:2004 Standard had already required implemented controls related to these.
Interested parties that are commonly observed for external parties include contractors, corporate requirements, shareholders, financial institutions, insurance companies, etc. Some organizations have been weak in identifying internal interested parties such as employees, training needs, and requirements that may stem from their business plan or strategic direction. I observed that this component of the risk assessment has been weak, and sometimes led to nonconformance.
MD: What are the most frequently asked questions about risks and opportunities?
JO: The most frequently asked questions that I get asked are:
- What does the context of the organization mean? and
- How do I identify and apply a risk assessment?
Since I’m not allowed to answer those questions for the clients where I conduct third party registrar audits due to conflict of interest purposes, I always try to lead them in a certain direction in regards to using their old preventive action method for identifying potential failures and applying controls.
(MD: Please see above regarding the context of the organization. A comprehensive risk assessment is not required. You can do it if you like but you don’t have to. Look into your significant environmental aspects, compliance obligations, internal and external issues, the needs and expectations of your organization’s interested parties and other circumstances that may potentially prevent your EMS from achieving its intended results or impact your EMS. The results of this investigation would give you your risks and opportunities. Also, please remember to check out the sample document I included above [Context].)
MD: Any best practices you would like to share about risks and opportunities?
JO: As far as best practices go, I will sometimes tell the organization to put the language of the standard aside and ask themselves: “What could go wrong here or what could create a significant environmental impact (potentially a risk)?”
After you answer that, then ask: “What can we do about it now to prevent that risk from becoming a reality?”
Sometimes, the organization tends to overthink the Standard. A best practice that I have seen was a simple one page document where:
- First column included: interested parties, compliance obligations and significant aspects
- Second column included: the needs and expectations of the interested parties, compliance obligations requirements and environmental aspect requirements
- Third column included: potential risk if controls are not maintained, and
- Fourth column included: the controls to prevent the risk from becoming a reality.
MD: Thanks Jim for sharing your experience and expertise with us.
Thank you so much for reading. Please let us know if you have any questions. If you are interested in finding out more about how to properly and effectively implement ISO 14001:2015 at your facility, please contact us; that’s what we are here for. If you choose to do the implementation internally, then take a look at our ISO 14001 and other related environmental webinars and classroom courses right here at this link:
Thanks again and best of luck with your environmental management system and its programs.
GreenUp Consultants, LLC – GreenUp Academy, LLC
Owner/ Principal Consultant
Exemplar Global certified Lead Auditor:
EMS – OHSAS – EHS Regulatory Compliance
QMS – e-Stewards/R2/RIOS Lead Auditor