Does your EMS need a risk and opportunity procedure?

Of the changes seen in the new ISO 14001:2015 standard, many experts rate the changes surrounding risk and opportunity in the EMS (Environmental Management System) as being amongst the most important. In a previous article, The role of risk management in the ISO 14001:2015 standard, we looked at how assessing and managing risk had replaced preventive action within the workings of the EMS and what the key benefits to the environment could be if risk and opportunity were identified and handled correctly. So, given that risk and opportunity is one of the most critical elements of EMS performance, does a procedure need to be written to define this process? And, if so, what should we include to ensure maximum effectiveness?

Documenting a risk and opportunity procedure – Is it mandatory?

Technically, no, but it may make sense for your organization to create one. The ISO 14001:2015 standard states that documented information of the risk and opportunity must be maintained by the organization to ensure the necessary confidence that the issue has been tackled effectively. Critically, documented evidence also needs to be kept of the “risks and opportunities that need to be addressed”; so, in effect, specific details need to be documented of the exact nature of risks and opportunities identified and the actions taken to address them. So, now that you understand what type of documented information is mandatory regarding risk and opportunity, what formats should you consider to ensure it fulfills the terms of the standard and gives maximum benefit to your organization?


Risk and opportunity procedure – What is required?

Risk and opportunity comes in many forms for most businesses, and tends to be viewed differently by many people within that organization. If you ask a member of top management, a member of middle management, and a shop floor operator what they think are the single most important risks and opportunities to a business, you may well get several very different answers, though all may be valid to some extent. For example, a production employee may see a flaw in a production process to be the greatest risk, a middle manager may consider resource issues to be the greatest risk to operations, and a top manager has knowledge of an imminent product launch by a competitor, and considers that to be the organization’s biggest risk. Therefore, one thing becomes very clear: it is good practice to share information and opinions on this topic, and this should undoubtedly be something to consider when documenting your risk and opportunity procedure, as follows:

  • Channeling your risk and opportunity information: Some organizations use risk logs that are open to all employees, or even have risk forums and meetings. Other organizations have risk discussions at several different levels – such as the monthly quality & environmental meeting and the monthly board and management meetings – and then the outputs and ideas are put together, assessed, and actions taken to mitigate risk and take advantage of opportunity – with this information being clearly recorded in the EMS. What is clear is that several combinations of these methods can fulfill the terms of the standard, so bear in mind that it will benefit your organization if you can find the process that suits you best, and document it accordingly. You can gain information on the benefits of a risk register in the article Should you use a risk register in ISO 14001?
  • Ensuring you capture actions and responsibilities: This sounds obvious, but it is critical to the success of your process. Create your documented information to leave no doubt regarding what details of responsibility and specific actions need to be recorded; otherwise, the possibility of failure will increase.
  • Set a review or monitoring method into your process: Most risks and opportunities can’t be resolved in a matter of days, and many risks take months to be eliminated. Opportunities can also take long periods to realize. It is therefore critical that your documentation or form facilitates a regular review process, whereby a check can be made against the progress seen, and further actions initiated if the circumstances of the risk or opportunity have changed. Again, this can be vital to the business of dealing with risk and opportunity, and if you build this into your documentation, then it will become second nature to those dealing with risk and opportunity topics to consider this.
  • Learn lessons from your experience: This is another vital part of the risk and opportunity process that can often be overlooked. By creating documented information that prompts your team for “lessons learned,” you can ensure that records are kept of vital information that can help you in the future. This can be especially helpful if your management team carries out a periodic review of risk and opportunity, and this type of summary can be used for future reference.
  • Risks that arise from compliance obligations: Fulfilling compliance obligations normally leads to risks and opportunities; to comply with the standard, it is vital that your organization identifies these and keeps record of actions taken against these risks and opportunities.

Aligning your risk and opportunity process with your needs

We can see that documenting your risk and opportunity process and its outcomes is indeed mandatory under the terms of ISO 14001:2015. However, it is important that you recognize that any procedures created must assist you in identifying and mitigating risk, and identifying opportunities to improve in your EMS. Good risk and opportunity procedures will encourage your team to think in a certain way, depending on how they are structured and what information they require. Structure these documents correctly and you will see subsequent improvement in your environmental performance.

Use our free online training  ISO 14001 Foundations course to learn about risk and opportunity requirements in ISO 14001.

Advisera John Nolan
Author
John Nolan
John Nolan is a Fellow of the Institute of Leaders and Managers in the United Kingdom, and Prince 2 accredited with a background in Engineering and Electronics and Data Storage and Transfer. Having studied and qualified as both a Mechanical and Electronic Engineer, he has spent the last 15 years designing and delivering Quality Systems and projects across many sectors in the UK, including both national and local government.