
Risk management in ISO standards

The common theme between Sarbanes-Oxley (SOX) and quality/environmental management systems (QMS/EMS) is managing risk: financial, quality, and environmental respectively. Many companies and Environmental Management System (EMS) consultants treat Environmental Aspects as Environmental Risks and use the EMS to manage those aspects, or risks, accordingly.

ISO Definitions:

  • Risk is the combination of the probability of an event and its consequences. (ISO/IEC Guide 73:2002, "Risk management – Vocabulary – Guidelines for use in standards", definition 3.1.1)
  • Environmental Aspect is an element of an organization's activities, products or services that can interact with the environment. NOTE: A significant environmental aspect is an environmental aspect that has or can have a significant environmental impact. (ISO 14001 definition 3.5)
  • Environmental Impact is any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization's activities, products or services. (ISO 14001 definition 3.6)
  • Risk Management is the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating and controlling risk. (ISO 14971:2000, "Application of Risk Management to Medical Devices", definition 2.18)
  • Risk Management Process is a continuous process for systematically identifying, analyzing, treating, and monitoring risk throughout the life cycle of a product or service. (ISO/IEC 16085, "Software Life Cycle Processes – Risk Management", definition 3.12)

The ISO 14004 guidance shows how an EMS manages its Significant Aspects through the Plan-Do-Check-Act (PDCA) cycle, which maps onto the following ISO 14001 clauses:

  • 4.2 Environmental Policy
  • 4.3 Planning - 4.3.1 Environmental Aspects
  • 4.4 Implementation and Operation
  • 4.5 Checking and Corrective Actions
  • 4.6 Management Review

Risk management can be applied at various levels: project, organizational, and enterprise. For project risk management, ISO 10006:2003, "Quality management systems — Guidelines for quality management in projects", has section 7.7, Risk-related processes, with the following clauses:

  • Risk identification
  • Risk assessment
  • Risk treatment
  • Risk control

Companies registered to both ISO 9001 and ISO 14001 have the opportunity to integrate the two standards into a single management system. The risk management discipline they already practice under ISO 14001 (identify, assess, treat, control) can then be applied to quality and to other areas, such as the financial controls required by SOX.
