Risk Management in ISO 9001 and ISO 14001

Understanding the upcoming revisions

Published: Thursday, February 19, 2015 - 14:03

In the years since ISO 9001 and ISO 14001 were first published, many organizations have followed the models of these standards in designing their own management systems. However, many of those systems haven’t been utilized to effectively manage risk. Many have been minimally developed to meet customer requirements or legal regulations.

The draft revisions to ISO 9001 and ISO 14001 will provide a way for companies to look at their processes in a new light and to take a more active approach to risk management. For example, if a company wishes to pursue ISO 14001 certification, its prevention of pollution policy will have to be revamped to focus on protection of the environment. As the company moves in that direction it will truly become more competitive on a global basis.

Although we’ve seen this trend coming, the upcoming revisions to ISO 9001 and ISO 14001 are proof that quality management and risk management can no longer be considered separate issues for your organization. The revisions call for greater flexibility and recognize the need for businesses to integrate their quality or environmental management processes into the overall business strategy.

Because ISO 9001 serves as the basis for many other standards, many of the changes found in the draft international standard (DIS) ISO/DIS 9001:2014 appear in the ISO/DIS 14001:2014 document as well. The ISO/DIS 9001:2014 revision addresses global and technological changes in the market and reinforces a new risk-based sensitivity. It also departs even further from the traditional ideas of command and control from a small cadre of top managers on down. Risk management, change management, and knowledge management are each given a sharper focus.

One major change to the ISO 9001 standard you will notice is the removal of any mention or requirements for “preventive actions.” This may sound counterintuitive, but this is actually because there is a larger focus on risk management and prevention. The new standard assumes that management structure and the quality management system are designed in a way to prevent potential risks to the greatest extent possible. For example, clause 6.1 requires a company to identify risks, in addition to ways those risks can be addressed for the management system to work properly.

New clauses have been introduced to section four, entitled “Context of the Organization.” The organization is now required to identify, analyze, and determine how external and internal issues can affect the organization’s ability to achieve the expected outcomes of their quality management system.

External issues to be considered could be changes in the competitive landscape, economic issues, environmental issues, legal requirements, regulatory issues, and technological changes, regardless of whether they are domestic or global. Internal issues could be related to the organization’s culture and the beliefs, values, or principles therein.

ISO/DIS 9001:2014 increases the importance of finding the root cause of a problem that may occur within the organization. Currently, once the problem is identified, the organization is required to fix it and keep it from happening again. The new revision escalates this entire concept of organizational risk management to another level, looking at concerns across all aspects of the organization: not only customers but also employees, vendors, and even the communities in which the company operates.

The ISO 14001 revision expresses a greater focus on preventing organizational risk within the organization’s environmental management system. The environmental policy refers to organizational context, implying that the policy should focus on the overall environmental management system. This applies not only to key environmental risks, but also to broader threats and opportunities posed to the organization. This is a big difference from the narrower focus on pollution prevention found in the 2004 version.

The ISO 14001 revision also emphasizes the benefits of determining where in the value chain the organization can control or influence performance, so that the consequences of environmental aspects can be reduced or mitigated. The objective is to encourage the consideration of external opportunities for improvement. For some organizations, the revised requirements will require an expansion of scope beyond the typical property “fence line,” to ensure the consideration of the aspects and compliance obligations associated with the value chain; services/activities; and product performance, use, and disposal.

Again, “preventive action” has been removed and replaced by the wider concept of risk management as a core element of planning. Indeed, all references are made to risk, identification of risks and opportunities, and planning actions to address risks and opportunities identified. In fact, the “planning” section of the ISO/DIS 14001:2014 standard requires actions to address risk associated with threats and opportunities.

The ISO 14001 revision includes a greater focus on the context of the organization. In fact, the new clause 4 now requires the organization to consider itself within its context, and then determine the scope of its environmental management system. Two new clause headings include:
4.1—“Understanding the organization and its context”
4.2—“Understanding the needs and expectations of interested parties”

Together these clauses require the organization to determine the environmental issues and requirements that can affect the planning of the environmental management system. This would result in a broader business outlook that would imply a more detailed operational planning, always considering the environmental issues within its context.

The expectation for organizations has been expanded to commit to proactive initiatives to protect the environment from harm and degradation, consistent with the context of the organization. Identifying and managing aspects and risks must take into account the issues determined to be within the context of the organization, as well as the needs and expectations of other interested parties.

Paula Oddy and Jeff Eves are managers at Intertek, a Quality Digest content partner.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”


About The Authors

Paula Oddy

Paula Oddy is the technical and quality management system manager at Intertek’s business assurance group. She has more than 25 years’ experience in the auditing and certification industry, with extensive quality management system experience with Entela and Intertek. Oddy is responsible for overseeing the technical review of audit files, qualification of auditors, and ongoing training. She holds a bachelor’s degree in industrial technology from Grand Valley State University with a concentration in quality science from Grand Rapids Community College.


Jeffrey Eves

Jeffrey Eves is the green services program manager in North America for Intertek’s business assurance group. He is responsible for sustainability auditing and verification services for ISO 14001 Environmental Management Systems, ISO 50001 Energy Management Systems, and Occupational Health and Safety (OHSAS) 18001 certification programs, sustainability assessment services, greenhouse gas verification services, and various environmental and safety-related, second-party, and supplier/vendor auditing services. Eves also manages Intertek’s green services global center of excellence while supporting business development, auditor recruitment, qualification, and development activities. He is a lead auditor for ISO 50001, ISO 14001, and OHSAS 18001.