Opportunity: a new way to think about risk

People usually think of risk as a bad thing –  the exposure to danger, harm or the potential for losing something of value.  Whilst it is essential that business leaders identify and reduce the likelihood of these consequences, it is equally important to consider how the same sources of risk can represent opportunities to strengthen the business.

I’ve recently discovered that the added-value potential of opportunities can be determined in a very similar way to assessing the risk of harm. Its not at all difficult and can add rigour to the planning process, highlighting the actions for the business to prioritise.

The new ISO management system standards define risk as the “effect of uncertainty”.  An effect is “a deviation from the expected – positive and/or negative”. Uncertainty is the “state, even partial, of deficiency or information related to, understanding or knowledge of, an event, its consequences and likelihood”.  This tells us that risk is not necessarily a “bad” – its just something we all need to manage.

The primary task of business leaders is to meet or exceed stakeholder expectations. Typical stakeholders include customers, workers, supply chain partners, regulatory authorities, investors and the general community. It is fundamental to good business management that business leaders know who their key stakeholders are.

Non-fulfilment of interested parties’ expectations poses strategic risks beyond mere reputational damage – loss of a key customer, huge financial penalties, court action or revocation of the site license to operate.

Executives who are proactive and improvement-focused determine key stakeholders and put processes in place to actively engage with them.  Common expectations that relate to the environment are the prevention of pollution, energy and resource efficiency, biodiversity conservation and the minimisation of nuisance impacts – noise, vibration, odour and dust.

For worker health and safety, its the elimination of hazards and the systematic reduction of work-place accidents, injury and ill-health. Many of these broad expectations are shared by more than one stakeholder group – so its not too difficult to conduct a simple, top level review and keep it up-to-date.

But businesses don’t exist in a vacuum. Proper identification of the sources of risk and opportunity involves more than knowing customers. It involves scanning the entire internal and external environment to determine the relevant issues at any given time.

Consider the political/regulatory situation; economic/financial issues; social/community expectations; technological advancements and the natural environment – mother nature herself. These are sources of risk and opportunity that are constantly changing.

Most HSEQ systems lack a clear and transparent process for stakeholder needs identification, risk and opportunities assessment and the incorporation risk in decision making. But doing this well is not only good business practice, its a requirement of the new international standards.

We’ve developed a set of tools and can create a customised workshop to help your organisation incorporate these new requirements into existing management systems. Feel free to call me, (Suzy) on 0418862899 to discuss your particular needs.

This article was updated in May 2018 to reflect the release of ISO45001:2018. 

9 Replies to “Opportunity: a new way to think about risk”

  1. Great picture! This says so much about venturing forward into the unknown and do I detect a subtle reference to climate change?

    1. Yes -the uncertainty with climate change can work either way. Things may be turn out worse or better than we imagine even with the most powerful and sophisticated climate modelling and thousands of IPCC scientists. Human societies are entering the unknown. Its a big U-Factor.

  2. Hello Suzy! My name is Felipe (Phil). I’m an environmental management student in Brazil and I read your article about these “U-Factors” and they seem to be something of great value applied here. Therefore I’m emailing you to get more information on this subject. I’m always seeking additional knowledge to improve my academic information. I believe that after i graduate, this kind of management can be applied here, I like the idea. Brazil needs to adopt more sustainable ideas.

    1. The U-Factors vary a great deal depending on the specific geographic location and the activities and processes going on at the site in question. I’ll put forward some general guidance on this and email it to you within a few days. Thanks for your interest and I wish you well with your studies.

  3. This is just good management? It (Risk analysis) can be achieved with a simple SWOT and PESTLE analysis and a stakeholder mapping excercise linking strategic objectives with reasonable expectations of stakeholders. I don’t see what it has to do with the New 14001 DIS? The new requirements don’t add value beyond the previous standard, so existing systems for risk management can be used if certification to the new standard is beneficial. It is the effectiveness of the management system that is important not certification to the new standard? If the existing system works in terms of meeting the needs of the organisation there is no need to continue certification as long as the system in use is effective and meeting stakeholders reasonable expectations.

    1. Your comment:
      This is just good management?
      My reply:
      Yes its fundamental to good management and clear to those of us who have studied the subject. But out there??? There are many companies who aren’t managing their business effectively and the standards are there to help them lift their performance.
      Your comment:
      It (Risk analysis) can be achieved with a simple SWOT and PESTLE analysis and a stakeholder mapping excercise linking strategic objectives with reasonable expectations of stakeholders. I don’t see what it has to do with the New 14001 DIS?
      My reply:
      The DIS has new requirements regarding stakeholders in clause 4.2 “Understanding the needs and expectations of interested parties” and this flows through to other clauses that talk about interested parties and risk.
      Your comment:
      The new requirements don’t add value beyond the previous standard, so existing systems for risk management can be used if certification to the new standard is beneficial.
      My reply:
      Regarding risk, the placement of some of the requirements of the risk standard ISO31:000 into ISO14001 does add value, I believe. All the standard includes currently is the requirement to identify aspects and determine those that are significant – a very narrow focus. In adidition to the incorporation of risk, the DIS also has a whole new section on “Leadership and commitment” and it will be interesting to see if this achieves its intent of lifting the EMS from what is commonly an operational tool to the strategic level.
      Your comment:
      It is the effectiveness of the management system that is important not certification to the new standard?
      My reply:
      I strongly agree that effectiveness is paramount – that’s the whole point! The issue of whether certification is beneficial or not depends on the stakeholders themselves. In my article I was really talking to those companies that need to keep their certification in order to tender for government work here in Australia. Some principle contractors or large companies have EMS as a prequalification requirement and companies want to retain it.
      Your comment:
      If the existing system works in terms of meeting the needs of the organisation there is no need to continue certification as long as the system in use is effective and meeting stakeholders reasonable expectations.
      My reply:
      I agree and thanks for your comments and additing to the discussion. Have a great day!

      1. Hi Suzzanne ??Thanks for your response, most of which seems fairly agreeable. There seems to be a couple of assumptions in the response around the need to be certified for government contracts (Not nearly as strong in the UK) and That the inclusion of the risk “requirement” can be objectively audited along with context, and senior management behaviour (Leadership measured how?) relative to the new “shalls” introduced by the HLS? Could you perhaps pinpoint the added value you say the new standard provides ? The 2004 version required the organisation to identify significant aspects and put controls in place to minimise negative impacts to the environment. Crucially it was for the organisation to determine “how” it did this, not necessarily a narrow focus? . The statement that using a standard can improve performance I agree with, but this doesn’t necessarily imply this new approach is more “effective” (Measured how?) Also how will the understanding of the needs and expectations of 3rd parties be “objectively audited”? How come Top Management Review (4.6 2004) failed in making EMS a strategic part of the management strategy overall in many organisations? (Embedding the EMS) EMS is seen as an operational tool quite rightly, that is what a management standard is. The use of EMS as a PQQ gateway for work contracts proves this is indeed the case as it excludes many SMEs and not for profits from tendering for the work they may well be equiped to do? How would one choose between three companies tendering for work where all are certified to the standard…..? Count the number of nonconformances over the previous year? Certification only proves that a certification body thinks the organisation’s EMS (QMS or what ever) meets the requirements of the relevant standard – nothing more? It does not mean that a certified company tendering for work would deliver a better outcome than a company with the same capability that lacked a cerfified EMS. The assumption that a certified company is “better” in some way is just that, an assumption! It doesn’t reduce risk either many certified organisations doing work for others have been found to be embarassingly un-green when caught doing something like exporting WEEE for example in spite of their claimed procedures stating otherwise? ??You are of course entitled to believe the HLS adds value – I just don’t see it? All the best.

        1. Yes – ISO14001 certification, though not legislated, is a stronger supply chain requirement here in Australia. As you say, there is no guarantee that a certified company is better than one that is not. IS014001 is just a minimum set of requirements. Companies that are genuinely committed to sustainability will go far beyond this. One criticism of the standard is that it doesn’t differentiate between companies that just scrape over the line and those tha forge ahead in leaps and bounds.
          The new ISO14001 requirements, I believe, are designed to lift the bar of low performers in a number of areas. In the next 2 years companies will need to put a process in place to be able to demonstrate the things you mention – risk, senior management behavior, 3rd parties, performance etc. The process they use for doing this is up to them and, like any process, it will be objectively audited using observations, interviews, procedures and records of various kinds. Effective auditors will be expecting to see actual results – improvement in environmental performance. The new communications requirements will add to transparency and this will drive improvement as companies won’t be able to hide behind a certification tick.
          Whether the DIS makes any meaningful difference remains to be see of course!

Leave a Reply to Monika Freeman Cancel reply

Your email address will not be published. Required fields are marked *