The U-Factors: a new way to think about risk


The Final International Standard of the Environmental Management Systems Standard, ISO14001:2015, was published in September 2015. All requirements are now finalised and the rules allow for only editorial adjustments from now on. There are a number of changes to note between the Draft International Standard (DIS) and the final version. Of relevance to the original article below is the change in the definition of “risk” and the prevalence of the word “opportunity”.

In the DIS, risk is defined as “the effect of uncertainty on objectives” but the final standard omits the words “on objectives” from the definition. This has the effect of broadening the concept of uncertainty to cover all types of issues, not just those associated with objectives.

The word “threat” was confusing and was removed from many clauses. Instead the final standard includes a new definition – “risks and opportunities”. These are potential adverse effects (threats) and potential beneficial effects (opportunities).  

People usually think of risk as the exposure to danger, harm or loss or the potential for losing something of value.  While it is essential that businesses identify and reduce the likelihood of these consequences, it is equally important to consider how they may affect the business as a whole. In the new ISO standards risk is defined as the effect of uncertainty on objectives and this is intrinsically linked to stakeholder expectations.

Objective – a result to be achieved

When you are driving a car an objective or result to be achieved is for you and your passengers to arrive at your destination safely and on time. Other stakeholders, your family and friends at the destination, expect that you will arrive fit and healthy within a reasonable timeframe.  But there may be deviations from the expected, positive or negative, impacting on these objectives – typically the amount of traffic congestion, road conditions and weather events. These are the unknowns, uncertainties or what I call “U-Factors”. In the worst case scenario of non-arrival due to serious injury, U-Factors can be considered to be catastrophic.

Applying this thinking to business, all leaders have the overall objective of meeting stakeholder expectations and requirements.   Non-fulfilment can represent threats such as loss of an important customer or revocation of the site licence to operate. Typical stakeholders include customers, supply chain partners, regulatory authorities, investors and the general community.  Executives who are proactive and improvement-focussed will identify key stakeholders, actively engage with them and develop measurable objectives, programs and initiatives to meet their requirements and expectations.  Examples of expectations that relate to the environment are the prevention of pollution, energy and resource efficiency, biodiversity conservation and the minimisation of nuisance impacts – noise, vibration, odour and dust.

Risk – the effect of uncertainty 

There are many types of uncertainty or U-Factors. ISO14001:2015 defines uncertainty as the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequences and likelihood.

We are familiar with natural variations in the weather, human error and differences in individual perception. Other types of uncertainty include measurement uncertainty relating to monitoring equipment, scientific uncertainty such as the GWP of certain gases and estimation uncertainty due to data handling errors. In GHG accounting an uncertainty assessment estimates the amount of uncertainty in a range of values, e.g. +/- 0.5.

To properly identify U-Factors one must cover the entire internal and external environment in a broad sense including the political/regulatory situation; economic/financial issues; social/community expectations and technological risks.

What are risks and opportunities?

The environmental aspects, programs, initiatives and risk control mechanisms that companies implement have associated “U-Factors”. I’ll illustrate this with the example of tree removal (a potential threat) and tree planting (a potential opportunity). In both these examples let’s assume that the activities are legal, that is, they have been approved by the relevant regulatory authority.

Example 1 – Tree removal

Stormwater pollution is a potential adverse impact associated with the removal of vegetation. In the worst case scenario a significant pollution event may prevent the business from tendering for future lucrative construction projects due to their failure to meet the expectations of regulators (EPA, Department of Planning) and the Principal Contractor (customer). Under the approval conditions the company must, among other things, install and maintain sediment fences, diversion channels and retention basins. Nevertheless these devices may fail during a heavy rain event causing increased turbidity of the river. The “U-Factor” of heavy rain means that the company failed to realise the objective of meeting the needs of key stakeholders. The EMS therefore must address this through monitoring weather reports and predictions of heavy rain events.

Example 2 – Tree planting

The increase in storage of carbon dioxide in a forest sink is a beneficial impact providing an opportunity for companies wishing to sell the carbon abatement through recognised schemes such as the Carbon Farming Initiative in Australia or the UN Clean Development Mechanism (CDM) internationally. The likelihood of carbon removal is increased by conservation soil tillage and other sustainable land management practices. Nevertheless some or all of the trees may die through disease, fire or illegal logging resulting in “reversal”. That is, carbon dioxide is returned to the atmosphere at some future time. Any of these “U-Factors” could mean that the company fails to realise the objective of meeting the requirements of the UN, investor parties or the Clean Energy Regulator. The EMS therefore must address these U-Factors through constant monitoring of pests and disease and 100 year land tenure agreements.

How we can help

Update July 2018

Organisations holding ISO14001:2004 certification will have to meet the additional requirements of ISO14001:2015 by September 2018. Most Environmental Management Systems (EMS) lack a clear process for stakeholder needs identification, risk and opportunities assessment and the incorporation of risk in decision making.

We’ve developed a set of simple tools to help you incorporate these new requirements into your existing management system. Feel free to send an email to me (Suzy) at  to find out more.

8 Replies to “The U-Factors: a new way to think about risk”

  1. Great picture! This says so much about venturing forward into the unknown and do I detect a subtle reference to climate change?

    1. Yes – the uncertainty with climate change can work either way. Things may turn out worse or better than we imagine even with the most powerful and sophisticated climate modelling and thousands of IPCC scientists. Human societies are entering the unknown. It’s a big U-Factor.

  2. Hello Suzy! My name is Felipe (Phil). I’m an environmental management student in Brazil and I read your article about these “U-Factors” and they seem to be something of great value applied here. Therefore I’m emailing you to get more information on this subject. I’m always seeking additional knowledge to improve my academic information. I believe that after I graduate, this kind of management can be applied here, I like the idea. Brazil needs to adopt more sustainable ideas.

    1. The U-Factors vary a great deal depending on the specific geographic location and the activities and processes going on at the site in question. I’ll put forward some general guidance on this and email it to you within a few days. Thanks for your interest and I wish you well with your studies.

  3. This is just good management? It (Risk analysis) can be achieved with a simple SWOT and PESTLE analysis and a stakeholder mapping exercise linking strategic objectives with reasonable expectations of stakeholders. I don’t see what it has to do with the New 14001 DIS? The new requirements don’t add value beyond the previous standard, so existing systems for risk management can be used if certification to the new standard is beneficial. It is the effectiveness of the management system that is important not certification to the new standard? If the existing system works in terms of meeting the needs of the organisation there is no need to continue certification as long as the system in use is effective and meeting stakeholders’ reasonable expectations.

    1. Your comment:
      This is just good management?
      My reply:
      Yes, it’s fundamental to good management and clear to those of us who have studied the subject. But out there??? There are many companies who aren’t managing their business effectively and the standards are there to help them lift their performance.
      Your comment:
      It (Risk analysis) can be achieved with a simple SWOT and PESTLE analysis and a stakeholder mapping exercise linking strategic objectives with reasonable expectations of stakeholders. I don’t see what it has to do with the New 14001 DIS?
      My reply:
      The DIS has new requirements regarding stakeholders in clause 4.2 “Understanding the needs and expectations of interested parties” and this flows through to other clauses that talk about interested parties and risk.
      Your comment:
      The new requirements don’t add value beyond the previous standard, so existing systems for risk management can be used if certification to the new standard is beneficial.
      My reply:
      Regarding risk, the placement of some of the requirements of the risk standard ISO31000 into ISO14001 does add value, I believe. All the standard includes currently is the requirement to identify aspects and determine those that are significant – a very narrow focus. In addition to the incorporation of risk, the DIS also has a whole new section on “Leadership and commitment” and it will be interesting to see if this achieves its intent of lifting the EMS from what is commonly an operational tool to the strategic level.
      Your comment:
      It is the effectiveness of the management system that is important not certification to the new standard?
      My reply:
      I strongly agree that effectiveness is paramount – that’s the whole point! The issue of whether certification is beneficial or not depends on the stakeholders themselves. In my article I was really talking to those companies that need to keep their certification in order to tender for government work here in Australia. Some principal contractors or large companies have EMS as a prequalification requirement and companies want to retain it.
      Your comment:
      If the existing system works in terms of meeting the needs of the organisation there is no need to continue certification as long as the system in use is effective and meeting stakeholders’ reasonable expectations.
      My reply:
      I agree and thanks for your comments and adding to the discussion. Have a great day!

      1. Hi Suzzanne. Thanks for your response, most of which seems fairly agreeable. There seems to be a couple of assumptions in the response around the need to be certified for government contracts (Not nearly as strong in the UK) and that the inclusion of the risk “requirement” can be objectively audited along with context, and senior management behaviour (Leadership measured how?) relative to the new “shalls” introduced by the HLS? Could you perhaps pinpoint the added value you say the new standard provides? The 2004 version required the organisation to identify significant aspects and put controls in place to minimise negative impacts to the environment. Crucially it was for the organisation to determine “how” it did this, not necessarily a narrow focus? The statement that using a standard can improve performance I agree with, but this doesn’t necessarily imply this new approach is more “effective” (Measured how?) Also how will the understanding of the needs and expectations of 3rd parties be “objectively audited”? How come Top Management Review (4.6 2004) failed in making EMS a strategic part of the management strategy overall in many organisations? (Embedding the EMS) EMS is seen as an operational tool quite rightly, that is what a management standard is. The use of EMS as a PQQ gateway for work contracts proves this is indeed the case as it excludes many SMEs and not for profits from tendering for the work they may well be equipped to do? How would one choose between three companies tendering for work where all are certified to the standard…..? Count the number of nonconformances over the previous year? Certification only proves that a certification body thinks the organisation’s EMS (QMS or whatever) meets the requirements of the relevant standard – nothing more? It does not mean that a certified company tendering for work would deliver a better outcome than a company with the same capability that lacked a certified EMS. The assumption that a certified company is “better” in some way is just that, an assumption! It doesn’t reduce risk either; many certified organisations doing work for others have been found to be embarrassingly un-green when caught doing something like exporting WEEE for example in spite of their claimed procedures stating otherwise? You are of course entitled to believe the HLS adds value – I just don’t see it? All the best.

        1. Yes – ISO14001 certification, though not legislated, is a stronger supply chain requirement here in Australia. As you say, there is no guarantee that a certified company is better than one that is not. ISO14001 is just a minimum set of requirements. Companies that are genuinely committed to sustainability will go far beyond this. One criticism of the standard is that it doesn’t differentiate between companies that just scrape over the line and those that forge ahead in leaps and bounds.
          The new ISO14001 requirements, I believe, are designed to lift the bar of low performers in a number of areas. In the next 2 years companies will need to put a process in place to be able to demonstrate the things you mention – risk, senior management behavior, 3rd parties, performance etc. The process they use for doing this is up to them and, like any process, it will be objectively audited using observations, interviews, procedures and records of various kinds. Effective auditors will be expecting to see actual results – improvement in environmental performance. The new communications requirements will add to transparency and this will drive improvement as companies won’t be able to hide behind a certification tick.
          Whether the DIS makes any meaningful difference remains to be seen of course!
