John Nolan One of the key elements of the ISO 14001:2015 standard involves risk and opportunity. Previously, in the article The role of risk management in the ISO 14001:2015 standard, we considered exactly what the standard prescribes in terms of risk, and how this element has replaced preventive action within the management of an ISO 14001:2015 EMS (Environmental Management System). However, many EMS managers disagree on whether a risk register is mandatory, or even advantageous in the company EMS when seeking certification against ISO 14001:2015. So, what can we do to clarify this?
Recording risk – Why?
Section 6.1.1 of the ISO 14001:2015 standard deals with addressing risk and opportunity, and while it does not specifically mention a “register,” it does outline the requirement to maintain “documented information” required to address the identified risks and opportunities, and the processes needed to ensure that this element can be executed successfully. So, clearly, while a formal risk register is not mandatory, the EMS manager or administrator must decide how to record the risk-related actions and outcomes that the organization undertakes to ensure that proof is available for the auditor at the certification audit. In light of this requirement, what are the best options?
The risk register in your EMS
A risk register still stands as an efficient and reasonable way to record the inputs and outputs from a company’s risk process. Let us consider what should be captured here if your organization decides to use a risk register in its EMS:
- Date of the definition of risk
- Source of the definition of risk – This is critical given the leadership requirements in the ISO 14001:2015 standard. Ideas and input for risk assessment can come from any level of the organization, but due to the requirement for increased involvement from top management, it is vital that the organizational leaders play their part in the risk identification process. For more details, see the article How to demonstrate leadership according to ISO 14001:2015.
- Brief description of the risk
- Responsibility for action
- Timeline predicted for closure
- Status – that is, whether the issue is open or closed
Again, more details can be kept on the formal risk assessment document itself, which will normally be developed to outline specific details and keep track of multiple external and internal actions that may be required to record the history and closure of an identified risk. While the elements described for an EMS risk register above are again not mandatory against the 14001:2015 standard, they are sensible as a record of your organization’s EMS risk identification and action and will help to satisfy the certification process that “documented information” has been maintained. So, are there any other options that can be used to record risk?
Recording risk – Other options
Many organizations choose not to use a risk register and may use various methods of recording risk to meet the terms of the standard. Let’s examine one alternative method of recording risk:
- Record “risk-based discussions” in board or top management meeting minutes, with any topics deemed necessary for formal risk assessment passed onto the EMS team for execution.
- The EMS team records the receipt of these topics and delegation for responsibility in the minutes of its regular meetings.
- A formal “risk assessment” with details of action, links to any associated corrective actions, and so forth are outlined in the EMS.
- The top team reviews these risk assessments and outcomes and records any feedback or further actions in the regular meeting minutes, and critically – in the management review minutes.
While this method may not seem so clean, it clearly provides an auditable history of the organization’s attitude and action towards environmental risk, and critically, also demonstrates that there is leadership and top management involvement in the risk process in a way that the risk register immediately does not.
Which method is best for your EMS?
As with all non-mandatory elements of the EMS, your organization will have to evaluate the advantages and disadvantages and decide for itself. The risk register can provide a focal point for your risk-based discussions and outcomes, but more informal methods can provide more information and also provide proof of other mandatory elements of the ISO 14001:2015 standard, like leadership commitment, for example. Whatever you choose, make sure that you take care of the details – this will help ensure that your risk process is effective and compliant when your certification audit date comes around.
Why not undertake our free online ISO 14001:2015 Foundations course to learn about risk management?
