Organizational risk management has evolved from a singular focus on financial risk to a broader perspective that includes enterprise-wide and non-financial risks. Approaches such as enterprise risk management, strategic risk management, value risk management, etc. are morphing into an area called non-financial risk management (NFRM). A paradox in this arena is that even though risk management is important, it is fragmented, siloed and poorly integrated in companies. NFRM frameworks are weak or non-existent.
A solution to this paradox can be found right down the hall in the EHS/S (environmental, health, safety and sustainability) department. But the decades of risk management experience that the EHS/S function has often go unnoticed because of its historic focus on regulatory compliance.
In many organizations, the EHS/S function is more mature than the broader NFRM function. The challenges that EHS/S has had to address closely parallel the NFRM challenges, such as: comprehensive risk assessment; increasing employee engagement; breaking down silos; developing reliable frameworks; and developing meaningful metrics.
The EHS/S function and its professionals have well-developed structures and skills that can be used to accelerate the development of the risk management function. This could be bad news for some readers who are worried about more work. On the other hand, it can be viewed as an opportunity to make a significant contribution in your organization.
Consider these EHS/S structures, practices and skills:
- EHS/S departments engage with every operational function in the organization;
- They have expertise in understanding regulatory compliance and “beyond compliance” approaches;
- They have unique sets of data that quantify and measure a wide range of operations;
- They have experience breaking down organizational silos and strength in generating engagement from the C-Suite down to the plant floor;
- They have the ability to analyze data to predict outcomes;
- They have the skills to design and employ new systems within the various operations of the organization;
- With a robust EHS/S management system, they have a platform to build a strong ISO 31000-based risk management framework;
- EHS/S auditing functions are mature and can support evolving risk management performance measurement activities.
Possibly the most valuable of the above is the ability to quickly develop a strong risk management framework (or, you could say, a Risk Management System) using the existing integrated EHS/S management system. Blending ISO 31000 into a mature ISO 14001/OHSAS 18001 EHS/S management system provides the strong risk management framework that can unify a fragmented risk management function.
Strictly speaking, ISO 31000 is not a management system. The intent of this standard is to augment existing management structures to achieve risk management goals. An ISO 14001/OHSAS 18001 management system, augmented with ISO 31000, provides a strong risk management foundation; the converse is also true. A 14001/18001 integrated system can be turbo-charged by folding in key elements of 31000, such as the 31000 clauses on "establishing the context" (Sec. 5.3) and on integrating risk management into organizational processes, which for EHS/S means integration across the organization (Sec. 4.3.4). Finally, 31000 provides the lens through which a wide range of "risks" can be identified, assessed and treated (Sec. 5.4 and 5.5), such as those associated with social responsibility, sustainability, and supply-chain issues.
When it comes to developing a framework for addressing non-financial risks, what has been your company’s approach? What other lessons do you think we could learn from the evolution of the EHS/S function?