The implementation of several ISO standards within an organisation sometimes seems to offer the guarantee of total Risk Management for all risks. But what really happens? Here is an overview of this recurring subject by our risk management specialist Grégoire Mottier.
Consequences of the application of ISO standards in Risk Management
Among the standards most often cited to confirm the existence of a risk management system, we find:
• ISO 9001 covering quality management
• ISO 14001 covering environmental management
• ISO 27001 covering information systems security
These certifications provide evidence of added value for risk treatment, common to all companies or public bodies. Each of these three standards has a positive influence on the organisation: quality management has positive consequences for economic sustainability, rigorous environmental management helps preserve its reputation, and IT security control has become a must because of the emerging risks that have grown exponentially in recent months.
Where to start? What are the choices?
What is the best strategy? Is it necessary to first pass the different certification processes before a global risk audit? Or is it the other way round? Apart from the fact that certain certifications can be required by the market to provide a competitive advantage, we believe that a risk management process conducted beforehand makes sense for various reasons:
- A comprehensive approach will make use of certification processes as efficient answers to treat certain risks.
- If led in a “bottom-up” manner, risk management will include all stakeholders, and the corollary will be a company culture directed towards sustainable and robust solutions in terms of general security. Furthermore, it will enable an attitude based on fully accepted sustainability.
- Real Enterprise Risk Management (ERM) is holistic and will obviously deal with matters “outside of certification”. The maintenance of a positive social climate, efficient management of projects, and unaffected financial resources also depend on good risk management.
- A good risk treatment policy is a prerequisite to preparing for access to certain certifications. Here again, risk management is a profitable investment in the long run, with advantages that are often not perceived at the start.
Don’t hide behind the standards
Organisations that have agreed to sacrifice resources to acquire significant certifications for their activities should be commended. This approach is a sign of maturity and competitiveness that deserves all our respect! But as Voltaire would say, “humility is the antidote to pride”.
The adoption of a set of certifications should not constitute a pretext for ignoring all topics related to hazards and their consequences, possibly unidentified for the simple reason that they fall outside the subjects addressed by the ISO world. Let us remind you of the classification method generally used by Risk Managers to convince themselves:
- Exogenous risks
- Financial risks
- Operational risks
- HR-related risks
- Strategic risks (upstream and downstream)
Taking these categories into account will enable organisations to determine the granularity with which they wish to implement efficient risk management, which will in turn be conducive to the subsequent adoption of specific ISO standards.
Head of Risk Management