Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In CERM Risk Insights #354 I discussed the risk management study of local governments in New Zealand. One of the cases in the study was Environment Canterbury Regional Council. The regional council’s focus, together with the increasing concern about environmental risks in both the public and private sector, represents a challenge to the approach most New Zealand local governments use, ISO 31000:2018, and to the International Organization for Standardization (ISO) more generally. This piece discusses this challenge to ISO 31000:2018 and its implications.
Environment Canterbury Regional Council
The purpose of the Environment Council is to set out objectives, policies, and methods to resolve resource management issues and to achieve integrated management of the natural and physical resources of Canterbury.
The Environment Council’s areas of responsibility include:
- Air quality
- Biodiversity and biosecurity
- Freshwater management
- Climate change, hazards, risk, and resilience
- Transport and urban development
Under each of the areas, the Environment Council identifies service level targets. For instance, the 2019-20 Summary Annual Report notes that for Hazards Risk and Resilience, 21 of the 24 target levels were achieved. The interrelationship between the work of the Environment Council and environmental risk faced by local governments can be seen in the Waimakariri Flood Protection Project. The report indicates:
“In August 2019 we celebrated the completion of the 10-year $40 million Waimakariri Flood Protection Project. Delivered ahead of schedule, it protects an estimated $8 billion of property and assets, and significantly improves the Greater Christchurch and Waimakariri District’s resilience to a major flood event and climate change.” (1)
Climate change risk and mitigation is a major responsibility of the Environment Council. While the Council is specifically chartered to deal with environmental risks, such risks can impact any organization, public or private, at the operational level. This recognition has increased the interest in environmental risk identification and mitigation. Unfortunately, the growing concern about environmental risks creates a problem for ISO 31000:2018.
ISO 31000:2018 Environmental Risk Problem
The key problem for ISO 31000:2018 is that it does not specifically include environmental risks in the model. While there is nothing that precludes their inclusion, it simply does not focus on environmental risks. This is unlike the approach used by Committee of Sponsoring Organizations’ (COSO) ERM.
In 2018 COSO in conjunction with the World Business Council for Sustainable Development created a supplement to COSO ERM. The supplement is entitled “Enterprise Risk Management: Applying Enterprise Risk Management to Environmental, Social and Governance – related risks”. (2)
The supplement stresses the need for businesses to include Environmental, Social and Governance (ESG) risks in their Enterprise Risk Management (ERM) process and risk register. It also identifies ESG issues and themes an organization should consider. A short list is presented in Table 1 below.
While the list above is extensive, each organization can add or subtract as necessary for its specific circumstances. This makes COSO ERM ESG more competitive with respect to the growing environmental risk management concerns.
The lack of ESG risk in ISO 31000:2018 means that, if ISO 31000:2018 is to remain competitive and the dominant model, at least in the public sector, it will have to include ESG risks. The problem is that ISO has another model to which it recently added risk management: ISO 9001:2015, its quality management certification. The presence of the two creates a dilemma for ISO.
The dilemma is whether to add ESG to each or to just one. ISO 31000 was updated in 2018. Thus, it is not scheduled for an update until 2023. ISO 9001, on the other hand, was scheduled for an update in 2021. The 2021 update has yet to occur. This is because two surveys of 9001 technical committee members recommended no update. Whether the recommendation will be adhered to is uncertain.
There is speculation that ISO corporate is not happy with the results. It badly wants to update 9001. The reason for this speculation is the fact that a second survey was conducted just months after the first. The motivating factor for wanting an update is money. It is believed ISO is not in a strong financial situation. Consequently, it can use the revenue from updating current publications.
Time will tell the veracity of the speculation. What is certain is that 31000 is a guide, while 9001 is a certification. ISO’s money maker is 9001. If, however, ISO moves 9001 further into the risk arena, particularly by adding ESG risks, it dilutes the quality management emphasis. This may cause many corporations to question whether continued ISO 9001 certification is necessary. Under a scenario where organizational and ESG risks are emphasized, poor quality management becomes just another risk corporations must deal with. Under such a scenario, why is 9001 certification necessary?
With respect to ISO 31000, ISO could issue an ESG supplement. This would make 31000 more competitive with COSO ERM ESG. However, because 31000 is a guide and not a certification, ISO will not make as much money. Waiting until 2023 to update ISO 31000 with ESG means that ISO 31000:2018 will be less competitive in the interim. While ISO 31000:2018 does not make as much money as ISO 9001, as it becomes less competitive relative to COSO ERM ESG, its relevance and the accompanying revenue may decrease.
Concern with environment-related risks is increasing. This creates a problem for ISO. ISO has two risk-oriented models. One is 31000:2018. It is a guide, which focuses on enterprise-wide risk management. The other is ISO 9001:2015. It is a quality management system certification. In 2015 ISO added risk management to 9001. Neither 9001:2015 nor 31000:2018 has environmental risk elements. This is unlike COSO ERM ESG, which has environmental risk elements.
The problem ISO faces is that 31000:2018 is not up for revision until 2023. ISO 9001:2015 is due for revision in 2021. Unfortunately, two recent surveys of ISO 9001 technical committees determined that no revision was necessary.
With the increasing concern for environmental risks and their mitigation, ISO has a decision to make. That decision is whether to add ESG risks to one or both models. If it does not, then ISO 31000:2018 could be made obsolete by COSO ERM ESG. On the other hand, while adding ESG risks to 9001:2015 would be consistent with current concerns, it could make 9001:2015 less desirable as a certification. This is because a poor quality management system would be just one of many enterprise-wide risks. Further, it is conceivable that management could decide that, given the need to focus on environmental risks, a quality management certification such as 9001:2015 is not necessary.
- (1) Canterbury Regional Council, 2020, “Summary Annual Report 2019/20”, page 8, https://www.ccan.govt.nz/get-involved/news-and-events/2020/council-adopts-2019/2020-annual-report
- (2) COSO, 2018, “Enterprise Risk Management: Applying Enterprise Risk Management to Environmental, Social and Governance – related risks”, https://www.coso.org/Documents/COSO-WBCSD-ESGERM-Executive-Summary.pdf
James J. Kline has a PhD from Portland State University. He has worked for federal, state, and local government. He has consulted on economic, quality and workforce development issues. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He can be contacted on LinkedIn or firstname.lastname@example.org