ERM in ISO is Enhanced Risk Management
ISO maintains risk has implicitly been a part of the standard since the ISO 9001:2015 revision. How? In the new standard, ‘preventive action’ has evolved to ‘actions to address risk and opportunities.’ This changes the Corrective Action – Preventive Action (CAPA) model. In the past, Preventive Action was implemented as a result of Corrective Action specifically to prevent the recurrence of the nonconformity.
Some quality authorities follow this logic: RBT has been a part of the ISO management systems ethos since its inception in 1987 because Statistical Process Control (SPC) deals with the control of process variation, and the control of process variation is all about risk management. Since it was always implicit, it is now explicit in the ISO 9001:2015 revision.
We are seeing something similar with ERM and ISO 31000. ISO 31000 is the risk reference to support ISO 9001:2015 and RBT. ISO 31000 risk authorities now affirm that ISO 31K is an ERM standard. So if we follow this logic, ISO 9001:2015, having adopted RBT, may be moving towards ERM.
Another interesting point comes up. Does it matter if ISO 31000 is ERM as an Enhanced Risk Management framework? Not really. ISO 31000 offers a company two options for implementing risk management: (1) implement the standard risk management system as written, or (2) adopt the attributes of ‘Enhanced Risk Management’, which are in the Annex A (informative) part of ISO 31000. Annex A has a few more risk guidelines, but is largely similar to the main text of the ISO 31000 standard. We cover Enhanced Risk Management in Chapter 5.
Lesson Learned: The future of ISO management systems may be RBT, risk assessment, risk management, and finally ERM. So, purchase ISO 31000 guidelines and see if risk management or Enhanced Risk Management may fit your organization and context. Remember, apply and tailor them to your RBT and QMS processes.