The new draft international standards for ISO 9001:2015, ISO 14001:2015, and ISO 45001:2016 are sending mixed messages with regard to risk. Both ISO 9001 for Quality and ISO 45001 for OH&S say that organizations need to address risks and opportunities (clause 6.1), which suggests that risks are negative and opportunities are positive.
However, this is not the case in ISO 14001 for the Environment which requires organizations to address risks associated with threats and opportunities, suggesting that risks themselves can be either negative or positive.
Which is correct?
ISO 31000:2009 Risk management – Principles and guidelines is, as its title implies and as its scope states, intended to harmonize risk management processes in existing and future standards and to provide a common approach. It also explains that risk is the effect of uncertainty on objectives, and that this effect can be positive and/or negative.
ISO 31000 goes on to say that risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence, and that a consequence can have positive and/or negative effects on objectives.
So, based on ISO 31000, and considering that all of these standards are being written by ISO, it would seem that only the Environmental technical committee actually understands that it is risks that can be both positive and negative, and that organizations have to manage both threats (negative) and opportunities (positive) in the risk management process.
It will be interesting to see, when ISO 9001:2015 is actually released in September 2015, whether it has been aligned with the risk approach in ISO 31000. Let’s wait and see.