
HOW TO USE AND APPLY ISO/TR 31004:2013

The convergence of Quality & Risk Management Mr Jeff JONES

AQUAS Pty Ltd

BIOGRAPHY

How to use and apply ISO/TR 31004:2013 - the convergence of Quality & Risk Management

Jeff Jones

AQUAS, Level 7, 116 Miller Street, North Sydney, [email protected]

Jeff is an independent management systems consultant with over twenty-five years’ experience in the application of management practice, including auditing, project reviews, system implementation and training. From his operations-based project career (including 10 years in Esso Australia and 12 years in Thiess) Jeff has been involved in both the development and application of integrated business management systems for a variety of large multi-national companies. As well as a RABQSA qualified Lead Auditor, Jeff is a Certified Practicing Risk Manager with the Risk Management Institution of Australasia Limited, a Registered Professional Engineer of Queensland and a member of The Institution of Engineers Australia, and takes a holistic governance, risk and compliance approach to auditing and management system improvement. One of Jeff's key consulting roles has been 10 years with AQUAS Pty Ltd, where he has conducted in excess of 150 audits of a variety of management systems against a wide range of compliance standards and regulatory requirements. He regularly acts as Lead Auditor in teams conducting multi-disciplined and integrated system auditing. Jeff's other main consulting area is the development and implementation of enterprise risk management frameworks and conducting qualitative and quantitative risk workshops for clients in the oil & gas, mining and infrastructure sectors.

141001 Qualcon Paper - Jeff Jones (final) Page 1 of 12

QUALCON 2014

ABSTRACT

Risk Management has evolved in most organisations since the release of ISO 31000 in 2009. However, many organisations and practitioners struggle with mandate and commitment and with aspects of implementation, particularly integrating risk management (RM) practices and processes within a myriad of management systems. ISO/TR 31004 was released in 2013 to provide guidance to organisations on how to implement RM in the context of underlying quality concepts and the intended principles and framework of ISO 31000. This presentation aims to inspire the audience to leverage the existing standards (ISO 31000, IEC/ISO 31010 and ISO Guide 73), to embrace ISO/TR 31004 as the next bastion of quality-based risk management doctrine, and to keep up and ahead to ensure effectiveness within their organisations. The vision planted in ISO 31000 Annex A “Attributes of Enhanced Risk Management” will be explained, along with a general overview of ISO/TR 31004. A key focus will be on how to approach integrating RM into existing quality management systems (Annex D) and on tools for ensuring the effectiveness of RM systems and processes. How value to the organisation is derived, and how to demonstrate it as part of monitoring and review (Annex C), will also be explored.

1 INTRODUCTION

Risk Management has been embraced by many organisations as a fundamental basis for the organisation's business planning, operational and strategic processes. For many companies, risk management started from application of the risk assessment process to managing hazard risks within functional arenas such as Health & Safety or the Environment, with many utilising the commonly used risk matrix tool. In more recent years, attention has turned to the necessity of evolving the frameworks underpinning the risk assessment process and to how organisations can benefit more fully from the doctrine.

ISO 31000 was released in 2009 and adopted in Australia as AS/NZS ISO 31000:2009 to supersede AS/NZS 4360:2004, on which it was essentially based. A key development in the standard was the much greater emphasis and guidance on how risk management should be implemented and integrated into organisations through the creation and continuous improvement of a framework. The continuous improvement aspect, akin to the P-D-C-A cycle familiar to Quality Management practitioners, is evident in the definition of the process and in the framework diagram within the standard. Continual improvement was also explicitly expressed as one of the eleven principles within ISO 31000.

This nexus point in the evolution of ISO 31000 and risk management has led to a plethora of activity toward assessing and improving the maturity of risk management systems. More fundamentally, it has led to the realisation that the risk management framework needs to be considered within the holistic realm of an organisation's management systems, either embedded or complementary.

ISO/TR 31004 was released in late 2013 and is focused on providing guidance for the implementation of ISO 31000. Apart from providing further informative detail on the underlying concepts and principles and on how to implement ISO 31000, the publication focuses very much on integration of ISO 31000 into the organisation's management systems and the pursuit of continual improvement.

This aspect of the convergence of quality and risk management is the emphasis of this paper within the AOQ 2014 conference theme of “innovation in standards”.


2 ENTERPRISE RISK MANAGEMENT

2.1 Overview of ERM

Organisations use various methods to manage the effect of uncertainty on their objectives, i.e. to manage risk, by detecting and understanding risk and modifying it where necessary. It is an organisation’s inherent prerogative to choose to adopt a suitable form of risk management framework. My assumption is that readers of this paper will already be familiar with both ISO 9001 and ISO 31000 and with the merits of risk management adopted at an enterprise level of an organisation. I also presume that readers are aware that ISO 31000 places emphasis and guidance on how risk management should be implemented and integrated into organisations through the creation and continuous improvement of a framework.

2.2 Figure 1

ISO 31000 essentially took the PROCESS from AS/NZS 4360 (Clause 5) and introduced it under a RM framework (Clause 4) governed by a set of Principles (Clause 3).

Figure 1 – Figure 1 from ISO 31000 Introduction (noting copyright)

It is presumed that readers of this paper are reasonably comfortable with the risk management process. The Process (Clause 5) is often referred to as the “RM101” element of managing risk. Note that it was not specifically aimed at unilaterally undertaking a qualitative risk assessment with a risk matrix as the only tool to perform a risk assessment. In fact, the process is highly generic and allows for a plethora of tools and techniques to address the various steps in the iterative process. It’s about assessing (identifying/analysing/evaluating) the risk and getting on with treating it. Also, the box that a lot of people fail to recognise in Figure 1 is the box labelled “Risk Assessment”, which does not equal or constitute “Risk Management”.


2.3 Quality Aspects of ISO 31000

2.3.1 Figure 1 PDCA

The Framework (Clause 4) provides the foundation and arrangements that embed risk management throughout the organisation at all levels, and assists in managing risks effectively through the application of the risk management process to the specific context of the organisation. The framework ensures that the identified risks are used as the basis for decision making and accountability at the relevant levels of the organisation. The continuous plan, do, check, act (P-D-C-A) loop between the elements of the framework is noted in the Figure 1 diagram.

The Principles (Clause 3) are expressed as eleven (11) statements that an organisation should comply with at all levels to ensure that risk management is effective. Principle K is noted in particular: risk management “Facilitates continual improvement and enhancement of the organisation”.

The whole picture forms a holistic view of risk management, with component inter-relationships indicated by the arrows between the Principles, Framework and Process, akin to P-D-C-A on a broader view. The Principles underpin the Mandate & commitment, and implementing risk management within the Framework is pivotal to the process.

These aspects and relationship to Quality Management system principles will be further explored later in this paper.

2.3.2 Attributes of enhanced risk management

ISO 31000 provided Annex A (the only annexure in the Standard), which essentially listed five (5) attributes of enhanced risk management. The attributes are considered to represent a high level of performance in managing risk, with some indicators of what that might look like in organisations with advanced risk management.

1) Continual Improvement
2) Full accountability for risks
3) Application of risk management in all decision making
4) Continual communications
5) Full integration in the organisation's governance structure

Two of the attributes are noted to contain aspects directly akin to Quality Management system aspects, namely continual improvement and integration in the organisation’s governance structure.

2.3.3 Continual Improvement – Maturity Assessments

For many practitioners ISO 31000 Annex A has become a guiding beacon for embedding a risk management framework into organisations aiming for enhanced application. The following spider diagram is an example I have used to assess one organisation’s journey with risk management, expressed using the attributes, with assessments taken twelve months apart.

The attributes have essentially provided a tool for assisting in undertaking a maturity assessment or health check on an organisation’s status and implementation of risk management, in the pursuit of continuous improvement.


Figure 2 – Spider Diagram of Risk Management maturity assessment

3 ISO/TR 31004 PUBLICATION

3.1 Background

The document ISO/TR 31004 is the result of Technical Committee ISO/TC 262 Risk Management and was released as a Technical Report (TR) in October 2013, a couple of months prior to the revised Standards Australia HB 436, which was released in December 2013. The TR is intended to assist organisations to make a transition and/or enhance the effectiveness of their risk management efforts by aligning with ISO 31000. ISO 31000 explained how to manage risk effectively (including the risk assessment process) but, rightly so, did not go into much detail explaining how to integrate risk management into the organisation’s management processes. The TR is intended to be used by those in organisations who make decisions that impact on achieving its objectives, including those responsible for governance, risk management advice and support services, and also legislators and regulators.

Importantly, I regard ISO/TR 31004 as quite different from, but certainly complementary to, HB 436. Some of the implementation material from the TR is reproduced verbatim in AS HB 436, whereas ISO/TR 31004 does not cover the “process” in any detail but offers more detail in the areas of the underlying concepts, the principles and integrating risk management within an overall management system, akin to ISO 9001. For this reason, I would assert that the TR is much more concise and fundamentally about implementation at a framework level, and goes into much more detail around the principles with “Practical Help” tips not provided in AS HB 436. To be clear, the author believes that risk and quality practitioners need both documents in their tool bag, and AS HB 436 should be consulted when detail and guidance on the implementation of the risk management process is required.

Also referenced in the Bibliography of ISO 31000 are two other important ISO documents:

1) IEC/ISO 31010, Risk assessment techniques; and
2) ISO Guide 73, Risk management – Vocabulary


Interestingly, ISO/TR 31004 provides these additional references within its Bibliography:

1) ISO 9000, Quality management systems – Fundamentals and vocabulary
2) ISO 9001, Quality management systems – Requirements
3) ISO 19011, Guidelines for auditing management systems

Although ISO 31000 was specifically structured so as not to be suitable or prescribed for certification, for risk management to be effective it needs to be integrated into an organisation's management systems, as per Principle b) and the use of the P-D-C-A concept embedded in the framework as previously observed.

3.2 Contents

Figure 3 – Contents page of ISO/TR 31004

3.3 Section 3

The following subsections provide an overview of the core section (Section 3) of ISO/TR 31004.

3.3.1 Section 3.1

This section is about comparing an organisation’s current RM practices with those described in ISO 31000. It is about identifying what potentially needs to change and preparing and implementing a plan for doing so.

It also covers maintaining ongoing monitoring and review to ensure currency and continuous improvement – again akin to a Quality Management System (QMS) P-D-C-A concept.

The section provides a general methodology, irrespective of the nature of the organisation’s current management arrangements. It recognises that most organisations do manage risk to some extent. I would add, some better than others: some formally in a consistent and structured way, some ad hoc, some fully embedded in core business processes and procedures top-to-bottom.


The premise here is really about taking stock and measuring up against the ISO 31000 Principles, and understanding how the organisation wishes to adopt the various elements of a risk management framework as defined in ISO 31000.

I would postulate that a risk / quality practitioner needs to ascertain if indeed an organisation wishes to achieve some or all of the principles and in what timeframe. After all, RM doctrine is not gospel and it’s certainly not intended for certification. Some principles may not be as immediately important or applicable as others, although most (all) definitely need to be considered in context.

With the pursuit of all ISO 31000 principles in mind, the details in Section 3.1 provide an excellent narration of what constitutes a solid framework approach, including: integration (covered further in a later annex), the organisation’s understanding of uncertainty, tailoring to the size of the organisation, governance, reporting, risk management performance as an integral part of organisational performance, communication, risk management silos focused on common objectives, and risk treatment and controls as an integral part of daily operations.

Undertaking a review per section 3.1 is probably the pivotal point in applying ISO/TR 31004.

3.3.2 Section 3.2

I do not wish to cover Section 3.2 in detail in this paper. However, one important point made is “aspects of transition may be helped by drawing on the experience of other organisations which manage similar types of risks or have gone through a similar process”.

Whilst not advocating plagiarism, as one risk management framework is next to useless in another context, it endorses constructive benchmarking, an accepted element of the pursuit of continuous improvement.

3.3.3 Section 3.3

Section 3.3 provides the essential bulk of content in ISO/TR 31004 and should be read in full by practitioners wishing to embrace the merit of the guideline.

Some key points are as follows:

3.3.2 Mandate and commitment – this is a must-have and the reason to start framework implementation with the Boards or Governing Bodies (Top Management) of organisations; otherwise much time and energy can be wasted pushing a new doctrine uphill with limited uptake and effectiveness. The implementation risk is that it will die before it survives. Hopefully, a practitioner’s efforts will survive the practitioner’s tenure in the organisation.

3.3.3 Designing the framework – this section contains 3.3.3.1 – 3.3.3.4 and is all about designing the framework, with cross-references back to ISO 31000 in this regard. Sub-clause 3.3.3.2 is actually quite good in that it makes you review what’s working, and is therefore carried forward, versus what’s fine to leave well alone. To quote an old saying: “if it ain't broken, don't muck with it”.

3.3.4 Implementing risk management – will not be covered in this paper as it is essentially about having a detailed plan, following project management “PM 101” principles.


3.3.4 Section 3.4

This section is strongly aligned with the ISO 9000 principles for continual improvement: it ensures that the risk management process is reviewed to assess whether the design is appropriate and whether the implementation is adding value to the organisation as intended, and it offers some triggers for continual improvement. These will be covered in the presentation of this paper.

Figure 4 – Section 3.4 Continual Improvement

4 ANNEXURES

4.1 Overview

Beyond the material in Section 3, which mainly focuses on implementation and integration, ISO/TR 31004 contains Annexes A to E. The annexures provide further advice, examples and explanation regarding the implementation of selected aspects of ISO 31000.

I consider the most useful Annexures to be B and E, which are what I focus on in this paper.

However, Annex A gives some really good, up-to-date views on practical application, such as “you can modify risk by changing any source of uncertainty (eg by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.” And, “risk treatment is the process that is intended to change or create controls and includes retaining the risk”. For those readers who are members of the various LinkedIn forums such as “G31000”, the content of Annex A may help to de-mystify these often debated but misinformed concepts and provide ISO-accepted content and definitions for them.

Similarly, Annex C is really practical and has a good expression of key characteristics. It also has an extensive Practical Help box and guidance on developing the mandate & commitment including “Establishing the mandate for risk management requires careful thought, a strategic perspective and consultation between the oversight body and top management and needs to be considered on both the tactical and strategic levels”.


4.2 Annex B – Application of ISO 31000 principles

ISO 31000 listed eleven (11) principles for effective risk management, as discussed earlier, with the role of the principles being to inform and guide all aspects of the organisation's approach to risk management.

Figure 5 – ISO 31000 Principles (Clause 3)

ISO/TR 31004 Annex B contains a thorough explanation and guidance (11 pages) on the application of the ISO 31000 principles, including very good “Practical Help” Boxes for most of the principles.

In line with the approach proposed in Section 3, all principles should be considered (and kept in mind at all times), but I consider that key principles might pragmatically be focused on as a priority in a framework implementation, particularly given the reality of limited resources and/or limited access to the organisation, i.e. bang for buck. For example, from my experience, by addressing Principle C in an initial framework implementation, all other principles can in fact flow on from that foundation. Or, put another way, even if you do a fantastic job of addressing all of the others, it will fail to be effective if it’s not embedded as part of decision-making.

4.3 Annex E – Integrating risk management within a management system

ISO 9001 (Quality Management System) is a well-regarded standard and, at around a dozen pages, is considered a concise representation of the basis for a (quality) management system. Despite the current version of ISO 9001 dating from 2008, the standard contains two key references to risk management in its introduction section:

1. section 0.1 General
2. section 0.4 Compatibility with other management systems


4.3.1 Section 0.1 General

The standard states that “the adoption of a quality management system should be a strategic decision of an organisation. The design and implementation of an organisation’s quality management system is influenced by its organisational environment, changes in that environment, and the risks associated with that environment”. The inclusion of risk in the 2008 version, effectively pre-dating the release of ISO 31000 (2009), is considered forward thinking and progressive for the time.

4.3.2 Section 0.4 Compatibility with other management systems

The standard states that “the international standard does not include requirements specific to other management systems, such as those particular to environment management, occupational health and safety management, financial management or risk management.” Again, as above, this is considered forward thinking and progressive for the time to at least mention and acknowledge the existence of risk management in this context.

4.3.3 Basic principles

In order to consider the integration of risk management within an organisation's management system(s), the basic principles of a management system need to be examined and understood. An over-arching framework is essentially required to establish the management practices and procedures by which the organisation directs and controls its activities. A management system is essentially a set of inter-related or interacting elements used to achieve objectives.

The common source of public domain definitions (Wikipedia) defines Management System as per Figure 6 below.

Figure 5 – Wikipedia definition of Management System

From a business management perspective, it is commonly considered that efficiency is gained by having one integrated management system under a single governance structure and system architecture, with the P-D-C-A concept as an integral component.

4.3.4 System Improvements

Although this paper does not explicitly aim to discuss the pending update to ISO 9001:2015, the point is made that many aspects discussed in this paper are in line with the update, in terms of greater alignment with ISO 31000 principles and a risk-based approach being taken to various QMS elements, e.g. a risk-based approach to identifying Corrective and Preventative actions.


Figure 6 – Management System PDCA Cycle

5 CONCLUSIONS

The key conclusions that this paper desires to establish are as follows:

• integrating risk management should be undertaken within core business processes
• interaction should be defined and implemented between all management sub-systems
• an integrated management system allows all risks to be handled according to ISO 31000 principles
• system integration can involve application of risk assessment techniques within a QMS
• application of P-D-C-A with a focus on continual improvement is crucial to all management systems, particularly RM, since an organisation's risks are seldom static
• triggers for continual improvement to a risk management system should be part of the framework and management systems, e.g. as new knowledge becomes available or there is a substantive change to the organisation's internal and external context
• routine monitoring and review of the risk management framework and the risk assessment processes should be undertaken, which in turn identifies opportunities for continual improvement

Many quality and/or risk practitioners may not have explicitly thought about risk management within a management system context before.

The author hopes that the reader has been made aware of ISO/TR 31004 and has been inspired to look at their Management System (Quality or otherwise) and seek to determine the worth of integration and application of the principles of ISO 31000 as per the ISO/TR 31004 publication. The underlying connection between RM and QMS is arguably very clear, with further convergence inevitable and beneficial to both doctrines alike.


ACKNOWLEDGMENTS

Management System auditing company AQUAS Pty Ltd is acknowledged for sponsoring the author’s attendance at the AOQ Qualcon 2014 conference and as the catalyst for compiling this paper and the subsequent presentation.

The author looks forward to presenting this paper at the Qualcon conference and obtaining constructive questions and feedback as per the spirit of the P-D-C-A cycle and the author’s passion for the convergence of RM and QMS.

REFERENCES

AS/NZS ISO 31000:2009

ISO/TR 31004:2013

AS/NZS ISO 9001:2008

ACRONYMS

AOQ Australian Organisation for Quality

HB Handbook

LinkedIn Public domain application for professional networking

PDCA plan, do, check, act

QMS Quality Management System

TR Technical Report

Wikipedia Public domain website tool for open-source definitions
