Risk Assessments and Management Methods for ISO Management Systems

Important enhancements have been made to the QMSCAPA™ software module for Risk Assessments and Management.

The QMSCAPA Risk Assessment (RA) module consists of:

  • Table of Risk Assessments (current and historical assessments)
    • A sub-table of specific aspects of the risk assessments
    • A look-up table of the risk impact values with regard to the
      • Probability (P) {likelihood}
      • Severity (S) {impact}
      • Detection (D) {overall detection ability reduces risk}
    • Five user-defined boundaries, e.g. Very Low, Low, Medium, High, Very High.

The impact values are used to calculate the Risk Priority Number (RPN) for each aspect.

RPN = (P * S * D)

The module is developed around the concepts typically found in a Failure Mode Effects Analysis (FMEA).

The single-user version of QMSCAPA software may be downloaded free of charge; simply click here to join the QMSCAPA users-group.

The Risk Assessments browse table can store a large number of current and/or historical assessments.

  1. The browse window contains sort tabs for instant viewing of data according to the key value of the Tab.
  2. Risk assessments can be performed and recorded for virtually any type of risk related to the organization, relevant interested parties, product, service, staff, logistics, transportation, and cost, including environmental, health and safety.
  3. View RiskAspects button: Opens a sub-table of aspects related to the highlighted risk assessment, which may be viewed, added, edited or deleted as needed.
  4. RIP icon button: Access the Relevant Interested Parties table (RIP).
  5. Print Assessment button: Use the button to print a Risk Assessment, which includes all aspects and impacts recorded.
  6. Copy Assessment or Template button: The copy button control copies the currently highlighted assessment record.
  7. The tab 10) Templates applies a filter that only shows the Risk Assessments designed to be templates.

The Risk Aspect module form is configured with 4 main Tabs or sections:

  1. The General Tab contains information about the failure (generic for incident, breach, non-conformance). The assessment calculation tool (pre- and post-mitigation results) is designed for rating or assessing a specific aspect of the Risk identified and associated in the Risk Assessment Table. Therefore, a one-to-many relationship exists between the Risk (parent table) and the Aspects (child table).
  2. Tab 2) contains fields for additional consequences.
  3. Tab 3) contains fields for mitigation or risk treatment actions.
  4. Tab 3) contains a method of generating a risk impact statement based upon availability, confidentiality, integrity and financial effect.

1) General tab

(A) In the form image below/right, describe the failure and the failure mode.

(B) Describe what may cause the failure and the failure effect.

(C) The impact values for calculating the Risk Priority Number (RPN) (pre-mitigation treatments); see the look-up table for impact values:

  • RPN = Probability (P) * Severity (S) * Detection (D)

(D) The impact values for calculating the Risk Priority Number (RPN) (post-mitigation treatments);

(E) Look-up Tables for Response to Risk Aspect and the current/last Status of the Risk Aspect.

(F) The RPN can report the pre- or post-mitigation action; [√] RPN Post Mitigation Action is a check-box.
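The calculation described above, as an added example that is not QMSCAPA code: a parent assessment with child aspects, each rated pre- and post-mitigation, with the RPN mapped onto five bands. The 1-10 rating scale, the band thresholds, the class and function names and the sample aspects are all assumptions constructed for illustration.

```python
from bisect import bisect_left
from dataclasses import dataclass, field

# Assumed 1-10 look-up scale (common in FMEA; not taken from QMSCAPA).
# D is rated so that weaker detection scores higher, so better detection lowers the RPN.
SCALE = range(1, 11)
# Five user-defined boundaries; the upper RPN limits are constructed sample values.
BAND_NAMES = ["Very Low", "Low", "Medium", "High", "Very High"]
BAND_UPPER = [20, 60, 120, 250]  # <=20 Very Low, <=60 Low, ... >250 Very High

def rpn(p, s, d):
    """RPN = P * S * D, rejecting ratings outside the look-up scale."""
    for name, value in (("P", p), ("S", s), ("D", d)):
        if value not in SCALE:
            raise ValueError(f"{name}={value} is outside the 1-10 scale")
    return p * s * d

def band(value):
    """Map an RPN onto one of the five bands."""
    return BAND_NAMES[bisect_left(BAND_UPPER, value)]

@dataclass
class Aspect:  # child record: one failure mode of the parent risk
    failure_mode: str
    pre: tuple   # (P, S, D) before mitigation
    post: tuple  # (P, S, D) after mitigation

    def report(self, post_mitigation=False):
        value = rpn(*(self.post if post_mitigation else self.pre))
        return value, band(value)

@dataclass
class RiskAssessment:  # parent record: one-to-many with Aspect
    title: str
    aspects: list = field(default_factory=list)

    def ranked(self, post_mitigation=False):
        """Aspects ordered by RPN, highest first, for the chosen view."""
        rows = [(a.failure_mode, *a.report(post_mitigation)) for a in self.aspects]
        return sorted(rows, key=lambda row: row[1], reverse=True)

def sample_assessment():
    return RiskAssessment("Customer records database (constructed sample)", [
        Aspect("Backup restore fails", pre=(4, 9, 7), post=(2, 9, 3)),
        Aspect("Unauthorised record access", pre=(5, 8, 6), post=(3, 8, 2)),
        Aspect("Audit log disk fills", pre=(6, 3, 2), post=(6, 3, 2)),
    ])

if __name__ == "__main__":
    for row in sample_assessment().ranked(post_mitigation=True):
        print(row)
```

An aspect whose post-mitigation RPN equals its pre-mitigation RPN, like the third sample row, is one where the recorded treatment changed none of the three ratings.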

Additional QMSCAPA risk assessment and management information has been published at

General US Legal & Regulatory Requirement Considerations for ISO 14001:

This is a partial list of the US Code of Federal Regulations (CFR) Title 40:

  • Clean Air Act (CAA) [40 CFR Parts 50-99] Establishes ambient and source emission standards and permit requirements for conventional and hazardous air pollutants.
  • Clean Water Act (CWA) [40 CFR Parts 100-145, 220-232, 410-471] Establishes ambient and point source effluent standards and permit requirements for water pollutants, including sources that discharge directly to a waterbody or to a public sewer system.
  • Federal Insecticide, Fungicide and Rodenticide Act (FIFRA) [40 CFR Parts 150-189] Establishes a program for Federal review of, registration and control of pesticides.
  • Resource Conservation and Recovery Act (RCRA) [40 CFR Parts 240-299] Establishes regulations and permit requirements for hazardous waste management.  Also, creates standards for underground storage tanks that hold oil or hazardous substances.
  • Toxic Substances Control Act (TSCA) [40 CFR Parts 700-799] Regulates the use, development, manufacture, distribution and disposal of chemicals.  Certain chemicals (such as PCBs) are subject to specific management standards.
  • Comprehensive Environmental Response, Compensation and Liability Act (CERCLA, also known as “Superfund”) [40 CFR Parts 300-311] Establishes a program for cleaning up contaminated waste sites and establishes liability for clean-up costs.  Also, provides reporting requirements for releases of hazardous substances.
  • Emergency Planning and Community Right-To-Know Act (EPCRA) [40 CFR Parts 350-374] Establishes a program (also known as the “Toxic Release Inventory”) to inform the public about releases of hazardous and toxic chemicals.  Reporting requirements apply to companies that use, process or store specific chemicals over specified quantities.
  • Hazardous Materials Transportation Act (HMTA)  [49 CFR Parts 100-180] Establishes standards for the safe transportation of hazardous materials.

What would you add or delete to this ‘general list’ for an environmentally low impact business/organization in California?

Always insist on an ISO Certification issued by an ACCREDITED Registrar

Combining ISO-14001 (Environmental Management) and OHSAS-18001 (Health & Safety Management) Into a Single Unified System

Combining the ISO-14001 Environmental Management and OHSAS-18001 Health and Safety Management standards into a single, unified system can offer substantial advantages over implementing these systems separately. Costs can be greatly reduced with a single, combined set of documentation, greatly reduced training costs, and a lower registration audit cost. This is the most practical and least time-consuming path to registration.

ISO-14001 and OHSAS-18001 are the two most common and most requested ISO management systems outside of the ISO-9001 (or the more industry-specific AS-9100, ISO/TS-16949, and ISO-13485) Quality Management System. More and more forward-thinking companies are requesting that their suppliers have an effective Environmental Management system in place. This is especially important when dealing with companies whose public image is important to them. Many European companies are flowing down their environmental management requirements to their sub-tier suppliers as well.

Once you are registered to the ISO type quality system, adding registration to the Environmental and Health and Safety standards is not difficult at all. You already have the understanding of how these systems work and how they are administered, improved and maintained. This means that implementing both can not only save you considerable money over implementing one at a time, but it will also improve your company’s bottom line when the savings of managing these critical aspects of business start to kick in. Implementing these two management systems greatly reduces your company’s exposure to lawsuits as well. Let’s examine each of these systems and discuss how effective implementation can save you money and control risks.

ISO-14001 is the International Environmental Management standard. This is the second most implemented ISO system. As of 2012, nearly a quarter of a million companies have become ISO certified. The ISO 14001 standard does not dictate environmental performance requirements. Instead, it serves as a framework to assist organizations in developing their own environmental management systems. ISO 14001 can be integrated with other management functions and assists companies in meeting their environmental and economic goals. ISO 14001, like ISO-9001, is very scalable, so it may be applied to any size or type of organization, product or service, in any sector of activity. Whether you have three or 5,000 employees, manufacture hazardous chemicals, or only produce intellectual property, you can certify your business to ISO-14001.

OHSAS-18001 is a virtual mirror of ISO-14001 with the exception that it focuses its management efforts on the company’s health and safety issues rather than its environmental issues. For this reason, implementing both is not much more difficult than implementing only one. The majority of the effort in implementing these is training your employees how to effectively use them. ISO accreditation bureaus and registrars recognize this, so they can offer a discounted registration audit when doing both systems simultaneously – as much as a 30% reduction.

In addition to improved operations efficiencies, implementing these standards can result in a big discount in insurance costs. Both liability insurance, because you have substantially less exposure to lawsuits, and workers’ compensation insurance, because you address, monitor and manage your company’s health and safety issues, can be reduced – sometimes paying back the cost of implementation in a single year, depending on your company’s size, exposure and other relevant issues.

Learning and implementing the ISO-14001 Environmental Management and OHSAS-18001 Health and Safety Management standards, while not difficult for an already qualified ISO-9001 Quality System manager, simply requires investing the time to receive training in these two standards and in how to combine them. Many procedures and methods can be combined. For instance, you only need one corrective action procedure, one management review meeting, and one set of documents that will cover the requirements of both standards. One way to ease this time-consuming process is by using qualified and trained consultants. If you elect to go this route, be sure your consultants are not only trained on both the ISO-14001 and OHSAS-18001 standards, but also on how to combine them into a single combined system. ANAB accredited registrars are now offering Lead Auditor training for combined management systems.

Jeff Spira is a senior partner with ABCI Consultants.