All posts by Liliana Barajas

Part II. Challenges in organizations to achieve a safer and healthier working environment. 

Authors: D. Pena and C. Valenzuela 

 

The current way in which workplaces are perceived by society has led organizations to incorporate, as fundamental aspects within their policies, the health, safety, and welfare of workers. These aspects, in addition to demonstrating their commitment to society, enable organizations to improve their productivity, competitiveness, and economic performance. 

 

Several studies have shown that organizations that can identify current safety and health challenges in their workplaces are among the most successful and competitive in the long term, as they tend to have the highest employee retention rates.[1] 

 

The ISO standardization body, in its article entitled “Challenges for a Safer and Healthier World of Work,” classifies current challenges related to worker safety and health into four pillars: climate change, psychological health and well-being, new technologies, and demographic changes.

 

In this blog, we will focus on two of these pillars: new technologies and psychological health and wellness. In our last blog, we already addressed climate change and demographic changes.

CHALLENGES IN ORGANIZATIONS TO ACHIEVE A SAFER AND HEALTHIER WORKPLACE. Part I 

 

 

  • New technologies. 

 

Technology presents the opportunity for the use of drones instead of people in hazardous environments, as well as the use of smart personal protective equipment with real-time monitoring technology, which provides workers with greater physical protection.  

 

Artificial intelligence (AI) has significant potential to help organizations analyze data more efficiently, identify problems quicker, and make more informed and data-driven decisions [2]. 

 

Virtual reality enables worker safety and health training and development. 

 

Technology continues to change the way we work, creating opportunities and challenges related to employee health and safety. Its use will help reduce risks, if risks from hacks or malfunctions can be addressed and the right balance is struck between embracing innovation and maintaining proven safety practices ([3]). 

 

 

  • Psychological Well-Being. 

 

In recent years, concepts such as unemployment, precarious working conditions, job instability, and underemployment, among others, have led today’s society to characterize the world of work as conflictive, generating greater awareness among workers of the potential impact of work on their psychological health and well-being. This situation brings with it the expectation that organizations could and should do more to manage this impact. 

 

Mental health risks at work are related to specific characteristics of the workplace, career development opportunities, excessive workloads or pace of work, understaffing, excessively long working hours, lack of control over work design or workload, and unsafe or poor physical working conditions, among others ([4]). 

 

This new scenario, perceived as stressful, has a profound impact on the psychological well-being of workers. While some individuals can cope with these situations better than others, it becomes necessary for organizations to develop strategies to manage this scenario. 

 

 

Bibliography: 

 

[1] WHO. Healthy workplaces: a model for action. 2010. Retrieved from: Healthy Workplaces_Template_Spanish.pub (who.int) on 28/06/2024.

[2] American Society of Safety Professionals. Tackling Today’s Safety Challenges. 2024. Retrieved from: https://www.assp.org/about/tackling-todays-safety-challenges on 28/06/2024.

[3] C. Martin. The many challenges to achieving a safer and healthier world of work. ISO. Retrieved from GUEST ARTICLE_Occupational health and safety_Martin Cottam_TEMPLATE FINAL_Avec image (ES).pdf (iso.org) on 07/06/2024.

[4] WHO. Mental health at work. 2022. Viewed online at Mental health at work (who.int) on 28/06/2024.

Environmental risk management and future perspectives 

Environmental risk management has become a central issue for organizations in a world increasingly affected by climate change, overexploitation of natural resources, and pollution. 

 

Environmental risks, such as increased greenhouse gas emissions, biodiversity loss, as well as water and air pollution, affect the environment and the global economy [1]. 

 

Regardless of their size, organizations must recognize that their operations directly impact the environment, and therefore, proper risk management is essential for their long-term sustainability. For example, in the context of climate change, organizations must prepare for extreme weather events, such as hurricanes, droughts, or floods, but also implement actions to help reduce them. This requires planning to protect their infrastructure, supply chains, and local communities. 

 

Future perspective [2]. 

 

Environmental risks appear increasingly inevitable, but there is also an opportunity for transformation. Policies and regulations will strengthen as environmental concerns gain ground globally, driving organizations to adopt more sustainable practices.

 

Technological progress will be key in environmental risk management. Innovations such as renewable energies, carbon capture technologies, and circular economy-based solutions are tools that offer solutions to the most urgent environmental problems. 

 

On the other hand, social pressure and consumer demand for more sustainable products and services will accelerate the need for organizations to adequately manage these risks. Organizations that do not adequately manage their environmental risks could face economic costs, reputational damage, and loss of competitiveness.  

 

Therefore, integrating sustainability into business strategy will be an ethical choice and a strategic necessity. 

 

Actions to be taken. 

 

Some key steps that organizations can take now and in the future to properly manage environmental risks include: 

 

  • Implement an Environmental Management System (EMS).
  • Adopt Clean Technologies and Renewable Energies.
  • Implement the Circular Economy.
  • Adopt Climate Change Adaptation Policies and Strategies.
  • Promote Corporate Social Responsibility (CSR).
  • Participate in Global Initiatives.

 

Environmental risk management is an opportunity to create long-term value. While the future is challenging, it also offers innovation, international cooperation, and sustainable growth prospects. Organizations that take a holistic approach to managing these risks will be better positioned to address environmental challenges and contribute to global well-being, as sustainability and environmental stewardship are the path to a more resilient and prosperous future for all. 

 

References. 

 

[1] International Monetary Fund. IMF Strategy to help members address climate change-related policy challenges: Priorities, modes of delivery, and budget Implications. IMF Policy Paper. 2021. Retrieved from: IMF Strategy to Help Members Address Climate Change Related Policy Challenges-Priorities, Modes of Delivery, and Budget Implications on 02/25/2025. 

 

[2] World Economic Forum. The Global Risk Report 2025. Insight Report. 20th Edition. 2025. Retrieved from: https://www.weforum.org/publications/global-risks-report-2025/ on 02/25/2025. 

 

Applicability, Design, and Development.  

Different approaches are used to determine the applicability of design and development in management systems and certification scopes, so it is necessary to understand the intent of the standard’s requirements. 

 

ISO 9000 defines Design and Development as the set of processes that transform requirements for an objective into more detailed requirements for that objective.  

 

The requirement generally intends to ensure that the organization establishes, implements, and maintains a design and development process to ensure that products or services meet the requirements defining their characteristics.  

 

The requirements to be considered in the design and development process are as follows: 

 

a) Design and development planning to determine the activities and tasks required. 

 

b) When determining inputs for design and development projects, these inputs must be unambiguous, complete, and consistent with the requirements that define the characteristics of the product or service.  

c) Design and development controls and review, verification, and validation activities are essential to control the design and development process.  

 

d) Ensure that design and development outputs precisely provide the necessary information to all processes required to deliver the intended products and services. 

 

e) Determine, review, and control changes made during or after the design and development.  

 

 

Upon further review of these requirements, organizations could determine the applicability of all, some, or none of the requirements of the Design and Development section. For example, they could consider only the requirements for design and development changes or not consider any requirements of the Design and Development section because all product specifications come from a customer.  

 

Some criteria that could help determine the applicability of the Design and Development requirements in organizations are:  

 

  • When the organization has the ability to offer new products or services to its customers, or to modify the characteristics of those it is already offering, the design and development requirement becomes applicable.

 

  • When the organization owns the intellectual property of the product or service, Design and Development are applicable.  

 

  • Adjustments in the process are not design and development.  

 

  • In management systems, design and development are synonymous.

 

  • Design and development are exclusive to products and services, not to processes.  

 

  • Sections may be excluded from the design and development requirements, even if they apply to you.  

 

  • Design and development are sets that cannot be applied separately. 

 

  • When design and development are not applicable in the scope of the management system, the scope of certification cannot refer to the word design and development, or design or development, even if they are found in the name of a main process of the organization.  

 

  • Design and development do not apply to product packaging processes in non-functional packaging. 

 

  • Design and development do not apply to maquiladora plants. 

 

  • The following terms may be included in the scope of the certificate when design and development apply:

      • Design of…
      • Development of…
      • D&D of…
      • Design Management…
      • Provision of D&D Services of…
      • Course development…

 

 

Note: The terms scope of the quality management system and scope of certification are not the same; the former is based on the nature of the organization’s products and services for which the organization decides to implement the requirements of the standard; it includes the processes and activities for the realization of the final product or service delivery, while the scope of certification is a term used to refer to the scope in the certification document (certificate). Usually, it is a statement that describes the “type of activities, products, and services applicable at each site without being misleading or ambiguous.” 

 

 

References:  

ISO 9001 Auditing Practices Group (ISO & IAF) – Guidance: Design and Development Process 

ISO 9001:2015 Quality Management System 

 

Guide for the application of UNE-EN ISO 9001:2015 

ISO/TS 9002:2016 Guidelines for the implementation of ISO 9001:2015. 

ISO 9000:2015 Quality Management System – Fundamentals and  

Turtle Diagram, a simple tool for auditing.

By Diego Ayala.

 

Do you remember the first audit you did? Was it satisfactory? Was it frustrating? Was it friendly? Was it effective? Did you feel that you did not do your job because you did not leave non-conformities, or did you leave delighted because you left quite a few non-conformities? Indeed, before starting your first audit, you wondered what the result of the audit and interview process would be. You asked yourself whom you were going to audit and whom you would face; all these questions are common in the first audit we do as internal auditors or in any audit process. Even if you were the most prepared, you realized along the way that you forgot to ask something or to delve deeper into some topic, and most likely, as a result of this first audit, you did not leave satisfied.

 

We have always been told that checklists are an excellent guide to an audit, which is correct. However, this checklist is the beginning of great learning in the audit process; it is more of a teaching tool for the auditor, in which he has the script of all his “movies” rather than seeing the content and expectations of that “movie.” Surely, over time, you will realize that this checklist is becoming less and less effective since the sequence of questions versus the auditee’s answers does not carry a certain congruence, which will continue to frustrate us.

 

In this sense, a multidirectional tool can be used to carry out an audit with a more flexible methodology that is very easy to understand: the Turtle Diagram, a simple tool for auditing.

 

How does it work? If we take as a basis that “Processes” have “Input Elements (IE)” and “Output Elements (OE)” and have the “4 basic questions” to “document” a process, we can interpret it as in the following image:

If we add the other clauses to the process (what corresponds to it “as a process”), we will indeed have a very well-documented process; in other words, almost the entire standard (ISO 9001 is taken as a reference, but it can be any standard), is immersed in this “Turtle Diagram”:

This would be the “same principle” to conduct a proper audit, considering the “should of the standard” when asking questions. Based on this, we can determine the different “Audit Paths” to conduct and conclude a simple and efficient audit process; referring to the “Audit Path,” you can do the audit from left to right, top to bottom, diagonally, or vice versa. It is all about performing the audit based on a Turtle Diagram.

 

Example: Audit Trail: from “Left to Right.”

 

This example is from left to right, but you can choose the “audit path” that best suits the audit you perform. With this simple tool and understanding of its concept, any audit challenge you are given will be easy to complete.

The Net Zero

Authors: D. Peña and C. Valenzuela.

 

The quest for a more sustainable future has become a global priority, and one key concept in this effort is “Net Zero.” This approach is becoming a cornerstone of environmental policies and organizational strategies worldwide.

 

What is Net Zero?

 

The concept of “Net Zero” implies that an organization should reduce its GHG emissions to a level that can be matched or offset by the amount of GHGs removed or absorbed into the atmosphere. This can be achieved through a combination of emission reductions and offsets, such as reforestation and carbon capture. The idea is to minimize the net impact of climate change, thus contributing to a more sustainable future.

 

We invite you to watch our next short film, Net Zero: A Crucial Step towards a Sustainable Future | In short – YouTube

 

Transition to Net Zero

 

The transition to Net Zero has become imperative due to growing evidence of climate change’s impact. Global temperatures are rising, extreme weather events are becoming more frequent, and sea levels are rising. Through the Paris Agreement and other initiatives, the international community has set ambitious targets to reduce emissions and limit global warming to 1.5 °C above pre-industrial levels.

 

Strategies to Achieve Net Zero.

 

  • Emissions Reduction: The first and most important strategy is to reduce GHG emissions. This includes improving energy efficiency, adopting renewable energy sources such as solar and wind, and promoting sustainable practices in industry and transportation.
  • Carbon Capture and Storage (CCS) Technologies: These technologies allow capturing the CO₂ emitted and storing it safely underground or using it in industrial processes.
  • Reforestation and Sustainable Agriculture: Reforestation projects and sustainable agricultural practices help absorb CO₂ from the atmosphere. Ecosystem restoration and proper forest management are crucial to increasing natural carbon sinks.
  • Carbon Offsets: When emission reductions are not possible, carbon offsets may be an option. These offsets finance projects that reduce emissions in other parts of the world, such as renewable energy generation in developing countries.

 

We invite you to review the following article from the ISO standardization body: ISO – Embracing Net Zero: a crucial step towards a sustainable future.

 

How can organizations contribute to Net Zero?

 

Organizations play a crucial role in the transition to net zero due to their significant impact on greenhouse gas (GHG) emissions. Some strategies that could be adopted are:

 

  • Environmental Management System: This helps organizations continuously improve their environmental performance by setting objectives, implementing measures, monitoring progress, and making necessary adjustments.
  • Energy Audits: Conduct regular audits to identify areas for improvement in energy consumption.
  • Efficient Technologies: Invest in more efficient machinery and equipment that consumes less energy.
  • Heat Recovery: Implement heat recovery systems to utilize waste thermal energy instead of wasting it.
  • Investment in R&D: Support research and development of new technologies for more efficient and cost-effective carbon capture and storage.
  • Effectively manage waste: Implement practices to reduce waste generation and use technologies and methods that minimize waste’s environmental impact.
  • Training Programs: Provide training on sustainability and energy efficiency to employees.
  • Corporate Awareness: Promote an organizational culture focused on sustainability.
  • Circular Supply Chains: Promoting the circular economy by collaborating with suppliers and customers to recycle and reuse materials.

 

We invite you to watch our free lecture on the Circular Economy. Conference: Circular Economy – YouTube

 

By adopting these strategies and committing to net zero, organizations contribute to global sustainability and position themselves as leaders in a world increasingly focused on emissions reduction and sustainable development.

 

The concept of Net Zero is not just an environmental goal; it is a comprehensive strategy that requires the collaboration of governments, organizations, and citizens. We can move towards a more resilient and equitable future by reducing emissions and adopting sustainable practices. The key is to act decisively and with commitment, seizing opportunities to build a world where economic growth and sustainability go hand in hand.

 

We hope this information has been of interest to you; remember that at Global Standards, we share knowledge.

 

References

 

[1] International Energy Agency (IEA). Carbon Capture, Utilisation, and Storage: The opportunity in Southeast Asia. June 2021. Retrieved from: Carbon Capture Utilisation and Storage_The Opportunity in Southeast Asia (iea.blob.core.windows.net) on 02/09/2024.

 

[2] International Energy Agency (IEA). The Net Zero Roadmap is a global pathway to keep the 1.5°C Goal in Reach. September 2023. Retrieved from: Net Zero Roadmap: A Global Pathway to Keep the 1.5 °C Goal in Reach – 2023 Update (iea.blob.core.windows.net) on 09/02/2024.

 

Countless regulations, codes, and legal requirements; one single standard: ISO 37301

Author: Mario Quintana

 

“Organizations want to work and collaborate with companies that can be trusted, and that trust is built with a company culture of doing the right thing […]”

 

This is according to Howard Shaw, the former ISO/TC 309 technical committee chairman who developed this standard.

 

In a constantly developing world, there are countless regulations, codes, standards, and legal requirements, so it is important to determine which organizations are committed to monitoring and complying with them.

 

ISO 37301 is an international standard that establishes the requirements for developing a compliance management system. It is of interest to any company or organization that wants to demonstrate its adherence to legal requirements and ethical standards within its operational context. Consequently, it also serves as a tool to combat bribery, corruption, export/import control, money laundering, etc.

 

How does ISO 37301 help companies?

 

▪ Makes them aware of existing and new legal requirements.

 

▪ Alerts them to any violation or deviation concerning any regulation.

 

▪ Corrects such violations or deviations quickly and effectively.

 

▪ Safeguards reputation from any interested party.

 

▪ Reduces the risk of legal repercussions and, consequently, economic losses.

 

▪ Strengthens the company’s position in the face of any potential business.

 

This standard is structured in 10 sections, which highlight the following aspects of a compliance management system:

 

– Identification of stakeholders.

 

– Context of the organization, as well as processes involving compliance obligations.

 

– Senior management commitment to demonstrating support for internal policies, processes, and procedures essential to achieving compliance.

 

– Monitoring mechanisms that can evaluate and measure program compliance based on objectives, controls implemented, and follow-up on deviations.

 

– Continuous system improvement and maintenance, following up on non-conformities, deviations, risks, and opportunities.

 

In a business context where the public eye is focused on headlines about legal scandals, boycott movements in the face of questionable practices, and transparency, ISO 37301 is the ideal instrument to give any organization the tools to demonstrate commitment to compliance by shaping its purpose and values as well as the products and/or services it can offer.

 

 

References.

International Organization for Standardization (ISO) (2021). ISO 37301:2021 – Compliance management systems: Requirements with guidance for use.

 

International Organization for Standardization (ISO) (2021, April 14). The new standard for compliance management makes everyone a winner. Retrieved September 20, 2024, from: https://www.iso.org/news/ref2656.html

 

International Organization for Standardization (ISO) (2024). Defining good governance: A critical step towards sustainable development. Retrieved September 20, 2024, from: https://www.iso.org/contents/news/thought-leadership/defining-good-governance.html

Challenges in organizations to achieve a safer and healthier workplace

Authors: D. Peña and C. Valenzuela

 

The world of work has become such a fast-paced, ever-changing environment that organizations must be able to keep up with the pace and even stay one step ahead to preserve the safety and health of their employees.

 

Under the current scenario, data from the International Labor Organization (ILO) estimate that currently, 2 million people die each year because of work-related accidents, illnesses, or injuries. About 268 million disabling incidents occur, and additionally, 8% of the global rate of depressive disorders is related to occupational hazards [1].

 

To address this, organizations need to identify current challenges related to the safety and health of their employees to achieve a safer and healthier workplace.

 

Current challenges.

 

ISO/TC 283 technical committee chairman Martin Cottam, in the article “Challenges to achieving a safer and healthier world of work,” groups current challenges into four pillars: climate change, psychological health and well-being, new technologies, and demographic changes [2].

 

Climate change.

Many organizations continue to treat the effects of climate change as isolated events, but climate change is significantly impacting worker safety and health by intensifying heat stress, exposure to ultraviolet radiation and air pollution, increased vector-borne diseases, and increased exposure to agrochemicals. 

 

Demographic change.

Many organizations are experiencing great diversity within their workforce, with people continuing to work into old age and more women and immigrant workers. This leads to various learning styles, literacy levels, and information capture methods. Therefore, organizations must implement measures to better engage, train, develop, and communicate with this diversity of employees.

 

In addition, the younger generation has a very different attitude toward work than the older generation, as they rarely plan to stay with one employer for an extended period. Organizations must, therefore, address these expectations of the new generation and be prepared for higher employee turnover.

 

We invite you to review the American Society of Safety Professionals’ report, Tackling Today’s Safety Challenges, where you will find some questions and steps your organization can take to address these challenges. https://www.assp.org/about/tackling-todays-safety-challenges

 

 New technologies.

 

Technology allows drones to be used instead of people in hazardous environments or intelligent personal protective equipment with real-time monitoring technology that provides workers with greater physical protection.

 

Artificial intelligence (AI) has great potential to help organizations analyze data more efficiently, identify problems faster, and make better data-driven decisions.

 

Virtual reality enables worker safety and health training and development.

 

Technology continues to change the way we work and creates opportunities and challenges related to employee safety and health; its use will help reduce risks if risks from hacks or malfunctions can be addressed and the right balance is struck between embracing innovation and maintaining proven safety practices [3].

 

Psychological Well-Being.

 

In recent years, concepts such as unemployment, precarious working conditions, job instability, and underemployment, among others, have led today’s society to characterize the world of work as conflictive. This has generated greater awareness among workers of the potential impact of work on their psychological health and well-being. This situation implies that organizations could and should do more to manage this impact.

 

Mental health risks at work are related to specific workplace characteristics, career development opportunities, excessive workloads or pace of work, understaffing, excessively long hours, lack of control over work design or workload, and unsafe or poor physical working conditions, among other things [4].

 

This new scenario, perceived as stressful, strongly impacts workers’ psychology. While some can cope better with these situations, organizations must develop strategies to cope with this scenario.

 

References.

 

[1] World Health Organization. WHO. WHO Fundamentals for Healthy Work Environments: WHO Model and Rationale. Retrieved from Microsoft Word – HWP Spanish for posting.DOC (who.int) on 06/06/2024.

 

[2] C. Martin. There are many challenges to achieving a safer and healthier world of work. ISO. Retrieved from GUEST ARTICLE Occupational health and safety Martin Cottam TEMPLATE FINAL_Avec image (EN).pdf (iso.org) on 06/07/2024. 

 

[3] C. Martin. There are many challenges to achieving a safer and healthier world of work. ISO. Retrieved from GUEST ARTICLE_Occupational health and safety_Martin Cottam_TEMPLATE FINAL_Avec image (EN).pdf (iso.org) on 06/07/2024.

 

[4] WHO. Mental health at work. 2022 viewed online at Mental Health at Work (who.int) on 06/28/2024.

FSSC 24000 international traceability.

Throughout the years, labor’s evolution has been a great driver of products and services in competitive markets, but at what cost? Some organizations have taken advantage of their most valuable resource: their personnel. To reduce operating costs, they violate legal and regulatory aspects associated with working conditions, such as child labor, forced labor, and discrimination, among others.

 

However, the current global labor market, together with the awakening of society, business groups, and interest groups, among others, has generated significant social pressure, so laws, regulations, and policies have been established to ensure that workers do their work within a proper legal and regulatory framework.

 

In this sense, several evaluation models relate to social responsibility, as is the case of FSSC 24000, a management system that allows organizations that implement and certify this program to comply with legal and regulatory aspects, stakeholders’ requirements, and corporate governance policies, which contributes to good working conditions.

 

What is FSSC 24000?

 

It is a Social Management System created and developed to help organizations meet the requirements of and determine their “Social Performance and Sustainability” in the following areas:

 

  • Human Rights Policy.
  • Forced Labor.
  • Child labor.
  • Freedom of Association (Unions).
  • Discrimination/fair treatment of workers.
  • Occupational Health and Safety.
  • Facility Security.
  • Employment and contractual relations.
  • Complaint mechanism.
  • Business Ethics.

 

Who regulates it, and what international traceability does it have?

 

FSSC 24000 is recognized by the SSCI (Sustainable Supply Chain Initiative) and endorsed by the MLA (Multilateral Recognition Arrangement) of the IAF (International Accreditation Forum).

 

What is SSCI?

 

SSCI is an organization that recognizes third-party auditing, monitoring, and certification schemes and programs that cover essential sustainability requirements and apply relevant governance. It was launched by the CGF (Consumer Goods Forum) to ensure organizations do their Due Diligence before choosing the best Social Management Systems Certification program.

 

What is MLA?

 

The Multilateral Recognition Arrangement is an agreement to ensure international mutual recognition of certifications among MLA members/signatories and the acceptance of accredited certifications in many markets based on a single accreditation. In other words, certification will be valid worldwide.

 

What is the IAF?

 

The IAF is a global association of accreditation bodies and other bodies concerned with the conformity assessment of management systems. Its primary role is to develop a single global conformity assessment program that reduces risk to organizations and their certified clients by assuring them that globally accredited certificates can be relied upon.

 

What levels of monitoring/evaluation are there?

 

 

Can it be integrated with other standards?

 

Yes, this program is aligned with the Management System approach and the ISO Harmonized Structure, which facilitates integration with other ISO management standards.

Structure of FSSC 24000.

Conclusions:

 

  • Social Management System (SMS) – Aligned with ISO,
  • Voluntary certification scheme, developed in broad and open consultation with stakeholders worldwide,
  • Objective: To ensure that organizations provide safe and fair working conditions, comply with business ethics requirements, and apply due diligence in their supply chain management.
  • Recognition of certified organizations through a public registry.
  • Governance and oversight of certification through the Foundation’s Integrity Program.
  • It has an effect linked to the UN’s Sustainable Development Goals.

 

References:

  • SSCI: https://www.theconsumergoodsforum.com/social-sustainability/sustainable-supply-chain-initiative/
  • MLA: https://iaf.nu/en/mla-purpose/
  • IAF: https://iaf.nu/en/home/
  • FSSC 24000: https://www.fssc.com/schemes/fssc-24000/

Main tools for risk analysis

BY: Indra Mendoza, Global Standard Auditor.

 

 

Every organization, whether small or large, faces external and internal factors that make it uncertain whether it will achieve its objectives. The effect of this uncertainty is risk, and it is inherent to all activities (Kevin W. Knight, 2009).

 

That is why organizations constantly need to establish strategies to protect themselves, manage risks, and make decisions. These factors can be of any type and represent risks related to processes, internal and/or external fraud, finance and/or the economy, technology and/or computing, people, commercial practices, natural disasters, raw materials, product and/or service quality, labor or work, the environment, society, logistics, documentation, physical and psychological health, food, insecurity, and sabotage, among many others.

 

A reference framework for managing these risks is ISO 31000:2018, Risk management – Guidelines, together with ISO/IEC 31010:2019, Risk management – Risk assessment techniques. These standards recommend that organizations develop, implement, and continuously improve a framework or support structure that aims to integrate the risk management process into the organization’s planning and strategy, processes, policies, values, and culture.

 

The risk management process consists of:

 

  • Define the scope of risk management:
    The organization should define the scope of its risk management activities.

  • External and internal context:
    Risk management should be established based on an understanding of the environments in which the organization operates.

  • Define criteria:
     The organization should define criteria for assessing the significance of risk and support decision-making processes.

  • Risk assessment.

 

 

Identification: the process by which risks are discovered, recognized, and recorded. Risks must be identified whether or not their sources are under the organization’s control.

 

Analysis: the aim is to understand the nature of the risk and its characteristics. This involves a detailed consideration of uncertainties, risk sources, consequences, probabilities, events, scenarios, controls, and their effectiveness. It consists of determining the consequences and their probabilities, which are then combined to determine a level of risk. The methods used in risk analysis can be qualitative, semi-quantitative, or quantitative.

 

 

  • The qualitative assessment defines the consequences, probability, and level of risk, indicating levels such as “high”, “medium” and “low”.
  • Semi-quantitative methods use numerical rating scales that may be linear or logarithmic.
  • Quantitative analysis estimates realistic values for the consequences and their probabilities and obtains values for the level of risk in specific units defined when the context is developed.

 

Evaluation: The purpose of risk evaluation is to support decision-making.

 

Risk treatment: The purpose of risk treatment is to select and implement options to address the risk.

 

 

Selection of risk treatment options: a process aimed at modifying the risk, which may involve avoiding the risk by deciding whether or not to initiate or continue with the activity that gives rise to the risk, accepting or increasing the risk to pursue an opportunity, eliminating the source of risk, changing the probability or frequency of occurrence (decreasing), sharing the risk with others or other interested parties (including contracts or risk financing), and maintaining the risk based on an informed decision.

 

Preparation and implementation of plans. The information provided in the treatment plan should include the treatment of the risk, including expected benefits, persons responsible, proposed actions, resources needed, contingencies, performance measures, constraints, required reporting and monitoring, expected timelines for completion, and completion of actions.

 

Monitoring and review. Factors should be identified for monitoring and review so that the risk assessment can be updated as necessary.

 

Risk analysis can be carried out in varying degrees of depth and detail and using one or more methods ranging from simple to complex. This will depend on the objectives of the study, the type and range of risks being analyzed, the potential magnitude of the consequences, the degree of expertise, human and other resources required, the availability of information and data, the need for modification/updating of the risk assessment, any contractual and regulatory requirements, and whether the method can provide a quantitative result.

 

 

Risk analysis techniques are listed below:

 

 

A: applicable, SA: strongly applicable, NA: not applicable.

Risk assessment process:

| Tools and techniques | Risk identification | Risk analysis: Consequence | Risk analysis: Likelihood | Risk analysis: Level of risk | Risk evaluation |
|---|---|---|---|---|---|
| ALARP, ALARA and SFAIRP | NA | NA | NA | SA | SA |
| Bayesian analysis | NA | NA | SA | NA | NA |
| Bayesian networks | A | NA | SA | SA | SA |
| Bow tie analysis | SA | SA | A | A | A |
| Brainstorming | A | A | NA | NA | NA |
| Business impact analysis | A | SA | NA | NA | NA |
| Causal mapping | A | A | NA | NA | NA |
| Cause-consequence analysis | SA | SA | SA | A | A |
| Checklists, classifications and taxonomies | SA | NA | NA | NA | NA |
| Cindynic approach | NA | NA | NA | NA | NA |
| Consequence/likelihood matrix | NA | A | A | SA | A |
| Cost/benefit analysis | NA | SA | NA | NA | SA |
| Cross impact analysis | NA | NA | SA | NA | NA |
| Decision tree analysis | NA | SA | SA | A | A |
| Delphi technique | SA | NA | NA | NA | NA |
| Event tree analysis | NA | A | A | A | A |
| Failure modes and effects analysis | SA | NA | NA | NA | NA |
| Failure modes and effects and criticality analysis | SA | SA | SA | SA | SA |
| Fault tree analysis | A | NA | SA | A | A |
| F-N diagrams | A | SA | SA | A | SA |
| Game theory | A | SA | NA | NA | SA |
| Hazard and operability studies (HAZOP) | SA | A | NA | NA | NA |
| Hazard analysis and critical control points (HACCP) | SA | SA | NA | NA | SA |
| Human reliability analysis | SA | SA | SA | SA | A |
| Ishikawa (fishbone) | SA | A | NA | NA | NA |
| Layer protection analysis (LOPA) | A | SA | A | A | NA |
| Markov analysis | A | A | SA | NA | NA |
| Monte Carlo simulation | NA | A | A | A | SA |
| Multi-criteria analysis (MCA) | A | NA | NA | NA | SA |
| Nominal group technique | SA | A | A | NA | NA |
| Pareto charts | NA | A | A | A | SA |
| Privacy impact analysis/data privacy impact assessment (PIA/DPIA) | A | SA | A | A | SA |
| Reliability centred maintenance | A | A | A | A | SA |
| Risk indices | NA | SA | SA | A | SA |
| S-curves | NA | A | A | SA | SA |
| Scenario analysis | SA | SA | A | A | A |
| Structured or semi-structured interviews | SA | NA | NA | NA | NA |
| Structured “What if?” (SWIFT) | SA | SA | A | A | A |
| Surveys | SA | NA | NA | NA | NA |
| Toxicological risk assessment | SA | SA | SA | SA | SA |
| Value at risk (VaR) | NA | A | A | SA | SA |

 

Source: ISO/ IEC 31010:2019 Risk management – Risk assessment techniques.

 

The most commonly used techniques are described below:

 

  1. BRAINSTORMING.

 

Brainstorming can be used in conjunction with other risk analysis methods or as a stand-alone technique to stimulate imaginative thinking at any stage of the risk management process and at any stage of a system’s life cycle. It can be formal or informal. In formal brainstorming, participants must be prepared in advance, and the session has a defined purpose and outcomes, with a way to evaluate the ideas put forward. Informal brainstorming is less structured and is often more case-specific.

 

  2. STRUCTURED OR SEMI-STRUCTURED INTERVIEWS.

 

Structured and semi-structured interviews are useful when it is difficult to bring people together for a brainstorming session or when a free-flowing group discussion is not appropriate for the situation, or the people involved.

 

These interviews are often used to identify risks or to note the effectiveness of existing controls as part of the risk analysis. They can be conducted at any stage of a project or process and are a means of providing input for risk assessment to stakeholders.

 

  3. DELPHI TECHNIQUE.

 

The Delphi technique is a procedure for obtaining a reliable consensus from a group of experts. Although the term is widely used to refer to some form of brainstorming, an essential feature of the Delphi technique is that experts express their opinions individually and anonymously, while access to the opinions of other experts is provided as the process progresses.

 

It can be applied at any stage of the risk management process, at any stage of the life cycle of a system, or wherever a consensus of expert opinions is needed. Questions are asked through a semi-structured questionnaire. It is important to mention that the experts are not brought together, so that their opinions remain independent.

 

  4. CHECKLISTS.

 

Checklists can be used to identify hazards and risks or to assess the effectiveness of controls. They can also be used as part of other risk assessment techniques but are most useful when applied to check that the entire system has been covered after a more imaginative technique has been applied to identify new problems.

 

  5. PRELIMINARY HAZARD ANALYSIS (PHA)

 

It is the most commonly used analysis at the beginning of project development when there is little information. It can also be useful for analyzing existing systems to prioritize hazards and risks for further analysis or when circumstances prevent the application of a more extensive technique than the one being used.

 

A list of hazards and generic hazardous situations and risks is formulated, considering characteristics such as the materials used or produced and their reactivity, the equipment used, the operating environment, the overall layout, the interfaces between system components, etc. To identify risks for later assessment, a qualitative analysis of the consequences of an undesirable event and its probability of occurrence can be performed.

 

The PHA should be updated to detect any new hazards. The results obtained can be presented in different forms, such as tables and tree diagrams.

 

  6. HAZOP (HAZARD AND OPERABILITY ANALYSIS).

 

HAZOP is the acronym for hazard (HAZard) and operability (OPerability) analysis, which is a structured and systematic examination of an existing or planned product, process, procedure, or system to identify risks to people, equipment, environment, and/or organizational objectives. It is usually carried out by a multidisciplinary team during a series of meetings. HAZOP is similar to FMEA (failure mode and effect analysis) in that it identifies failure modes. It differs in that the working group considers undesirable results and deviations from expected results and conditions, and works back to possible causes and failure modes, whereas FMEA begins by identifying failure modes.

 

***Standards for reference: IEC 61882, Hazard and Operability Studies (HAZOP studies). Application guide.

 

  7. HAZARD ANALYSIS AND CRITICAL CONTROL POINTS (HACCP).

 

HACCP provides a framework for identifying hazards and establishing controls at all important parts of a process to protect against hazards and to maintain the reliability and safety of a product’s quality.

 

It is intended to ensure that risks are minimized by controls throughout the process, rather than by an inspection of the final product. It starts with a process diagram and information on hazards that could affect the quality, safety, or reliability of the product or process results.

 

HACCP analysis consists of seven principles: identifying hazards and preventive measures, determining the points in the process where hazards can be controlled or eliminated, determining critical control points (CCP), establishing a critical limit(s), CCP control monitoring system, corrective actions to be taken when monitoring indicates that a particular CCP is not controlled, testing procedures to confirm that the system is working effectively, and the documentation system.

 

***Standards of reference: ISO 22000, Food Safety Management Systems. Requirements for any organization in the food chain/ NOM-251-SSA1-2009, Hygiene Practices for the processing of food, beverages, or food supplements.

 

  8. TOXICITY ASSESSMENT.

 

This process is used to assess risks to plants, animals, and humans as a result of exposure to hazards from chemicals, microorganisms, or other species. This method requires reliable data on the nature and characteristics of the hazards, the susceptibility of the population model (or populations), and how the two react to each other. These data are usually based on laboratory research or obtained from epidemiological statistics.

 

The procedure is as follows: problem formulation; hazard identification; hazard analysis, which involves understanding the nature of the hazard and how it reacts with the population model; exposure analysis, which determines how, and in what quantity, a hazardous substance or its residues could reach a sensitive population model; and risk characterization, in which the information obtained from the hazard analysis and exposure analysis is combined to estimate the probabilities of particular consequences occurring.

 

  9. STRUCTURED “WHAT IF” TECHNIQUE (SWIFT).

 

The SWIFT technique was initially developed as a simpler alternative to the hazard and operability study (HAZOP). This technique consists of a systematic workgroup-based study in which the coordinator uses a set of “prompt” words or phrases within a workgroup meeting to stimulate participants to identify risks.

 

The coordinator and working group use standardized “what if….?” phrases combined with the prompts to investigate how a system, plant item, organization, or procedure will be affected by deviations from normal operation and behavior. 

 

 The SWIFT technique is normally applied to more than one level of systems at a lower level of detail than in the HAZOP study and is used to examine the consequences of changes and altered or created risks.

 

  10. SCENARIO ANALYSIS.

 

Scenario analysis is the name given to the development of descriptive models of what might happen in the future. The structure of the scenario analysis can be informal or formal, and once the working group and the corresponding communication channels have been established, and the context of the problem and the issues to be considered have been defined, the next step is to identify the nature of the changes that might occur: external changes; decisions that will need to be made soon, but which may have a variety of outcomes; stakeholder needs and how these needs might change; macro-environmental changes (regulations, demographics, etc.). Some will be inevitable, and some will be uncertain.

 

Local and macro factors or trends can be listed and ranked by importance (1) and uncertainty (2), with special attention given to the factors that are most important and uncertain. The key factors or trends are delineated from each other on a map to show the areas where scenarios can develop. A series of scenarios are proposed, each focused on a plausible change in parameters.

 

  11. ROOT CAUSE ANALYSIS (RCA).

 

The analysis of a major loss to prevent recurrence is referred to as Root Cause Analysis (RCA), Root Cause Failure Analysis (RCFA), or loss analysis. This analysis attempts to identify the root or original causes rather than addressing only the immediately obvious symptoms. It is recognized that corrective action may not always be effective, and that continuous improvement may be necessary.

 

RCA is applied in various contexts, with the following areas of use: safety-based RCA is used in accident investigations and in occupational health and safety; failure analysis is used in technology systems related to reliability and maintenance; production-based RCA is applied in the field of quality control within industrial manufacturing; process-based RCA is focused on business processes; and system-based RCA has been developed as a combination of the above areas to deal with complex systems, with application in change management, risk management, and systems analysis.

 

  12. FAILURE MODES AND EFFECTS ANALYSIS (FMEA) AND FAILURE MODES AND EFFECTS AND CRITICALITY ANALYSIS (FMECA).

 

There are several applications of FMEA analysis: design (or product) analysis used for components and products, system analysis used for systems, process analysis used for manufacturing and assembly, service analysis, and software analysis. However, to improve reliability, changes are usually easier to implement at the design stage.

 

FMEA and FMECA can be used to assist in the selection of design alternatives with high reliability, ensure that all system and process failure modes and their effects on operational success have been considered, identify human error modes and their effects, provide a basis for planning the testing and maintenance of physical systems, improve the design of procedures and processes, and provide qualitative or quantitative input to other analysis techniques such as fault tree analysis.

 

**Standards for reference: IEC 60812, System reliability analysis techniques. Failure mode and effects analysis procedure (FMEA).

 

  13. FAULT TREE ANALYSIS (FTA).

 

A fault tree can be used qualitatively to identify the potential causes and paths by which a failure occurs (the top event), or quantitatively to calculate the probability of the top event, providing knowledge of the probabilities of the causal events. It can be used in the design stage of a system to identify potential causes of failure and thus to select between different design options. It can be used in the operation phase to identify how major failures may occur, and the relative importance of the different paths leading to the top event.

 

A fault tree can also be used to analyze a fault that has occurred, to represent in a diagram how different events came together to cause the fault.

 

**Standards for reference: IEC 61025, Fault Tree Analysis (FTA).
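The qualitative and quantitative uses of a fault tree described above can be worked through in a short Python sketch. This is an added example, not taken from IEC 61025 or ISO/IEC 31010: the tree, the event names and the probabilities are constructed, and basic events are assumed to be statistically independent of each other.

```python
from itertools import product
from math import prod

# Constructed tree: a string is a basic event, a tuple is (gate, child, ...).
# Top event "no cooling flow": both pump trains fail, and both trains
# depend on the same power supply (a repeated basic event).
TREE = ("AND",
        ("OR", "pump_a_fault", "power_loss"),
        ("OR", "pump_b_fault", "power_loss"))
P = {"pump_a_fault": 0.1, "pump_b_fault": 0.2, "power_loss": 0.01}


def _gate(node):
    if node[0] not in ("AND", "OR"):
        raise ValueError(f"unknown gate: {node[0]!r}")
    return node[0]


def basic_events(node):
    """Set of basic event names appearing anywhere under this node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1:]))


def occurs(node, state):
    """True if the node's event occurs for a given True/False state of basic events."""
    if isinstance(node, str):
        return state[node]
    results = [occurs(child, state) for child in node[1:]]
    return all(results) if _gate(node) == "AND" else any(results)


def top_probability(tree, p):
    """Exact top-event probability by enumerating every basic-event state.

    Correct even when a basic event feeds several gates; cost is 2**n,
    so this suits small trees only.
    """
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if occurs(tree, state):
            total += prod(p[e] if state[e] else 1 - p[e] for e in events)
    return total


def naive_probability(node, p):
    """Gate-by-gate arithmetic; only valid if no basic event is repeated."""
    if isinstance(node, str):
        return p[node]
    probs = [naive_probability(child, p) for child in node[1:]]
    if _gate(node) == "AND":
        return prod(probs)
    return 1 - prod(1 - q for q in probs)


def minimal_cut_sets(node):
    """Qualitative result: smallest sets of basic events that cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    child_sets = [minimal_cut_sets(child) for child in node[1:]]
    if _gate(node) == "OR":
        combined = [s for sets in child_sets for s in sets]
    else:
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    # Drop any set that strictly contains another cut set.
    return [s for s in set(combined) if not any(other < s for other in combined)]


if __name__ == "__main__":
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(TREE)])
    print("exact P(top):    ", round(top_probability(TREE, P), 6))
    print("naive P(top):    ", round(naive_probability(TREE, P), 6))
```

The shared power supply appears as a single-event cut set, and the gate-by-gate figure is lower than the exact one because it treats the two occurrences of `power_loss` as independent events.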

 

  14. LAYERS OF PROTECTION ANALYSIS (LOPA).

 

LOPA is a semi-quantitative method for estimating the risks associated with an undesired event or scenario. It is used to analyze whether there are sufficient measures to control or mitigate the risk. LOPA is performed by a group of experts as follows: the initiating causes of an unintended consequence are identified, and data on their frequencies and consequences are sought; a cause-consequence pair is selected; the layers of protection that prevent the cause from leading to the unintended consequence are identified and analyzed for their effectiveness; the independent protection layers (IPLs) among them are identified (not all protection layers are IPLs); the probability of failure of each IPL is estimated; and the frequency of the initiating cause is combined with the probabilities of failure of each IPL and the probabilities of all conditional modifiers to determine the frequency of occurrence of the unintended consequence. Orders of magnitude are used for the frequencies and probabilities; the calculated risk level is compared to the risk tolerance levels to determine whether additional protection is required.

 

**Standards for reference: IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems / IEC 61511, Functional safety. Safety instrumented systems for the process industry sector.
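The LOPA calculation described above, as an added Python example that is not taken from the standards cited: the tank-overfill scenario, its frequencies, failure probabilities and tolerance level are constructed values, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from math import ceil, log10, prod


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float         # probability of failure on demand, 0 < pfd <= 1
    independent: bool  # True only if the layer qualifies as an IPL


@dataclass(frozen=True)
class Scenario:
    cause: str
    consequence: str
    initiating_freq: float  # frequency of the initiating cause, per year
    tolerable_freq: float   # risk tolerance for this consequence, per year
    layers: tuple = ()
    modifiers: dict = field(default_factory=dict)  # conditional modifier -> probability


def mitigated_frequency(s, credit_all_layers=False):
    """Initiating frequency x PFD of each IPL x each conditional modifier.

    Layers that are not independent get no credit unless credit_all_layers
    is set, which is only there to show how much the result is overstated.
    """
    for layer in s.layers:
        if not 0 < layer.pfd <= 1:
            raise ValueError(f"PFD out of range for {layer.name}")
    credited = [l for l in s.layers if l.independent or credit_all_layers]
    return (s.initiating_freq
            * prod(l.pfd for l in credited)
            * prod(s.modifiers.values()))


def required_extra_orders(s):
    """Orders of magnitude of further risk reduction needed (0 if tolerable)."""
    ratio = mitigated_frequency(s) / s.tolerable_freq
    if ratio <= 1:
        return 0
    return ceil(round(log10(ratio), 9))  # rounding absorbs float noise


# Constructed cause-consequence pair: level control fails -> tank overfill and fire.
ALARM = Layer("high-level alarm with operator response", 0.1, True)
TRIP = Layer("independent overfill trip (safety instrumented function)", 0.01, True)
# Shares the level transmitter with the failed control loop, so it is a
# protection layer but not an independent one.
SHARED = Layer("second alarm on the control-loop transmitter", 0.1, False)
MODIFIERS = {"ignition": 0.1, "personnel present": 0.5}

TANK_OVERFILL = Scenario("level control loop fails", "overfill, fire, injury",
                         initiating_freq=0.1, tolerable_freq=1e-5,
                         layers=(ALARM, TRIP, SHARED), modifiers=MODIFIERS)
# Same scenario without the trip, to show a shortfall against the tolerance.
NO_TRIP = Scenario("level control loop fails", "overfill, fire, injury",
                   initiating_freq=0.1, tolerable_freq=1e-5,
                   layers=(ALARM, SHARED), modifiers=MODIFIERS)

if __name__ == "__main__":
    for label, s in (("with trip", TANK_OVERFILL), ("without trip", NO_TRIP)):
        print(f"{label}: {mitigated_frequency(s):.1e}/yr, "
              f"extra orders of magnitude needed: {required_extra_orders(s)}")
    overstated = mitigated_frequency(TANK_OVERFILL, credit_all_layers=True)
    print(f"if the shared alarm were wrongly credited: {overstated:.1e}/yr")
```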

 

  15. DECISION TREE ANALYSIS.

 

A decision tree is used to manage project risks and in other circumstances to help select the best course of action when uncertainty exists. The graphical presentation can also help communicate reasons for decisions. A decision tree starts with an initial decision, for example, to proceed with project A rather than project B. As the two hypothetical projects proceed, different events will occur and different foreseeable decisions will need to be made. These are presented in a tree format, similar to the event tree.

 

  16. BOW TIE ANALYSIS.

 

Bow tie analysis is used to present a risk by showing a range of possible causes and consequences. It is used when the situation does not warrant the complexity of a full fault tree analysis or when trying to ensure that there is a barrier or control for each failure path. This analysis is useful when there are clear independent paths leading to the failure.

 

  17. RISK INDEXES.

 

Indexes can be used to rank different risks associated with an activity when the system is well understood. Risk indexes allow the integration of a range of factors that have an impact on the level of risk into a single numerical risk level score. They are used for many different types of risk, usually as a means of defining the scope of the risk rating according to the level of risk. This can be used to determine risks that need additional in-depth and possibly quantitative risk assessment.

 

  18. CONSEQUENCE/PROBABILITY MATRIX.

 

The consequence/probability matrix is used to rank risks, risk sources, and risk treatments based on the level of risk. It is normally used as a filtering tool when many risks have been identified, for example, to define which risks need further or more detailed analysis. A form of the consequence/probability matrix is used in FMEA or to adjust priorities after HAZOP (hazard and operability studies). It can also be used in situations where the data are insufficient for a detailed analysis, or the situation does not warrant the time and effort for more quantitative analysis.

 

 

BIBLIOGRAPHY:

  • ISO 31000:2018. Risk management – Guidelines.
  • ISO IEC 31010:2019 Risk management – Risk assessment techniques.

 

ISO/IEC 42001:2023 Artificial Intelligence Management System

 Author: Santiago Gonzalez Esparza, Eng.

 

With the exponential growth of information technologies in recent years, different tools have emerged that modify the way we work, minimizing the time it takes to execute an action and opening new perspectives on how to solve a particular problem. Among all these tools, there is one that has had an incredible boom in recent times and continues to grow: Artificial Intelligence.

 

Artificial intelligence (AI) refers to the ability of machines or computer systems to perform tasks that regularly require human intelligence. This includes the ability to learn from experience (“machine learning”), reason, understand natural language, recognize patterns, and adapt to new situations. The lack of knowledge and distrust of applications and their capabilities has generated the need to manage the risks of AI and its applications.

 

That is why the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published ISO/IEC 42001:2023 Information Technology – Artificial Intelligence – Management System. This is the first international standard for the development and implementation of reliable AI management systems, balancing innovation with governance.

 

Previously ISO had standards such as ISO/IEC 22989 where AI terminology and the field of AI are established, ISO/IEC 23053 which establishes an AI and ML (Machine Learning) framework, as well as ISO/IEC 23894 which provides guidance on AI-related risk management for organizations.

 

Implementing this standard means putting in place policies and procedures for the good governance of AI in an organization, using the PDCA (Plan-Do-Check-Act) methodology. Rather than looking at the details of specific AI applications, it provides a practical way to manage AI-related risks and opportunities across an organization.

 

The objectives of ISO/IEC 42001:2023 are as follows:

 

  • Cost savings and efficiency gains.
  • Promote the development and use of reliable, transparent, and accountable artificial intelligence systems.
  • Use of data analytics, knowledge, and machine learning.
  • Framework for risk and opportunity management.
  • Build confidence in the management of artificial intelligence by encouraging organizations to prioritize human well-being, safety, and user experience during the AI design and implementation process.

 

The benefits of implementing ISO/IEC 42001:2023 are as follows:

 

  • Responsible AI: guarantees the ethical and responsible use of artificial intelligence.
  • Reputation management: enhances trust in AI applications.
  • AI governance: supports compliance with legal and regulatory standards.
  • Practical guidance: effectively manage AI-specific risks.
  • Identify opportunities: fosters innovation within a structured framework.

 

ISO/IEC 42001:2023 specifies the requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.

 

Like other ISO standards, the standard can be implemented in companies and organizations of any type, regardless of size, line of business, sector, etc. The AI management system provides specific requirements for managing the issues and risks arising from the use of AI in an organization. This common approach facilitates implementation and consistency with other management system standards, for example, those related to Quality (ISO 9001:2015) and/or Security and Privacy (ISO 27001:2022).

 

The structure of this standard is like the other ISO standards, consisting of 10 chapters:

 

1.- Scope: the objective is to provide clarity on the limits and application of the standard – (Informative)

 

2.- Normative references: lists the standards and reference documents for the application – (Informative)

 

3.- Terms of reference: key terms used in the standard are provided, along with their definitions. – (Informative)

 

4.- Context of the organization: focuses on understanding the context in which the organization operates – (Normative)

 

5.- Leadership: sets out the requirements for leadership and top management commitment to the system – (Normative)

 

6.- Planning: describes the requirements for the planning of the management system, including the identification of risks and opportunities that may affect the organization. (Normative)

 

7.- Support: addresses the requirements to provide the necessary resources for the system – (Normative)

 

8.- Operation: addresses the execution of planned activities to satisfy customer requirements and quality objectives. – (Normative)

 

9.- Performance evaluation: establishes the requirements for monitoring, measuring, analyzing, and evaluating the performance of the system – (Normative)

 

10.- Improvement: addresses the fundamental principle of continuous improvement. It establishes the requirements for identifying opportunities for improvement and taking action to address them. – (Normative)

 

 

Like other ISO management standards, ISO/IEC 42001:2023 has a high-level structure. This is a standardized model established by the ISO Committee so that all new management standards share a common objective: to support the synchronization of different standards by adopting a common language, making it easier for organizations to integrate different management systems and enjoy certain advantages, such as the elimination of duplicate documentation.

 

As previously mentioned, there is an established model, although the approach given to that structure depends on the scheme. In this standard, the changes compared to the ISO 9001 scheme are found in chapter 8, which has only 4 subtopics:

 

  • 8.1 Operational planning and control: discusses how the organization is required to plan, implement, and control the processes necessary to comply with the requirements.

  • 8.2 AI risk assessment: the organization shall conduct AI risk assessments and keep all documented information of such results.

  • 8.3 AI risk treatment: implement the AI risk treatment plan as required.

  • 8.4 AI system impact assessment: AI system impact assessments must be conducted as established, at planned intervals, or when significant changes are proposed.

 

 

This standard has four annexes, divided into two Normative and two Informative:

 

 Normative (Annex A and B)

 

  • Annex A: provides a reference for meeting organizational objectives and addressing risks related to the design and operation of AI systems, which are detailed in Table A.1.
  • Annex B: guides the implementation of the controls mentioned in Table A.1.

 

Informative (Annex C and D)

 

  • Annex C: describes the possible organizational objectives, sources of risk and descriptions to be considered for managing risks. This annex is not intended to be exhaustive or applicable to all organizations.
  • Annex D: mentions that the management system applies to any organization that develops, provides, or uses products or services using an AI system.

 

In conclusion, we can say that guidelines have now been set and paths opened that have not yet been traveled. These advances are promising in all areas but, like any other tool, it must be used correctly so that every organization that wants to implement this innovative management system can get the most out of it.