Eckehard Bauer is the vice president of Quality Austria, a worldwide active certification body and organization for training. In his function as manager in Quality Austria, he is responsible for safety, transport, Business Continuity Management and Risk Management. He is a member of the mirror committee of the Austrian Standards Institute (ASI).
This interview was conducted for ISO TC 262.
Ecki: Unfortunately, after making all the arrangements for coming to Amman I had to cancel them due to significant personal issues. I am back in business since the end of December 2016, following again all the developments in the ISO/TC 262 committee. I look forward to being again an active participant at the upcoming meetings.
Ecki: We have a lot of laws and regulations which are directly linked to risk management or to risk evaluation. Sometimes we name it a little bit differently, for example “work place evaluation” or “hazard evaluation” etc. In Austria, we have a local Standard, the ONR 49000ff which took the ISO 31000 (guideline) and transformed it into risk management system requirements. This standard is also popular in Germany, Switzerland and in the German speaking parts of Italy.
Ecki: The impact of ISO 31000 in Austria is not as big as it could be. The ONR 49000ff, which I mentioned before is of greater importance in the country, thought this standard is based on the ISO 31000. Now, there is a great interest on risk management in Austria since it is based on the “risk based approach – risk based thinking” concept of ISO 9001:2015 and ISO 14001:2015.
Ecki: We do not have special key stakeholders of risk management because this topic is already quite well established in many different groups in Austria. Risk management is being implemented to different degrees in a broad range of branches and sectors, from finances to industry and small enterprises, as well as from work safety to public healthcare etc.
Ecki: I think the philosophy for risk management is very well established in companies in Austria. Though a separate risk management standard and certification is not perceived as needed, especially since the ISO 9001:2015 and the other Annex SL based standards are in use, which already include the risk based approach. The ISO 31000 (current version) is now not being used to establish risk management in companies. A statement from companies that I often hear is, that there are too many gaps between the (current) ISO 31000 and the requirements of ISO 9001:2015 / ISO 14001:2015. This is also a reason why companies prefer to use the national ONR 49000ff or other existing standards to establish risk management in the company.
Ecki: I think this is the past. When the ISO 31000:2009 was published, it was (more or less) the only risk management standard recognized worldwide. Now there are more standards existing, which have included (at least partly) risk management (ISO 9001:2015, ISO 22301, etc.). I think the ISO organization may have diminished the possible success from a revised ISO 31000 by over-diversifying ISO standards, which is still ongoing with an increasing number of ISO standards being produced.
Ecki: From my point of view, it is quite simple. It is about what the customer wants, expects and needs, especially the companies which are already using the new ISO 9001:2015 / ISO 14001:2015 standards or will use them in the future. If we follow their wishes, expectations and needs, we will have success with the new ISO 31000 standard. If we only write a standard from experts for experts, there will be no need to use the ISO 31000 to establish risk management systems in these companies.
Ecki: I think the mirror committee in Austria does a very good job, especially the chairperson Mr. Josef Winkler. The committee is very active in communication and internal work; there is also a broad range of experts in the team. If any expert wants to participate in the ISO /TC 262 mirror committee, they should contact Mr. Winkler or another member of the committee.