Risk Management and ISO 31000 in Austria
Eckehard Bauer is the vice president of Quality Austria, a worldwide active certification body and organization for training. In his function as manager in Quality Austria, he is responsible for safety, transport, Business Continuity Management and Risk Management. He is a member of the mirror committee of the Austrian Standards Institute (ASI).
This interview was conducted for ISO TC 262.
Ecki, you are a member of the Austrian mirror committee to ISO/TC 262. Can you briefly introduce the Austrian Standards Institute (ASI), your national standardization organization, please?
Ecki: The ASI is located in Vienna and is the only organization in Austria which releases standards from ISO, EN, and other national standards. Since last year, we created a new law on standards in Austria which is very challenging for ASI.
You have been a »regular« at TC 262 meetings in the past but were prevented from coming to Amman – will you be back at the next meeting and what is Austria’s principle message regarding the last drafts of ISO 31000?
Ecki: Unfortunately, after making all the arrangements for coming to Amman I had to cancel them due to significant personal issues. I am back in business since the end of December 2016, following again all the developments in the ISO/TC 262 committee. I look forward to being again an active participant at the upcoming meetings.
What is risk management based on in Austria (e.g.: are there any laws, regulations, national standards or other rules)?
Ecki: We have a lot of laws and regulations which are directly linked to risk management or to risk evaluation. Sometimes we name it a little bit differently, for example “work place evaluation” or “hazard evaluation” etc. In Austria, we have a local Standard, the ONR 49000ff which took the ISO 31000 (guideline) and transformed it into risk management system requirements. This standard is also popular in Germany, Switzerland and in the German speaking parts of Italy.
What is the impact of risk management and in particular ISO 31000 in Austria?
Ecki: The impact of ISO 31000 in Austria is not as big as it could be. The ONR 49000ff, which I mentioned before is of greater importance in the country, thought this standard is based on the ISO 31000. Now, there is a great interest on risk management in Austria since it is based on the “risk based approach – risk based thinking” concept of ISO 9001:2015 and ISO 14001:2015.
Who are the key stakeholders of risk management in Austria?
Ecki: We do not have special key stakeholders of risk management because this topic is already quite well established in many different groups in Austria. Risk management is being implemented to different degrees in a broad range of branches and sectors, from finances to industry and small enterprises, as well as from work safety to public healthcare etc.
What are the biggest obstacles for integrating risk management in all organizational activities for managers in Austria?
Ecki: I think the philosophy for risk management is very well established in companies in Austria. Though a separate risk management standard and certification is not perceived as needed, especially since the ISO 9001:2015 and the other Annex SL based standards are in use, which already include the risk based approach. The ISO 31000 (current version) is now not being used to establish risk management in companies. A statement from companies that I often hear is, that there are too many gaps between the (current) ISO 31000 and the requirements of ISO 9001:2015 / ISO 14001:2015. This is also a reason why companies prefer to use the national ONR 49000ff or other existing standards to establish risk management in the company.
ISO 31000 quickly became one of the bestselling and most well recognized standards in ISO. What do you think about the future of the standard and how will it change to adapt to new challenges?
Ecki: I think this is the past. When the ISO 31000:2009 was published, it was (more or less) the only risk management standard recognized worldwide. Now there are more standards existing, which have included (at least partly) risk management (ISO 9001:2015, ISO 22301, etc.). I think the ISO organization may have diminished the possible success from a revised ISO 31000 by over-diversifying ISO standards, which is still ongoing with an increasing number of ISO standards being produced.
Is there a message that you want to give to the risk management community?
Ecki: From my point of view, it is quite simple. It is about what the customer wants, expects and needs, especially the companies which are already using the new ISO 9001:2015 / ISO 14001:2015 standards or will use them in the future. If we follow their wishes, expectations and needs, we will have success with the new ISO 31000 standard. If we only write a standard from experts for experts, there will be no need to use the ISO 31000 to establish risk management systems in these companies.
What advice can you give to interested parties in Austria who want to offer their input to the work of ISO/TC 262 and who should they address?
Ecki: I think the mirror committee in Austria does a very good job, especially the chairperson Mr. Josef Winkler. The committee is very active in communication and internal work; there is also a broad range of experts in the team. If any expert wants to participate in the ISO /TC 262 mirror committee, they should contact Mr. Winkler or another member of the committee.