ISO 31000 the risk management standard - WHS/OHS legislation consequences
One of the most common questions we receive as due diligence engineers is around ISO 31000, the risk management standard and its consequences in relation to Australian and New Zealand WHS and OHS legislation.
ISO 31000 is a well-known and highly adopted risk management framework with the vision to make lives easier, safer and better. Specifically, the standard aims to provide “principles, a framework and a process for managing risk.
The problem from a due diligence perspective is this generalised standard can add confusion and a false sense of security for Australian organisations in terms of their governance processes and duty of care in relation to their obligations under health and safety legislation.
The OHS Act started in Victoria in 2004; the Model WHS Act commenced in most jurisdictions in 2011-2012, while Western Australia adopted it in 2022. New Zealand adopted it in 2015. The legislation is clear in its objectives that its purpose is to achieve the highest level of protection as is reasonably practicable for everyone.
The ISO 31000 process is contradictory to the WHS/OHS Act, at least when you're dealing with health and safety.
Unfortunately, this (similar) confusion is reflected throughout other Australian Standards. For example, there's no such thing as a target level or tolerable level of risk or safety. The legislation's clear you've got to achieve the highest level of protection as you reasonably can.
To illustrate this, the Standards' Australia handbook, "Managing health-and-safety related risks", importantly says:
"Contemporary WHS legislation does not prescribe an acceptable or tolerable level of risk. The emphasis is on the effectiveness of controls, not estimated risk levels. It may be useful to estimated risk level for the purposes such as communicating which risks are the most significant or prioritising risks within a risk treatment plan. In any case, care should be taken to avoid targeting risk levels that may prevent further risk minimisation efforts that are reasonably practical to implement."
This is an absolutely perfect re-statement of the intention of the Model WHS legislation.
Yet, the process encouraged by ISO 31000, the risk management standard states it’s (to) establish the context and do a (hazard-based) risk assessment– which is hazard risk identification, hazard risk analysis, hazard risk evaluation and then risk treatment.
The two concepts don't align.
If you look at the Network Safety Standard, AS 5577, which is mandated by many regulators, it tells you to use the ISO 31000 Risk Management standard approach whilst also saying at different times throughout the standard you shall, for example, initiate action so far as is reasonably practicable (SFAIRP). It then goes on with all the things you should do. It also says you shall eliminate hazards so far as reasonably practical, and if you can't eliminate them, you'll minimise them as low as reasonably practical. Yet when it provides advice on how to do a formal safety assessment, it basically tells you to comply with the principles of ISO 31000 and to choose target levels of risk and safety and so forth, which is specifically against the will of all Australian parliaments.
This illustrates a mismatch between what senior decision makers and the boards worry about, which is the WHS legislation. These people understand their requirements and want to be compliant. But the tools and the processes that the engineers (and others) are using to do the day-to-day work in organisations, the Standards, is creating confusion.
Engineers should be looking at each credible critical (kill or maim) problem on a case-by-case basis and designing to ensure this has been eliminated so far as is reasonably practicable or if it can’t be eliminated, reduced so far as is reasonably practicable.
As from Paul Wentworth, a partner of MinterEllison says:
"Engineers should remember that in the eyes of the court, in the absence of any legislative or contractual requirement, an Australian Standard mounts only to an expert opinion about usual recommended practice. In the performance of any design, reliance on an Australian Standard does not relieve an engineer from a duty to exercise here's or her skill and expertise".
If you know that the legislation has the requirement to provide the highest level of protection as is reasonably practicable and you still choose to do work consistent with an Australian Standard, you are talking yourself into a very difficult place if it all goes wrong and you wind up in court. And you have expert witnesses like us acting against you.
When we brief legal counsel for organisations on the two different approaches (SFAIRP and target levels of risk and safety) prior to commencing any consulting work, they all agree that the target level of risk and safety approach encouraged by ISO 31000 does not meet the requirements of the WHS and OHS legislation. You cannot keep using target levels of risk and safety to make safety decisions. You can use it as a reporting tool, which is what the handbook says.
From the point of view of engineers, there are very many tools and techniques that can be used to help put a safety argument together and meet the requirements of the WHS legislation. R2A was a key contributor to the Engineers' Australia Safety Case Guidelines, which was signed off by the National Risk Engineering Society in 2016. The document was reviewed by a barrister to make sure that it was tight and consistent with the legislation.
Remember, it's not a Standard that's recognised good practice. It's the useful ideas in the Standards that are recognised good practice that you must consider.
The same applies to ISO 31000. It details a number of important points that are particularly useful, but the process encouraged acts against the fundamental purposes of WHS/OHS legislation.
Standards can provide some insight into particular issues of concern and some of the solutions available, but these shouldn’t doesn't stop us from thinking.