ISO 31000 The Risk Management Standard - The consequences for WHS/OHS legislation

Risk! Engineers Talk Governance
Episode 10, Season 1

In this final episode of Season 1 of Risk! Engineers Talk Governance, due diligence engineers Gaye Francis & Richard Robinson discuss one of the topics they are asked about most: ISO 31000, the Risk Management Standard.

They outline the consequences of ISO 31000: that it does not meet the requirements of the WHS legislation/OHS Act in Australia & New Zealand, and that organisations cannot keep using target levels of risk and safety to make safety decisions, although it can be used as a reporting tool.

Transcript

Megan (Producer) (00:02):

Hi. Welcome to the final episode of Season 1 of Risk! Engineers Talk Governance. In this final episode, due diligence engineers Richard Robinson and Gaye Francis talk about ISO 31000, the Risk Management Standard and its consequences, especially with relation to WHS legislation in Australia or the OHS Act in Victoria.

(00:31):

We hope you enjoy the episode. Please do support our work and subscribe to the podcast and give us a rating. Also, share it across your network if you know other people who may be interested. Also, this is episode 10, so please do check out the other episodes if you haven't done so yet. We look forward to bringing you Season 2. If you want to keep in touch with Richard and Gaye's work and their due diligence consulting, please do head to R2A's website. The details will be in the description and you can also sign up to their newsletter that will keep you up to date. Enjoy the episode.

Gaye Francis (01:12):

Good morning, Richard, and welcome to our podcast; Episode 10 of our first season. Very exciting. How are you this morning?

Richard Robinson (01:20):

I'm good. How are you?

Gaye Francis (01:21):

Good, good, thank you. We're doing this podcast remotely as we've both had the lurgy this week, so keeping away from each other. We thought we'd finish with something that's probably one of the things that we get asked about the most, and that's ISO 31000, the risk management standard and its consequences and the difficulties that this has, especially in relation to the WHS and OHS legislation and the contradictions there.

(01:50):

So Richard, I'll let you launch in and then I'll chip in as we go.

Richard Robinson (01:56):

Well, thank you Gaye. Look, the key point here, I guess that this has puzzled us for a long time because it's been going on for a long time now, is that the OHS Act started in Victoria in 2004 and the model Act commenced in most jurisdictions in 2011/2012, Western Australia adopted last year (2022) and kiwi land (New Zealand) adopted in 2015. And the legislation's absolutely crystal clear in its objectives that the purpose of the legislation is to achieve the highest level of protection as is reasonably practicable for everyone. It's absolutely crystal clear and we were just talking about... we're doing some stuff on VCAT where we asked to read some case law and one of the points they're making of this that the High Court's making at different points is that the more precise a parliament is about the intention of the legislation, the less room that the courts have to maneuver to interpret. If so, if the objective is absolutely crystal clear, then that's what you're supposed to do.

(02:49):

Now, what’s got us completely confused is ISO 31000; that process is contradictory to that (OHS) Act, at least when you're dealing with health and safety. And what puzzles us the greatest is that this confusion is sort of reflected throughout Australian Standards everywhere. Just to give you an understanding that there's no such thing as a target level or tolerable level of risk or safety because the legislation's quite clear you've got to achieve the highest level as you reasonably can.

(03:15):

Now, just to sort of emphasise that this is from the "Managing Health and Safety" handbook thing Standards' Australia, and it says, importantly: "Contemporary WHS legislation does not prescribe an acceptable or tolerable level of risk. The emphasis is on the effectiveness of controls, not estimated risk levels. It may be useful to estimate risk level for the purposes such as communicating which risks are the most significant or prioritising risks within a risk treatment plan. In any case, care should be taken to avoid targeting risk levels that may prevent further risk minimisation efforts that are reasonably practical to implement."

(03:49):

Now, that's an absolutely perfect restatement of what the intention of the Model WHS legislation is.

Gaye Francis (03:56):

And that's in the handbook of the Risk Management Standard. But if we read out what the process of the Risk Management Standard is, it's: establish the context, do a risk assessment hazard base, which is hazard risk identification, hazard risk analysis, hazard risk evaluation -- so that's your criteria and your tolerable and acceptable level of risk -- and then risk treatment. So the two things don't match up there.

Richard Robinson (04:21):

And the weirdest thing is, is that if you look at a Standard like the Network Safety Standard, AS 5577, which is mandated by a lot of regulators, it tells you to use the risk management standard approach. It's absolutely crystal clear about it, even though throughout the words it's saying at different times you shall, for example, initiate action so far as is reasonably practicable (SFAIRP) and then it goes on with all the things you should do. And I've forgotten exactly where it is, but there's one bit there where it says you shall eliminate hazards so far as reasonably practical, and if you can't eliminate them, you'll minimise them as low as reasonably practical. And then at the back it's actually got how to do a formal safety assessment. It basically tells you to comply with the principles of ISO 31000 and to choose target levels of risk and safety and so forth, which is specifically against the will of all Australian parliaments. So we find this...

Gaye Francis (05:16):

So I think this is sort of showing that there's a mismatch, isn't there, between the things that the senior decision makers and the boards worry about, which is the WHS legislation and things like that. And I don't think there's any confusion there that they understand what their requirements are and the desire to be compliant with that. But the tools and the processes that the engineers are using to do the day-to-day work in organisations, the Standards is what is creating that confusion. And there's a mismatch between the two.

(05:52):

And what we've sort of found is it hasn't been fed down into the organisation yet. So as I said, the boards and the senior exec understand the requirements of the WHS legislation and what they have to do to achieve it, but because they've got all of these embedded processes and policies that often reflect the processes in the Risk Management Standard, and that's what the engineers are doing on a day-to-day basis, there's this mismatch and they've been trying to put the principles of the WHS legislation within their current framework. And I'm not sure that that's, I don't know that that's been successful.

Richard Robinson (06:28):

I'm sure it hasn't. Now, from the point of view of the engineers, I mean this office was central to the Engineers' Australia Safety Case Guidelines, which was signed off by the National Risk Engineering Society in 2016, I think. It was reviewed by a barrister in Queensland to make sure that it was tightened and consistent with the legislation and all the points we're making here, that was basically making. And what's got us completely stumped, I mean that Safety Case Guideline is a recognised, I think it was a... What actual term the Engineers' Australia used? Practice note. And so if you're a professional engineer working in Australia, you need to understand what the practice notes from intellectual body are saying because you'll wind up in court. An Australian Standard, well, I'm giving you another quote, this is from Paul Wentworth, a partner of MinterEllison: "Engineers should remember that in the eyes of the court, in the absence of any legislative or contractual requirement, an Australian Standard amounts only to an expert opinion about usual recommended practice. In the performance of any design, reliance on an Australian Standard does not relieve an engineer from a duty to exercise his or her skill and expertise".

(07:33):

So if you know that the legislation says this and you still choose to do it consistent with an Australian Standard, you are talking yourself into a very difficult place if it all goes wrong and all wind up in court. And you have expert witnesses like us acting against you. I suppose it even puzzles us even more because the whole point of the exercise is that Engineers' Australia is meant to be an intellectual body for engineers and engineering in Australia. And yet, and I don't understand why Engineers' Australia keeps encouraging engineers to put their intellectual property into Australian Standards and these Australian Standards are quite contradictory, and as resolved by the practice note from Engineers' Australia.

(08:11):

So there's something that's really mismatching here and not quite right that needs resolution. I don't know that we're going to solve this on the spot.

Gaye Francis (08:20):

What we're saying is Engineers' Australia could have a role in playing to promote what is best practice in the industry outside of Australian Standards and should be doing that.

Richard Robinson (08:31):

Am I allowed to have my little rant about...

Gaye Francis (08:32):

Yes, you can have your little rant.

Richard Robinson (08:36):

See, one of the things I don't get too, apart from the curious matter of telling engineers to put the intellectual property into Australian Standards rather than to documents that belong to Engineers Australia... Because I've got to tell you, if you look at the American engineering institutions, they don't give up their intellectual property for free to third parties. But under the code of ethics, for example of Engineers' Australia, you've got to give credit where credit's due and Standards Australia just refer to organisations rather than individuals who actually put the intellectual time and effort into the damn thing. Unlike for example, NFPA Standards in the US. It's something I just simply haven't understood that Engineers' Australia keeps promoting Standards Australia like it's a kindred society. It's not, it's a commercial entity doing commercial things.

Gaye Francis (09:18):

Okay, that's your little rant.

Richard Robinson (09:21):

That's probably enough! I could go on but I don't think you need it.

Gaye Francis (09:24):

So if we bring it back to ISO 31000 and its contradictions, what we're saying is we've been advised on a number of occasions when we brief legal counsel for organisations that the ISO 31000 does not meet the requirements of the WHS and OHS legislation. And you cannot keep using target levels of risk and safety to make safety decisions; you can use it as a reporting tool, which is what that paragraph in the handbook says, as a useful tool. And there are ways out there that the engineers have specified that you can put your safety argument together to meet the requirements of the WHS legislation and until organisations realise the mismatch between what the board is trying to achieve and then the processes and policies within an organisation, I think this confusion will continue.

(10:20):

And I think we touched on it last week (Ep 9, The Contest of Ideas), Richard, one of the other confusions or one of the reasons for the confusions is we think that there's been a sudden increase in the number of people from the UK who used to practice in health and safety and risk in the UK coming to Australia after Brexit.

(10:40):

And there's been almost a going backwards... I thought we were way on top of the SFAIRP approach, but ALARP seems to be creeping into more and more processes that we see in organisations and they're trying to say that they're the same. And we've been categorically told on a number of occasions by lawyers that they are not the same and you cannot use the same processes to achieve that.

Richard Robinson (11:09):

Yeah. What we've noticed is that, and this is sad because a lot of organisations have to go through this process. If your regulator, for example, calls up like 5577, a Standard that mandates basically ISO 31000 approach, well you're going to be stuck. You're going to have to do it twice. You're going to have to do it to demonstrate the highest level of precautions being achieved on the one hand and then in order to get a licence to trade, you're going to have to do the ALARP approach to satisfy the regulator. And that's quite regrettable, but that's the way...

Gaye Francis (11:43):

But until the two systems align, there's nothing else you can do, because otherwise you leave yourself open for litigation in the event that something awful happens.

Richard Robinson (11:53):

Correct. And you have expert witnesses like us acting against you.

Gaye Francis (11:59):

That is true. Anything in closing comments, Richard, on ISO 31000 and its consequences?

Richard Robinson (12:07):

Oh, I did say before... It's not the whole document. I mean we were talking about IEC 61508, the functional safety assessment standard and it uses targets of safety to decide to do the SIL allocation upfront. That's totally against Australian legislation. I get that, that's not a particular issue. But that doesn't mean the other seven volumes are invalid. And once you've decided what the level you're going to go for is, there's a whole lot of validification and verification processes in there.

(12:34):

So remember, it's not a Standard that's recognised good practice. It's the useful ideas in the Standards that are recognised good practice and therefore you must consider. And the same thing occurs with ISO 31000. There are a number of quite important things in there that are particularly useful. It's just that the basic process acts against the fundamental purposes of legislation. I don't know how anyone doesn't quite get that, but that's the problem.

Gaye Francis (13:00):

I think we also touched on it last week is what we're saying is Standards and policies and things like that are good tools to have, but it doesn't stop an engineer from thinking. You really have to figure it out and use those things, and where Richard said the quote before. But you really have to take with a grain of salt what they say and make sure that it's applicable to what you're applying it to.

(13:27):

Alright. I think we might leave it there, Richard. Thank you for joining us for episode 10 of Season 1. We hope you've enjoyed the season and we will be back with another season soon. So until then, thank you for joining us.

Richard Robinson (13:46):

Thank you.
