Dr Alan Waring, risk management consultant, discusses systems management and the validity of SHE certificates and the standards these are meant to uphold.

My invective this month has a "systems" theme. Hands up all those who have heard of and may possibly know something about ISO 14000 Specification for Environmental Management Systems and OHSAS 18001 Specification for Occupational Health & Safety Management Systems?

Those of you who, like Manuel in Fawlty Towers, "know nurthing", need not fret. Being as yet unsullied by the management systems bandwagon, you "virgins" should do your darndest to keep your innocence.

Now, how many of you who do know something about such "management systems standards" think they are not all they are cracked up to be? "What's he on about?" I hear you say. Surely it's obvious that any organisation that adopts these standards and gets a certificate to prove it must be far better at their safety, health, and environmental (SHE) management than those that do not. Well, that's what the standards movement and all their commercial bedfellows want you to believe.

The bandwagon started with so-called "quality management systems" and ISO 9000. Forgive the naïvety, but I and many others thought that this was all about actual quality of product. However, it turns out to be about quality and consistency of administrative procedures.

All very necessary, but not the same thing. As various wags have noted over the past decade, you can get an ISO 9000 certificate for consistently producing rubbish just as easily as for producing excellent products. Supply of poor-quality products is a big risk faced by all organisations in the supply chain that rely solely on ISO 9000.

But wait for it! After all these years, the latest ISO 9000 version now seeks to adopt a more business-oriented approach involving "Top Management" (sic) and yes, amazingly, the poor old customer's needs get a look in as well. Will it really achieve what it should? I for one will not be holding my breath.

Company benefits
I am not saying that such standards have no value, but they are over-rated. For many organisations, these standards can provide a useful aide-memoire. For those organisations starting from a low base, typically the small to medium-size outfits, following some kind of think-plan-do-check approach is likely to be beneficial. Even better if they can get a certificate to show they have achieved the minimum required.

Therein lies the problem. In the real world, SHE and risk management generally require far more than these minimalist standards actually offer. Risk reduction and control are not simple linear functions of following such standards, and certification is an expensive illusion.

As my colleague Dr Ian Glendon and I wrote in our book, Managing Risk: "Motivations for seeking to adopt management standards within organisations may be founded on a flawed understanding of the degree of prediction and control that is possible through such models. Naïve management systems intended to control particular risks may be therefore only partly effective while creating an illusion that they have been fully controlled.

"To be effective, risk management should ensure that management systems take full account of the inner context of the organisation (including history, structure, culture, resources, motivations and power relations) and its environment, both of which affect how risks are perceived and what is done about them."

My five years' experience as a member of the committee and drafting panel for BS8800 Guide to Occupational Health & Safety Management Systems left me in no doubt of the scale of the problem.

Too often, the proponents and advocates of such standards appear to be propelled by a false belief that these offer some kind of guaranteed salvation from the messy realities of prediction and control where human activity is concerned. Some also regard such standards, regardless of their flaws, as a vehicle for commercial exploitation. There are countless "third party audit" consulting and training companies only too willing and eager to take your money to help you get a certificate.

Advertising hype implies that unless your organisation is certified, then somehow it is sub-standard, yet this may be far from accurate. Indeed, the minimalist and normative compulsion of such standards tends towards mediocrity and not excellence. The "proof of the pudding" etc.

Robust risk management systems (RMS) are also definitely needed, particularly in the context of corporate governance requirements post-Turnbull. ASNZ 4360: 1999 made a stab at providing a standard and a revised version is awaited. AIRMIC, IRM and BSI are also engaged in developing an RMS standard. All this is fine if it is just guidance, but can certification standards concerning fallible, wilful, variable and unpredictable human beings ever be reliable in delivering what they purport to? For my part, I shall stick my own "health warning" on them. Caveat emptor!

