The Elsmar Cove Wiki More Free Files The Elsmar Cove Forums Discussion Thread Index Post Attachments Listing Failure Modes Services and Solutions to Problems Elsmar cove Forums Main Page Elsmar Cove Home Page
Google
  Web Elsmar.com
*Please be aware that SOME RECENT forum threads may not yet be indexed by Google.
PDA

View Full Version : Inherent vs. Residual Risk & Significance - ISO 14001

Ruthie J
20th May 2009, 03:22 AM
My last ISO14001 audit highlighted that we had not clearly defined the risk method used, i.e inherent v's residual, when identifying significant impacts.

I'm trying to fix this all up, but I've got myself stuck in a rut about all this.

My question is this..................Basically, if an inherent risk analysis identifies an impact as Significant - and if you then implement controls and then perform a residual risk assessment, and the scoring indicates that it is no longer 'Significant' - does this mean that you no longer have a Significant impact??? :confused:

Or does this mean that you DO have a Significant Impact, but your controls are effective???? :confused:

Would appreciate any feedback to try to clarify this point for me. I've probably over-analysed and confused myself on something that is probably straight-forward to most people :o
harry
20th May 2009, 05:31 AM
I think the first thing that you need to do is to define them. Generally:

Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)

Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls).

With regards to your questions:

Basically, if an inherent risk analysis identifies an impact as Significant - and if you then implement controls and then perform a residual risk assessment, and the scoring indicates that it is no longer 'Significant' - does this mean that you no longer have a Significant impact???
Yes

Or does this mean that you DO have a Significant Impact, but your controls are effective????
Yes and after implementing the controls it is no more significant.
Randy
20th May 2009, 08:22 AM
There is no requirement for anything to be related to risk, in fact significance can be based on the views of interested parties alone if that's what you think is appropriate....Keep it simple.
Ruthie J
20th May 2009, 09:07 PM
So - if an auditor asks 'what significant impacts does your company have' - does this question relate to inherently significant impacts?

Because I could turn around and say 'residually I have none'. Their response could be 'What is the point of having an EMS then?'
harry
20th May 2009, 10:04 PM
Chances are your aspect register may run into several pages long and that you only took action for the ones rated as significant. What about the second-liners? As soon as the significant ones are rendered insignificant, the second liners now become significant and should be your next target. This is a continuous cycle of improvement.

At other times, there may be changes in process, new product or legislation that renders an otherwise insignificant aspect significant - hence a new target. In practice, it is unlikely that you'll end up without any significant aspects.