ERM Chapter 12: Embedding ERM in Health and Safety, Project, and Supply Chain

https://preteshbiswas.com/wp-content/uploads/2025/04/Embedding-ERM-in-Operations_-Health-Projects-and-Supply-Chain-1.mp3

12.1 Health and Safety risk management

Health and safety risk management is an example of a specialized area within the broader field of risk management. As highlighted, risk management is a key competency in health and safety management, primarily aimed at removing hazards—essentially negative risks—through a diverse set of tools, techniques, and skills. Effective health and safety practices hinge on managing risks, with a particular emphasis on threats that could lead to harm. Unlike broader risk management, it typically focuses solely on mitigating dangers rather than opportunities. Most nations have laws requiring employers to implement specific controls, guided by proper risk management, to address health and safety risks. In the UK, for instance, the Health and Safety at Work Act of 1974 outlines the minimum obligations for employers, which include:

  • Identifying potential sources of injury or illness in the workplace (hazards).
  • Assessing the likelihood and severity of harm to individuals (the risk).
  • Taking steps to eliminate hazards or, if elimination isn’t feasible, controlling the associated risks.

The terms “hazard” and “risk” are distinct in this context, and this differentiation is critical in health and safety. It helps prioritize which risks need urgent attention and supports organizations in designing workplaces that minimize or eliminate hazards. Health and safety risk management mirrors the general process of Enterprise Risk Management but often employs specialized terminology and methods, such as:

  • Identifying hazards as part of understanding the context or pinpointing risks.
  • Using impact versus likelihood matrices to evaluate risks.
  • Applying risk management tools like bowtie diagrams, root cause analysis, and failure mode effects analysis to gain deeper insight into risks.

When it comes to controls, widely used concepts include the hierarchy of controls and the Swiss cheese model, which help structure and strengthen risk mitigation efforts. Many organizations, particularly those in heavy industries like construction, mining, and oil and gas, adopt a vision of “zero harm.” This is sometimes understood—or explicitly defined—as having no tolerance for harm. While the ideal is that no one should ever be injured at work, the reality is that some level of risk persists, and there’s always a possibility, however slight, that harm could occur when people are engaged in workplace activities. Though it’s a challenging topic, leaders, risk managers, and health and safety professionals must recognize that injuries can happen despite best efforts, and there are limits to what can be done to ensure absolute safety in a work setting. This leads to defining a realistic tolerance for harm, known in health and safety as As Low As Reasonably Practicable (ALARP).

Note: Some organizations and regions use As Low As Reasonably Achievable (ALARA) instead, but the two terms represent essentially the same idea.

Once the ALARP tolerance level is set, it must be upheld by allocating sufficient resources to maintain a controlled work environment—either by removing hazards entirely or managing risks to an acceptable degree. Health and safety specialists often rely on the hierarchy of controls, which prioritizes eliminating hazards as the most effective way to ensure workplace safety. When elimination isn’t feasible—such as in an existing workplace that can’t be redesigned—other controls are employed. These might include installing barriers to prevent contact with dangerous machinery or replacing high-risk materials (like hazardous chemicals) with safer alternatives that still meet operational needs. As a last option, controls that depend on individuals following instructions, such as procedures or guidelines, should be used. While the hierarchy of controls is well-suited for safety risks, it may not always apply to other risk types, such as those tied to finance, legal issues, or sustainability. The Swiss Cheese Model is another tool frequently used in health and safety risk management. It involves layering multiple controls to address a risk, a practice that’s common across various risk management disciplines.

12.2 Project risk management

All organizations, at some stage in their lifecycle, need to modify their activities, objectives, or strategies through efforts that extend beyond everyday “business-as-usual” operations. These modifications, whether modest or substantial, can be classified as projects. According to the Project Management Institute (2008), a project is “a short-term undertaking designed to deliver a unique product, service, or result.” Although project definitions differ, they consistently exhibit certain features:

  • Temporary: Projects have a clear conclusion (even if their starting point is sometimes vague).
  • Purpose-driven: Every project seeks to achieve specific advantages.
  • Change-focused: Projects are initiated to bring about transformation, impacting both the team implementing them and their target audience.
  • Complex: Even minor projects require coordination of related tasks, introducing complexity.
  • Distinctive: Each project carries an element of originality, as it hasn’t been replicated exactly before.
  • Reliant: Projects depend on collaboration, including internal support.
  • Assumption-dependent: Planning a project involves anticipating future scenarios and working within given limitations.

Projects come in diverse forms and sizes, and their successful execution hinges on meticulous project management. They can be short-lived, like opening a new retail outlet, or span multiple years, such as extensive IT overhaul programs. Generally, the longer a project lasts, the higher the associated risks. This stems from the fact that prolonged and complex plans often depend on numerous assumptions that might not hold true, potentially causing significant repercussions for the organization if those assumptions prove unreliable. Due to their defining traits, projects inherently involve risks, making risk management an essential aspect of project oversight. Structured risk management within projects has been practiced since at least the 1990s, steadily advancing to protect and increase project value. Projects are typically evaluated based on two primary metrics—completion on schedule and adherence to budget—commonly referred to as project constraints or goals. Most also incorporate a third vital measure, such as performance, quality, or functionality, forming what’s known as the “iron triangle.” Determining which metric—cost, time, or performance/quality/functionality—takes precedence helps shape the project’s framework and set realistic benchmarks for risk assessment. Additional success indicators might include delivering quality without accidents, complying with legal or regulatory standards, and preserving confidentiality (for instance, in pharmaceuticals, where new inventions must be shielded from competitors). As a project advances, progress can be measured against milestones, and the accuracy of initial assumptions can be reviewed. This enables updates to projections for timelines, budgets, and other measures of success or objectives.

Programmes

Programme management serves as a coordinating framework for multiple projects, ensuring that broader, overarching benefits are achieved. The Project Management Institute describes a programme as “a collection of interconnected projects managed together to secure benefits and control that wouldn’t be possible if handled separately. Programmes might also encompass related tasks beyond the scope of the individual projects within them.”

The advantages of programme management are numerous, including:

  • Enabling the simultaneous execution of several projects.
  • Leveraging similarities across projects for greater efficiency.
  • Facilitating the alignment of goals and resource use.
  • Offering a comprehensive view of projects, identifying gaps, overlaps, and the combined risks and rewards.
  • Enhancing the handling of interdependencies, such as when one project’s completion is a prerequisite for another’s start.
  • Refining project selection by ensuring they contribute to the organization’s strategic goals.

When thoughtfully planned, structured, and executed, programme management becomes a valuable skill that delivers significant organizational benefits.

Portfolios

The Project Management Institute highlights that project portfolio management differs significantly from project and programme management. While project and programme management focus on the execution and delivery of tasks—ensuring projects are done correctly—portfolio management emphasizes selecting the right projects to pursue at the optimal time. Projects drive change to support an organization’s strategy and goals, and programmes coordinate these efforts to align with broader objectives. However, portfolio management takes this further by ensuring that projects are fully in sync with the organization’s strategic vision. Portfolio management demands a distinct approach and is frequently mishandled, resulting in the selection of unsuitable projects or an overload of initiatives. When executed effectively, it bridges strategic planning with project implementation, directs limited resources to the most valuable projects, and empowers organizations to decline projects when necessary. In essence, portfolio management works alongside project and programme management by supporting “doing projects correctly” (project management), “doing projects collaboratively” (programme management), and “doing the right projects” (portfolio management).

Project Management Office

Many sizable organizations maintain a centralized group of management experts, often referred to as a Project, Programme, or Portfolio Management Office (PMO). This team serves the entire organization, assisting with tasks like drafting project specifications, defining inputs and outputs, setting timelines (commonly presented as Gantt charts), identifying dependencies, and creating cost plans. Collaborating with internal “clients,” the PMO helps ensure effective project risk management, aiding project, programme, and portfolio teams in meeting their goals.

For smaller organizations, an alternative to establishing a PMO is to hire external project managers, either on a retainer or per-project basis.

Key Standards

Various standards and best practice guidelines exist for project management, typically adopted based on an organization’s geographic location. Examples include:

  • Project Management Institute (PMI): Headquartered in the US with global chapters.
  • Association for Project Management (APM): Based in the UK.
  • Australian Institute of Project Management (AIPM): Located in Australia.
  • PRINCE2 (Projects IN Controlled Environments): A structured methodology and certification program originating as a UK government standard, widely used in the UK, Western Europe, and Australia.

Each of these bodies or standards has developed its own project risk management guidance:

  • PMI: The Standard for Risk Management in Portfolios, Programs, and Projects (2019).
  • APM: The Project Risk Analysis and Management (PRAM) Guide, 2nd Edition (2004).
  • PRINCE2: Management of Risk (M_o_R): Guidance for Practitioners, 4th Edition (2022). The M_o_R Guide aims to assist organizations in establishing a robust risk management framework across strategic, programme, project, and operational levels.

While the specific project risk management guidance varies, it aligns closely with enterprise risk management when distilled into four basic steps: establish context and objectives, evaluate risks, address risks, and monitor, review, and report. However, the focus and application differ slightly due to the unique nature and characteristics of projects.

12.3 Supply Chain

The supply chain forms an integral part of an organization’s value chain and is a key focus when outlining the extended enterprise of an organization. The supply chain refers to “a series of linked processes and resources that begins with acquiring raw materials and concludes with delivering products and services to final customers.” An organization’s value chain consists of all the steps it takes to transform a product or service from its initial concept to its ultimate use. Managing the supply chain involves multiple value chain components, such as procurement (a supporting function) and the core functions of inbound logistics, operations, and outbound logistics.

The extended enterprise is a model that enhances understanding of an organization’s internal and external environment. Within this model, supply chain elements are generally aligned with “inputs,” “core activities,” and “outputs.” Supply chain management is particularly critical when organizations outsource significant aspects of their operations or tasks. As highlighted, outsourcing serves as a method to address or mitigate organizational risk. However, it also introduces new vulnerabilities, such as risks related to third-party involvement.

Modern supply chains are becoming increasingly intricate and face unprecedented levels of unpredictability. Key sources of supply chain risk include:

  1. Supplier Risk: Incidents like data breaches or business continuity issues affecting a third-party supplier or their own suppliers (nth-party risk).
  2. Transportation Risk: Obstacles such as customs holdups, strikes by transport workers, theft of goods, or heightened regulations.
  3. Natural Events: Disruptions caused by extreme weather.
  4. Socio-Political Issues: Risks arising from security threats, corruption, sanctions, interstate disputes, or civil disturbances.

Enterprise Risk Management (ERM) supports supply chain management in the following ways:

  • Unified Coordination: ERM promotes collaboration within procurement and across all areas impacted by supply chain disruptions. Since supply chain management is often fragmented, ERM encourages better integration among relevant functions.
  • Consistent Framework: In organizations where supply chain complexity has evolved naturally, management practices may lack uniformity. ERM offers standardized approaches and terminology for evaluating and measuring supply chain risk, benefiting overall supply chain governance.
  • Holistic Perspective: With its methodical process for identifying and assessing risks, ERM ensures that significant yet less immediate supply chain risks are addressed alongside more urgent priorities.

A key focus in recent times has been on “nth party risk,” where risk managers and supply chain leaders are expanding their attention beyond third-party risks to include fourth-party risks and further, collectively dubbed “nth party risk.” During the COVID-19 period, notable weaknesses—or “blind spots”—emerged in the supply chain management setups of most organizations. Research indicated that slightly less than half of companies were aware of their tier-one suppliers’ locations and the main risks they faced. In contrast, only two percent had insight into the locations and critical risks of suppliers at the third tier and beyond. The same research emphasizes that this gap is significant because many of the most urgent supply shortages today occur in these deeper supply chain levels. Its data revealed that 40.2 percent of disruptions tied to COVID-19 originated from issues with tier-two suppliers and beyond, highlighting the need for visibility into suppliers further down the chain. It’s widely acknowledged that achieving full transparency across the supply base is difficult, if not unfeasible, due to the intricate nature of modern multi-tier supply chains, which can involve hundreds or thousands of suppliers for a single product.

Several standards address various elements of supply chain management:

  • ISO 28000 Security Management Systems: This standard outlines the requirements for a security management system. It is relevant to supply chains as it emphasizes security measures that help ensure the safety and integrity of an organization’s supply chain operations.
  • ISO 20400 Sustainable Procurement: This standard describes sustainable procurement as an approach that maximizes positive environmental, social, and economic outcomes throughout a product’s life cycle. Sustainability is explored further in Unit 8.
  • ISO 9001 Quality Management: ISO 9001 is noteworthy because it is frequently used as a baseline standard for engaging with suppliers. Certification to ISO 9001 provides confidence that a supplier adheres to minimum quality standards in its operations.

Contractual approach

Risk management is essential in overseeing supply chain management, procurement, and contractual strategies. Various types of supply chain relationships exist, each carrying different levels of risk for both clients and suppliers. A critical choice for an organization is determining the nature of its relationship with a supplier. Hopkin and Thompson discuss options like strategic partnerships, joint ventures, and outsourcing, outlining the pros and cons of these arrangements from the viewpoints of both clients and suppliers. The contract established with the supplier serves as a vital mechanism for addressing the risks tied to these supply chain dynamics.

The advantages and disadvantages of each contract type, for client and supplier, are summarized below:

  • Strategic partnership
    Advantage to client: priority treatment, continuity of supplier, reduced cost.
    Advantage to supplier: secured market, long-term contract.
    Disadvantage to supplier: fixed cost, reliance on one customer.
  • Joint venture
    Advantage to client: priority supply status, some management control of the supplier, denying competitors access to the supplier, reduction in headcount and greater flexibility, reduced capital investment.
    Advantage to supplier: secure market, shared funding, shared risks.
    Disadvantage to supplier: reliance on one customer.
  • Outsourcing
    Advantage to client: transfer of some risks, reduced costs, greater level of experience from the supplier, reduction in headcount and greater flexibility, reduced capital investment.
    Disadvantage to client: careful contract consideration required, supply chain exposure, potential protected employment rights.
    Advantage to supplier: secured market, long-term contract.
    Disadvantage to supplier: potential protected employment rights.

The Kraljic Matrix

The Kraljic Matrix, created by Peter Kraljic, is a widely adopted tool among procurement and supply chain experts. It aligns procurement and supply chain strategies with the level of supply risk and the potential impact of disruptions on an organization’s profitability, as illustrated in the Kraljic Matrix.

  • Leverage Items: These items are essential to the organization, and there is an abundant supply.
    The organization should leverage its strong buying power through aggressive negotiation tactics, such as bulk purchasing at fixed rates or securing long-term contracts for better pricing.
  • Strategic Items: These products or services are crucial to the organization, but their supply is limited or scarce.
    Building long-term partnerships with these suppliers is recommended, and opportunities for collaboration or innovation with them should be carefully evaluated.
  • Non-Critical Items: These items are not vital to the organization, and supply is readily available.
    The focus should be on streamlining procurement processes, such as implementing automated purchasing systems, to boost efficiency.
  • Bottleneck Items: These products or services matter to the organization but are not essential, and their supply is unreliable.
    The organization should investigate alternatives with more consistent availability and, in certain cases, may support suppliers by encouraging them to stockpile scarce raw materials.
