By Mark Boult and Mark Fisher
In 1978 Frank Bird and George Germain published the first edition of the International Safety Rating System (ISRS®). It was the result of collaboration with a range of companies and individuals across industries to determine the “ideal” Safety Management System. The ambition was for companies to use ISRS to assess their performance against the “ideal” so that they could identify improvement opportunities and track their performance in an objective, repeatable manner.
41 years later DNV GL published the 9th edition of ISRS (now called the International Sustainability Rating System) continuing the expansion of ISRS beyond health and safety into 10 risk categories. We collaborated with a broad range of clients to define the ideal management system for controlling operational risks.
ISRS has matured into a suite of tools that allow companies to understand their proximity to best practice and support their continual performance improvement. It does this in the context of the interaction of human, organisational and technological risk controls.
At the heart of ISRS is the Core Risk Loop (see figure).
This is aligned with ISO, 2018, ISO 31000, “Risk management — Guidelines”, and COSO, 2017, “Enterprise Risk Management – Integrated Framework”, but adds more resolution where experience suggests organisations need greater focus. This is particularly so in defining and communicating the risk control strategy (the “S” of the loop), which explains how risks are to be managed and the performance expected of controls.
At the IRM Risk Leaders Conference in November 2019, we ran two workshop sessions with over 80 people attending from a range of industries. The workshops considered the Core Risk Loop and the current performance of each of its steps. The feedback from the workshops is summarised in the graph.
The results show broad satisfaction with the performance of the Identify, Analyse, and Evaluate steps of the loop. Sentiments were less satisfactory when considering control Strategy, Communicate and Implement. The results for the Monitor, Review and Update steps were more balanced but received fewer votes, possibly suggesting more neutrality or less confidence about performance in these areas.
Interestingly, these outcomes correlate with our findings in our consultancy work.
Our view is that successful implementation of the Core Risk Loop is how an organisation can demonstrate it has control of its risks. Confidence in the implementation is key, and objective measurement and benchmarking develop that confidence.
ISRS 9th Edition Risk Categories
Mark Boult (CFIRM) and Mark Fisher are directors at DNV GL consultancy. The workshop took place at IRM’s 10th Risk Leaders conference in London in November 2019. The views expressed are the authors’ own and do not represent the views of IRM.