Open access peer-reviewed chapter

The Utility of M-31000 for Managing Health and Safety Risks: A Pilot Investigation

Written By

Manikam Pillay

Submitted: September 29th, 2017 Reviewed: April 24th, 2018 Published: November 5th, 2018

DOI: 10.5772/intechopen.77949



The management of occupational health and safety (OHS) risks is an important part of any business. ISO 31000 risk management has been suggested to represent the natural standard for integrating OHS risk management into business operations. However, published research on this standard is very limited, so its ability to influence the management of OHS risks is unknown. The aim of this chapter is to report on the first part of the findings of a pilot study aimed at investigating the utility of the ISO 31000 risk management standard for managing OHS risks. A review of the published literature on ISO 31000 is presented first. This is followed by a modified theoretical framework, M-31000, taking into account OHS risk management practice. Responses from 42 of 149 key informants, selected as part of a purposive sampling strategy, identified three main advantages of ISO 31000: acting as a good starting point for risk management, supplementing other risk management strategies, and allowing for easier integration with other similar strategies. The two main shortfalls identified in this pilot were that the standard was vague and difficult to implement. The study also revealed that M-31000 was much simpler and more consistent with safety management practice.


  • risk management
  • health and safety risk management
  • ISO 31000
  • M-31000
  • pilot studies
  • safety management practice

1. Introduction

The effective management of occupational health and safety (OHS) is an integral part of risk management in organisations. More than 2.7 million workers die from work-related accidents and diseases and over 374 million people suffer from non-fatal accidents and injuries [1]. These have increased by 17% compared to a decade ago and are expected to increase further as organisations are challenged by globalisation, advanced technologies, and their increasing complexity [2, 3]. A number of institutional, regulatory, and structural arrangements have been developed and implemented to address the impact of these developments. These include, for example, a strategy for sustainable prevention [4], visions of zero accidents [5], or healthy, safe, and productive working lives [6]. These underpinned a key principle of the United Nations' Universal Declaration of Human Rights, that all workers, regardless of their occupation, have the right to a healthy and safe working environment. At the same time many safety practitioners charged with managing OHS risks are being asked to draw on strategies and measures for achieving simultaneous business objectives of environmental protection, finance, and quality management. The international standard for risk management, ISO 31000:2009, has also been suggested as providing the necessary mechanism for such integration [7]. However, apart from the guidance notes and supporting documentation, published research on ISO 31000 is limited, so its utility for managing OHS risks remains questionable [8]. A framework for implementing risk management based on ISO 31000 has been proposed for construction projects [9]. However, this has been suggested to be suitable for construction organisations which have a relatively mature approach to risk management, has not been empirically tested outside of construction, and does not take into account practices and approaches used for managing OHS risks [8].

To overcome this, another framework based on ISO 31000 has been proposed [8]. This framework, M-31000, takes into account the key process common to OHS practice. However, it has not been empirically tested or validated. The present chapter reports on the first stage of a research project aimed at investigating the utility of ISO 31000 and M-31000 for managing OHS risks in the Australian industry.


2. Literature review

2.1. The ISO 31000 risk management standard

The International Organisation for Standardisation (ISO) published ISO 31000 in 2009. Titled ‘Risk management—principles and guidelines’, it represented the concerted efforts by a dedicated group of international technical advisors from a range of industries and backgrounds [10]. One of the key aims behind ISO 31000 was to ensure consistency through one vocabulary, a set of performance criteria, a common process, and guidance on how such processes could be integrated in decision-making [11]. As such it has been regarded the gold standard in risk management [12]. Lalonde and Boiral [7] argued that ISO 31000 offered a number of advantages over previously established standards. These included a comprehensive and multi-risk approach to reinforce commitment from leaders in the advance of decisions, ability to integrate the risk management framework into an organisation’s existing practices, principles and guidelines to manage poorly understood complex risks, and the ability to adapt the risk management system to specific contexts. However, authors such as Leitch [13] have argued that the terminology used in ISO 31000 was vague or ambiguous, offered minor guidance to managers, and was impossible to comply with. Purdy [11] proposed that some compromise and change was required to address the differences in terminology and its application across different regions and sectors.

ISO 31000 includes five main chapters [14]; of interest to this project are the last two: framework and process. These are briefly discussed below.

2.1.1. Framework

ISO 31000 provides a structured framework for managing organisational risks. This includes five main stages, so is an expanded version of the Plan-Do-Study-Act (PDSA) cycle [15]. These stages include (i) mandate and commitment, (ii) the design of framework for managing risks, (iii) implementing risk management, (iv) the monitoring and review of framework, and (v) the continual review of framework [14]. A common framework provides an assurance that proposed organisation-wide processes for managing risks are supported and iterative, have continued to remain effective, and provide the necessary mechanism for integration, reporting, and accountability [10, 11]. It also includes the core supporting organisational structure, mandates, policies, and procedures [16]. The ‘framework is not intended to prescribe a management system, but to assist organisations integrate risk management into its overall management system’ [14]. Many organisations already have established management systems, such as ISO 9001 (Quality), ISO 14001 (Environmental Protection) or OHSAS 18001 (Safety), so there is an expectation that the key processes used for these can be integrated into a company’s risk management framework [8, 17].

2.1.2. Process

Risk management involves a series of integrated and coordinated activities aimed at directing and guiding an organisation in relation to risk; ISO 31000 has summarised these into five main ones, including (i) communication and consultation, (ii) establishment of the context, (iii) risk assessment, (iv) risk treatment, and (v) monitoring and review [8, 11, 14]. Steps (i) (communicate and consult) and (v) (monitoring and review) have been suggested to act continually and hence to be part of the other three activities [11].

2.2. Published research on ISO 31000

Ciocoiu and Dobrea [18] examined standardisations in improving the effectiveness of an integrated risk management strategy and concluded that ISO 31000 was an appropriate tool for formalising the process and harmonising best practice. Gjerdrum and Salen [19] explored the basics of ISO 31000 and argued that it made risk management a central part of organisational success. Oehmen et al. [20] examined the adoption and application of ISO 31000 in product design and concluded that, while the suggested process was relevant, the published literature addressed different aspects of them to varying degrees, and there was generally a lack of integration between the suggested standards and processes. Gjerdrum and Peter [21] compared ISO 31000 with the enterprise risk management (ERM) framework and found that ‘establishing the context’ and continuous ‘communication and consultation’ were major differences between the traditional processes of managing risks between the two frameworks. The authors concluded that the main strengths of ISO 31000 were in the identification of risk owners. In construction, Liu et al. [22] examined the practices and challenges of implementing enterprise risk management (ERM) modelled on ISO 31000. This research revealed that the construction organisations generally had a basic understanding of risk management and a relatively clear focus on market and financial risks; most had an established risk management system, and the main means of managing risks involved behavioural control. Dali and Lajtha [12] reviewed how the field of risk management had progressed and used this to compare the strengths and weaknesses of guidance provided on ISO 31000. Sousa et al. [9] integrated operational and organisational strategies to propose an ISO 31000 framework for managing risks in construction projects. Luko [16] reviewed the terminology and language, used the new guidelines as adopted in the United States as ANSI/ASSE Z690.2-2011, and concluded that ISO 31000 provided a good framework for managing quality and business risks through integration. Scannell et al. [23] investigated the supply chain risk management (SCRM) approaches and determined that ISO 31000 included the core steps used in SCRM but included two additional steps and so was more comprehensive. This research also revealed that companies recognised the importance of SCRM but lacked skills and the ability to integrate these into ISO 31000. Ariff et al. [24] proposed a framework which integrated enterprise risk management with ISO 31000 to improve organisational performance in the Malaysian public university system. Collectively, these studies point towards a gradual adoption of ISO 31000 into different sectors and aspects of business risk management.

A few studies have also sought to investigate and/or link ISO 31000 with OHS risk management.

Haddad et al. [25] proposed a risk assessment method, hazard matrix, and demonstrated how this could be applied to health, safety and environment management by integrating it with the risk management process suggested in ISO 31000. The method suggested by the authors is useful for prioritising risks, which is one part of an overall risk management process. The authors noted a difficulty with their method, which was in prioritising both environmental and occupational risks in the same hazard matrix. Moraru [26] identified effective practices, processes, and structures in OHS risk management and demonstrated how these could be integrated in the ISO 31000 framework. The authors argued their framework provided a step forward to managing safety compared to a decade ago, but there was a need to adopt a more systematic approach for managing safety risks as part of their journey towards a culture of prevention. Poplin et al. [27] demonstrated how the ISO 31000 risk management process could be used to prioritise and manage injury risks in the Tucson fire department using a systematic approach. The authors contend that a significant amount of resources was required for conducting the key stages of their approach, which included scoping, risk assessment, and implementation, and that their approach was suitable for one or two key tasks. A more recent study described the process, outputs, and lessons learnt from a proactive application of the ISO 31000 risk management process to reduce emergency service vehicle crashes in the US fire departments [28].

These studies point to a move towards some levels of adoption. Most of the above studies, however, concentrated on some aspects of the risk management process. None of these took into account safety management practices, so the utility of ISO 31000 for managing safety risks remains questionable [8]. This is an important issue from the perspective of safety management scholars and practitioners.

2.3. Key differences between ISO 31000 and OHS management process

There are four main differences between ISO 31000 and OHS management practice.

The first is the inclusion of ‘establishing the context’, a concept which is not featured in health and safety management practice [8]. According to Sousa et al. [9], this involves evaluating and understanding the internal and external contexts, the challenges faced by the organisation, factors which can impact on the achievement of goals, and the broader risk management strategy. Flaus [29] suggested distilling this stage into four key inputs, including (i) external environment; (ii) internal environment; (iii) risk management framework; and (iv) risk criteria [8]. The closest reference to ‘context’ in the OHS management process comes from safety cases in the major hazard regime, in the form of facility descriptions [30]. In effect, this is equivalent to the ‘background’ of any major undertaking or project and is deemed important because

  1. risk management takes place in the context of the broader organisational objectives and

  2. the objectives and performance criteria for any specific project, process, or activity need to be considered alongside other related objectives.

The second is the notion of ‘risk identification’, which is suggested to be the first part of the risk assessment process under ISO 31000 [8]. This is confusing, something previously identified by others [31]. Moreover, it represents a significant point of departure from existing OHS literature and practice, which associated risk with a ‘degree of harm, injury or disease’. Being able to determine degree involves making some level of determination based on two aspects, consequence and severity, so risk is an outcome of an assessment process. OHS regulations, practitioners, professionals, and academics relate more to the notion of identifying hazards, not risks! Manuele [32] makes this point more precisely, that hazards provide the generic base and justification of the practice of safety. The term ‘hazard identification’ instead of ‘risk identification’ is more common. Related to the notion of risks in the standard form are the terms risk analysis and risk evaluation, each of which has a different meaning. According to ISO 31000, risk analysis involves a ‘process for comprehending the nature of risk to determine the level of risk’, while risk evaluation involves a ‘process of comparing the results of risk analysis with risk criteria to determine whether the level of risk is acceptable or not’ [14]. In this regard there are two different outcomes of analysis and the evaluation of risks:

  1. from risk analysis—the level of risk

  2. from evaluation—the decision whether the level of risk is acceptable or not.

Again, in OHS practice, the simpler process of ‘risk assessment’, which accounts for analysis and evaluation, is more common [8]. This is summarised by Rausand [33] as ‘the overall process of risk analysis and risk evaluation’. Combining these two ideas gives us the main difference in the way risk is conceptualised. In OHS practice risk includes determining the level of risk (hence the process of risk analysis) and a decision about whether this level of risk is acceptable or not (risk evaluation). Most importantly, it is also a separate process from hazard identification [8].

The third difference is the notion of ‘risk treatment’. The use of the term treatment seeks to suggest that an adverse outcome is a normal expectation of risk management, a philosophical problem when applied to OHS which has, at its core, the main objective of preventing harm, illness, injury, or diseases [8, 34]. For these reasons, OHS practice refers to risk control rather than risk treatment [35]. Hence, the process that follows risk assessment is risk control instead of risk treatment [8].

The fourth difference is in the range of approaches suggested for dealing with risks [8]. ISO 31000 posits that this can be done by avoiding the risks altogether, taking or increasing the risk to pursue an opportunity, removing the source, changing likelihood, changing consequences, sharing (outsourcing) through contracts and risk financing, and retaining the risks through informed decision-making [14]. However, in Australia, the suggested approaches of transferring and retaining OHS are illegal under safety law [36]. This is because the primary responsibility for management and control of OHS hazards remains with the person conducting or undertaking a business [35], irrespective of any efforts to engage with contractors or insure it off. Safety practitioners will therefore find it difficult to implement these specific controls.

2.4. A modified ISO 31000 OHS risk management process

In order to make ISO 31000 more user-friendly to safety managers, practitioners and scholars, a modified ISO 31000 OHS risk management process (herein called M-31000) has been suggested [8]. This addresses some of the differences identified in Section 2.4 and includes a set of six iterative stages. It retains communicating and consulting, establishing the context, and monitoring and reviewing suggested by ISO 31000. However, it introduces the identification of hazards (instead of risk), the assessment of risk, and control of risks, as illustrated in Figure 1. The authors provided that M-31000 was theoretical in nature and had yet to be tested for its application in the general industry. The present study aims to address this by investigating the utility of M-31000 for managing OHS hazards and risks. In doing so it seeks to stimulate safety managers, leaders, practitioners and scholars to think more laterally before implementing ISO 31000 [7], by starting with careful listening to the practice of risk management [37].

Figure 1. M-31000 OHS risk management process [8].


3. Research method

A pilot study was undertaken in order to examine the efficacy of ISO 31000 and M-31000 for managing OHS risks in Australia. Pilot studies guide the design and implementation of larger-scale studies and the collection of credible data and hence are an integral part of any social research [38, 39]. An exploratory research design [40] using purposive sampling [41] was utilised for this pilot. The informants included graduate students completing two postgraduate courses in OHS who were interviewed in 2016 and 2017. Apart from demographic information, the informants were asked to share their experiences and comment on two specific questions around:

  1. the usefulness (or otherwise) of ISO 31000 and M-31000 for managing OHS risks in their organisations and/or roles and

  2. any other approaches they had used, or were familiar with, for managing OHS risks in their work and organisations.

This chapter presents and discusses the findings for the first part.

The main data collected included free-flowing texts of responses to the above open-ended questions [42]. Comments were collated into a word document and pseudonyms used to code each comment to de-identify the personal details of the informants. Each comment was read twice, first to get a general overview of the data and the second for in-depth information to identify common themes and/or any sub-themes located in large blocks of texts [42, 43]. The aim here was to capture the surface meanings of the data as explicitly stated by the informants in order to maintain the original meaning of the key message(s) conveyed. In order to be regarded as a theme, the core message needed to be expressed by at least three different informants.


4. Findings and discussion

A total of 42 informants responded to the questions from a class size of 149, with a response rate of 28%. The informants included a relatively diverse group: risk managers, project managers, safety managers and/or coordinators, engineering managers and human resources. Most worked for large companies or projects and had between 2 and 18 years of experience in the field. Many chose not to divulge their sex, while a number chose to remain silent on their specific roles and the industries in which they had worked.

4.1. Utility of ISO 31000 for managing risks

The respondents raised a wide range of views regarding ISO 31000. Those relating to its positives centred around three main themes. These included:

  1. a useful starting point for risk management,

  2. supplementing other risk management strategies, and

  3. the ease of integration with/into other management systems.

4.1.1. ISO 31000 as a useful starting point for risk management

The first finding was that ISO 31000 provided a useful starting point for risk management. Examples of this theme are illustrated in the following excerpts:

‘The risk management process …is a useful starting point for those seeking to establish risk management process’ MG-01.

‘…is considered a starting point for initiating and obtaining further knowledge about risk…’ DA-25.

‘ISO 31000 is considered a good starting point for any company…’ RK-27.

This finding is consistent with the ISO’s position that ISO 31000 is a generic process [14]. Previous authors have argued that risk management is a strategy that managers take up [7]. This needs to start from somewhere, and the above finding suggests that ISO 31000 acts as a starting point for the doing part of risk management—establishing the process and obtaining knowledge about risks. This is also supported by Gjerdrum and Peter [10], who argued that it acted as a vehicle to make risk management central to successful performance and therefore an integral part of other business processes such as planning, management, and governance.

4.1.2. ISO 31000 supplemented other risk management strategies

The second finding was that ISO 31000 supplemented other risk management strategies. Examples of this theme are indicated in the excerpts below:

‘… used in parallel with other risk management strategies…’ JC-08.

‘ISO 31000 is… domain neutral for all types of risks’ GP-22.

‘…works well when applied…to holistically manage business risks…’ MH-30.

‘…consistent with other ISO standards in that it promotes a “plan, do, check, act”…’ DC-37.

‘… ISO 31000 support … rather than replace those standards’ MC-39.

ISO 31000 is built around a three-tiered structure incorporating principles, framework, and process [12], so the above finding provides some support for this claim. It has previously been asserted that ISO 31000 be used in conjunction with, or takes into account, other similar strategies [24, 26, 31, 44]. Some authors have argued against the creation of any additional, parallel management system [12], while others have made the case for ISO 31000 to complement other conventional risk management systems [7, 23, 24]. This includes systems-based approaches.

4.1.3. ISO 31000 allowed for easier integration

A third common finding was that ISO 31000 allowed for an easier integration of risk management strategies. The following excerpts illustrate examples of this theme:

‘…and one of them is the ISO31000 can easily integrate into organisation existing practice…Companies with ISO 9001 and ISO 14001 certifications could incorporate into their management system’ MR-11.

‘ISO 31000 used as a set standard would allow for integration of …risk management practices’ MG-19.

‘…. It provides an important framework for integrating OHS into an organizations broader objective’ DA-25.

‘ISO 31000 … provides the necessary framework for integrating OHS into an organisations broader objectives’ MS-35.

ISO 31000 has been suggested to provide a structured framework to meet the needs of any type of organisation [7]. Moreover, it has been suggested to act as an umbrella for over 60 standards and guidelines for risk management and is more user-friendly than many other ones [12]. So the above finding is in tandem with the expectations of the risk management standard with respect to integration into an organisation’s risk management decision-making processes [11, 14]. The ease of integrating ISO 31000 into existing approaches for managing different risks (environmental, business, political) has been argued to be one of its key strengths [9, 12, 23, 26]. The results from this study provide support for this argument, with examples for quality and environmental protection. In addition, the results also provide support for integrating practices (MG-19) and objectives (DA-25 and MS-35). It is possible this takes into account different models and theoretical frameworks [26] to enable risk managers to take a more holistic view.

4.2. Concerns and issues with ISO 31000

A number of informants also saw a number of problems with ISO 31000. The two main ones included it being vague and lacking consistency and being difficult to implement.

4.2.1. ISO 31000 was vague and lacked consistency

A number of informants provided comments about ISO 31000 being vague. Some examples of this are illustrated in the excerpts below:

‘the standard is quite vague’ KW-14.

‘The intended meaning … is frustratingly hard to pin down. Key words and phrases are either vague, have meanings different from those of ordinary language, or even change their meaning from one place to another’ RH-06.

‘a number of concerns … relate to the process, terminology and its interpretation …’ SV-07.

‘…contains steps that are not necessary or particularly accurate in the risk management process’ JB-17.

One of the aims behind the development of ISO 31000 was to provide a common language and process for risk management specialists, auditors, and assurance providers, thereby enhancing the communication between the various stakeholders [14]. However, the findings above suggest this is not necessarily the case. This has also been identified previously by authors such as Leitch [13] and Purdy [11], who argued that there remained some elements which needed to be simplified to enable the framework to be better understood and implemented and appear less onerous. In this instance the respondents raised a similar opinion. Future full-scale investigations should explore whether this was a broader issue. Moreover, while terminology, process, and steps were identified as potential areas of confusion in this pilot, further studies should investigate which specific terms, process, and steps required more clarity.

4.2.2. ISO 31000 was difficult to implement

Another common finding was that ISO 31000 was difficult to implement, as the following excerpts demonstrate:

‘A risk management system is more easily applicable … if it is simplified. An over complicated risk management system can end up being demanding on time and company resources with more going in to the administration of the management system than the management of risks’ BH-18.

‘Impractical aspects are that (ISO 31000)… leads to illogical decisions if followed; is impossible to comply…’ MG-19.

‘whilst this standard is quite succinct, it is…lax in nature and offers little direction … as to how the processes of management risk should actually be implemented’ DG-21.

‘The negative aspects of the risk management process … are that it is difficult to use in industries…’ PG-24.

‘… it would prove challenging to incorporate….’ DV-29.

The ability to design or revise the components of its risk management system to suit a company’s key processes, structure, and risk profile has been suggested to be one of the main strengths of ISO 31000 [11]. The above findings indicate that this is not necessarily the case. This is not uncommon and possible reasons may be due to the changing nature of risk [45] or their management [46]. In the previous finding one of the informants suggested that ISO 31000 contained unnecessary steps, and this could make it difficult if the suggested process was used as a prescribed approach to managing risks. Risk management needs to make sense and should not be used for bureaucratic back covering, scaring people, or generating useless mountains of paperwork [47]. Some ways in which aspects of ISO 31000 could be improved have also been suggested, including:

  1. minimising use of labels,

  2. simplifying the risk assessment process,

  3. adopting an existing risk assessment process,

  4. accepting subjective assessments during risk assessment, and

  5. accepting uncertainty [26].

These improvements are associated with risk, or its assessment, which is an area of contention raised previously [8, 31]. Some authors have attempted to simplify the adoption and use of hazard matrixes [25] but whether this simplifies the overall process of risk management is unknown. Future full-scale investigations should enable an understanding of which specific aspects of the overall process were difficult, including any specific examples and/or cases.

4.3. Utility of M-31000 for OHS risk management

The respondents also raised positive views regarding M-31000. The two main themes are centred around its

  1. simplicity and

  2. consistency with safety management practice.

4.3.1. M-31000 was simple

A common understanding regarding M-31000 was that it was a simple approach. Examples of this are reflected in the following excerpts:

‘…The adapted version supports new, simple way of thinking…’ FB-05.

‘I would recommend the use of the simplified HSRM process’ SV-07.

‘…focus on health and safety make the simplified model…appealing as a practical, hazard management process’ JB-17.

‘…reducing the process from seven items to six…’ AM-10.

‘The adaptive version … allows the framework to be more understandable…’ MRA-11.

‘the adapted version of ISO 31000 provides a more concise and clear risk management process, …. By summarising into 5 key points, primary objectives for an organisation are better understood’ KW-14.

‘The adapted version … simplifies the ISO 31000 risk management process, by combining and eliminating certain steps…’ BT-26.

The need to keep the process of risk management simple and sensible has also been previously raised [12]. The informants in this instance believed M-31000 allowed this to occur by reducing the number of steps, making it more understandable and combining and eliminating certain steps. In some ways this may address the issue of reducing bureaucracy, paperwork, and making it a more sensible approach [47]. While this may indicate that M-31000 is easier to adopt, future studies should focus on actual experiences of implementing the revised version to identify if this is supported across small, medium, and large organisations across different industries and different hazards. This is necessary to identify which parts of the process are working as presented and which ones require further adaptation.

4.3.2. M-31000 is consistent with safety management practice

Another common theme was that M-31000 was consistent with safety management practice. Some examples of this are included in the following excerpts:

‘…seeks to better represent WHS by… retaining historical WHS language…’ AM-10.

‘Safety practitioners and professionals would be more likely to identify with a more relevant process of assessing hazards to health & safety’ BT-26.

‘…, alignment with in-the-field understanding and practice is required. We should speak of “hazard identification” rather than “risk identification” because “risk” implies predicting consequences by jumping to conclusions. Likewise ‘Risk treatment’ incorrectly implies a risk as something negative rather than an opportunity…’ DM-36.

‘The simplified HSRM process is more practical for OHS risk management whilst being harmonious with the standard’s principles…’ FD-38.

‘…the adapted version … is more closely aligned to the terminology utilised in this jurisdiction’ MG-01.

‘…the adapted version of risk management is more closely aligned with other health and safety management frameworks (e.g. OHSAS 18001). …’ RK-27.

One of the criticisms of ISO 31000 was that it failed to account for OHS management practice, including steps such as risk identification and risk treatment [8]. In this instance the informants felt M-31000 addressed this shortfall through a mix of retaining historical language, the process for assessing health and safety hazards, and closer alignment with safety management, while retaining the essence of the ISO 31000 principles. Again, while consistency with safety management practice has been suggested to be one of the main reasons for M-31000, future studies should investigate which aspects of the process are consistent and/or closely align with safety management practice and actual experiences of integrating it with safety management systems such as AS/NZS 4801, ILO-OSH 2001, OHSAS 18001 and/or ISO 45001.


5. Limitations and conclusions

5.1. Limitations

Any pilot study will have its limitations, and this study is no exception. The use of a purposive sampling strategy is one. This is a subjective and non-probabilistic approach and can lead to errors in judgement by researchers and high levels of bias [38, 39]. Future researchers investigating this issue should consider quota, cluster, or more systematic sampling methods. A second limitation is the issue of quality in the research process. There is a wide diversity of methods and approaches used for conducting qualitative research [48] and an equally large set of quality indicators [49]. Future studies should make the quality criteria clear.

5.2. Conclusions

In spite of these limitations, this study is one of the first to shed some light on the utility of ISO 31000 and M-31000 for managing health and safety risks. The findings of this pilot investigation suggest that ISO 31000 provided a useful starting point for risk management, supplemented other risk management strategies, and allowed for ease of integration with or into other management systems used by organisations. The two main disadvantages included it being vague and difficult to implement, and these could restrict its uptake and/or adoption. Future full-scale investigations should investigate those aspects of the overall process deemed to be difficult and which specific terms, processes, and steps require more clarity. With respect to M-31000, the findings suggest it was simple, more consistent with safety management practice, and could enable closer alignment with other safety management systems. Future studies should consider actual experiences of implementing M-31000 to identify if this is supported across small, medium, and large organisations or across different industries and different hazards in order to identify which parts of the process are working as presented and which ones require further adaptation. In addition, studies investigating aspects of M-31000 which are consistent and/or closely align with safety management practice and actual experiences of integrating it with safety management systems such as AS/NZS 4801, ILO-OSH 2001, OHSAS 18001 and/or ISO 45001 will also be useful to advance research and practice in OHS risk management.



Parts of this chapter have been previously presented at the 2015 CIBWO99 International Health and Safety Conference, Northern Ireland. The author wishes to acknowledge the assistance of the 42 informants who responded to the questions posed and shared their insights into the key focus areas of this pilot study.


  1. International Labour Organization. Safety and Health at Work. 2017. Available from:
  2. Pillay M. Accident causation, prevention and safety management: A review of the state-of-the-art. Procedia Manufacturing. 2015;3:1838-1845
  3. Pillay M. Improving organizational health and safety performance: Theoretical framework and contemporary approaches. International Journal of Management Excellence. 2016;7(3):855-866
  4. International Labour Organization. Safety and health at work: A vision for sustainable prevention. In: XX World Congress on Safety and Health at Work; 2014. Frankfurt, Germany: International Labour Organization; 2014
  5. Zwetsloot GIJM, Aaltonen M, Wybo J-L, Saari J, Kines P, Beeck ROD. The case for research into the zero accident vision. Safety Science. 2013;58:41-48
  6. Safe Work Australia. Australian Work Health and Safety Strategy 2012–2022. Canberra: Safe Work Australia; 2012
  7. Lalonde C, Boiral O. Managing risks through ISO 31000: A critical analysis. Risk Management. 2012;14(4):272-300
  8. Pillay M, Jefferies MC. A revised framework for managing construction health and safety risks based on ISO 31000. In: CIBWO99 International Health and Safety Conference, Benefitting Workers & Society Through Safe(r) Construction; Belfast, Northern Ireland: International Council for Research and Innovation in Building and Construction; 2015. pp. 467-477
  9. Sousa V, Almeida NM, Dias LA. Risk management framework for the construction industry according to the ISO 31000:2009 standard. Journal of Risk Analysis and Crisis Response. 2012;2(4):261-274
  10. Gjerdrum D, Peter M. The new international standard on the practice of risk management: A comparison of ISO 31000:2009 and the COSO REM framework. Risk Management. 2011;21(March):8-12
  11. Purdy G. ISO 31000:2009—Setting a new standard for risk management. Risk Analysis. 2010;30(6):881-886
  12. Dali A, Lajtha C. ISO 31000 risk management—“The gold standard”. EDPACS: The EDP Audit, Control, and Security Newsletter. 2012;45(5):1-8
  13. Leitch M. ISO 31000: 2009—The new international standard on risk management. Risk Analysis. 2010;30(6):887-892
  14. International Organization for Standardization (ISO). ISO 31000—Risk management. 2009. Available from:
  15. Deming WE. Quality, Productivity and Competitive Position. Cambridge, MA: Massachusetts Institute of Technology, Centre for Advanced Engineering Study; 1982, 183
  16. Luko SN. Risk management principles and guidelines. Quality Engineering. 2013;25(4):451-454
  17. Avanesov E. Risk management in ISO 9000 series standards. In: Presented at the International Conference on Risk Assessment and Management. Geneva; 2009
  18. Ciocoiu CN, Dobrea RC. The role of standardization in improving the effectiveness of integrated risk management. In: Nota G, editor. Advances in Risk Management. Rijeka, Croatia: INTECH Open Access Publisher; 2010. pp. 1-18
  19. Gjerdrum D, Salen WL. The new ERM gold standard: ISO 31000:2009. Professional Safety. 2010;55(8):43-44
  20. Oehmen J, Ben-Daya M, Seering W, Al-Salamah M. Risk management in product design: Current state, conceptual model and future research. In: ASME International Design Engineering Conference & Computers and Information in Engineering Conference IDETC/CIE. Montreal, Canada: ASME International; 2010
  21. Gjerdrum D, Peter M. The new international standard on the practice of risk management: A comparison of ISO 31000:2009 and the COSO framework. Risk Management. 2011;21(March):8-12
  22. Liu JY, Low SP, He X. Current practices and challenges of implementing enterprise risk management (ERM) in Chinese construction enterprises. International Journal of Construction Management. 2011;11(4):49-63
  23. Scannell T, Curkovic S, Wagner B. Integration of ISO 31000:2009 and supply chain risk management. American Journal of Industrial and Business Management. 2013;3:367-377
  24. Ariff MSB, Zakuan N, Ahmad A. A framework for risk management practices and organizational performance in higher education. Review of Integrative Business & Economics. 2014;3(2):422-432
  25. Haddad A, Galante E, Caldas R, Morgado C. Hazard matrix application in health, safety and environmental management risk evaluation. In: Emblemsvag J, editor. Risk Management for the Future: Theory and Cases. Rijeka: InTech; 2012. pp. 29-50
  26. Moraru RI. Current trends and future developments in occupational health and safety risk management. In: Emblemsvag J, editor. Risk Management for the Future: Theory and Cases. Rijeka, Croatia: InTech; 2012. pp. 3-28
  27. Poplin GS et al. Establishing a proactive safety and health risk management system in the fire service. BMC Public Health. 2015;15(407):1-12
  28. Bui DP et al. Risk management of emergency service vehicle crashes in the United States fire services: Process, outputs, and recommendations. BMC Public Health. 2017;17(885):1-11
  29. Flaus J-M. Risk Analysis: Socio-Technical and Industrial Systems. London: John Wiley & Sons, Inc.; 2013
  30. Safe Work Australia. Guide for Major Hazard Facilities: Developing a Safety Case Outline. Canberra: Safe Work Australia; 2012
  31. Raz T, Hillson D. A comparative review of risk management standards. Risk Management: An International Journal. 2005;7(4):53-66
  32. Manuele FA. Principles for the practice of safety: A basis for discussion. In: On the Practice of Safety. 3rd ed. Hoboken, New Jersey: John Wiley & Sons, Inc.; 2005. pp. 72-87
  33. Rausand M. Risk Assessment: Theory, Methods, and Application. Hoboken, New Jersey: Wiley; 2011
  34. World Health Organization. Workers' health: Global plan of action. In: Sixtieth World Assembly. Vol. Agenda 12.13. Geneva, Switzerland: World Health Organization. 2007. Available from:
  35. Safe Work Australia. How to Manage Work Health and Safety Risks: Model Code of Practice. Safe Work Australia: Canberra; 2011
  36. O'Neil S, Cheung A, Holley S. The Business Case for Safe, Healthy & Productive Work: Implications for Resource Allocation—Procurement, Contracting and Infrastructure Decisions. Sydney, Australia: Macquarie Lighthouse Press; 2014
  37. Corvellec H. The practice of risk management: Silence is not absence. Risk Management. 2009;11(3–4):285-304
  38. Sampson H. Navigating the waves: The usefulness of a pilot in qualitative research. Qualitative Research. 2004;4(3):383-402
  39. van Teijlingen ER, Hundley V. The importance of pilot studies. Social Research Update. 2001;35(Winter):1-4
  40. Creswell JW. Research Design: Qualitative, Quantitative and Mixed Methods Approaches. 3rd ed. Thousand Oaks, USA: Sage Publications, Inc.; 2009. p. 260
  41. Coyne IT. Sampling in qualitative research. Purposeful and theoretical sampling; merging or clear boundaries? Journal of Advanced Nursing. 1997;26:623-630
  42. Ryan GW, Bernard HR. Data management and analysis methods. In: Denzin NK, Lincoln YS, editors. Qualitative Research. 2nd ed. Thousand Oaks: Sage Publications, Inc.; 2000. pp. 769-802
  43. Ryan GW, Bernard HR. Techniques to identify themes. Field Methods. 2003;15(1):85-109
  44. Knight KW. Developing a risk management standard—The Australian experience. Safety Science. 2002;40:69-74
  45. Hollnagel E. The changing nature of risk. Ergonomics Australia Journal. 2008;22(1–2):33-46
  46. Smith D, Fischbacher M. The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience. Risk Management. 2009;11(1):1-12
  47. Health and Safety Executive. Sensible risk management. 2016. Available from:
  48. Given LM. The SAGE Encyclopedia of Qualitative Research Methods. Los Angeles, USA: SAGE Publications, Inc.; 2008
  49. Malterud K. Qualitative research: Standards, challenges, and guidelines. The Lancet. 2001;358(August 11):483-488
