Risk Model for Integrated Management System

The purpose of this paper is to develop an integrated risk management model for standardized management systems: ISO 9001:2015 for quality management, ISO 14001:2015 for environmental management, ISO/IEC 27001:2013 for information security management, ISO 45001:2018 for occupational health and safety management, and ISO 22000:2005 for food safety management. The aim is to enable organizations to manage their processes and the associated risks against the requirements of each internal and external stakeholder through a single MS, instead of several individual MSs defined and implemented in isolation according to a specific MSS, and hence to reduce the resources employed and to enhance organizational performance.


INTRODUCTION
One of the most important developments in the field of management is the optimal use of so-called management systems (MS). It has therefore become imperative for organizations to improve their products, processes, and systems using management system standards (MSS), which assist organizations in managing the risks associated with providing products and services to customers and other stakeholders, and provide stakeholders with the confidence and security that their needs are met [1].
According to the 2017 annual survey of management system certifications issued by the International Organization for Standardization (ISO), a total of 1,058,504 and 362,610 certificates were acquired worldwide under ISO 9001 and ISO 14001 respectively, while ISO 27001 and ISO 22000 obtained only 39,501 and 32,722 certificates respectively; in 2015, OHSAS 18001 showed reliable performance with 92,315 certificates distributed across 127 countries around the world [2].
Several organizations have encountered many difficulties when operating the most frequently implemented standards of quality management, environmental management, and occupational health and safety, either simultaneously or sequentially. Therefore, the integration of these standards has been the target of many authors, aiming to adopt a single and more efficient management system that reduces time, bureaucracy and the use of human, technical and financial resources [3].
Businesses nowadays operate in an environment of strong competition and developed distribution channels, producing a significantly higher volume of products and services than the environment is capable of absorbing. For an organization to survive in such conditions, it is not enough to be average in any business activity, which forces it to strive for business excellence. On the other hand, there is a significant increase in uncertainty nowadays, bringing significant risks with it, so that managing internal and external risks is critical for business entities. In addition, the specific context of each company requires specific solutions.
A review of the relevant literature and results suggests that research on the topic is insufficient despite its attractiveness. The available standards describing risk management (e.g. ISO 31001, BS 31100, API 581, COSO Enterprise Risk Management, FERMA: Risk Management Standard) show that this is a significant discipline, and the fact that these norms have more similarities than differences shows that risk management, although still in its development stage, has significant and broad applicability in all sectors.
To satisfy stakeholders, organizations need to implement multiple management system standards to assess, manage and control risk, which brings various benefits to the organizations. However, assessing and evaluating risk in organizations that implement multiple parallel management systems individually can cause conflicts of operation and inefficiency of management, which leads to high production costs [4].
Since all the standards use the PDCA approach, which makes them compatible with each other for the continual improvement of their performance, and the risk assessment method is also compatible with this cycle, it is possible to develop a risk model for integrated standardized management systems using the process approach. This approach defines a comprehensive scope for all processes and systems in the organization and the interactions between their policies, objectives and resources, in order to control and mitigate different kinds of risk in the most effective and efficient way and to address the key requirements of all relevant interested parties.
The PDCA cycle approach, which is the basis for building this model, has the following phases.
Plan. Understanding the context of the organization and the needs and expectations of interested parties in order to define risks.
Do. Implementing the actions taken to mitigate or prevent the risks.
Check. Checking the performance of the actions taken to mitigate or prevent the risks.
Act. The final step in the model.

The most important contribution of this work is to develop a risk management plan in a systematic manner based on a process approach that identifies potential causes and consequences. Key elements of the standards and of risk management are used to model uncertainty bounds for risk assessment and the specific risks of activities in the organization's context.
The difference between the risk model developed in this paper and ISO 31000:2009 is as follows. ISO 31000 is an international risk management standard published by ISO that is used to manage risk by establishing a number of principles and a framework for integrating risk management processes into the organization. It can be implemented in any organization regardless of type, size, and product, in many fields and at many levels. Using this standard to manage risk in an organization implementing multiple standards is carried out by taking actions to address a risk that has already occurred and finding preventive measures against its recurrence, which is known as reactive action. The newly developed risk model is built upon the PDCA cycle for continual improvement and the process approach to identify the scope of all processes and their interactions in the organization, with a focus on risk-based thinking used to address both risks that have already materialized and those expected to happen, which is known as proactive action. This integrated risk model is used in the case of an IMS with a connected risk approach for all the MSSs implemented in the organization, provided that they are integrated with each other.

LITERATURE REVIEW
Several studies and papers are reviewed here to identify the most important weaknesses in the development of an integrated risk management model for standardized management systems and to build appropriate models. It was found that most studies describe, in general terms, a number of ways in which management system standards can be integrated with each other, and that there is a clear gap in the absence of risk models for integrated management systems; this gap is the starting point for this research.

Integration Process
According to [5][6][7], four principal aspects, namely implementation strategy, integration methodology, level of integration, and auditing systems, should be taken into account when studying the process of integration, together with the benefits and difficulties encountered during the implementation of an IMS, as follows. Implementation strategy is defined by the discussion of the selection and execution sequence of management subsystems. Two integration strategy paradigms have been identified: the systemic approach, which improves the uniformity and homogeneity of the IMS, and the techno-centric approach, which promotes benefits at an operational level [8]. In addition, an overview of the concept of integration revealed two levels of integration, known as alignment, which structures the system by using the similarities of parallel standards to reduce administration and audit costs, and integration, which fully integrates all relevant procedures and instructions. Three other levels of integration can also be distinguished: correspondence, which increases compatibility through cross-references between parallel systems in order to save time and resources and to reduce duplication of work tasks and confusion between different standards; the coordinated and coherent level, which is based on a common understanding of the generic processes of policy, planning, implementation, checking and corrective action, and management review; and the strategic and inherent level, used to improve competitive advantage and contribute to sustainable development [7,9].
Integration methodology is an approach that describes the models or tools used in the integration process; these are described by both academic and standardization bodies, where process maps, PDCA, common elements and organizations' own models are proposed. Various other national models, such as those in Denmark (Dansk Standard, 2005), Australia and New Zealand (SAI Global, 1999), Spain (AENOR, 2005), and the United Kingdom (BSI, 2012), have been issued by standardization bodies for the same purpose [7,10].
Level of integration is defined as the degree of unification of the management elements of two or more MSs [8]. Some authors refer to the integration level as the degree achieved by the IMS, classified into three levels (no integration, partial integration, and full integration), although the methodologies for determining integration levels differ. Others point out that the integration of resources, procedures, and objectives can help to achieve the levels of integration, and suggest that complete integration can be achieved through the following levels: documentation integration, management tools integration, common policies and goals, and a common organizational structure [2, 7].
Auditing system integration is related to the level of integration of internal and external audits (with a higher level of integration in internal audits than in external audits). In [8] it is suggested that, with respect to ISO 14001 and OHSAS 18001, four types of auditing system integration can be represented: fully integrated, simultaneous, overlapping and sequential.
According to the different principal aspects mentioned in the literature, there are different views that can be used in studying the process of integration. The appropriate strategy for our risk model is to implement all management standards simultaneously and integrate them using the process approach, the PDCA cycle, and risk-based thinking.

Models of Integration Management System
In integrating standards, there are two management standard integration approaches: one that refers to a top-level core management standard with some supporting modular standards to address specific requirements, and the other, the so-called alignment approach, which presents the parallel management system standards with a high degree of common structure and content across the constituent individual MSSs [8,7,11]. Several authors define models of integration as a theory and conceptual description that suggests how to manage the IMS implementation process for the enterprise, while others highlight that the modeling of management systems should take into account their goals and objectives. The various models proposed by several authors are analyzed in this literature review as follows [8].
According to the Renfrew and Muir management system evolution model, the various integrated models represent the evolution of integrated management systems. The starting point of this evolution model was the introduction of a quality management system in 1987. Later, other standards were introduced: ISO 14001 in 1996 and OHSAS 18001 in 1999. Then an IMS matrix is established in which the similarities between the clauses of the different management systems can be found, followed by the integration of procedures and processes, where the last step in the model is the so-called QUENSH (Quality, Environment, Safety, Health) [7,8,12].
Quality management system, environmental management system and occupational health and safety management system are the main integrated systems in the Wilkinson-Dale model. The distinguishing feature of this model is the elements and integrated culture of the total quality management model. This model depends on the policies and requirements of any organization or interested party. Stakeholders may be managers (successful business), the employees themselves (wages, working conditions), suppliers (long-term collaboration), customers (quality and price of a product), the community (environment), owners (profits) and others. For organizations whose priorities are a quality system, an environmental protection system and a protection system for their workers and employees, the Wilkinson-Dale model is the most appropriate one for integrating their management systems, as it is for organizations that participate in the continuous improvement activities of TQM. The Wilkinson and Dale model takes into account an organizational sustainability culture that can create an organizational culture enhancing the implementation of integrated systems [8,12].
The systematic model proposed by Karapetrovic and Willborn integrates the quality management system, environmental management system and occupational health and safety system with the corporate social responsibility management system and the financial management system, i.e. the model contains the requirements of the standards and the requirements of stakeholders. It maintains a balanced approach between management, goals, processes, and resources, and is based on a systematic approach and the Deming PDCA cycle. The Karapetrovic model, with the exception of customers, addresses the satisfaction of stakeholders such as the community (environment), staff (reduction of injury), management (business risk reduction) as well as others. The implementation of management systems in this model is accomplished through the management of goals, process management, and resource management [8,7,12].
The synergistic model is attributed to the potential synergies between different items in the requirements of ISO 9001, ISO 14001 and OHSAS 18001, namely documentation, policy and objective development, top management commitment, continuous improvement, audits, and internal communication [8,12].
One approach was developed by focusing on SMEs through the alignment of the ISO 9001, ISO 14001 and BS 8800 requirements. The EFQM (European Foundation for Quality Management) model is a maturity model created in 1992 by the European Foundation for Quality Management and promoted in 1999. There are nine criteria for assessment in this model: five of them relate to what an organization does, such as leadership, people, policy & strategy, partnerships & resources, and processes, while the rest refer to the results of the organization, such as people results, customer results, society results and key performance results [8,12].
Other authors have described IMS in different ways. For example, but not limited to, a case study on the effect of integrated management systems on safety and productivity indices in Iranian cement industries describes IMS as an attempt to create a single management system built on the interrelationships among the various management systems, with a focus on effectively satisfying the needs of interest groups. The Sun model for the integration of management systems in a pharmaceutical organization, based on the PDCA cycle, reveals that an IMS should be a tool for achieving organizational goals while, on the other hand, its complexity must be optimized for the available resources of the organization; a generic model of IMS consists of seven fundamental components and a corresponding set of guiding principles and actions. The fundamental features used in this model will be helpful for our proposed integrated risk model [7].
The types of integrated management system models found in the literature review range from the evolutionary model to maturity models and other models. Our integrated risk model can be suitable for industrial organizations around the world that have implemented multiple management standards, helping them manage their risks effectively and efficiently at low cost.

RISK MODEL FOR INTEGRATED MANAGEMENT SYSTEM
Given the diffusion of multiple standards implemented in several companies nowadays, the best approach is to create an integrated management system (IMS) model that meets the requirements of all the standards in order to satisfy stakeholders. Implementation of an integrated management system (IMS) in an organization is an opportunity to engage in a structured and comprehensive approach to monitoring risks to the environment and people, and is an integral part of continuous improvement [9]. In addition, the common goal of any management standard worldwide is to assist the organization in managing the risks associated with providing products and services in the context of the requirements of customers and other relevant stakeholders, a stakeholder being a "person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity" [8].
Three levels of integration have been defined as appropriate for building this model, described as follows: correspondence, which refers to increasing the compatibility between the standards in order to solve problems of bureaucracy, duplication of work tasks, and confusion between different standards; coordination, which is based on a common understanding of the generic process and task management cycle (Plan-Do-Check-Act) to ensure synergies and trade-offs between the standards; and integration, which leads to interaction with stakeholders, continuous improvement of performance, a better understanding of internal and external challenges, and a culture of responsibility [9].
The effectiveness of every management system is measured by the level of achievement of its goals. The purpose of each MS in this model is to define the management methodology for policies and specific system goals, the risks that affect the achievement of those goals, and the appropriate resources and processes needed to fulfill the stakeholders' requirements, needs, and expectations. Hence, the individual management systems are established according to the appropriate standards shown in Fig. 1, defined as follows: ISO 9001:2015 QMS is used to determine the processes necessary for the transformation of inputs into value-added products, for the treatment of the risk of non-conformance, and for the identification and realization of quality objectives.
The Environmental Management System (EMS) is aimed at environmental risk prevention and at the determination and realization of environmental goals and programs according to ISO 14001:2015. ISO 45001:2018 OH&S is implemented for occupational health and safety hazard prevention (treatment) as well as the determination and realization of occupational health and safety goals and programs. ISO/IEC 27001:2018 ISMS is intended for the treatment of information security risks and the determination of the related objectives and programs. ISO 22000:2018 FSMS is designed for the treatment of food safety hazards as well as the related objectives and HACCP plan [13].

Figure 1 Risk-based IMS model
Organizations must propagate and develop a risk culture from top to bottom of the organizational structure, across all employees and workers, to ensure that risk is managed in a robust and comprehensive way across the organization. In addition to taking into account the needs and expectations of stakeholders related to risk, the dedication and strong leadership of top management in applying the risk culture are also taken into consideration.
In accordance with [4], the PDCA cycle is a tool that can be used to manage processes and systems. The process approach is another tool, used to manage a group of processes together as a system: the interrelations between them are identified, and the outputs of one process are treated as the inputs of the following one, in order to ensure that the results of each individual process add business value and contribute to achieving the final desired results. These two tools, together with risk-based thinking and risk management, are the key factors on which our proposed integration model relies. The management standards implemented in this research clearly have many similarities: i) in their organizational structure and processes, through the use of the terms objectives, audits, procedures, records, etc.; ii) in their applicability regardless of type, size, production, and scope; iii) in the standard language used and the PDCA approach to continual improvement. This similarity in structure, implementation, and language, combined with following the steps of the PDCA cycle, can facilitate the integration process through the development of an effective integration strategy [11]. Management performs a review and evaluation of the IMS to ensure its continued fitness and efficiency in satisfying all requirements.
Fig. 2 illustrates how the risk model works and can be implemented through the PDCA cycle; its main elements are planning, resource management, product realization, and measurement and improvement, covering all phases of the PDCA cycle through the following procedures. Top management has an important and effective role in implementing this model by demonstrating strong commitment, leadership and personal involvement in establishing the Risk Model for Integrated Management System (RIMS) and its scope; ensuring that the context of the organization is determined and understood; and ensuring that what is needed is implemented, evaluated and continuously improved.
Top management should also make resources available on time to achieve the objectives, ensure that the RIMS is defined and documented in formal text, and approve the strategy, policies, objectives and targets within the scope of the RIMS so that they apply to all internal levels of the organization as well as to all other interested parties. The required documents and templates shall also be prepared accordingly [7].

APPLICATION IN PRACTICE

Implementation Methodology
To implement the risk model, the RIMS processes are selected one by one and regarded as the main organizational processes to which risk management with risk-based thinking is applied. Thus, according to the PDCA cycle in Fig. 2, setting up the objectives of the RIMS, derived from the requirements and expectations of stakeholders, is the priority of the planning phase. These objectives are assigned to each process using support resources and product realization. Each process is then analysed using key performance indicators to identify possible sources of risk that would impede the achievement of the objectives. In the next step, techniques such as failure mode and effects analysis (FMEA), hazard and operability study (HAZOP) and SWOT analysis are used with risk-based thinking to identify the risks that need to be analyzed and evaluated, so that treatments can be selected to reduce the levels of risk and improve the efficiency of the RIMS. The last step of this phase is the use of the risk management process to define an appropriate plan for monitoring the implementation of preventive and corrective actions, taking into account the different processes, their interactions, and the levels of risk. The second phase of the PDCA cycle is the implementation of the management plan for integrating the quality, environment, health and safety, information security, and food safety standards, together with the monitoring plan, which involves the monitoring, measurement and control of the defined processes and procedures, outsourcing and other methods necessary to achieve the planned results and the selected treatments, taking into account optimal resource scheduling to reach the objectives with high efficiency.
Finally, once the Do phase is completed, several requirements are checked to ensure that the processes integrated in this model are functioning properly, as planned, by measuring the effectiveness of the different decisions and their readjustment through the Check and Act phases. The effectiveness of the selected treatments is evaluated and the degree of achievement of the objectives is estimated by combining and measuring all the defined indicators. The management plan is then adjusted to achieve the objectives not yet reached, by allowing decision-makers to define appropriate corrective actions and revise the objectives in order to contribute to sustainable development [11,14,15]. Fig. 3 shows the clauses of the integrated risk model, based on PDCA: clauses 4 to 7 represent the Plan phase in ISO 9001, ISO 14001, ISO 45001, and ISO/IEC 27001, clause 8 represents Do, clause 9 represents Check, and clause 10 represents Act, while in ISO 22000 (FSMS) clauses 4 to 6 represent the Plan phase, clause 7 represents Do, clause 8 represents Check, and clause 8.5 represents Act.
Risk management is one of the most important factors in implementing the model. It increases the compatibility and correspondence between the integrated standards in order to reduce the problems of parallel implementation. It is the common factor between the management systems, used to identify each risk source to be evaluated and to find the appropriate treatment. The process approach is used as a tool to consider all the activities and their interactions within the same model, and the PDCA cycle is another tool used to ensure the monitoring of the system and its integration as a continuous improvement of performance, using a performance indicator for each process in order to evaluate its state.

DOCUMENTED INFORMATION FOR RISK MODEL
The documented information associated with the developed risk model is explained through clause 4, understanding the organization and its context, as follows.

The Context of the Organization
It is a combination of internal and external factors and conditions that can have an impact on the attainment of the organization's goals and on its behavior in relation to stakeholders. It is subject to continuous review by the top management of the organization. This tracking enables the identification, evaluation, and management of risks related to stakeholders and their changing needs and expectations. Top management makes timely decisions on organizational change and innovation to maintain and improve the organization's performance.
Political, legal, financial, technological, economic, and other aspects represent the external environment in which an organization operates and seeks to achieve its goals. It is divided into three levels: international, state (at the level of the country), and local (at the level of local self-government, the city).
The internal context is the internal environment, that is, the organization itself, which includes the following: management, organizational structure, roles and responsibilities, business policy and goals, the vision of the organization, resources (employees, infrastructure, technologies, financial resources, ...), communication, relations with relevant stakeholders, culture, standards, guidelines and adopted models, as well as the form and scope of contractual relations. For each of the management systems (QMS, EMS, OH&S, ISMS, FSMS), the external and internal contexts are specifically considered and managed in the organization based on context management procedures. Review of the external and internal context of the organization is carried out at least once a year in the framework of the RIMS reassessment.

Understanding Needs and Expectations of Stakeholders
The interested parties are individuals or organizations that add value to our organization, are interested in the activities of our organization, or are affected by those activities.
Meeting the needs and expectations of stakeholders contributes to achieving the sustainable success of our organization. Top management should be aware that the effective business and sustainable success of the organization depend on the continuous fulfillment of the needs and expectations of its stakeholders, in a balanced way and over the long run. In addition, top management should consider some aspects when establishing the list of relevant stakeholders, for example their possible impact on the performance or decisions of the organization, their ability to create risks and opportunities, and their ability to influence the market. In order to understand the needs and expectations of relevant stakeholders, information is gathered and analyzed from operating the RIMS process, reviewing received orders, monitoring legal and regulatory requirements, market research, and measuring customer satisfaction. Top management should then be able to define the list of relevant stakeholders and their needs and expectations in a table.

Identification of the Scope of IMS
The organization shall determine the boundaries and applicability of the IMS to establish its scope. When determining this scope, the organization shall consider: the external and internal issues referred to in clause 4.1; the requirements of relevant interested parties referred to in clause 4.2; and the products and services of the organization, including the complexity of its processes. In addition, the organization should apply all requirements of the ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2018, and ISO 22000:2018 standards, without omission.

Identification of the Processes of IMS
The organization shall establish, implement, maintain and continually improve the IMS, including the processes needed and their interactions, in order to meet the needs and increase the satisfaction of our stakeholders in accordance with the requirements of ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2018, and ISO 22000:2018. In addition, it shall determine the inputs required and the outputs expected from these processes; the sequence and interaction of these processes; the criteria and methods (including monitoring, measurements, and related performance indicators) needed to ensure the effective operation and control of these processes; the resources needed for these processes, ensuring their availability; the responsibilities and authorities for these processes; and the risks and opportunities related to the processes. It shall evaluate these processes and implement any changes needed to ensure that they achieve their intended results, and improve the IMS and its processes. Finally, the organization shall, to the extent necessary, maintain documented information to support the operation of its processes and retain documented information (records) to have confidence that the processes are being carried out as planned.

FUTURE RESEARCH
Based on the idea of developing this model, several proposals for future research in the area of risk for integrated management systems can be suggested: 1) Compare the performance of organizations that do not implement a risk model for IMS with those that do, in order to measure the competitive factor between them. 2) Better explain the benefits of a risk model for IMS in organizations by choosing other performance variables, such as financial measures, and by supplementing previous research and studies. These new financial performance variables will give different results from studies analyzing the standards separately, offering a good chance to establish whether financial performance benefits really exist. 3) Analyze the internal and external benefits of a risk model for IMS together with performance, to give organizations confidence in their decision concerning the implementation of a risk model for IMS. 4) Analyze the implementation and benefits of the risk model for IMS with other stakeholders, such as employees, instead of top management or the responsible manager.

CONCLUSIONS
In recent years, the most important factors encouraging organizations to implement various management systems have been business pressure, regulations and government laws, competitiveness, public pressure on environmental protection due to pollution and hazards, the health and safety of employees, and customer satisfaction. These have required organizations to implement international standards in order to address these factors, such as ISO 9001 (QMS), whose main goal is the effective management of risks that can adversely affect the quality of products; ISO 14001 (EMS), which aims to control the risks that could endanger the environment; ISO 45001 (OH&S), whose implementation aims to reduce the risk of injuries at work; ISO 27001 (ISMS), which is used to reduce risks that have an impact on the information security of the organization; and ISO 22000 (FSMS), whose main target is to prevent foodborne illness. In practice, it is difficult to deal with these separate management systems individually and to ensure their alignment with organizational strategies. Therefore, the purpose of this research was to develop a risk model for the integrated management system. This model has several characteristics that help organizations in the application of their processes through the following common approaches: risk-based thinking, with risk management as an important factor in the identification, evaluation, and treatment of the risks common to all the standards; the process approach, used to manage and evaluate the performance of each process in the model; and the Deming PDCA cycle, which operates as a cycle of continual improvement by ensuring that the processes are adequately resourced and managed and that opportunities for improvement are determined. In addition, this model can be implemented in any organization regardless of type, size, and product, in many fields and at many levels, and it integrates the most common international standards used by organizations around the world.
The final characteristic of this model is implementing these standards together in an integrated management system (IMS) with proactive and efficient risk management to help an organization meet its requirements, prevent disruption, save a great amount of time in the implementation,