The Standard for risk management (AS/NZS 4360) was first published in 1995 and it will soon be replaced by a joint Australia/New Zealand adoption of the newly published ISO 31000:2009. In Australia and New Zealand, the new Standard will be called AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.
New Zealand and Australian representatives have played a substantial role in the development of ISO 31000. For New Zealand, this was possible through financial support from the New Zealand Society for Risk Management, the Institution of Professional Engineers of New Zealand, and Air New Zealand.
Roger Estall, one of New Zealand's representatives on the ISO working group, says 'there is much in the new Standard that will be familiar to those accustomed to the earlier joint Standard, including the iterative process through which particular risks are managed. But there are also some important changes and additions which build on what has been learned over the past 14 years.'
Roger summarises some of the key changes below.
Risk is now characterised as the 'effect of uncertainty on objectives'. This change shifts the emphasis from 'the event' (something happens) to 'the effect' and, in particular, the effect on objectives. The introduction to the Standard explains that risk comes about because organisations pursue their objectives against the uncertainties associated with their internal and external environment.
Because risk is ever present, every organisation manages risk in one way or another, but not necessarily with much success. The Standard sets out eleven practical 'Principles' of effective risk management. One example – 'risk management is part of decision-making' – reminds users that virtually every decision will either create or modify a risk and so risk needs to be considered as part of the decision-making process. Taken together, the principles explain how managing risk effectively contributes to the realisation of objectives. The principles also describe how risk management is best integrated into day-to-day management, and highlight how risk management contributes to continuous improvement.
A new section describes the features of the organisation's governance and management framework that allow risk to be managed effectively and as a continuous activity. Previously, although essential, these factors have not been explicit.
Enhanced risk management
A new Annex sets out characteristics of enhanced risk management. Two risk management 'outcome' tests relate to whether the organisation is aware of and understands its risks and whether it has adjusted its risks according to its risk criteria. Five 'attributes' tests focus on organisational behaviours that have been found to be the most important in organisations that manage risk effectively.
Grant Purdy, Chairman of the joint Australian and New Zealand committee responsible for risk management standards (OB-007), says New Zealand and Australia can feel particularly proud that the ISO Standard is based on our original joint publication. Now that the international standard is being finalised for publication, OB-007 is revising the current risk management Handbook (SHB 4360:2004) to align it with the new Standard. Grant says 'this work is well advanced and the revised handbook should be available by early 2010. As with its predecessor, the handbook's practical advice should prove a great help to risk management practitioners in both small and large organisations.'
AS/NZS ISO 31000:2009 Risk management – Principles and guidelines will be available for purchase from Standards New Zealand later in October 2009.
To be notified when AS/NZS ISO 31000:2009 and the risk management handbook are published, subscribe to our 'Keep me up to date' service.
AS/NZS ISO 31000:2009 seminars planned for early 2010 in Auckland, Wellington, and Christchurch
Standards New Zealand and the New Zealand Society of Risk Management are planning to conduct breakfast seminars in Auckland, Wellington, and Christchurch (and possibly other centres) in February/March 2010 on AS/NZS ISO 31000:2009. To register your interest, please email email@example.com with your details.
- New Zealand Society of Risk Management (http://www.risksociety.org.nz/)