International Risk Management Standard

AS/NZS ISO 31000


Peter Brass
General Manager
Risk Management & Audit
PIRSA

Abstract of ISO 31000:2009

(Source: ISO website on ISO 31000, 16 June 2009)

ISO 31000:2009 provides principles and guidelines on risk management. It is generic and not developed for any specific industry or sector, but for risk per se.

It can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account an organisation's particular objectives, context, structure and operations. Risk management should continue to develop organically.

ISO 31000:2009 is not intended for the purpose of certification.

RISK = effect of uncertainty on objectives


NOTE 1 An effect may be positive, negative, or a deviation from the expected.
NOTE 2 An objective may be financial, related to health and safety, or defined in other terms.
NOTE 3 Risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.
NOTE 4 Risk can be expressed in terms of a combination of the consequences of an event or a change in circumstances, and their likelihood.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Risk Management & Managing Risks


In the Standard, the expressions "risk management" and "managing risk" are both used. In general terms, "risk management" refers to the architecture (principles, framework and process) for managing risks effectively, and "managing risk" refers to applying that architecture to particular risks.

Principles for managing risk (Clause 3)

1. Creates value
2. Integral part of organisational processes
3. Part of decision making
4. Explicitly addresses uncertainty
5. Systematic, structured & timely
6. Based on best available information
7. Tailored
8. Takes human & cultural factors into account
9. Transparent & inclusive
10. Dynamic, iterative & responsive to change
11. Facilitates continual improvement & enhancement of the organisation

AS 4360: Implicit to some extent

Framework for managing risk (Clause 4)


Elements of the framework (shown as a cycle on the slide):

Mandate & commitment
Design of framework for managing risk
Implementing risk management
Monitoring & review of the framework
Continual improvement of the framework

AS 4360: Covered partially in Section 4 Establishing effective risk management

Process for managing risk (Clause 5)

Elements of the process (shown as a flow diagram on the slide):

Communication & Consultation
Establishing the Context
Risk Assessment
  - Identify Risks
  - Analysis of Risks
  - Evaluation of Risks
Treatment of Risks
Monitoring & Review

AS 4360: Fully covered in Section 3 Risk Management Process

Comparison AS/NZS 4360 & ISO 31000:2009


Elements | AS/NZS 4360:2004 | ISO 31000:2009
Application | Universal across all organisations - Australasia but also widely accepted internationally | Universal across all organisations - International
Context for Risk Management | An organisation's objectives | An organisation's objectives
Principles for managing Risk | Included as part of risk management culture although mainly implicit. | Clause 3 and explicit common business management principles
Framework for managing risk | Covered in detail | Clause 4 of standard. Expands on 4360
Risk Management Process | Core of the standard | Clause 5 of standard
Attributes of enhanced risk management | Not covered | Annex in 31000. Informative only.
Guide to establishing and implementing effective risk management program and application of risk management process | Covered in detail in HB 436:2004 | Annex in 31000. Informative only.

Term | AS/NZS 4360:2004 Definitions | ISO 31000 Definitions (ISO/IEC Guide 73)
Risk | Chance of something happening that will impact on objectives | Effect of uncertainty on objectives
Risk Management | Culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects | Coordinated activities to direct and control an organisation with regard to risk
Risk Management Framework | Set of elements of an organisation's management system concerned with managing risk | Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation
Risk Management Policy | Not defined | Statement of the overall intentions and direction of an organisation related to risk management
Risk Management Plan | Not defined | Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
Risk Management Process | |

What this means to us

If you have followed 4360, the impact of 31000 is minimal.

Increased status of 31000 as the paramount international standard, referred to explicitly in the GOSA Risk Management Policy.

If there is no organisational Risk Management Policy, one is now required.

Timeframe: no deadline. However, references and other requirements should be updated as part of the next risk management program review.

SAICORP Benchmarking Program

The self-assessment used to participate in this program will help to review the existing risk management program.

The self-assessment will also help to identify any amendments required, as the tool used has been aligned with 31000 and its Clause 3 Principles, Clause 4 Framework and Clause 5 Process.

Documents are available from the Treasury website at www.safa.sa.gov.au/insurance

Further information from Darryl Bruhn at Darryl.Bruhn@sa.gov.au or 8226 3429.

Information Sessions

Today's presentations are available from the Treasury website at www.safa.sa.gov.au/insurance.

A schedule of information sessions on the new GOSA Risk Management Policy & ISO 31000 has been developed.

The first session is scheduled for Thursday 11th March at the Hetzel Lecture Theatre at the State Library of SA (9.30am to 11.00am).

Also Wednesday 14th April at the same time and venue.

Registration for these sessions to Bridget.Pacifico@sa.gov.au

Further information from Darryl Bruhn at Darryl.Bruhn@sa.gov.au or 8226 3429.

QUESTIONS ??
