New Risk Management Standard AS/NZS ISO 31000 3 May 2010

The new international Risk management to be environment in which the

Management Standard ISO effective, organisations at organisation’s processes
31000:2009 was released by the all levels need to ensure take place, describing
International Organisation for that their risk management external / internal influences
Standardisation (ISO) on 15 program: and identifying risks;
November 2009. It has been • Creates and protects • Undertaking a risk
four years since the ISO value; assessment which
established a working party to incorporates risk
develop the first international • Is an integral part of all
identification, analysis and
risk management standard of the organisation’s
evaluation;
using AS/NZS 4360:2004 as its processes;
working draft. • Treating the risk i.e. either
• Forms part of decision
avoidance (by
The joint Australian/New making;
discontinuing a specific
Zealand Standards Committee • Explicitly expresses activity), taking or
OB-007, which had reviewed uncertainty; increasing the risk in order
and updated the earlier version to pursue an opportunity,
of AS4360:1999, decided that • Is systematic, structured
removing the risk source,
instead of conducting a similar and timely;
changing either the
revision of the AS/NZS4360:2004, • Is based on the best likelihood or consequence,
it should focus its support on an available information; sharing or transferring the
international version of a risk risk (either partly or fully
management standard. This • Is tailored to the
outsourcing the activity), or
resulted in Standards Australia organisation;
retaining the risk by
adopting the ISO 31000 as an • Takes human and informed decision;
Australian/New Standard and cultural factors into
therefore now making • Monitoring and reviewing
account;
AS/NZS4360:2004 redundant. risk treatment plans to
• Is transparent and ensure they remain relevant
What are the main inclusive; and achieve expected
differences between the outcomes.
• Is dynamic, iterative
old and new standards? and responsive to
Risk Management
change; and
The main differences between Framework
the previous AS/NZS 4360 and • Facilitates continual
improvement of the There is now greater emphasis
the ISO31000 standard are
organisation. on how risk management
summarised below:
should be implemented and
1. Risk is now defined in terms Has the risk management integrated throughout an
of the effect of organisation through the
process changed?
uncertainties on objectives establishment and continuous
whilst previously the The process of managing risk in improvement of a risk
standard focused on risk as the new standard remains the management framework. The
being the chance of same as in the old standard. framework ensures that
something happening that The process of implementing information about risk derived
will have an impact on risk management within the from the risk management
objectives; organisation remains the same process (as described above) is
in that communication and adequately reported and used
2. The new standard highlights
consultation is required through as a basis for decision making
a set of principles that
the processes of: and accountability at all
organisations must follow to
• Establishing the risk context, relevant levels within the
achieve effective risk
i.e. defining the organisation.
management. For risk
Melbourne: ph. (03) 9890 8811 fax. (03) 9890 8911 Brisbane: ph. (07) 3514 9222 fax. (07) 3514 9220
Sydney: ph. (02) 9889 1800 fax. (02) 9889 1811 Canberra: ph. (02) 9889 1800 fax. (02) 9889 1811
www.noel-arnold.com.au
 Enhanced Risk What should my
Management organisation now do in
The new standard provides light of the new Standard?
guidance on the attributes of The new standard now
enhanced risk management. highlights eleven principles
These attributes represent a upon which a risk management
high level of performance in system should be based. The
managing risk and can be used implementation of risk
to compare an organisation’s management within an
own risk management organisation will only be
performance. The key attributes successful if the risk
are: management processes are
• Continual Improvement: embedded throughout all
through the setting of levels of the organisation.
performance goals against By incorporating the key
which the organisation or its principles and processes into a
Without a strong mandate and manager’s are measured; risk management framework, a
commitment, the risk organisation is able to create a
management framework will • Full Accountability of Tasks:
designated individuals fully structured basis for managing
not be maintained. The their risks to facilitate not only
framework design must take accept accountability, are
appropriately skilled and regulatory compliance, but
into account: also improved decision-making,
have adequate resources
• Understanding of the to check controls, monitor allocation of resources,
organisation’s activities and risks, improve controls and planning, and performance.
its context; communicate effectively
about risks; Further Information
• Establishing a risk
management policy; • Risk Management If you would like to know more
Application in all Decision about the new standard
• Defining accountabilities; AS/NZS ISO 31000 Risk
Making: no matter the level
• Integration into of importance or Management, or any of the
organisational processes; significance, explicit information mentioned above,
consideration of risks and please do not hesitate to
• Provision of adequate contact Arnold Risk Consulting.
resources to maintain the risk management needs to
take place; Our contact details are given
framework; and below.
• Establishing internal and • Continual Communications:
contact with internal and Melbourne: John Ruksenas on
external communication (03) 9890 8811 or
and reporting mechanisms. external stakeholders
including the frequent john.ruksenas@noel-
Following the establishment of reporting of risk arnold.com.au
the framework and the management Sydney: Martin Mitchelson on
implementation of risk performance; (02) 9460 2290 or
management process within a mmitchelson@mc2pacific.com.
organisation, monitoring and • Full Integration with the
Organisation’s Governance au
review of risk controls is required
to provide adequate data in Structure: the organisation’s Brisbane: Wade Russell on (07)
the continual improvement of governance structure and 3514 9222 or wade.russell@noel-
the risk management system. process should be based on arnold.com.au
the management of risk.

Melbourne: ph. (03) 9890 8811 fax. (03) 9890 8911 Brisbane: ph. (07) 3514 9222 fax. (07) 3514 9220
Sydney: ph. (02) 9889 1800 fax. (02) 9889 1811 Canberra: ph. (02) 9889 1800 fax. (02) 9889 1811
www.noel-arnold.com.au