Risk management standards

Risk Management Standard ISO 31000:2009

The first International risk management standard ISO 31000:2009 Risk management – Principles and guidelines, together with ISO Guide 73:2009 Risk management – Vocabulary, was released by the International Organisation for Standardisation (ISO) on 15 November 2009. Following the international publication, Standards Australia have officially released AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines on 19 November 2009, which is a direct adoption of ISO 31000:2009. The standard can be purchased from

Risk management standards and guides consist of the following:

  1. AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November 2009)
  2. ISO Guide 73:2009 – Risk management – Vocabulary (15 November 2009)
  3. IEC/ISO 31010:2009 – Risk management – Risk assessment techniques (1 December 2009)
  4. HB 327:2010 – Communicating and consulting about risk (23 February 2010)
  5. AS/NZS 5050:2010 – Business continuity – Managing disruption-related risk (28 June 2010)
  6. HB 266:2010 – Guide for managing risk in not-for-profit organisations (12 August 2010)
  7. HB 246:2010 – Guidelines for managing risk in sport and recreation organisations (18 August 2010)

AS/NZS ISO 31000:2009

AS/NZS ISO 31000:2009 provides principles and generic guidelines on risk management and it can be used by any public, private or community enterprise, association, group or individual.

AS/NZS ISO 31000:2009 can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can also be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although AS/NZS ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organisation, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. AS/NZS ISO 31000:2009 is not intended for the purpose of certification.

AS/NZS ISO 31000:2009 consists of three major parts:

  • 11 principles for managing risk (Clause 3)
  • five components to the framework for managing risk (Clause 4), and
  • five processes for managing risks (Clause 6).

How will AS/NZS ISO 31000:2009 affect my organisation?

To be most effective, your organisation’s risk management should adhere to the 11 principles for managing risk (Clause 3). The most important principle of all is for your risk management program to create value for your organisation. Risk management should contribute to the demonstrable and measurable achievement of organisational objectives, and the improvement of organisational activities.

In addition, to be successful, risk management should function within a risk management framework that provides the necessary foundations and organisational arrangements to embed risk management throughout the organisation at all levels. This foundation can assist organisations in managing risk effectively through the application of the risk management process at varying levels and within specific contexts of the organisation. The framework should ensure that risk information is adequately reported and used as a basis for decision making and accountability at all relevant organisational levels.

ISO Guide 73:2009

ISO Guide 73:2009 provides the definitions of generic terms related to risk management. It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk.

IEC/ISO 31010

IEC/ISO 31010:2009 is a supporting standard for AS/NZS ISO 31000:2009 and provides guidance on selection and application of systematic techniques for risk assessment. The application of a range of techniques is introduced, with specific references to other international standards where the concept and application of techniques are described in greater detail. This standard does not provide specific criteria for identifying the need for risk analysis, nor does it specify the type of risk analysis method that is required for a particular application.

HB 327:2010

Written as a companion to AS/NZS ISO 31000:2009, the handbook expands on the ‘Communicate and Consult’ section of the risk management process.

It provides individuals, organisations and specialists with an understanding of the role and techniques of effective communication and consultation when managing risks, especially when using the generic risk management process outlined in the risk management standard.

Designed as an owner’s handbook, the publication covers why communication and consultation are essential for good risk management, and provides advice on how to do this effectively. In addition, the concepts in the handbook are consistent with each of the 11 principles of effective risk management outlined in Section 3 of AS/NZS ISO 31000:2009. It also outlines how to take into account the mix of facts, uncertainties, perceptions, complexities, beliefs and values when making decisions about risk.

Support for VMIA clients

 ISO 31000 Principles - 20 questions [DOC 77 KB]

More information

For more information about risk management standards, email to contact our Risk Management Team.

VAGO report

The Victorian Auditor General has outlined a range of risks and challenges facing the state from a whole of government perspective.

Find out how Strategic Foresight can contribute to innovative government in a number of different ways.

According to Mr Leigh from the John F Kennedy School of Government, Harvard University, Strategic Foresight can contribute to more innovative government in a number of different ways.

Read about the seven risks that are top of mind for risk managers.

Seven risks remain top of mind for risk managers, according to the recent results from international surveys.