Strategic and operational risk management
New Risk Management Standard ISO 31000 2009
Transitioning from AS4360 to ISO31000 2009 DRAFT
What is ISO 31000: 2009?
ISO 31000:2009 is the first international standard on risk management that clearly and explicitly sets out the principles and framework for managing risk. The standard is intended to harmonise the risk management processes in existing and future standards. It provides a common approach to dealing with specific risks and/or sectors, and does not replace pre-existing relevant standards.
Prior to the development of ISO 31000: 2009, there was no internationally recognised standard on risk management, although the “AS/NZS 4360:2004, Risk Management” standard has been widely used. AS/NZS 4360 was initially developed by Standards Australia in 1995. The current 2004 version is due for review in 2009. Regardless of the progression of ISO 31000, a revised AS4360 would most likely adopt the contents of ISO 31000.
In conjunction with developing ISO 31000, the ISO Risk Management Working Group is updating “ISO/IEC Guide 73, Risk Management – Vocabulary”, which will provide a glossary of risk management terms. The guide aims to establish a consistent language for the management of risk.
As Australian risk management practices have been recognised internationally as ‘better practice’, the same working group has used AS/NZS 4360:2004 extensively in the formation of the ISO draft.
ISO 31000: 2009 consists of three major parts – 11 principles for managing risk (Clause 3), five components to the framework for managing risk (Clause 4), and five processes for managing risks (Clause 6), illustrated in the diagram below:
How will the transition to ISO 31000 affect my organisation?
To be most effective, your organisation’s risk management should adhere to the 11 principles for managing risk. The most important principle of all is for your risk management program to create value for your organisation. Risk management should contribute to the demonstrable and measurable achievement of organisational objectives, and the improvement of organisational activities.
In addition, to be successful, risk management should function within a risk management framework that provides the necessary foundations and organisational arrangements to embed risk management throughout the organisation at all levels. This foundation can assist organisations in managing risk effectively through the application of the risk management process (e.g. AS/NZS 4360:2004) at varying levels and within specific contexts of the organisation. The framework should ensure that risk information is adequately reported and used as a basis for decision making and accountability at all relevant organisational levels.
The draft ISO standard is in its final stages of approval. It is expected to be published in December 2009.
Contact
For more information about the draft ISO31000:2009, please contact Patrick Ow on (03) 9270 6968 or at p.ow@vmia.vic.gov.au.
