Risk Management - Present Day Overview
A 1-page explanation re changes from AS/NZS 4360 and ISO 31000 Risk Management, by Nick Katsouris.
This is not an easy one to answer possibly because of how the process unfolded which is summarised in the Preface of the AS/NZS ISO 31000:2009. I'm sure with the passage of time many risk practitioners will see this as an opportunity and there will be courses and papers presented if not already done so.
Broadly speaking, the main difference is that the AS/NZS 4360 was more about the process where ISO 31000 is more of a holistic view (evolution/next step) which establishes a number of principles that need to be satisfied before risk management will be effective. Great effort was made for it to not be prescriptive and words like "must" and "should" have been deliberately left out and is one of the differences in language between a certifiable and non certifiable standard which this one is.
Enterprise-Wide Risk management framework in Clause 4 of AS/NZS/ISO 31000:2009 is not intended to describe a management system; but rather, it is to assist the organisation to integrate risk management within its overall management system. Therefore organisations should adapt the components of the framework to their specific needs.
It's also a Paramount standard like 9000 & 14000 and will guide all other ISO/IEC standards with respect to risk management process and will replace national RM standards (Australia was one of the first to adopt it).
The standard was developed as Guideline document, and is NOT to be used for the purpose of certification. Essentially organisations cannot make statements that they are ISO 31000 compliant in their literature/promotional brochures.
FYI, the ISO 31000 working group terms of reference was to provide a document:
- which provides principles and practical guidance to the risk management process
- is applicable to all organisational, regardless of type, size, activities and location and should apply to all type of risk
- establishes a common concept of risk management process and common related concepts
- provide practical guidance to:
understand how to implement risk management
- identify and treat all types of risk
- treat and manage the identified risks
- improve an organisations performance through risk management of risk
- maximise opportunities and minimise losses in the organisation
- raise awareness of the need to treat and manage risk in organisations
In addition to the above ISO/IEC 31010 - Risk Assessment Techniques is being written with the involvement of the same WG in parallel with ISO 31000 & Guide 73. Basically it reflects current good practices in selection and utilisation of risk assessment techniques.
ISO 31000-2009 Risk Management - Principles and Guidelines,
This is the sucessor to AS/NZS 4360-2004. Risk Management as the resource for managing an organisation's risks.
The new standard is a direct adoption of the new international standard, which is based on the 2004 edition ofthe Australian/ NewZealand Risk Management Standard.
The adoption is a culmination of events which began when Standards Australia published its first standard for risk management AS/NZS 4360 Risk Management in 1995.
When this standard was revised in 2004, the Joint Australia/New Zealand Committee OB-007 decided that rather than undertake a similar revision in 2009, Standards Australia and Standards New Zealand should promote the development of an international standard on risk management. This international standard would then be adopted locally.
In 2005, the International Organization for Standardization (ISO) established a working group to develop an international risk management standard using AS/NZS 4360-2004 as the basis of the first draft.
The development process included public consultation in Australia and NewZealand, resulting in the publication of ISO 310002009 in November 2009.
"The new international standard is based on AS/NZS 4360-2004 and was shaped with input from Standards Australia, Standards New Zealand, OB-007, and experts from 28 countries;' said Colin Blair, acting CEO of Standards Australia.
The new standard provides organisations with guiding principles, a generic framework and a process for managing risk. New to this edition is the inclusion of 11 risk management principles an organisation should comply with and a management framework for the effective implementation and integration of these principles into an organisation's management system. The new edition emphasises that risk is the effect of uncertainty on objectives, not just an event.
It also includes an informative annex that sets out the attributes ofenhanced risk management for those organisations that have already been working on managing their risks and may wish to strive for a higher level of achievement.
The standard focuses on encouraging proactive management, improving financial reporting and assisting organisations to comply with relevant legal and regulatory requirements and meeting international norms.
Historic Treatment of Risk
The Risk aware:
- Formula 1 race car development, driver safety and public safety
- Avionics software and hardware development
- Public Transport infrastructure, construction and maintenance