

AS/NZS ISO 31000:2009


Risk Management – Principles and Guidelines
August 2010

Introduction

In November 2009, AS/NZS ISO 31000:2009 replaced the previous Australian and New Zealand risk management standard AS/NZS 4360:2004. AS/NZS ISO 31000:2009 (the Standard) provides Fund Member agencies with principles and general guidelines to be considered when developing risk management frameworks and programs. The Standard is supported by the:
• International Standard ISO/IEC 31010:2009 – Risk Management;
• IEC/FDIS 31010 Risk Management – Risk Assessment Techniques; and
• ISO Guide 73:2009 – Risk Management – Vocabulary.

This factsheet highlights some of the significant changes or enhancements of AS/NZS ISO 31000:2009. These include:
1. A change to the definition of risk;
2. The introduction of eleven principles for the management of risk;
3. Five attributes of an enhanced risk management framework; and
4. A recommended approach to developing an enterprise-wide risk management framework.

1. The definition of risk – ‘the effect of uncertainty on objectives’

The definition of risk has changed from ‘the chance of something happening that will have an impact on objectives’ to ‘the effect of uncertainty on objectives’.

While risk managers will continue to consider the possibility of risks occurring, they should now apply risk treatment options to ensure that the uncertainty of their agency meeting its objectives will be avoided, reduced, removed or modified and/or retained.

2. The introduction of the 11 Principles of risk management

1. Creates and protects value
Good risk management contributes to the achievement of an agency’s objectives through the continuous review of its processes and systems.

2. Be an integral part of organisational processes
Risk management needs to be integrated with an agency’s governance framework and become a part of its planning processes, at both the operational and strategic level.

3. Be part of decision making
The process of risk management assists decision makers to make informed choices, identify priorities and select the most appropriate action.

4. Explicitly address uncertainty
By identifying potential risks, agencies can implement controls and treatments to maximise the chance of gain while minimising the chance of loss.

5. Be systematic, structured and timely
The process of risk management should be consistent across an agency to ensure efficiency, consistency and the reliability of results.

6. Based on the best available information
To effectively manage risk it is important to understand and consider all available information relevant to an activity, and to be aware that there may be limitations on that information. It is then important to understand how all this information informs the risk management process.

7. Be tailored
An agency’s risk management framework needs to include its risk profile, as well as take into consideration its internal and external operating environment.

8. Take into account human and cultural factors
Risk management needs to recognise the contribution that people and culture have on achieving an agency’s objectives.

9. Be transparent and inclusive
Engaging stakeholders throughout the risk management process recognises that communication and consultation are key to identifying, analysing and monitoring risk.

10. Be dynamic, iterative and responsive to change
The process of managing risk needs to be flexible. The challenging environment we operate in requires agencies to consider the context for managing risk as well as continuing to identify new risks that emerge, and make allowances for those risks that no longer exist.

11. Facilitate the continual improvement of organisations
Agencies with a mature risk management culture are those that have invested resources over time and are able to demonstrate the continual achievement of their objectives.

3. Five Attributes to enhance risk management

1. There is now an increased emphasis on continuous improvement in risk management. Agencies should set their performance goals and measures, and then review and modify processes as required.

2. An agency should fully accept accountability for its risks and develop comprehensive controls and treatment strategies. Individuals with accountability for risk management are identified. These individuals should be appropriately skilled, have adequate resources to check and improve controls, monitor risks, and have the ability to communicate effectively with all stakeholders, both internal and external.

3. Decision making within the agency, whatever the level of importance and significance, should include consideration of risks and the application of the risk management process as appropriate.

4. Frequent reporting to all stakeholders of the agency’s risk management performance should be included in the agency’s governance processes. This reporting would be ongoing and highly visible.

5. The risk management framework should be embedded within the agency’s overall strategic and operational policies and practices.

4. Developing an Enterprise-wide Risk Management Framework

The Standard outlines an approach to developing a framework that will assist agencies to integrate risk management into their enterprise-wide risk management processes and activities. Agencies are encouraged to consider the links between the foundations of their risk management framework and their organisation objectives.

An agency’s risk management framework needs to include its policy objectives and its commitment to risk management alongside its legislative responsibility. This describes the vision for the management of risk and what overarching outcomes will be achieved. The framework should also set out accountabilities, resources and capability/skills, and systems, and take into consideration internal and external relationships. An agency should also review and modify its approach.

Strategic objectives
Senior Executives within an agency are responsible for providing the strategic direction of the agency. Strategic objectives are usually long term.

Operational objectives
Generally, it is the middle managers of an agency who are responsible for aligning the strategic objectives with the agency’s operations in order to achieve outcomes. The strategic plans developed at this level outline what each business unit must do to achieve their outcomes.

Line objectives
Similarly, line managers are responsible for developing strategic plans that are more specific to achieving outcomes and are short term in nature. These plans prescribe in detail how the processes or activities of the agency’s outcomes will be actioned and completed.

References
1. Standards Australia/Standards New Zealand Standard Committee. AS/NZS ISO 31000:2009, Risk Management – Principles and Guidelines. First Edition. November 2009.
2. International Organisation for Standardisation. ISO Guide 73:2009, Risk Management – Vocabulary. 2009.
3. International Electrotechnical Commission. ISO/IEC 31010:2009. International Standard. First Edition. 2009.
4. Knight, Kevin W. Transitioning to the new risk management standard AS/NZS/ISO 31000:2009. Comcover Insurance and Risk Management Conference, 27 August 2009. Canberra: Comcover, Department of Finance and Deregulation.