
AS/NZS ISO 31000:2009


Risk Management – Principles and Guidelines
August 2010

Introduction

In November 2009, AS/NZS ISO 31000:2009 replaced the previous Australian and New Zealand risk management standard AS/NZS 4360:2004. AS/NZS ISO 31000:2009 (the Standard) provides Fund Member agencies with principles and general guidelines to be considered when developing risk management frameworks and programs. The Standard is supported by the:
• International Standard ISO/IEC 31010:2009 – Risk Management;
• IEC/FDIS 31010 Risk Management – Risk Assessment Techniques; and
• ISO Guide 73:2009 – Risk Management – Vocabulary.

This factsheet highlights some of the significant changes or enhancements of AS/NZS ISO 31000:2009. These include:
1. A change to the definition of risk;
2. The introduction of eleven principles for the management of risk;
3. Five attributes of an enhanced risk management framework; and
4. A recommended approach to developing an enterprise-wide risk management framework.

1. The definition of risk – ‘the effect of uncertainty on objectives’

The definition of risk has changed from ‘the chance of something happening that will have an impact on objectives’ to ‘the effect of uncertainty on objectives’.

While risk managers will continue to consider the possibility of risks occurring, they should now apply risk treatment options to ensure that the uncertainty of their agency meeting its objectives will be avoided, reduced, removed or modified and/or retained.

2. The introduction of the 11 Principles of risk management

1. Creates and protects value
Good risk management contributes to the achievement of an agency’s objectives through the continuous review of its processes and systems.

2. Be an integral part of organisational processes
Risk management needs to be integrated with an agency’s governance framework and become a part of its planning processes, at both the operational and strategic level.

3. Be part of decision making
The process of risk management assists decision makers to make informed choices, identify priorities and select the most appropriate action.

4. Explicitly address uncertainty
An agency should fully accept accountability for its risks and develop comprehensive controls and treatment strategies.

5. Be systematic, structured and timely
The process of risk management should be consistent across an agency to ensure efficiency, consistency and the reliability of results.

6. Based on the best available information
To effectively manage risk it is important to understand and consider all available information relevant to an activity, and to be aware that there may be limitations on that information.

7. Be tailored
An agency’s risk management framework needs to include its risk profile, as well as take into consideration its internal and external operating environment.

8. Take into account human and cultural factors
Risk management needs to recognise the contribution that people and culture have on achieving an agency’s objectives.

9. Be transparent and inclusive
Engaging stakeholders throughout the risk management process recognises that communication and consultation is key to identifying, analysing and monitoring risk.

10. Be dynamic, iterative and responsive to change
The process of managing risk needs to be flexible. The challenging environment we operate in requires agencies to consider the context for managing risk as well as continuing to identify new risks that emerge, and make allowances for those risks that no longer exist.

11. Facilitate the continual improvement of organisations
Agencies with a mature risk management culture are those that have invested resources over time and are able to demonstrate the continual achievement of their objectives.

3. Five Attributes to enhance risk management

By identifying potential risks, agencies can implement controls and treatments to maximise the chance of gain while minimising the chance of loss.

1. There is now an increased emphasis on continuous improvement in risk management. Agencies should set their performance goals and measures, and then review and modify processes as required. An agency should also review and modify its systems, resources and capability/skills to ensure continuous improvement.

2. Individuals with accountability for risk management are identified. These individuals should be appropriately skilled, have adequate resources to check and improve controls, monitor risks, and communicate effectively with all stakeholders.

3. Decision making within the agency, whatever the level of importance and significance, should include consideration of risks and the application of the risk management process as appropriate.

4. Frequent reporting to all stakeholders of the agency’s risk management performance should be included in the agency’s governance processes. This reporting would be ongoing and highly visible.

5. The risk management framework should be embedded within the agency’s overall strategic and operational policies and practices.

4. Developing an Enterprise-wide Risk Management Framework

The Standard outlines an approach to developing a framework that will assist agencies to integrate risk management into their enterprise-wide risk management processes and activities. Agencies are encouraged to consider the links between the foundations of their risk management framework and their organisation objectives.

An agency’s risk management framework needs to include its policy objectives and its commitment to risk management alongside its legislative responsibility, and take into consideration internal and external relationships. It is then important to understand how all this information informs the risk management process.

Strategic objectives
Senior Executives within an agency are responsible for providing the strategic direction of the agency. This approach, while usually long term, describes the vision for the management of risk and what overarching outcomes will be achieved.

Operational objectives
Generally, it is the middle managers of an agency who are responsible for aligning the strategic objectives with the agency’s operations in order to achieve outcomes. The strategic plans developed at this level outline what each business unit must do to achieve their outcomes.

Line objectives
Similarly, line managers are responsible for developing strategic plans that are more specific to achieving outcomes and are short term in nature. These plans prescribe in detail how the processes or activities of the agency’s outcomes will be actioned and completed.

References
1. Standards Australia/Standards New Zealand Standard Committee. AS/NZS ISO 31000:2009, Risk Management – Principles and Guidelines. November 2009.
2. International Organisation for Standardisation. ISO Guide 73:2009, Risk Management – Vocabulary. First Edition, 2009.
3. International Electrotechnical Commission. ISO/IEC 31010:2009, International Standard. First Edition, 2009.
4. Knight, Kevin W. Transitioning to the new risk management standard AS/NZS/ISO 31000:2009. Comcover Insurance and Risk Management Conference, 27 August 2009. Canberra: Comcover, Department of Finance and Deregulation.