AS/NZS/ISO31000:2009 : A Background Reading Material

R. Karunanithi

Introduction:

ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management.

ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

The ISO 31000 family is includes:

  • ISO 31000: Principles and Guidelines on Implementation[1]
  • IEC 31010: Risk Management - Risk Assessment Techniques
  • ISO/IEC 73: Risk Management - Vocabulary

ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. A revised and harmonised ISO/IEC Guide 73 was published at the same time.

It is understood that the Australian & New Zealand Standards Committee approvedon 27th October 2009 the adoption of the new Standard asAS/NZS/ISO/31000:2009 - Risk management — Principles and guidelines and for AS/NZS 4360:2004 – RiskManagement to be withdrawn. The only difference between ISO 31000:2009 and AS/NZS/ISO 31000:2009 is the Preface and Introduction which in the later case of talks about the transition from 4360 to 31000

Key Features:

• ISO 31000:2009 provides principles and generic guidelines on risk management.

• ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector.

• ISO 31000:2009 can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

• ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

• Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organisation, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

• ISO 31000:2009 is not intended for the purpose of certification.

• ISO/IEC Guide 73Risk management vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risks

Components of ISO 31000

The basic components of ISO 31000 are: Definitions- Principles- Framework – Framework as shown below

Key Definitions:

Some of the key definitions in ISO 31000 read with ISO Guide 73 are given below

• risk ; “effect of uncertainty on objectives”

– positive and negative consequences

– safety, compliance, strategy, etc

(Note the change from the AS/NZS 4360definition of Risk -“Chance of something happening that will have an impact on objectives”)

• risk management; “coordinated activities to direct and control and organization with regard to risk”

(Note the change for the AS/NZS 4360definition of risk management : “Culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects”)

risk management framework; “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization”

(Note: AS/NZS 4360 Set of elements of an organisation’s management system concerned with managing risk

• risk management process; “systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk”

(Note the definition is similar to that in AS/NZS 4360)

• risk management plan; “statement of the overall intentions and direction of anorganisation related to risk management”

(Note this is not difined in AS/NZS 4360)

• risk management policy; “Scheme within the risk management frameworkspecifying the approach, the management componentsand resources to be applied to the management of risk

(Note this is not defined in As/NZS 4360)

Please note the difference between control and risk treatment:

• Risk treatment – “Process tomodify risk”

• Control – “Measure that ismodifying risk”

11 Principles for managing risk

Unlike AS/NZS 4360, the new standard explicitly documents principles of risk management. These 11 principles highlight the dynamic nature of risk management and clearly articulate how organisations should understand and apply the process of managing riskFor risk management to be effective, an organisation should at all levels comply with the following 11 principles:

  • Risk management creates and protects value
  • Risk management is an integral part of all organisational processes
  • Risk management is part of decision making
  • Risk management explicitly addresses uncertainty
  • Risk management is systematic, structured and timely
  • Risk management is based on the best available information
  • Risk management is tailored
  • Risk management takes human and cultural factors into account
  • Risk management is transparent and inclusive
  • Risk management is dynamic, iterative and responsive to change
  • Risk management facilitates continual improvement of the organisation.

Framework for Managing Risk

To be successful, risk management should function within a risk management framework which provides the foundations and organizational arrangements that will embed it throughout the organization at all levels. [Such a 'framework'] should ensure that risk information derived from these processes is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.

Thus the framework consist of set of components that provide the foundations andorganisational arrangements for designing,implementing, monitoring, reviewing and continuallyimproving risk management throughout the organisation

The various components of the framework are outlined below:

Risk Management Process

The Risk Management Process is the same as in AS/NZ 4360. The process is shown in the diagram below

Relationship between Principles, Framework and Process:

The relationship between the various components is shown below;

Attributes of High Level of Performance in Risk Management

ISO 31000 in the informative annexure gives the list of attributes which represent a high level of performancein managing risk.

A.2.1 An emphasis on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.

A.2.2 Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks. Designated individuals fully accept, are appropriately skilled and have adequate resources to check risk controls, monitor risks, improve risk controls and communicate effectively about risks and their management to internal and external stakeholders.

A.2.3 All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree.

A.2.4 Continual communications with internal and external stakeholders including comprehensive and frequent reporting of risk management performance is part of good governance.

A.2.5 Risk management is viewed as central to the organization's management processes so that risks are considered in terms of effect of uncertainty on objectives. The organization’s governance structure and process are based on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organization’s objectives.

A Model of Risk Management Framework

The following chart as given in a sample presentation of Risk Management Framework that may be appropriate for a NSW public sector agency/organisation

Comparison with AS/NZS 4360

A risk is defined by the Australia/New Zealand Standard for Risk Management (AS/NZS 4360) as “the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence.” For ready reference, the Risk Management Process in AS/NZS 4360 is shown below :

The model of the risk management process AS/NZS 4360 consists of three major elements. The risk management workflow, monitor and review, and finally communication and consult. The later two continuously interact with the steps of the risk management workflow.

The new standard, ISO 31000:2009, draws heavily from the Australian/New Zealand risk standard AS/NZS 4360. The following table gives the comparison.

Elements of Risk Management Standards / HowAS/NZS ISO 31000 builds upon AS/NZS 4360:2004
Application of framework for risk
management / Expands the framework and further develops the 2004 framework
Principles for managing risk / Far more clear and explicit
Enhanced risk management attributes / New addition included in the Annex
Guide to establishing andimplementing effective risk management process / New addition included in the Annex compared with previously supplied in HB 436:2004
Risk management context / Also applicable across all industries to any entity implementing organizational objectives which may involve uncertain outcomes

Thus the major differences between the new ISO 31000:2009 and the old AS/NZS 4360 can be summarized as below:

  • Making explicit the principles of effective risk management (they were only implicit in AS/NZS 4360)
  • Giving some aspirational goals for enterprise risk management in terms of attributes of high performance in the new standard
  • Providing a lot more guidance on how risk management should sit within an organizational framework to be effective- and how that framework can be created, maintained and improved.

The following diagram represents the key improvements in the new standards.

Comparison with COSO ERM

COSO defines ERM asa process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. For ready reference, the COSO framework is shown in the diagram below:

The COSIO ERM needs a change as it does not comply with the new ISO 31000:2009. The approach to risk management COSO advocates does not satisfy the principles of good management under the new Standard. COSO omits certain key elements of risk management process, does not contain practical guidance on implementation and does not lead to approaches to Risk Management that meet the attributes of excellence. Under COSO risk is about events with negative consequences and is not associated with the achievement of an Organization’s objectives and the uncertainty faced in that.

Other Australian Standards which may be relevant

In the Australian context, the following Australian Standards may have some relevance in framing the risk management framework:

  1. Good Governance Principles (AS 8000-2003)
  2. Fraud and Corruption Control (AS 8001-2003)
  3. Organizational Code of Conduct (8002-2003)
  4. Corporate Social Responsibility (As 8003-2003)
  5. Whistle Blower Protection Policy (AS8004-2003)
  6. IT Service Management (AS8018:2004)
  7. Corporate Governance of IT (AS8015:2005)

Summary

Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.

Fortunately for those that have established strong and effective risk management frameworks based on AS/NZS 4360, the new international standard has taken the Australian standard as the starting point in the drafting process. After several years of consultation, it is clear that the new standard brings improvements to the Australian standard rather than significant change.

One of the potential benefits of an international standard will be to provide a uniform approach and language for managing risk The ISO 31000 is also framed at a suitably high level to provide a positive contrast to the compliance-focused regimes that evolved from the Sarbanes-Oxley legislation and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks.

Since ISO 31000 replaces the AS/NZS 4360 Standard, the references to AS/NZS4360 in the Internal Audit and Risk Management Policy for the NSW Public Sector maypresumably be now taken to refer to the new AS/NZA/ISO 31000:2009. It is thus important for us in NSW public sector to understand and appreciate the implications of the new standard.

Source References:

The reference to various source materials used in the above compilation is given below. Many of the materials are repeated in more than one source.

  1. Presentation of Suncrop Risk Services & TMF on Risk Management Model for NSW Public sector ( the web reference not given as the same appears to be taken out)
  2. Journal of Accountancy Dec 09 (AIPCP) Article on Risk Based Audit Best Practices
  3. Frameworks for IT Management publshed by The IT Services Management Forum (itSMF)which refers to various Australian Governance and Risk Management standards ( part of reading material for CGEIT Program of ISACA)

Note: The views expressed in this article are those of the author.