
International Risk Management Standard AS/NZS ISO 31000 Peter Brass General Manager Risk Management & Audit PIRSA.

Apr 01, 2015


Shayna Tisdel

International Risk Management Standard AS/NZS ISO 31000

Peter Brass

General Manager

Risk Management & Audit

PIRSA


• Provides principles and guidelines on risk management. It is generic and not developed for any specific industry or sector but risk “per se”.

• Can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

• Can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

• Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account an organisation’s particular objectives, context, structure and operations. Risk management should continue to develop organically.

• ISO 31000:2009 is not intended for the purpose of certification.

Abstract of ISO 31000:2009 (Source: ISO Website on ISO 31000 – 16 June 2009)


RISK = effect of uncertainty on objectives

NOTE 1 An effect may be positive, negative, or a deviation from the expected.

NOTE 2 An objective may be financial, related to health and safety, or defined in other terms.

NOTE 3 Risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.

NOTE 4 Risk can be expressed in terms of a combination of the consequences of an event or a change in circumstances, and their likelihood.

NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.


Risk Management & Managing Risks

In the Standard, the expressions “risk management” and “managing risk” are both used.

In general terms, “risk management” refers to the architecture (principles, framework and process) for managing risks effectively, and “managing risk” refers to applying that architecture to particular risks.


Principles for managing risk (Clause 3)

1. Creates value

2. Integral part of organisational processes

3. Part of decision making

4. Explicitly addresses uncertainty

5. Systematic, structured & timely

6. Based on best available information

7. Tailored

8. Takes human & cultural factors into account

9. Transparent & inclusive

10. Dynamic, iterative & responsive to change

11. Facilitates continual improvement & enhancement of the organisation

AS 4360 – Implicit to some extent


Framework for managing risk (Clause 4)

AS 4360 – Covered partially in Section 4 “Establishing effective risk management”

• Mandate & commitment

• Design of framework for managing risk

• Implementing risk management

• Continual improvement of the framework

• Monitoring & review of the framework


Process for managing risk (Clause 5)

AS 4360 – Fully covered in Section 3 “Risk Management Process”

• Communication & Consultation

• Establishing the Context

• Risk Assessment: Identify Risks, Analysis of Risks, Evaluation of Risks

• Treatment of Risks

• Monitoring & Review


Comparison AS/NZS 4360 & ISO 31000:2009

| Elements | AS/NZS 4360:2004 | ISO 31000:2009 |
| --- | --- | --- |
| Application | Universal across all organisations - Australasia but also widely accepted internationally | Universal across all organisations - International |
| Context for Risk Management | An organisation’s objectives | An organisation’s objectives |
| Principles for managing Risk | Included as part of risk management culture although mainly implicit. | Clause 3 and explicit – common business management principles |
| Framework for managing risk | Covered in detail | Clause 4 of standard. Expands on 4360 |
| Risk Management Process | Core of the standard | Clause 5 of standard |
| Attributes of enhanced risk management | Not covered | Annex in 31000. Informative only. |
| Guide to establishing and implementing effective risk management program and application of risk management process | Covered in detail in HB 436:2004 | Annex in 31000. Informative only. |


| Term | AS/NZS 4360:2004 Definitions | ISO 31000 Definitions (ISO/IEC Guide 73) |
| --- | --- | --- |
| Risk | Chance of something happening that will impact on objectives | Effect of uncertainty on objectives |
| Risk Management | Culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects | Coordinated activities to direct and control an organisation with regard to risk |
| Risk Management Framework | Set of elements of an organisation’s management system concerned with managing risk | Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation |
| Risk Management Policy | Not defined | Statement of the overall intentions and direction of an organisation related to risk management |
| Risk Management Plan | Not defined | Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk |
| Risk Management Process | | |


What this means to us.

If you have followed 4360 – impact of 31000 is minimal

Increased status of 31000 as international paramount standard – referred to explicitly in GOSA Risk Management Policy

If no organisational Risk Management Policy, it is now required.

Timeframe – No deadline. However, should update references and other requirements as part of next risk management program review.


SAICORP Benchmarking Program

The self-assessment used to participate in this program will help to review the existing risk management program.

The self-assessment will also help to identify any amendments required, as the tool used has been aligned with 31000 and Clause 3 Principles, Clause 4 Framework & Clause 5 Process.

Documents are available from Treasury website at www.safa.sa.gov.au/insurance

Further information from Darryl Bruhn at [email protected] or 8226 3429.


Information Sessions

Today’s presentations are available from the Treasury website at www.safa.sa.gov.au/insurance.

A schedule of information sessions on the new GOSA Risk Management Policy & ISO 31000 has been developed.

First session is scheduled for Thursday 11th March at the Hetzel Lecture Theatre at the State Library of SA. (9.30am to 11.00am)

Also Wednesday 14th April at same time and venue

Registration for these sessions to [email protected]

Further information Darryl Bruhn at [email protected] or 8226 3429.


QUESTIONS ??