The New International Risk Management Standard AS/NZ ISO 31000 – What You Need To Know

On 15 November 2009 the Australian Standard for Risk Management AS/NZ 4360:2004 was superseded by the new International Standard for Risk Management AS/NZ ISO 31000:2009.

Published at about the same time were:

  • ISO/IEC 31010:2009, a supporting standard for ISO 31000, which provides guidance on the selection and application of systematic techniques for risk assessment.
  • ISO Guide 73 – Risk Management Vocabulary, which, as the name suggests, provides guidance on the use of risk management terminology with the aim of encouraging a coherent approach in this area.

Together, these ISO documents create the new international risk management standard and provide practical guidance for those organisations that are either required by law, or are voluntarily seeking, to implement an effective risk management program.

What are the differences between AS/NZ 4360:2004 and AS/NZ ISO 31000:2009?

The good news for Australian and New Zealand organisations is that ISO 31000 is based on AS/NZ 4360, with the familiar 7 Step Risk Management Process being retained more or less intact.

What ISO 31000 does that AS/NZ 4360 did not do is to:

  • clearly articulate the key attributes that enable a risk management program to be managed effectively (these are referred to as the 11 Risk Management Principles); and
  • make it clear that the 7 Step Risk Management Process must be implemented through an effective Risk Management Framework that will allow it to be embedded at all levels throughout an organisation.

ISO 31000 draws together the 11 Risk Management Principles, the Risk Management Framework and the 7 Step Risk Management Process as three interrelated building blocks, all of which work together to ensure that a risk management program is implemented effectively.

What does ISO 31000 mean for Australian businesses?

For those organisations that have been proactive in their risk management practices, the 11 Risk Management Principles, and the concept of a Risk Management Framework, are nothing new. Whilst you may not have used exactly the same terminology, the practical guidance offered by ISO 31000 will be familiar.

For those organisations that still think that risk management is something you do once a year, and have a documented risk management program which means little to staff, senior management and/or the board of directors … well, you may be in for a bit of a shock.

There is no doubt that for organisations that are mandated to implement effective risk management programs, such as Australian Financial Services License (AFSL) holders, AUSTRAC reporting entities and ASX listed entities, the AS/NZ ISO 31000 substantially ups the ante by:

  • making the principles of risk management explicit (they were merely implied under AS/NZ 4360); and
  • providing a lot more guidance on the framework that organisations need to create in order to properly integrate and embed risk management at all levels.

Consider, for example, whether in your organisation:

  • risk management is an integral part of all organisational processes, including policy development and strategic planning;
  • risk management is dynamic, interactive and responsive to change, and helps decision makers make informed choices and prioritise actions;
  • specific risks are owned by individuals who have the accountability and authority to manage those risks;
  • you have established a robust system to continuously identify, assess, control, monitor and report risks.

ISO 31000 makes it clear that these are the types of outcomes that are expected from an effective risk management system. If there was any doubt under AS/NZ 4360, it has now been removed. Risk management clearly involves a lot more than simply documenting a program, formulating a risk register in an Excel spreadsheet and tabling it with the board.

Do organisations have to upgrade to ISO 31000?

A key component of AS/NZ 4360 is that an organisation should regularly review its risk management program for currency and effectiveness. Any organisation that follows its program and undertakes this task will, of course, discover that AS/NZ 4360 no longer exists and has been replaced by ISO 31000.

Whilst there is no obligation to immediately convert to ISO 31000, references to AS/NZ 4360 are now obsolete and, over the short to medium term, failure to convert your documentation and, in some cases your risk methodologies, will provide a clear message to key stakeholders (regulators, investors and the media come to mind) that you may not be managing risk effectively.

What benefits will I get from converting to ISO 31000?

If the risks of not converting to ISO 31000 don’t convince you, maybe the benefits of practicing risk management effectively will.

The benefits of practicing effective risk management are now well documented. They include:

  • Increasing the likelihood that your organisation will achieve its strategic goals and objectives;
  • Encouraging proactive management and avoiding “fire fighting”;
  • Improving your ability to identify and manage future threats and opportunities;
  • Enabling you to better comply with your legal and regulatory obligations;
  • Establishing a reliable basis for decision making and planning;
  • Improving operational effectiveness, business processes and controls;
  • Allowing you to better allocate your resources;
  • Reducing the likelihood of adverse risk events occurring and the consequences if they do occur;
  • Minimising business complexity and optimising transparency; and
  • Increasing profitability and shareholder value.

How can CompliSpace help?

CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management program, which has been designed in accordance with AS/NZ ISO 31000, is delivered on-line, in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.

Our clients include a wide range of ASX listed entities and Australian Financial Services licensees.

If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance solutions.

Contact Details

P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.

5 thoughts on “The New International Risk Management Standard AS/NZ ISO 31000 – What You Need To Know”

  1. This blog provides a good summary of the move to ISO 31000 – why, how, what.

    As pointed out, 31000 does have some strengths compared with AS/NZS 4360. However, there are some serious issues that it does not address, and its thinking represents what could be agreed worldwide. It is ‘the lowest common denominator’. Accepted practice, not best practice.

    An example is the 11 principles. Each is plausible (with a couple of exceptions). However most are motherhoods, of little if any value to a practicing leader who wants to improve how they approach risk management. For more on the principles, visit, where alternate principles are discussed.

    It’s good to challenge and test this topic, so we can take the best from standards like ISO 31000 without limiting ourselves by believing it is a complete answer (or even a reasonable answer) to dealing with risk in organisations.

    1. The risk matrix works by allocating rankings to Likelihood and Consequence. Likelihood, for example, may be ranked from “almost certain” to “rare”, Consequence from “catastrophic” to “insignificant”. These rankings are then combined in a risk matrix table to give you the risk status (e.g. Low to Extreme). For example, a risk event that is almost certain and has a potential catastrophic consequence is obviously going to be Extreme. There are many ways of building the risk matrix. Some organisations use a 5-line (25-box) matrix, others use 3. It all really depends on what you are trying to achieve. Some organisations also use a number sequence to provide more accurate prioritisation within the matrix. Hope this answers your question.
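As an added illustration (not part of the original post or of the comment above), the following Python model builds the likelihood × consequence matrix the reply describes for either a 3- or 5-level scale, attaches the “number sequence” used to prioritise risks within a rating band, and ranks a small risk register. The intermediate scale labels, the score-to-rating banding and the sample register are constructed assumptions, not values taken from ISO 31000 or any organisation’s matrix.

```python
# Constructed scales: the end points ("Almost certain"/"Rare",
# "Catastrophic"/"Insignificant") come from the comment; the middle
# labels are assumptions for illustration only.
LIKELIHOOD_5 = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE_5 = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD_3 = ["Rare", "Possible", "Almost certain"]
CONSEQUENCE_3 = ["Insignificant", "Moderate", "Catastrophic"]

# Constructed bandings: (upper score bound inclusive, rating), ascending.
BANDS_5 = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]  # max 5*5
BANDS_3 = [(2, "Low"), (4, "Medium"), (6, "High"), (9, "Extreme")]    # max 3*3


def build_matrix(likelihoods, consequences, bands):
    """Return {(likelihood, consequence): (score, rating)} for an n x m matrix.

    score is the product of the 1-based ranks, which gives the number
    sequence used to prioritise risks that share the same rating band.
    """
    matrix = {}
    for li, lik in enumerate(likelihoods, start=1):
        for ci, con in enumerate(consequences, start=1):
            score = li * ci
            rating = next(r for bound, r in bands if score <= bound)
            matrix[(lik, con)] = (score, rating)
    return matrix


MATRIX_5 = build_matrix(LIKELIHOOD_5, CONSEQUENCE_5, BANDS_5)
MATRIX_3 = build_matrix(LIKELIHOOD_3, CONSEQUENCE_3, BANDS_3)


def rate(matrix, likelihood, consequence):
    """Look up (score, rating); reject labels that are not on the scale."""
    try:
        return matrix[(likelihood, consequence)]
    except KeyError:
        raise ValueError(f"unknown ranking: {likelihood!r} / {consequence!r}")


def prioritise(matrix, register):
    """Rank a register of (risk, likelihood, consequence), highest score first."""
    rows = [(name, *rate(matrix, lik, con)) for name, lik, con in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (risk name, likelihood, consequence).
SAMPLE_REGISTER = [
    ("Data centre outage", "Unlikely", "Major"),          # 2*4 = 8, Medium
    ("Phishing of staff", "Almost certain", "Moderate"),  # 5*3 = 15, High
    ("Regulatory breach", "Possible", "Catastrophic"),    # 3*5 = 15, High
    ("Minor process delay", "Likely", "Insignificant"),   # 4*1 = 4, Low
]
```

Two risks with the same rating (both High here) are separated by the score, which is the prioritisation the comment refers to; the band boundaries are the part an organisation would tune to what it is trying to achieve.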
