The imminent publication of ISO 31000:2009 Risk Management — Principles and guidelines on implementation has prompted Chris Peace to trace the history, content and use of the Standards Australia/Standards New Zealand version on which it is based, and suggest what safety and health practitioners can expect from the new international standard.
Although the original 1995 edition of the AS/NZS 4360 standard was developed from earlier risk-management ideas and processes, it was nonetheless ground-breaking as the first standard published on risk management.
The subsequent 1999 edition added the “communicate and consult” stage, and a number of handbooks on aspects of risk management were also developed, the majority jointly by Australia and New Zealand.
The 2004 edition of the joint standard[1] incorporated experience from the previous 10 years, and many of the appendices in the 1999 edition were either consolidated into the body of the standard or moved into the associated handbook, SAA/SNZ HB 436:2004.[2] Importantly, this included the 5×5 qualitative risk matrix in appendix E. Many users had simply copied this for their own use without thinking about its relevance, or the need to adapt it to their context. Few thought about alternative risk-analysis techniques: the matrix was the method!
Risk and related terms
Risk is defined in AS/NZS 4360 as “the chance of something happening that could have an impact on objectives”. A series of notes to the definition adds that risk is often specified in terms of an event, or circumstances, and the consequences that may flow from it/them; that risk is measured in terms of a combination of the consequences of an event and their likelihood; and that risk may have a positive or negative effect.
Notice the definition refers to “objectives” but is not health and safety-focused. Indeed, the definition does not limit risk to a single area, or type, so all risks are to be considered unless excluded when establishing the risk-management context.
Risk management is defined as “the culture, processes and structures that are directed towards realising potential opportunities while managing adverse effects”. In other words, risk management is about managing risks! Use of the word “culture” in the definition has been very helpful when explaining differences between organisations.
AS/NZS 4360 sets out five process steps and two continuing stages. Although some argue it is necessary to start with the communicate and consult stage, and others with establishing the context, this is not a flowchart or a start-to-finish process: you can start at any point and move forwards and backwards. For the purposes of this article, however, I will start with the context.
The context in which an organisation operates can be thought of as the overall business environment, and comprises external, internal and risk-management contexts. At this stage, criteria for risk evaluation are developed and the structure for the rest of the process agreed. The next stages, which together make up risk assessment, are risk identification, risk analysis and risk evaluation.
Risk identification is about asking what could happen, when, how, why, and who would be involved. A well-named risk will provide much of the information decision-makers need to know. For example: ‘The inability to recruit or retain competent staff to work in [a specified activity] will result in [name the impact on the objective].’
In risk analysis, the magnitude of the consequences and likelihood of the event are assessed and the current controls evaluated for effectiveness. It is also useful to try to assess the consequences and likelihood of all controls failing. The difference between uncontrolled and controlled risk severity illustrates how important the controls are.
Risk evaluation involves making decisions about risks — which ones need treatment, and what are the priorities? This requires comparison of the analysed risk to the criteria developed in the context stage. The tolerability of a risk is also considered here. Further analysis is sometimes needed before making treatment decisions.
The standard also discusses assessing treatment options, developing treatment plans, and the need to carefully weigh up high-impact/low-likelihood events.
At each stage in this process it is important to communicate and consult with stakeholders and monitor and review the whole process.
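The analysis and evaluation steps above, worked through as an added example in Python. This is not code from the article or from AS/NZS 4360; the likelihood and consequence scales, the sample register, the effect credited to each control and the evaluation criteria are all constructed for illustration, and the helper names (`evaluate`, `controlled_levels`, `Criteria` and so on) are assumptions of the example. It keeps the evaluation criteria in the context step rather than inside the matrix, reports the difference between uncontrolled and controlled risk for each entry, and adds an escalation rule for the high-impact/low-likelihood case that a product matrix scores deceptively low.

```python
from dataclasses import dataclass, field

# Ordinal scales for likelihood and consequence. In AS/NZS 4360 terms these
# belong to the "establish the context" step; the labels and values below are
# constructed for this example, not copied from the standard's appendix E.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Control:
    """A current control, credited as the number of steps it removes from a scale."""
    name: str
    likelihood_steps: int = 0
    consequence_steps: int = 0


@dataclass
class Risk:
    """A well-named risk: the event plus its impact on an objective.

    likelihood/consequence are assessed with every control assumed to have
    failed; controls are then credited separately."""
    name: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)


@dataclass
class Criteria:
    """Evaluation criteria agreed in the context step, kept out of the matrix."""
    tolerable_score: int        # scores at or below this need no treatment
    escalate_consequence: int   # a consequence at/above this level is always treated


def _clamp(level, low=1, high=5):
    return max(low, min(high, level))


def uncontrolled_score(risk):
    """Risk analysis with all controls failed: likelihood x consequence."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def controlled_levels(risk):
    """Likelihood and consequence levels after crediting the current controls."""
    lik = LIKELIHOOD[risk.likelihood] - sum(ctl.likelihood_steps for ctl in risk.controls)
    con = CONSEQUENCE[risk.consequence] - sum(ctl.consequence_steps for ctl in risk.controls)
    return _clamp(lik), _clamp(con)


def evaluate(register, criteria):
    """Risk evaluation: compare each analysed risk with the criteria and rank
    the register for treatment, highest controlled score first."""
    rows = []
    for risk in register:
        before = uncontrolled_score(risk)
        lik, con = controlled_levels(risk)
        after = lik * con
        # A product matrix lets a low-likelihood/high-impact event score low;
        # the escalation criterion catches it on the uncontrolled consequence.
        escalated = CONSEQUENCE[risk.consequence] >= criteria.escalate_consequence
        rows.append({
            "risk": risk.name,
            "uncontrolled": before,
            "controlled": after,
            "control_benefit": before - after,      # how much the controls matter
            "needs_treatment": after > criteria.tolerable_score or escalated,
            "controls_ineffective": bool(risk.controls) and after == before,
        })
    rows.sort(key=lambda r: (r["controlled"], r["uncontrolled"]), reverse=True)
    return rows


# Constructed sample register (security objectives invented for the example).
REGISTER = [
    Risk("Inability to retain incident responders delays containment beyond the 4-hour objective",
         "likely", "major",
         controls=[Control("retainer with external IR firm", consequence_steps=1)]),
    Risk("Ransomware on file servers halts order processing for a week",
         "possible", "catastrophic",
         controls=[Control("offline backups, restore tested monthly", consequence_steps=2),
                   Control("phishing-resistant MFA", likelihood_steps=1)]),
    Risk("Tailgating on a lost visitor badge gives access to the server room",
         "likely", "minor",
         controls=[Control("visitor sign-in sheet")]),   # recorded, but changes nothing
]

CRITERIA = Criteria(tolerable_score=8, escalate_consequence=5)

if __name__ == "__main__":
    for row in evaluate(REGISTER, CRITERIA):
        print(row)
```

Run as-is, the register comes out with the staffing risk first (controlled score 12), the tailgating risk second (8, flagged because its only control makes no difference) and ransomware last (6, down from 15), yet ransomware is still marked for treatment because its uncontrolled consequence meets the escalation criterion. Changing the numbers in `Criteria` changes the decisions without touching the scales, which is the point of settling criteria in the context step.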
Does it work in practice?
In 2000, Standards Australia published Organisational experiences in implementing risk management practices.[3] This set out the experiences of an insurer, two airlines, a mining company, a port and a telecommunications firm, all major Australian organisations. Each used risk management to break down barriers and improve performance, and it worked for them, but one of the key lessons learnt was that there must be buy-in and direction from the top.
Six years later, chartered accountancy and management consultancy Ernst & Young published a survey[4] covering 400 corporate leaders from some of the world’s largest companies. An appendix for Australia and New Zealand found companies there were less risk-averse than in other countries, and more familiar and engaged with the risk-management process set out in AS/NZS 4360.
Interestingly, many Australian and New Zealand companies thought they had much to do to align risk and line management, probably because of 11 years’ experience with the standard. To quote the report: “Their greater understanding of risk-management best practice makes them more critical of their own performance.” Companies elsewhere were more confident (perhaps overconfident?) of their risk-management abilities.
There may also be a link to corporate governance requirements for risk management down under. For example, the New Zealand Securities Commission handbook on corporate governance contains nine principles,[5] one of which (principle 6) requires that: “The board should regularly verify that the entity has appropriate processes that identify and manage potential and relevant risks.”
In my experience, some companies in New Zealand have successfully used AS/NZS 4360 to drive growth and strategy. One engineering and services group carries out a risk assessment for every tender, for example. Their problem now, however, is that they have reached the limits of possible clients for their services. Some public-sector organisations are using AS/NZS 4360 to help ensure effective service delivery. Conversely, organisations with no, or limited risk management often have a rocky road.
It has also been evident that failure to consider the context, communicate and consult, and monitor and review stages has led to deficient risk assessments and management.
The HSE publication Five Steps gives a simple approach to risk assessment[6] and is roughly comparable to the risk assessment part of AS/NZS 4360. However, it makes no mention of context, nor of the need to communicate and consult, nor to monitor and review. For simple, purely safety-related risks this might be satisfactory, but such risks can be few and far between.
Indeed, research for the HSE on Five Steps by Neathey et al[7] found that: “Risk assessments are not always comprehensive, and a number of establishments did not include all areas of work or all groups of employees in their assessments.” In other words, the lack of a context statement meant some people were left out of safety-related risk assessments.
The UK Association of Insurance Risk Managers’ model[8] is closer to AS/NZS 4360 than Five Steps but lacks the detail of the joint standard.
The international standard — ISO 31000
Work on development of the international standard from AS/NZS 4360:2004 began about three years ago and, at the time of writing, had reached the point of voting on the final draft, with final approval expected any time now. In New Zealand and Australia, plans are already in hand to adopt it as a joint standard and to update the supporting handbooks.
ISO Guide 73, Risk management — vocabulary, has already been approved as a revision of the 2002 ISO/IEC edition and sets out definitions for risk-management terms.[9] Work on another international standard, Risk Assessment Techniques, is proceeding and a consultation draft may emerge in 2010.
ISO 31000 can be applied to any type of risk — with a few provisos. Firstly, the new definition of risk is “the effect of uncertainty on objectives”. The notes to the definition include: “Objectives can have different aspects, such as financial, health and safety, and environmental goals, and can apply at different levels such as strategic, organisation-wide, project, product, and process.” Thus, an organisation must set objectives that are relevant to its risk profile.
Secondly, we need to understand what is meant by uncertainty. The fifth note to the definition of risk says: “Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.” In other words, uncertainty can be:
- a lack of information, or understanding, or knowledge of either the initiating event, or change in circumstances; or
- the consequences or the likelihood of the event; or
- several of these.
Risk management is now defined as “the coordinated activities to direct and control an organisation with regard to risk”. The word “culture” has gone into guidance on establishing the internal context but is also mentioned in the external context.
Thirdly, therefore, effective risk management must be mandated and directed from top management if there are to be “coordinated activities to direct and control an organisation with regard to risk” (the new definition of risk management). This has been very clear in the two studies mentioned earlier.
Next steps
When the international standard is published buy a copy, as it is likely to become widely used and influential in a wide range of national and international settings. Spend time reading it and absorbing the meaning of the words. If your organisation uses Five Steps, pay attention to the steps the HSE guide does not cover, i.e. context, communication and consultation, and monitoring and review. Think about who in your organisation you can work with to build a picture of actions in those areas.
Determine the governance requirements for your organisation or sector, and identify what is said about risk and risk management. For example, the London Stock Exchange has published a practical guide to corporate governance,[10] which is the same in sense, if not in exact words, as the corporate governance guidance in Australia and New Zealand. The Stock Exchange guidance applies only to listed companies, but there is similar UK guidance for the public sector.
Talk to senior management about the benefits of effective risk management — it is not just about prevention of harm! (This is well set out in ISO 31000.) Offer to develop ideas for the creation of a risk-management framework. This will require work across the organisation.
Keep looking for and asking about uncertainty and the effect it could have on objectives. One response to uncertainty is resilience (the “adaptive capacity of an organisation in a complex and changing environment”). Resilient organisations don’t know what is coming next but are able to respond to the uncertainties of life and adapt to change.
Further information
A list of current risk-management handbooks and standards published by Standards Australia and Standards New Zealand, and other Risk Management Ltd publications, is available at www.riskmgmt.co.nz/publications
References
1 SA SNZ AS/NZS 4360:2004: Risk Management, Standards New Zealand, Wellington
2 SAA SNZ HB 436:2004: Risk Management Guidelines: a companion to AS/NZS 4360:2004, Standards New Zealand, Wellington
3 SA HB 250:2000: Organisational experiences in implementing risk management practices, Standards Australia, Sydney
4 Ernst & Young (2006): Companies on risk — The benefits of alignment, Melbourne
5 Securities Commission (2004): Corporate Governance In New Zealand — Principles and Guidelines: A Handbook for Directors, Executives and Advisors, Securities Commission, Wellington
6 HSE (2003): Five Steps to Risk Assessment (Advisory Paper INDG163(rev1)), HSE Books
7 Neathey, F et al (2006): An evaluation of the five steps to risk assessment (HSE Research Report 476), HSE Books
8 AIRMIC (2002): A Risk Management Standard, AIRMIC, ALARM, IRM, London
9 ISO Guide 73 (2009): Risk management vocabulary — guidelines for use in standards, ISO, Geneva
10 Carey, A (2004): Corporate Governance: a practical guide (Report, London Stock Exchange)
Chris Peace is a risk-management consultant based in New Zealand.