The international standard ISO 31000 Risk Management – Guidelines was first released in 2009, and in Australia the standard soon replaced the local AS 4360. Over the past few years ISO 31000 has undergone its first review, and the revised standard was released in February 2018.

The focus of the review was to make the standard clearer, simpler and shorter.

At the end of the day, the core requirements of the standard remain much the same. Primarily, the changes in the 2018 version are:

  • The principles of risk management are summarised without loss of any key messages;
  • An emphasis is placed on the purpose of the risk management framework being to integrate risk management into all organisational activities and functions, including governance and decision-making;
  • Responsibility is given to top management and oversight bodies to ensure this integration occurs and to demonstrate leadership and commitment;
  • Integration of risk management across all decisions and activities means the process is iterative and draws on new knowledge and experiences as they arise;
  • Recognition is given to the fact that there can be many applications of risk management processes across an organisation, customised to the context where they are applied; and
  • Recognition is also given to the fact that human nature and organisational culture are variable, and that these variabilities need to be considered throughout the risk management process.

One of the immediate effects on organisational processes of the new focus of integration is that risk management should no longer be done on a periodic basis (e.g. quarterly, annually) but rather every time a business decision is made or a key business process or activity is undertaken.

Please contact QRMC for assistance to update your risk management processes.