The story of ISO 31000 – the best known ERM Standard – begins in 1992 with the collaborative effort of Standards Australia and Standards New Zealand. This article focuses on the important work between 1992 and 2004 by these organizations and how their ERM model known as AS/NZS 4360 became the foundation of ISO 31000.
- Chris Pearce, Standard and Deliver, The Safety of Health Practitioner, p. 44 (Oct. 16, 2009)
“The only true voyage of discovery, the only fountain of Eternal Youth, would be not to visit strange lands but to possess other eyes, to behold the universe through the eyes of another, of a hundred others, to behold the hundred universes that each of them beholds, that each of them is[.]” - French novelist Marcel Proust, Remembrance of Things Past, vol. 5 (1923)
In the previous section, we explained that in 1992, Standards Australia and Standards New Zealand, two national standardization bodies, created a Joint Technical Committee on Risk Management (“OB/7”) that would publish the first known standard for enterprise risk management: AS/NZS 4360. First published in 1995, AS/NZS 4360 was revised and reissued in 1999 and 2004. After 2004, AS/NZS 4360 became the building block of ISO 31000, which was published in November 2009. In this section, we highlight important aspects of the process for developing AS/NZS 4360 as well as key features of this first ERM standard.
Let’s start by highlighting the important aspects of the developmental process for AS/NZS 4360. As with any endeavor, it helps to get the right people in the room. The technical committee – OB/7 – that did the work comprised approximately 30 members who represented 21 different industry, professional and governmental organizations. Naturally, traditional risk management professionals (e.g., insurance managers, insurance brokers, etc.) served on the committee, but such professionals were outnumbered by peers with backgrounds in government, safety, technology, engineering, finance, planning, and academia. The breadth of knowledge, skills and experience on OB/7, in turn, helped ensure that the ERM process was not overly narrow and would be seen as a generic process capable of broad application regardless of industry or economic sector.
In addition to broad application, a generic process has a second virtue. Any effective organization-wide process such as ERM must be accessible and usable by people with little formal training in the underlying subject, whether those people are senior leaders, line managers, or employees carrying out day-to-day operations. Proceeding in this manner forces the use of clear and concise language, free from business jargon, and increases the likelihood that the ERM standard will serve as a meaningful “living guide” to promoting the health and well-being of the organization.
Before turning to an overview of AS/NZS 4360, there is an additional aspect of the developmental process for AS/NZS 4360 that merits attention: ongoing interdisciplinary collaboration. This collaboration began at the outset of the developmental process with the gathering of all available information on risk management. It continued during the drafting phase, which some committee members likened to the process of legislative drafting. Moreover, the drafting phase was enlarged to include a period of public comment that led to additional input and refinement of the ERM model. Once the drafting phase was completed and the initial version of AS/NZS 4360 was released in 1995, the interdisciplinary collaboration continued through the creation of guidelines and handbooks that explained how AS/NZS 4360 could be applied to a wide range of subjects such as the public sector, the environment, business continuity management, and healthcare. All of this activity, in turn, led to continued learning and refinement of AS/NZS 4360 and the issuance of revised versions in 1999 and 2004. The lesson in all of this is that ERM – when practiced well – becomes an evolutionary activity that grows organically with the organization.
In summarizing the key attributes of AS/NZS 4360, the model is best understood as containing five process steps: (i) establish the context, (ii) identify risks, (iii) analyze risks, (iv) evaluate risks, and (v) treat risks; and two continuing stages: (i) communicate and consult, and (ii) monitor and review. Further, the emphasis, whether intended or not, is on managing negative risk (i.e., threats and vulnerabilities), which we previously defined as decreasing the probability and severity of bad things happening. Below is a depiction of AS/NZS 4360 as it first appeared in 1995: