AS/NZS 4360 - Risk Management Process

The Australian/New Zealand Standard for risk management, describing the risk concepts and the risk management process.

The discipline of risk management, according to the Australian/New Zealand Standard AS/NZS 4360.

Table of contents:

  1. Introduction
  2. Risk management requirements
  3. Risk management process
  4. Documentation
  5. Risk sources and impact

1. Introduction

Risk is the chance of something happening that will have an impact on objectives; it is measured in terms of consequences (the potential gain or loss) and the likelihood of that gain or loss.

Risk management is the culture, processes and structures that are directed towards the effective management of potential opportunities and risks. It is recognised as an integral part of good management practice. It is an iterative process consisting of steps which, when undertaken in sequence, enable continual improvement in decision-making.

Risk management is the term applied to a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. Risk management is as much about identifying opportunities as avoiding or mitigating losses.

Risk management may be applied at all stages in the life of an activity, function, project, product or asset.


2. Risk management requirements

Risk management policy

The development of an organisational risk management policy and support mechanism is needed to provide a framework for carrying out more detailed risk management programs. The risk management policy shall be relevant to the organisation's strategic context and to its goals, objectives and the nature of its business. The policy should be communicated throughout the organisation, in particular to raise awareness of the management of risks.

Planning and resourcing

Management should commit to the establishment and implementation of a risk management system. The performance of risk management is reported to the organisation's management. The responsibilities and authority of the staff performing risk management shall be clearly defined and documented. Adequate resources shall be provided and the appropriate risk management skills should be acquired.


3. Risk management process


The risk management process is made up of a series of iterative steps, each with its own sub-processes, which undertaken in sequence support overall decision-making. These steps are:

Establish the context

This step establishes the strategic, organisational and risk management context for the rest of the process.

  • The strategic context defines the relationship between the organisation and its environment, covering the financial, operational, competitive, social, political, customer, legal and cultural aspects. Risk management is closely linked to the enterprise's mission or strategic objectives.
  • The organisational context describes the organisation and its capabilities.
  • The risk management context determines the goals, objectives, strategies, scope and parameters of the activity.
  • Risk assessment criteria, i.e. the decisions on risk acceptability and on risk treatment, are established for likelihood, consequences and controls, and the level of tolerance to risk is set.
  • The framework for risk management is defined :
    • The classification of risks and key consequences are defined;
    • The scope, objectives, terminology and methodology are clarified;
    • The available budget/financing is determined.

Identify risks

This step identifies the risks to be managed:

  • Identify what can happen (the risks);
  • Describe each risk by determining its possible causes and scenarios.

Techniques used to identify risks include checklists, records, experience, brainstorming, structured workshops, systems analysis and scenario analysis. A risk identification template should be established, listing the sources of risk (rows) against the areas of impact (columns):

  Sources of risk  | Area 1 | Area 2 | ... | Area j
  -----------------+--------+--------+-----+-------
  Source 1         |        |        |     |
  Source 2         |        |        |     |
  ...              |        |        |     |
  Source i         |        |        |     |

Analyse risks

The objective of risk analysis is to separate the minor, acceptable risks from the major ones and to produce a risk level for each:

  • Assess the relative likelihood of occurrence of the risk;
  • Identify the existing and new controls that reduce the likelihood or the consequences of the risk;
  • Identify the potential consequences and assess their severity in terms of magnitude for each risk;
  • Identify the cost of controls;
  • Assess the adequacy of the controls and evaluate their importance and benefits;
  • Produce the estimated risk level by combining the assessments of likelihood and consequences, taking the existing control measures into account.

The initial priorities of the risks are then determined using a matrix that combines likelihood and consequence, as shown below.

(Likelihood/consequence matrix: likelihood ratings such as "Almost certain" on one axis and consequence ratings on the other, each cell giving a risk level; the table itself did not survive extraction of the page.)
Techniques should be used to determine the consequences and the likelihood of events : past records, experience, industry practice, statistics, market research, experiments, models, judgements.

Risk analysis may be qualitative, semi-quantitative or quantitative:

  • qualitative analysis uses descriptive scales to describe the magnitude of potential consequences (minor, moderate, major) and the likelihood of occurrence (likely, possible, unlikely).
  • semi-quantitative analysis allocates numbers to the descriptive scales, allowing the use of formulas for prioritisation
  • quantitative analysis uses numerical values : consequences are expressed in terms of monetary or other criteria and likelihood as a probability, a frequency or a combination of exposure and probability

A sensitivity analysis can be used to test the effect of changes in assumptions and data.

Evaluate risks

Risk evaluation produces a prioritised list of risks for further action:

  • Compare the risk levels obtained from the analysis against the tolerance level set when the context was established;
  • Assess the existing levels of exposure in terms of the reductions in exposure that are achievable;
  • Rank the risks to establish management priorities.

Treat risks

Risk treatment consists of determining what will be done in response to the identified risks.

  • Treatments are selected from the following options:
    • Accept the risk as it stands (when its level is within the established tolerance);
    • Avoid the risk by deciding not to proceed with the activity;
    • Transfer the risk (partially or fully) to another party, e.g. insurance, joint ventures, partnerships;
    • Reduce the likelihood of occurrence;
    • Reduce the consequences; and
    • Retain the residual risk that remains after treatment.
  • Assess the treatment options:
    • Consider feasibility, costs and benefits; the cost of a treatment must be reasonable in relation to the benefit obtained.
    • Recommend treatment strategies; a combination of options will often be required.
    • Select treatment strategies in priority order, based on the risk ranking or on cost-benefit analysis.
  • Treatment plans are developed by considering responsibilities, schedules, the available budget, the benefits expected from the actions/controls, and performance measures.
  • Manage and monitor the implementation of the action plan.

Monitor and review

Monitoring and review are an integral part of the risk treatment plan.

  • Monitor the effectiveness of the treatments through the treatment plans, strategies and management information systems;
  • Review all steps in the process, in particular to identify new risks and changes affecting the current assessments and the existing position;
  • Evaluate on an ongoing basis whether the treatment plan remains relevant as circumstances change.

A risk register database is the main management tool for monitoring risk. It contains a ranked list of risks, references to associated risk action plans and names of individuals responsible for each risk. Regular updating of the risk register should be part of the ongoing project management process.
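The analyse, evaluate and treat steps above, together with the risk register used to monitor them, can be exercised end to end. The following is an added example in Python and is not part of the page or of the standard's own text: the five-point likelihood and consequence scales, the matrix that maps them to four risk levels, the tolerance level and the four register entries are all constructed assumptions for illustration. It shows the semi-quantitative variant described earlier (numbers assigned to the descriptive scales) being used only to order risks that share a matrix level, and how recording a treatment leaves a residual rating that is re-evaluated against the same tolerance.

```python
"""Semi-quantitative risk register in the AS/NZS 4360 style: analyse (matrix),
evaluate (tolerance + ranking) and treat (residual risk). Added example code;
scales, matrix, tolerance and sample entries are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Descriptive scales ordered from lowest to highest (assumed five-point scales).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LEVELS = ["low", "moderate", "high", "extreme"]  # ordered risk levels

# Assumed qualitative matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE,
# each cell is an index into LEVELS. The matrix, not a product, decides the level.
MATRIX = [
    # insig  minor  mod  major  catas
    [0, 0, 1, 2, 2],  # rare
    [0, 0, 1, 2, 3],  # unlikely
    [0, 1, 2, 3, 3],  # possible
    [1, 2, 2, 3, 3],  # likely
    [2, 2, 3, 3, 3],  # almost certain
]

# Treatment options as listed in the "Treat risks" step.
TREATMENT_OPTIONS = {"accept", "avoid", "transfer", "reduce likelihood",
                     "reduce consequence", "retain"}


@dataclass
class Risk:
    """One register entry: rating inputs, responsible owner, treatment, residual rating."""
    risk_id: str
    description: str
    source: str               # one of the page's "sources of risk"
    area_of_impact: str       # one of the page's "areas of impact"
    likelihood: str           # assessed with existing controls in place
    consequence: str
    owner: str                # individual responsible for the risk
    existing_controls: str = ""
    treatment: Optional[str] = None
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None


def risk_level(likelihood: str, consequence: str) -> str:
    """Analyse: look the level up in the likelihood/consequence matrix."""
    return LEVELS[MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]]


def semi_quantitative_score(likelihood: str, consequence: str) -> int:
    """Numbers 1..5 assigned to the descriptive scales and multiplied; used only
    to order risks that share the same matrix level."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def effective_rating(r: Risk) -> tuple[str, str]:
    """Residual rating once a treatment has been recorded, otherwise the assessed one."""
    if r.residual_likelihood and r.residual_consequence:
        return r.residual_likelihood, r.residual_consequence
    return r.likelihood, r.consequence


def current_level(r: Risk) -> str:
    return risk_level(*effective_rating(r))


def evaluate(register: list[Risk], tolerance: str) -> list[tuple[Risk, str, bool]]:
    """Evaluate: rank the register (highest risk first) and flag each entry whose
    level exceeds the tolerance level fixed when the context was established."""
    def key(r: Risk) -> tuple[int, int]:
        lk, cs = effective_rating(r)
        return LEVELS.index(risk_level(lk, cs)), semi_quantitative_score(lk, cs)
    tol = LEVELS.index(tolerance)
    return [(r, current_level(r), LEVELS.index(current_level(r)) > tol)
            for r in sorted(register, key=key, reverse=True)]


def treat(r: Risk, option: str, residual_likelihood: str, residual_consequence: str) -> str:
    """Treat: record the chosen option and the residual rating; return the residual level."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    r.treatment = option
    r.residual_likelihood = residual_likelihood
    r.residual_consequence = residual_consequence
    return current_level(r)


def sample_register() -> list[Risk]:
    """Constructed sample entries (not taken from the page)."""
    return [
        Risk("R1", "Ransomware encrypts the billing database", "human behaviour outside the enterprise",
             "revenue and entitlements", "likely", "major", "CISO", "offline backups, tested quarterly"),
        Risk("R2", "Key supplier delivers late", "commercial and legal relationships",
             "timing and schedule of activities", "possible", "minor", "Procurement lead"),
        Risk("R3", "Flooding of the data centre", "natural events",
             "asset and resource base", "rare", "catastrophic", "Facilities manager"),
        Risk("R4", "Staff laptop holding customer data is lost", "human behaviour within the enterprise",
             "intangibles (reputation, goodwill)", "almost certain", "minor", "IT manager", "full-disk encryption"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r, level, above in evaluate(register, "moderate"):
        print(f"{r.risk_id}  {level:<8}  {'treat' if above else 'accept':<6}  {r.description}  [{r.owner}]")
    # Reducing the consequence of R1 leaves a residual risk within tolerance.
    print("R1 residual level:", treat(register[0], "reduce consequence", "unlikely", "moderate"))
```

Running the block ranks R1 (likely/major, extreme) first, then R4 and R3 (both high, separated only by the semi-quantitative score), then R2 (moderate, within the assumed tolerance and therefore accepted); treating R1 by reducing its consequence to unlikely/moderate brings its residual level down to moderate, after which re-running evaluate puts R4 at the top of the list for the next review.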

Communicate and consult

Communication and consultation are an important element of risk management. They are:

  • undertaken at each step of the process;
  • carried out with internal and external stakeholders; and
  • used to clarify the responsibilities of each stakeholder.

4. Documentation

Documentation is needed to:

  • demonstrate that the process is correctly managed;
  • provide evidence of a systematic approach to risk identification and analysis;
  • complete the knowledge database;
  • provide decision makers with a risk management plan for approval;
  • provide an accountability mechanism and tool;
  • facilitate monitoring and review;
  • provide an audit trail;
  • share and communicate information.

5. Risk sources and impact

Sources of risk include:

  • commercial and legal relationships
  • economic circumstances
  • human behaviour within or outside the enterprise
  • natural events
  • political circumstances
  • technology and technical issues
  • management activities and controls
  • individual activities

Areas of impact:

  • asset and resource base (including personnel)
  • revenue and entitlements
  • costs (direct and indirect)
  • people
  • community
  • performance
  • timing and schedule of activities
  • environment
  • intangibles (reputation, goodwill)
  • organisational behaviour

Risk classifications :

  • diseases e.g. humans, animals, plants
  • economic e.g. exchange rates, interest rates, stock exchange
  • environmental e.g. noise, pollution, contamination
  • financial e.g. contractual risks, fraud, fines
  • human e.g. riots, strikes, sabotage, error
  • natural hazards e.g. climatic conditions, earthquakes, vermin, volcanic activity
  • occupational health and safety e.g. inadequate safety measures, poor safety management
  • product liability e.g. design error, inadequate testing, quality control failure
  • professional liability e.g. wrong advice, negligence, design error
  • property damage e.g. fire, water, earthquakes, contamination, human error
  • public liability e.g. public access, safety
  • security e.g. cash arrangements, vandalism, theft, illegal entry
  • technological e.g. innovation, obsolescence, explosions, dependability

See also: ISO 31000, which superseded AS/NZS 4360 in 2009 (published jointly as AS/NZS ISO 31000:2009).
