ISO 31000:2009 Risk management
Photo by Mike Kononov / Unsplash

ISO 31000:2009 Risk management

In this article, we will be focusing on two popular methods of managing risk in projects, namely the Australian risk standard AS/NZ ISO 31000:2009 and the PMBOK® Guide approach. As an aspiring project manager, it is crucial to be familiar with these methods and to be able to apply them effectively in your projects. Despite the similarities between both approaches, there are differences in their terminologies. Therefore, we will provide explanations of terms used in both methods throughout the course. Additionally, we will cover other commonly used risk management methods by organizations and associations worldwide. If you work for an international company in Australia or overseas, you may have to adopt these methods. Finally, we will emphasize the importance of having a systematic and consistent approach, clear terminology, and effective record-keeping to effectively manage risks.

The ISO 31000:2009 standard provides guidelines to implement risk management principles in an organization. This standard is universal and applicable to all types of organizations, regardless of their specific risks or sectors. It is not intended for certification purposes, rather to provide a general approach to risk management.

The 'SA/SNZ HB 89:2013' and its international equivalent 'ISO 31010 Risk management - Risk assessment techniques' complements the ISO 31000 standard. This standard guides the selection and application of risk assessment tools and techniques.

However, it's important to note that the standard is a generic guide and should be tailored to the organization's context, sector, and project objectives. Managing risk at the operational level involves applying the risk management process to activities, projects, and programs.

The standard promotes risk management as an integral part of the management process. While the 'Executive' may be responsible for defining and documenting policy for risk management, all employees must play a part in interpreting and implementing risk management policies at the operational level.

The International Organization for Standardization (ISO) identifies several principles of risk management. The principles aim to increase the likelihood of achieving objectives, encourage proactive management, be aware of the need to identify and treat risk throughout the organization, improve identification of opportunities and threats, achieve compatible risk management practices between organizations and nations, comply with relevant legal and regulatory requirements and international norms, improve financial reporting, governance, stakeholder confidence and trust, establish a reliable basis for decision making and planning, improve controls, effectively allocate and use resources for risk treatment, improve operational effectiveness and efficiency, enhance health and safety performance as well as environment protection, improve loss prevention and incident management, minimize loss, improve organizational learning, and improve organizational resilience.

Although the process is described as 'iterative,' managing risk is not always neat and discrete. The dynamic nature of both the external and internal environments in which a project and the organizations exist and operate presents new and changing levels of risk. Risk (and risky opportunities) must be identified, analyzed, monitored, evaluated, and treated on an ongoing basis.

As your study progresses, we will examine each of the interconnected steps in the risk management process diagram shown in Figure 1. We will consider not only the theory of managing risk but also the application of the principles to all forms of organization. We will apply them to your work environment to satisfy the assessment criteria for this unit.

The diagram for the ISO 2009:31000 is very similar to the original AS/NZ 2004:4360 Standard in terms of its processes and the areas that are covered.

Technical Approach

The Risk Standard is a comprehensive and technical approach to risk management that aims to make discussions more scientific, factual, and impartial. It is designed to eliminate the influence of emotions that can often cloud the judgement and analysis of potential risks. The standard uses a number of key concepts, including the assessment of risk perception as the product of likelihood and consequence, the assumption that all decisions can be made rationally, and the objective assessment of risks. Additionally, the standard reduces risk management to checklists and audits, employs data analysis and decision analysis, and follows a rational process of hazard identification, all while disregarding elements such as bias, emotions, and vested interests.

The underlying belief of the Risk Standard is that there is information and data that can be collected to make informed decisions. However, in reality, risks are about the future, which is unknown and uncertain, making risk estimates actual forecasts. Also, there may be cost constraints that prevent the collection of necessary data.

For further information, you can watch the DVD titled "Risk Maker - Risk Taker: A Manager's Guide to Risk," available at