AS/NZS 4360 Risk Management

From The Secure Arc Wiki


This Standard provides a generic guide for managing risk. This Standard may be applied to a very wide range of activities, decisions or operations of any public, private or community enterprise, group or individual. While the Standard has very broad applicability, risk management processes are commonly applied by organizations or groups and so, for convenience, the term ‘organization’ has been used throughout this Standard.

This Standard specifies the elements of the risk management process, but it is not the purpose of this Standard to enforce uniformity of risk management systems. It is generic and independent of any specific industry or economic sector. The design and implementation of the risk management system will be influenced by the varying needs of an organization, its particular objectives, its products and services, and the processes and specific practices employed.

This Standard should be applied at all stages in the life of an activity, function, project, product or asset. The maximum benefit is usually obtained by applying the risk management process from the beginning. Often a number of discrete studies are carried out at different times, and from strategic and operational perspectives. The process described here applies to the management of both potential gains and potential losses.

The following information gives a brief account of the AS/NZS 4360 standard. Each requirement of the standard is broken down further into more specific sub-requirements that can be mapped back both to the Security Principles that drive them and to the Design Patterns that satisfy them.


Standards Outline

  • Establish Goals and Context
  • Identify Risks
  • Analyse Risks
  • Evaluate Risks
  • Determine the Treatments for the Risks
    • Avoiding the risk by discontinuing the activity that generates it.
    • Reducing the likelihood of the occurrence.
    • Reducing the consequences of the occurrence.
    • Transferring the risk.
    • Retaining the risk.
  • Monitor and Report on the effectiveness of Risk treatments
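The outline above is a single procedure: set the context (including how much risk is tolerable), identify risks, analyse them into a rating, evaluate that rating against the tolerance, treat what is over the line, then monitor what remains. The following Python is an added example of that procedure as a small risk register; it is not code from the standard or from this wiki. The 5x5 likelihood and consequence scales, the product-based rating bands, the "medium" tolerance and the sample risks are all assumptions chosen for illustration, since AS/NZS 4360 leaves scales and criteria to the organisation.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Likelihood(IntEnum):          # assumed 5-point scale
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):         # assumed 5-point scale
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


LEVELS = ("low", "medium", "high", "extreme")   # ordered rating bands (assumed)


def rate(likelihood: int, consequence: int) -> str:
    """Analyse: combine likelihood and consequence into a rating band.
    The product thresholds are an assumption for this example."""
    score = int(likelihood) * int(consequence)
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Context:
    """Establish goals and context: scope plus the risk-tolerance criterion."""
    scope: str
    tolerance: str   # highest rating band accepted without treatment


@dataclass
class Risk:
    """Identify risks: one register entry with its treatment history."""
    risk_id: str
    description: str
    likelihood: Likelihood
    consequence: Consequence
    owner: str
    avoided: bool = False
    retained: bool = False
    treatments: List[str] = field(default_factory=list)

    def rating(self) -> str:
        return "avoided" if self.avoided else rate(self.likelihood, self.consequence)


def needs_treatment(risk: Risk, ctx: Context) -> bool:
    """Evaluate: does the current rating exceed the tolerance from the context?"""
    if risk.avoided:
        return False
    return LEVELS.index(risk.rating()) > LEVELS.index(ctx.tolerance)


def treat(risk: Risk, option: str, steps: int = 1, note: str = "") -> Risk:
    """Treat: apply one of the five AS/NZS 4360 treatment options.
    'steps' is how many scale points a control is assumed to remove."""
    if option == "avoid":
        risk.avoided = True                                   # activity discontinued
    elif option == "reduce_likelihood":
        risk.likelihood = Likelihood(max(1, int(risk.likelihood) - steps))
    elif option in ("reduce_consequence", "transfer"):
        # Transfer (insurance, contract, outsourcing) shifts part of the impact
        # to another party; it is modelled here as a consequence reduction.
        risk.consequence = Consequence(max(1, int(risk.consequence) - steps))
    elif option == "retain":
        risk.retained = True                                  # accepted, rating unchanged
    else:
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatments.append(f"{option}: {note}" if note else option)
    return risk


def monitor_report(register: List[Risk], ctx: Context) -> Dict[str, List[str]]:
    """Monitor and report: residual risk still above tolerance after treatment."""
    report: Dict[str, List[str]] = {"above_tolerance": [], "retained": [], "avoided": []}
    for r in register:
        if r.avoided:
            report["avoided"].append(r.risk_id)
            continue
        if r.retained:
            report["retained"].append(r.risk_id)
        if needs_treatment(r, ctx):
            report["above_tolerance"].append(r.risk_id)
    return report


def build_example_register() -> Tuple[List[Risk], List[str], Dict[str, List[str]]]:
    """Run the whole process over constructed sample risks (not real data)."""
    ctx = Context(scope="customer web portal", tolerance="medium")
    register = [
        Risk("R1", "unpatched internet-facing app server exploited",
             Likelihood.LIKELY, Consequence.MAJOR, "platform lead"),
        Risk("R2", "credential theft via legacy FTP service",
             Likelihood.POSSIBLE, Consequence.MODERATE, "infra lead"),
        Risk("R3", "cloud region outage takes the portal offline",
             Likelihood.UNLIKELY, Consequence.MAJOR, "ops lead"),
        Risk("R4", "staff phished for portal admin credentials",
             Likelihood.ALMOST_CERTAIN, Consequence.MINOR, "security lead"),
        Risk("R5", "data-centre flood destroys primary site",
             Likelihood.RARE, Consequence.CATASTROPHIC, "ops lead"),
    ]
    flagged = [r.risk_id for r in register if needs_treatment(r, ctx)]   # R5 is within tolerance
    by_id = {r.risk_id: r for r in register}
    treat(by_id["R1"], "reduce_likelihood", 2, "patch SLA plus WAF")
    treat(by_id["R1"], "reduce_consequence", 1, "segment app tier from data tier")
    treat(by_id["R2"], "avoid", note="decommission FTP")
    treat(by_id["R3"], "transfer", 1, "multi-region failover under provider SLA")
    treat(by_id["R4"], "reduce_likelihood", 1, "MFA and awareness training")
    treat(by_id["R4"], "retain", note="accepted by CISO, review quarterly")
    return register, flagged, monitor_report(register, ctx)


if __name__ == "__main__":
    register, flagged, report = build_example_register()
    for r in register:
        print(f"{r.risk_id} {r.rating():>8}  {r.description}")
    print("flagged before treatment:", flagged)
    print(report)
```

Running it shows the point the treatment list makes: R4 is retained yet still rates "high", so the monitoring report keeps it on the above-tolerance list with its review note, while the avoided risk R2 drops out of evaluation entirely. Retaining a risk is a decision to accept it, not a reduction of it, and the register must record both the acceptance and who signed it off.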

Objectives and advantages of the AS/NZS 4360 standard are:

  • Offers a holistic and flexible approach to risk management. The AS/NZS 4360 standard addresses all types of risk in all types of organisations and industries. This adaptable process enables a consistent approach to risk management throughout the organisation.
  • Establishes an external context for risk management. AS/NZS 4360 emphasises the establishment of a context for risk management, external as well as internal. ERM is not a siloed function. It can have a central head, such as a chief risk officer, to co-ordinate risk management across the organisation, but the ownership of risk falls across varying areas of the business and is influenced by external factors. The AS/NZS 4360 standard starts with understanding the broad scope of drivers and influencers from both internal and external contexts.
  • Builds consultation and communication into the ERM process. ERM does not happen in a vacuum: it requires a collaborative environment to be successful. This means that all stakeholders (for example, risk executive, legal, business process owner/manager and business partner) need to be able to have input into every stage of the risk process.
  • Defines both threats and opportunities in its definition of risk. AS/NZS 4360 clearly and concisely illustrates that risk is about taking advantage of opportunities as well as mitigating threats. AS/NZS 4360 grasps the opportunity side of risk management by emphasising value creation and preservation.
  • Provides a wealth of risk handbooks for practical advice. AS/NZS 4360 is accompanied by a set of implementation handbooks for using the standard in different situations. This expanding set of resources provides implementers with a broad portfolio of practical help.
  • Supplies the foundation for a new ISO risk management standard. At the time of writing, AS/NZS 4360 was being used by an ISO working group as the basis for a draft international risk management standard, planned as a working draft in 2007 with a final published standard targeted for 2008. That work was published as ISO 31000 in 2009, and AS/NZS 4360:2004 was subsequently superseded by AS/NZS ISO 31000:2009.

Standard Practice

AS/NZS 4360 provides a generic guide for establishing and implementing the risk management process, which involves establishing the context, identification, analysis, evaluation, treatment, monitoring and review, and consultation and communication. This Standard may be applied at every stage in the life of an activity, function, project or asset generated by any public, private or community enterprise or group.

Licensing and Documentation

The licence associated with the AS/NZS 4360 standard does not permit public distribution or reproduction; however, a copy can be purchased for personal or business use directly from the SAI Global website.

More information can be found at SAI Global.
