Risk management standards and handbooks

Consistent with the Society’s goal of improving the knowledge and practice of risk management in New Zealand, the Society strongly supports the consolidation and codification of knowledge about risk management in publicly available standards and handbooks. This codification provides for the use of a common vocabulary and a common understanding of the risk management process within and between organisations.

Standards development
The process for development or adoption of standards and handbooks provides for public comment to which any individual can contribute. For New Zealand, many, but not all standards and handbooks about risk management are developed by a joint Standards New Zealand /Standards Australia committee known as OB-007 on which the Society is represented. A description of the work of this committee can be found here.

The standards listed
As the number of standards documents relating to risk management is large, this page lists only those standards and guidance documents which directly describe risk management methodology and include risk management in the title. The page also only lists documents developed or endorsed (a process formally known as declaring) by the above Standards bodies.

 As risk management is a developing discipline, it is clear that any standard will be a representation of accepted practice at the time of development. To deal with this, standards are periodically updated, making the publication date important. In the case of risk management, the publication of AS/NZS ISO 31000 provides a significant point in standards development as it is intended internationally to act as a high level standardising document.

In recognition of this, these Listings are provided in three sections:

1. Those documents which conform to AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
2. Documents that are current but have not yet been updated since the publication of AS/NZS ISO 31000:2009
3. Documents now superceded or amended by publication of AS/NZS ISO 31000:2009

The Society wishes to make it clear that listing in this way does not imply any general judgement on the quality of the documents listed in each section.

This page is continually updated to reflect new developments in risk management standards and guidance documents. The listings provide links to enable purchase of each document and, where applicable, there are links to more detailed information and comment about these documents available within the Members-only pages of the website.

The Society gratefully acknowledges the assistance of several Society members including Geraint Bermingham, Roger Estall and Chris Peace in preparing the material on this page. 

1. Documents conforming with AS/NZS ISO31000:2009 


A. Standards and normative documents


AS/NZS ISO 31000: 2009 Risk Management – Principles and guidelines
This document is the Standards Australia/ Standards New Zealand adopted version of this international standard. It is identical to its parent document apart from material in the introduction to explain the transition from AS/NZS 4360:2004 which it replaces. ISO 31000:2009 provides a generic approach to managing risk effectively, designed to be is applicable to all forms of risk and all forms of organisation. It is the result of a consensus formed by experts from many nations as well as public comment from many of the 163 member countries of the International Standards Organisation.

It also serves as a ‘peak’ standard to harmonise other standards dealing with specific areas of risk management.

The Standard is built around three fundamental pillars: risk management principles, risk management framework (i.e. the intent and capacity to manage risk effectively), and risk management process (how risk is recognised, assessed and modified). It concludes with both ‘outcome’ and ‘attribute’ tests that can be applied to judge the effectiveness of an organisation’s risk management. The risk management process is for all practical purposes identical to that in AS/NZS 4360:2004.

Copies of the Standard can be obtained from Standards New Zealand by following this link.

Further extensive explanation and commentary about the Standard is available to Society members here.

ISO/IEC Guide 73:2009 Risk management – Vocabulary
This document, which replaces an earlier version, provides an extensive set of defined risk management concepts for application in every standard about risk management. (Guide 73 is therefore a ‘normative’ companion document to ISO 31000:2009.) The Society recommends that communications and discussions about risk management use terminology as set out in this document. This recommendation encompasses both general in risk management communications and formal documents.

Copies of this document can be obtained from Standards New Zealand by following this link.

AS/NZS 5050: 2010 Business continuity: management of disruption-related risk
AS/NZS 5050 applies AS/NZS ISO 31000:2009 to disruption-related risk and thereby assists organisations to build resilience. Building on earlier concepts (often called 'business continuity management'), this Standard ensures that all aspects of managing disruption-related risks are considered. This includes the factors which can lead to a disruptive event and influence the size of the event, and the factors that influence the nature, scale and likelihood of the disruptive effects. Particular attention is given in both risk assessment and risk treatment to those activities, resources, processes, and dependencies of the organisation that are most critical. A method for third party verification of the elements of the organisation’s management system, through which this risk is managed, is provided for those organisations which require this.

Copies of the Standard can be obtained from Standards New Zealand by following this link.

Further detail about the Standard is available to Society members here.


B. Handbooks


Handbooks are generally intended to provide guideline material that assists in the application of a particular standard.


SA/ SNZ HB 203: 2012 Managing Environment related risk
This handbook is a substantial update and rewrite of a document originally published in 2000, and revised in 2006. It provides guidance on implementing AS/NZS ISO 31000 in the context of environmental risks and their management, providing advice in respect of the application of the Standard’s risk management, principles, framework and process in the environmental context. The Handbook also contains a number of appendices. These include; comparisons of risk related terminology in different systems and organisations, legal definitions of ‘the environment’, and approaches to establishing tolerable risk in the context of environmental management.
Copies of HB 203:2012 can be obtained from the Standards New Zealand website here.

SA/SNZ HB 327:2010 Communicating and consulting about risk
This handbook was written as a companion to AS/NZS ISO 31000 and is design to explain the ‘communicate and consult’ element of the risk management process in more detail. The handbook explains why communication and consultation are essential for good risk management and sets out how to do this effectively. The handbook also explores how to take account of the mix of facts, uncertainties, perceptions, complexities and belief which form part of making decisions about risk. It includes several case studies taken from New Zealand and Australian contexts.

Copies of HB 327:2010 can be obtained from Standards New Zealand by following this link.

SNZ HB 246: 2010 Guidelines for risk management in sport and recreation organisations
HB 246 explains how to apply the risk management principles, framework and process of AS/NZS ISO 31000:2009 to all forms of organisation in the sport and recreation sectors in Australia and New Zealand – both professional and recreational. It contains many examples and includes background information about the law, good governance and the role of local government in sport and recreation. A rolling case study of a typical organisation is used to illustrate each step of the risk management process. HB 246 is intended mainly for those responsible and or accountable for ensuring that risk is managed effectively in their organisation.

The handbook itself can be obtained from the Standards New Zealand website here.

SA/SNZ HB 266: 2010 Guide for managing risk in not-for-profit organizations
This handbook has been designed to help all forms of not-for-profit organisation to apply AS/NZS ISO 31000:2009 in order to increase the likelihood of success. It includes tools and templates applicable to each step of the risk management process. These are scalable to various sizes of organisations. The Handbook will be particularly useful to those organisations needing to demonstrate to charitable supporters that the organisation is being managed effectively and in accordance with the principles of good governance.

SA/SNZ HB 266:2010 can be obtained from the Standards New Zealand website here.

AS HB 158: 2010 Delivering assurance based on ISO 31000:2009
This handbook was developed jointly by OB-007 and the Institute of Internal Auditors-Australia to assist assurance providers to plan and implement their work using the information that arises from an organisation managing risk in accordance with ISO 31000. It also describes how to provide assurance that an organisation’s risk management framework and processes are aligned to 31000. One of its purposes is to facilitate communication between risk management specialists and assurance providers.

The handbook can be obtained from the website of SAI Global here.

SA/SNZ HB 141:2011. Risk Financing Guidelines
HB 141:2011 explains the role of risk financing as a risk treatment in the context of the risk management process as set out in AS/NZS ISO 31000: 2010. It describes both common risk financing techniques (such as insurance and self funding) and other less frequently used methods, such as those offered by the capital markets. Each description explains where the particular technique may be suitable as well as pointing out factors which may affect its reliability. The Handbook is not intended as an advanced text for risk financing specialists, rather it is intended both to provide core basic knowledge of the techniques for directors and managers responsible for risk financing, and to provide broader background knowledge to risk financing specialists. It contains illustrative examples as well as referring to relevant parts of the New Zealand and Australian financial regulatory regimes.
Copies of HB 141:2011 can be obtained from Standards New Zealand by following this link.


2. Pre AS/NZS ISO31000:2009 documents

These documents provide useful advice on various aspects of risk management but have not yet been updated following publication of the AS/NZS ISO 31000:2009. Consequently the concepts and vocabulary may not be fully aligned with this international standard. The Society therefore recommends that they should be used with caution with attention being given to the implications of any differences in concept or terminology from AS/NZS ISO31000:2009. 


A. Standards and normative documents


NZS 9401: 2008 Flood risk management – A process Standard
This standard, which references (but did not strictly conform to) AS/NZS 4360, offers a high-level, decision-making framework for managing flood-related risk in relation to river catchments. Consistent with the management of any form of risk, there is particular focus on “context” with the interactions between catchment geography, precipitation, legislation, land use decisions, engineering, societal expectations and contingent capacity and arrangements being highlighted.

Copies of the Standard can be obtained from Standards New Zealand by following this link .

AS/NZS ISO/IEC 16085: 2007 Information technology - Systems and software engineering - Life cycle processes - Risk management 
This standard is a joint ISO/IEC (International Standards Organisations and International Electrotechnical Committee) standard that has been jointly adopted by Standards New Zealand and Standards Australia. It provides guidance for the management of risk during software acquisition, supply, development, operations, and maintenance.

Copies of the Standard can be obtained from Standards New Zealand by following this link.

AS/NZS 4810.1: 2000 Medical devices - Risk management - Application of risk analysis (2)
Specifies a procedure for investigating, using available information, the safety of a medical device, including in- vitro diagnostic devices or accessories, by identifying hazards and estimating the risks associated with the device. It does not stipulate levels of acceptability (i.e. risk criteria) nor is it intended to give guidance on all aspects of management of risks related to medical devices. This Standard is identical with and has been reproduced from ISO 14971-1:1998.
This standard pre-dated ISO31000 by 9 years and so there are notable discontinuities with AS/NZS31000.

Copies of the Standard can be obtained from Standards New Zealand by following this link 



B. Handbooks


SA /SNZ HB 296: 2007 Legal risk management 
This document provides guidelines to lawyers on how to align their professional advice and services to clients to assist them to manage their risks, applying AS/NZS 4360:2004 in a more holistic way. It advocates provision of proactive services rather than just reactive measures such as dispute resolution. It places particular emphasis on organisations using lawyers as business facilitators and highlights the value of ‘preventative law’. As well as encouraging lawyers (whether in-house counsel or law firms) to take this wider approach, the Handbook is also useful for consumers of legal services to select the basis for engagement of legal advisors.

Copies of the handbook can be obtained from the Standards New Zealand website here.

SA HB 192: 2007 Guide for managing risk in motor sport 
SA HB 192:2007 is intended as guidance for those who are involved in motor sport and whose actions can contribute to the safety of participants, spectators, bystanders etc... It is intended to apply regardless of the motor sport-related organisation’s size or purpose. It is based on AS/NZS 4360:2004 and provides specific guidance in implementing that standard in a motorsport context.

The handbook can be obtained from the website of SAI Global here.

SA/SNZ HB 167: 2006 Security risk management 
HB 167:2006 outlines both the framework and elements that should be included in a process for managing security-related risk. The guidance in the handbook is broadly consistent with AS/NZS 4360: 2004. It intended for use by any size or type of organisation - from large multinationals to small businesses, government agencies and the not-for profit sector. 

Copies of the handbook can be obtained from the Standards New Zealand website here.

SNZ HB 4525: 2006 Fire Risk Management Handbook
HB 4525 is intended to help identify how fires could start in a wide range of locations and provide simple precautions that will help prevent fires from starting, control their effects, and assist recovery. It encourages adoption of good fire risk management practices as a way of preventing injury, damage and disruption thereby helping ensure the delivery of organisational objectives.

The handbook includes definitions, processes, tools and examples and was written to be consistent with AS/NZS 4360:2004.

Copies of the handbook can be obtained from Standards New Zealand by following this link.

SAA/SNZ HB 436:2004 Risk Management Guidelines: companion to AS/NZS 4360: 2004
Originally written to accompany AS/NZS 4360:2004, this handbook provides explanation and guidance on the application of that standard. It contains detailed advice on each step of the risk management process. The handbook is being revised in the light of AS/NZS ISO 31000 but to the extent that the new standard employs the same process for managing risk, there is much which is still useful and relevant in this handbook. 

Copies of HB 436:2004 can be obtained from Standards New Zealand by following this link.

SA HB 205:2004 OHS Risk Management Handbook
This handbook was written to provide practical guidance on how to apply the risk management process to occupational health and safety related risks. It was written specifically for the Australian context and refers to Australian legislation and related concepts. SA HB 205:2004 is currently being revised to achieve conformance with AS/NZS ISO 31000: 2009.

The handbook can be obtained from the website of SAI Global here .

SA HB 240:2004 Guidelines for managing risk in outsourcing utilizing the AS/NZS4360:2004 process
Provides a guide to managing risks which arise when organisations outsource elements of their business. The handbook uses the risk management model in AS/NZS 4360: 2004 and includes case studies and a checklist of important issues to address when outsourcing.

The handbook can be obtained from the website of SAI Global here.

SA/SNZ HB 231: 2004 Information security risk management guidelines
Provides a generic guide for the establishment and implementation a risk management process for risks relating to information security.

Copies of the handbook can be obtained from the Standards New Zealand website here.

SNZ HB 4360: 2000 Risk Management for Local Government 
Despite the confusing numbering of this handbook, it is only concerned with assisting local authorities in meeting risk management requirements. As it was published before both the Local Government Act 2002 and the current international standard, it should be regarded as somewhat dated.

It postulates seven broad categories of risk – those concerning governance, legal compliance, business activity, built assets, human resources, information systems, and finance. The handbook also suggests organisational structures to implement and co-ordinate risk management in a local authority and, in this sense, foreshadows some of the concepts contained in the “framework” section of AS/NZS ISO 31000.

Copies of the handbook can be obtained from the Standards New Zealand website here.

3. Superseded Documents

The following documents have been superseded or amended by more recent documents, and while they may still be in use, it is recommended that the more recent document be used. As these documents are superseded, they are no longer available.


A. Standards and normative documents


AS/NZS 4360:2004 Risk Management
This standard has been superseded by AS/NZS ISO 31000: 2009.

AS/NZS 4360:1999 Risk Management
This document was superseded by AS/NZS 4360:2004 and in turn by AS/NZS ISO 31000.

AS/NZS 4360:1995 Risk Management
This document was superseded by AS/NZS 4360:1999 and in turn by AS/NZS 4360:2004 and now AS/NZS ISO 31000.


B. Handbooks


AS/NZS HB 141:2004 Risk Financing
This Handbook has been withdrawn and is shortly to be replaced by HB 141:2011 which conforms to AS/NZS ISO 31000.