In 2005, International Organisation for Standardisation (ISO) established a working group to develop the first internationalrisk management standard. An extensive consultative process resulted in AS/NZS 4360: 2004 (an Australian/New Zealand risk management standard with its origins dating to 1994) being reviewed and, at the end of the scheduled five-year process, the publication of ISO 31000: 2009 was proclaimed and released to the international marketplace.

The upshot of this extensive process is that, after 15 years, the standard which has underpinned the Australian/New Zealand approach to risk management has evolved to become the international standard.

Based upon 20 years of applying the principles enshrined in AS/NZS 4360, there are some strengths, and a few pitfalls, that I would like to share in applying this “new” international standard on risk management.


The Risk Management Process (refer to page vi of ISO 31000: 2009) succinctly captures the Systems Approach (my terminology) to Risk Management, as outlined in Diagram 1.

The Identify-Assess-Evaluate-Treat process has been implemented across Australia for more than a decade. Indeed, the Western Australian Government regulatory agency, WorkSafe Western Australia, opted to adopt this framework as the basis for a community-wide promotional programme called ThinkSafe SAM. This successful marketing campaign utilised SAM as an acronym for Spot (the hazard); Assess (the risk) and Make (the changes).

The Analyse Risks component of the “System” has given rise to numerous forms of qualitative risk assessment approaches, involving (in the main) simple risk assessment matrices. Although HB: 436 suggested a 5 x 5 matrix, I have seen many variants around this theme, ranging from a 3 x 3 matrix to a 5 x 6 approach. Risk assessment became viewed as a panacea, and the qualitative matrices were initially seen as something akin to the silver bullet by which zero harm could be delivered.

Although the flaws in the risk matrix as a silver bullet are self-evident, workplaces started to talk about risk, and regardless of which form of a qualitative matrix was being deployed, the workforce became engaged. Risk registers were developed, almost as a given, and safety professionals adopted terminology such as inherent and residual risk. Risk management as a fundamental element of occupational safety and health performance improvement efforts would not have been achievable without the advent of AS/NZS 4360 and its derivatives.


ISO 31000: 2009 (and its Australian/New Zealand forbears) is not without its critics. Challenges have been issued by no less than the author of the pre-eminent publication on risk management (Risk, 1995), John Adams (Emeritus Professor, University College, London) who has recently challenged the OSH community with the question “Is ISO 31000 fit for purpose?”

 I am an unabashed fan of Adams’ work, but it’s not in the philosophy of the risk management approach that I have difficulties – it’s in the application at the workplace.

The dark side of the implementation of risk matrices is the establishment of rules-based decisions on the outcomes of the risk assessment process. To properly articulate the issues, I need to introduce one of the risk assessment matrices, and use IFAP’s (Industrial Foundation for Accident Prevention) popular risk prioritisation tool to make my case.

In its simplest application, workers assess a potential workplace hazard and allocate a rating of the worst credible outcome (from Minor Injury through to Multiple Fatalities) of an energy exchange event involving the hazard as defined on the “consequence” scale. Once the worst credible outcome has been determined, workers then endeavour to establish the likelihood of the accident occurring as per the likelihood scale (Rare to Almost Certain). The intersection of the line drawn from the x-axis (Consequence) and the y-axis (Likelihood) provides a Risk Prioritisation value.

By way of example, a fall from a height of one metre might be determined to result in a Disabling Injury (a 3 on the Consequence Scale) and be allocated an Unlikely rating (D on the Likelihood Scale). The resulting Risk Prioritisation ranking is 17 (ie, 3-D intersection), which places it in the medium band of risk (by matrix colour).

This is not a complicated process and has led to acceptance by many workplaces. The concern is what happens as a result of the outcome of the risk assessment process.

Rules rigidity

Many workplaces I encounter use a rule-based approach to the outcome of the risk assessment process. For example, a risk priority (using the IFAP matrix) of less than 8 (the red zone) may mean that work is stopped until risk controls can be implemented. A risk in the yellow banding means that a Job Safety Analysis (JSA) and Work Method Statement (WMS) need to be written.

Revisiting our fall from one metre example, it is straightforward to propose that an unmotivated (in the risk management sense) workforce could readily consider that the fall from one metre will only lead to a Medical treatment Injury (4 on the Consequence Scale), the risk priority reduces from 17 to 21 (yellow to green) and the paperwork associated with the JSA/WMS process evaporates as if by magic.

Others quite rightly question as to “what comes first,” the Consequence or the Likelihood, and my colleagues at IFAP have been applying the risk prioritisation approach post-accident (where the Likelihood is always “Almost Certain” because the accident has happened). These discussions are invaluable because they can and do have a profound approach on the outcome of the risk assessment process.

Love it or hate it, ISO 31000 is with us, and despite its flaws, it does introduce a framework for risk management that has been honed from more than 15 years of experience in the Australian context.  The major issues arise when we, the safety profession, endeavour to make the qualitative tools advocated in the standard (and its companions) go beyond their design criteria.

Let’s not forget – a qualitative risk assessment approach isn’t about the destination – it’s about the journey – and if we manage to get our workforce talking about risk, the battle is nearly won.