Standards Australia emphasises Risk Management in AS/NZS5050 BCM Standard

The latest Standard to the be released titled “AS/NZ5050 - Business Continuity Managing disruption-related risk” comes from Standards Australia and arrived just a few months before the US BCM Standard jointly developed by the BSI and ASIS . 

In an interesting departure from established convention the Australia/New Zealand Standard takes different slant on key aspects of the process and connects far more with with risk management principles than others. The Standard itself declares that “the approach (taken) to managing disruption-related risk described in the Standard is through application of AS/NZS ISO 31000:2009, Risk management—Principles and guidelines.”

This is perhaps no surprise as many of the OB-007 committee responsible for the development of the Standard were involved in the development of the Risk Management Standard AS/ANS 31000:2009. Further explanation of the relationship between to the Standards is provided in the standard as follows:

AS/NZS ISO 31000:2009 

Risk management—Principles and guidelines is a globally accepted standard for managing all forms of risk.

It advocates that all risks should be managed in an integrated way, supported by an effective framework that sets policy, demonstrates commitment, provides resources, allocates responsibilities and constantly checks progress. It articulates principles for managing risk and also describes the same generic process for managing risks that, since AS/NZS 4360, Risk management, was first published in 1995, has been applied by organisations of all types in Australia and New Zealand.

The interrelationship of these elements of AS/NZS ISO 31000 (principles, framework and process) is illustrated in Figure 1.

AS/NZS 5050:2010

This Standard explains how to apply AS/NZS ISO 31000:2009 to disruption-related risks. It includes detailed guidance particular to the features of these risks and to the risk management framework through which they are managed.

The Standard therefore includes a methodology for determining how disruption can affect the continuity of the organisation's business and the likelihood of those effects being experienced. This requires a deep understanding of the operating environment as well as a detailed grasp of the organisation's objectives and risks. Particular attention is given to those activities, resources, processes and dependencies that are most critical.

In looking at the detail of the AS/NZ5050 Standard we can clearly see a much greater connection with the principles of Risk Management especially that address the frameworks for risk assessment and considerable emphasis on understanding and detailing the Risk treatment options available to the organisation.  

In some ways AS/NZ5050 seems to be creating a separate option for organisations placing Business Continuity Management under the wing of the organisations RM structures rather than reinforcing international consensus of BCM as a more adaptive and accessible tool.  It does though have to be stated that  most will see common ground throughout the Standard although we are sure there will considerable debate in the profession over the approach taken.

One thing we do feel is that AS/NZ5050 does raise interesting questions about how BCM can be applied within organisations; we can’t help but feel that for many less structured, experienced or indeed smaller organisations the Risk Management approach taken will prove challenging and they may feel as though the more autonomous  (international) standards offer greater accessibility or relevance to their needs. 

That said one thing is for sure the debate over how Risk Management and BCM are going to evolve will be with us for some time 

Copies of AS/NZS 5050:2010 can be obtained from SAI Global.