AS4360 leads the way on international risk management standard

For organisations operating at a multinational level, the minefield of different standards across multiple jurisdictions has meant that adopting a streamlined worldwide approach to managing corporate risks has proved a very challenging process. As a result, AS 4360 is becoming a popular benchmark globally for overseas corporations as a basic tool for their risk management framework and processes.A new international standard for risk management administered by the International Organisation for Standardisation to be known as ISO 31000 is anticipated to be largely modelled on Australian Standard AS 4360.

The development of this new international risk management standard is good news for Australian companies operating internationally; particularly those who already adopt the risk management framework and process that are set out in AS 4360. Given that ISO 31000 is anticipated to largely follow the principles set out in AS 4360, it is expected that there will be little cultural or systematic changes required when adopting this new standard.

ISO 31000 is due to be launched in September 2008 or March 2009 at the latest.

Reputation Risk and Business Continuity-are you prepared?

A recent global risk management study by AON has identified damage to reputation and business interruption as the two most significant risk exposures to business.

AON reported that damage to reputation is an enterprise wide event that can lead to a wide spectrum of adverse consequences including negative publicity, loss of revenue, costly litigation, a decline in customer base and the exit of key employees. The increasing pace of emerging technologies which speed up the information flow between territories and the increased pace of globalisation; serve to increase the severity of the consequences which flow from reputation risk issues.

Business continuity is another area identified by AON as a key concern for business. With events such as the September 11 attacks and the London bombings demonstrating the unpredictability of threats (and the consequent inadequacy of mere "scenario planning" as a risk management tool), there is a growing focus on resource loss planning and integrating human issues into business continuity planning.

In terms of industry, the finance sector has long been the "beacon" of business continuity planning with its focus on not only IT issues but also instilling a continuity culture among staff such that staff are actually involved in the testing of continuity plans and fully aware of these plans. A good example of this resource loss approach could be seen following the September 11 attacks where leading broker, Cantor Fitzgerald, lost 600 staff members yet was back in operation 2 days later.

While it would have been impossible to predict the nature of the scenario which led to such a devastating loss for Cantor Fitzgerald, the risk management philosophy which had been adopted by this organisation covering enterprise wide issues such as human resources, office facilities and technology (irrespective of the scenario) meant that the business was able to survive.

In Australia, the Australian Prudential Regulation Authority (APRA) and the financial institutions which are regulated have been working together to improve the resilience of the finance sector to pandemic planning.

The outcomes of the AON study as well as the advances which have been made in the finance sector represent an interesting shift in the risk management mindset from one of mere regulatory compliance ("tick the box" mindset) to a recognition that effective risk management needs to be a key component of an organisation's culture driven ultimately from the board level. Certainly organisations in other industries should take the time to examine the strategies that have been successfully used in the finance sector to understand how such methods can be successfully adapted to their own environment.

Recent cases

There have been recent cases in the public liability space which serve as a timely reminder of the importance of continuous risk management vigilance in any organisation.

Damages for psychological harm

A District Court decision made earlier this year highlights the extent to which a Court may infer liability from a safety related incident. In this case, it was held that a transport provider was liable (and damages were payable) under the provisions of section 5D of the Civil Liability Act 2002 (NSW) for psychological harm (depression) arising from a sexual assault to the plaintiff which occurred weeks after a fall at a location under the control of the provider (where the plaintiff had sustained a fractured ankle).

The plaintiff argued that the sexual assault would not have occurred had she been able to escape from the sexual predator. The District Court held that the depression suffered by the plaintiff (which she would not have suffered but for the ankle injury; but which she did suffer because of the sexual assault) was within the scope of the defendant's responsibility. Accordingly, damages were awarded in favour of the plaintiff not only for the physical injury and economic loss sustained from the fall but also for psychological harm sustained from the sexual assault.

Joint liability In another case, the New South Wales Court of Appeal found a local council was partially liable for injuries sustained by a cyclist who had collided with a bollard on a public pathway in a path under the control of the council. At the time of the accident, the pathway was dark and the cyclist had been travelling at speed. Although the plaintiff was using a good quality halogen headlight, the bollard had part of its reflector tape missing. The bollard had been placed in the park in order to deter maintenance workers from driving their vehicles along the path.

The trial judge at first instance had found in favour of the Council holding that the accident resulted from the cyclist's failure to keep a proper lookout.

On appeal the NSW Court of Appeal held that: • Bollards in the middle of the pathway created a real and significant hazard for cyclists (particularly at night time); • It was reasonably foreseeable that during the times that the reflector tape was missing, cyclists would be unlikely to see the bollard before impact and be injured; and • The Council's contribution to the cyclist's injuries was 50% taking into account the cyclist's own lack of forethought in riding at speed in the dark. Both these decisions are timely reminders of the consequences which can flow from what appear at first instance to be seemingly straight forward safety issues.

Organisations should regularly scan their external environment for incidents that could potentially affect their business. The hazards causing such incidents should be included in the business' Risk Register and if the risk is considered unacceptable, strategies developed and documented to prevent or mitigate the risk to within acceptable limits.

Wayne Middleton Principal