In 1995, the world’s first risk management standard, AS/NZS 4360: 1995 (ANZ/NZS 1995), was jointly issued by Standards Australia and Standards New Zealand. This standard provided a “generic framework for identification, analysis, assessment, treatment, and monitoring of risk” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 2). Although the AS/NZS 1995 standard is generic and does not enforce risk management system uniformity, it states that the “management of risk is an integral part of the management process” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 8), thus, this standard is diametrically opposed to the COSO Internal Control framework of 1992 that excludes risk management in its definition of internal control. The AS/NZS 1995 appears to advocate an ERM approach to risk management,
describing this as a “multifaceted approach, appropriate aspects of which are often best carried out by a multi-disciplinary team” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 8). The standard also recognises that in some situations, it may not be possible to integrate risk management across the organisation and under these circumstances it is proposed that “it may still be possible to apply it successfully to individual departments, processes, or projects” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 2).
The main elements of this iterative risk management process overview, shown at Figure 3.7 (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 9) are as follows.
• Establish the context – establish the strategic, organisation and risk management context for the rest of the process, including setting the criteria for risk assessment (e.g., operational, financial, etc.) and defining the structure of the analysis.
• Identify the risk – what, how and why things can arise, as the basis for further analysis.
• Analyse risks – estimate the level of risk based on the likelihood of an event happening and its potential consequences and magnitude.
• Assess and prioritise risks – compare risk levels (above) with previously established risk criteria in order to prioritise same for management. Note that low risk levels may be acceptable and, therefore, these do not require treatment. • Treat risk – for low priority risk accept and monitor; for other risks a
management plan should be developed and implemented and this should include funding considerations based on cost of risk reduction measures, as per Figure 3.8.
• Monitor and review – the performance of the risk management system and any changes that may affect it are to be monitored and reviewed.
The process itself, with a more detailed flow, is represented diagrammatically at Figure 3.9, and the risk treatment process at Figure 3.10.
Figure 3.7: AS/NZS 4360: 1995 Risk management overview (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 9)
Figure 3.8 shows how risk treatment options may be evaluated, based on “the extent of risk reduction and the extent of benefits or opportunities created” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 17). There is a cost versus benefit balance that needs to be achieved in treating risks, because “in general, the cost of managing risks needs to be commensurate with the benefits obtained” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk
Management 1995, p. 17). The standard recommends the implementation of options that have a high risk reduction with low cost associated with their implementation – this is shown by the area labelled ‘implement reductions measures’, in Figure 3.8. The shaded area in the middle of Figure 3.8, labelled ‘use judgement’ applies to that range of risk reductions options that need to be justified on a cost versus benefit basis. The clear right area under the curve labelled ‘uneconomic’ shows the range of decisions that should “take account of the need to carefully consider rare but severe risks, which may warrant risk reduction measures that are not fully justifiable on strictly economic grounds” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 17).
Figure 3.8: Cost of risk reduction measures (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 17)
Figure 3.9 shows a more detailed process than that of Figure 3.7, by providing additional information under each of the main elements discussed earlier, as well as introducing the ‘develop criteria’ step. “Criteria may be affected by internal and external perceptions and legal requirements. It is important that appropriate [risk
assessment] criteria be determined at the onset” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 12)
Figure 3.9: Risk management process (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 11)
The treatment process outlined in the flowchart at Figure 3.10 may only have limited application to Letter of Credit transactions because, often, documentary discrepancies are not able to be easily (if at all) corrected, especially when these relate to third party (externally issued) documents. Discrepancies are typically discovered by the bank documentary check procedures that take place after it has received the requisite
documents. By this stage the transport document has been issued because the goods have already been shipped. As discrepancies are a post-shipment event, preventative measures are not easily devised under such circumstances.
Figure 3.10: Risk treatment process (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 16)
The appendices to the standards provide examples of possible sources of risk (e.g., commercial/legal, human behaviour, economic circumstances, management activities and control, individual activities); classification of risk (e.g., economic and human perils, financial and diseases) and action to reduce or control likelihood and consequences (e.g., structured training and other programs [an issue that will be considered later in the thesis as part of the research data discussion] and contract conditions).
Although the AS/NZS 1995 Standard clearly advocates an enterprise-wide approach, the standard itself “is generic and independent of any specific industry or economic sector. The design and implementation of the risk management system will be influenced by the varying needs of an organisation” (Joint Standards Australia/Standards New Zealand Committee OB/7 on Risk Management 1995, p. 2). This standard, therefore, only provides a general framework, without any specific guidance on how these processes may work for a particular firm’s process. Whilst commercial relationships and human behaviour are identified as possible sources of risk, these are provided as generic examples, without any further detail or guidance in how to deal with them or how to implement appropriate risk management processes. The sample documentation provided in the standard includes a risk identification template, a risk register and risk treatment schedule and plan and a risk action plan but these are in simple form and not aligned to the documentary process risks inherent in Letter of Credit business. This generic approach, therefore, leaves it to the individual organisation to devise its own micro processes within the context of a broad macro standard. The lack of detail in the AS/NZS 1995 standard prevents it from being useful in the context of Letter of Credit transactions risks. For example, there is no clear identification of the risk components of Letter of Credit business, such as, country, customer or bank risk and, consequently, the AS/NZS 1995 standard is not appropriate to the purposes of this research.
The AS/NZS 1995 Standard was amended twice. The first amendment, in December 1995 merely rectified errors on the details of the committee’s participants. The second amendment in January 1998 replaced the word assessment with evaluation. These changes were incorporated in the subsequent version of the standard.
In 1999, a new version of the standard was published – AS/NZS 4360: 1999 Risk Management (AS/NZS 1999). The overall risk management process was enhanced and the overview, the risk management process and the risk treatment are shown at Figure 3.11, 3.12 and 3.13, respectively.
Figure 3.11: Risk management overview (Joint Technical Committee OB/7 - Risk Management 1999, p. 8)
By comparison with the original 1995 standard shown at Figures 3.7 and 3.9, the AS/NZS 1999 standard (Figures 3.11 and 3.12) added communication and consultation processes and what were once ‘assess and prioritise risks’ became ‘evaluate risks’ (these
are reflected by the yellow shaded areas) and the risk assessment (the background shadowed area in Figure 3.11, 3.12) included not only evaluation but also analysis. Figure 3.12: Risk management process (Joint Technical Committee OB/7 - Risk Management 1999, p. 11)
Communication and consultation processes were also added to the risk treatment flowchart (see Figure 3.10 versus Figure 3.13). These changes were regarded as an improvement to the original standard, however, the criticism about the lack of detail in the 1995 standard equally applies to the 1999 version. This version did not provide any more guidance than the generic framework that was touted to be applicable to any “public, private or community enterprise or group” (Joint Technical Committee OB/7 - Risk Management 1999, p. 1).
Figure 3.13: Risk treatment process (Joint Technical Committee OB/7 - Risk Management 1999, p. 17)
The AS/NZS standards no doubt contributed to the world-wide discussion of risk management processes. Despite differences between COSO Internal Control 1992 and the AS/NZS 1995 and 1999 standards, ideas were beginning to emerge slowly in favour of more inclusive risk management processes.