ISO 31000

From Wikipedia, the free encyclopedia

ISO 31000 is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.[1]

The goal of these standards is to provide a consistent vocabulary and methodology for assessing and managing risk, addressing long-standing ambiguities and inconsistencies in how risk has traditionally been defined and described. They are designed to be compatible with and integrated into existing management systems, supporting a unified and systematic approach to risk across all organizational functions.

Introduction

ISO 31000 was published as a standard on 13 November 2009 and provides guidance on the implementation of risk management. A revised and harmonized ISO Guide 73 (risk management vocabulary) was published at the same time. The purpose of ISO 31000 is to provide guidelines for managing the risks faced by organizations using a common approach for any type of risk; it is not industry- or sector-specific. Its intended users are "any public, private or community enterprise, association, group or individual."[2]

An updated version of ISO 31000 was published in February 2018, replacing the original 2009 edition. The 2018 revision introduced clearer and more concise language, placing greater emphasis on the integration of risk management into core business activities, decision-making processes, and organizational culture. It also reinforced the leadership role of top management in embedding risk management throughout the organization and promoted a more flexible, principles-based approach adaptable to organizations of all sizes and sectors.

ISO 31000:2018 was reviewed and confirmed without changes in October 2023 and remains the current edition until the next five-yearly review.

Scope

ISO 31000 provides a set of principles, guidelines for the design and implementation of a risk management framework, and recommendations for the application of a risk management process. The risk management process as described in ISO 31000 can be applied to any activity, including decision-making at all levels.

ISO 31000 helps companies establish the backbone of their Enterprise Risk Management (ERM) by providing a structured and principles-based framework for integrating risk management into all aspects of the organization. It guides companies in:

  • Defining a clear risk management policy aligned with objectives and culture
  • Establishing governance and accountability through leadership involvement
  • Embedding risk processes (identification, analysis, evaluation, treatment) into decision-making
  • Ensuring continuous improvement through monitoring and review

By following ISO 31000, organizations can build a consistent, organization-wide approach to managing risk that supports strategic goals and operational resilience.

Definitions

ISO 31000 defines eight key terms related to the management of risk, forming the foundation for a consistent understanding of risk-related concepts across organizations. These terms are: risk, risk source, event, consequence, likelihood, risk identification, risk analysis, and risk evaluation. They are aligned with ISO 31073:2022 (formerly ISO Guide 73),[3] which provides a standardized vocabulary for risk management. ISO 31073 supports the implementation of ISO 31000 by ensuring clarity and consistency in risk communication, helping organizations align their terminology internally and externally across various sectors and disciplines.

About the definition of risk

One of the key paradigm shifts proposed in ISO 31000 is a change in how risk is conceptualised and defined. Under both ISO 31000 and ISO Guide 73, "risk" is no longer defined as the "chance or probability of loss" but as the "effect of uncertainty on objectives", so that the word "risk" refers to the positive as well as the negative consequences of uncertainty.

A similar definition was adopted in ISO 9001:2015 (Quality Management Systems),[4] in which risk is defined as the "effect of uncertainty." Additionally, a new risk-related requirement, "risk-based thinking", was introduced there.[5]

Structure

The management of risks explained in the ISO 31000 standard is founded on three core components: principles, a framework, and a process. These elements work together to ensure that risk management is structured, integrated, and aligned with organizational objectives. The principles guide the overall intent and value of risk management, the framework embeds it into the organization’s governance and operations, and the process provides a systematic approach for identifying, assessing, and addressing risks.

The relationship between the principles, the framework and the process is shown in Figure 1 of the standard, which is available on the ISO Online Browsing Platform.[6]

Purpose of risk management. The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.

Principles. The principles provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.

ISO 31000:2018 sets out eight principles that characterize effective risk management:

  • Integrated – Risk management is an integral part of all organizational activities.
  • Structured and comprehensive – A structured and comprehensive approach contributes to consistent and comparable results.
  • Customized – The framework and process are tailored to the organization’s external and internal context.
  • Inclusive – Appropriate and timely involvement of stakeholders enables informed decision-making.
  • Dynamic – Risk management anticipates, detects, acknowledges, and responds to changes.
  • Uses best available information – Inputs to risk management are based on historical and current data, as well as future expectations.
  • Considers human and cultural factors – Human behavior and culture significantly influence risk management.
  • Continual improvement – Risk management is continuously improved through learning and experience.
Framework. The purpose of the risk management framework is to support the integration of risk management into the organization’s key activities and functions. Its effectiveness depends on how well it is embedded within the organization’s governance structure, particularly in decision-making processes. Achieving this integration requires active support from stakeholders, especially top management.

Framework development involves designing, implementing, evaluating, and continually improving risk management across all levels of the organization. The framework’s components should enable a consistent and structured approach. The organization is encouraged to assess its current risk management practices, identify any gaps, and address them as part of the framework’s development.

Importantly, the components of the framework, and the way they interact, should be tailored to the organization’s context, objectives, and needs, ensuring relevance and effectiveness in practice.

Process. The risk management process is defined in ISO 31073:2022 as the "systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk."

Risk management should be an integral part of organizational management and decision-making, embedded into the structure, operations, and processes of the organization. It can be applied at various levels, including strategic, operational, program, or project levels.

There may be multiple applications of the risk management process within a single organization, each customized to specific objectives and adapted to the external and internal context in which it operates.

The dynamic and variable nature of human behavior and organizational culture should be considered throughout all stages of the process. Although the risk management process is often presented as a linear sequence, in practice it is iterative and adaptive, requiring continual adjustment as conditions change and new information becomes available.

Revision history

The following list summarizes the key revisions of ISO 31000 since its initial publication (version, publication date, key updates):

  • ISO 31000:2009 (November 2009) – First edition. Introduced a structured approach to risk management with guiding principles, a generic framework and a defined process.
  • ISO 31000:2018 (February 2018) – Second edition. Introduced clearer and more concise language, emphasized integration with governance and leadership, reduced the principles from 11 to 8, and aligned terminology with other ISO management system standards (Annex SL).
  • Confirmed without changes (2023) – ISO 31000:2018 was reviewed and confirmed as the current valid version without revision.

Note: ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004. Whereas the original Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the whole management framework that supports the design, implementation, maintenance and improvement of risk management processes.

Implementation

The intent of ISO 31000 is not to create a risk management system, but rather to integrate the management of risks into the existing management system of the organization. The standard provides a structured approach for embedding risk management into governance, strategy, planning, operations, performance management, and internal control systems — without requiring the creation of a separate or standalone system.

Implementation is context-dependent and should build on what already exists. Many organizations already have elements of risk management in place — such as risk registers, control frameworks, or compliance procedures — but they may lack coherence, consistency, or alignment with objectives. ISO 31000 helps unify these practices under a single set of principles, a clear framework, and a repeatable process for all types of risk.

Effective implementation typically focuses on:

  • Clarifying roles and responsibilities for managing risk
  • Integrating risk into decision-making at all levels
  • Developing shared risk assessment methods and aligning language across the organization
  • Connecting risk information to planning, reporting, and performance evaluation

Rather than being a compliance exercise, ISO 31000 implementation is about improving the quality of decisions and increasing the organization’s ability to manage uncertainty in pursuit of its objectives.
Implications

  • ISO 31000 is non-prescriptive: It does not require conformance but offers a detailed framework to strengthen risk management practices.
  • The framework helps organizations build the foundations (e.g., policy, objectives, leadership commitment) and arrangements (e.g., processes, roles, resources) needed for effective risk management.
  • Senior leaders must understand the implications of adopting the standard and develop strategies to embed it into all organizational processes, including operations, plans and projects, and strategy, across short-, medium- and long-term horizons.
  • In areas with less mature risk practices (e.g., R&D, innovation, CSR), significant changes may be needed—such as formal policies, clearer roles, and structured improvement efforts.
  • Organizations using older risk methods may need to enhance top management accountability, strategic alignment, and governance practices—especially in decision making processes.

Certification

  • Organizations. ISO 31000 cannot be used for the certification of organizations.[7]
  • Individuals. Individuals may be certified once they have demonstrated knowledge of the philosophy and content of the ISO 31000 risk management standard, including its purpose, principles, framework and process.
  • Audit. ISO 31000 can be used as a basis for internal or external audit programmes. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.[8]

International adoption

  • Countries. The G31000 Risk Institute, an international NGO committed to promoting the ISO 31000 risk management standard, has reached out to governments, institutions and organizations across both the public and private sectors, as well as individuals, urging them to adopt and promote ISO 31000:2018. According to the institute, ISO 31000 has been adopted as a national standard in 82 countries and translated into 23 languages.
  • Translations. The standard has been translated into 23 languages, enhancing its accessibility and global reach (source: G31000 Risk Institute).
  • Certified ISO 31000 risk professionals. Numerous professionals have obtained ISO 31000-related certifications through organizations such as the G31000 Risk Institute, PECB, Exemplar Global and the Global Trust Association. The G31000 Risk Institute claims more than 8,000 certified risk professionals worldwide.
  • Copies sold, printed or downloaded. While ISO does not disclose the number of copies sold, ISO 31000 is considered one of the most popular ISO standards, along with ISO 9001, ISO 14001 and ISO 45001. Numerous national ISO member bodies also sell the ISO 31000 standard.


Criticism


ISO 31000 has received various criticisms from academics and practitioners. It has been described as lacking solid conceptual foundations and containing potentially misleading language.[9][13] Scholars have questioned the standard's practical utility and clarity, especially in complex organizational settings.[10] Others point to a lack of integration with modern decision theory and formal risk analysis methodologies.[11] The terminology used in the standard has been criticized as ambiguous and inconsistently interpreted.[12] Some researchers argue that the drive for standardization may hinder innovation and adaptability in risk management practice.[14] Additionally, a gap has been identified between the theoretical principles of ISO 31000 and how they are operationalized within organizations.[15]

References

  1. ^ Dali, Alex; Lajtha, Christopher (12 September 2009). "The Gold Standard". Strategic Risk. Retrieved 14 May 2025.
  2. ^ "ISO 31000:2018 – Risk management — Guidelines". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.
  3. ^ "ISO 31073:2022 – Risk management — Vocabulary". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.
  4. ^ "ISO 9001:2015 – Just published! (2015-09-23)". ISO. 23 September 2015. Retrieved 2017-02-23.
  5. ^ "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.
  6. ^ "ISO 31000:2018 – Structure Figure 1 — Principles, framework and process". ISO. 15 May 2025. Retrieved 2025-05-15.
  7. ^ "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.
  8. ^ "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.
  9. ^ Aven, Terje; Ylönen, Marja (2019). "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?". Reliability Engineering & System Safety. 189: 279–286.
  10. ^ Leitch, Matthew (2010). "ISO 31000: What is the Standard for?". RM Professional (March): 26–27.
  11. ^ Aven, Terje (2011). "On the new ISO guide on risk management terminology". Reliability Engineering & System Safety. 96 (7): 719–726. doi:10.1016/j.ress.2010.12.020.
  12. ^ Aven, Terje; Zio, Enrico (2014). "Foundational issues in risk assessment and risk management". Risk Analysis. 34 (7): 1164–1172. doi:10.1111/risa.12132.
  13. ^ Aven, Terje; Ylönen, Marja (2019). "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?". Reliability Engineering & System Safety. 189: 279–286.
  14. ^ Woods, David (2011). "Rethinking 'resilience': Analyzing and simplifying the processes involved in resilience engineering". Proceedings of the 4th Symposium on Resilience Engineering.
  15. ^ Flage, Roger (2014). "On the gaps between theory and practice in risk management". Journal of Risk Research. 17 (7): 753–776. doi:10.1080/13669877.2013.838211.