ISO 31000

ISO 31000 is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.^[1]

The goal of these standards is to provide a consistent vocabulary and methodology for assessing and managing risk, addressing long-standing ambiguities and inconsistencies in how risk has traditionally been defined and described. They are designed to be compatible with and integrated into existing management systems, supporting a unified and systematic approach to risk across all organizational functions.

Introduction

ISO 31000 was published as a standard on 13 November 2009, and provides a standard on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000 is to provide a guideline on managing risk faced by organizations Using a common approach for any type of risk and is not industry or sector specific. Users are "any public, private or community enterprise, association, group or individual." ^[2]

An updated version of ISO 31000 was published in February 2018, replacing the original 2009 edition. The 2018 revision introduced clearer and more concise language, placing greater emphasis on the integration of risk management into core business activities, decision-making processes, and organizational culture. It also reinforced the leadership role of top management in embedding risk management throughout the organization and promoted a more flexible, principles-based approach adaptable to organizations of all sizes and sectors.

The version ISO 31000:2018 was confirmed in October 2023 and valid for the next five years.

Scope

ISO 31000 provides a set of principles, guidelines for the design, implementation of a risk management framework and recommendations for the application of a risk management process. The risk management process as described in ISO 31000 can be applied to any activity, including decision-making at all levels.

ISO 31000 helps companies establish the backbone of their Enterprise Risk Management (ERM) by providing a structured and principles-based framework for integrating risk management into all aspects of the organization. It guides companies in:

Defining a clear risk management policy aligned with objectives and culture

Establishing governance and accountability through leadership involvement

Embedding risk processes (identification, analysis, evaluation, treatment) into decision-making

Ensuring continuous improvement through monitoring and review

By following ISO 31000, organizations can build a consistent, organization-wide approach to managing risk that supports strategic goals and operational resilience.

Definitions

ISO 31000 defines eight key terms related to the management of risk, forming the foundation for a consistent understanding of risk-related concepts across organizations. These terms are: risk, risk source, event, consequence, likelihood, risk identification, risk analysis, and risk evaluation. They are aligned with ISO 31073:2022 (formerly ISO Guide 73),^[3] which provides a standardized vocabulary for risk management. ISO 31073 supports the implementation of ISO 31000 by ensuring clarity and consistency in risk communication, helping organizations align their terminology internally and externally across various sectors and disciplines.

-About the definition of risk-

One of the key paradigm shifts proposed in ISO 31000 is a change in how risk is conceptualised and defined. Under both ISO 31000 and ISO Guide 73, the definition of "risk" is no longer "chance or probability of loss", but "effect of uncertainty on objectives" ... thus causing the word "risk" to refer to negative consequences of uncertainty, as well as positive ones.

A similar definition was adopted in ISO 9001:2015 (Quality Management Systems^[4]), in which risk is defined as, "effect of uncertainty." Additionally, a new risk related requirement, "risk-based thinking" was introduced^[5] there.

Structure

The management of risks explained in the ISO 31000 standard is founded on three core components: principles, a framework, and a process. These elements work together to ensure that risk management is structured, integrated, and aligned with organizational objectives. The principles guide the overall intent and value of risk management, the framework embeds it into the organization’s governance and operations, and the process provides a systematic approach for identifying, assessing, and addressing risks.

The relationship of the principles, the framework and the process can be visualized in an image located on the ISO Online Browsing Platform here ^[6]

Purpose of risk management. The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.

Principles. The principles provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.

To be effective, risk managmeent should (be) :

Integrated – Risk management is an integral part of all organizational activities.
Structured and comprehensive – A structured and comprehensive approach contributes to consistent and comparable results.
Customized – The framework and process are tailored to the organization’s external and internal context.
Inclusive – Appropriate and timely involvement of stakeholders enables informed decision-making.
Dynamic – Risk management anticipates, detects, acknowledges, and responds to changes.
Uses best available information – Inputs to risk management are based on historical and current data, as well as future expectations.
Considers human and cultural factors – Human behavior and culture significantly influence risk management.
Continual improvement – Risk management is continuously improved through learning and experience.

Framework. The purpose of the risk management framework is to support the integration of risk management into the organization’s key activities and functions. Its effectiveness depends on how well it is embedded within the organization’s governance structure, particularly in decision-making processes. Achieving this integration requires active support from stakeholders, especially top management.

Framework development involves designing, implementing, evaluating, and continually improving risk management across all levels of the organization. The framework’s components should enable a consistent and structured approach. The organization is encouraged to assess its current risk management practices, identify any gaps, and address them as part of the framework’s development.

Importantly, the components of the framework, and the way they interact, should be tailored to the organization’s context, objectives, and needs, ensuring relevance and effectiveness in practice.

Process.The risk management process is defined in ISO 31073:2022 as the “systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.”

Risk management should be an integral part of organizational management and decision-making, embedded into the structure, operations, and processes of the organization. It can be applied at various levels, including strategic, operational, program, or project levels.

There may be multiple applications of the risk management process within a single organization, each customized to specific objectives and adapted to the external and internal context in which it operates.

The dynamic and variable nature of human behavior and organizational culture should be considered throughout all stages of the process. Although the risk management process is often presented as a linear sequence, in practice it is iterative and adaptive, requiring continual adjustment as conditions change and new information becomes available.

Revision history

The following table summarizes the key revisions of ISO 31000 since its initial publication:

Version	Publication Date	Key Updates
ISO 31000:2009	November 2009	First edition published. Introduced a structured approach to risk management with guiding principles, a generic framework, and a defined process.
ISO 31000:2018	February 2018	Second edition. Introduced clearer and more concise language, emphasized integration with governance and leadership, reduced the principles from 11 to 8, and aligned terminology with other ISO management system standards (Annex SL).
Confirmed without changes	2023	ISO 31000:2018 was reviewed and confirmed as the current valid version without revision.

Note : ISO 31000:2009 has been developed on the basis of an existing standard on risk management, called AS/NZS 4360:2004. Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, the first version ISO 31000:2009 addresses the entire management that supports the design, implementation, maintenance and improvement of risk management processes.

Implementation

The intent of ISO 31000 is not to create a risk management system, but rather to integrate the management of risks into the existing management system of the organization. The standard provides a structured approach for embedding risk management into governance, strategy, planning, operations, performance management, and internal control systems — without requiring the creation of a separate or standalone system.

Implementation is context-dependent and should build on what already exists. Many organizations already have elements of risk management in place — such as risk registers, control frameworks, or compliance procedures — but they may lack coherence, consistency, or alignment with objectives. ISO 31000 helps unify these practices under a single set of principles, a clear framework, and a repeatable process for all types of risk.

Effective implementation typically focuses on:

Clarifying roles and responsibilities for managing risk

Integrating risk into decision-making at all levels

Developing shared risk assessment methods and aligning language across the organization

Connecting risk information to planning, reporting, and performance evaluation

Rather than being a compliance exercise, ISO 31000 implementation is about improving the quality of decisions and increasing the organization’s ability to manage uncertainty in pursuit of its objectives.

Implications

ISO 31000 is non-prescriptive: It does not require conformance but offers a detailed framework to strengthen risk management practices.

The framework helps organizations build the foundations (e.g., policy, objectives, leadership commitment) and arrangements (e.g., processes, roles, resources) needed for effective risk management.

Senior leaders must understand the implications of adopting the standard and develop strategies to embed it into all organizational processes, including operations, plans & projects and strategy, short, medium and long-term focus.

In areas with less mature risk practices (e.g., R&D, innovation, CSR), significant changes may be needed—such as formal policies, clearer roles, and structured improvement efforts.

Organizations using older risk methods may need to enhance top management accountability, strategic alignment, and governance practices—especially in decision making processes.

Certification

Organizations. ISO 31000 cannot be used for the certification of organisations. ^[7]

Individuals. Individuals may be certified once they have demonstrated knowledge of the philosophy and content of the ISO 31000 risk management standard, including its purpose, principles, framework, and process.

Audit. The ISO 31000 standard does provide guidance for internal or external audit programmes. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.^[8]

International adoption

Countries. The G31000 Risk Institute, an international NGO committed to promoting the ISO 31000 risk management standard, has reached out to governments, institutions, and organizations across both the public and private sectors, as well as individuals, urging them to adopt and promote ISO 31000:2018. As a result of these efforts, ISO 31000 has been adopted as a national standard in 82 countries and translated into 23 languages.
Translations. While ISO publishes the ISO 31000 standard in The standard has been translated into 23 languages, enhancing its accessibility and global reach. (source : G31000 Risk Institute)
Certified ISO 31000 Risk Professionals. Numerous professionals have obtained ISO 31000-related certifications through organizations like G31000 Risk Institute, PECB, Exemplar Global, and the Global Trust Association. The G31000 Risk Institute claims over 8,000+ risk professionals certified, worldwide.
Number of ISO 31000 standard sold, printed or downloaded. While ISO does not disclose the number of copies sold, the ISO 31000 standard is considered as one of the most popular, along with ISO 9001, ISO 14001 and ISO 45001 standard. Numerous national ISO representatives also sell the ISO 31000 standard.

Criticism

ISO 31000 has received various criticisms from academics and practitioners. It has been described as lacking solid conceptual foundations and containing potentially misleading language.^[9] Scholars have questioned the standard's practical utility and clarity, especially in complex organizational settings.^[10] Others point to a lack of integration with modern decision theory and formal risk analysis methodologies.^[11] The terminology used in the standard has been criticized for being ambiguous and inconsistently interpreted,^[12] or for its lack of solidness and misleading language.^[13].Some researchers argue that the drive for standardization may hinder innovation and adaptability in risk management practice.^[14] Additionally, a gap has been identified between the theoretical principles of ISO 31000 and how they are operationalized within organizations.^[15]

References

^ Dali, Alex; Lajtha, Christopher (12 September 2009). "The Gold Standard". Strategic Risk. Retrieved 14 May 2025.
^ "ISO 31000:2018 – Risk management — Guidelines". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.
^ "ISO 31073:2022 – Risk management — Vocabulary". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.
^ "ISO 9001:2015 – Just published! (2015-09-23)". ISO. 23 September 2015. Retrieved 2017-02-23.
^ "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.
^ "ISO 31000:2018 – Structure Figure 1 — Principles, framework and process". ISO. 15 May 2025. Retrieved 2025-05-15.
^ "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.
^ "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.
^ Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?" Reliability Engineering & System Safety 189 (2019): 279–286.
^ Leitch, Matthew (2010). "ISO 31000: What is the Standard for?". RM Professional (March): 26–27.
^ Aven, Terje (2011). "On the new ISO guide on risk management terminology". Reliability Engineering & System Safety. 96 (7): 719–726. doi:10.1016/j.ress.2010.12.020.
^ Aven, Terje; Zio, Enrico (2014). "Foundational issues in risk assessment and risk management". Risk Analysis. 34 (7): 1164–1172. doi:10.1111/risa.12132.
^ Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.
^ Woods, David (2011). "Rethinking 'resilience': Analyzing and simplifying the processes involved in resilience engineering". Proceedings of the 4th Symposium on Resilience Engineering.
^ Flage, Roger (2014). "On the gaps between theory and practice in risk management". Journal of Risk Research. 17 (7): 753–776. doi:10.1080/13669877.2013.838211.

External links

Standard International Organization for Standardization

[1] Dali, Alex; Lajtha, Christopher (12 September 2009). "The Gold Standard". Strategic Risk. Retrieved 14 May 2025.

[2] "ISO 31000:2018 – Risk management — Guidelines". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.

[3] "ISO 31073:2022 – Risk management — Vocabulary". ISO.org. International Organization for Standardization. Retrieved 14 May 2025.

[4] "ISO 9001:2015 – Just published! (2015-09-23)". ISO. 23 September 2015. Retrieved 2017-02-23.

[5] "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.

[6] "ISO 31000:2018 – Structure Figure 1 — Principles, framework and process". ISO. 15 May 2025. Retrieved 2025-05-15.

[7] "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.

[8] "ISO 31000:2018 – FAQ - How can I use ISO 31000, and can I become certified?". ISO. 15 May 2025. Retrieved 2025-05-15.

[9] Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?" Reliability Engineering & System Safety 189 (2019): 279–286.

[Leitch2010-10] Leitch, Matthew (2010). "ISO 31000: What is the Standard for?". RM Professional (March): 26–27.

[Aven2011-11] Aven, Terje (2011). "On the new ISO guide on risk management terminology". Reliability Engineering & System Safety. 96 (7): 719–726. doi:10.1016/j.ress.2010.12.020.

[AvenZio2014-12] Aven, Terje; Zio, Enrico (2014). "Foundational issues in risk assessment and risk management". Risk Analysis. 34 (7): 1164–1172. doi:10.1111/risa.12132.

[13] Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.

[Woods2011-14] Woods, David (2011). "Rethinking 'resilience': Analyzing and simplifying the processes involved in resilience engineering". Proceedings of the 4th Symposium on Resilience Engineering.

[Flage2014-15] Flage, Roger (2014). "On the gaps between theory and practice in risk management". Journal of Risk Research. 17 (7): 753–776. doi:10.1080/13669877.2013.838211.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

v t e International Organization for Standardization (ISO) standards
List of ISO standards – ISO romanizations – IEC standards
1–9999	1 2 3 4 6 7 9 16 17 31 -0 -1 -3 -4 -5 -6 -7 -8 -9 -10 -11 -12 -13 68-1 128 216 217 226 228 233 259 261 262 302 306 361 500 518 519 639 -1 -2 -3 -5 -6 646 657 668 690 704 732 764 838 843 860 898 965 999 1000 1004 1007 1073-1 1073-2 1155 1413 1538 1629 1745 1989 2014 2015 2022 2033 2047 2108 2145 2146 2240 2281 2533 2709 2711 2720 2788 2848 2852 2921 3029 3103 3166 -1 -2 -3 3297 3307 3601 3602 3864 3901 3950 3977 4031 4157 4165 4217 4909 5218 5426 5427 5428 5725 5775 5776 5800 5807 5964 6166 6344 6346 6373 6385 6425 6429 6438 6523 6709 6943 7001 7002 7010 7027 7064 7098 7185 7200 7498 -1 7637 7736 7810 7811 7812 7813 7816 7942 8000 8093 8178 8217 8373 8501-1 8571 8583 8601 8613 8632 8651 8652 8691 8805/8806 8807 8820-5 8859 -1 -2 -3 -4 -5 -6 -7 -8 -8-I -9 -10 -11 -12 -13 -14 -15 -16 8879 9000/9001 9036 9075 9126 9141 9227 9241 9293 9314 9362 9407 9496 9506 9529 9564 9592/9593 9594 9660 9797-1 9897 9899 9945 9984 9985 9995
10000–19999	10006 10007 10116 10118-3 10160 10161 10165 10179 10206 10218 10279 10303 -11 -21 -22 -28 -238 10383 10585 10589 10628 10646 10664 10746 10861 10957 10962 10967 11073 11170 11172 11179 11404 11544 11783 11784 11785 11801 11889 11898 11940 (-2) 11941 11941 (TR) 11992 12006 12052 12182 12207 12234-2 12620 13211 -1 -2 13216 13250 13399 13406-2 13450 13485 13490 13567 13568 13584 13616 13816 13818 14000 14031 14224 14289 14396 14443 14496 -2 -3 -6 -10 -11 -12 -14 -17 -20 14617 14644 14649 14651 14698 14764 14882 14971 15022 15189 15288 15291 15398 15408 15444 -3 -9 15445 15438 15504 15511 15686 15693 15706 -2 15707 15897 15919 15924 15926 15926 WIP 15930 15938 16023 16262 16355-1 16485 16612-2 16750 16949 (TS) 17024 17025 17100 17203 17369 17442 17506 17799 18004 18014 18181 18245 18629 18760 18916 19005 19011 19092 -1 -2 19114 19115 19125 19136 19407 19439 19500 19501 19502 19503 19505 19506 19507 19508 19509 19510 19600 19752 19757 19770 19775-1 19794-5 19831
20000–29999	20000 20022 20121 20400 20802 20830 21000 21001 21047 21122 21500 21778 21827 22000 22275 22300 22301 22395 22537 23000 23003 23008 23009 23090-3 23092 23094-1 23094-2 23270 23271 23360 23941 24517 24613 24617 24707 24728 25178 25964 26000 26262 26300 26324 27000 series 27000 27001 27002 27005 27006 27729 28000 29110 29148 29199-2 29500
30000+	30170 31000 32000 37001 38500 39075 40314 40500 42010 45001 50001 55000 56000 80000
Category