ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2018 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters, and regions. ISO 31000 is applicable and adaptable for any public, private or community enterprise, association, group or individual. Accordingly, the general scope of ISO 31000 – as a family of risk management standards – is not developed for a particular industry group, management system or subject matter field in mind, rather to provide best practice structure and guidance to all operations concerned with risk management.
ISO 31000 can be used by any organization no matter what size it is or what it does. It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and can be
applied to any type of risk.
ISO 31000 can be applied to the achievement of all types of objectives at all levels and in all areas. It can be used at a strategic level to help make decisions and can be applied to all types of activities. It can be used to help manage processes, operations, functions, projects, programs, products, services, and assets.
However, exactly how you apply ISO 31000 is up to you and will depend on your organization’s needs, objectives, and challenges, and should reflect what it does and how it operates.
Risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected. So, risk is the chance that there will be a positive or negative deviation from the objective we expect to achieve.
ISO 31000 focuses on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors. It provides a risk management framework that supports all activities, including decision making across all levels of the organization. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization. This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management and security.
ISO’s definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there is always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we do not always get the results we expect. Sometimes we get positive results and sometimes we get negative results and occasionally we get both. Because of this, we need to reduce uncertainty as much as possible. According to ISO 31000, you can reduce your uncertainty and manage your risk, by using a systematic approach to risk management.
The traditional approach to risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high-risk event would have a high likelihood of occurring and a severe impact if it occurred.
While ISO 31000 defines risk in a new and unusual way, the old and the new definitions are largely compatible. Both definitions talk about the same phenomena but from two different perspectives. ISO thinks of risk in goal-oriented terms while the traditional definition thinks of risk in event-oriented terms. These two definitions can and do co-exist. They are simply two different ways of talking about the same phenomena.
​
The diagram below shows how ISO’s three main sections are interrelated and how each of these three sections are, in turn, organized. The standard starts by listing a set of risk management principles. Use these principles to guide the establishment of your risk management framework. Then use the framework to guide the development of your risk management process. Together these three sections comprise the Risk Management Program.
When properly applied, ISO 31000 should help:
Comply with legal and regulatory requirements.
Enhance your approach to environmental protection.
Improve the effectiveness of your governance activities.
Encourage personnel to identify and treat risk.
Help minimize your organization’s losses.
Improve your risk management controls.
Enhance your organization’s health and safety performance.
Improve loss prevention and incident management activities.
Encourage and support continuous organizational learning.
Help you allocate and use risk treatment resources.
Improve the overall resilience of your organization.
Improve operational efficiency and effectiveness.
Increase the likelihood that objectives will be achieved.
Improve your ability to identify threats and opportunities.
Establish a sound basis for planning and decision making.
Improve the trust and confidence of your stakeholders.
Enhance both mandatory and voluntary reporting.
Comply with international norms and standards.
The ISO 31000 Standard is comprised of 6 clauses/sections which describe how organizations use risk management principles to improve planning and make better decisions.
Clause / Section | Clause / Section Objective |
|---|---|
1 | Introduction |
2 | Definitions |
3 | Overview |
4 | Risk Management Principles |
4.1 | Make sure that your risk management approach is effective |
4.2 | Make sure that your risk management approach is dynamic |
4.3 | Make sure that your risk management approach is dynamic |
5 | Risk Management Framework |
5.1 | Plan the establishment of your risk management framework |
5.2 | Show leadership by making a commitment to risk management |
5.3 | Show leadership by making a commitment to risk management |
5.4 | Design your organization's unique risk management framework |
5.5 | Implement your organization's risk management framework |
5.6 | Evaluate the performance of your risk management framework |
5.7 | Improve the performance of your risk management framework |
6 | Risk Management Process |
6.1 | Plan the establishment of a risk management process |
6.2 | Discuss risks and get feedback from your stakeholders |
6.3 | Define scope, context, and the criteria you intend to use |
6.4 | Conduct systematic risk assessments on a regular basis |
6.5 | Treat the risks that affect the achievement of objectives |
6.6 | Evaluate and improve your risk management process |
6.7 | Record and report on risk management activities |
The objective of ISO 31000:
-
Focus on leadership by top management who should ensure that risk management is integrated into all organizational activities, starting with the governance of the organization
-
Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge, and analysis for the revision of process elements, actions, and controls at each stage of the process
-
Focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts
-
Help organizations ensure their viability and success over the longer term, in the interests of all stakeholders, by providing good risk management practice. Because “failure to manage risks is inherently risking failure.”