ISO 31000
ISO 31000 is a family of international standards for risk management, first published in November 2009 by the International Organization for Standardization. The goal of these standards is to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risks are described. The standards were designed to fit into an integrated management system.
Introduction
ISO 31000 was published as a standard on 13 November 2009 and provides guidance on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000 is to provide a guideline on managing the risks faced by organizations using a common approach for any type of risk; it is not industry- or sector-specific. Its users are "any public, private or community enterprise, association, group or individual."
An updated version of ISO 31000 was published in February 2018, replacing the original 2009 edition. The 2018 revision introduced clearer and more concise language, placing greater emphasis on the integration of risk management into core business activities, decision-making processes, and organizational culture. It also reinforced the leadership role of top management in embedding risk management throughout the organization and promoted a more flexible, principles-based approach adaptable to organizations of all sizes and sectors.
ISO 31000:2018 was reviewed and confirmed without changes in October 2023 and remains the current edition; confirmed ISO standards are reviewed again after five years.
Scope
ISO 31000 provides a set of principles, guidelines for designing and implementing a risk management framework, and recommendations for applying a risk management process. The risk management process described in ISO 31000 can be applied to any activity, including decision-making at all levels. ISO 31000 helps companies establish the backbone of their Enterprise Risk Management by providing a structured and principles-based framework for integrating risk management into all aspects of the organization. It guides companies in:
- Defining a clear risk management policy aligned with objectives and culture
- Establishing governance and accountability through leadership involvement
- Embedding risk processes into decision-making
- Ensuring continuous improvement through monitoring and review
Definitions
ISO 31000:2018 defines eight key terms related to the management of risk, forming the foundation for a consistent understanding of risk-related concepts across organizations. These terms are: risk, risk management, stakeholder, risk source, event, consequence, likelihood, and control. They are aligned with ISO 31073:2022, which provides a standardized vocabulary for risk management. ISO 31073 supports the implementation of ISO 31000 by ensuring clarity and consistency in risk communication, helping organizations align their terminology internally and externally across various sectors and disciplines.
About the definition of risk
One of the key paradigm shifts proposed in ISO 31000 is a change in how risk is conceptualised and defined. Under both ISO 31000 and ISO Guide 73, the definition of "risk" is no longer "chance or probability of loss" but "effect of uncertainty on objectives", where an effect is a deviation from the expected. The word "risk" therefore refers to positive consequences of uncertainty as well as negative ones.
A similar definition was adopted in ISO 9001:2015, in which risk is defined as, "effect of uncertainty." Additionally, a new risk related requirement, "risk-based thinking" was introduced there.
Structure
The management of risk explained in the ISO 31000 standard is founded on three core components: principles, a framework, and a process. These elements work together to ensure that risk management is structured, integrated, and aligned with organizational objectives. The principles guide the overall intent and value of risk management, the framework embeds it into the organization's governance and operations, and the process provides a systematic approach for identifying, assessing, and addressing risks. The relationship between the principles, the framework and the process is shown in a figure available on the ISO Online Browsing Platform.
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
The principles provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization's risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.
To be effective, risk management should be:
- Integrated – Risk management is an integral part of all organizational activities.
- Structured and comprehensive – A structured and comprehensive approach contributes to consistent and comparable results.
- Customized – The framework and process are tailored to the organization’s external and internal context.
- Inclusive – Appropriate and timely involvement of stakeholders enables informed decision-making.
- Dynamic – Risk management anticipates, detects, acknowledges, and responds to changes.
- Uses best available information – Inputs to risk management are based on historical and current data, as well as future expectations.
- Considers human and cultural factors – Human behavior and culture significantly influence risk management.
- Continual improvement – Risk management is continuously improved through learning and experience.
Framework development involves designing, implementing, evaluating, and continually improving risk management across all levels of the organization. The framework’s components should enable a consistent and structured approach. The organization is encouraged to assess its current risk management practices, identify any gaps, and address them as part of the framework’s development.
The components of the framework, and the way they interact, should be tailored to the organization’s context, objectives, and needs, ensuring relevance and effectiveness in practice.
The risk management process is defined in ISO 31073:2022 as the “systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.”
Risk management should be an integral part of organizational management and decision-making, embedded into the structure, operations, and processes of the organization. It can be applied at various levels, including strategic, operational, program, or project levels.
There may be multiple applications of the risk management process within a single organization, each customized to specific objectives and adapted to the external and internal context in which it operates.
The dynamic and variable nature of human behavior and organizational culture should be considered throughout all stages of the process. Although the risk management process is often presented as a linear sequence, in practice it is iterative and adaptive, requiring continual adjustment as conditions change and new information becomes available.
Revision history
The following table summarizes the key revisions of ISO 31000 since its initial publication:

| Version | Publication Date | Key Updates |
|---|---|---|
| ISO 31000:2009 | November 2009 | First edition published. Introduced a structured approach to risk management with guiding principles, a generic framework, and a defined process. |
| ISO 31000:2018 | February 2018 | Second edition. Introduced clearer and more concise language, emphasized integration with governance and leadership, reduced the principles from 11 to 8, and aligned terminology with other ISO management system standards. |
| Confirmed without changes | 2023 | ISO 31000:2018 was reviewed and confirmed as the current valid version without revision. |
Note: ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004. Whereas the original Standards Australia approach provided a process by which risk management could be undertaken, the first edition, ISO 31000:2009, addresses the entire management framework that supports the design, implementation, maintenance and improvement of risk management processes.
Implementation
The intent of ISO 31000 is not to create a risk management system, but rather to integrate the management of risk into the existing management system of the organization. The standard provides a structured approach for embedding risk management into governance, strategy, planning, operations, performance management, and internal control systems, without requiring a separate or standalone system. Implementation is context-dependent and should build on what already exists. Many organizations already have elements of risk management in place, such as risk registers, control frameworks, or compliance procedures, but these may lack coherence, consistency, or alignment with objectives. ISO 31000 helps unify these practices under a single set of principles, a clear framework, and a repeatable process for all types of risk.
Effective implementation typically focuses on:
- Clarifying roles and responsibilities for managing risk
- Integrating risk into decision-making at all levels
- Developing shared risk assessment methods and aligning language across the organization
- Connecting risk information to planning, reporting, and performance evaluation