ISO 31000 is an international standard published in 2009 that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management, which can be applied to different types of risks (financial, safety, project risks) and used by any type of organization. The standard provides a uniform vocabulary and concepts for discussing risk management. It provides guidelines and principles that can help to undertake a critical review of your organization’s risk management process.
The standard does not provide detailed instructions or requirements on how to manage specific risks, nor any advice related to a specific application domain; it remains at a generic level.
Relative to older standards on risk management, the 31000 standard innovates in several areas:
it provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization’s objectives, highlighting the importance of defining objectives before attempting to control risks, and emphasizing the role of uncertainty
it introduces the (sometimes controversial) notion of risk appetite, or the level of risk which the organization accepts to take on in return for expected value
it defines a risk management framework with different organizational procedures, roles and responsibilities in the management of risks
it outlines a management philosophy where risk management is seen as an integral part of strategic decision-making and the management of change
The ISO 31000 standard
We recommend the following sources of further information on this topic: