The ISO 31000 standard
Risk management: principles and guidelines
ISO 31000 is an international standard published in 2009 (and updated in 2018) that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management, which can be applied to different types of risks (financial, safety, project risks) and used by any type of organization. The standard provides a uniform vocabulary and concepts for discussing risk management. It provides guidelines and principles that can help to undertake a critical review of your organization’s risk management process.
The standard does not provide detailed instructions or requirements on how to manage specific risks, nor any advice related to a specific application domain; it remains at a generic level.
Relative to older standards on risk management, the 31000 standard innovates in several areas:
- it provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization’s objectives, highlighting the importance of defining objectives before attempting to control risks, and emphasizing the role of uncertainty
- it introduces the (sometimes controversial) notion of risk appetite, or the level of risk that the organization is willing to take on in return for expected value
- it defines a risk management framework with different organizational procedures, roles and responsibilities in the management of risks
- it outlines a management philosophy where risk management is seen as an integral part of strategic decision-making and the management of change
The risk management process outlined in the ISO 31000 standard includes the following activities:
- Risk identification: identifying what could prevent us from achieving our objectives.
- Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.
- Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.
- Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.
- Establishing the context: this activity, which was not included in earlier risk management process descriptions, consists of defining the scope for the risk management process, defining the organization’s objectives, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, external stakeholder expectations) and internal elements (the organization’s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).
- Monitoring and review: this task consists of measuring risk management performance against indicators, which are periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan; checking whether the risk management framework, policy and plan are still appropriate, given the organization’s external and internal context; reporting on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework.
- Communication and consultation: this task helps understand stakeholders’ interests and concerns, to check that the risk management process is focusing on the right elements, and also helps explain the rationale for decisions and for particular risk treatment options.
The standard includes a number of principles that risk management should satisfy. According to these principles, risk management:
- creates and protects value
- is based on the best information
- is an integral part of organizational processes
- is tailored
- is part of decision-making
- takes human and cultural factors into account
- explicitly addresses uncertainty
- is transparent and inclusive
- is systematic, structured and timely
- is dynamic, iterative and responsive to change
- facilitates continual improvement of the organization
Note that the standards document is very expensive to purchase. The slides above suggest an alternative source of information that may be useful to some learners.
We recommend the following sources of further information on this topic:
- A collection of videos on risk management by Grant Purdy
- The Introduction to risk identification textbook in the Lecture Notes in Safety Science series of INSA Toulouse, by Prof. Gilles Motet, and accompanying video lecture.