ISO 31000: Principles and Guidelines on Risk Management

ISO 31000 is an international standard that provides principles and guidelines on risk management. This standard, officially known as ISO 31000:2009 Risk management – Principles and Guidelines, provides principles, a framework, and a process for managing risk that can be used by any organization.

ISO 31000 helps in establishing the context which captures the objectives of the organization, the environment in which it pursues those objectives, its stakeholders, and the diversity of risk criteria – all of which will help reveal and assess the nature and complexity of its risks.

All organizations are exposed to a number of threats that make them vulnerable and that can prevent them from properly achieving their objectives. In order to provide a universally recognized standard that any kind of organization can use to manage these risks effectively, the International Organization for Standardization (ISO) published ISO 31000 in November 2009. It takes a generic approach, providing principles and guidelines for managing any form of risk in a systematic, transparent, and credible manner, within any scope and context. A key feature of this International Standard is the inclusion of “establishing the context” described above.

ISO 31000 establishes a number of principles that need to be satisfied to make risk management effective. These are divided into the principles for managing risk, the framework in which it occurs, and the risk management process itself.

ISO 31000 can be applied to any and all types of objectives at all levels and in all areas of an organization. It can be used at a strategic or organizational level to help make decisions, or to help manage processes, operations, projects, programs, products, services, and assets. It can be applied to any type of risk, whatever its nature, cause, or origin, and whether it has a positive or negative effect on the organization.

Organizations using ISO 31000 can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

The purpose of ISO 31000 is to be applicable and adaptable for any public enterprise, private enterprise, association, group, or individual. If an organization implements and maintains ISO 31000 successfully, it will enable it to:

  • Promote proactive rather than reactive management
  • Comply with legal and regulatory requirements and international standards
  • Improve financial information
  • Improve business management
  • Improve the confidence of stakeholders
  • Establish a reliable basis for decision-making and planning
  • Improve controls
  • Distribute and effectively use resources to manage risks
  • Improve effectiveness and operational efficiency
  • Increase safety and health performance
  • Improve prevention and incident management
  • Minimize losses
  • Improve organizational learning
  • Improve organizational resilience

A number of other standards also relate to risk management:

  • ISO Guide 73:2009, Risk management – Vocabulary
  • ISO/IEC 31010:2009, Risk management – Risk assessment techniques, which focuses on risk assessment

ISO 31000 cannot be used for certification purposes, but it does provide guidance for internal or external audit programs.