ISO 31000

ISO 31000 is a family of international standards relating to risk management, codified by the International Organization for Standardization. [1] The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk is described. [1]

Introduction

ISO 31000 was published as a standard on 13 November 2009 and provides guidance on the implementation of risk management. A revised and harmonized ISO Guide 73 (the risk management vocabulary) was published at the same time. The purpose of ISO 31000 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual." [2] Accordingly, ISO 31000 was not developed with a particular industry group, management system or subject matter field in mind; rather, it provides a best-practice structure and guidance for all operations concerned with risk management. The process for its first revision began on 13 May 2015. [3] A Draft International Standard (DIS), open for public comment, was published on 17 February 2017. [4] ISO 31000 has been criticized for a lack of rigour and for misleading language. [5]

A second edition, ISO 31000:2018, was published in early 2018. It differs from the first in that it "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization." [6]

Scope

ISO 31000 provides a set of principles, guidelines for the design and implementation of a risk management framework, and recommendations for applying a risk management process. The risk management process described in ISO 31000 can be applied to any activity, including decision-making at all levels.

ISO describes the difference between the terms risk management framework and risk management process as follows:

Risk management framework - set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. With the help of the PDCA (plan-do-check-act) cycle, the framework can be improved on an ongoing basis. [7]

Risk management process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk. In other words, ISO 31000 formalizes risk management practices, and this approach is intended to facilitate broader adoption by companies that require an enterprise risk management standard accommodating multiple 'silo-centric' management systems. [8]

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Accordingly, ISO 31000 is intended for a broad stakeholder group including:

Definitions

One of the key paradigm shifts proposed in ISO 31000 is a change in how risk is conceptualised and defined. Under both ISO 31000 and ISO Guide 73, "risk" is no longer defined as the "chance or probability of loss" but as the "effect of uncertainty on objectives", so that the word "risk" refers to the positive consequences of uncertainty as well as the negative ones.

A similar definition was adopted in ISO 9001:2015 (the quality management system standard [9] ), in which risk is defined as the "effect of uncertainty." Additionally, a new risk-related requirement, "risk-based thinking", was introduced there. [10]

Likewise, a broad new definition for stakeholder was established in ISO 31000, "Person or persons that can affect, be affected by, or perceive themselves to be affected by a decision or activity." It is the verbatim definition given for the term "interested party" as defined in ISO 9001:2015.

Framework approach

ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004, which it superseded in Australia and New Zealand as AS/NZS ISO 31000:2009. Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.

Implementation

The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes, as opposed to wholesale substitution of legacy management practices. Consequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes into the new paradigm addressed in the standard.

The focus of many ISO 31000 'harmonization' programmes [11] has centered on:

Implications

While adopting any new standard may have re-engineering implications to existing management practices, no requirement to conform is set out in this standard. A detailed framework is described to ensure that an organization will have "the foundations and arrangements" required to embed needed organizational capabilities in order to maintain successful risk management practices. Foundations include risk management policy, objectives and mandate and commitment by top management. Arrangements include plans, relationships, accountabilities, resources, processes and activities.

Accordingly, senior position holders in an enterprise risk management organisation will need to be cognisant of the implications of adopting the standard and be able to develop effective strategies for implementing it, embedding it as an integral part of all organizational processes, including supply chains and commercial operations. [12] In domains that may operate using relatively unsophisticated risk management processes, such as security and corporate social responsibility, more material change will be required, such as creating a clearly articulated risk management policy, formalising risk ownership processes, structuring framework processes and adopting continuous improvement programmes.

Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks including communications and consultation, will require more consideration by organisations that have used previous risk management methodologies which have not specified such requirements.

Managing risk

ISO 31000 lists the following options for treating risk; they are not mutually exclusive, and a single risk may be treated by combining several of them:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision
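As an added illustration (not code from the standard or from ISO), the following Python sketches how the analysis, evaluation and treatment steps named above fit together in a small risk register: each entry carries a signed consequence so that an opportunity and a threat are both "effects of uncertainty on objectives", a constructed acceptance criterion drives the evaluation, and applying one of the seven treatment options yields a residual risk that is evaluated again. The 0..5 likelihood and -5..+5 consequence scales, the threshold of 9, the function names and the sample entries are all assumptions made for this example; ISO 31000 itself prescribes no scale or threshold.

```python
"""A minimal ISO 31000-style risk register: analyse, evaluate, treat, re-evaluate.

Added illustration; not code from ISO 31000 or any ISO project. The 0..5
likelihood scale, the signed -5..+5 consequence scale, the acceptance
criterion and the sample risks are all constructed for this example.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple

# Constructed risk criterion ("risk appetite"): a threat whose level exceeds
# this value is outside criteria and must be treated.
MAX_ACCEPTABLE_LEVEL = 9


class Treatment(Enum):
    """The seven treatment options ISO 31000 lists (same order as above)."""
    AVOID = "avoid: do not start or continue the activity"
    TAKE = "take: accept or increase the risk to pursue an opportunity"
    REMOVE_SOURCE = "remove the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCES = "change the consequences"
    SHARE = "share with another party (contract, insurance)"
    RETAIN = "retain by informed decision"


@dataclass(frozen=True)
class Risk:
    """One register entry. Consequence is signed because ISO 31000 defines
    risk as the effect of uncertainty on objectives, positive or negative."""
    name: str
    objective: str
    likelihood: int          # 0 (no exposure) .. 5 (almost certain)
    consequence: int         # -5 (severe loss) .. +5 (major gain)
    owner: str
    treatment: Optional[Treatment] = None

    def __post_init__(self) -> None:
        if not 0 <= self.likelihood <= 5:
            raise ValueError(f"likelihood out of range: {self.likelihood}")
        if not -5 <= self.consequence <= 5:
            raise ValueError(f"consequence out of range: {self.consequence}")

    def level(self) -> int:
        """Analysis step: magnitude of the effect, ignoring its direction."""
        return self.likelihood * abs(self.consequence)

    def is_opportunity(self) -> bool:
        return self.consequence > 0

    def within_criteria(self, criterion: int = MAX_ACCEPTABLE_LEVEL) -> bool:
        """Evaluation step: compare the analysed level with the risk criteria.
        Opportunities are never 'out of criteria'; the decision there is
        whether to pursue them (Treatment.TAKE), not whether to reduce them."""
        return self.is_opportunity() or self.level() <= criterion


def treat(risk: Risk, option: Treatment, *, likelihood: Optional[int] = None,
          consequence: Optional[int] = None) -> Risk:
    """Treatment step: return the residual risk after applying one option.

    The caller supplies the residual likelihood/consequence the control is
    expected to produce; this function only records it consistently."""
    if option in (Treatment.AVOID, Treatment.REMOVE_SOURCE):
        # The activity or the source is gone, so no exposure remains.
        return replace(risk, likelihood=0, treatment=option)
    if option is Treatment.CHANGE_LIKELIHOOD and likelihood is None:
        raise ValueError("CHANGE_LIKELIHOOD needs a residual likelihood")
    if option in (Treatment.CHANGE_CONSEQUENCES, Treatment.SHARE) and consequence is None:
        raise ValueError(f"{option.name} needs a residual consequence")
    # RETAIN and TAKE leave exposure unchanged unless the decision says
    # otherwise (TAKE may deliberately raise it to pursue an opportunity).
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        consequence=risk.consequence if consequence is None else consequence,
        treatment=option,
    )


def review(register: List[Risk]) -> List[Tuple[str, int, bool]]:
    """Monitoring/review step: (name, level, within criteria) per entry."""
    return [(r.name, r.level(), r.within_criteria()) for r in register]


def sample_register() -> List[Risk]:
    """Constructed sample entries, not real findings."""
    return [
        Risk("Unpatched internet-facing VPN appliance", "service availability", 4, -4, "IT ops"),
        Risk("Laptop theft with full-disk encryption", "data confidentiality", 3, -3, "IT ops"),
        Risk("Early rollout of phishing-resistant MFA", "reduce account takeover", 3, +3, "CISO"),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("inherent:", review(register))
    # Treat the one entry outside criteria and re-evaluate the residual risk.
    treated = [
        treat(r, Treatment.CHANGE_LIKELIHOOD, likelihood=1) if not r.within_criteria()
        else treat(r, Treatment.TAKE if r.is_opportunity() else Treatment.RETAIN)
        for r in register
    ]
    print("residual:", review(treated))
```

The point of keeping inherent and residual entries as separate, immutable objects is that the review step can be re-run later against the same criteria; if a control stops working, the register shows the drift rather than silently carrying an outdated residual value.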

Accreditation

ISO 31000 is a guidance standard and was not developed for certification purposes (as of the 2009 edition, and unchanged in 2018): it contains no requirements against which an organization can be certified, unlike management system standards such as ISO 9001.

History

Year   Description
2009   ISO 31000:2009 (1st edition)
2018   ISO 31000:2018 (2nd edition)

References

  1. Purdy, G (2010). "ISO 31000:2009--Setting a New Standard for Risk Management". Risk Analysis. 30 (6): 881–886. Bibcode:2010RiskA..30..881P. doi:10.1111/j.1539-6924.2010.01442.x.
  2. ISO 31000 catalogue http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
  3. "The revision of ISO 31000 on risk management started 2015-05-13". ISO. 13 May 2015. Retrieved 2017-02-23.
  4. "ISO/DIS 31000 – Risk management – Guidelines". ISO. Retrieved 2017-02-23.
  5. Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.
  6. https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100426.pdf (PDF)
  7. "Standardized Risk Management: ISO 31000". IONOS Start up guide. 6 August 2020. Retrieved 2022-06-16.
  8. "optaresystems.com". www.optaresystems.com.
  9. "ISO 9001:2015 – Just published! (2015-09-23)". ISO. 23 September 2015. Retrieved 2017-02-23.
  10. "Risk and the ISO 9001 Revision" . Retrieved 2017-02-23.
  11. "optaresystems.com". www.optaresystems.com.
  12. Implications for ISO adoption http://www.optaresystems.com/index.php/optare/publication_detail/iso_31000_update_what_it_will_mean_for_a_cso/