ISO 31000

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes, replacing the myriad existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

Currently, the ISO 31000 family is expected to include:

  • ISO 31000:2009 – Principles and Guidelines on Implementation[1]
  • ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
  • ISO Guide 73:2009 – Risk Management – Vocabulary

ISO also designed its ISO 21500 Guidance on Project Management standard to align with ISO 31000:2009.[2]


ISO 31000 was published as a standard on 13 November 2009 and provides a standard on the implementation of risk management. A revised and harmonised ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000:2009 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual."[3] Accordingly, the general scope of ISO 31000, as a family of risk management standards, was not developed with a particular industry group, management system or subject matter field in mind, but rather to provide best practice structure and guidance to all operations concerned with risk management. The process for its first revision began on 13 May 2015.[4] A Draft International Standard (DIS), open for public comment, was published on 17 February 2017.[5]

A revised edition of ISO 31000 was published in early 2018. The revision differs from its predecessor in that "ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."[6]


ISO 31000:2009 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. This approach to formalizing risk management practices is intended to facilitate broader adoption by companies that require an enterprise risk management standard accommodating multiple 'silo-centric' management systems.[7]

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Accordingly, ISO 31000:2009 is intended for a broad stakeholder group including:

  • executive level stakeholders
  • appointment holders in the enterprise risk management group
  • risk analysts and management officers
  • line managers and project managers
  • compliance and internal auditors
  • independent practitioners.


One of the key paradigm shifts proposed in ISO 31000 is a controversial change in how risk is conceptualised and defined. Under both ISO 31000:2009 and ISO Guide 73, the definition of "risk" is no longer "chance or probability of loss" but "effect of uncertainty on objectives", so that the word "risk" now refers to positive consequences of uncertainty as well as negative ones.

A similar definition was adopted in ISO 9001:2015 (the Quality Management System standard[8]), in which risk is defined as "effect of uncertainty." Additionally, a new risk-related requirement, "risk-based thinking", was introduced there.[9]

Likewise, a broad new definition of stakeholder was established in ISO 31000: "Person or persons that can affect, be affected by, or perceive themselves to be affected by a decision or activity." This is the verbatim definition given for the term "interested party" in ISO 9001:2015.

Framework approach

ISO 31000:2009 was developed on the basis of an existing standard on risk management, AS/NZS 4360:2004 (in the form of AS/NZS ISO 31000:2009). Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.


The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes, as opposed to wholesale substitution of legacy management practices. Consequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes into the new paradigm addressed in the standard.

The focus of many ISO 31000 'harmonization' programmes[10] has centred on:

  • Transferring accountability gaps in enterprise risk management
  • Aligning objectives of the governance frameworks with ISO 31000
  • Embedding management system reporting mechanisms
  • Creating uniform risk criteria and evaluation metrics


While adopting any new standard may have re-engineering implications for existing management practices, no requirement to conform is set out in this standard. A detailed framework is described to ensure that an organization will have "the foundations and arrangements" required to embed the organizational capabilities needed to maintain successful risk management practices. Foundations include risk management policy, objectives, and mandate and commitment by top management. Arrangements include plans, relationships, accountabilities, resources, processes and activities.

Accordingly, senior position holders in an enterprise risk management organisation will need to be cognisant of the implications of adopting the standard and be able to develop effective strategies for implementing it, embedding it as an integral part of all organizational processes, including supply chains and commercial operations.[11] In domains such as security and corporate social responsibility, which may operate with relatively unsophisticated risk management processes, more material change will be required: creating a clearly articulated risk management policy, formalising risk ownership processes, structuring framework processes and adopting continuous improvement programmes.

Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks (including communication and consultation) will require more consideration by organisations that have used previous risk management methodologies which did not specify such requirements.

Managing risk

ISO 31000:2009 lists the following options for treating risk:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision


ISO 31000:2009 was not developed with the intention of being used for certification.

See also


  1. "ISO 31000 Risk management".
  2. "New ISO standard on project management". ISO. 2012.
  3. ISO 31000 catalogue.
  4. "The revision of ISO 31000 on risk management started 2015-05-13". ISO. Retrieved 2017-02-23.
  5. "ISO/DIS 31000 – Risk management – Guidelines". ISO. Retrieved 2017-02-23.
  6.
  7.
  8. "ISO 9001:2015 – Just published! (2015-09-23)". ISO. Retrieved 2017-02-23.
  9. "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.
  10.
  11. Implications for ISO adoption.

Divestment

In finance and economics, divestment or divestiture is the reduction of some kind of asset for financial, ethical, or political objectives, or the sale of an existing business by a firm. A divestment is the opposite of an investment.

Enterprise risk management

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

According to Thomas Stanton of Johns Hopkins University, the point of enterprise risk management is not to create more bureaucracy, but to facilitate discussion on what the really big risks are.

Financial instrument

Financial instruments are monetary contracts between parties. They can be created, traded, modified and settled. They can be cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond).

International Accounting Standards IAS 32 and 39 define a financial instrument as "any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument of another entity".

Financial planner

A financial planner or personal financial planner is a professional who prepares financial plans for people. These financial plans often cover cash flow management, retirement planning, investment planning, financial risk management, insurance planning, tax planning, estate planning and business succession planning (for business owners).

Fuel price risk management

A specialization of both financial risk management and oil price analysis – and similar to conventional risk management practice – fuel price risk management is a continual cyclic process that includes risk assessment, risk decision making, and the implementation of risk controls. Fuel price risk management focuses primarily on when and how an organization can best hedge against exposure to fuel price volatility. Fuel price risk management is generally referred to as bunker hedging in marine and shipping contexts and fuel hedging in aviation and trucking contexts.

ISO/IEC 31010

ISO/IEC 31010 is a standard concerning risk management codified by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full name of the standard is ISO/IEC 31010:2009 – Risk management – Risk assessment techniques.

ISO/TC 262

ISO/TC 262 Risk management is a technical committee of the International Organization for Standardization, established originally in 2011 as a Project Committee and converted in August 2012 into a full Technical Committee (TC) to develop standards in the area of risk management. It has 55 Participating Countries and 18 Observing Countries.

The scope of ISO/TC 262 is "Standardization in the field of risk management". Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty. Earlier, safety-oriented risk management has today developed into a comprehensive management approach to maximize opportunities and minimize threats. Contemporary management of risk supports survival and sustainability in all activities concerning decision making at all levels of any organization. Therefore, effective and efficient risk management today is closely linked to business continuity management and to compliance management.

Attitudes to risk still vary substantially around the world, but 57 national standards organizations have adopted ISO 31000 as their national standard for the management of risk.

ISO 19600

ISO 19600:2014, Compliance management systems – Guidelines, is a compliance standard introduced by the International Organization for Standardization (ISO) in April 2014.

This standard was developed by ISO Project Committee ISO/PC 271, chaired by Martin Tolar. Technical committee ISO/TC 309 has since been created, and the maintenance and future development of ISO 19600 will be undertaken by members of this committee.

ISO 21500

ISO 21500:2012, Guidance on Project Management, is an international standard developed by the International Organization for Standardization (ISO), starting in 2007 and released in 2012. It was intended to provide generic guidance and to explain core principles and what constitutes good practice in project management. ISO/PC 236, the ISO project committee dealing with project management, was held by the American National Standards Institute (ANSI), which had approved four standards that used PMI materials; one of these was ANSI/PMI 99-001-2008, A Guide to the Project Management Body of Knowledge – 4th Edition (PMI BoK® Guide – 4th Edition), a revision and re-designation of ANSI/PMI 99-001-2004, dated 20 November 2008. ISO plans for this standard (21500) to be the first in a family of project management standards. ISO also designed this standard to align with other, related standards such as ISO 10005:2005 Quality management systems – Guidelines for quality plans, ISO 10006:2003 Quality management systems – Guidelines for quality management in projects, ISO 10007:2003 Quality management systems – Guidelines for configuration management, and ISO 31000:2009 Risk management – Principles and guidelines.

ISO 28000

ISO 28000:2007 (Specification for security management systems for the supply chain) is an International Organization for Standardization standard specifying the requirements of a security management system, particularly dealing with security assurance in the supply chain. Parts of the standard are publicly available, while the entire specification can be purchased from ISO.

Incident management

An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. Within a structured organization, these incidents are normally dealt with by an incident response team (IRT), an incident management team (IMT), or an Incident Command System (ICS). Without effective incident management, an incident can disrupt business operations, information security, IT systems, employees, customers, or other vital business functions.

Long (finance)

In finance, a long position in a financial instrument means the holder of the position owns a positive amount of the instrument. It is contrasted with going short.

Payments bank

Payments banks are a new model of bank conceptualised by the Reserve Bank of India (RBI). These banks can accept a restricted deposit, currently limited to ₹100,000 per customer, a limit which may be increased further. These banks cannot issue loans or credit cards. Both current accounts and savings accounts can be operated by such banks. Payments banks can offer services such as ATM cards, debit cards, net banking and mobile banking. Bharti Airtel set up India's first live payments bank.

Position (finance)

In finance, a position is the amount of a particular security, commodity or currency held or owned by a person or entity. In financial trading, a position in a futures contract does not reflect ownership but rather a binding commitment to buy or sell a given number of financial instruments, such as securities, currencies or commodities, for a given price.

Risk-based auditing

Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk.

In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This encouraged the audit activity of studying these risks rather than just checking compliance with existing controls. Standards for risk management have included the COSO guidelines and the first international standard, AS/NZS 4360. The latter is now the basis for a family of international standards for risk management, ISO 31000.

A traditional audit would focus upon the transactions which make up financial statements such as the balance sheet. A risk-based approach seeks to identify the risks with the greatest potential impact. Strategic risk analysis will then include political and social risks, such as the potential effect of legislation and demographic change. An experiment suggested that managers might respond to risk-based auditing by transferring activity to accounts which are ostensibly low risk. Auditors would need to anticipate such attempts to game the process.

Risk IT

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk IT was published in 2009 by ISACA. It is the result of a work group composed of industry experts and some academics from different nations, coming from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Risk management

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Risks can come from various sources, including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root cause. Events fall into two types: negative events are classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even as confidence in estimates and decisions seems to increase. For example, one study found that one in six IT projects were "black swans" with gigantic overruns (cost overruns averaged 200%, and schedule overruns 70%).

Risk management tools

Risk management tools allow uncertainty to be addressed by identifying and generating metrics, parameterizing, prioritizing, developing responses, and tracking risk. These activities are difficult to carry out without tools and techniques, documentation and information systems.

There are two distinct types of risk tools, identified by their approach: market-level tools using the capital asset pricing model (CAPM) and component-level tools using probabilistic risk assessment (PRA). Market-level tools use market forces to make risk decisions between securities. Component-level tools use the probability and impact of individual risks to make decisions between resource allocations.

ISO/IEC 31010 (Risk assessment techniques) has a detailed but non-exhaustive list of tools and techniques available for assessing risk.
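The component-level approach described above (probability and impact per risk, used to decide where to spend treatment effort) and the ISO 31000:2009 treatment options listed under "Managing risk" fit together naturally in a risk register. The following is an added example, not code from ISO, ISACA or any tool the page mentions: a small register that scores each risk as likelihood × impact on constructed 1–5 scales, checks it against a risk appetite threshold, applies a treatment option, and ranks the residual risk. The scales, the appetite value of 8, the sample risks and the treatment names (`avoid`, `remove_source`, `change_likelihood`, `change_consequences`, `share`, `retain`, `accept`) are assumptions of this example, chosen to mirror the seven options on the page; `share` models transfer by insurance or contract as a fraction of the impact no longer retained.

```python
"""Added example: a minimal component-level risk register (likelihood x impact)
with the ISO 31000:2009 treatment options applied as transformations.
Scales, thresholds and sample risks are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Assumed qualitative scales (1 = lowest, 5 = highest); not prescribed by ISO 31000.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8.0  # assumed risk criterion: anything above this needs treatment


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # 1..5
    impact: int                # 1..5
    owner: str                 # named risk owner, as formal ownership requires
    shared_fraction: float = 0.0  # portion of impact transferred to another party

    @property
    def score(self) -> float:
        """Exposure retained by the organisation: likelihood x impact x retained share."""
        return self.likelihood * self.impact * (1.0 - self.shared_fraction)


def _clamp(value: int) -> int:
    return max(1, min(5, int(value)))


def treat(risk: Risk, option: str, **params) -> Optional[Risk]:
    """Apply one ISO 31000:2009 treatment option and return the residual risk.
    Returns None when the activity is avoided or the risk source is removed,
    since the risk then leaves the register entirely."""
    if option in ("avoid", "remove_source"):
        return None
    if option in ("accept", "retain"):
        return risk  # informed decision: exposure unchanged but documented
    if option == "change_likelihood":
        return replace(risk, likelihood=_clamp(params["to"]))
    if option == "change_consequences":
        return replace(risk, impact=_clamp(params["to"]))
    if option == "share":
        fraction = float(params["fraction"])
        if not 0.0 <= fraction <= 1.0:
            raise ValueError("shared fraction must lie within [0, 1]")
        return replace(risk, shared_fraction=fraction)
    raise ValueError(f"unknown treatment option: {option}")


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank by retained exposure, highest first; ties broken by impact so that
    low-probability, high-consequence items are not buried below frequent trivia."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def needs_treatment(register: List[Risk], appetite: float = RISK_APPETITE) -> List[Risk]:
    """Evaluate each risk against the risk criterion (appetite threshold)."""
    return [r for r in prioritise(register) if r.score > appetite]


def run_example() -> Dict[str, List[str]]:
    """Constructed register of four security risks, treated and re-ranked."""
    register = [
        Risk("unpatched internet-facing service", LIKELIHOOD["likely"], IMPACT["severe"], "platform lead"),
        Risk("laptop theft", LIKELIHOOD["possible"], IMPACT["moderate"], "IT operations"),
        Risk("data centre flood", LIKELIHOOD["rare"], IMPACT["severe"], "facilities"),
        Risk("legacy vendor portal", LIKELIHOOD["possible"], IMPACT["major"], "procurement"),
    ]
    # Treatment decisions keyed by risk name (constructed for the example).
    plan = {
        "unpatched internet-facing service": ("change_likelihood", {"to": LIKELIHOOD["rare"]}),
        "laptop theft": ("change_consequences", {"to": IMPACT["negligible"]}),
        "data centre flood": ("share", {"fraction": 0.6}),
        "legacy vendor portal": ("remove_source", {}),
    }
    residual = []
    for risk in register:
        option, params = plan[risk.name]
        treated = treat(risk, option, **params)
        if treated is not None:
            residual.append(treated)
    return {
        "inherent": [r.name for r in prioritise(register)],
        "above_appetite": [r.name for r in needs_treatment(register)],
        "residual": [r.name for r in prioritise(residual)],
        "residual_above_appetite": [r.name for r in needs_treatment(residual)],
    }


if __name__ == "__main__":
    for key, names in run_example().items():
        print(f"{key}: {names}")
```

Patching (changing likelihood) and disk encryption (changing consequences) leave the risk on the register at a lower score, decommissioning the portal removes it, and insuring the flood risk leaves likelihood untouched while reducing the retained impact; the register records a named owner and a decision for every entry, which is what the "formalising risk ownership processes" step above amounts to in practice.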

Supply-chain security

Supply-chain security refers to efforts to enhance the security of the supply chain, the transport and logistics system for the world's cargo. It combines traditional practices of supply-chain management with the security requirements driven by threats such as terrorism, piracy, and theft.

Typical supply-chain security activities include:

  • Credentialing of participants in the supply chain
  • Screening and validating the contents of cargo being shipped
  • Advance notification of the contents to the destination country
  • Ensuring the security of cargo while in transit via the use of locks and tamper-proof seals
  • Inspecting cargo on entry


This page is based on a Wikipedia article written by its authors.
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.