Category: Risk & Governance | Level: intermediate | Time: 3-6 months for initial implementation | Est. 2009 by International Organization for Standardization (ISO)

ISO 31000

Also known as: ISO 31000 Risk Management, International Risk Management Standard

An international standard providing principles, a framework, and a process for managing risk, applicable to any organization regardless of size, sector, or type of risk.

Quick Reference

Memory Aid

Principles (why) → Framework (set up) → Process (do it). Context → Identify → Analyze → Evaluate → Treat → Monitor.

TL;DR

ISO 31000 provides a universal risk management approach: establish context, identify risks, analyze and evaluate them, treat the important ones, and monitor continuously. It's flexible by design — scale it to your organization's needs.

What Is ISO 31000?

A universal risk management standard with three parts: principles (why), a framework (how to set up), and a process (how to do it) — applicable to any type of risk in any organization.

On Managing Uncertainty

Risk management is not about eliminating risk. It is about making informed choices about how much risk to take and how to manage it.

Kevin W. Knight, Chair of the ISO Working Group that developed ISO 31000

ISO 31000 provides a pragmatic, principles-based approach to risk management. The 2018 edition defines eight principles that describe what effective risk management looks like, a framework for integrating risk management into the organization's governance and activities, and a process covering communication and consultation; scope, context and criteria; risk assessment (identification, analysis, evaluation); risk treatment; monitoring and review; and recording and reporting. Unlike the more detailed COSO ERM framework, it is intentionally flexible and non-prescriptive, allowing organizations to adapt it to their context. It is not a certifiable standard: it provides guidance rather than requirements, so there is no "ISO 31000 certified" status to claim or audit against.

📊 ISO 31000 Risk Management Process

The iterative risk management process at the core of ISO 31000, supported by continuous communication and monitoring.

Scope, Context & Criteria

Define the parameters for risk management

Risk Identification

Find, recognize, and describe risks

Risk Analysis

Comprehend the nature and level of risk

Risk Evaluation

Compare against criteria to determine treatment

Risk Treatment

Select and implement options to address risk

Origin & Context

Developed to provide a universal, non-certifiable risk management standard that could be applied across all industries and risk types. Revised in 2018.

Core Components

1. Principles

Eight principles describing the characteristics of effective risk management.

Example

Risk management should be 'integrated' — part of all organizational activities, not a separate function.

2. Framework

The organizational infrastructure for implementing risk management: leadership, integration, design, implementation, evaluation, and improvement.

Example

An organization integrates risk considerations into its project approval process, budgeting cycle, and performance reviews.

3. Process

The practical steps for managing risk: communicate, establish context, assess risks, treat risks, monitor, and report.

Example

A project team identifies risks through brainstorming, analyzes their likelihood and impact, evaluates which need treatment, and implements mitigations.

4. Risk Assessment

The core analytical steps: identify what could happen, analyze how likely and how severe, evaluate which risks need treatment.

Example

A supply chain team identifies 40 potential risks, analyzes each for probability and impact, and prioritizes the top 10 for treatment.

💡 Did You Know?

ISO 31000 has been adopted as a national standard in over 70 countries and translated into more than 30 languages, making it one of the most widely recognized risk management standards in the world. Unlike most ISO management standards, it is intentionally non-certifiable: it is written as guidance rather than as auditable requirements.

When to Use ISO 31000

Scenario 1

Project risk management

Problem it solves: Projects lack a systematic approach to identifying and managing risks.

Real-World Application

A construction firm adopts ISO 31000 to standardize risk management across all projects, reducing cost overruns by 25%.

Scenario 2

Cross-industry risk management

Problem it solves: Industry-specific frameworks don't apply to diverse organizations.

Real-World Application

A conglomerate with operations in manufacturing, retail, and services uses ISO 31000 as the common risk management framework across all divisions.

Scenario 3

SME risk management

Problem it solves: Small and medium enterprises need a practical, scalable risk framework.

Real-World Application

A 50-person tech company applies ISO 31000 principles in a simplified way — monthly risk reviews with a simple register and clear ownership.

🔎 ISO 31000 defines risk as 'the effect of uncertainty on objectives', and that effect can be positive or negative, not just a loss. This means opportunities are risks too, and should be identified and managed with the same process.

How to Apply ISO 31000: Step by Step

Before You Start

  • Management commitment to risk management
  • Clear organizational objectives against which to assess risk
  • Basic understanding of the organization's risk landscape
Tools: Risk register, Risk assessment matrix, Risk treatment plan template

1. Establish context and criteria

Define the scope, context, and risk criteria for your risk management activities.

Tips

  • Align risk criteria with organizational objectives
  • Consider internal and external context

Common Mistakes

  • Skipping context-setting and jumping straight to risk identification
2. Risk identification

Identify risks that could affect the achievement of objectives, including sources, events, causes, and consequences.

Tips

  • Use multiple techniques: workshops, checklists, interviews, PESTEL
  • Include opportunities, not just threats

Common Mistakes

  • Only identifying familiar risks; missing novel or systemic risks
3. Risk analysis and evaluation

Analyze the likelihood and consequences of each risk, then evaluate which risks need treatment based on your criteria.

Tips

  • Use both qualitative and quantitative methods
  • Consider risk interdependencies

Common Mistakes

  • Over-relying on quantitative analysis without qualitative judgment
4. Risk treatment

Select and implement treatment options. The common shorthand is avoid, reduce, share, or retain (accept), but ISO 31000:2018 lists a broader set: avoiding the activity, taking or increasing the risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk (contracts, insurance), and retaining it by informed decision. Record the residual risk after treatment and check it against your criteria; a treatment that leaves the risk above appetite needs escalation, not silent acceptance.

Tips

  • Consider cost-benefit of each treatment
  • Assign clear ownership for each treatment

Common Mistakes

  • Treating every risk equally rather than prioritizing based on evaluation
5. Monitor, review, and improve

Continuously monitor risks, review the effectiveness of treatments, and improve the process.

Tips

  • Use Key Risk Indicators for early warning
  • Conduct regular reviews, not just annual

Common Mistakes

  • Setting up the process once and never reviewing it
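The five steps above (and the "40 risks, top 10 treated" supply-chain illustration under Core Components) map naturally onto a small risk register. The following is an added example, written for this page and not code from ISO or from Stratrix: the 1-5 likelihood and impact scales, the appetite and escalation thresholds, the treatment rules and the three information-security sample risks are all constructed assumptions chosen to show how criteria, evaluation, treatment with residual risk, and KRI-driven monitoring fit together.

```python
# Added example: a minimal ISO 31000-style risk register.
# Scales, thresholds and sample risks are constructed for illustration,
# not prescribed by the standard.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    AVOID = "avoid"     # stop the activity that creates the risk
    REDUCE = "reduce"   # change likelihood and/or consequences
    SHARE = "share"     # insurance, contract, outsourcing
    RETAIN = "retain"   # informed decision to accept it within appetite


@dataclass
class Criteria:
    """Step 1: risk criteria. Score = likelihood x impact, each on 1..scale."""
    scale: int = 5
    appetite: int = 8      # highest score the organisation will retain untreated
    escalate_at: int = 15  # scores at or above this go to senior management

    def level(self, score: int) -> str:
        if score >= self.escalate_at:
            return "critical"
        if score > self.appetite:
            return "high"
        if score > self.appetite // 2:
            return "medium"
        return "low"


@dataclass
class Risk:
    """Step 2: an identified risk tied to the objective it threatens."""
    risk_id: str
    objective: str
    description: str
    likelihood: int
    impact: int
    owner: str
    treatment: Optional[Treatment] = None
    residual: Optional[tuple[int, int]] = None  # (likelihood, impact) after treatment
    kri_threshold: Optional[float] = None       # step 5: early-warning indicator

    def score(self, residual: bool = False) -> int:
        """Step 3 (analysis): inherent score, or residual score once treated."""
        if residual and self.residual:
            return self.residual[0] * self.residual[1]
        return self.likelihood * self.impact


def evaluate(register: list[Risk], criteria: Criteria) -> list[Risk]:
    """Step 3 (evaluation): risks above appetite, highest inherent score first."""
    needing = [r for r in register if r.score() > criteria.appetite]
    return sorted(needing, key=lambda r: r.score(), reverse=True)


def treat(risk: Risk, option: Treatment, criteria: Criteria,
          residual: Optional[tuple[int, int]] = None) -> str:
    """Step 4: record a treatment; return the residual risk level per the criteria."""
    if not risk.owner:
        raise ValueError(f"{risk.risk_id}: every treatment needs an owner")
    if option is Treatment.RETAIN and risk.score() > criteria.appetite:
        raise ValueError(f"{risk.risk_id}: cannot retain a risk above appetite without escalation")
    risk.treatment = option
    risk.residual = residual if residual else (risk.likelihood, risk.impact)
    return criteria.level(risk.score(residual=True))


def monitor(register: list[Risk], kri_readings: dict[str, float]) -> list[str]:
    """Step 5: compare KRI readings with thresholds; return risk IDs due for reassessment."""
    return [
        r.risk_id for r in register
        if r.kri_threshold is not None
        and r.risk_id in kri_readings
        and kri_readings[r.risk_id] >= r.kri_threshold
    ]


def sample_register() -> list[Risk]:
    """Constructed sample: three security risks against one availability objective."""
    objective = "Keep the customer service platform available"
    return [
        # KRI for R1: days since the last vendor patch was applied
        Risk("R1", objective, "Unpatched internet-facing VPN appliance is exploited",
             likelihood=4, impact=5, owner="Head of Infrastructure", kri_threshold=30),
        # KRI for R2: number of unpinned third-party build dependencies
        Risk("R2", objective, "Compromised CI dependency ships a malicious build",
             likelihood=3, impact=4, owner="Engineering Manager", kri_threshold=10),
        Risk("R3", objective, "Loss of the only engineer who knows the billing system",
             likelihood=2, impact=3, owner="CTO"),
    ]


if __name__ == "__main__":
    crit, reg = Criteria(), sample_register()
    print("Needs treatment:", [(r.risk_id, r.score()) for r in evaluate(reg, crit)])
    print("R1 after patching SLA:", treat(reg[0], Treatment.REDUCE, crit, residual=(1, 5)))
    print("Due for reassessment:", monitor(reg, {"R1": 45, "R2": 3}))
```

Two design choices worth noting: `treat` refuses to record "retain" for a risk above appetite, which is the code-level version of the "treating every risk equally" mistake above, and the residual score is stored separately from the inherent score so the register shows both what the risk was and what the treatment is expected to leave behind.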

Value & Outcomes

Primary Benefit

Provides a flexible, internationally recognized framework for managing any type of risk systematically.

Additional Benefits

  • Applicable to any organization size and sector
  • Creates a common risk language
  • Improves decision-making under uncertainty

What You'll Learn

  • How to establish a risk management process
  • How to identify, analyze, and treat risks systematically
  • How to integrate risk management into organizational decision-making

Typical Outcomes

  • More systematic identification and management of risks
  • Better-informed decisions at all organizational levels
  • Increased confidence from stakeholders in risk governance

Best Practices

📋 Preparation

  • Start with a risk management maturity assessment
  • Identify the most critical objectives to protect

🚀 Execution

  • Keep the process proportionate to the organization's size and complexity
  • Focus on risk ownership — every risk needs an owner
  • Communicate risk information to those who need it to make decisions

🔄 Follow-Up

  • Review the risk register at least monthly
  • Update risk assessments when significant changes occur
  • Learn from risk events through post-incident reviews

💎 Pro Tips

  • Don't over-engineer the process — a simple, well-used risk register beats a complex unused one
  • Make risk discussions a standing agenda item in management meetings

ISO 31000 is deliberately flexible. Don't try to implement every aspect at once. Start with the process, then build the framework around it.

📌 City of Melbourne's Risk-Based Decision Making

The City of Melbourne adopted ISO 31000 as the foundation for all risk management across its operations. By applying the standard's risk process to urban planning decisions, the city systematically assessed risks from climate change, population growth, and infrastructure aging. This led to a prioritized $1.5B infrastructure investment plan that addressed the highest-impact risks first, rather than relying on political priorities alone.

Limitations & Pitfalls

Non-certifiable — cannot demonstrate compliance through certification

Mitigation: Use ISO 31000 as guidance alongside certifiable standards like ISO 27001 where certification is needed

Intentionally high-level — may need supplementation for specific risk domains

Mitigation: Combine with domain-specific standards (e.g., ISO 27005 for information security risk)
