ISO 31000:2009 Risk Management

Posted by admin

For many organisations, ISO 31000 provides a single global reference for stakeholders who have an interest in risk management, since it is the only internationally recognized ISO standard for risk management, adopted by over 50 countries as their national risk management standard. ISO 31000 gives a list, in order of preference, of ways to deal with risk: 1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk 2.


According to the Introduction to ISO 31000, the term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process. ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. This approach to formalizing risk management practices will facilitate broader adoption by companies that require an enterprise risk management standard that accommodates multiple.

ISO 31000 is an international standard published in 2009 that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management, which can be applied to different types of risks (financial, safety, project risks) and used by any type of organization. The standard provides a uniform vocabulary and concepts for discussing risk management. It provides guidelines and principles that can help to undertake a critical review of your organization’s risk management process.

The standard does not provide detailed instructions or requirements on how to manage specific risks, nor any advice related to a specific application domain; it remains at a generic level.

Relative to older standards on risk management, ISO 31000 innovates in several areas:

  • it provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization’s objectives, highlighting the importance of defining objectives before attempting to control risks, and emphasizing the role of uncertainty

  • it introduces the (sometimes controversial) notion of risk appetite, that is, the level of risk which the organization is willing to take on in return for expected value

  • it defines a risk management framework with different organizational procedures, roles and responsibilities in the management of risks

  • it outlines a management philosophy where risk management is seen as an integral part of strategic decision-making and the management of change

Course material

The ISO 31000 standard

Lecture slides (PDF)

The risk management process outlined in the ISO 31000 standard includes the following activities:

  • Risk identification: identifying what could prevent us from achieving our objectives.

  • Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.

  • Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.

  • Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.

  • Establishing the context: this activity, which was not included in earlier risk management process descriptions, consists of defining the scope for the risk management process, defining the organization’s objectives, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, stakeholder expectations) and internal elements (the organization’s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).

  • Monitoring and review: this task consists of measuring risk management performance against indicators, which are themselves periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan; checking whether the risk management framework, policy and plan are still appropriate given the organization's external and internal context; reporting on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework.

  • Communication and consultation: this task helps understand stakeholders' interests and concerns, to check that the risk management process is focusing on the right elements, and also helps explain the rationale for decisions and for particular risk treatment options.
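The identification, analysis and evaluation steps above worked through as a small risk register, an example added here that is not part of the original page. It assumes a 5x5 likelihood-by-consequence scoring, a fixed reduction per existing control, and hypothetical per-objective risk criteria; ISO 31000 itself prescribes none of these.

```python
from dataclasses import dataclass, field

# Assumed 5x5 qualitative scales (constructed for this example; ISO 31000
# itself does not prescribe scales or a scoring method).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # steps removed from the likelihood scale
    consequence_reduction: int = 0  # steps removed from the consequence scale

@dataclass
class Risk:
    objective: str      # objective it threatens (set when establishing the context)
    description: str    # what could prevent us reaching it (risk identification)
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)   # existing controls

def residual_level(risk):
    """Risk analysis: level of residual risk given the existing controls."""
    lk, cq = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    for ctl in risk.controls:
        lk -= ctl.likelihood_reduction
        cq -= ctl.consequence_reduction
    # Clamp to the scale: no control makes a risk impossible or harmless.
    return max(1, min(5, lk)) * max(1, min(5, cq))

def evaluate(risk, criteria):
    """Risk evaluation: compare the residual level with the risk criteria.
    criteria maps each objective to the maximum tolerable level (risk appetite)."""
    level = residual_level(risk)
    tolerable = level <= criteria[risk.objective]
    return {"risk": risk.description, "level": level, "tolerable": tolerable,
            "action": "accept and monitor" if tolerable else "select treatment"}

# Constructed sample register and criteria (hypothetical values).
CRITERIA = {"Protect customer data": 6, "Keep service available": 9}
REGISTER = [
    Risk("Protect customer data", "Stolen credentials reused against the admin portal",
         "likely", "severe", [Control("MFA on admin portal", likelihood_reduction=2)]),
    Risk("Keep service available", "Volumetric DDoS on the public API",
         "possible", "major", [Control("Upstream scrubbing service", consequence_reduction=2)]),
]

def review(register=REGISTER, criteria=CRITERIA):
    """Evaluate the whole register; rows marked 'select treatment' feed the treatment step."""
    return [evaluate(r, criteria) for r in register]
```

Rows that come back as tolerable still go to monitoring and review, since the criteria and the controls' effectiveness are themselves revisited periodically.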

The standard includes a number of principles that risk management should satisfy:

  • creates and protects value
  • is based on the best information
  • is an integral part of organizational processes
  • is tailored
  • is part of decision-making
  • takes human and cultural factors into account
  • explicitly addresses uncertainty
  • is transparent and inclusive
  • is systematic, structured and timely
  • is dynamic, iterative and responsive to change
  • facilitates continual improvement of the organization

Note that the standards document is very expensive to purchase. The slides above suggest an alternative source of information that may be useful to some learners.

Other resources

We recommend the following sources of further information on this topic:

  • A collection of videos on risk management by Grant Purdy

  • The Introduction to risk identification textbook in the Lecture Notes in Safety Science series of INSA Toulouse, by Prof. Gilles Motet, and accompanying video lecture.

Published by the International Organisation for Standardisation, ISO 31000:2009 is titled Risk Management - Principles and Guidelines and takes a common-sense approach to risk management. Regardless of the type and size of the organization, the newly published risk management standard helps an organization achieve its goals by managing risks in an effective and efficient manner.

With the introduction of ISO 31000, many similar international standards will be replaced. Of all the replaced standards, AS/NZS 4360 is the most prominent, given its exceptional success in Australia, New Zealand and other countries. However, with a newer approach to viewing, verifying and dealing with risk, ISO 31000 promises a better and more efficient way of managing risk.

ISO 31000 and a Set of New Definitions

As per ISO 31000, risk is 'the effect of uncertainty on objectives', whereas risk management is 'coordinated activities to direct and control an organization with regard to risk'. It further defines a risk management framework as a 'set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization'. According to ISO 31000, the risk management process is a 'systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk'.

Key Principles of ISO 31000

ISO 31000 consists of 11 key principles which view risk management as an elementary process for generating the success of the organization. These eleven principles can be regarded as the 'essential qualities' required for risk management.

Principle 1: Risk management creates and protects value

Principle 2: Risk management is an integral part of the organizational procedure

Principle 3: Risk management is part of decision making

Principle 4: Risk management explicitly addresses uncertainty

Principle 5: Risk management is systematic, structured and timely

Principle 6: Risk management is based on the best available information

Principle 7: Risk management is tailored

Principle 8: Risk management takes human and cultural factors into account

Principle 9: Risk management is transparent and inclusive

Principle 10: Risk management is dynamic, iterative and responsive to change

Principle 11: Risk management facilitates continual improvement and enhancement of the organization

ISO 31000 and Enhanced Risk Management

ISO 31000 acknowledges the importance of continual improvement of risk management strategies. As per ISO 31000, the five features of enhanced risk management are:
  • Continual improvement
  • Full accountability for risks
  • Application of risk management in all decision making
  • Continual communications
  • Full integration in the organization's governance structure


In the coming days, ISO 31000 will become an immensely important part of organizations which have not yet implemented a formal and structured risk management framework. Is your company yet to implement a proactive risk management strategy? Is it struggling to implement one effectively? If yes, you certainly need professional help from ComplianceOnline.


ComplianceOnline, in its effort to bring knowledge to the doorstep of your company, has collaborated with many industry experts who have led many successful ISO 31000 processes and have 20-30 years of experience in various areas. Drawing on their immense knowledge and enormous experience, they conduct easy-to-understand and easy-to-attend webinars, which are available as recordings or CDs. So, what are you waiting for? Train your entire team interfacing with ISO 31000 and risk management with the webinars mentioned below.


Business Risk Mgmt ISO 31000
This Business Risk Mgmt training will guide you through the ISO 31000 general risk management standard, the process model it recommends, how companies may use the standard, and its companion risk assessment techniques document ISO/IEC 31010.