ISO 31000
Risk management

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizations as these could have consequence in terms of economic performance and professional reputation.

ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions. For this purpose, the recommendations provided in ISO 31000 can be customized to any organization and its context

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Accordingly, ISO 31000 is intended for a broad stakeholder group including:
executive level stakeholders
appointment holders in the enterprise risk management group
risk analysts and management officers
line managers and project managers
compliance and internal auditors
independent practitioners.

ISO 31000 gives a list on how to deal with risk:
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Accepting or increasing the risk in order to pursue an opportunity
Removing the risk source
Changing the likelihood
Changing the consequences
Sharing the risk with another party or parties (including contracts and risk financing)
Retaining the risk by informed decision

The risk management process outlined in the ISO 31000 standard includes the following activities:

Risk identification: identifying what could prevent us from achieving our objectives.

Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.

Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.

Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.

Establishing the context: this activity, which was not included in earlier risk management process descriptions, consists of defining the scope for the risk management process, defining the organizationís objectives, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, external stakeholder expectations) and internal elements (the organizationís governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).

Monitoring and review: this task consists of measuring risk management performance against indicators, which are periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan, checking whether the risk management framework, policy and plan are still appropriate, given organizationsí external and internal context, reporting on risk, progress with the risk management plan and how well the risk management policy is being followed, and reviewing the effectiveness of the risk management framework.

Communication and consultation. This task helps understand stakeholdersí interests and concerns, to check that the risk management process is focusing on the right elements, and also helps explain the rationale for decisions and for particular risk treatment options.

Certification, inspection and audit solutions focused on business optimization.






WHO WE ARE           






244 Fifth Avenue, Suite 1203, New York, NY 10001 US
The standard includes a number of principles that risk management should verify:

creates and protects value
is based on the best information
is an integral part of organizational processes
is tailored
is part of decision-making
takes human and cultural factors into account
explicitly addresses uncertainty
is transparent and inclusive
is systematic, structured and timely
is dynamic, iterative and responsive to change
facilitates continual improvement of the organization