ISO 31000, the international standard for risk management

The world is changing at a rapid pace and uncertainty has become a daily reality. Just think about the corona crisis, economic conflicts and stricter environmental requirements. The way organisations deal with those uncertain factors determines their success. Or in other words: the better you manage risks, the better you perform.

That sounds simple, but putting it into practice is not always easy. Luckily, we can rely on ISO 31000, the international standard for risk management. This standard allows you to improve your results and reputation in the long run. Why? ISO 31000 is not only a basis for risk analysis, it also helps you to spot opportunities.

Uncertain elements – or risks – can have a positive impact on achieving your goals. If you know how to become a risk-aware organisation, you’ll gain a competitive edge!

  1. What is ISO 31000?
  2. Why implement ISO 31000?
  3. Who is ISO 31000 meant for?
  4. Certification ISO 31000
  5. Risk-based auditing
  6. Related standards

Risk managers still remain mostly on the sidelines when it comes to key decision making. ISO 31000 should help them to turn risk management into an integral part of the organisation, on both operational and strategic levels.

James Brown, chairman of ISO’s commission on risk management.

Do you want to know which guidelines to follow to achieve good risk management?

Purchase NBN ISO 31000:2018 Risk management - Guidelines from NBN. The standard is available in English, Dutch and French.

1. What is ISO 31000?

ISO 31000 offers companies and other organisations guidelines to integrate risk-aware decision making into their governance, planning, reporting, policies, values and culture. It is an open, principle-based framework, which makes the standard suitable for any context. The international standard is intended both for risk management at corporate level and for managing the strategic and operational risks of daily operations and projects.

ISO 31000 was revised in 2018, almost 10 years after its first publication in 2009. The revision brought the standard in line with today's business environment and takes new challenges for organisations into account, for example the increasing complexity of economic systems and emerging risks such as digital currencies and cybercrime.

Important: the concept of risk management (and risk assessment), as described in ISO 31000, was important input for the new generation of risk-based management standards, such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 45001 (occupational health and safety).


HLS turns risk management into a cornerstone of management standards

With the High-Level Structure (HLS) all management standards possess the same basic structure, definitions and concepts. Risk management plays a crucial part in this. The result: if you know what ISO 31000 is about, you’ll be able to apply management standards more efficiently.

What is the objective of ISO 31000?

ISO 31000 defines risk as ‘the effect of uncertainty on objectives’. Risk management is therefore an instrument both to manage threats (negative effects) and to benefit from opportunities (positive effects). This should lead to improved performance of your organisation, project, product or service. In short: the main objective of ISO 31000 is to create and protect value.

These 8 principles of ISO 31000 support the main objective:

  • Integrated: risk management should be integrated into all operations and activities.
  • Structured and comprehensive: a structured and comprehensive approach leads to consistent and comparable results.
  • Customised: the framework for risk management should be adapted to the context and the goals of the organisation.
  • Inclusive: all (relevant) stakeholders should be involved in risk management.
  • Dynamic: taking proactive action, anticipating and responding to changes swiftly are crucial elements of good risk management.
  • Best available information: decisions are based on historical and current information and on expectations about the future, while explicitly taking into account the limitations and uncertainties of that information.
  • Human and cultural factors: these factors are essential and need to be addressed in every phase.
  • Continuous improvement: through experience and accumulated knowledge, an organisation should be able to grow stronger over time.

2. Why implement ISO 31000?

The main benefits of good risk management based on ISO 31000:

  • Focus on goals: by following international best practices on risk assessment you are more likely to meet your goals.
  • Lower costs: thorough risk analysis increases your chances of taking the right decision the first time, avoiding a lot of unnecessary costs.
  • Risk-aware culture: the standard helps ensure that well-informed decisions are made at all levels, for example when allocating resources.
  • Stronger reputation: an organisation that implements the guidelines from ISO 31000 shows the outside world it not only identifies risks but also analyses and controls them.
  • Spotting opportunities: the revised ISO 31000 emphasises that risks aren’t necessarily negative, but can also have a positive impact on your goals.
  • Scalable: when your organisation grows, new risks emerge. However, the guidelines from ISO 31000 apply to any type of organisation, regardless of size.
  • Consistent with other standards: thanks to the structure of ISO 31000’s latest version, the standard better aligns with popular management standards, such as ISO 9001 (quality management) and ISO/IEC 27001 (information security).

3. Who is ISO 31000 meant for?

Everyone who contributes to risk management within their organisations can benefit from ISO 31000, so not only professional risk managers, but also:

  • top managers;
  • risk analysts;
  • line managers;
  • project managers;
  • external and internal auditors.

Looking for useful techniques to assess risks even better?

IEC 31010, the standard on risk assessment techniques, is the natural complement to ISO 31000. It helps you to set up a practical, sustainable and easily understandable assessment process.

4. Certification ISO 31000

ISO 31000 is not a management system standard in the strict sense: it contains guidelines, not requirements. The consequence: contrary to ISO 9001 or ISO 14001, your organisation cannot be certified against ISO 31000. Individual professionals, however, can obtain a personal certification.


What is a personal certification?

A personal certification is objective, written proof that you master the methodologies, guidelines and approach of ISO 31000. If you pass the PECB exam, you receive a certificate from PECB, an internationally accredited certification body.

In Belgium, you can obtain a certification via the Global Network for Independent Certification (GNIC). Together with NBN, GNIC regularly organises courses and exams that offer risk managers the chance to improve their skills.

Why obtain a personal certification for ISO 31000?

With a certification to your name, your career will take a leap forward. This recognition proves that you’re trained to protect organisations from risks and spot opportunities. An asset that inspires confidence from many different stakeholders.


5. Risk-based auditing

Nowadays, the importance of risk analysis is a common theme in various standardisation commissions, for example in the commission responsible for ISO 19011, the standard for internal and external auditing of management systems. Moreover, a risk-based approach is one of the 7 principles for auditing management systems in the latest version of ISO 19011. The core ideas of this principle are directly linked to ISO 31000.


What is risk-based auditing?

Traditional audit methods take compliance with procedures as the benchmark. Risk-based auditing, however, gives more attention to achieving business goals and to a proactive approach towards them. This audit focus is gaining traction. The result: when you undergo audits for management standards such as ISO 9001 (quality management) or ISO 14001 (environmental management), the auditor will take a closer look at your risk management in those areas. Knowledge of the guidelines in ISO 31000 is a big plus in that respect.

6. Related standards

To take your risk management to the next level, you can also count on these standards to complement ISO 31000:

Get started with NBN ISO 31000:2018?

Purchase the standard in the NBN e-shop. That way, you’ll immediately get an overview of all the guidelines for good risk management.
