ISO 31000 explained: the principles


ISO 31000: in this article you will find an easy and practical explanation of the ISO 31000 standard. Next to what it is, this article also highlights the principles, the framework, the risk management process and risk treatment, the advantages, and a conclusion. After reading, you will understand how useful this standard can be for risk management in companies. Enjoy reading!

A brief introduction of ISO 31000

Before going deeper into what this standard is all about, it is necessary to emphasise the importance of analysing the risks that a company may face at any stage of its development. No company, regardless of its size or maturity, is free from risk.

Risks can arise from the business's internal processes, such as problems in manufacturing, machinery, staffing or communication, and from external sources, such as damage to its reputation or customers lost through poor product quality and service.


This is where risk management comes in. It aims to identify uncertain events in advance and decide how to handle them. A company should treat this as a standing priority, because it underpins the proper functioning of the organisation. With that clear, we will proceed to explain ISO 31000, the international standard that deals directly with risk management.

What is ISO 31000?

ISO 31000 is the international standard for risk management, developed by the International Organization for Standardization. Its purpose is to increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and allocate and use resources efficiently for the treatment of risk at both strategic and operational level.

It was first published in 2009, with the aim that all organisations, regardless of size, sector or type, should be able to manage risk effectively. This means that organisations develop, implement and continually improve a framework for their risk management activities.

Over time, ISO 31000 has been revised and complemented by related documents, such as:

  • ISO 31000:2009 – Risk management – Principles and guidelines (the original edition)
  • ISO/IEC 31010 – Risk management – Risk assessment techniques (first published jointly in 2009, revised as IEC 31010:2019)
  • ISO Guide 73:2009 – Risk management – Vocabulary
  • ISO 31000:2018 – Risk management – Guidelines (the current edition, which dropped "Principles" from the title)

In this article, we will focus on ISO 31000:2018, which is the latest update.

Principles for ISO 31000 risk management

The principles below follow the original 2009 edition, which listed eleven of them. ISO 31000:2018 condenses the list to eight principles arranged around a single purpose, the creation and protection of value, but the underlying ideas are the same.

Creates and protects value

Risk management exists to create and protect value. It improves the performance of the company through the monitoring and review of its systems and processes. Examples of areas where a risk-based approach has proven its value are safety, occupational health and environmental protection, among others.

Integrated into organisational processes

Risk management should not be a separate process; it should be connected to the other processes of the company and be part of the responsibilities of management.

Part of decision making

Risk management helps to make well-founded decisions by analysing the different alternatives available, making the trade-offs explicit and prioritising the actions that address possible problems in the organisation.

Explicitly addresses uncertainty

Risk management explicitly takes account of uncertainty: what is not known, how likely the possible outcomes are, and how that uncertainty can be reduced or lived with. Identifying potential risks and the decisions needed to get out of a negative situation keeps uncertainty under control rather than ignoring it.

Systematic, structured and timely

Managing risk in a systematic, structured and timely way produces consistent, comparable and reliable results for the company.

Based on the best available information

The risk management process draws on historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. Decision makers should also be aware of the limitations of that information: where the data is incomplete, out of date or based on models that may not hold.

Tailored to the organisation

Risk management is aligned to the internal and external context of the organisation and to its risk profile. It is adapted to the resources available to the company, such as its people, finances and track record, rather than applied as a one-size-fits-all template.

Takes human and cultural factors into account

Risk management recognises the capabilities, perceptions and intentions of the people inside and outside the organisation who can help or hinder the achievement of its objectives. Understanding the culture of the people who work for the organisation makes it easier to achieve objectives and to obtain good results in operations.

Transparent and inclusive

Risk management emphasises the appropriate and timely involvement of stakeholders (employees, investors, customers) and of decision makers at all levels. Internal and external communication keeps everyone informed about the current state of risk management and ensures that stakeholder views are taken into account when risk criteria are set.

Dynamic, iterative and responsive to change

It is important for today's companies to understand that trends and the environment change, both internally and externally. New risks emerge, existing risks change and some disappear. Risk management must continually sense and respond to such changes, updating its assessments and treatments when they happen.

Facilitates continual improvement

By formulating strategies, implementing them and reviewing the results, the organisation continually improves its maturity in risk management and in other aspects of its operations.

Framework

The framework for risk management has been developed to assist the organisation in integrating risk management into all its significant activities and functions. This integration, including into decision making, has a positive impact on the company's processes when done appropriately.

ISO 31000: leadership and commitment

Top management and oversight bodies should ensure that risk management is integrated into all organisational activities and should demonstrate leadership and commitment by defining a risk management policy and a statement of the organisation's risk appetite. Anticipating events rather than reacting to them is essential. In practice this means they:

  • Allocate the necessary resources (people, budget, tools) to risk management
  • Communicate the value of risk management to the organisation and its stakeholders
  • Assign authority, roles, responsibilities and accountability at the appropriate levels
  • Remain accountable for managing risk, including the risks they decide to accept

The integration of risk management depends on an understanding of the structures and context of the organisation. The company must fully understand its internal and external context when designing the framework.

As mentioned above, integration should not be isolated from the processes that the company already has in place. Integration must go hand in hand with leadership, because that is where the company's strategies, objectives and operations are set in order to meet its goals.

ISO 31000: the risk management process

The risk management process is the systematic application of policies, procedures and practices to communicating and consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. The first three of these activities together make up the risk assessment.

How to do a risk assessment in the company?

1. Risk identification, covering

  • Tangible and intangible sources of risk
  • Causes and events, threats and opportunities, strengths and weaknesses
  • The internal and external context and changes to it
  • Indicators of emerging risks
  • The company's assets and resources, and what the organisation may lose

2. Risk analysis, considering

  • The likelihood of events and of their consequences
  • The nature and magnitude of the consequences
  • Complexity and connectivity between risks
  • Time-related factors and volatility
  • The existing controls and how effective they are

3. Risk evaluation

Compare the results of the analysis with the risk criteria the organisation has established (its risk appetite) to decide what to do. The outcome may be to do nothing further, to consider risk treatment options, to undertake further analysis in order to understand the risk better, to maintain the existing controls, or to reconsider the objectives.

The outcome of this process should be recorded, communicated and validated with the relevant parts of the business.

Risk treatment using ISO 31000

The purpose of risk treatment is to select and implement options for addressing risk. ISO 31000 uses "treatment" rather than "mitigation" because the options are wider than reducing a risk; they also include accepting it, sharing it or avoiding it altogether.

Selecting a treatment option requires knowing what it will cost, what its wider implications and consequences are, and who it will affect. The options, which are not mutually exclusive, are to:

  • Avoid the risk by deciding not to start or continue the activity that gives rise to it
  • Take or increase the risk in order to pursue an opportunity
  • Remove the source of the risk
  • Change the likelihood of the risk
  • Change the consequences (the impact) of the risk
  • Share the risk, for example through contracts or insurance
  • Retain the risk by informed decision

Risk treatment is an iterative process of:

  • Formulating and selecting the treatment options
  • Planning and implementing the treatment, which sets out the order in which the actions are carried out and how they connect with the company's existing processes
  • Assessing the effectiveness of the treatment, with follow-up and review at each stage of the risk management process
  • Deciding whether the remaining (residual) risk is acceptable; if it is not, carrying out further treatment
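The risk evaluation and risk treatment steps above are easier to see end to end on a small risk register. The following Python is an added example written for this article, not material from the ISO 31000 standard or from Toolshero: it scores each register entry on a 5x5 likelihood/impact scale, compares the residual score with an assumed risk appetite (the risk criterion), and, for risks above appetite, picks the cheapest combination of candidate controls that brings them within appetite. The register entries, control names, reductions and costs are all constructed for the example; an organisation defines its own scales and criteria.

```python
"""Worked ISO 31000-style cycle: identify -> analyse -> evaluate -> treat -> check residual risk.
Added example; scales, appetite, register entries and controls are constructed, not from the standard."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Ordinal scales for the analysis step (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criterion (assumed): a residual score above this is not acceptable.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Control:
    """A treatment option: how many likelihood/impact levels it removes, and what it costs."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: int = 0


@dataclass
class Risk:
    """One entry in the risk register (output of the identification step)."""
    risk_id: str
    description: str
    likelihood: str
    impact: str
    controls: tuple = ()  # controls already in place


def score(likelihood_level: int, impact_level: int) -> int:
    return likelihood_level * impact_level


def inherent_score(risk: Risk) -> int:
    """Analysis: the risk level before any control is taken into account."""
    return score(LIKELIHOOD[risk.likelihood], IMPACT[risk.impact])


def residual_levels(risk: Risk, extra: tuple = ()) -> tuple[int, int]:
    """Levels after existing controls plus any extra treatment; floored at 1, a risk is rarely eliminated."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for control in risk.controls + extra:
        lik -= control.likelihood_reduction
        imp -= control.impact_reduction
    return max(lik, 1), max(imp, 1)


def residual_score(risk: Risk, extra: tuple = ()) -> int:
    return score(*residual_levels(risk, extra))


def evaluate(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Evaluation: compare the residual level with the risk criteria."""
    return "accept" if residual_score(risk) <= appetite else "treat"


def choose_treatment(risk: Risk, candidates: tuple, appetite: int = RISK_APPETITE) -> Optional[tuple]:
    """Treatment: the cheapest combination of candidate controls that brings the risk within appetite.
    Returns () when no extra control is needed and None when no combination is enough, in which case
    the remaining risk has to be shared, retained by an explicit management decision, or the objective reconsidered."""
    best: Optional[tuple] = None
    for size in range(len(candidates) + 1):
        for combo in combinations(candidates, size):
            if residual_score(risk, combo) <= appetite:
                cost = sum(c.cost for c in combo)
                if best is None or cost < best[0]:
                    best = (cost, combo)
    return None if best is None else best[1]


# Constructed register and candidate controls for the example run.
REGISTER = (
    Risk("R1", "Phishing leads to credential theft", "likely", "major"),
    Risk("R2", "Backup restore fails after ransomware", "possible", "severe",
         controls=(Control("Quarterly restore test", likelihood_reduction=2, cost=5),)),
    Risk("R3", "Office printer jams", "almost certain", "negligible"),
)
CANDIDATES = (
    Control("Phishing-resistant MFA", likelihood_reduction=2, cost=20),
    Control("Security awareness training", likelihood_reduction=1, cost=5),
    Control("Least-privilege access", impact_reduction=2, cost=10),
)


def run_register(register=REGISTER, candidates=CANDIDATES, appetite=RISK_APPETITE) -> dict:
    """Run the whole cycle and return, per risk, the figures a register would record."""
    out = {}
    for risk in register:
        decision = evaluate(risk, appetite)
        chosen = () if decision == "accept" else choose_treatment(risk, candidates, appetite)
        after = residual_score(risk, chosen or ())
        out[risk.risk_id] = {
            "inherent": inherent_score(risk),
            "residual": residual_score(risk),
            "decision": decision,
            "treatment": None if chosen is None else [c.name for c in chosen],
            "after_treatment": after,
            "acceptable": after <= appetite,  # the residual-risk check at the end of treatment
        }
    return out


if __name__ == "__main__":
    for risk_id, row in run_register().items():
        print(risk_id, row)
```

Running it, R1 (inherent 16) is above appetite and the cheapest single control that brings it to 8 is least-privilege access, even though MFA removes more likelihood; R2 is already within appetite thanks to its existing restore test, so the decision is to maintain the existing control; R3 is accepted. Lowering the appetite makes `choose_treatment` return `None` for R1, which is the "residual risk not acceptable, treat further or escalate" branch of the process.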

Advantages of ISO 31000

Benefits for the organisation

  1. Security and confidence for employees and customers
  2. A consistent, organisation-wide approach to managing risk
  3. A culture of prevention rather than reaction
  4. Improvement of existing management systems
  5. Understanding of the importance of identifying, analysing, monitoring and treating risk at each stage
  6. Help in identifying threats, weaknesses, opportunities and strengths in each process
  7. Support in meeting legal and regulatory requirements and in aligning with other international standards
  8. A solid and reliable basis for decision making and planning

Benefits ISO 31000 for stakeholders

  • Assurance for stakeholders that risk is being managed
  • Effectiveness in emergency situations
  • Prepared responses in case of threats or incidents
  • Improved financial management of the company and greater confidence among investors and lenders

Market benefits of using ISO 31000

  • Credibility and prestige
  • Security and trust
  • Competitiveness
  • Prevents losses that may occur

Conclusion on ISO 31000

ISO 31000 is a vital tool for protecting a company from the various problems and risks that may arise. A threat can also turn out to be an opportunity, which then needs to be exploited. One caveat for practitioners: ISO 31000 provides guidelines rather than auditable requirements, so there is no such thing as ISO 31000 certification; it is applied alongside, and gives a common risk vocabulary to, certifiable management system standards.

How do you deal with a critical situation that can bring risk to the company in the short, medium or long term? This is where ISO 31000 comes in: it helps your company think a risk situation through and deal with it systematically.

How to cite this article:
Ospina Avendano, D. (2021). ISO 31000. Retrieved [insert date] from Toolshero:

Original publication date: 03/10/2021 | Last update: 12/16/2023


Article by: Daniela Avendaño

Daniela Avendaño is a content producer and translator at toolshero. She obtained a Bachelor in Communications & Journalism, and with her theoretical and practical knowledge she supports the toolshero production team with interesting articles on management, personal & professional development, marketing and more. She is driven by sharing knowledge and stimulating others to develop.
