What Is ISO 31000?

The ISO 31000 risk management framework is an international standard published by the International Organization for Standardization (ISO) that provides principles, a framework, and a process for effective risk management. Rather than prescribing rigid controls or compliance checklists, ISO 31000 provides a structured approach to identifying, assessing, treating, and monitoring risk in a way that supports organisational objectives and decision-making.

Unlike certification standards, ISO 31000:

  • Is not mandatory: Organisations choose to adopt it voluntarily
  • Does not require certification: There is no ISO 31000 certification process
  • Can be adapted: Applicable to any organisation, sector, or activity

Its purpose is to help organisations manage uncertainty in a structured, consistent, and repeatable way. This makes ISO 31000 relevant for oil and gas companies, healthcare organisations, manufacturers, and public sector entities alike.


Framework Flexibility

ISO 31000 is principle-based rather than prescriptive. This means organisations can apply it in ways that suit their size, complexity, and risk profile without following a rigid template.

Why ISO 31000 Exists

Many organisations manage risk informally—through experience, judgement, or reactive controls. ISO 31000 exists to address common failures such as:

  • Risks identified too late: After incidents have already occurred
  • Inconsistent risk scoring: Different departments using different criteria
  • Controls listed but never tested: No evidence of control effectiveness
  • Risk registers treated as static documents: Updated annually rather than continuously

ISO 31000 shifts risk management from a compliance exercise to a decision-support discipline. It provides the foundation for enterprise risk management that creates real value for organisations.

The ISO 31000 Principles Explained

ISO 31000 is built on key principles that define what "good" risk management looks like. Effective risk management should be:

  • Integrated: Embedded into governance, strategy, planning, and operations, not treated as a separate activity
  • Structured and comprehensive: Consistent methods ensure comparable results across departments and sites
  • Customised: Risk management must reflect the organisation's context, industry, and objectives
  • Inclusive: Stakeholder involvement improves risk identification and ownership
  • Dynamic: Risks change over time and must be reviewed regularly
  • Based on best available information: Decisions should use reliable data, while acknowledging uncertainty
  • Focused on continual improvement: Risk management should mature as the organisation learns

These principles provide the foundation for building a risk management framework that genuinely supports decision-making rather than creating administrative burden.

The ISO 31000 Risk Management Process

At the core of ISO 31000 is a clear, repeatable process. Understanding and implementing this process is essential for effective risk management.

1. Establishing the Context

Before identifying risks, organisations must define the context in which they operate:

  • Organisational objectives: What is the organisation trying to achieve?
  • Internal and external environment: What factors influence risk?
  • Risk criteria: What does "high risk" mean for this organisation?

2. Risk Identification

Identifying events or conditions that could affect objectives, across:

  • Strategic risks
  • Operational risks
  • Financial risks
  • Compliance risks
  • Safety and environmental risks

A comprehensive risk register captures these identified risks systematically.

3. Risk Analysis

Understanding the nature and level of each risk by examining:

  • Likelihood of occurrence: How probable is this risk?
  • Potential impact: What would be the consequence?
  • Existing controls: What measures are already in place?

Proper risk scoring is essential for consistent analysis across the organisation.

4. Risk Evaluation

Comparing analysed risks against defined criteria to determine priorities. This step answers: "Which risks require treatment, and in what order?"

Understanding inherent vs residual risk helps organisations evaluate the effectiveness of existing controls.

5. Risk Treatment

Selecting and implementing actions to modify risk. Options include:

  • Avoiding the risk: Eliminating the activity that creates the risk
  • Reducing likelihood or impact: Implementing controls
  • Sharing the risk: Insurance or contractual transfer
  • Accepting the risk: Proceeding with informed awareness

Different types of risk controls can be applied depending on the nature of the risk.

6. Monitoring and Review

Ensuring risks, controls, and treatments remain relevant and effective. This includes:

  • Regular review of the risk register
  • Tracking control effectiveness
  • Updating risk assessments based on new information

Learn how to review and update your risk register effectively.

7. Communication and Consultation

Maintaining transparency and alignment across stakeholders throughout the process. This includes:

  • Engaging risk owners
  • Reporting to leadership
  • Sharing lessons learned

Process Integration

The ISO 31000 process steps are not strictly sequential. Communication, consultation, monitoring, and review should occur continuously throughout all other steps.

The Role of the Risk Register in ISO 31000

The risk register is not the framework—it is a tool that supports it. In ISO 31000, a risk register typically:

  • Records identified risks with clear descriptions
  • Documents risk owners and their responsibilities
  • Captures likelihood and impact assessments
  • Lists controls and treatment actions
  • Tracks residual risk and review dates

Common failure: Organisations complete the risk register but ignore monitoring, review, and evidence. The register becomes a static document rather than a living management tool.

Effective risk registers should also link risks to controls and actions to demonstrate how treatments are implemented and monitored.
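The following is an added example, not code from the article or from any ISO publication, showing how the process steps above (analysis, evaluation, monitoring and review) and the register fields just listed can be carried into a small working risk register. The 1 to 5 likelihood and impact scales, the rating thresholds, the reduction points per control and the three sample risks are all constructed assumptions standing in for what an organisation would define in its own "establishing the context" step; ISO 31000 prescribes none of them. The residual score deliberately credits only controls that carry evidence of effectiveness, so a control that is merely listed changes nothing, which is the "controls listed but never tested" failure the article describes.

```python
"""Minimal ISO 31000-style risk register (added illustration, not the
standard's own method). All scales, thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed 1..5 scales and assumed risk criteria: score >= threshold -> rating.
SCALE_MIN = 1
RATING_THRESHOLDS = (("high", 15), ("medium", 6), ("low", 0))


def rating_for(score: int) -> str:
    """Risk evaluation: map a likelihood x impact score to the assumed criteria."""
    for name, threshold in RATING_THRESHOLDS:
        if score >= threshold:
            return name
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points removed from likelihood when effective
    impact_reduction: int = 0       # points removed from impact when effective
    evidence: Optional[str] = None  # test record or audit reference; None = untested

    @property
    def is_evidenced(self) -> bool:
        return self.evidence is not None


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: Optional[str]
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    next_review: Optional[date] = None

    def inherent_score(self) -> int:
        """Risk analysis before any control is taken into account."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk credits only controls with evidence of effectiveness;
        a control listed without proof leaves the score unchanged."""
        l_red = sum(c.likelihood_reduction for c in self.controls if c.is_evidenced)
        i_red = sum(c.impact_reduction for c in self.controls if c.is_evidenced)
        likelihood = max(SCALE_MIN, self.likelihood - l_red)
        impact = max(SCALE_MIN, self.impact - i_red)
        return likelihood * impact

    def findings(self, today: date) -> list:
        """Monitoring and review: conditions that make a register entry 'static'."""
        issues = []
        if self.owner is None:
            issues.append("no risk owner assigned")
        if self.next_review is None or self.next_review < today:
            issues.append("review overdue or not scheduled")
        for c in self.controls:
            if not c.is_evidenced:
                issues.append(f"control '{c.name}' has no evidence of effectiveness")
        return issues


def evaluate_register(register: list, today: date) -> list:
    """Risk evaluation: rank by residual score (highest first) and attach
    the rating plus monitoring findings for each risk."""
    rows = []
    for r in register:
        residual = r.residual_score()
        rows.append({
            "id": r.risk_id,
            "inherent": r.inherent_score(),
            "residual": residual,
            "rating": rating_for(residual),
            "findings": r.findings(today),
        })
    rows.sort(key=lambda row: (-row["residual"], row["id"]))
    return rows


# Constructed sample register; entries and dates are illustrative only.
SAMPLE_TODAY = date(2024, 10, 15)
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched internet-facing service leads to breach", "IT Manager", 4, 5,
         controls=[Control("Monthly patch cycle", likelihood_reduction=2,
                           evidence="Patch report 2024-Q1"),
                   Control("Perimeter IDS", impact_reduction=1)],  # listed, never tested
         next_review=date(2024, 9, 30)),
    Risk("R-02", "Supplier insolvency halts production line", None, 2, 4,
         controls=[Control("Dual sourcing", likelihood_reduction=1,
                           evidence="Procurement audit 2024-03")],
         next_review=date(2024, 12, 31)),
    Risk("R-03", "Staff injury on plant floor", "Plant Manager", 3, 3,
         controls=[], next_review=None),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, SAMPLE_TODAY):
        print(row)
```

Running it ranks R-01 first even though its evidenced patching control has cut the score from 20 to 10: the untested IDS earns no credit and is reported as a finding, as is the overdue review date. The design choice worth noting is that evidence, ownership and review dates are first-class fields rather than free text, which is what lets the register be queried continuously instead of re-read once a year.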

Common ISO 31000 Implementation Mistakes

Despite its flexibility, organisations often struggle with ISO 31000 due to:

  • Treating it as a once-a-year exercise: Risks become outdated and irrelevant
  • Copy-and-paste risk descriptions: Risks don't reflect actual organisational context
  • No link between risks and incidents: Lessons learned are not captured
  • Controls listed without proof of effectiveness: False sense of security
  • Poor alignment with operational data: Risk management disconnected from reality

These failures are cultural and operational—not framework flaws. ISO 31000 provides the structure; organisations must provide the discipline.

ISO 31000 in Practice (Real-World Use)

Organisations that apply ISO 31000 effectively:

  • Review risks quarterly or continuously rather than annually
  • Link risks to controls, incidents, and actions in an integrated system
  • Use dashboards instead of spreadsheets for real-time visibility
  • Treat risk data as management information that informs decisions

ISO 31000 works best when integrated into daily operations, not isolated in governance documents. This applies across industries—from mining operations to energy utilities.

Industry Applications

  • Oil & Gas: Process safety, asset integrity, environmental compliance
  • Energy & Utilities: Infrastructure reliability, grid security, climate transition
  • Manufacturing: Supply chain, quality, operational continuity
  • Mining: Health and safety, environmental impact, community relations
  • Healthcare: Clinical risk, patient safety, regulatory compliance
  • Public Sector: Service delivery, governance, accountability

ISO 31000 vs COSO ERM

ISO 31000 and COSO ERM are both widely used frameworks, but they serve different purposes:

  • Focus: ISO 31000 covers the risk process and principles; COSO ERM covers governance and strategy
  • Style: ISO 31000 is flexible and principle-based; COSO ERM is structured and component-based
  • Audience: ISO 31000 addresses operational and enterprise levels; COSO ERM addresses executives and the board
  • Strength: ISO 31000 offers flexibility and adaptability; COSO ERM offers strategy alignment
  • Certification: Neither framework is certifiable

Many organisations use the two together, applying ISO 31000 to operational execution and COSO ERM to governance. In South Africa, both frameworks often complement King IV governance requirements.

Key Takeaways

Summary

  • ISO 31000 provides principles, a framework, and a process for effective risk management
  • It is voluntary, not certifiable, and adaptable to any organisation or industry
  • The framework emphasises integration, stakeholder inclusion, and continual improvement
  • The risk management process includes context, identification, analysis, evaluation, treatment, and monitoring
  • Risk registers are tools that support the framework, not the framework itself
  • ISO 31000 works best when embedded into daily operations and decision-making

Frequently Asked Questions

Is ISO 31000 mandatory?

No. ISO 31000 is a voluntary international standard. However, it is widely recognised as best practice for risk management and is often referenced in regulatory frameworks, industry standards, and governance codes globally.

Is ISO 31000 certifiable?

No certification exists for ISO 31000. Unlike ISO 9001 or ISO 14001, organisations cannot be certified to ISO 31000. However, they can align their internal risk management frameworks to ISO 31000 principles and processes.

Which industries use ISO 31000?

ISO 31000 is used across all industries including oil and gas, mining, healthcare, manufacturing, energy and utilities, public sector, financial services, and construction. Its flexibility makes it adaptable to any organisation regardless of size or sector.

What is the difference between ISO 31000 and COSO ERM?

ISO 31000 focuses on risk management principles and processes applicable across all levels of an organisation, while COSO ERM emphasises governance, strategy alignment, and board-level oversight. Many organisations use the two together, applying ISO 31000 to operational execution and COSO ERM to governance.