If you have ever searched for a clear, structured way to manage risk in your organisation, you have almost certainly come across ISO 31000. It is the world's most widely referenced risk management standard, yet many people find it hard to pin down exactly what it says and how to use it. This guide gives you a plain-language explanation so you can decide whether ISO 31000 is the right starting point for your risk management journey.
What Is ISO 31000?
ISO 31000 is an international standard published by the International Organization for Standardization (ISO) that provides guidelines for managing risk. First released in 2009 and updated in 2018, its full title is ISO 31000:2018 — Risk management — Guidelines.
In simple terms, ISO 31000 answers three questions:
- Why should an organisation manage risk? (Principles)
- What structures and accountabilities does it need? (Framework)
- How does it actually identify, analyse, evaluate, and treat risk? (Process)
ISO 31000 is not a compliance checklist. It is a set of guidelines that any organisation can adapt to its own size, industry, and risk profile. There is no certification audit for ISO 31000 — you adopt its thinking rather than "pass" an assessment.
Guideline vs. Certification Standard
Unlike ISO 9001 (quality) or ISO 27001 (information security), ISO 31000 is a guidance standard. Organisations cannot be certified against it, but they can — and do — use it as the backbone of their enterprise risk management programs.
Who Is ISO 31000 For?
One of the strengths of ISO 31000 is its universality. It is designed for:
- Any industry — from financial services and healthcare to mining and the public sector
- Any organisation size — a five-person start-up or a multinational with thousands of employees
- Any type of risk — strategic, operational, financial, compliance, reputational, or project-level risks
- Any level of maturity — organisations just starting out or those refining an existing program
If your organisation makes decisions under uncertainty — and every organisation does — ISO 31000 is relevant to you.
The Three Layers of ISO 31000
ISO 31000 is built around three interconnected layers. Think of them as the why, what, and how of risk management:
| Layer | Purpose | Key Question |
|---|---|---|
| Principles | Define the values and qualities that effective risk management should embody | Why are we doing this? |
| Framework | Establish the structures, roles, and governance needed to embed risk management | What do we need in place? |
| Process | Set out the steps for identifying, assessing, treating, and monitoring risk | How do we do it day to day? |
Each layer supports the others. The principles guide the design of the framework, and the framework enables the process. If you skip a layer, the system breaks down: a rigorous process without the right framework leads to risk management in a vacuum, while a framework without clear principles becomes a bureaucratic exercise.
The Eight Principles
ISO 31000 states that effective risk management should be:
- Integrated — risk management is part of all organisational activities, not a separate silo or add-on function.
- Structured and comprehensive — a consistent, systematic approach produces reliable and comparable results.
- Customised — the framework and process are tailored to the organisation's external and internal context.
- Inclusive — stakeholders at every level are involved, bringing diverse knowledge and perspectives.
- Dynamic — risk management anticipates, detects, and responds to change in a timely way.
- Based on the best available information — decisions use historical data, current intelligence, expert judgement, and forward-looking analysis, while acknowledging limitations.
- Considers human and cultural factors — people's behaviour, biases, and the organisational culture influence every step of the process.
- Continually improved — the organisation learns from experience and adapts its approach over time.
These principles act as a compass. When you design your risk management program, or when you review how well it is working, you can check each decision against these eight qualities. For a deeper dive into each principle and how it works in practice, see the detailed ISO 31000 framework guide.
The Framework
The framework is the organisational scaffolding that makes risk management work. ISO 31000 describes it as a cycle with five components:
1. Leadership and Commitment
Senior leaders set the tone. They define risk appetite, allocate resources, and ensure risk management is embedded in governance and decision-making — not treated as a tick-box exercise.
2. Integration
Risk management should be woven into existing structures, processes, and culture. It is not a bolt-on activity but part of how the organisation operates.
3. Design
This involves understanding the organisation's context, defining roles and responsibilities, establishing communication channels, and selecting the right tools and methods. This is where you might decide to use a risk register and scoring criteria like likelihood and impact scales.
4. Implementation
Putting the design into action — rolling out training, building processes, deploying software, and beginning the day-to-day cycle of risk identification and treatment.
5. Evaluation and Improvement
Periodically review whether the framework is working. Are risks being identified early? Are treatments effective? Is the organisation learning? Use the findings to make improvements.
The framework is not a one-off project. It is a continuous cycle of design, implement, evaluate, and improve — much like the Plan-Do-Check-Act cycle used in quality management.
The Risk Management Process
The process is where the hands-on work happens. ISO 31000 defines six interconnected activities:
Communication and Consultation
This runs throughout the entire process. Stakeholders are informed, consulted, and involved at every stage so that diverse perspectives are captured and decisions are transparent.
Scope, Context, and Criteria
Before assessing risks, define what you are looking at (scope), the internal and external factors that influence risk (context), and the criteria you will use to evaluate significance (for example, a 5 × 5 likelihood and impact matrix).
Risk Assessment
This is the core analytical step, broken into three sub-steps:
- Risk identification — what could happen, why, and what are the consequences?
- Risk analysis — how likely is it, and how severe would the impact be? Consider both inherent and residual risk.
- Risk evaluation — compare results against your criteria to decide which risks need treatment.
Risk Treatment
Select and implement options to modify the risk. Common treatment strategies include avoiding, reducing, sharing (e.g. insurance), or accepting the risk. Each treatment becomes an action in your risk register.
Monitoring and Review
Track how risks evolve, whether treatments are working, and whether new risks have emerged. Effective monitoring turns your risk register into a living document rather than a snapshot.
Recording and Reporting
Document decisions, assumptions, and outcomes. Report to the right people at the right time — operational teams, management, the board, and external stakeholders as needed.
Putting It Together
Imagine a mid-sized manufacturer adopting ISO 31000 for the first time. They begin by defining scope (all operational risks across three plants), set criteria (a 5 × 5 matrix), identify 40 risks in workshops with frontline staff, analyse and evaluate each one, design treatments for the top 15, assign owners, and set up quarterly reviews. Six months in, they have already caught two emerging supply-chain risks that would previously have gone unnoticed.
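To make the process steps above concrete, the following is an added example (not code from the article, and not anything published by ISO) of a minimal risk register that applies a 5 × 5 likelihood and impact matrix, records inherent and residual scores, evaluates risks against agreed criteria, and supports the monitoring and reporting steps. The scales, rating bands, treatment threshold, quarterly review interval and all sample rows are constructed for illustration; a real organisation sets these in its own scope, context and criteria step.

```python
"""ISO 31000-style risk register: criteria, assessment, treatment, monitoring.

Added example, not code from the article. The 1..5 scales, rating bands,
treatment threshold and review interval are constructed criteria that an
organisation would agree in its own "scope, context and criteria" step.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SCALE = range(1, 6)                    # likelihood and impact are each scored 1..5
RATING_BANDS = (                       # constructed bands over the 1..25 product score
    (1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"),
)
TREATMENT_THRESHOLD = 10               # "High" or worse needs a treatment plan
REVIEW_INTERVAL = timedelta(days=90)   # quarterly review, as in the manufacturer scenario
TREATMENT_OPTIONS = {"avoid", "reduce", "share", "accept"}


def score(likelihood: int, impact: int) -> int:
    """Cell value of the 5 x 5 matrix; rejects values off the agreed scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood and impact must be 1..5, got {likelihood}/{impact}")
    return likelihood * impact


def rating(value: int) -> str:
    """Map a product score to its rating band."""
    for low, high, label in RATING_BANDS:
        if low <= value <= high:
            return label
    raise ValueError(f"score {value} is outside 1..25")


@dataclass
class Risk:
    """One row of the register. Residual values default to the inherent ones."""
    risk_id: str
    title: str
    owner: str
    inherent_likelihood: int
    inherent_impact: int
    treatment: str = "accept"
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    last_reviewed: Optional[str] = None   # ISO date, as exported from a spreadsheet

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")
        if self.residual_likelihood is None:
            self.residual_likelihood = self.inherent_likelihood
        if self.residual_impact is None:
            self.residual_impact = self.inherent_impact
        # A treatment may lower the score but must never claim to raise it.
        if self.residual_score() > self.inherent_score():
            raise ValueError(f"{self.risk_id}: residual score exceeds inherent score")

    def inherent_score(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)

    def residual_score(self) -> int:
        return score(self.residual_likelihood, self.residual_impact)


def evaluate(register, threshold=TREATMENT_THRESHOLD):
    """Risk evaluation: risks whose inherent score meets the criteria, highest first."""
    return sorted((r for r in register if r.inherent_score() >= threshold),
                  key=lambda r: (-r.inherent_score(), r.risk_id))


def untreated(register, threshold=TREATMENT_THRESHOLD):
    """Monitoring: risks still at or above the threshold after treatment."""
    return [r for r in evaluate(register, threshold) if r.residual_score() >= threshold]


def overdue_reviews(register, as_of: str, interval=REVIEW_INTERVAL):
    """Monitoring: risks never reviewed, or not reviewed within the interval."""
    today = date.fromisoformat(as_of)
    return [r for r in register
            if r.last_reviewed is None
            or today - date.fromisoformat(r.last_reviewed) > interval]


def summary(register):
    """Reporting: number of risks per residual rating band."""
    counts = {label: 0 for _, _, label in RATING_BANDS}
    for r in register:
        counts[rating(r.residual_score())] += 1
    return counts


def build_sample_register():
    """Constructed sample rows in the spirit of the three-plant manufacturer."""
    return [
        Risk("R1", "Single-source supplier for control boards", "Procurement",
             4, 4, "reduce", residual_likelihood=2, last_reviewed="2024-01-15"),
        Risk("R2", "Ransomware reaching the plant control network", "IT Security",
             3, 5, "reduce", last_reviewed="2024-03-01"),   # plan agreed, not yet implemented
        Risk("R3", "Fire in the plant 2 warehouse", "Facilities",
             2, 5, "share", residual_impact=3, last_reviewed="2024-04-10"),
        Risk("R4", "Minor forklift injuries", "Plant 1 Manager", 3, 2, "accept"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print("needs treatment:", [r.risk_id for r in evaluate(register)])
    print("still above threshold:", [r.risk_id for r in untreated(register)])
    print("overdue for review:", [r.risk_id for r in overdue_reviews(register, "2024-05-01")])
    print("residual ratings:", summary(register))
```

The design choice worth noting is that the criteria are data, not code: changing the rating bands, the threshold or the review interval changes the evaluation without touching the register rows, which is what lets the same register be re-evaluated after each review cycle. The validation in `Risk.__post_init__` catches the two recording errors that most often corrupt a register: scores off the agreed scale, and a residual score that is "better" than the treatment could justify.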
How ISO 31000 Differs From Other Standards
ISO 31000 is not the only risk management framework available. Two other widely used frameworks are COSO ERM and King IV. Here is how they compare at a high level:
| Feature | ISO 31000 | COSO ERM | King IV |
|---|---|---|---|
| Origin | International (ISO) | United States (COSO) | South Africa (IoDSA) |
| Focus | General risk management guidelines | Enterprise risk integrated with strategy and performance | Corporate governance including risk governance |
| Certification | No | No | No (apply-and-explain) |
| Applicability | Any organisation, any size | Primarily larger organisations | Listed companies and public entities in South Africa |
| Structure | Principles, framework, process | Five components, 20 principles | Governance outcomes, principles, practices |
Each framework has its strengths. Many organisations use ISO 31000 as the foundation and layer in elements from COSO ERM (for strategy alignment) or King IV (for governance requirements). They are complementary rather than competing. For a more detailed comparison, see the in-depth ISO 31000 guide.
How to Get Started With ISO 31000
You do not need to implement everything at once. Here is a practical path for organisations new to ISO 31000:
- Understand your context — map out the external and internal factors that influence your organisation's risks. Regulatory requirements, market conditions, culture, and strategy all matter.
- Get leadership buy-in — the framework will not take hold without visible support from the top. Make the case in terms of better decisions, fewer surprises, and stronger governance.
- Start with a risk register — create a simple risk register that captures your most important risks, their likelihood, impact, owners, and treatment actions. A step-by-step guide such as one on how to create a risk register can walk you through the first version.
- Define scoring criteria — agree on consistent scales for likelihood and impact scoring so everyone evaluates risk the same way.
- Run your first cycle — identify, analyse, evaluate, and treat a manageable set of risks. Review and improve after three to six months.
- Expand and mature — add more risk categories, involve more stakeholders, integrate with strategic planning, and move from spreadsheets to purpose-built software when the time is right.
The goal is progress, not perfection. ISO 31000 itself says that risk management should be continually improved — your first version will not be your final version, and that is exactly as it should be.
Summary
- ISO 31000 is an international guideline for risk management — it is not a certification standard
- It applies to any organisation, regardless of size, industry, or sector
- The standard is built on three layers: principles (why), framework (what), and process (how)
- Eight principles define what good risk management looks like, from integration to continual improvement
- The risk management process covers communication, context setting, assessment, treatment, monitoring, and reporting
- ISO 31000 complements other frameworks like COSO ERM and King IV rather than replacing them
- Start simple — a basic risk register and consistent scoring criteria are enough to get meaningful value
Frequently Asked Questions
Is ISO 31000 a legal requirement?
No. ISO 31000 is a voluntary guidance standard. However, some regulations and governance codes reference it or require risk management practices that align closely with its recommendations.
Can my organisation get ISO 31000 certified?
No. There is no certification scheme for ISO 31000. It is a set of guidelines, not a requirements standard. Individual risk management professionals can earn ISO 31000-aligned certifications, but organisations adopt the standard rather than certify against it.
What is the difference between ISO 31000 and ISO 31010?
ISO 31000 provides the overall principles, framework, and process for risk management. ISO 31010 is a companion standard that offers guidance on specific risk assessment techniques — such as brainstorming, bow-tie analysis, failure mode analysis, and Monte Carlo simulation. Think of ISO 31000 as the "what and why" and ISO 31010 as the "how to assess" toolkit.
How long does it take to implement ISO 31000?
There is no fixed timeline because ISO 31000 is not a pass-or-fail standard. A small organisation can set up a basic risk register and start applying the process within a few weeks. A larger organisation may spend six to twelve months embedding the framework across departments and building the supporting culture.

