
Understanding risk management

Business risks take many forms, and organisations of every size and industry face a mix of internal and external risks. Whatever form they take, they can affect operational efficiency, financial position, brand reputation, health and safety, and the environment, and so ultimately the organisation's ability to achieve its objectives.

To identify and mitigate these risks, businesses need guidelines from which to build the strategies and policies that protect business continuity.

What is ISO 31000?

ISO 31000 Risk management - Guidelines is the international Standard for risk management, published by the International Organization for Standardization. It provides a generic approach to risk management, with principles and guidelines for anyone who manages risk in an organisation, not only professional risk managers.

Effective use of this Standard requires implementation throughout all business processes, from strategy and planning to continued management and reporting. 

5 ISO 31000 risk management framework components 

The ISO 31000 framework works as a cycle, with leadership and commitment at its centre. Its 5 components help an organisation establish, maintain and improve risk management in any business.

Integration

Integrating risk management looks different for each organisation. It is a dynamic process that must be customised to suit specific needs, with everyone responsible for playing their part in managing risk. Risk management needs to work alongside operations, strategies and objectives rather than being treated as a separate function, with accountability and specific roles clearly defined.

Design

The design component of ISO 31000 covers 5 areas:

  1. Understanding the organisation and its context.
  2. Articulating risk management commitment.
  3. Assigning roles and responsibilities.
  4. Allocating resources.
  5. Establishing communication and consultation.

Implementation

Successfully implementing the risk management framework requires an organisation to: define timelines and resources within its plan; identify how decisions are made and who is responsible for them at each level of the organisation; accept that the decision-making process may need to change where necessary; and ensure that the strategies and arrangements for managing risk are understood by every stakeholder and actively practised.

Evaluation

It may seem that, once the risk management framework is established, it will keep working to the organisation's benefit on its own. This is rarely the case. Continual assessment is needed to evaluate the framework's effectiveness, measuring the performance of the plan against its intended purpose and expectations. This step helps an organisation understand whether the framework still supports its objectives.

Improvement

Continuing to monitor the organisation's internal and external environments helps identify gaps in, or opportunities to improve, the current risk management framework. Even a plan that seems comprehensive when established can be overtaken by new, unexpected risks in a dynamic environment.

11 ISO 31000 risk management principles 

There are 11 guiding principles within ISO 31000. Implementing them promotes a safer, more resilient organisation. (These 11 principles are those of the 2009 edition; the 2018 revision consolidates them into 8 principles, with value creation and protection stated as the purpose of risk management.) The Standard states that risk management:

  1. Creates and protects value. 
  2. Is an integral part of all organisational processes. 
  3. Is part of decision making. 
  4. Explicitly addresses uncertainty. 
  5. Is systematic, structured and timely. 
  6. Is based on the best available information. 
  7. Is tailored. 
  8. Takes human and cultural factors into account. 
  9. Is transparent and inclusive. 
  10. Is dynamic, iterative and responsive to change. 
  11. Facilitates continual improvement of the organisation. 

Types of risks 

A traditional view of risk involves the threat of danger, generally in the form of injury or loss. ISO 31000 shifts this view by defining risk as the effect of uncertainty on objectives: the focus is on the uncertainty of an environment rather than on a negative outcome, so the effect may be positive as well as negative and the potential for opportunities is included.

One common way of classifying risks uses 3 categories:

  1. Hazard risks, relating to events that result in negative outcomes.
  2. Control risks, relating to events whose outcomes are uncertain.
  3. Opportunity risks, relating to events that result in positive outcomes.
