ISO 31000:2018 provides principles, a framework and a process for managing risk.

ISO 31000 provides guidelines on managing the risk faced by organizations; the application of these guidelines can be customized to any organization and its context. ISO 31000 provides a common approach to managing any type of risk and is not industry or sector specific. ISO 31000 can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.


  • Preparing for and responding to negative events, from the predictable to the unforeseen, from the mundane to the catastrophic, has become a fact of life for businesses and governments around the world.
  • Tackling these risks requires an integrated and holistic framework with the capability to identify, evaluate and adequately define responses to the circumstances.
  • This holistic approach gives organizations a better framework for mitigating risk while advancing their goals and opportunities in the face of business threats.


  • Integrating risk management into an organization’s activities and decision-making.
  • Taking a structured and comprehensive approach.
  • Customizing for an organization’s needs and objectives.
  • Including stakeholder perspectives.
  • Being dynamic and responsive to organizational changes.
  • Taking human and cultural factors into account.
  • Learning and adapting for continual improvement.


  • Is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
  • Is part of governance and leadership.
  • Is part of all activities associated with an organization and includes interaction with stakeholders.
  • Considers the external and internal context of the organization.
  • Is based on the principles, framework and process.

WHY ISO 31000?

  • Risk is a necessary part of doing business, and in a world where enormous amounts of data are being processed at increasingly rapid rates, identifying and mitigating risks is a challenge for any company.
  • Many contracts and insurance agreements require solid evidence of good risk management practice.
  • ISO 31000 provides direction on how companies can integrate risk-based decision making into an organization’s governance, planning, management, reporting, policies, values and culture.


Step 1: Define Risk Management Principles

Step 2: Develop Risk Management Framework

Step 3: Establish Risk Management Process

Step 4: Communication and Consultation

Step 5: Establish the Context

Step 6: Perform Risk Assessment

Step 7: Risk Treatment

Step 8: Monitor and Review Risk Management Process

Step 9: Recording and Reporting Outcomes


ISO 31000 is organized around 11 management principles. A management principle is a fundamental idea, rule or truth about a subject. The ISO 31000 risk principles serve as the guideline, method, logic, design and implementation basis for the risk management framework and its process.

ISO 31000 does not specify how the principles are to be used to design, implement and assure a risk management process. ISO 31000 expects an organization to apply and tailor these principles to its organizational context. As a guidance document, ISO 31000 is applicable to all organizations and may be used with any product or service.

The eleven risk management principles are as follows:

  • Risk management establishes and sustains value.
  • Risk management is an integral part of all organizational processes.
  • Risk management is part of decision making.
  • Risk management explicitly addresses uncertainty.
  • Risk management is systematic, structured and timely.
  • Risk management is based on the best available information.
  • Risk management is tailored.
  • Risk management takes human and cultural factors into account.
  • Risk management is transparent and inclusive.
  • Risk management is dynamic, iterative and responsive to change.
  • Risk management facilitates continual improvement of the organization.

Many of us think of "shall" clauses as the basis for the design of a process or for demonstrating compliance. ISO 31000 is different. It is more principles based and more discretionary. It requires deep knowledge of risk management and of the organizational context.

The decision to implement a risk management framework based on ISO 31000 is often a very simple one, as the benefits are well documented. By following a structured and effective methodology, an organization can be sure to cover all the minimum practices required for the implementation of a risk management programme.

There is no single blueprint for implementing ISO 31000 that will work for every company, but there are some common steps that will allow you to balance the often-conflicting requirements and prepare you for a successful certification audit.

Should you have any alternative questions, please feel free to mail us at
Start your Certification process today by downloading and completing this questionnaire.
We help businesses become more successful, not just more compliant.

ISOQAR Africa offers certification services to ISO standards on behalf of Alcumus ISOQAR Limited, based in the UK.

