ISO 31000 with its version of 2009 defines the principles and general guidelines for risk management. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment. However, ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programmes. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

Related Standards

  • ISO Guide 73:2009, Risk management – Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
  • ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk assessment. Risk assessment helps decision makers understand the risks that could affect the achievement of objectives as well as the adequacy of the controls already in place. ISO/IEC 31010:2009 focuses on risk assessment concepts, processes and the selection of risk assessment techniques.

ISO 31000:2009 is not intended for certification purposes.

The standard applies to assessing and managing risks in business planning, project management and other activities such as information security management, management of health and safety, environmental management, risk assessment endpoints and other activities that there is a need to standardize the process.

The philosophy and basic principles of this standard is enshrined standard for risk management AS / NZS 4360:2004 to the joint standards body in Australia and New Zealand.

International standard ISO 31000 recommends that organizations develop, implement and continuously improve the framework, which aims to integrate the process of risk management in the overall management of the organization strategy and planning, management, accounting processes, policies, values and culture of the organization. Risk management can be applied to the entire organization or some of its areas of action for all or only some levels of government, at any time and for specific functions, projects or activities. In identifying, evaluating and managing risks, organizations continuously communicate and consult with stakeholders.

Risk Principles:

  • Risk management creates value and protect;
  • Risk management is an integral part of all organizational processes;
  • Risk management is part of the process of decision making;
  • Risk management is directed against uncertainty;
  • Risk management is a systematic, structured and timely manner;
  • Risk management is based on best available information;
  • Risk management is tailored to the organization;
  • Risk management into account human and cultural factors;
  • Risk management is transparent and inclusive;
  • Risk management is dynamic, repetitive and corresponding changes;
  • Risk management facilitates continuous improvement of the organization.

The process of risk management must be:

  • Integral part of the overall management of operations;
  • Built in the culture and practices of the organization;
  • Consistent with the organization business processes.
  • Optimization and improvement process that evolve with the development of corporate governance culture.


  • Risk avoidance, by deciding not to initiate or continue any activity that poses a risk;
  • Accept or even increase the risk to benefit a good (albeit risky) opportunity (by defining mechanisms to monitor and control risk);
  • Remove the source of risk (when assessed risks can not be managed adequately);
  • Change the likelihood of risk;
  • Change the effects of event risk;
  • Sharing risk with another party or parties (using the resources of selected partners for risk management when it is effective for the organization);
  • Retention of risk informed decision (by defining mechanisms to monitor and control risk).