CORPORATE RISK ESSENTIALS
ISO 31000:2018 RISK MANAGEMENT GUIDELINES
ISO 31000:2018 is a document designed for use by people who create and protect value in organisations by managing risks, making decisions, setting and achieving objectives and improving performance.
Organisations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
Managing risk is part of governance and leadership, and is fundamental to how the organisation is managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organisation and includes interaction with stakeholders.
Managing risk considers the external and internal context of the organisation, including human behaviour and cultural factors.
Managing risk is based on the principles, framework and process outlined in ISO 31000, as illustrated in this diagram. These components might already exist in full or in part within the organisation; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
Principles
The 8 Risk Management Principles
Integrated. Risk management is an integral part of all organisational activities.
Structured and comprehensive. A structured and comprehensive approach to risk management contributes to consistent and comparable results.
Customised. The risk management framework and process are customised and proportionate to the organisation’s external and internal context related to its objectives.
Inclusive. Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
Dynamic. Risks can emerge, change or disappear as an organisation’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
Best available information. The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
Human and cultural factors. Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
Continual improvement. Risk management is continually improved through learning and experience.
Framework
The 6 Framework Components
Leadership and commitment. Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organisational activities and should demonstrate leadership and commitment.
Integration. Integrating risk management relies on an understanding of organisational structures and context. Structures differ depending on the organisation’s purpose, goals and complexity. Risk is managed in every part of the organisation’s structure. Everyone in an organisation has responsibility for managing risk.
Design. When designing the framework for managing risk, the organisation should examine and understand its external and internal context.
Implementation. Successful implementation of the framework requires the engagement and awareness of stakeholders. This enables organisations to explicitly address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises.
Evaluation. In order to evaluate the effectiveness of the risk management framework, the organisation should periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour.
Improvement. The organisation should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
Process
The 6 Elements of the Risk Management Process
The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
The risk management process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, programme or project levels.
There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
The dynamic and variable nature of human behaviour and culture should be considered throughout the risk management process.
Although the risk management process is often presented as sequential, in practice it is iterative.