ISO 31000:2009 for risk management – in 3 minutes

Title/current version
ISO 31000:2009 Standard for Risk Management

The basics
ISO 31000:2009 comprises principles, a framework and a process for the management of risk that is applicable to any type of organization in the public or private sector.

ISO 31000:2009 provides guidance on the implementation of risk management. It was first published as a standard in November 2009, and is owned by the International Standards Organization (ISO).

The ISO 31000 family includes:
• ISO 31000:2009 – Principles and Guidelines on Implementation
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• ISO Guide 73:2009 – Risk Management – Vocabulary

ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives. ISO 31000:2009 comprises three building blocks (see Figure).

The First Building Block, the Risk Management Infrastructure, states that risk management should contain the following principles:

• Creates value
• Integral part of organizational processes
• Part of decision-making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored to the organization
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement of the organization

The Second Building Block, the Risk Management Framework, is about creating the right risk framework through management commitment. Once commitment is established, there is a cycle of actions that include the following steps:

1. Design
2. Implementation
3. Monitoring and review
4. Continual improvement

The Third Building Block, the Risk Management Process, was originally adopted from the standard AS/NZS 4360:2004, which ensures that communication and monitoring are carried out throughout the process.

Target audience
Business managers, risk management officers, CIOs and information security officers.

Figure: Building blocks of ISO 31000:2009

Scope and constraints
ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

ISO 31000:2009 is a concise and well-written standard that reflects current international thinking. This is a very positive development in the risk management standards landscape.

However, a constraint is that the standard still has to prove itself. At present, there are not many actual implementations in