ISO 31000:2018 Certification Service

ISO 31000 provides principles and generic guidelines to assist organizations in establishing, implementing, operating, maintaining and continually improving their risk management framework.

It is not specific to any industry or sector, so it can be used by any public, private or community enterprise, association, group or individual. This standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

This standard is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

ISO 31000 is organized into the following main clauses:

Clause 3: Principles

Clause 4: Framework

Clause 5: Process

Each of these key activities is listed below.

Clause 3: Principles of risk management 

In order to have an effective risk management, an organization has to comply with these 11 principles.

1. Risk management creates and protects value;
2. Risk management is an integral part of all organizational processes;
3. Risk management is part of decision making;
4. Risk management explicitly addresses uncertainty;
5. Risk management is systematic, structured and timely;
6. Risk management is based on the best available information;
7. Risk management is tailored;
8. Risk management takes human and cultural factors into account;
9. Risk management is transparent and inclusive;
10. Risk management is dynamic, iterative and responsive to change;
11. Risk management facilitates continual improvement of the organization.

Clause 4: Framework 

ISO 31000 states that the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements what will embed it throughout the organization at all levels.

The framework:

• assists in managing risks effectively through the application of the risk management process;
• ensures that information about risk derived from the risk management process is adequately reported; and
• ensures that these information is used as a basis for decision making and accountability at all relevant organizational levels.

This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner.

Design of framework for managing risk: Before the implementation, the organization must design a framework for managing risk. This includes:

•  Understanding of the organization and its context
•  Establishing risk management policy
•  Ensuring accountability, authority and appropriate competence for risk management
•  Integrating risk management into organizational processes
•  Allocating appropriate resources
•  Establishing internal and external communication and reporting mechanisms

ISO 31000 states that the success of risk management will depend on the effectiveness of the management 

•  The risk management process should be:

1. An integral part of management;
2. Embedded in the culture and practices;
3. Tailored to the business processes of the organization.

•  Risk management process comprises the following activities: