ISO 31000: A Risk Management Framework


The ISO (International Organization for Standardization) Standards are a set of international standards that give world-class specifications for products, services, and systems in order to ensure quality, efficiency, and safety (ISO, 2015). ISO 31000:2009 provides principles and generic guidelines on risk management (ISO, 2009). This standard can be applied throughout the life of any organization: public, private, or community enterprise, and to a wide range of activities including strategies and decisions, operations, processes, functions, projects, products, services, and assets (ISO, 2009). 

Our ISO 31000: A Risk Management Framework model provides guidance for audits and helps organizations align with international standards of risk management. This model consists of these steps:

  1. Rate your organization’s current level of compliance with each of the principles in areas such as understanding your organization’s context, establishing a risk management policy, and integrating risk management into organizational processes.
  2. Display results and discuss alignment.
  3. Develop an action plan to address the areas of noncompliance.
  4. Monitor and review your organization’s risk management performance to identify strategies to improve your risk management maturity.


This model can be used by business unit heads, directors of all departments, and managers in all departments.


Risk is involved in all activities of all organizations, and as such, all organizations should have risk management measures in place. The adoption of consistent processes within a comprehensive framework laid out by ISO 31000 helps to ensure that risk management is effective, efficient, and coherent across the entire organization.

The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent, and credible manner and within any scope and context (ISO, 2009). Organizations with an effective implementation of ISO 31000 have the advantage of a risk management process tightly integrated with their decision-making process and thus are able to perform well in an environment full of uncertainty (Wanson, n.d.).


1) RATE your organization’s level of compliance with each of the ISO 31000 guidelines. In the comments section, provide the rationale for your rating and identify the gaps and/or improvement plans of which you’re aware.


2) DISPLAY RESULTS and discuss alignment.


3) ACTION PLAN: Develop an action plan to resolve areas of noncompliance.

Use this model to periodically review your organization’s risk management efforts and develop action plans for continual improvement.

Note that the focus of this model is on clauses 4.3-4.6 since clauses 4.1 and 4.2 are for informative purposes only. Clause 5 of the standard deals with the actual risk management process for which you can use the Risk Identification and Assessment model.


  • Identification of noncompliant areas in ISO standards and a shared understanding of the gaps
  • Action plan to resolve the gaps between current practice and ISO 31000 standards
  • Collective and informed decisions on how to improve your risk management framework, policy, and plan


This exercise will enable:

Quality – Continually improve your organization’s management of risk and risk management culture (ISO, 2009).

Efficiency – Save time, effort, and money by developing a consistent risk framework that can be used across the organization.

Engagement – Engage a diverse set of relevant stakeholders for deeper perspectives and richer insight.

Agility – Encourage proactive risk management in your organization and improve operational effectiveness and efficiency (ISO, 2009).



International Organization for Standardization. (2009). Risk management – Principles and guidelines (ISO Standard No. 31000). Retrieved from

International Organization for Standardization. (2015). ISO in brief. Retrieved from

Wanson, P. (n.d.). Why ISO 31000 is important to organizations nowadays? Retrieved from