ISO 31000-2018 PDF

St ISO 31000-2018

Name in English:
St ISO 31000-2018

Name in Russian:
Ст ISO 31000-2018

Description in English:

Original ISO 31000-2018 standard in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso14675

Price:
€25

Full title and description

ISO 31000:2018 — Risk management — Guidelines. An international standard providing principles, framework and generic guidelines for managing risk applicable to any organization, regardless of size, industry or sector; intended to help organizations increase the likelihood of achieving objectives, improve identification of opportunities and threats, and inform decision-making at all levels.

Abstract

ISO 31000:2018 describes a structured approach to risk management that can be customized to an organization’s context. It covers principles for effective risk management, the components of a risk management framework and the risk management process (identification, analysis, evaluation, treatment, monitoring, communication and consultation). The guidance is non-sector-specific and is intended for use across the life of the organization and in decision-making at all levels.

General information

  • Status: Published (current international standard).
  • Publication date: February 2018 (14 February 2018 / 2018-02).
  • Publisher: International Organization for Standardization (ISO).
  • ICS / categories: 03.100.01 — Company organization and management in general.
  • Edition / version: Edition 2 (ISO 31000:2018), superseding ISO 31000:2009.
  • Number of pages: 16 pages for the ISO edition (note: some national/adopted publications incorporate national forewords or additional material and show longer page counts, e.g., some national versions list 26 pages).

Scope

Provides guidelines for managing risk faced by organizations. The recommendations are generic and intended to be tailored to the organization’s external and internal context; applicable to any type of risk and any type of organization, and across organizational activities including strategic planning and operations. ISO 31000 is guidance (not a certifiable management system requirement) and is intended to inform internal and external audit programmes and organizational risk practices.

Key topics and requirements

  • Principles of effective risk management (e.g., integrated, structured and comprehensive, customized, inclusive, dynamic, best available information, human and cultural factors, continual improvement).
  • Risk management framework components: leadership and commitment, integration into governance, design of framework, implementation, evaluation and continual improvement.
  • Risk management process: establishing context; risk identification; risk analysis; risk evaluation; risk treatment; plus communication, consultation, monitoring and review.
  • Guidance on establishing and using risk criteria, and on tailoring methods and techniques to the organization’s needs (qualitative, semi-quantitative or quantitative approaches).
  • Clarification that ISO 31000 provides guidance only and is not intended for certification; it serves as a benchmark and reference for internal/external assessments.

Typical use and users

Used by executives, risk managers, audit and compliance functions, project managers, consultants and anyone responsible for governance and decision-making who needs a consistent, organization-wide approach to risk. Applicable to private, public and non-profit organizations across industries for strategic, operational, financial, safety, environmental, information/cyber and project risk contexts.

Related standards

ISO 31000 is part of a family of risk-management guidance and supporting documents, including ISO 31073:2022 (vocabulary), ISO/IEC 31010 (risk assessment techniques), ISO/TR 31004 (guidance for implementation), and other sector/regional adaptations and guidance documents. These linked standards provide vocabulary, detailed assessment techniques and implementation advice that complement ISO 31000.

Keywords

risk management; risk assessment; risk treatment; risk criteria; governance; ISO/TC 262; framework; risk process; opportunities; threats; continual improvement.

FAQ

Q: What is this standard?

A: ISO 31000:2018 is an international guideline standard that sets out principles, a framework and a process for managing risk across organizations; it is intended as guidance rather than a certifiable management system.

Q: What does it cover?

A: It covers risk management principles, the components of a risk management framework and the risk management process (establishing context, identification, analysis, evaluation, treatment, monitoring, communication). It also offers guidance on tailoring methods and choosing appropriate assessment techniques.

Q: Who typically uses it?

A: Leaders, boards, risk and compliance professionals, operational managers, project teams and consultants across public, private and non-profit sectors who need a consistent, organization-wide approach to risk.

Q: Is it current or superseded?

A: ISO 31000:2018 is the current ISO edition, published in February 2018, and supersedes ISO 31000:2009. The ISO record notes the edition and the review lifecycle for standards; ISO 31000 is guidance and will be subject to periodic review.

Q: Is it part of a series?

A: Yes — ISO 31000 is supported by related documents in the ISO risk management family, notably ISO 31073:2022 (vocabulary), ISO/IEC 31010 (risk assessment techniques) and ISO/TR 31004 (implementation guidance), among others. These provide complementary vocabulary, techniques and implementation advice.

Q: What are the key keywords?

A: Risk management, risk assessment, risk treatment, framework, governance, risk criteria, monitoring, ISO/TC 262.