The Requirements of ISO 31000
By Kimberley Riccio, eHow Contributor
International Organization for Standardization's ISO 31000 is a list of standards relating to an
organization's risk management program. The standard guides, instructs and requires organizations to build
a foundation and framework for a risk management program. The foundation includes policies, objectives
and commitment to establish an organization-wide risk management program. The framework includes the
plans, employee accountability, processes and activities used to manage the risk within the operations of
the company. The purpose of the standards is to provide the organization with principles and guidelines for
their in-house risk management program. The ISO 31000 includes guidelines on the implementation of the
program, assessment techniques and terminology.
Creating Plans and Activities
o The ISO 31000 requires an organization to establish a recurring risk management
program. The standard aids the organization in exploring all options relating to risk
treatment plans, framework and processes. The standard instructs an organization on how
to establish a risk treatment process and what options are available. The program requires
establishment of risk analysis processes, solutions and treatment plans, and continuous
o The ISO 31000 requires implementing the risk management program's plans and processes.
The standard provides guidelines for the implementation. Those guidelines include
documentation needed for risk treatment plans and how to carry out a treatment
Monitoring and Reviews
o ISO 31000 requires the organization to review and monitor its risk management program.
The standard guides the organization through the review process. The review process
includes accountability, the framework and integration of the plan, the process and
analysis activities and the solutions to reduce the organization's risk. The standard also
instructs how to record the review and monitoring status and results, as well as how to
report those findings.
The Basics of ISO 31000 – Risk Management
by Courtney Bowers on 1/19/2011 9:00 AM
Category: Holistic Business Continuity; Risk Management; Current Events
After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk
management released ISO 31000:2009, Risk Management – Principles and Guidelines in November of
2009. The authors designed the standard to be applicable for any organization and any risk type, but, unlike
the familiar ISO quality standards, ISO 31000 is not certifiable.
For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be
easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard. If
your organization adopted the AS/NZS standard, the transition to ISO 31000 should be relatively seamless.
Further, the auxiliary document, Risk Management Guidelines Companion to AS/NZS 4360:2004, provides
guidance on the design and implementation of risk assessment and management techniques. Similarly,
ISO/IEC 31010:2009 is the auxiliary document that supports the new ISO 31000 standard.
For those unfamiliar with the AS/NZS standard, or those unfamiliar with a formal, structured risk
management process, the remainder of this article will discuss the structure and key elements of ISO
The two primary components of the ISO 31000 risk management process are:
The Framework, which guides the overall structure and operation of risk management across an
The Process, which describes the actual method of identifying, analyzing, and treating risks.
The ISO 31000 Framework mirrors the plan, do, check, act (PDCA) cycle, which is common to all
management system designs. The standard states, however, that, “This Framework is not intended to
prescribe a management system, but rather to assist the organization to integrate risk management into its
overall management system”. This statement should encourage organizations to be flexible in incorporating
elements of the framework as needed.
Major elements of the Framework include:
o Policy and Governance: provides the mandate and demonstrates the commitment of the organization
o Design of the overall Framework for managing risk on an ongoing basis
o Implementing the risk management structure and program
o Monitoring and Review: oversight of the management system structure and performance
o Improvements to the performance of the overall management system
Organizations, particularly those without a prior familiarity with management systems, should prepare to
spend considerable time establishing a robust framework and avoid the urge to dive directly into the risk
assessment process. Process design is an important step because the Framework provides the stability and
continuity to assist in establishing a program as opposed to just executing a project.
Key elements that organizations should not overlook include:
Establishing management commitment both during the implementation and on a long-term basis,
o Development and approval of a formal policy
o Identification and allocation of needed resources, including sufficient expertise and
budget to sustain the program
o Establishment of a regular review cycle to maintain program visibility to management
and motivate all participants
Developing a program that works within the organization, its culture and environment, including:
o Understanding the external forces – industry trends, regulatory requirements, and
expectations of key external stakeholders
o Understanding the internal forces – existing governance, organizational structure, culture,
and organizational capabilities
The extent to which an organization considers and implements any of these elements is dependent on the
organizational purpose and needs. The goal is a visible, adequately-equipped program that is compatible
with the organization’s culture and objectives and sustainable for the long-term.
After establishing the risk management Framework, an organization is ready to develop the Process. The
Process, as defined by ISO 31000, is “multi-step and iterative; designed to identify and analyze risks in the
Major elements of the Process, as seen in the diagram below, include:
o Communication and consultation with all stakeholders
o Establishing the context
o Risk identification
o Risk analysis
o Risk evaluation
o Risk treatment
o Similar to the Framework, regular monitoring and review are required
As noted in the diagram above, the first and third activities should occur regularly during the risk
assessment Process. Early in the Process, regular communication is critical to understanding stakeholders’
interests and concerns, thus validating the focus of the Process. At later stages, regular communication
helps convey the rationale behind decisions and why the organization needs certain risk treatments. In
addition, regular oversight ensures that the organization addresses changes in the risk environment and
processes and that controls operate effectively. Together, these activities ensure that all stakeholders clearly
understand expectations and that the organization addresses change as quickly as possible.
The actual process of assessing risks first requires definition of what ISO 31000 calls the “context”. The
context is a combination of the external and internal environments, both viewed in relation to
organizational objectives and strategies. The context setting process begins during the Framework phase
with the examination of the organization’s internal and external environments, but management should
continue this assessment in greater detail here and focus on the scope of the particular risk management
The remaining assessment steps involve developing techniques to identify, analyze, and evaluate specific
risks. While multiple documented methods and techniques exist, all should include the following key
o Identification of the sources of a particular risk, areas of impacts, and potential events
including their causes and consequences
o Classification of the source as internal or external
o Identification of potential consequences and factors that affect the consequences
o Assessment of the likelihood
o Identification and evaluation of the controls currently in place
o Comparison of the identified risks to the established risk criteria
o Decisions made to treat or accept risks with consideration of internal, legal, regulatory
and external party requirements
Those interested in each of the risk assessment techniques and methods should consult ISO/IEC 31010, the
supporting auxiliary document mentioned earlier. Of note, the complexity of methods and the extent of
analysis required are highly dependent on the nature of the organization, and management should consult
with all stakeholders when developing an appropriate approach.
Overall, management should develop and implement risk treatments to reduce residual risks to levels
acceptable to key stakeholders and monitor/adjust to ensure efficiency and effectiveness.
Relationship to ASIS SPC.1-2009 and Business Continuity
The release of both ISO 31000 and the ASIS SPC.1 Organizational Risk standard in such close proximity
to each other raised several questions. Since both are management systems-based, should the industry view
them as equivalent or interchangeable? How do they relate to business continuity? And which, if either, is a
sound basis for Enterprise Risk Management (ERM)?
While both standards leverage the management systems processes and describe a similar process structure,
SPC.1 presents a somewhat more limited scope, defining Organizational Resilience in terms of security,
preparedness and continuity while ISO 31000 maintains a broader – perhaps more strategic – focus.
Regarding business continuity, it is just one of the many risk treatments that would comprise a more
strategic risk management program espoused by ISO 31000. As a result, business continuity should be
viewed as a sub-component of the risk management program described in ISO 31000 because it addresses
one specific risk (process, resource and technology availability).
Overall, the risk management principles and processes described in ISO 31000 and supported by the
guidance of ISO/IEC 31010 provide a robust system that allows an organization to design and implement a
repeatable, proactive and strategic program. The design of specific program elements is highly dependent
on the goals, resources, and circumstances of the individual organization. Regardless of the level of
implementation, management involvement in setting direction and regularly reviewing results should be a
part of every program, which will not only elevate the management of risk, but also ensure an appropriate
treatment of risk based on organizational objectives and long-term strategies.
Glen Bricker, Managing Consultant
Avalution Consulting: Business Continuity Consulting