Risk – ISO 31000:2018

ISO 31000:2018, Risk Management – Guidelines, has been published. This second edition standard states that the purpose of risk management is the creation and protection of value. It improves performance, encourages innovation, and supports the achievement of objectives.

According to ISO 31000:2018, its main changes from ISO 31000:2009 are:

  • Review of the principles of risk management, which are the key criteria for its success;
  • Highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization;
  • Greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge, and analysis can lead to a revision of process elements, actions, and controls at each stage of the process;
  • Streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts.

Note that clause 2 was added for Normative References, but none are listed. The addition of this clause caused the remaining clauses to be re-numbered.

Clause 3: Terms and Definitions

The total number of definitions was reduced from 29 to the eight most relevant to risk management. The definition of Risk remains the “effect of uncertainty on objectives”. However, the Notes under that definition have been revised:

Note 1: An effect is a deviation from the expected. It can be positive, negative, or both, and can address, create, or result in opportunities and threats.

Note 2: Objectives can have different aspects and categories and can be applied at different levels.

Note 3: Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

Clause 4: Principles

The eleven risk management principles in ISO 31000:2009 have been simplified to these eight risk management principles in ISO 31000:2018:

1. Risk management is an integral part of all organizational activities.

2. A structured and comprehensive approach to risk management contributes to consistent and comparable results.

3. The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.

4. Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered, resulting in improved awareness and informed risk management.

5. Risks can emerge, change, or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges, and responds to those changes and events in an appropriate and timely manner.

6. The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly considers any limitations and uncertainties associated with such information and expectations.

7. Human behavior and culture significantly influence all aspects of risk management at each level and stage.

8. Risk management is continually improved through learning and experience.

Clause 5: Framework

The Framework sections have been revised with different numbering, updated titles, and changed content. Sub-clause 5.3 on Integration is new.

5.1 General
5.2 Leadership and commitment
5.3 Integration
5.4 Design
5.4.1 Understanding the organization and its context
5.4.2 Articulating risk management commitment
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
5.4.4 Allocating resources
5.4.5 Establishing communication and consultation
5.5 Implementation
5.6 Evaluation
5.7 Improvement
5.7.1 Adapting
5.7.2 Continually improving

Clause 5.3: Integration

ISO 31000:2018 states that integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization’s purpose, goals, and complexity. Risk is managed in every part of the organization’s structure. Everyone in an organization has responsibility for managing risk.

Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve desired levels of sustainable performance and long-term viability. Determining risk management accountability and oversight roles within an organization is an integral part of the organization’s governance.

Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives, and operations.

Clause 6: Process

Some of the Process sections have been renamed. All but one of the sub-clauses have revised content.

6.1 General
6.2 Communication and consultation
6.3 Scope, context and criteria
6.3.1 General
6.3.2 Defining the scope
6.3.3 External and internal context
6.3.4 Defining risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording and reporting


You can order a PDF copy of the 16-page standard at this ISO web page for about $88.