ISO 31000
ISO 31000:2018 is the international standard providing principles, framework and process guidelines for risk management, applicable to any organisation regardless of size, sector or type of risk.
Principles and framework
ISO 31000:2018 defines eight principles that characterise effective risk management: integrated (risk management is part of all organisational activities, not a separate function); structured and comprehensive (consistent, comparable results); customised (proportionate to the organisation's context, objectives and risk profile); inclusive (involving stakeholders appropriately); dynamic (anticipating and responding to change); based on the best available information; accounting for human and cultural factors; and supporting continual improvement. These principles inform a risk management framework — the set of components providing the foundations and governance arrangements for embedding risk management across the organisation. Framework elements are: leadership and commitment; integration of risk management into organisational processes; framework design; implementation; evaluation; and improvement.
The risk management process
The ISO 31000 risk management process consists of five interconnected activities carried out iteratively. Communication and consultation is a continuous activity throughout the process, engaging internal and external stakeholders. Scope, context and criteria establishment defines the objectives, scope and risk criteria for the specific risk assessment. Risk assessment encompasses three sub-activities: risk identification (finding, recognising and describing risks); risk analysis (understanding risk nature, causes, sources, consequences, likelihood and existing controls); and risk evaluation (comparing analysis results with risk criteria to determine whether risk is acceptable or requires treatment). Risk treatment selects and implements options for modifying risk — avoiding, reducing, sharing or retaining it — and prepares treatment plans. Monitoring and review checks the effectiveness of controls and identifies changes requiring reassessment. Recording and reporting maintains documentation and supports accountability throughout.
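The assessment-to-treatment path described above, worked through as a small risk register: this is an added illustration, not text or code from ISO 31000 or from this page, and its scales, risk criteria, decision rule for "share" versus "reduce" and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Treatment(Enum):  # the four treatment options named by ISO 31000
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share"
    RETAIN = "retain"

@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int                     # assumed 1 = rare .. 5 = almost certain
    consequence: int                    # assumed 1 = negligible .. 5 = severe
    control_effectiveness: float = 0.0  # 0.0 = no effective control .. 1.0 = fully effective

    def inherent_level(self) -> int:
        return self.likelihood * self.consequence

    def residual_level(self) -> int:
        # Risk analysis: existing controls lower the level; rounding keeps the integer scale
        return max(1, round(self.inherent_level() * (1 - self.control_effectiveness)))

@dataclass
class RiskCriteria:
    """Risk criteria fixed during scope, context and criteria (constructed values)."""
    tolerance: int    # residual level at or below this is acceptable
    intolerable: int  # residual level above this is not accepted under any treatment

def evaluate(risk: Risk, criteria: RiskCriteria) -> Treatment:
    """Risk evaluation: compare the analysed residual level with the risk criteria."""
    level = risk.residual_level()
    if level <= criteria.tolerance:
        return Treatment.RETAIN
    if level > criteria.intolerable:
        return Treatment.AVOID
    # Assumed rule for the treat band: rare-but-severe risks are shared (insurance,
    # contractual transfer); everything else is reduced with additional controls.
    if risk.likelihood <= 2 and risk.consequence >= 4:
        return Treatment.SHARE
    return Treatment.REDUCE

def assess(register: list, criteria: RiskCriteria) -> dict:
    # Re-run after treatment or after context changes (monitoring and review)
    return {r.ident: evaluate(r, criteria) for r in register}

# Constructed sample register for an illustrative information-security context.
REGISTER = [
    Risk("R1", "Phishing leads to credential compromise", 5, 4, 0.5),
    Risk("R2", "Fire destroys the primary data centre", 1, 5),
    Risk("R3", "Unpatched internet-facing service is exploited", 4, 5),
    Risk("R4", "Laptop lost in transit (disk encrypted)", 3, 3, 0.8),
]
CRITERIA = RiskCriteria(tolerance=4, intolerable=15)
```

Raising R3's control effectiveness (for example after patching is enforced) and calling `assess` again is the monitoring-and-review step: the same risk drops from the intolerable band into the treat band.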
Not certifiable but widely referenced
Unlike ISO 9001, ISO 14001 and ISO/IEC 27001, ISO 31000 is a guidance document: it provides principles and guidance rather than auditable requirements, and no third-party certification scheme exists. This does not diminish its influence: ISO 31000 is one of the most widely referenced management standards globally, cited in financial services regulation (Basel III, Solvency II), healthcare governance frameworks, public-sector risk management policies and ISO management system standards including ISO 9001's risk-based thinking clause, ISO 14001's risks and opportunities requirements, ISO 22301's BCMS risk assessment and ISO/IEC 42001's AI risk assessment. The US counterpart is the COSO Enterprise Risk Management (ERM) integrated framework, widely used in financial reporting and corporate governance contexts. Organisations use ISO 31000 alongside certifiable management systems to provide the underlying risk management methodology.
Key facts
At a glance
- Standard: ISO 31000:2018 (second edition)
- Nature: guidance standard — not certifiable; no third-party certification scheme
- Eight principles: integrated, structured, customised, inclusive, dynamic, best available information, human and cultural factors, continual improvement
- Risk process: identification, analysis, evaluation and treatment — iterative, not sequential
- Scope: any organisation, any risk type — strategic, operational, financial, compliance, AI risk
- References: cited by ISO 9001, ISO 14001, ISO 22301 and ISO/IEC 42001, and in sector regulations
Common misconceptions
What people often get wrong
Often heard: You can get ISO 31000 certified.
Actually: ISO 31000 is a guidance standard, not a requirements standard. No certification scheme exists because the standard does not contain auditable requirements against which conformity can be assessed. Organisations seeking certified risk management should look to standards such as ISO/IEC 27001 (information security) or ISO 22301 (business continuity), which incorporate risk management requirements alongside certifiable controls.
Often heard: ISO 31000 only covers financial risk.
Actually: ISO 31000 provides a universal framework applicable to any type of risk — operational, reputational, strategic, compliance, safety, environmental, AI-related and others. Its sector-agnostic design is one of its principal strengths, allowing the same framework and process to be applied at any level of the organisation and to any risk category.
Often heard: ISO 31000 is the same as ISO 9001 risk-based thinking.
Actually: ISO 9001:2015 introduced risk-based thinking as a principle, drawing on ISO 31000 concepts, but it does not require implementation of a full risk management framework. ISO 31000 is a comprehensive, standalone risk management framework with a defined process, principles and governance structure. ISO 9001 risk-based thinking is a subset of what ISO 31000 addresses.