Article provided by Wikipedia

Main article: Risk

One of the key paradigm shifts proposed in ISO 31000 is a controversial change in how risk is conceptualised and defined. Under both ISO 31000:2009 and ISO Guide 73, the definition of "risk" is no longer "chance or probability of loss", but "effect of uncertainty on objectives" ... thus causing the word "risk" to refer to positive consequences of uncertainty, as well as negative ones.

A similar definition was adopted in ISO 9001:2015 (the Quality Management System standard[7]), in which risk is defined simply as "effect of uncertainty". Additionally, a new risk-related requirement, "risk-based thinking", was introduced there.[8]

Likewise, a broad new definition for stakeholder was established in ISO 31000, "Person or persons that can affect, be affected by, or perceive themselves to be affected by a decision or activity." It is the verbatim definition given for the term "interested party" as defined in ISO 9001:2015.

Framework approach

ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004 (which was subsequently superseded by AS/NZS ISO 31000:2009). Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.

The intent of ISO 31000 is to be applied within existing management systems to formalise and improve risk management processes, as opposed to wholesale substitution of legacy management practices. Consequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes into the new paradigm addressed in the standard.

The focus of many ISO 31000 'harmonisation' programmes[9] has centred on:


While adopting any new standard may have re-engineering implications for existing management practices, no requirement to conform is set out in this standard. A detailed framework is described to ensure that an organization will have "the foundations and arrangements" required to embed the organizational capabilities needed to maintain successful risk management practices. Foundations include the risk management policy, objectives, and the mandate and commitment of top management. Arrangements include plans, relationships, accountabilities, resources, processes and activities.

Accordingly, senior position holders in an enterprise risk management organisation will need to be cognisant of the implications of adopting the standard and be able to develop effective strategies for implementing it, embedding it as an integral part of all organizational processes, including supply chains and commercial operations.[10] In domains concerned with risk management that may operate using relatively unsophisticated risk management processes, such as security and corporate social responsibility, more material change will be required, such as creating a clearly articulated risk management policy, formalising risk ownership processes, structuring framework processes and adopting continuous improvement programmes.

Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks, including communication and consultation, will require more consideration by organisations that have used previous risk management methodologies which did not specify such requirements.

Managing risk

ISO 31000:2009 lists the following options for treating risk:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision


ISO 31000:2009 was not developed with the intention of being used for certification.

References

  1. ISO: ISO/IEC 31000 page
  2. "New ISO standard on project management". ISO. 2012.
  3. ISO 31000 catalogue
  4. "The revision of ISO 31000 on risk management has started (2015-05-13)". ISO. Retrieved 2017-02-23.
  5. "ISO/DIS 31000 - Risk management -- Guidelines". ISO. Retrieved 2017-02-23.
  6. ISO 31000 Update
  7. "ISO 9001:2015 - Just published! (2015-09-23)". ISO. Retrieved 2017-02-23.
  8. "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.
  9. ISO 31000 update: What it means to C-Suite Risk Owners
  10. Implications for ISO adoption
