ISO 31000 - Risk Management System
ISO 31000 is the International Standard for risk management. It provides principles, a framework and a process for generic risk management that can be applied regardless of the sector, type, size or location of the organisation.
For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.
When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organisation.
The standard provides organisations with guiding principles, a generic framework, and a process for managing risk. New to this edition is the inclusion of 11 risk management principles that an organisation should follow, and a management framework for the effective implementation and integration of those principles into the organisation's management system. Unlike earlier approaches, the emphasis is on considering risk as the effect of uncertainty on objectives, rather than as the risk event itself.
This edition also includes an informative annex that sets out the attributes of enhanced risk management for those organisations that have already been working on managing their risks and may wish to strive for a higher level of achievement.