This article was published in NSAI EZine May 2015


ISO 31000 Risk Management Standard

National guidance on implementing I.S. ISO 31000:2009 Risk Management - Principles & guidelines

ISO 31000 is a relatively new International Standard that, after four years of development, was published in November 2009.  It provides generic guidelines for the principles and the adequate implementation of risk management.  The standard is now undergoing a typical revision, as is the case for most ISO standards.  So it is a good time to reflect on the main elements of the standard and what it means to a variety of organisations.

The revisions are at this point likely to be technical in nature and should see an improvement on the first edition in terms of clarity.  In this article, we introduce ISO 31000 and answer some of the questions you might have about the new standard.

What is ISO 31000?

ISO 31000 is an International Standard that seeks to provide organisations with guidelines for the principles and the adequate implementation of risk management.  

Is ISO 31000 mandatory?

ISO 31000 is not mandatory; as an International Standard it describes voluntary risk management principles and guidelines for the implementation of risk management.  Adopting a generic approach, the standard allows the unique needs of a specific organisation (e.g. objectives, context, structure, projects, products, services, etc.) to influence the design and implementation of risk management.

My Organisation is already compliant with an existing good practice standard.
What does this mean for us?

The chances are that if you are fully compliant with an existing code or standard, your organisation will have achieved many of the requirements outlined in ISO 31000.  However, there may be additional elements that need to be in place, or further emphasis/focus placed on particular areas, before you are able to meet the full requirements of the new International Standard.  Many other codes, e.g. COSO, are also being revised.

Where so many of the efforts to unify the global view of risk management have fallen short, the ISO standard is expected to succeed.  By simplifying complex concepts and by coupling the framework with the process and principles of cross-organisational risk management efforts, the Standard is likely to subsume most, if not all, of the existing independent and national risk management standards.  To that end, the Standard will provide organisations with a tool to adhere to best practice and, if implemented, will provide a platform for developing effective management of risk.

What are the benefits of formally addressing risk management through ISO 31000 compared to other risk management standards?

ISO 31000 has been written and developed by an ISO International Technical Committee representing risk management experts throughout the world.  As a concise and comprehensive statement of good risk management practice, ISO 31000 will likely supplement or replace a variety of independent and national risk management standards: the Australian/New Zealand risk management standard AS/NZS 4360 and COSO have both agreed to conform with ISO 31000.  For example, in Ireland the Department of Finance guidelines reference AS/NZS 4360, which has since been retired in favour of ISO 31000.

De facto, this means that all public sector organisations in Ireland should be following the ISO 31000 standard.  ISO 31000 therefore provides organisations with a tool for following good practice and, if implemented, will provide a platform for developing effective management of risk.

Who will be affected and how?

Whilst every organisation will have its own unique risk footprint and its own risk management challenges, ISO 31000 has been developed so that it is generic and not specific to any industry or sector.  The International Standard can be applied to large, medium and small enterprises, whether public or private, as well as to a wide range of activities, decisions and operations.  ISO 31000 is not a legal requirement, and there will be no immediate obligation for organisations to take any action.

However, we would recommend that clients become familiar with the standard and, as a minimum, compare their existing risk management framework with it.  Clients may also experience pressure from stakeholders, such as customers, to demonstrate that they have proactive and formal risk management in place.

My organisation has been practising risk management for several years.  
Does the advent of ISO 31000 mean we need to start again?

No. ISO 31000 is only a guide, and its application needs to be tailored to your specific needs.  Every organisation will have its own level of risk management maturity and therefore will be affected differently by the new International Standard.  It would be worth using the standard as a sense check to ensure you continually review your risk management approach against best practice.

Do I need certification?

No, definitely not.  This is a voluntary standard, and although certification may come into play for some organisations in the future, no such requirement exists at present.

Does ISO 31000 provide details on how I go about Risk Assessment?

Other than a general approach, no.  A complementary standard, IEC 31010, deals specifically with risk assessment.  That standard, which is currently being revised, gives an insight into the myriad of assessment methods, and even then is far from exhaustive.

How can my organisation learn more about ISO 31000?

NSAI, the national standards authority in Ireland, has published national guidance on the standard along with the standard itself and the definitions standard ISO Guide 73; for further information see:

Further Information
The author of this article, Sean Coleman, is part of the NSAI Risk Management committee and was a co-author of the national guidance.  Sean has worked with a variety of public and private sector organisations and offers a range of training courses on the subject of Risk Management and ISO 31000 in particular.  Further information is available on
