11/8/2021

ISO 31000:2018
Structure

Session – 2 (A)

ISO 31000:2018

1
 11/8/2021

ISO 31000:2018
Foreword
Introduction

1. Scope
2. Normative references
3. Terms and definitions

4. Principles
5. Framework
6. Process
Bibliography

ISO 31000:2018
Introduction

• This document is for use by people who create and protect value in
organizations by managing risks, making decisions, setting and
achieving objectives and improving performance.
• Organizations of all types and sizes face external and internal factors
and influences that make it uncertain whether they will achieve their
objectives.

2
 11/8/2021

ISO 31000:2018
Foreword
This document was prepared by Technical Committee ISO/TC 262, Risk management.

This second edition cancels and replaces the first edition (ISO 31000:2009) which has
been technically revised.

The main changes compared to the previous edition are as follows:

— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting with the
governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and
analysis can lead to a revision of process elements, actions and controls at each stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and
contexts.

ISO 31000:2018
1 Scope
• This document provides guidelines on managing risk faced by
organizations. The application of these guidelines can be
customized to any organization and its context.
• This document provides a common approach to managing
any type of risk and is not industry or sector specific.
• This document can be used throughout the life of the
organization and can be applied to any activity, including
decision-making at all levels.

3
 11/8/2021

ISO 31000:2018
2 Normative References

• There are no normative references in this document.

ISO 31000:2018
3 Terms and definitions
3.1 risk
3.2 risk management
3.3 stakeholder
3.4 risk source
3.5 event
3.6 consequence
3.7 likelihood
3.8 control

4
 11/8/2021

ISO 31000:2018

Risk Management Principles

Risk Management Framework

Risk Management Process

ISO 31000:2018
4 Principles
• The purpose of risk management is the creation and protection of
value. It improves performance, encourages innovation and supports
the achievement of objectives.
• The principles provide guidance on the characteristics of effective and
efficient risk management, communicating its value and explaining its
intention and purpose. The principles are the foundation for managing
risk and should be considered when establishing the organization’s
risk management framework and processes. These principles should
enable an organization to manage the effects of uncertainty on its
objectives.

5
 11/8/2021

ISO 31000:2018
4 Principles

ISO 31000:2018
5 Framework
• The purpose of the risk management framework is to assist the
organization in integrating risk management into significant activities
and functions. The effectiveness of risk management will depend on its
integration into the governance of the organization, including decision-
making. This requires support from stakeholders, particularly top
management.
• Framework development encompasses integrating, designing,
implementing, evaluating and improving risk management across the
organization

6
 11/8/2021

ISO 31000:2018
5 Framework

ISO 31000:2018
6 Process

• The risk management process involves the systematic application of

policies, procedures and practices to the activities of communicating
and consulting, establishing the context and assessing, treating,
monitoring, reviewing, recording and reporting risk.

7
 11/8/2021

ISO 31000:2018
6 Process

ISO 31000:2018
Bibliography

[1] IEC 31010, Risk management — Risk assessment techniques

8
 11/8/2021

Terms & Definitions used in

Risk Management

Session – 2 (B)

ISO 31000:2018
• Risk
effect of uncertainty on objectives

Note 1 to entry: An effect is a deviation from the expected. It

can be positive, negative or both, and can address, create or
result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and
categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources
(3.4), potential events (3.5), their consequences (3.6) and their
likelihood (3.7).

9
 11/8/2021

ISO 31000:2018
• Risk Management
coordinated activities to direct and control an organization
with regard to risk

• Stakeholder
person or organization that can affect, be affected by, or
perceive themselves to be affected by a decision or activity
Note 1 to entry: The term “interested party” can be used as an
alternative to “stakeholder”

ISO 31000:2018
• Risk Source
element which alone or in combination has the
potential to give rise to risk.

10
 11/8/2021

ISO 31000:2018
• event
occurrence or change of a particular set of
circumstances
Note 1 to entry: An event can have one or more
occurrences, and can have several causes and several
consequences (3.6).
Note 2 to entry: An event can also be something that is
expected which does not happen, or something that is
not expected which does happen.
Note 3 to entry: An event can be a risk source.

ISO 31000:2018
• consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or
uncertain and can have positive or negative direct or
indirect effects on objectives.
Note 2 to entry: Consequences can be expressed
qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through
cascading and cumulative effects.

11
 11/8/2021

ISO 31000:2018
• likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology,
the word “likelihood” is used to refer to the chance of
something happening, whether defined, measured or
determined objectively or subjectively , qualitatively or
quantitatively, and described using general terms or
mathematically (such as a probability or a frequency
over a given time period)

ISO 31000:2018
Note 2 to entry: The English term “likelihood” does not
have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used.
However, in English, “probability” is often narrowly
interpreted as a mathematical term. Therefore, in risk
management terminology, “likelihood” is used with the
intent that it should have the same broad interpretation
as the term “probability” has in many languages other
than English.

12
 11/8/2021

ISO 31000:2018
• Control
Measure that maintains and / or modifies risk

Note 1 to entry: Controls include, but are not limited to,

any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the
intended or assumed modifying effect.

Risk Management
Principles

Session – 2 (C)

13
 11/8/2021

Clause 4 ‘Risk Management Principles’

• The purpose of risk management is the creation and protection of
value. It improves performance, encourages innovation and supports
the achievement of objectives.
• The principles provide guidance on the characteristics of effective and
efficient risk management, communicating its value and explaining its
intention and purpose.
• The principles are the foundation for managing risk and should be
considered when establishing the organization’s risk management
framework and processes.
• These principles should enable an organization to manage the effects
of uncertainty on its objectives.

Clause 4 ‘Risk Management Principles’

14
 11/8/2021

Clause 4 ‘Risk Management Principles’

a) Integrated –
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive –
A structured and comprehensive approach to risk management
contributes to consistent and comparable results.
c) Customized –
The risk management framework and process are customized and
proportionate to the organization’s external and internal context
related to its objectives.

Clause 4 ‘Risk Management Principles’

d) Inclusive
Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered. This results in
improved awareness and informed risk management.
e) Dynamic –
Risks can emerge, change or disappear as an organization’s external
and internal context changes. Risk management anticipates,
detects, acknowledges and responds to those changes and events in
an appropriate and timely manner.

15
 11/8/2021

Clause 4 ‘Risk Management Principles’

f) Best available information
The inputs to risk management are based on historical and current
information, as well as on future expectations. Risk management
explicitly takes into account any limitations and uncertainties
associated with such information and expectations. Information
should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of
risk management at each level and stage.

Clause 4 ‘Risk Management Principles’

h) Continual improvement
Risk management is continually improved through learning and
experience.

16
 11/8/2021

Risk Management
Framework

Session – 2 (D)

Clause 5 ‘Framework’
The purpose of the risk management framework is to assist the
organization in integrating risk management into significant
activities and functions.
The effectiveness of risk management will depend on its
integration into the governance of the organization, including
decision-making.
This requires support from stakeholders, particularly top
management.

17
 11/8/2021

Clause 5 ‘Framework’
The components of the framework should be
customized to the needs of the organization-
1. Leadership and commitment
2. Integration
3. Design
4. Implementation
5. Evaluation
6. Improvement

Clause 5 ‘Framework’

18
 11/8/2021

Clause 5 ‘Framework’
1. The focal point is Leadership and commitment and
demonstration through
‐ customizing and implementing all components of the framework
‐ establish a risk management approach, plan the course of action;
‐ keeping in view the objectives and the context of the organization;
‐ ensuring that the necessary resources are allocated to managing
risk;
‐ assigning authority, responsibility and accountability at
appropriate levels within the organization.

Clause 5 ‘Framework’
2. Integration
‐ Needs an understanding of the organizational structures and
context. Needs to be managed in every part of the organization.
Everyone in an organization has responsibility for managing risk.
‐ Assigning responsibility and accountability for managing risk
‐ Integrating risk management into an organization is an iterative
process.

19
 11/8/2021

Clause 5 ‘Framework’
3. Design
‐ Understanding the organization and its context- both internal &
external
‐ Articulating RM commitment
‐ Assigning roles, authorities, responsibilities and accountabilities
‐ Allocating resources
‐ Establishing communication & consultation

Clause 5 ‘Framework’
4. Implementation
The organization should implement the risk management framework by:
• developing an appropriate plan including time and resources;
• identifying where, when and how different types of decisions are
made across the organization, and by whom;
• modifying the applicable decision-making processes where necessary;
• ensuring that the organization’s arrangements for managing risk are
clearly understood and practised.

20
 11/8/2021

Clause 5 ‘Framework’
5. Evaluation
In order to evaluate the effectiveness of the risk management
framework, the organization should:
• periodically measure risk management framework performance
against its purpose, implementation plans, indicators and expected
behaviour;
• determine whether it remains suitable to support achieving the
objectives of the organization.

Clause 5 ‘Framework’
6. Improvement
• Adapting
The organization should continually monitor and adapt the risk
management framework to address external and internal changes. In
doing so, the organization can improve its value.
• Continually improving
The organization should continually improve the suitability, adequacy and
effectiveness of the risk management framework and the way the risk
management process is integrated.

21
 11/8/2021

Risk Management
Process

Session – 2 (E)

Clause 6 ‘Risk Management Process’

It involves the systematic application of policies,
procedures and practices to the activities of
communicating and consulting, establishing the context
and assessing, treating, monitoring, reviewing, recording
and reporting risk

22
 11/8/2021

Clause 6 ‘Risk Management Process’

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

Clause 6 ‘Risk Management Process’

23
 11/8/2021

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

Different stages of the process

1. Communication & Consultation

a) The purpose of communication and consultation is to assist relevant

stakeholders in understanding risk, the basis on which decisions are
made and the reasons why particular actions are required.
b) Communication & consultation with both internal & external
stakeholders to
‐ bring different areas of expertise together for each step of the risk management
process
‐ ensure different views are considered
‐ provide sufficient information to facilitate risk oversight & decision making.

24
 11/8/2021

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

Different stages of the process

2. Scope Context & Criteria

a) Defining the scope

The risk management process may be applied at different levels (e.g. strategic,
operational, programme, project, or other activities), it is important to be clear about
the scope under consideration, the relevant objectives to be considered and their
alignment with organizational objectives.

b) External & Internal Context

The context of the risk management process should be established from the
understanding of the external & internal environment in which the organization
operates and should reflect the specific environment of the activity to which the risk
management process is to be applied.

25
 11/8/2021

Different stages of the process

c) Defining Risk Criteria
The amount of risk an organization can take or cannot take. Should define criteria to
evaluate the significance of risk and to support decision making.

Different stages of the process

To set risk criteria, the following should be considered:
‐ the nature and type of uncertainties that can affect outcomes and
objectives (both tangible and intangible);
‐ how consequences (positive & negative) and likelihood will be defined
and measured
‐ time-related factors;
‐ consistency in the use of measurements;
‐ how the level of risk is to be determined;
‐ how combinations and sequences of multiple risks will be taken into
account;
‐ the organization’s capacity.

26
 11/8/2021

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

Different stages of the process

3. Risk Assessment
It is the overall process of risk identification, risk analysis and risk
evaluation.

a) Risk Identification
The organization can use a range of techniques for identifying
uncertainties that may affect one or more objectives. The following
factors, and the relationship between these factors, should be
considered:

27
 11/8/2021

Different stages of the process

‐ tangible and intangible sources of risk;
‐ causes and events;
‐ threats and opportunities;
‐ vulnerabilities and capabilities;
‐ changes in the external and internal context;
‐ indicators of emerging risks;
‐ the nature and value of assets and resources;
‐ consequences and their impact on objectives;
‐ limitations of knowledge and reliability of information;
‐ time-related factors;
‐ biases, assumptions and beliefs of those involved.

Different stages of the process

b) Risk Analysis
The purpose of risk analysis is to comprehend the nature of risk and its
characteristics including, where appropriate, the level of risk. Risk
analysis involves a detailed consideration of uncertainties, risk sources,
consequences, likelihood, events, scenarios, controls and their
effectiveness. An event can have multiple causes and consequences and
can affect multiple objectives.

28
 11/8/2021

Different stages of the process

Analysis techniques can be qualitative, quantitative or a combination of
these, depending on the circumstances and intended use.
• Risk analysis should consider factors such as:
• — the likelihood of events and consequences;
• — the nature and magnitude of consequences;
• — complexity and connectivity;
• — time-related factors and volatility;
• — the effectiveness of existing controls;
• -- sensitivity and confidence levels

Different stages of the process

c) Risk Evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation
involves comparing the results of the risk analysis with the established
risk criteria to determine where additional action is required. This can
lead to a decision to:
‐ do nothing further;
‐ consider risk treatment options;
‐ undertake further analysis to better understand the risk;
‐ maintain existing controls;
‐ reconsider objectives.

29
 11/8/2021

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

Different stages of the process

4. Risk Treatment
The purpose of risk treatment is to select and implement options for
addressing risk.
Risk treatment involves an iterative process of:
‐ formulating and selecting risk treatment options;
‐ planning and implementing risk treatment;
‐ assessing the effectiveness of that treatment;
‐ deciding whether the remaining risk is acceptable;
‐ if not acceptable, taking further treatment

30
 11/8/2021

Different stages of the process

4. Risk Treatment
The purpose of risk treatment is to select and implement options for
addressing risk.
Risk treatment involves an iterative process of:
‐ formulating and selecting risk treatment options;
‐ planning and implementing risk treatment;
‐ assessing the effectiveness of that treatment;
‐ deciding whether the remaining risk is acceptable;
‐ if not acceptable, taking further treatment

Different stages of the process

a) Selection of Risk Treatment option
Options for treating risk may involve one or more of the following:
‐ avoiding the risk by deciding not to start or continue with the activity that gives
rise to the risk;
‐ taking or increasing the risk in order to pursue an opportunity;
‐ removing the risk source;
‐ changing the likelihood;
‐ changing the consequences;
‐ sharing the risk (e.g. through contracts, buying insurance);
‐ retaining the risk by informed decision.

31
 11/8/2021

Different stages of the process

b) Preparing and implementing risk treatment plans
• The purpose of risk treatment plans is to specify how the chosen
treatment options will be implemented, so that arrangements are
understood by those involved, and progress against the plan can be
monitored. The treatment plan should clearly identify the order in
which risk treatment should be implemented.
• Treatment plans should be integrated into the management plans and
processes of the organization, in consultation with appropriate
stakeholders

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

32
 11/8/2021

Different stages of the process

5. Monitoring & Review
• Monitoring and review should take place in all stages of the process.
Monitoring and review includes planning, gathering and analysing
information, recording results and providing feedback.
• The results of monitoring and review should be incorporated
throughout the organization’s performance management,
measurement and reporting activities.

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

33
 11/8/2021

Different stages of the process

6. Recording & Reporting
The risk management process and its outcomes should be documented
and reported through appropriate mechanisms. Recording and reporting
aims to:
‐ communicate risk management activities and outcomes across the
organization;
‐ provide information for decision-making;
‐ improve risk management activities;
‐ assist interaction with stakeholders, including those with
responsibility and accountability for risk management activities.

Different stages of the process

1) Communication & Consultation
2) Scope Context & criteria
a) Defining the scope
b) External & Internal Context
c) Defining Risk Criteria
3) Risk Assessment
a) Risk Identification
b) Risk Analysis
c) Risk Evaluation
4) Risk Treatment
a) Selection of Risk Treatment option
b) Preparing and implementing risk treatment plans
5) Monitoring & Review
6) Recording & Reporting

34
11/8/2021

35