ISO 31000:2009 (ISO 31000) is the International Standard for risk management. The standard provides principles and practices for generic risk management that can be employed no matter the sector, type or location of the organisation.
The principles and practices in the standard can be applied throughout a wide range of activities with an organisation. These activities include: strategies and decisions, operations, processes, functions, projects, products, services and assets.
ISO 31000 is intended for a broad stakeholder group including:
- executive level stakeholders
- appointment holders in the enterprise risk management group
- risk analysts and management officers
- line managers and project managers
- compliance and internal auditors
- independent practitioners.
ISO 31000 - approach to risk
ISO 31000:2009 gives a list in order of preference on how to deal with risk:
- 1) Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- 2) Taking or increasing the risk in order to pursue an opportunity;
- 3) Removing the risk source;
- 4) Changing the likelihood;
- 5) Changing the consequences;
- 6) Sharing the risk with another party or parties(including contracts and risk ﬁnancing);
- g) Retaining the risk by informed decision.
A number of other standards also relate to risk management.
- ISO Guide 73:2009, Risk management - Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
- ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk assessment. Risk assessment helps decision makers understand the risks that could affect the achievement of objectives as well as the adequacy of the controls already in place. ISO/IEC 31010:2009 focuses on risk assessment concepts, processes and the selection of risk assessment techniques.