Why ISO 31000 is important to organizations nowadays?

Risk analysis, we do it every day. But when it comes to risks that occur in companies, a more formal approach is required.

Risk analysis, we do it every day. Crossing the street, deciding to fasten our seat belts or not, starting early to arrive on time for important appointments. But when it comes to risks that occur in companies, a more formal approach is required. Risk analysis can anticipate problems. By adding risk analysis to key business processes, one can commit to steps that ensure that anticipated problems do not occur or steps that respond if they occur. Time and money can be very crucial. A generic risk assessment process has been defined in ISO 31000. This approach can be applied to all types of risk through any kind of organization.

What is ISO 31000?

ISO 31000 using AS/NZS 4360:2004 as its first draft. In 2009, ISO 31000 was issued to widespread acclaim. Today, ISO 31000:2009 remains the international standard on risk management. This document counts 34 pages and provides a generic framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring and communicating risk. ISO 31000 is the first document published in the ISO 31000 Risk Management series and it also includes:

  • The ISO Guide 73:2009, Risk management — Vocabulary, provides the definitions of generic terms relating to risk management and with the help of a uniform risk management terminology aiming to encourage the right approach to the description of activities relating to the management of risk.
  • The ISO/IEC 31010, Risk management — Risk assessment techniques, a guide supporting the standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

Why consider this ISO standard while my organization is already adhering to COSO in the context of Sox compliance for example?

ISO 31000 can be considered as an update to COSO that reflects current risk management thinking internationally. However, ISO 31000 does provide a number of relevant advantages compared to COSO:

  1. It is more practical
  2. It provides more details
  3. It explicitly defines the terms
  4. It is more clearly written, and easier to understand for CXOs, and risk professionals
  5. The information in the standard can be adapted to develop guidelines to assess existing risk management methodologies
  6. It provides a foundation for implementing other ISO risk management standards and guidelines
  7. The most significant difference is in the definition of risk for ISO 31000 and COSO ERM (Enterprise Risk Management).

ISO defines risk as the “effect of uncertainty on objectives”, highlighting the consequences of uncertainty and therefore popping up a different view of the risk than COSO.

On the other side, COSO ERM defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” COSO concentrates the effort on the analysis of events rather than the consequences of these events for the organization.

As a consequence, ISO appears better in considering the ‘flow on’ consequences of an event occurring.

Making risk part of the Quality Management process

Preventing and correcting unwanted actions and outcomes have long been a part of ISO 9001, but it has been limited to specific elements of the quality management process. ISO 9001:2015 is about to change that.

As an organization, ISO has already addressed the notion of a more global risk management approach to businesses in its ISO 31000 standard, which provides an organizational-level risk management approach. ISO 31000 deals with crucial risk management concepts like:

  • When to or not to accept risk when taking advantage of a key opportunity.
  • Acceptable ways to remove a risk source entirely
  • Avoiding activities associated with a given risk

Which additional advantages will I have in adopting the ISO31000 standard?

In addition to ISO 31000, the ISO 31010 introduction provides general principles of risk management. The annexes go into more detail on different types of risk assessment techniques explaining the positive and negative aspects of each of them.

For the organization that will have an effective implementation of ISO 31000, the risk management will provide the following advantages:

  • It creates and protects value.
  • It is an integral part of all organizational processes.
  • It is part of decision making.
  • It explicitly addresses uncertainty.
  • It is systematic, structured and timely.
  • It is based on the best available information.
  • It is tailored.
  • It takes human and cultural factors into account.
  • It is transparent and inclusive.
  • It is dynamic, iterative and responsive to change.
  • It facilitates the continual improvement of the organization.


Managers need to understand the importance of risk management as a tool for meeting business needs and developing management programs to support these needs. The objective of Risk Management is to identify, analyze, quantify and manage information (security-related) risks to achieve business objectives through a number of tasks.

Risk management is a process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss. This is usually accomplished by ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost.

Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.

Enquire Now

Want to know more? Contact us today for any questions.

We will use this information to contact you about this enquiry only and not for marketing purposes.


Leave a Reply

Table of Contents

Enquire Now

Interested in this course? Let's help you get started.
We will use this information to contact you about this enquiry only and not for marketing purposes.
Click here to download this article.

More Quality Articles

What is risk? There’s a lot of research into all types of risk, but in my experience, I have found that most people and organisations don’t completely gras…
There are 7 Critical Steps to Pass Audits. Carina takes your through these steps.
Introduction Enterprise Risk Management (ERM) is describing a Risk Matrix (ERM Risk Matrix) as a tool for ranking and displaying risks by defining ranges for consequ…
What is a Compliance Management System (CMS)? For organizations seeking growth and long-term success, adhering to compliance obligations is not an option, is a must…
What is ISO 18788? ISO 18788 specifies the requirements and provides guidance for organizations that conduct or contract security operations.Moreover, it provide…
Information Security Management Network segregation is the tool used for dividing a network into smaller parts which are called subnetworks or network segments. Yo…
Information Security Management The popularity of the terms “data controller” and “data processor” has sharply increased in recent years. In part because of the sig…
The ability to predict what the future holds and choosing effectively among varying alternatives lies at the centre of contemporary societies and organizations. Ri…
“Food Safety” refers to the prevention, elimination and control of foodborne diseases at the stage of consumption. In a globalized world, the impact of food safety ha…
Six Sigma Benefits Reducing Waste Improving Time Management Increase Customer Loyalty Boost Employee Motivation Higher Revenues and Lower Costs Six Sigma has prov…
As the threat of energy-resource depletion has emerged, the global demand for energy is increasing constantly. Provided that billions of people still have no access…
Is your Business protected against a breach of data and software? Are you Internationally Certified to be able to prevent hackers from stealing your organization’s v…
The education industry has gone through tremendous changes over the last decades in terms of educational opportunities, teaching methods, availability of reading…
The Three P(’s)illars of Sustainability The concept of the “triple bottom line” was firstly introduced in 1994 by John Elkington, with the idea of organizations pre…
A politically inclined attack or just a ‘simple’ lack of security awareness? Whatever the case, the cyber-attack that hit Marriott was huge. This was the joint second…