ISO 31000 is an international standard that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management that can be applied to different types of risk (financial, safety, project) and used by any type of organization. The standard provides a uniform vocabulary and set of concepts for discussing risk management, and its guidelines and principles can help an organization undertake a critical review of its own risk management process.
The ISO 31000 Framework mirrors the plan, do, check, act (PDCA) cycle, which is common to all management system designs. The standard states, however, that “This Framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system”. This statement should encourage organizations to be flexible in incorporating elements of the Framework as needed.

Major elements of the Framework include:

  • Policy and Governance
    Provides the mandate for risk management and demonstrates the commitment of the organization
  • Program Design
    Design of the overall Framework for managing risk on an ongoing basis
  • Implementation
    Implementation of the risk management structure and program
  • Monitoring and Review
    Oversight of the structure and performance of the management system
  • Continual Improvement
    Improvements to the performance of the overall management system