ISO 31000 is a risk management standard that is built upon 8 principles. Every part of this system is founded by these principles, from the framework to the processes. The principles of ISO 31000 are based on value creation and protection.
The principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes.
ISO 31000 Principles
1. Integrated
- Risk management is not separated from the main activities and processes of the organization; it is a part of decision-making in every department
- Risk management is embedded into the organization’s processes and is a part of management’s responsibilities
2. Structured and Comprehensive
- Approaching risk management in a systematic way contributes to efficiency and consistent results within the organization, and gives everyone involved a shared understanding of how risk is handled
- Risk management is structured with guidelines and procedures to follow in order to maintain productivity and efficacy
3. Customized
- Risk management processes are not one-size-fits-all and must be tailored to the organization’s external and internal context in order to reach objectives
- When the context is established in both internal and external environments, objectives can be captured and risk management can be customized to the unique organization
4. Inclusive
- The involvement of stakeholders allows their knowledge and views to be considered, guaranteeing that risk management is relevant and up to date
- Risk management is transparent; it is easy to understand and doesn’t include confusing jargon, allowing stakeholders to be included in the framework
5. Dynamic
- Context and knowledge within an organization change constantly and should be acknowledged as they do
- Risk management must respond to change continually and in a timely manner to maintain efficiency and results
- Risks emerge, change, and disappear as internal and external events occur, so risk management must be anticipatory
6. Best Available Information
- An organization will never have all of the information it would like, so decisions must be based on the best data available at the time
- Historical and current information, as well as their limitations, must be taken into account
- All known information should be available to stakeholders
7. Human and Cultural Factors
- Risk management is influenced significantly by human behavior and culture
- Risk management must recognize the organization’s capabilities, as well as the goals of the people within and around it, because these factors can either support or hinder achievement of the business’s goals
8. Continual Improvement
- Improving continually through experience ensures the organization’s resilience
- PDCA (plan, do, check, adjust) is the risk management cycle that keeps the organization continually improving as conditions change over time
- Acting appropriately on the results of risk management allows the organization to grow exponentially in every aspect, and to keep doing so
These 8 principles are the foundation for managing risk and are considered when creating processes in all areas of an organization under the ISO 31000 standard. Without the foundation these principles provide, the ISO 31000 risk management framework would not be sound. The best risk management uses these principles to manage uncertainty so that an organization can reach its objectives and continue achieving its goals. When an organization manages risk while incorporating the 8 principles, it will see consistent and reliable results.
The 8 ISO 31000 Principles are:
1. Risk management is integrated into the organization’s processes.
2. Risk management is structured and comprehensive.
3. Risk management is customized to your organization.
4. Risk management is inclusive and transparent.
5. Risk management is dynamic, fluid, and responsive to change.
6. Risk management takes into consideration the best available information.
7. Risk management takes into account human factors and the company culture.
8. Risk management encourages and drives continual improvement.