ISO 31000 is unusual among ISO standards: you don't get certified to it. It's guidance — a way of thinking about risk that applies to any organization, any sector, any kind of risk. That makes it more flexible and, handled poorly, easier to ignore. Here's the structure that makes it work.
Three parts: principles, framework, process
ISO 31000 organizes risk management into three connected layers:
- Principles — what good risk management looks like. The central one: risk management exists to create and protect value. It should be integrated, structured, tailored, and based on the best available information.
- Framework — how risk management is embedded in the organization, led from the top, and continually improved. This is the governance layer that stops risk management from being a once-a-year spreadsheet.
- Process — the repeatable steps you actually run.
The process, step by step
- Scope, context, criteria — what are we assessing, in what environment, and what counts as acceptable?
- Risk identification — what could happen?
- Risk analysis — how likely, and how bad?
- Risk evaluation — which risks need treatment, and in what order?
- Risk treatment — avoid, reduce, transfer, or accept.
- Monitoring, review, communication, recording — wrapped around the whole thing, continuously.
The point of ISO 31000 isn't a risk register that gathers dust. It's risk thinking baked into how decisions get made.
Risk is not only downside
A subtle but important shift in modern risk thinking: risk is the "effect of uncertainty on objectives" — which includes opportunity, not just threat. Good risk management helps you take the right risks deliberately, not just avoid bad ones.
How it connects to ISO 9001 and others
ISO 9001's "risk-based thinking" is ISO 31000's logic applied to a quality system. Once you understand 31000's process, the risk requirements scattered through other management standards stop looking like separate demands and start looking like one discipline applied in different places.
Make risk management practical
My ISO 31000 course turns the principles-framework-process model into something you can actually run — from context-setting to treatment and monitoring.
View the ISO 31000 course →
Questions
Can I get certified to ISO 31000?
No — it's guidance, not a requirements standard, so there's no accredited certification. You adopt it; you don't get audited against it.
How is it different from ISO 9001's risk thinking?
ISO 9001 requires risk-based thinking but doesn't prescribe a method. ISO 31000 supplies the method you can use to satisfy it.