ISO 31000:2018
Risk management — Guidelines
Standard Introduction
ISO 31000:2018 is an active (guidelines - not certifiable) standard published by International Organization for Standardization (ISO). It is commonly used across Manufacturing, Healthcare, Finance & Banking, Technology, Services, Government, Energy, Construction and applies in Global.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO 31000:2018.
Universal Application
Applicable to any organization regardless of size, sector, or activity. Provides generic guidelines that can be customized to any type of risk — strategic, operational, financial, environmental, or compliance.
Integrated Framework
Built on three core pillars — principles, framework, and process — ensuring risk management is not a standalone activity but integrated into governance, strategy, planning, and decision-making at all levels.
Customizable & Scalable
Designed as a guidelines standard (not certifiable), giving organizations flexibility to adapt the framework and process to their specific context, risk appetite, and organizational culture.
list_alt Core Components
- Eight principles for effective risk management
- Leadership and commitment integration
- Framework design — integration, implementation, evaluation, improvement
- Risk identification across all organizational activities
- Risk analysis (qualitative, semi-quantitative, quantitative)
- Risk evaluation against criteria and risk appetite
- Risk treatment selection and implementation
- Communication, consultation, and continuous monitoring
Who Needs to Comply?
Any organization seeking a structured approach to managing risk — from small businesses to multinational corporations, government agencies, and non-profits. Widely used as a foundation for sector-specific risk management frameworks.
Key Requirements
Principles of Risk Management
Adopt the eight principles: risk management creates and protects value, is an integral part of all organizational processes, is part of decision-making, explicitly addresses uncertainty, is systematic and structured, is based on the best available information, is tailored, and considers human and cultural factors.
Risk Management Framework
Design a framework that integrates risk management into the organization through leadership commitment, organizational design, resource allocation, and establishing communication and reporting mechanisms.
Risk Assessment Process
Implement a systematic process of risk identification (what can happen and why), risk analysis (likelihood and consequences), and risk evaluation (comparing against criteria to determine treatment priorities).
Risk Treatment
Select and implement risk treatment options — avoid, accept, modify likelihood, modify consequences, share, or retain risk. Develop treatment plans and monitor their effectiveness.
Monitoring & Continuous Improvement
Establish monitoring and review processes to ensure risk management remains relevant and effective. Continuously improve the framework and process based on organizational learning and changing context.
Implementation Roadmap
Define risk management scope
Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by ISO 31000:2018. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for risk principles, governance framework, risk criteria, context, assessment, treatment, communication, consultation, monitoring, and review.
Assess gaps and prioritize risks
Compare current practices with the expected risk management approach. Review risk appetite and criteria, ownership, registers, assessment methods, treatment plans, reporting, escalation, and review cadence, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.
Implement controls and records
Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain risk policy, criteria, registers, assessment records, treatment plans, management reporting, review minutes, and improvement actions as traceable evidence.
Review, audit, and improve
Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.
Compliance Checklist
checklist Scope and governance
checklist Controls and evidence
checklist Monitoring and improvement
Penalties & Enforcement
No penalties — ISO 31000 is a guidelines standard and is not certifiable. There are no regulatory requirements to comply with it. However, many regulations and industry standards reference ISO 31000 principles, and organizations using its framework often demonstrate better risk governance to regulators, investors, and stakeholders.
Frequently Asked Questions
Who needs ISO 31000:2018?
expand_more
ISO 31000:2018 is most relevant to organizations that need a consistent enterprise risk management approach. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.
Is ISO 31000:2018 certifiable?
expand_more
ISO 31000 is guidance and is not normally used as a certifiable management-system standard.
What should the implementation focus on first?
expand_more
Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.
What evidence is useful for ISO 31000:2018?
expand_more
Useful evidence includes risk policy, criteria, registers, assessment records, treatment plans, management reporting, review minutes, and improvement actions. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.
How often should the program be reviewed?
expand_more
Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.
Official Documentation
Official PDF for ISO 31000:2018
Official publication or summary for ISO 31000:2018
Official online resource
International Organization for Standardization (ISO) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for ISO 31000:2018