ISO 31000 — a review of the 2018 standard

Summary of the changes

ISO 31000:2018 was published in early 2018 and replaced the 2009 version of the standard. (From now on, when I refer to ISO 31000 I mean the 2018 version unless specified otherwise.) The introduction to the 2018 version notes the main areas of change:

ISO 31000:2018 in detail

Who is the standard for?

What’s in it?

ISO 31000 is broken into 5 main parts:

  • Introduction and document references including terminology and definitions
  • Risk management principles (Section 4)
  • The risk management framework (Section 5)
  • Risk management processes (Section 6)
  • Bibliography

Risk management principles (Section 4)

ISO 31000:2018 identifies eight principles for effective risk management, all of which fall under the overall purpose that risk management:

  • Integrated (P2)
  • Structured and comprehensive (P5)
  • Customized (P7)
  • Inclusive (P9)
  • Dynamic (P10)
  • Best available information (P6)
  • Human and cultural factors (P8)
  • Continuous improvement (P11)

The risk management framework (Section 5)

N.B. I confess that this section left me a little confused because it feels as though it mixes principles and process. So while I think I understand the intent, how I should apply this section was a little unclear.

Risk management processes (Section 6)

The final section of the standard contains processes and guidance for the core elements of the risk management system:

  • Communications and consultation
  • Processes for developing the scope, content and defining risk criteria
  • A process for risk assessments
  • Guidelines for risk treatment
  • A process for monitoring and review
  • Recording and reporting guidelines


ISO 31000 was nine years old and due for a review, but I think that the 2008 version was still pretty robust, so I’m pleased that the revised version didn’t make too many major changes. Other than my confusion as to what to do with the framework section, the document is pretty clear and straightforward. Moreover, it has a lot of clear processes that you can use as the basis for your risk management system, so ISO 31000 is a highly functional standard and definitely falls into the ‘love’ column.

A short note on the material on the website

As I noted at the beginning, the initial impetus behind this article was selfish: what impact does the new standard have on the material on my site? In short, not a huge amount, as a lot of the material here is quite tactical and process-driven, but there are three big changes that I am working on.

  • The biggest change is that the ERM maturity model is based on the 2009 principles and these need to be updated completely to match ISO 31000:2018. I still need to decide what to do with decision-making, uncertainty and leadership and commitment but as soon as I get that worked out, I will update the model.
  • References to ISO 31000:2009 remain in the presentations and videos in the Risk Management Basics Course and need to be updated. Frankly, I am dreading this but the course needs freshening up more generally so I plan to roll out an updated course in Fall 2018. Again, the vast majority of this material remains extant but I want to make sure things are 100% accurate.

Andrew Sheves
I’m an analogue operator in a digital environment who thinks simplification = optimization. I build and share risk management tools at