International Organization for Standardization (ISO) Standard 31000 gives organizations guidelines for identifying, assessing, treating and managing risk. Some risks are common to every industry, but each organization also has risks that are unique to it. Here, we will focus on implementing the process and actions needed to manage risks successfully.

At the center of the risk management process are the activities of risk assessment and risk treatment.

Risk assessment has three stages: risk identification, risk analysis and risk evaluation. Each stage is described in detail in ISO 31000. The standard provides valuable insight into how to:

  • Identify your risks
  • Analyze the likelihood and consequences of those risks
  • Evaluate the risks against established risk criteria to determine whether additional action is needed

Risk treatment refers to selecting risk treatment options, and then preparing and implementing risk treatment plans and actions. Under ISO 31000, selecting risk treatment options involves balancing the potential benefits of introducing further controls against the associated costs, effort, disadvantages, and any new risks the treatment itself introduces. A risk treatment plan should clearly identify timelines and responsibilities for implementing the selected treatments, so that each action has an owner and a due date that can be checked at review.

The implementation phase may be just as challenging as assessing the risks and deciding how to treat them. Determining what the risks are and how to remove or reduce them requires focus and participation from all interested parties; implementation requires action and continuous evaluation to ensure the actions remain relevant and effective. Implementation involves:

  • Identifying and evaluating available resources
  • Determining what decisions need to be made and who within the organization has the authority and duty to make them
  • Evaluating those decisions and the potential actions to be taken

Risk management is an iterative process

If the established actions prove ineffective, the process is restarted and a more effective action is developed to mitigate the risk without creating a new or unintended one. Once actions are in place, the organization must commit to adjusting them as needed. Periodic reviews ensure that risks are being monitored and that action is taken whenever new risks are identified.

The same steps are repeated throughout the risk management process, so there is consistency in how the process is applied at any stage. The iterative nature of the standard helps organizations set strategies, achieve objectives, and make informed decisions.

Risk management requires participation at every level

Implementation requires all units of an organization to come together, starting with leadership and governance. Leadership's involvement reflects how the organization is managed and how well it unifies its individual departments. In other words, there are no silos in risk management. Everyone in the organization is responsible for identifying and treating risks, whether they originate inside or outside the organization.

It bears repeating that successful risk management starts with committed leaders. There is no benefit to talking about risk management without leadership’s commitment to fully engaging stakeholders and addressing all real and perceived risks. With leadership on board, real risk reduction can take place and benefits can be seen at all levels of the organization.

Risk management enhances communication

The implementation phase of risk management enhances communication between the organization and all of its stakeholders, internal and external. By opening up the lines of communication, the process reveals the risk context in which the organization operates, including people, culture and external factors that may be outside of the organization’s control, such as political, social, and regulatory environments.

Risk management should be an ongoing process that’s built into the organization’s operations. This aids in identifying, evaluating and addressing risks.

Risk management creates transparency

The implementation process creates transparency; all interested parties see what is at risk and what is being done to remove or reduce the risk. It also encourages feedback and input, highlighting perspectives that may have otherwise been missed. Its structure and nature are designed to be responsive to change.

ISO 31000 creates an all-risks approach

The iterative design and structure of ISO 31000 create an all-risks approach, in which an organization can address the risks raised by other ISO standards within one framework. Examples of standards that cross over into risk management include:

  • ISO 45001, occupational health and safety management
  • ISO 14001, environmental management
  • ISO 9001, quality management
  • ISO 22000, food safety management
  • ISO/IEC 27001, information security management

These management system standards share a common high-level structure, and each requires the organization to address risks and opportunities, so once the ISO 31000 framework and process are learned they can be applied across all levels and functions of an organization. Note that ISO 31000 itself is a set of guidelines rather than a management system standard, so it does not follow that shared structure; its value is that a single risk management process can serve the risk requirements of each of them.

Implementation practices are tailored to each organization’s unique risks

ISO 31000 leaves room for organizations to determine their own implementation practices based on their unique risks. The standard is not intended as a cookie-cutter approach, but to ensure that real dialog and action are integrated into the process. Because each organization's risks are unique, a template copied from another organization, or even from a different work site within the same organization, will not fit until it has been reworked against the local risks.

ISO 31000 isn’t a regulatory requirement, but it will help protect your organization

It’s important to know that ISO standards are not regulatory, so adopting them is voluntary. ISO 31000 is also explicitly not intended for certification: unlike a management system standard such as ISO 9001 or ISO/IEC 27001, it provides guidelines rather than requirements an organization can be audited against. If you do not want to commit to following the standard, that is your choice.

But if you do choose to follow ISO 31000, the benefits go beyond risk management. Following the standard improves management, governance and procedures, and enhances communication with internal and external stakeholders. Improving those relationships alone can reduce your organization’s risks. Should an adverse event occur, being able to show that you want to do the right thing and care for your people, your community and the environment can lessen its impact. But if those relationships are ignored or become adversarial, your organization might not recover from such an event.