ISO 31000 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context. This document provides a common approach to managing any type of risk and is not industry or sector specific. This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
ISO 31000 is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance. Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions. It is part of governance and leadership, is fundamental to how the organization is managed at all levels, and also contributes to the improvement of management systems. Managing risk is part of all activities associated with an organization and includes interaction with stakeholders. It considers the external and internal context of the organization, including human behaviour and cultural factors. It is based on the principles, framework and process outlined in this document. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.