ISO 31000 2009 Translated into Plain English

ISO 31000 is a generic risk management standard. It can be used by
any organization no matter what size it is or what it does. It can be used by
both public and private organizations and by groups, associations, and
enterprises of all kinds. It is not specific to any sector or industry and
can be applied to any type of risk. ISO 31000 can be applied to the achievement
of any and all types of objectives at all levels and areas within an organization.
It can be used at a strategic or organizational level to help make decisions
and can be applied to all types of activities. It can be used to help manage
processes, operations, projects, programs, products, services, and assets.

This page presents an overview of ISO 31000 2009. It doesn't provide detail.
It starts with section 3 because sections 1 and 2 of ISO 31000 2009 cover only
scope and terms; the guidelines themselves begin at section 3.

 

3. RISK MANAGEMENT PRINCIPLES

 

3(A) RISK MANAGEMENT SHOULD CREATE AND PROTECT VALUE

  • Use risk management to create and protect value.

    • Create and protect value by using risk management to help achieve your organization's objectives and improve its performance.

3(B) RISK MANAGEMENT SHOULD BE PART OF ALL PROCESSES

  • Make risk management part of every process at every level.

  • Make risk management a responsibility of every manager.

3(C) RISK MANAGEMENT SHOULD BE PART OF YOUR DECISION MAKING

  • Make risk management part of decision making at all levels.

    • Use risk management to make informed choices.

    • Use risk management to prioritize actions.

3(D) RISK MANAGEMENT SHOULD BE USED TO HANDLE UNCERTAINTY

  • Use risk management to address the uncertainty that you face.

    • Use risk management to identify and define the nature and type of uncertainties that your organization must deal with.

    • Use risk management to figure out what you can do to address your organization's uncertainties.

3(E) RISK MANAGEMENT SHOULD BE SYSTEMATIC AND TIMELY

  • Make sure that your organization's approach to risk management is systematic, structured, and timely.

    • Make sure that your approach contributes to efficiency.

    • Make sure that your approach generates reliable results.

3(F) RISK MANAGEMENT SHOULD BE BASED ON THE BEST DATA

  • Make sure that the inputs you use to manage risk are based on the best available information sources.

  • Make sure that decision makers understand and consider the limitations and shortcomings of the data they use to manage risk.

3(G) RISK MANAGEMENT SHOULD BE TAILORED TO YOUR ENVIRONMENT

  • Make sure that your organization's approach to risk management is aligned with its unique internal and external context.

  • Make sure that your organization's approach to risk management is aligned with its risk profile.

3(H) RISK MANAGEMENT SHOULD CONSIDER HUMAN FACTORS

  • Make sure that your approach to risk management recognizes and considers the human and cultural factors that can influence the achievement of your organization's objectives.

    • Consider how human capabilities can facilitate or hinder the achievement of your objectives.

    • Consider how human perceptions can facilitate or hinder the achievement of your objectives.

    • Consider how human intentions can facilitate or hinder the achievement of your objectives.

3(I) RISK MANAGEMENT SHOULD BE TRANSPARENT AND INCLUSIVE

  • Make sure that your approach to risk management is transparent.

    • Make sure that your organization's approach to risk management is open, visible, and accessible.

  • Make sure that your approach to risk management is inclusive.

    • Involve your organization's stakeholders.

    • Involve decision makers from all parts of your organization.

3(J) RISK MANAGEMENT SHOULD BE RESPONSIVE AND ITERATIVE

  • Make sure that your organization's approach to risk management is dynamic and responsive.

    • Make sure that your approach to risk management continually senses change and responds to it.

  • Make sure that your approach to risk management is ongoing.

    • Repeat your risk management process whenever and wherever objectives need to be achieved.

3(K) RISK MANAGEMENT SHOULD SUPPORT CONTINUAL IMPROVEMENT

  • Use risk management to improve all aspects of your organization.

  • Develop strategies to improve your approach to risk management.

 

4. RISK MANAGEMENT FRAMEWORK

 

4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK

  • Make risk management part of your management system.

    • Establish an effective risk management framework.

    • Use your framework to support your risk management process.

4.2 MAKE A COMMITMENT TO RISK MANAGEMENT

  • Define your organization's risk management policy.

  • Establish risk management performance indicators.

  • Formulate risk management objectives.

  • Assign risk management responsibilities.

  • Allocate risk management resources.

  • Communicate risk management benefits.

  • Support your risk management framework.

4.3 DESIGN YOUR RISK MANAGEMENT FRAMEWORK

4.3.1 Understand your organization's context

  • Evaluate and understand your organization's external context and then use this knowledge to design your risk management framework.

    • Evaluate and understand your external environment.

    • Evaluate and understand your external stakeholders.

    • Evaluate and understand your external influences.

  • Evaluate and understand your organization's internal context and then use this knowledge to design your risk management framework.

    • Understand your organization's internal stakeholders.

    • Understand your organization's governance.

    • Understand your organization's capabilities.

    • Understand your organization's culture.

    • Understand your organization's standards.

    • Understand your organization's contracts.

4.3.2 Formulate your risk management policy

  • Establish a risk management policy for your organization.

    • Make a clear commitment to risk management.

    • Define your risk management objectives.

    • Explain how your policy will be implemented.

  • Communicate your risk management policy.

4.3.3 Make people accountable for managing risk

  • Identify your organization's risk owners.

  • Give risk owners the authority to manage risk.

  • Make risk owners accountable for managing risk.

  • Establish risk management performance measurement methods.

  • Develop risk management reporting and escalation processes.

4.3.4 Build risk management into your organization

  • Make risk management a part of all processes and practices.

  • Develop an organization-wide risk management plan.

4.3.5 Allocate resources for risk management

  • Allocate appropriate resources to support your organization's risk management activities.

    • Consider providing people who can support your organization's risk management activities.

    • Consider providing resources needed to support each step of the risk management process.

    • Consider providing information and knowledge management systems to support risk management.

    • Consider providing risk management procedures and processes.

    • Consider providing appropriate risk management methods and tools.

4.3.6 Establish internal communication mechanisms

  • Establish internal risk management communication and reporting processes and mechanisms.

4.3.7 Develop an external communication plan

  • Develop a plan that describes how you intend to communicate with your external stakeholders.

  • Implement your risk management communication plan.

4.4 IMPLEMENT YOUR APPROACH TO RISK MANAGEMENT

4.4.1 Implement your risk management framework

  • Develop a strategy to implement your organization's framework.

  • Implement your organization's risk management framework.

4.4.2 Implement your risk management process

  • Develop a plan that explains how you intend to apply your organization's risk management process (Part 5).

  • Use your risk management plan to implement your organization's risk management process (Part 5).

4.5 MONITOR YOUR RISK MANAGEMENT FRAMEWORK

  • Evaluate the ongoing effectiveness of your organization's risk management framework.

  • Prepare reports on the effectiveness of your organization's risk management framework.

4.6 IMPROVE YOUR RISK MANAGEMENT FRAMEWORK

  • Study the results of your organization's risk management monitoring and review activities (see Part 4.5, above).

  • Figure out how you're going to improve your organization's risk management framework.

 

5. RISK MANAGEMENT PROCESS

 

5.1 APPLY YOUR RISK MANAGEMENT PROCESS

  • Apply your risk management process (see Part 5.2 to 5.6).

    • Make your risk management process part of your organization's management approach.

    • Make your risk management process part of your organization's unique culture.

5.2 COMMUNICATE AND CONSULT WITH YOUR STAKEHOLDERS

  • Communicate and consult with stakeholders during all stages of the risk management process.

  • Use a consultative team approach to communicate and consult with your organization's stakeholders.

5.3 ESTABLISH YOUR UNIQUE RISK MANAGEMENT CONTEXT

5.3.1 Establish your risk management parameters

  • Identify and understand the parameters and variables that influence and control how your organization manages risk.

    • Define your organization's external context (see Part 5.3.2).

    • Define your organization's internal context (see Part 5.3.3).

5.3.2 Establish your organization's external context

  • Identify and understand your organization's external context and consider the influence it could have on its ability to manage risk and achieve its objectives.

    • Identify and understand environmental conditions and consider the influence they could have on your organization's ability to achieve its objectives.

    • Identify and understand key external factors and consider the influence they could have on your organization's ability to achieve its objectives.

    • Identify and understand the relationships you have with external stakeholders and consider the influence they could have on your organization's ability to achieve its objectives.

  • Consider your organization's external context when you develop your organization's risk criteria (see Part 5.3.5 for details).

    • Consider the concerns, objectives, and perceptions of external stakeholders when you formulate your risk criteria.

5.3.3 Establish your organization's internal context

  • Identify and understand your organization's internal context and consider the influence it could have on its ability to manage risk and achieve objectives.

    • Understand your organization's internal stakeholders.

    • Understand your organization's governance structure.

    • Understand your organization's capabilities.

    • Understand your organization's culture.

    • Understand your organization's standards.

    • Understand your organization's contracts.

5.3.4 Establish the context of your risk management process

  • Establish the unique context of your risk management process.

    • Adopt a risk management approach that is appropriate to your circumstances and consistent with your context.

    • Identify the organizational areas or parts that will participate in your risk management process and make sure you understand what they do and how they do it.

  • Clarify how each specific risk management process or activity should be organized and managed.

    • Define the goals and objectives of the risk management activities and projects you intend to carry out.

    • Define the resources that your risk management activities and projects will need.

    • Define the risk management responsibilities and authorities of all process participants.

    • Define the focus of each risk management project including where and when it will be carried out.

    • Define the decisions that will need to be made as you carry out each risk management process.

    • Define the risk assessment methodologies that you intend to use for each risk management process or project.

    • Define how your risk management process is related to your organization's other processes.

    • Define the studies that you intend to carry out to support each risk management process.

    • Define how risk management process performance and effectiveness will be evaluated.

    • Define the records that each risk management process or activity should maintain.

5.3.5 Establish your organization's risk criteria

  • Define your organization's risk criteria.

    • Consider your organization and how it functions when you define your risk criteria.

    • Consider the views of your organization's stakeholders when you define your risk criteria.

    • Consider the nature and type of causes when you define your organization's risk criteria.

    • Consider the consequences and impacts that could occur when you define your risk criteria.

    • Consider how likelihood or probability will be determined when you define your risk criteria.

    • Consider how the level of risk will be determined when you define your organization's risk criteria.

    • Consider whether combinations of multiple risks should be taken into account when you define your risk criteria.

  • Review and periodically update your risk criteria.

5.4 CARRY OUT YOUR ORGANIZATION'S RISK ASSESSMENT PROCESS

5.4.1 Identify, analyze, and evaluate risks

  • Carry out your risk assessment process.

    • Identify your organization's risks (see Part 5.4.2 for details).

    • Analyze your organization's risks (see Part 5.4.3 for details).

    • Evaluate your organization's risks (see Part 5.4.4 for details).

5.4.2 Identify your organization's risks

  • Choose suitable risk identification tools and techniques.

  • Select suitable people to identify your organization's risks.

  • Use your tools and techniques to identify the risks that could affect the achievement of your organization's objectives.

  • Generate a comprehensive list of risks that could affect the achievement of your organization's objectives.

5.4.3 Analyze your organization's risks

  • Analyze the risks that your organization faces.

  • Estimate your organization's level of risk.

  • Specify how much confidence you have in your analysis.

  • Use your risk analysis to understand your organization's risks.

  • Communicate the results of your risk analysis.

5.4.4 Evaluate your organization's risks

5.5 FORMULATE AND IMPLEMENT YOUR RISK TREATMENT PLANS

5.5.1 Explore your organization's risk treatment options

  • Establish a cyclical risk treatment process.

  • Consider your organization's risk treatment options.

5.5.2 Select your organization's risk treatment options

  • Select the most appropriate risk treatment options.

  • Plan the implementation of your risk treatments.

5.5.3 Prepare risk treatment implementation plans

  • Document your organization's risk treatment plans.

  • Discuss risk treatment plans with all participants.

  • Carry out your risk treatment implementation plans.

5.6 MONITOR AND REVIEW YOUR RISK MANAGEMENT PROCESS

  • Plan your risk management monitoring and review processes.

  • Monitor and review all aspects of your risk management process.

  • Record your organization's monitoring and review results.

  • Report your risk management monitoring and review results.

5.7 MAINTAIN A RECORD OF RISK MANAGEMENT ACTIVITIES

  • Create and maintain records to support your risk management process.

  • Use your records to support your risk management process.

Attention

This page summarizes the ISO 31000 2009 standard. It highlights
the main points. It does not present detail. To get the complete
plain English standard, please consider purchasing our
Title 31: ISO 31000 2009 Translated into Plain English.

Title 31 is detailed, accurate, and complete. It uses language
that is clear, precise, and easy to understand. We guarantee it!
Title 31 is 81 pages long and comes in pdf and MS doc file formats.


Praxiom Research Group Limited      help@praxiom.com      780-461-4514

Updated on December 30, 2016. First published on August 31, 2010.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2010 - 2016 by Praxiom Research Group Limited. All Rights Reserved.
