ISO 31000 Principles of Risk Management

Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

ISO 31000 is organized around 11 risk management principles.   A management principle refers to a fundamental idea, rule, or truth about a subject. ISO 31000 risk principles serve as the guideline, method, logic, design, and implementation for the risk management framework and its process.

ISO 31000 does not specify how the principles can be used to design, implement, and assure a risk management process. ISO 31000 believes an organization should apply and tailor these principles to the organizational context. ISO 31000 as a guidance document is applicable to all organizations and may be used with any product or service.

The eleven risk management principles are:

1. Risk management establishes and sustains value.
2. Risk management is an integral part of all organizational processes.
3. Risk management is part of decision making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement of the organization.

Many of us still think about ‘shall’ clauses as the basis for the design of a process or to demonstrate compliance.  ISO 31000 is different.  It is more principles based.  It is more discretionary.  It requires deep knowledge of risk management and context.

The successful implementation of these risk management principles will determine the design, implementation, and assurance of an effective  ISO 31000 risk management process.