ISO 31000 provides principles and guidelines for risk management. The seven-step process is: communication, context, identification, analysis, evaluation, treatment, monitoring. The risk matrix is the standard visualization tool.

"What could go wrong?" is the question that, asked systematically, separates companies that survive sector disruptions from those that do not. Corporate risk management is no longer a topic for large multinationals: SMEs that systematize the discipline gain time to anticipate and reduce the cost of bad surprises. ISO 31000 provides the framework.

What ISO 31000 is

ISO 31000:2018 is the international standard that provides principles and guidelines for risk management at corporate level. It is not a certifiable standard like ISO 9001: it is a guidance standard that complements clause 6.1 of all Annex SL management standards.

The standard is structured in three parts: principles (eight that should guide all risk management), framework (how risk management is integrated into the organization's governance) and process (the seven repeatable steps applied to each specific risk).

The eight principles

  1. Integrated: risk management is integrated into all organizational activities.
  2. Structured and comprehensive: contributes to consistent and comparable results.
  3. Customized: framework adapted to the organization's context and objectives.
  4. Inclusive: involves interested parties at the appropriate time.
  5. Dynamic: anticipates, detects and acknowledges changes.
  6. Best available information: based on data, evidence and expert judgement.
  7. Human and cultural factors: influence all phases of the process.
  8. Continual improvement: through learning and experience.

The seven-step process

The ISO 31000 core process has seven steps that apply to each risk:

  1. Communication and consultation: with internal and external interested parties throughout the process.
  2. Scope, context and criteria: define the perimeter of the analysis, the relevant external and internal context, the risk acceptance criteria.
  3. Risk identification: list the risks that could affect the organization's objectives. Typical techniques: brainstorming, structured interviews, sector benchmarks, scenario analysis.
  4. Risk analysis: estimate the probability and impact of each risk, considering existing controls.
  5. Risk evaluation: compare the analysis result against the acceptance criteria and decide whether action is needed.
  6. Risk treatment: choose and implement the treatment option (avoid, reduce, transfer, share, accept).
  7. Monitoring and review: track the evolution of risks, controls and changes in context.

How to build the risk matrix

The risk matrix is the most widely used tool to visualize the risk portfolio. It is built in three steps:

  1. Probability scale: 1-5 or 1-3 depending on company maturity. Example for an SME: 1 (very unlikely, <5% per year), 2 (unlikely, 5-25%), 3 (possible, 25-50%), 4 (likely, 50-75%), 5 (very likely, >75%).
  2. Impact scale: same 1-5 scale, quantified in financial terms or relevant qualitative criteria. Example: 1 (negligible, <€5,000), 2 (low, €5,000-25,000), 3 (medium, €25,000-100,000), 4 (high, €100,000-500,000), 5 (critical, >€500,000).
  3. Risk score: probability × impact = score between 1 and 25. Categorization: 1-4 acceptable, 5-9 monitor, 10-15 reduce, 16-25 priority treatment.

Example risk matrix for an SME (2026)

Risk | Probability | Impact | Score | Treatment
Cyberattack with data hijack | 4 | 5 | 20 | Reduce + transfer (cyber insurance)
Loss of key account (>20% turnover) | 3 | 5 | 15 | Reduce (commercial diversification)
Loss of key staff | 3 | 4 | 12 | Reduce (succession plan, retention)
Sustained energy cost rise | 4 | 3 | 12 | Reduce (PPA, efficiency)
Material non-compliance with regulation | 2 | 5 | 10 | Reduce (compliance system)
Production stoppage due to supplier | 3 | 3 | 9 | Monitor + alternative supplier
Litigation with employee or supplier | 2 | 3 | 6 | Monitor + civil liability insurance
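The three matrix-building steps above (probability scale, impact scale, score = probability × impact with the four bands) and the SME table they produce can be checked with a short script. The following is an added illustration, not code from the article or from ISO: it maps raw estimates (annual likelihood, euro impact) onto the article's 1-5 scales, scores each risk, assigns the band, and sorts the register so the management review sees the priority items first. Which band a value sitting exactly on a threshold (5%, 25%, €25,000, ...) falls into is not stated in the article; the comparisons below are an assumption, as are the function and class names.

```python
"""Risk matrix scoring for the ISO 31000 SME example (added illustration)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


def probability_level(annual_probability: float) -> int:
    """Map an annual likelihood (0..1) onto the article's 1-5 probability scale.
    Boundary handling is an assumption: the article only gives the ranges."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual probability must be between 0 and 1")
    if annual_probability < 0.05:   # very unlikely, <5% per year
        return 1
    if annual_probability < 0.25:   # unlikely, 5-25%
        return 2
    if annual_probability < 0.50:   # possible, 25-50%
        return 3
    if annual_probability <= 0.75:  # likely, 50-75%
        return 4
    return 5                        # very likely, >75%


def impact_level(impact_eur: float) -> int:
    """Map a financial impact in euros onto the article's 1-5 impact scale."""
    if impact_eur < 0:
        raise ValueError("impact must be non-negative")
    if impact_eur < 5_000:          # negligible
        return 1
    if impact_eur < 25_000:         # low
        return 2
    if impact_eur < 100_000:        # medium
        return 3
    if impact_eur <= 500_000:       # high
        return 4
    return 5                        # critical, >€500,000


def risk_score(probability: int, impact: int) -> int:
    """Step 3 of the article: score = probability x impact, range 1..25."""
    for level in (probability, impact):
        if level not in range(1, 6):
            raise ValueError("levels must be integers from 1 to 5")
    return probability * impact


def score_band(score: int) -> str:
    """Categorization from the article: 1-4, 5-9, 10-15, 16-25."""
    if not 1 <= score <= 25:
        raise ValueError("score must be between 1 and 25")
    if score <= 4:
        return "acceptable"
    if score <= 9:
        return "monitor"
    if score <= 15:
        return "reduce"
    return "priority treatment"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int          # level 1..5
    impact: int               # level 1..5
    treatment: str

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)

    @property
    def band(self) -> str:
        return score_band(self.score)


def risk_from_estimates(name: str, annual_probability: float,
                        impact_eur: float, treatment: str) -> Risk:
    """Build a Risk from raw estimates by applying both scales (steps 1 and 2)."""
    return Risk(name, probability_level(annual_probability),
                impact_level(impact_eur), treatment)


# The article's SME example, transcribed as levels (not raw estimates).
SME_RISKS: List[Risk] = [
    Risk("Cyberattack with data hijack", 4, 5, "Reduce + transfer (cyber insurance)"),
    Risk("Loss of key account (>20% turnover)", 3, 5, "Reduce (commercial diversification)"),
    Risk("Loss of key staff", 3, 4, "Reduce (succession plan, retention)"),
    Risk("Sustained energy cost rise", 4, 3, "Reduce (PPA, efficiency)"),
    Risk("Material non-compliance with regulation", 2, 5, "Reduce (compliance system)"),
    Risk("Production stoppage due to supplier", 3, 3, "Monitor + alternative supplier"),
    Risk("Litigation with employee or supplier", 2, 3, "Monitor + civil liability insurance"),
]


def prioritised_register(risks: Iterable[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact (worse first), then by name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def band_counts(risks: Iterable[Risk]) -> Dict[str, int]:
    """How many risks sit in each band: a quick portfolio health summary."""
    counts: Dict[str, int] = {}
    for r in risks:
        counts[r.band] = counts.get(r.band, 0) + 1
    return counts


if __name__ == "__main__":
    for r in prioritised_register(SME_RISKS):
        print(f"{r.score:>2}  {r.band:<18} {r.name:<40} {r.treatment}")
    print(band_counts(SME_RISKS))
```

Running the script reproduces the table's scores (20, 15, 12, 12, 10, 9, 6) and shows that every "Monitor" row in the table falls in the 5-9 band and every "Reduce" row in 10-15 or above, which is the consistency check a management review should make between the score column and the treatment column.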

The four treatment options

Risk appetite and risk tolerance

Two strategic concepts that ISO 31000 introduces and that top management must define explicitly:

A company with high risk appetite (innovative startup) accepts more risks than one with low appetite (established healthcare SME). The risk matrix scale must be aligned with the defined appetite.

Integration with ISO 9001, ISO 14001, ISO 45001

ISO 31000 is the meta-standard that gives consistency to risk thinking across all management systems. Clause 6.1 of every Annex SL standard demands risks and opportunities; ISO 31000 provides the method.

The recommended integration is one single corporate risk matrix with category tags (quality, environment, OH&S, information security, business continuity) so a single risk that affects multiple objectives is not duplicated. Strategic risks affect more than one category and require coordinated treatment.

Monitoring the risk portfolio

The risk matrix is not a one-off document: it is a live portfolio. The recommended monitoring rhythm is:

Frequent mistakes in risk management

A mature risk management practice multiplies decision quality across the company. Book a 45-minute session and we will look at your top-10 risks and the consistency of your treatment plans before the next management review.

Frequently asked questions

What is ISO 31000?
ISO 31000:2018 is the international standard that provides principles and guidelines for risk management at corporate level. It is not certifiable on its own; it is a guidance standard that complements ISO 9001 clause 6.1 and other risk-related standards (ISO 27005, ISO 22301).
What is the difference between risk and uncertainty?
Risk is the effect of uncertainty on objectives. Uncertainty is the lack of information about an event; risk emerges when that uncertainty has a positive or negative consequence on a specific organizational objective.
What is the risk matrix?
The risk matrix is a tool that classifies each risk by probability (vertical axis) and impact (horizontal axis) into low/medium/high/critical categories. It is the most widely used visualization for prioritizing risk treatment.
What treatment options does ISO 31000 propose?
Five: avoid the risk (remove the activity that generates it), reduce it (mitigate probability or impact), transfer it (insurance, contract), share it (joint venture), accept it (when within risk appetite). The decision depends on the cost-benefit of each option.
How often should the risk map be updated?
At least once a year in the management review, and whenever there is a relevant change in context (new project, regulatory change, market disruption, organizational change). For high-volatility risks, quarterly updates are recommended.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.

How long does the implementation take?

On average 4-7 months for a single ISO standard. An integrated management system (SGI, e.g. 9001+14001+27001) usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain-based marketing is more predictable than opinion-based marketing. — Ángel Ortega Castro