ISO 31000:2018 Components

Managing risk is a critical part of the success of any organization. That’s why ISO (the International Organization for Standardization) developed the ISO 31000 Risk Management standard. First issued in 2009 and revised in 2018, the standard helps address operational continuity, and also gives confidence and reassurance about your organization’s economic resilience, professional reputation, and environmental and safety outcomes. ISO 31000 provides guidelines rather than mandatory requirements, so it can be tailored to your organization to help achieve the best results.

1. Principles

The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives. ISO 31000:2018 sets out eight principles: risk management should be (1) integrated; (2) structured and comprehensive; (3) customized; (4) inclusive; (5) dynamic; (6) based on the best available information; (7) attentive to human and cultural factors; and (8) continually improved.

2. Framework

The purpose of the risk management framework is to assist with integrating risk management into all activities and functions. The effectiveness of risk management will depend on integration into governance and all other activities of the organization, including decision-making.

2.1. Leadership and commitment, including:

  • Aligning risk management with the strategy, objectives and culture of the organization;
  • Issuing a statement or policy that establishes a RM approach, plan or course of action;
  • Making necessary resources available for managing risk; and
  • Establishing the amount and type of risk that may or may not be taken (risk appetite).

2.2. Integration, including:

  • Determining management accountability and oversight roles and responsibilities; and
  • Ensuring risk management is part of, and not separate from, all aspects of the organization.

2.3. Design, including:

  • Understanding the organization and its internal and external context;
  • Articulating risk management commitment and allocating resources; and
  • Establishing communication and consultation arrangements.

2.4. Implementation, including:

  • Developing an appropriate implementation plan including deadlines;
  • Identifying where, when and how different types of decisions are made, and by whom; and
  • Modifying the applicable decision-making processes where necessary.

2.5. Evaluation, including:

  • Periodically measuring framework performance against its purpose, implementation plans, indicators and expected behaviors; and
  • Determining whether it remains suitable to support achievement of objectives.

2.6. Improvement, including:

  • Continually monitoring and adapting the framework to address external and internal changes;
  • Taking actions to improve the value of risk management; and
  • Improving the suitability, adequacy and effectiveness of the RM framework.

3. Process

The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting; establishing the scope, context and criteria; and assessing, treating, monitoring, reviewing, recording and reporting risk.

3.1. Communication and consultation, including:

  • Bringing different areas of expertise together for each step of the RM process;
  • Ensuring different views are considered when defining risk criteria and evaluating risks;
  • Providing sufficient information to facilitate risk oversight and decision-making; and
  • Building a sense of inclusiveness and ownership among those affected by risk.

3.2. Scope, context and criteria, including:

  • Defining the purpose and scope of risk management activities;
  • Identifying the external and internal context for the organization;
  • Defining risk criteria by specifying the acceptable amount and type of risk; and
  • Defining criteria to evaluate the significance of risk and to support decision-making.

3.3. Risk assessment, including:

  • Risk identification to find, recognize and describe risks that might help or prevent achievement of objectives and the variety of tangible or intangible consequences;
  • Risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and
  • Risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.

3.4. Risk treatment, including:

  • Selecting the most appropriate risk treatment option(s); and
  • Designing risk treatment plans specifying how the treatment options will be implemented.

3.5. Monitoring and review, including:

  • Improving the quality and effectiveness of process design, implementation and outcomes;
  • Monitoring the RM process and its outcomes, with responsibilities clearly defined;
  • Planning, gathering and analyzing information, recording results and providing feedback; and
  • Incorporating the results in performance management, measurement and reporting activities.

3.6. Recording and reporting, including:

  • Communicating risk management activities and outcomes across the organization;
  • Providing information for decision-making;
  • Improving risk management activities; and
  • Providing risk information and interacting with stakeholders.
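The process steps above (scope and criteria, identification, analysis, evaluation, treatment, recording and reporting) are easier to see end to end in a small risk register. The following Python is an added example, not code from CRI Group or from the standard itself. ISO 31000 prescribes no scoring formula, so the 5x5 likelihood-by-consequence scale, the appetite and tolerance thresholds, the control-effectiveness ratings, the treatment mapping and the three sample risks are all assumptions constructed for the illustration.

```python
"""Minimal risk register walking through the ISO 31000 process steps:
scope/criteria -> identification -> analysis -> evaluation -> treatment
-> recording/reporting. Scales, thresholds and sample data are assumptions
made for this example; the standard does not prescribe them."""
from dataclasses import dataclass, asdict
from typing import Dict, List


# 3.2 Scope, context and criteria: the organization states how much and what
# kind of risk it will accept. The 5x5 scale and the thresholds are assumed.
@dataclass(frozen=True)
class RiskCriteria:
    appetite: int = 6     # residual level <= appetite is retained without new treatment
    tolerance: int = 15   # residual level > tolerance must be escalated (avoid or share)
    scale_max: int = 5    # likelihood and consequence are each rated 1..scale_max


# Assumed qualitative control ratings and how many likelihood steps each removes.
CONTROL_LIKELIHOOD_REDUCTION: Dict[str, int] = {"none": 0, "partial": 1, "effective": 2}


# 3.3 Risk identification: what is recorded about each risk.
@dataclass
class Risk:
    risk_id: str
    description: str
    source: str
    objective: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), before controls
    consequence: int                     # 1 (negligible) .. 5 (severe)
    control_effectiveness: str = "none"  # key of CONTROL_LIKELIHOOD_REDUCTION
    owner: str = "unassigned"


def analyse(risk: Risk, criteria: RiskCriteria) -> Dict[str, int]:
    """3.3 Risk analysis: inherent and residual level of risk.
    Level = likelihood x consequence (assumed formula). Existing controls lower
    the likelihood rating, never below 1. Out-of-scale ratings are rejected."""
    for name, value in (("likelihood", risk.likelihood), ("consequence", risk.consequence)):
        if not 1 <= value <= criteria.scale_max:
            raise ValueError(f"{risk.risk_id}: {name} {value} outside 1..{criteria.scale_max}")
    reduction = CONTROL_LIKELIHOOD_REDUCTION[risk.control_effectiveness]
    residual_likelihood = max(1, risk.likelihood - reduction)
    return {
        "inherent": risk.likelihood * risk.consequence,
        "residual": residual_likelihood * risk.consequence,
    }


def evaluate(residual: int, criteria: RiskCriteria) -> str:
    """3.3 Risk evaluation: compare the analysed level with the risk criteria."""
    if residual <= criteria.appetite:
        return "within appetite"
    if residual <= criteria.tolerance:
        return "exceeds appetite"
    return "exceeds tolerance"


def select_treatment(decision: str) -> str:
    """3.4 Risk treatment: choose among the standard's options (retain, modify
    likelihood or consequences, share, avoid). The mapping below is assumed."""
    return {
        "within appetite": "retain (monitor; no new controls)",
        "exceeds appetite": "modify likelihood or consequences (plan additional controls)",
        "exceeds tolerance": "avoid or share (escalate to risk owner and leadership)",
    }[decision]


def build_register(risks: List[Risk], criteria: RiskCriteria) -> List[Dict]:
    """3.6 Recording: one register row per risk with analysis, evaluation and treatment."""
    rows = []
    for r in risks:
        levels = analyse(r, criteria)
        decision = evaluate(levels["residual"], criteria)
        row = asdict(r)
        row.update(levels)
        row["evaluation"] = decision
        row["treatment"] = select_treatment(decision)
        rows.append(row)
    return rows


def report(register: List[Dict]) -> Dict[str, int]:
    """3.6 Reporting: number of risks per evaluation outcome, for oversight."""
    summary: Dict[str, int] = {}
    for row in register:
        summary[row["evaluation"]] = summary.get(row["evaluation"], 0) + 1
    return summary


# Constructed sample risks for the illustration (not real assessments).
SAMPLE_RISKS = [
    Risk("R-001", "Phishing leads to credential theft", "external threat actor",
         "protect customer data", likelihood=4, consequence=4,
         control_effectiveness="partial", owner="CISO"),
    Risk("R-002", "Key supplier insolvency interrupts delivery", "supply chain",
         "operational continuity", likelihood=2, consequence=3),
    Risk("R-003", "Unpatched internet-facing server compromised", "vulnerability management",
         "service availability", likelihood=5, consequence=5, owner="Head of IT"),
]

if __name__ == "__main__":
    criteria = RiskCriteria()
    register = build_register(SAMPLE_RISKS, criteria)
    for row in register:
        print(f"{row['risk_id']}: inherent={row['inherent']} residual={row['residual']} "
              f"-> {row['evaluation']}; {row['treatment']}")
    print("summary:", report(register))
```

Separating `analyse`, `evaluate` and `select_treatment` mirrors the standard's insistence that evaluation is a comparison against criteria the organization set in advance, not a judgement made while scoring; changing the appetite or tolerance in `RiskCriteria` changes the decisions without touching the analysis.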

Getting Started with ISO 31000 Risk Management?

ISO 31000 is an international standard first issued in 2009 by ISO (the International Organization for Standardization) and revised in 2018. Organizations of all types and sizes face internal and external factors that directly affect whether they can achieve their objectives. ISO 31000:2018 serves as a guide for the design, implementation and maintenance of risk management. It describes a systematic and logical process in which organizations manage risk by identifying it, analyzing it, and then deciding how to treat it in a way that is consistent with their risk appetite. An organization can implement risk management across the entire company, and it can do so at any time. Our newly published “ISO 31000 Risk Management: A guide to identify, analyse and mitigate risk” playbook covers everything you need to know about ISO 31000:2018; here’s a quick rundown of the playbook structure:

  • What is ISO 31000?
  • Why is this Standard a good idea?
  • What are the benefits for my business?
  • Principles of ISO 31000:2018
  • ISO 31000 framework
    • Why was it revised?
    • What are the main differences?
  • Key Clauses of 31000:2018
  • Who is the standard for?
  • The process
  • The link between 31000:2018 and other standards
  • Importance of risk management leadership
  • 31000:2018 and continuous improvement
  • How do we get started?

> Risk management is a full-time, ongoing endeavor for organizations in today’s business world, and it poses constant challenges. The first step in reducing risk is having a strategy and taking action. Download your free playbook now!

Speak Up – Report Any Illegal, Unethical, or Improper Behavior

The Ethics and Compliance Hotline is an anonymous reporting mechanism that facilitates the reporting of possible illegal, unethical or improper conduct when the normal channels of communication have proven ineffective or are impractical under the circumstances. At CRI Group, we are committed to an open dialogue on ethical dilemmas, whatever the circumstances.

We would like to introduce a new Ethics & Compliance Hotline. This hotline is available to all employees, as well as clients, contractors, vendors and others in a business relationship with CRI Group and ABAC Group. If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, and you feel uncomfortable reporting through the normal channels of communication or wish to raise the issue anonymously, use CRI Group’s Compliance Hotline or submit your concern online. The Compliance Hotline is a secure and confidential reporting channel managed by an independent provider. When you report a concern in good faith, you are protected by CRI Group’s Non-Retaliation Policy.

About CRI Group

Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and a partner of Oracle.

In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence, an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. CRI Group’s global team of certified fraud examiners also works as a discreet white-labelled supplier to some of the world’s largest organizations. Contact ABAC® for more on ISO certification and training.