ISO 31000 2009 

TRANSLATED INTO PLAIN ENGLISH

ISO 31000 2009 is a generic risk management standard. It can be used by any
organization no matter what size it is or what it does. It can be used by both public and
private organizations and by groups, associations, and enterprises of all kinds. It is not
specific to any sector or industry and can be applied to any type of risk. ISO 31000 can
be applied to the achievement of any and all types of objectives at all levels and areas within
an organization. It can be used at a strategic or organizational level to help make decisions
and can be applied to all types of activities. It can be used to help manage processes,
operations, functions, projects, programs, products, services, and assets.

This web page presents an extensive overview of ISO 31000. However, it does
not present the entire detailed standard. If you need a detailed and complete
interpretation and explanation of the standard, please consider purchasing
our new Title 31: ISO 31000 2009 Translated into Plain English.

The following material starts with section 3 because the ISO 31000 guidelines start there.

3. RISK MANAGEMENT PRINCIPLES

3(A) RISK MANAGEMENT SHOULD CREATE AND PROTECT VALUE

  • Use risk management to create and protect value.

    • Create and protect value by using risk management to help achieve
      your organization’s objectives and improve its performance.

3(B) RISK MANAGEMENT SHOULD BE AN INTEGRAL PART OF ALL PROCESSES

  • Make risk management part of every process within your organization at every level.

  • Make risk management a responsibility of every manager within your organization.

3(C) RISK MANAGEMENT SHOULD BE PART OF YOUR DECISION MAKING

  • Make risk management part of your decision making process at every level.

    • Use risk management to make informed choices.

    • Use risk management to prioritize actions.

3(D) RISK MANAGEMENT SHOULD BE USED TO DEAL WITH UNCERTAINTY

  • Use risk management to address the uncertainty that your organization faces.

    • Use risk management to identify and define the nature and
      type of uncertainties that your organization must deal with.

    • Use risk management to figure out what you can do
      to address your organization’s uncertainties.

3(E) RISK MANAGEMENT SHOULD BE STRUCTURED, SYSTEMATIC, AND TIMELY

  • Make sure that your risk management approach is structured, systematic, and timely.

    • Make sure that your approach contributes to organizational efficiency.

    • Make sure that your approach generates consistent and reliable results.

3(F) RISK MANAGEMENT SHOULD BE BASED ON THE BEST INFORMATION

  • Make sure that the inputs you use to manage risk are
    based on the best available information sources.

  • Make sure that decision makers understand and consider the
    limitations and shortcomings of the data they use to manage risk.

3(G) RISK MANAGEMENT SHOULD BE TAILORED TO YOUR ENVIRONMENT

  • Make sure that your organization’s approach to risk management
    is aligned with its unique internal and external context.

  • Make sure that your organization’s approach to
    risk management is aligned with its risk profile.

3(H) RISK MANAGEMENT SHOULD CONSIDER BOTH HUMAN AND CULTURAL FACTORS

  • Make sure that your approach to risk management recognizes
    and considers the human and cultural factors that can influence
    the achievement of your organization’s objectives.

    • Consider how human capabilities can facilitate
      or hinder the achievement of your objectives.

    • Consider how human perceptions can facilitate
      or hinder the achievement of your objectives.

    • Consider how human intentions can facilitate
      or hinder the achievement of your objectives.

3(I) RISK MANAGEMENT SHOULD BE TRANSPARENT, INCLUSIVE, AND RELEVANT

  • Make sure that your approach to risk management is transparent.

    • Make sure that your organization’s approach to
      risk management is open, visible, and accessible.

  • Make sure that your approach to risk management is inclusive.

    • Involve your organization’s stakeholders.

    • Involve decision makers from all parts of your organization.

3(J) RISK MANAGEMENT SHOULD BE DYNAMIC, RESPONSIVE, AND ITERATIVE

  • Make sure that your organization’s approach to
    risk management is dynamic and responsive.

    • Make sure that your approach to risk management
      continually senses change and responds to it.

  • Make sure that your organization’s approach to risk
    management is iterative (a process that repeats itself).

    • Repeat your risk management process whenever
      and wherever objectives need to be achieved.

3(K) RISK MANAGEMENT SHOULD FACILITATE CONTINUAL IMPROVEMENT

  • Use risk management to continually improve all aspects of your organization.

  • Develop strategies to continually improve your approach to risk management.

4. RISK MANAGEMENT FRAMEWORK

4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK

  • Make risk management part of your organization’s management system.

    • Establish an effective risk management framework for your organization.

    • Use your framework to support your organization’s risk management process.

4.2 MAKE A COMMITMENT TO RISK MANAGEMENT

  • Define your organization’s risk management policy.

  • Establish risk management performance indicators.

  • Formulate risk management objectives.

  • Assign risk management responsibilities.

  • Allocate risk management resources.

  • Communicate risk management benefits.

  • Support your risk management framework.

4.3 DESIGN YOUR RISK MANAGEMENT FRAMEWORK

4.3.1 Understand your organization's context

  • Evaluate and understand your organization’s external context and then
    use this knowledge to help design your risk management framework.

    • Evaluate and understand your organization’s external environment.

    • Evaluate and understand your organization’s external stakeholders.

    • Evaluate and understand your organization’s external influences.

  • Evaluate and understand your organization’s internal context and then
    use this knowledge to help design your risk management framework.

    • Understand your organization’s internal stakeholders.

    • Understand your organization’s governance.

    • Understand your organization’s capabilities.

    • Understand your organization’s culture.

    • Understand your organization’s standards.

    • Understand your organization’s contracts.

4.3.2 Formulate your risk management policy

  • Establish a risk management policy for your organization.

    • Make a clear commitment to risk management.

    • Define your risk management objectives.

    • Explain how your policy will be implemented.

  • Communicate your risk management policy.

4.3.3 Make people accountable for managing risk

  • Identify your organization’s risk owners.

  • Give risk owners the authority to manage risk.

  • Make risk owners accountable for managing risk.

  • Establish risk management performance measurement methods.

  • Develop risk management reporting and escalation processes.

4.3.4 Build risk management into your organization

  • Make risk management an integral part of all processes and practices.

  • Develop an organization-wide risk management plan.

4.3.5 Allocate resources for risk management

  • Allocate appropriate resources to support your
    organization’s risk management activities.

    • Consider providing people who can support your
      organization’s risk management activities.

    • Consider providing resources needed to support
      each step of the risk management process.

    • Consider providing information and knowledge
      management systems to support risk management.

    • Consider providing risk management procedures and processes.

    • Consider providing appropriate risk management methods and tools.

4.3.6 Establish internal communication mechanisms

  • Establish internal risk management communication and reporting mechanisms.

  • Establish internal risk management communication and reporting processes.

4.3.7 Develop an external communication plan

  • Develop a plan that describes how you intend to communicate
    with your organization’s external stakeholders.

  • Implement your external risk management communication plan.

4.4 IMPLEMENT YOUR APPROACH TO RISK MANAGEMENT

4.4.1 Implement your risk management framework

  • Develop a strategy to implement your organization’s framework.

  • Implement your organization’s risk management framework.

4.4.2 Implement your risk management process

  • Develop a plan that explains how you intend to apply
    your organization’s risk management process (Part 5).

  • Use your risk management plan to implement your
    organization’s risk management process (Part 5).

4.5 MONITOR YOUR RISK MANAGEMENT FRAMEWORK

  • Evaluate the ongoing effectiveness of your organization’s risk management framework.

  • Prepare reports on the effectiveness of your organization’s risk management framework.

4.6 IMPROVE YOUR RISK MANAGEMENT FRAMEWORK

  • Study the results of your risk management monitoring and review activities (Part 4.5).

  • Figure out how you’re going to improve your organization’s risk management framework.

5. RISK MANAGEMENT PROCESS

5.1 APPLY YOUR RISK MANAGEMENT PROCESS

  • Apply your risk management process (see Part 5.2 to 5.6 for details).

    • Make your risk management process part of your management approach.

    • Make your risk management process part of your unique culture.

5.2 COMMUNICATE AND CONSULT WITH YOUR STAKEHOLDERS

  • Communicate and consult with stakeholders
    during all stages of the risk management process.

  • Use a consultative team approach to communicate
    and consult with your organization’s stakeholders.

5.3 ESTABLISH YOUR UNIQUE RISK MANAGEMENT CONTEXT

5.3.1 Establish your risk management parameters

  • Identify and understand the parameters and variables that
    influence and control how your organization manages risk.

    • Define your organization’s external context (see Part 5.3.2 for details).

    • Define your organization’s internal context (see Part 5.3.3 for details).

5.3.2 Establish your organization's external context

  • Identify and understand your organization’s external context
    and consider the influence it could have on its ability to manage
    risk and achieve its objectives.

    • Identify and understand environmental conditions and
      consider the influence they could have on your organization’s
      ability to achieve its objectives.

    • Identify and understand key external factors and consider the influence
      they could have on your organization’s ability to achieve its objectives.

    • Identify and understand the relationships you have with external
      stakeholders and consider the influence they could have on your
      organization’s ability to achieve its objectives.

  • Consider your external context when you develop your
    organization’s risk criteria (see Part 5.3.5 for details).

    • Consider the concerns, objectives, and perceptions of
      external stakeholders when you formulate your risk criteria.

5.3.3 Establish your organization's internal context

  • Identify and understand your organization’s internal context and consider the
    influence it could have on its ability to manage risk and achieve objectives.

    • Understand your organization’s internal stakeholders.

    • Understand your organization’s governance structure.

    • Understand your organization’s capabilities.

    • Understand your organization’s culture.

    • Understand your organization’s standards.

    • Understand your organization’s contracts.

5.3.4 Establish the context of your risk management process

  • Establish the unique context of your risk management process.

    • Adopt a risk management approach that is appropriate
      to your circumstances and consistent with your context.

    • Identify the organizational areas or parts that will
      participate in your risk management process and make
      sure you understand what they do and how they do it.

  • Clarify how each specific risk management process
    or activity should be organized and managed.

    • Define the goals and objectives of the risk management
      activities and projects you intend to carry out.

    • Define the resources that your risk management
      activities and projects will need.

    • Define the risk management responsibilities
      and authorities of all process participants.

    • Define the focus of each risk management project
      including where and when it will be carried out.

    • Define the decisions that will need to be made
      as you carry out each risk management process.

    • Define the risk assessment methodologies that you intend
      to use for each risk management process or project.

    • Define how your risk management process is
      related to your organization’s other processes.

    • Define the studies that you intend to carry out
      to support each risk management process.

    • Define how risk management process performance
      and effectiveness will be evaluated.

    • Define the records that each risk management
      process or activity should maintain.

5.3.5 Establish your organization's risk criteria

  • Define your organization’s risk criteria.

    • Consider your organization and how it
      functions when you define your risk criteria.

    • Consider the views of your organization’s
      stakeholders when you define your risk criteria.

    • Consider the nature and type of causes
      when you define your risk criteria.

    • Consider the consequences and impacts that
      could occur when you define your risk criteria.

    • Consider how likelihood or probability will be
      determined when you define your risk criteria.

    • Consider how the level of risk will be determined
      when you define your risk criteria.

    • Consider whether combinations of multiple risks should
      be taken into account when you define your risk criteria.

  • Review and periodically update your risk criteria.

5.4 CARRY OUT YOUR ORGANIZATION’S RISK ASSESSMENT PROCESS

5.4.1 Identify, analyze, and evaluate risks

  • Carry out your risk assessment process.

    • Identify your organization’s risks (see Part 5.4.2 for details).

    • Analyze your organization’s risks (see Part 5.4.3 for details).

    • Evaluate your organization’s risks (see Part 5.4.4 for details).

5.4.2 Identify your organization's risks

  • Choose suitable risk identification tools and techniques.

  • Select suitable people to identify your organization’s risks.

  • Use your tools and techniques to identify the risks that could
    affect the achievement of your organization’s objectives.

  • Generate a comprehensive list of risks that could affect
    the achievement of your organization’s objectives.

5.4.3 Analyze your organization's risks

  • Analyze the risks that your organization faces.

  • Estimate your organization’s level of risk.

  • Specify how much confidence you have in your analysis.

  • Use your risk analysis to understand your organization’s risks.

  • Communicate the results of your risk analysis.

5.4.4 Evaluate your organization's risks

5.5 FORMULATE AND IMPLEMENT YOUR RISK TREATMENT PLANS

5.5.1 Explore your organization's risk treatment options

  • Establish a cyclical risk treatment process.

  • Consider your organization’s risk treatment options.

5.5.2 Select your organization's risk treatment options

  • Select the most appropriate risk treatment options.

  • Plan the implementation of your risk treatments.

5.5.3 Prepare risk treatment implementation plans

  • Document your organization’s risk treatment plans.

  • Discuss risk treatment plans with all participants.

  • Carry out your risk treatment implementation plans.

5.6 MONITOR AND REVIEW YOUR RISK MANAGEMENT PROCESS

  • Plan your risk management monitoring and review processes.

  • Monitor and review all aspects of your risk management process.

  • Record your organization’s monitoring and review results.

  • Report your risk management monitoring and review results.

5.7 MAINTAIN A RECORD OF RISK MANAGEMENT ACTIVITIES

  • Create and maintain records to support your risk management process.

  • Use your records to support your organization’s risk management process.

Attention

This page summarizes the ISO 31000 2009 standard.
It highlights the main points. It does not present detail.

If you need a detailed and complete interpretation
of ISO 31000 2009, please consider purchasing our
Title 31: ISO 31000 2009 Translated into Plain English.


Our Title 31 provides a detailed, accurate, and complete
interpretation of ISO 31000 2009. It uses language that is
clear, precise, and easy to understand. We guarantee it!

Title 31 can be delivered to you on CD or as an email attachment.
Title 31 is 81 pages long and comes in pdf and MS doc file formats.



PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: 780-461-4514 - Email: info@praxiom.com

Updated on April 22, 2012. First published on August 31, 2010.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or warranties
with respect to accuracy or completeness of the contents of this publication and
specifically disclaim any implied warranties or merchantability or fitness for any
particular purpose and shall in no event be liable for any loss of profit or any
other commercial damage, including but not limited to special, incidental,
consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But, you are not
legally authorized to print or produce additional copies or to copy and paste
any of our material onto another web site or to republish it in any way.

Copyright © 2010-2012 by Praxiom Research Group Limited. All Rights Reserved.
