Risk management is the systematic process of identifying, assessing and treating risks that may affect an organization's objectives.
According to ISO 31000, risk management comprises coordinated activities to direct and control an organization with regard to risk. It includes establishing context, identifying risks, analyzing them, evaluating them and defining treatments proportional to their impact and likelihood.
ISO 31000 is not certifiable, but provides principles and guidelines applicable to any type of risk in any organization.
Each organization defines its own risk acceptability criteria based on its risk appetite and regulatory context.
All ISO management system standards (27001, 42001, 9001, 22301) require risk management as a cross-cutting process.
ISO 31000 is a generic framework for any type of risk. ISO 27005 is a specific guide for information security risk management, complementary to ISO 27001.
No. ISO 31000 is not reserved for large organizations; it is scalable. Organizations of any size can apply its principles by adapting the complexity of the process to their resources and context.
Common risk assessment techniques include probability-impact matrices, FMEA (failure mode and effects analysis), fault tree analysis and bow-tie analysis. The choice depends on the type of risk and the organization's maturity.