ISO 31000 Risk Management: A Complete Guide to the 2018 Standard
A practical walkthrough of the ISO 31000 risk management methodology — how the principles, framework, and six-step process work together to help Australian organisations identify, analyse, evaluate, and treat risk across every domain.
What Is ISO 31000?
ISO 31000 is the international standard for risk management, published by the International Organization for Standardization (ISO). First released in 2009 as a successor to Australia's pioneering AS/NZS 4360 standard, it was revised in 2018 to reflect modern governance expectations and a more iterative approach to managing risk.
The current version — ISO 31000:2018 — provides principles, a framework, and a process that any organisation can use to manage risk, regardless of size, sector, or the type of risk involved. It is adopted in Australia as AS/NZS ISO 31000:2018 through Standards Australia.
Unlike certifiable standards such as ISO 27001 (information security) or ISO 9001 (quality management), ISO 31000 is a guidelines standard. It does not contain requirements that can be audited for certification. Instead, it provides a best-practice methodology that organisations adapt to their specific context, risk appetite, and governance structure.
ISO 31000:2018 — Principles, Framework, and Process
ISO 31000 is structured around three interconnected components — often called the three pillars. Each pillar has a distinct role, and together they form a complete system for embedding risk management into an organisation's governance and operations.
The Eight Principles
The principles define the characteristics of effective risk management. ISO 31000:2018 states that risk management should be:
Integrated
Part of all organisational activities, not a standalone function.
Structured and comprehensive
Systematic, producing consistent and comparable results.
Customised
Proportionate to the organisation's external and internal context.
Inclusive
Stakeholders are involved at every stage, bringing diverse knowledge and perspectives.
Dynamic
Responsive to changes in context, emerging risks, and organisational shifts.
Best available information
Based on the best information available, while acknowledging limitations and uncertainty.
Human and cultural factors
Recognising that people and culture influence risk management at every level.
Continual improvement
Enhanced through learning, experience, and feedback.
The 2018 revision reduced the principles from eleven to eight, making them more concise and easier to apply. Each principle is meant to guide the design of the framework and the execution of the process.
The Framework
The framework provides the organisational structure for integrating risk management. It follows a Plan-Do-Check-Act cycle with six components:
Leadership and commitment
Top management integrates risk management into governance, strategy, and decision-making.
Integration
Risk management becomes part of every function and process, not a parallel activity.
Design
The organisation understands its context, defines risk criteria, and allocates resources.
Implementation
The framework is put into practice through plans, timelines, and accountability structures.
Evaluation
The framework's effectiveness is measured against objectives and criteria.
Improvement
The framework is adapted based on evaluation findings and changing circumstances.
The key change in the 2018 revision was the stronger emphasis on leadership commitment and integration — recognising that risk management only works when it is embedded in decision-making, not bolted on as a compliance exercise.
The Process
The risk management process is the operational core — the hands-on methodology that practitioners apply to individual risks, projects, or business activities. It consists of six steps, detailed in the next section.
The ISO 31000 Risk Management Process Explained
The six-step process is applied iteratively, not as a one-off linear sequence. Monitoring and review runs throughout, ensuring risks and controls remain relevant as circumstances change.
1. Communication and Consultation
Stakeholder engagement runs throughout the entire process. The goal is to ensure that those with relevant knowledge, authority, or interest are involved in identifying, analysing, and treating risks. Effective communication builds shared understanding, while consultation brings diverse perspectives that improve the quality of risk decisions.
In practice, this means identifying stakeholders early, defining how and when they will be engaged, and ensuring that risk information flows to decision-makers in a timely, useful format.
2. Scope, Context, and Criteria
Before identifying risks, the organisation defines the boundaries of the risk management activity. This includes:
- Scope — what is included and excluded (a project, a business unit, the entire enterprise).
- External context — regulatory environment, market conditions, stakeholder expectations.
- Internal context — governance structure, capabilities, culture, existing controls.
- Risk criteria — the benchmarks used to evaluate the significance of risk (likelihood scales, consequence scales, risk appetite thresholds, tolerance levels).
Getting this step right is critical. Poorly defined scope or criteria lead to inconsistent risk assessments and poor treatment decisions downstream.
3. Risk Identification
The organisation systematically finds, recognises, and describes risks. The aim is to create a comprehensive list of risks that could affect objectives — including risks from sources not directly controlled by the organisation.
Common techniques include brainstorming sessions, interviews, workshops, SWOT analysis, scenario analysis, historical data review, and control self-assessments. The output is typically a risk register that records each risk, its sources, potential causes, and potential consequences.
4. Risk Analysis
Each identified risk is analysed to understand its nature, sources, likelihood, and potential consequences. The analysis can be qualitative (using descriptive scales), semi-quantitative (assigning numerical scores to categories), or quantitative (using statistical models and data).
Risk analysis considers the effectiveness of existing controls and the confidence level in the assessment. The output is a risk level for each risk, typically expressed as a combination of likelihood and consequence.
5. Risk Evaluation
The analysed risks are compared against the risk criteria defined in step 2. The purpose is to determine which risks need treatment, which can be accepted, and which require further analysis. Risk evaluation supports prioritisation — helping the organisation focus resources on the risks that matter most.
Evaluation decisions should be documented and communicated to stakeholders. Common outputs include heat maps, risk matrices, and ranked risk lists.
6. Risk Treatment
For risks that exceed the organisation's risk appetite, treatment options are selected and implemented. ISO 31000 identifies four broad treatment strategies:
- Avoid — eliminate the activity or source of risk entirely.
- Modify — change the likelihood or consequence through new or enhanced controls (mitigation).
- Share — transfer or distribute the risk to another party (insurance, outsourcing, partnerships).
- Accept — retain the risk within appetite, with informed decision-making and monitoring.
Treatment plans should specify what will be done, who is responsible, the timeline, required resources, and how effectiveness will be measured. Residual risk — the risk remaining after treatment — must be assessed and documented.
Monitoring and Review
This is not a separate step but a continuous activity that runs throughout the process. Monitoring tracks risk indicators, control effectiveness, and changes in context. Review evaluates whether the risk management process itself is working as intended. Together, they ensure that the risk register stays current and that treatments remain effective as the operating environment changes.
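To make steps 3 to 6 concrete, the following added Python example (not code from the article or from ISO) walks a small constructed risk register through analysis, evaluation against appetite, treatment and residual-risk recording. The 1-5 scales, the banding of the 5x5 matrix into four levels, the appetite statement, the three sample risks and the treatment decisions are all assumptions made for illustration; an organisation would substitute the criteria it defined in step 2.

```python
"""Worked risk register for ISO 31000 steps 3-6 (identify, analyse, evaluate, treat).

Constructed example: the scales, bands, appetite threshold and sample risks are
illustrative assumptions, not values taken from the standard or the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Risk criteria from step 2 (assumed): 1-5 likelihood and consequence scales,
# a 5x5 matrix banded into four qualitative levels, and an appetite statement
# that says which levels may be retained without treatment.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
WITHIN_APPETITE = {"low": True, "medium": True, "high": False, "extreme": False}
TREATMENTS = ("avoid", "modify", "share", "accept")


def risk_level(likelihood: int, consequence: int) -> str:
    """Step 4: combine likelihood and consequence into a qualitative level (assumed bands)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must both be on the 1-5 scale")
    score = likelihood * consequence
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One risk register entry; residual fields are filled in by treatment."""
    risk_id: str
    description: str
    likelihood: int        # analysed with existing controls taken into account
    consequence: int
    owner: str = "unassigned"
    treatment: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None

    def needs_treatment(self) -> bool:
        """Step 5: compare the analysed level against the appetite criteria."""
        return not WITHIN_APPETITE[risk_level(self.likelihood, self.consequence)]

    def treat(self, treatment: str, owner: str,
              residual_likelihood: int, residual_consequence: int) -> None:
        """Step 6: record the chosen option, the accountable owner and the residual risk."""
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option {treatment!r}")
        self.treatment, self.owner = treatment, owner
        self.residual_likelihood, self.residual_consequence = residual_likelihood, residual_consequence

    def summary(self) -> Dict[str, object]:
        """Flatten the entry for reporting; untreated risks carry inherent values as residual."""
        rl = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        rc = self.residual_consequence if self.residual_consequence is not None else self.consequence
        level = risk_level(rl, rc)
        return {
            "risk_id": self.risk_id,
            "description": self.description,
            "inherent_level": risk_level(self.likelihood, self.consequence),
            "treatment": self.treatment or "accept",
            "owner": self.owner,
            "residual_score": rl * rc,
            "residual_level": level,
            # A residual level still outside appetite is the case the register must surface:
            # it needs further treatment or an explicit, documented acceptance decision.
            "within_appetite": WITHIN_APPETITE[level],
        }


def ranked_register(register: List[Risk]) -> List[Dict[str, object]]:
    """Return the register ordered by residual score, highest first (a ranked risk list)."""
    return sorted((r.summary() for r in register), key=lambda s: s["residual_score"], reverse=True)


def run_example() -> List[Dict[str, object]]:
    """Walk three constructed risks through identify -> analyse -> evaluate -> treat."""
    register = [
        Risk("R1", "Ransomware encrypts file servers", likelihood=4, consequence=5),
        Risk("R2", "Sole supplier of a critical component fails", likelihood=3, consequence=3),
        Risk("R3", "Public website unavailable for under an hour", likelihood=3, consequence=1),
    ]
    # Risks already within appetite are retained, with an owner recorded for monitoring.
    for risk in register:
        if not risk.needs_treatment():
            risk.treat("accept", owner="service desk lead",
                       residual_likelihood=risk.likelihood, residual_consequence=risk.consequence)
    # Treatment decisions (assumed): modify R1 with backups and segmentation, share R2 via a second supplier.
    register[0].treat("modify", owner="CISO", residual_likelihood=2, residual_consequence=4)
    register[1].treat("share", owner="procurement manager", residual_likelihood=3, residual_consequence=2)
    return ranked_register(register)


if __name__ == "__main__":
    for row in run_example():
        flag = "" if row["within_appetite"] else "  <-- residual still outside appetite, escalate"
        print(f"{row['risk_id']} {row['inherent_level']:>7} -> {row['residual_level']:>6} "
              f"({row['treatment']}, {row['owner']}){flag}")
```

Running the module prints the ranked register. The design point worth noting is that treatment does not close a risk: R1 drops from extreme to high after its controls are recorded, which is still outside the assumed appetite, so the register flags it for either further treatment or a documented acceptance decision rather than silently marking it done.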
AS/NZS ISO 31000 — Australian and New Zealand Adoption
Australia has a uniquely deep history with risk management standards. The original AS/NZS 4360, first published in 1995, was one of the world's first national risk management standards. It went through revisions in 1999 and 2004 before being superseded by ISO 31000:2009 — a standard that AS/NZS 4360 itself heavily influenced.
Today, AS/NZS ISO 31000:2018 is the locally adopted version of the international standard. The adoption ensures alignment with Australian regulatory expectations while maintaining full compatibility with the global standard.
Several key regulatory frameworks in Australia reference or align with ISO 31000:
- APRA CPS 220 — requires APRA-regulated financial institutions to maintain a risk management framework that is consistent with ISO 31000 principles.
- Security of Critical Infrastructure Act 2018 (SOCI Act) — requires critical infrastructure entities to adopt risk management programs. ISO 31000 provides the overarching methodology for these programs.
- Commonwealth and state government policies — Australian public sector agencies reference ISO 31000 in their risk management frameworks and internal policies.
- Work Health and Safety (WHS) — ISO 31000 provides the risk management structure that underpins safety management systems across Australian workplaces.
For Australian practitioners, understanding AS/NZS ISO 31000:2018 is essential for operating within the local regulatory environment while applying an internationally recognised methodology.
ISO 31000 vs Other Risk and Security Frameworks
Understanding where ISO 31000 fits relative to other frameworks helps you choose the right combination for your organisation.
Many Australian organisations use a layered approach: ISO 31000 as the enterprise risk framework, ISO 27001 as the information security management system, and domain-specific standards (ISO 27005, NIST CSF, Essential Eight) for specialised risk domains. ISO 31000 provides the common language and methodology that ties them together.
Who Should Use ISO 31000?
ISO 31000 is relevant to any organisation that manages risk — which is every organisation. It is particularly valuable for:
Risk managers and GRC professionals
Need a structured, internationally recognised methodology for enterprise risk management.
Board members and senior executives
Need to understand how risk is being managed across the organisation and make risk-informed decisions.
Project managers
Need to identify and manage risks within project lifecycles.
Compliance and audit professionals
Need to assess the adequacy of risk management processes and controls.
Consultants and advisors
Help organisations design and implement risk frameworks.
APRA-regulated entities
Financial institutions required to maintain risk management frameworks under CPS 220.
Critical infrastructure operators
Entities required to implement risk management programs under the SOCI Act.
The standard applies equally across government, finance, healthcare, energy, mining, construction, technology, and education. Its generic design is its strength — it provides a common framework that can be adapted to any context.
How to Get Started with ISO 31000
If you are new to ISO 31000, the most effective starting point is formal training that covers the complete framework — principles, framework design, and the risk management process — in a structured way.
The PECB Certified ISO 31000 Risk Manager eLearning ($599 AUD) is a self-paced course that covers the entire standard and includes the PECB certification exam voucher. It validates your ability to establish risk frameworks, facilitate risk assessments, and advise organisations on risk management best practices.
For organisations already implementing ISO 27001, understanding ISO 31000 strengthens the risk assessment methodology that sits at the heart of any information security management system.
Key Takeaways
- ISO 31000:2018 provides a universal risk management methodology applicable to all risk types and all organisations.
- The standard is structured around three pillars: principles (what good looks like), framework (how to embed it), and process (how to do it).
- The six-step risk management process — from communication through treatment — is applied iteratively, not as a one-off exercise.
- Australia adopted the standard as AS/NZS ISO 31000:2018, and it underpins regulatory expectations from APRA CPS 220 to the SOCI Act.
- ISO 31000 complements certifiable standards like ISO 27001 — providing the risk methodology that management systems rely on.
- Organisations cannot certify against ISO 31000, but individuals can earn the PECB Certified ISO 31000 Risk Manager credential.
Resources
Continue building your risk management knowledge:
- ISO 31000 Overview — The hub page covering ISO 31000 fundamentals and Australian adoption.
- ISO 31000 Risk Matrix — Free 5×5 likelihood × consequence template with step-by-step guide.
- PECB ISO 31000 Risk Manager — Self-paced eLearning with exam voucher ($599 AUD).
- ISO 27001 Certification Guide — Understand the information security management system that uses ISO 31000 risk methodology.
- ControlStack — Browse ISO 27001, Essential Eight, and ISM controls alongside risk management guidance.
- Free resources — Download templates, checklists, and implementation guides.
- All courses — Browse the full catalogue of PECB eLearning and live training options.
Frequently Asked Questions
Common questions about ISO 31000 risk management.
What are the 6 steps of the ISO 31000 risk management process?
The six steps are: (1) Communication and consultation, (2) Scope, context, and criteria, (3) Risk identification, (4) Risk analysis, (5) Risk evaluation, and (6) Risk treatment. Monitoring and review runs continuously throughout all six steps.
Is ISO 31000 mandatory in Australia?
ISO 31000 itself is not mandatory. However, several Australian regulatory frameworks — including APRA CPS 220 for financial institutions and the SOCI Act for critical infrastructure — require risk management programs that align with ISO 31000 principles. AS/NZS ISO 31000:2018 is the locally adopted version of the standard.
What is the difference between ISO 31000:2009 and ISO 31000:2018?
The 2018 revision simplified the principles from 11 to 8, strengthened the emphasis on leadership and organisational integration, clarified the relationship between the framework and the process, and introduced a more iterative, less linear approach to risk management. It also removed the prescriptive implementation guidance in favour of a principles-based approach.
Can my organisation get certified to ISO 31000?
No — ISO 31000 is a guidelines standard, not a requirements standard, so organisations cannot be certified against it. However, individuals can earn the PECB Certified ISO 31000 Risk Manager credential, which validates your ability to apply the framework professionally.
How does ISO 31000 relate to ISO 27001?
ISO 27001 is a certifiable information security management system standard that references ISO 31000 for its risk assessment methodology. Many Australian organisations use ISO 31000 as the enterprise-wide risk framework and ISO 27001 as the management system for information security risks within it. The two standards are complementary.
What types of risk does ISO 31000 cover?
ISO 31000 is deliberately generic and applies to all types of risk — financial, operational, strategic, environmental, safety, cyber, reputational, legal, and compliance. This universality allows organisations to use a single methodology across every risk domain rather than maintaining separate frameworks.
Who should use ISO 31000?
ISO 31000 is relevant to any organisation that manages risk, regardless of size, industry, or sector. It is particularly valuable for risk managers, board members, senior executives, project managers, compliance officers, auditors, and consultants who need a structured, internationally recognised approach to risk management.
Ready to formalise your risk management skills?
The PECB ISO 31000 Risk Manager credential validates your ability to apply the framework in practice — from designing risk frameworks to facilitating enterprise risk assessments.