Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization or it may simply be embedded in the activities of the organization.

An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the ‘upside of risk’.

ISO 31000 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization.

It is a framework that can be integrated across various industries and regions and adopted by any organization – including public, private, not-for-profit and government organizations.

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. The purpose of ISO 31000 is to be applicable and adaptable for “any public, private or community enterprise, association, group or individual.” Accordingly, the general scope of ISO 31000 – as a family of risk management standards – is not developed with a particular industry group, management system or subject matter field in mind, but rather to provide best practice structure and guidance to all operations concerned with risk management.


This approach to formalizing risk management practices will facilitate broader adoption by companies that require an enterprise risk management standard that accommodates multiple ‘silo-centric’ management systems.

Accordingly, ISO 31000 is intended for a broad stakeholder group including:

  • executive level stakeholders
  • appointment holders in the enterprise risk management group
  • risk analysts and management officers
  • line managers and project managers
  • compliance and internal auditors
  • independent practitioners


For all types of organizations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organizations need to understand the overall level of risk embedded within their processes and activities. It is important for organizations to recognize and prioritize significant risks and identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.

A successful risk management initiative can affect the likelihood and consequences of risks materializing, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency.

Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organization, better marketplace presence and, in the case of public service organizations, enhanced political and community support.

Risk management is a process which provides assurance that:

  • objectives are more likely to be achieved
  • damaging things will not happen or are less likely to happen
  • beneficial things will be or are more likely to be achieved.

It is not about avoiding risk. The aim of risk management is not to eliminate risk, but rather to manage the risks involved in all activities to maximize opportunities and minimize adverse effects.

Good risk management provides upward assurance from business activities and administrative functions, from department to faculties, to the senior management team and ultimately to the governing body.

The potential benefits from risk management are:

  • supporting strategic and business planning
  • supporting effective use of resources
  • promoting continuous improvement
  • fewer shocks and unwelcome surprises
  • quick grasp of new opportunities
  • enhancing communication between organizations and departments
  • reassuring stakeholders
  • helping focus the internal audit program