ISO 31000 (Risk Management)
The international risk management framework providing principles, a structured process, and implementation guidelines applicable across all organizational contexts.
ISO 31000:2018, "Risk management — Guidelines," is the international standard providing principles and guidelines for risk management applicable to any organization, sector, and risk type. Unlike ISO 27001 or ISO 22301, ISO 31000 is not a certifiable standard — it provides a framework and process for embedding risk management into organizational governance, not a requirements specification against which auditors certify. The 2018 revision restructured the standard around three components: Principles (Clause 4, 8 principles including integration, structured and comprehensive approach, and continual improvement), Framework (Clause 5, covering leadership and commitment, integration, design, implementation, evaluation, and improvement), and Process (Clause 6, covering communication, scope/context/criteria, risk assessment, risk treatment, monitoring, review, recording, and reporting).
The risk assessment process (ISO 31000 Clause 6.4) encompasses risk identification, risk analysis, and risk evaluation. Risk identification uses structured techniques — checklists, scenario analysis, SWIFT (Structured What-If Technique), bow-tie analysis, FMEA (Failure Mode and Effects Analysis), and fault tree analysis — to enumerate possible risk events. Risk analysis considers likelihood and consequence to produce risk level estimates, using either qualitative (high/medium/low), semi-quantitative (scoring matrices), or quantitative (Monte Carlo simulation, probabilistic models) methods depending on data availability and decision stakes. Risk evaluation compares analyzed risk levels against risk criteria — the organization's risk appetite and tolerance — to determine which risks require treatment and prioritization.
ISO 31000's integration principle (Clause 4.2) requires that risk management be embedded in all organizational processes and decision-making, not maintained as a separate parallel activity. In engineering contexts, this means risk assessment must be a component of architecture review boards, change management processes, vendor onboarding, and project inception — not conducted solely as an annual audit exercise. ISO 31000 does not prescribe specific risk treatment options but identifies four standard responses: avoid, modify (reduce likelihood or consequence), share (transfer to a third party, including insurance), and retain (accept). The framework's monitoring and review requirement demands that risk registers be living documents, updated as controls are implemented, risks materialize, and the operating environment changes.
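The Clause 6.4 flow and the four treatment responses described above, as an added example (not code from ISO 31000 or from any product the page describes): a minimal semi-quantitative risk register that scores likelihood times consequence, evaluates the score against assumed appetite and tolerance thresholds, applies a treatment, and records the residual result as a monitoring-and-review trail. The 1-5 scales, the `TREAT_AT` and `APPETITE` values, and the `Risk` class are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Semi-quantitative 1-5 scales, constructed for this example (ISO 31000 prescribes none).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Risk criteria (assumed values): score >= TREAT_AT needs treatment; score > APPETITE
# may not simply be retained.
TREAT_AT = 8
APPETITE = 12
TREATMENTS = ("avoid", "modify", "share", "retain")

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    consequence: str
    closed: bool = False                          # True once the activity is avoided
    history: list = field(default_factory=list)   # living-register audit trail

    def score(self) -> int:
        """Risk analysis: likelihood x consequence on the scoring matrix."""
        return 0 if self.closed else LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def evaluate(self) -> str:
        """Risk evaluation: compare the analysed level against the risk criteria."""
        s = self.score()
        if s > APPETITE:
            return "exceeds-appetite"
        return "treat" if s >= TREAT_AT else "acceptable"

    def treat(self, option: str, likelihood: str = None, consequence: str = None) -> str:
        """Apply one of the four responses, re-evaluate, and record the change."""
        if option not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {option}")
        before = self.score()
        if option == "retain" and before > APPETITE:
            raise ValueError("a risk above appetite cannot simply be retained")
        if option == "avoid":
            self.closed = True                        # activity withdrawn, source removed
        elif option == "share" and likelihood is not None:
            raise ValueError("sharing transfers consequence (e.g. insurance), not likelihood")
        elif option in ("modify", "share"):
            self.likelihood = likelihood or self.likelihood
            self.consequence = consequence or self.consequence
        after = self.evaluate()
        self.history.append((option, before, self.score(), after))   # monitoring and review
        return after
```

Each `treat` call appends a (treatment, inherent score, residual score, evaluation) tuple, so the register shows how the risk level moved rather than only its current value.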
We integrate ISO 31000 risk assessment into our architecture review and change management processes, using structured risk identification workshops with FMEA for technical systems and bow-tie analysis for regulatory and operational risks. Our risk register tooling provides dynamic risk scoring, treatment plan tracking, and heat map reporting that integrates with ISO 27001 and ISO 22301 risk management processes.