ISO 31000:2009 Risk management - Principles and guidelines

From ISO's website:

ISO 31000:2009 provides principles and generic guidelines on risk management.

ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector.

ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.


The guide is made up of the following main sections:

  • Introduction
  • Scope
  • Terms and definitions
  • Principles
    • Risk management creates and protects value.
    • Risk management is an integral part of all organizational processes.
    • Risk management is part of decision making.
    • Risk management explicitly addresses uncertainty.
    • Risk management is systematic, structured and timely.
    • Risk management is based on the best available information.
    • Risk management is tailored.
    • Risk management takes human and cultural factors into account.
    • Risk management is transparent and inclusive.
    • Risk management is dynamic, iterative and responsive to change.
    • Risk management facilitates continual improvement of the organization.
  • Framework
  • Process
  • Annex A: Attributes of enhanced risk management
    • General
    • Key outcomes
    • Attributes
  • Bibliography