
ISO 31000 Process

Get compliant with ISO 31000 and simplify compliance for your organisation.

The ISO 31000 process outlines the steps that organisations can take to identify, assess, and manage risk in order to achieve their objectives. The ISO 31000 process begins by establishing the context for risk management. This involves identifying the objectives, stakeholders and scope of the risk management process, and establishing the criteria that will be used to evaluate risk.


6.2 Communication and consultation

Effective communication and consultation are crucial to ensure that risk-informed decisions are made and that those involved in identifying and managing risk, as well as those with an interest in the outcome, are kept informed.


The objective of communication and consultation is to aid stakeholders in comprehending the risk, the reasoning behind decision-making, and the necessity for specific actions.


This is an ongoing and iterative process that entails providing, sharing, or obtaining information and engaging in conversations with stakeholders about risk management.


Communication seeks to enhance knowledge and awareness of risks, while consultation entails gathering feedback and information to facilitate decision-making.


Consultation is a two-way process of informed communication between an individual or organisation and its stakeholders regarding an issue, carried out before a decision is made or a course of action is determined on that matter. It is a process that influences decision-making through input rather than through authority: it is an input to the decision, not joint decision-making.

6.3 Scope, context and criteria

Scope, context, and criteria are important concepts that form the basis of the ISO 31000 process. These three elements help organisations to identify, analyse, and manage risks in a systematic and structured manner. They also help to ensure that the risk management process is tailored to the organisation’s specific needs and objectives.

Define the scope

Scope refers to the limitations of the risk management process. It defines the system, process, or activity that is being assessed for risk and the decisions that need to be made.


When defining the scope of the risk management process we need to consider:


  • The specific system, process or activity that will be the focus of the risk management process.
  • The objectives and decisions that must be made in order to achieve the desired outcomes.
  • The risk assessment tools and techniques that will be used to evaluate the identified risks.
  • The resources, responsibilities and record-keeping requirements needed to ensure that the process is executed smoothly.
  • The relationships with other processes that may be affected by the risk management process.

Internal and external context

By understanding both the internal and external context, organisations can better assess the potential risks and opportunities that may arise.


This knowledge helps organisations to develop strategies that will enable them to effectively manage risk and capitalise on opportunities.

Defining risk criteria

Defining risk criteria is an important aspect of risk management that helps organisations to evaluate the level of risk that is acceptable for their operations.


Risk criteria are the standards and benchmarks that an organisation uses to evaluate risk. They include the risk appetite, risk tolerance, and risk acceptance levels that an organisation is willing to take.

6.4 Risk assessment

Risk assessment covers the ISO 31000 process of risk identification, risk analysis and risk evaluation.


Risk identification aims to discover and characterise potential risks that could either aid or hinder the achievement of objectives. The process of identification makes it possible to explicitly account for uncertainties.


Depending on the scope and context of the assessment, all forms of uncertainty and their impacts, whether positive or negative, may be pertinent.


The identification of risk sources, events, causes, and potential consequences constitutes the essence of risk identification.


It is crucial to have pertinent, suitable, and current information when identifying risks. During the risk identification process, the following factors and their interrelationships should be taken into account.


The objective of risk analysis is to gain an understanding of the nature of a particular risk and its attributes, which may include the level of risk, where applicable.


The level of risk, also known as the risk rating, is the measure of the size of a risk or a combination of risks, expressed as a function of the combination of consequences and their likelihood.


The process of risk analysis entails a thorough examination of uncertainties, sources, causes, consequences, likelihood, events, scenarios, controls, and their effectiveness.


Risk evaluation serves the purpose of providing decision-making support.


This process entails comparing the outcomes of risk analysis with the pre-established risk criteria to determine the necessity of further measures. By utilising the knowledge of risks obtained during the risk analysis, risk evaluation facilitates informed decisions about future actions that take risk into account.

6.5 Risk treatment

The ISO 31000 process of risk treatment involves identifying and applying measures to manage risks. Once a risk assessment has been completed, treating a risk involves selecting and implementing one or more measures that reduce the likelihood of occurrence, the consequences of the risk, or both.


Selecting the most suitable risk treatment measures involves weighing the potential benefits against the costs, effort, and drawbacks of implementation, in relation to the achievement of the objectives. The choice of risk treatment measures should be made based on your objectives, risk criteria, and available resources.


Once appropriate risk treatment measures have been identified and selected by the responsible parties, treatment plans can be prepared to track the progress of implementation.


The purpose of risk treatment plans is to define how the selected measures will be implemented, ensuring that all parties involved understand the arrangements and that progress against the plan can be monitored.


The treatment plan should also identify the order in which risk treatment measures should be implemented, and the plan should be incorporated into management plans and processes.

6.6 Monitoring and review

The purpose of monitoring and review is to ensure and enhance the quality and effectiveness of the process design, implementation, and outcomes.


Regular monitoring and periodic review of the risk management process and its outcomes should be a planned part of your risk management activities, with clearly defined responsibilities.


As part of the ISO 31000 process, risks, controls, and treatment measures should be monitored and reviewed to confirm that assumptions about uncertainties, risks, and opportunities remain valid, that expected results and performance are being achieved, that the results of risk assessments are consistent with experience or expectations, that risk assessment techniques are being applied correctly and effectively, and that risk treatment measures are still effective.

6.7 Recording and reporting

Clause 6.7 of ISO 31000 highlights the importance of recording and reporting on risk management activities. This includes keeping records of the risk management process, as well as reporting on the outcomes of that process to relevant stakeholders.


There are a few key elements. These include:


Record-keeping: Keeping records of all aspects of the risk management process, including risk identification, assessment, treatment, and monitoring and review.


This is important for a number of reasons, including providing a historical record of the organisation’s risk management activities, supporting ongoing monitoring and review, and providing evidence of compliance with relevant laws, regulations, and standards.


Documentation: In addition to keeping records, ISO 31000 requires that the risk management process be documented in a way that is clear, concise, and accessible to relevant stakeholders. This includes documenting the scope and objectives of the risk management process, as well as the roles and responsibilities of those involved in the process.


Reporting: Reporting on the outcomes of the risk management process to relevant stakeholders. This includes reporting on the identified risks, the assessment of those risks, the treatment options selected, and the results of the treatment. The reporting should be tailored to the needs of the audience and should provide sufficient information to support decision-making.


Review: Ongoing review of the risk management process and its outcomes. This includes reviewing the records and documentation to ensure that they are accurate and up-to-date, as well as assessing the effectiveness of the risk management process in achieving its objectives.

How can Inverifi help you get ISO 31000 compliant?

Risk management tools

Inverifi provides a risk management tool that enables you to identify, assess, and treat risks in a systematic and structured way. This tool includes risk assessments, risk registers, risk treatment plans, and risk reporting features, all of which can help your organisation to meet the requirements of ISO 31000.

Centralised document management

Inverifi provides a centralised platform for managing all your documentation, including policies, procedures, and reports. This can help you to maintain an audit trail and ensure that all documentation is up to date and easily accessible.


Inverifi provides a reporting feature that enables you to track and monitor your organisation’s risk management performance. It offers visual reporting of the number of risks, as well as a breakdown of the likelihood, severity and impact scores.