ISO 31000
Risk Management — Principles & Guidelines
ISO · IEC 31010 companion · 2018 edition · Aviation Safety Frameworks

ISO 31000 is the international consensus standard for managing any kind of risk — financial, operational, strategic, or safety. It is principle-based rather than prescriptive, offering a common vocabulary and a single integrating picture of principles, framework, and process that sits above sector-specific methods.

Overview of the framework

First issued in 2009 and revised in 2018, ISO 31000 defines risk as the "effect of uncertainty on objectives" — a definition that aligns well with Aven's (A, C, U) perspective. The standard presents three integrated layers. Principles describe the qualities any good risk-management system should exhibit (integrated, structured, customised, inclusive, dynamic, best-available information, human and cultural factors, continual improvement). The Framework embeds risk management into organisational governance: leadership and commitment, integration, design, implementation, evaluation, and improvement. The Process is the operational loop: scope/context/criteria, risk assessment (identify, analyse, evaluate), risk treatment, and the cross-cutting activities of communication & consultation, monitoring & review, and recording & reporting (ISO, 2018).

Its companion, IEC 31010:2019, catalogues more than 40 specific risk-assessment techniques — bow-tie, HAZOP, FMEA, Bayesian networks, Monte Carlo — so ISO 31000 provides the scaffolding while 31010 supplies the tools.

[Figure 1 diagram. Panels: PRINCIPLES (Integrated · Structured & comprehensive · Customised · Inclusive · Dynamic · Best-available info · Human & cultural factors · Continual improvement; centre: Value creation & protection); FRAMEWORK (Leadership · Design · Implement · Evaluate · Improve); PROCESS (Scope · Context · Criteria · Risk Identification · Risk Analysis · Risk Evaluation · Risk Treatment; cross-cutting: Communication · Monitoring · Recording).]
Figure 1 · The ISO 31000 trinity — Principles, Framework, and Process — with cross-cutting communication, monitoring, and recording.

When to use it

Typical applications

  • Establishing a unified enterprise risk management (ERM) function across safety, finance, compliance, and strategy.
  • Meeting a contracting or regulatory expectation for "an internationally recognised risk-management standard."
  • Integrating risk into strategy, investment, and project decisions.
  • Building a common vocabulary across specialised risk sub-disciplines.

Aviation relevance

  • Anchors enterprise risk management alongside ICAO Annex 19 SMS — SMS becomes the safety-specific implementation of ISO 31000.
  • Supports integrated safety/security/cyber risk reporting for boards.
  • Used by major airlines and ANSPs for top-down risk appetite and tolerance statements.
  • IEC 31010 offers the toolkit — FMEA, HAZOP, bow-tie, FTA, Monte Carlo, Bayesian networks — used inside aviation safety cases.

Benefits

  • Universally recognised. Common language that regulators, auditors, customers, and insurers understand.
  • Principle-based. Doesn't prescribe tools — organisations adopt whichever sector-specific methods suit them.
  • Governance integration. Explicit expectation that risk management is owned at the top and integrated into decisions.
  • Pairs with IEC 31010. Supplies a vetted catalogue of 40+ techniques — no need to invent methods.
  • Compatible with other management systems. ISO Annex SL structure aligns with ISO 9001, 14001, 27001, 45001.
  • Definition of risk accepts uncertainty. The 2018 edition sharpened the "effect of uncertainty on objectives" definition, aligning with modern risk science.
  • Inclusive language. Emphasises stakeholder engagement, culture, and human factors.
  • Continual improvement. Framework loop mirrors Deming's PDCA — familiar to most organisations.

Limitations

  • High-level by design. Offers little granular guidance — operational teams need further methods on top.
  • Not certifiable. Unlike ISO 9001, ISO 31000 is a guideline; organisations cannot be certified against it (only conformance is claimable).
  • Risk of ritualism. Organisations can tick ISO 31000 boxes while making little real change in decisions.
  • Sector neutrality cuts both ways. General-purpose vocabulary can feel thin when mapped onto aviation-specific hazards and SMS terminology.
  • Probability still dominates. In practice, many ISO 31000 implementations collapse uncertainty into a likelihood score — losing the nuance that the definition invites.
  • Mapping to SMS takes effort. ICAO Annex 19 and ISO 31000 use overlapping but non-identical terminology (hazard / risk / event).

In short

ISO 31000 is the umbrella. It gives organisations a common language and governance shape for risk, and pairs with IEC 31010 as the technique library. Use it to integrate safety risk with enterprise and financial risk; use SMS, bow-ties, and FRAM/STAMP underneath for the actual analysis.

References (APA 7)

International Organization for Standardization. (2018). ISO 31000:2018 Risk management — Guidelines. ISO.

International Electrotechnical Commission. (2019). IEC 31010:2019 Risk management — Risk assessment techniques. IEC.

International Organization for Standardization. (2009). ISO Guide 73:2009 Risk management — Vocabulary. ISO.

Purdy, G. (2010). ISO 31000:2009 — Setting a new standard for risk management. Risk Analysis, 30(6), 881–886.

Leitch, M. (2010). ISO 31000:2009 — The new international standard on risk management. Risk Analysis, 30(6), 887–892.

Aven, T. (2011). On the new ISO guide on risk management terminology. Reliability Engineering & System Safety, 96(7), 719–726.

Further reading

International Civil Aviation Organization. (2018). Doc 9859 Safety management manual (4th ed.). ICAO.

Hopkin, P. (2018). Fundamentals of risk management (5th ed.). Kogan Page.

Kaplan, R. S., & Mikes, A. (2012). Managing risks: A new framework. Harvard Business Review, 90(6), 48–60.

Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1–13.