- What is ISO 31000?
- ISO 31000:2018 is the international standard for risk management. It defines principles, a framework, and a process that any organization — public or private, of any size — can apply to any type of risk. It is deliberately non-prescriptive: it tells you how to structure risk management, not which risks to accept.
- What are the five steps of the ISO 31000 process?
- Identify, Analyze, Evaluate, Treat, and Monitor & Review. Communication and consultation run alongside every step. In practice, operational risk teams run this loop continuously against a live risk register rather than as a one-off exercise.
- How is ISO 31000 different from COSO ERM?
- COSO ERM is oriented around strategy and financial reporting, with a strong internal-controls lineage. ISO 31000 is broader and lighter-weight — it works for operational, project, IT, and compliance risk without requiring the COSO governance stack. Most operational teams adopt ISO 31000 for day-to-day risk work and map to COSO only where audit requires it.
- Do I need to be certified to use ISO 31000?
- No. ISO 31000 is a guidance standard, not a certifiable one. You align your process to it and can be audited against it, but there is no certification body issuing an 'ISO 31000 certificate' for organizations.