Implementing ISO 31000:2018 for Operational Risk Management

ISO 31000 is the most widely-adopted risk management standard in the world — and the most misunderstood. This guide strips it down to the five steps your operational risk team will actually run, week after week, against a live register.

In short

The five-step loop, in practice

1. Identify

List everything that could go wrong. Workshop by process, department, or value stream. Record cause and consequence separately — 'server outage' is not a risk; 'customer-facing outage caused by unpatched dependency, leading to SLA breach' is.

Output: A raw register of candidate risks with owners assigned.

2. Analyze

Score each risk on likelihood (1–5) and impact (1–5) before controls — this is the inherent score. Use a 5×5 matrix so severity is a single number your board can compare across categories.

Output: Inherent likelihood × impact = inherent severity for every entry.

3. Evaluate

Compare inherent severity against your risk appetite. Anything above the tolerance line needs treatment; anything below can be accepted and monitored. This is where the register stops being a list and starts driving decisions.

Output: A prioritized shortlist of risks that require action.

4. Treat

Pick a strategy per risk: avoid, reduce, transfer, or accept. Log the specific controls and treatment actions, then re-score post-treatment to get the residual severity. The gap between inherent and residual is the evidence that your controls worked.

Output: Named controls, action owners, and residual scores for each treated risk.

5. Monitor & Review

Set a review cadence per risk based on severity — quarterly for low, monthly for high, and immediately when a trigger event occurs. Track control effectiveness and re-score when the environment changes. ISO 31000 is a loop, not a checklist.

Output: A living register with next-review dates and an audit trail of changes.

Start with a template that already fits

The columns your ISO 31000 register needs — inherent scoring, residual scoring, treatment strategy, next-review date — are already laid out in our free Excel template.

FAQ

What is ISO 31000?
ISO 31000:2018 is the international standard for risk management. It defines principles, a framework, and a process that any organization — public or private, of any size — can apply to any type of risk. It is deliberately non-prescriptive: it tells you how to structure risk management, not which risks to accept.
What are the five steps of the ISO 31000 process?
Identify, Analyze, Evaluate, Treat, and Monitor & Review. Communication and consultation run alongside every step. In practice, operational risk teams run this loop continuously against a live risk register rather than as a one-off exercise.
How is ISO 31000 different from COSO ERM?
COSO ERM is oriented around strategy and financial reporting, with a strong internal-controls lineage. ISO 31000 is broader and lighter-weight — it works for operational, project, IT, and compliance risk without requiring the COSO governance stack. Most operational teams adopt ISO 31000 for day-to-day risk work and map to COSO only where audit requires it.
Do I need to be certified to use ISO 31000?
No. ISO 31000 is a guidance standard, not a certifiable one. You align your process to it and can be audited against it, but there is no certification body issuing an 'ISO 31000 certificate' for organizations.