Category: Risk management frameworks · Reviewed by Jake Leat, Associate Director · Last reviewed
ISO 31000:2018 is the international standard on risk management published by the International Organization for Standardization. It provides principles, a framework and a process applicable to any organisation regardless of sector or size. Unlike ISO 27001 or ISO 9001, ISO 31000 is not certifiable — it is a guidance standard.
The 2018 revision is organised around three layers:
1. Principles (Clause 4). Eight principles describe what good risk management looks like: integrated, structured and comprehensive, customised, inclusive, dynamic, best-available information, human and cultural factors, and continual improvement.
2. Framework (Clause 5). A Plan–Do–Check–Act cycle covering leadership and commitment, integration, design, implementation, evaluation and improvement of the organisation's risk-management arrangements.
3. Process (Clause 6). The operational steps: communication and consultation; scope, context and criteria; risk assessment (identification → analysis → evaluation); risk treatment; monitoring and review; recording and reporting.
Compared with COSO ERM, ISO 31000 is shorter, principle-led and process-neutral; COSO ERM is more prescriptive, control-oriented and geared towards the financial reporting requirements of US-listed companies (Sarbanes-Oxley). Many UK insurers blend the two: COSO for internal controls and reporting, ISO 31000 for the operating risk process.
Insurer underwriting questionnaires for D&O, cyber and management-liability lines often ask whether the insured has adopted “a recognised risk management framework such as ISO 31000 or COSO ERM”. Affirmative answers can shift terms in the insured’s favour.
Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.