ISO 31000: risk management in practice

ISO 31000 is the world's most widely used risk management standard. It isn't a certifiable checklist; it's a process: identify, analyse, evaluate, treat, monitor. Here's what it actually requires from you and how to implement it without reading 40 pages of standard text.

What is ISO 31000?

ISO 31000:2018 is an international standard for risk management published by ISO. It describes a generic risk management process that works for any organisation, regardless of size, sector, or type of risk.

Unlike ISO 27001 or ISO 9001, ISO 31000 is **not certifiable**. There's no auditor who gives you a certificate. The standard is guidance, a structure you apply to get consistent, considered risk management.

RiskNote implements the full process.

The ISO 31000 process (5 steps)

  • 1. Identify risks

    List every risk that could affect the organisation's objectives. Be exhaustive; the risks you miss are the most dangerous ones. RiskNote's AI suggests 5 industry-relevant risks per analysis as a starting point.

  • 2. Analyse risks

    Assess each risk's likelihood and consequence. ISO 31000 is agnostic about scale: 5x5 matrices are the most common, but 3x3 or 7x7 also work. RiskNote uses 5x5.

  • 3. Evaluate risks

    Compare against the organisation's risk tolerance. Is the risk acceptable, watch-listed, or does it require treatment? Prioritise.

  • 4. Treat risks

    Accept, reduce, transfer (insurance/outsourcing), or avoid. Document the response. RiskNote V1.1 (June 2026) adds structured action planning.

  • 5. Monitor and review

    Risks move. Come back to the register regularly: quarterly, per sprint, or on major change. An audit trail is required.

ISO 31000 checklist for your first implementation

  • Executive sponsorship

    Risk management without management backing becomes a spreadsheet no one opens. Write a one-page policy the CEO signs.

  • Define risk tolerance

    What are you willing to accept? What requires action? Write three or four levels everyone can refer to.

  • Establish context

    Industry, size, regulatory requirements, stakeholders. These shape the risk picture. In RiskNote you capture this once in the organisation profile.

  • Run the first identification

    Brainstorm with key people, with AI suggestions as a complement. Aim for 10–20 risks to start.

  • Assess likelihood and consequence

    Use a consistent scale. Have definitions for each level (1–5).

  • Document actions per risk

    What will be done? Who owns it? When? Follow up.

  • Set a review cadence

    Quarterly is standard. Some risks (cyber, vendors) need more frequent review.

  • Create audit evidence

    PDF export from RiskNote works as documentation for audit, board meeting, and insurance renewal.
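The analyse, evaluate, treat and monitor steps above, and the checklist items on tolerance levels, 1–5 scales, action ownership, review cadence and audit evidence, can be expressed as a small risk register. The following is an added illustration, not RiskNote's code; the 5x5 scoring, the four tolerance bands, the review intervals and the sample risks are all constructed assumptions, since ISO 31000 prescribes none of them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed example, not RiskNote's code. ISO 31000 fixes neither matrix size nor
# tolerance levels: here a 5x5 matrix scores likelihood * consequence (1..25) and the
# bands carve that into the "three or four levels" the checklist asks you to define.
TOLERANCE_BANDS = [(1, 4, "acceptable"), (5, 9, "watch-list"),   # (low, high, level)
                   (10, 15, "treat"), (16, 25, "treat-urgent")]
TREATMENTS = {"accept", "reduce", "transfer", "avoid"}             # step 4 options
REVIEW_DAYS = {"acceptable": 365, "watch-list": 90, "treat": 30, "treat-urgent": 14}

@dataclass
class Risk:
    name: str
    likelihood: int        # 1..5, per the level definitions you wrote down
    consequence: int       # 1..5
    owner: str             # who follows the action up
    treatment: str = "accept"
    history: list = field(default_factory=list)   # audit trail for step 5

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.name}: treatment must be one of {sorted(TREATMENTS)}")
        self.score()  # reject off-scale ratings when the risk is registered

    def score(self) -> int:
        # Step 2 (analyse): position on the 5x5 matrix.
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError(f"{self.name}: ratings must be on the 1-5 scale")
        return self.likelihood * self.consequence

    def evaluate(self) -> str:
        # Step 3 (evaluate): compare the score with the organisation's tolerance bands.
        s = self.score()
        return next(level for lo, hi, level in TOLERANCE_BANDS if lo <= s <= hi)

def rescore(risk: Risk, likelihood: int, consequence: int, when: date, reason: str) -> str:
    # Step 5 (monitor): change a rating and record what moved, when and why.
    before = risk.evaluate()
    risk.likelihood, risk.consequence = likelihood, consequence
    after = risk.evaluate()
    risk.history.append({"date": when.isoformat(), "from": before, "to": after, "reason": reason})
    return after

def next_review(risk: Risk, last_review: date) -> date:
    # Review cadence follows the evaluated level: hotter risks come back sooner.
    return last_review + timedelta(days=REVIEW_DAYS[risk.evaluate()])

def prioritise(register: list) -> list:
    return sorted(register, key=lambda r: (-r.score(), r.name))  # highest score first
```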

How RiskNote supports ISO 31000

RiskNote implements the ISO 31000:2018 process from identification to monitoring. The AI analysis helps with step 1 (identify) by suggesting relevant risks for your context. The 5x5 matrix covers steps 2 and 3 (analyse, evaluate). Action tracking (V1.1) covers step 4 (treat). Status updates and versioning cover step 5 (monitor).

It isn't a certification (none exists for ISO 31000), but it is a standards-based, traceable, and reproducible process that works in both SMEs and larger organisations.

Frequently asked questions about ISO 31000

Is ISO 31000 mandatory?

No. ISO 31000 is a voluntary standard. But it's often a prerequisite for compliance with other frameworks: ISO 27001, ISO 9001, NIS2, DORA, and GDPR articles on risk-based security all reference ISO 31000-compatible risk management processes.

Can we certify against ISO 31000?

No, ISO 31000 isn't certifiable. It's guidance, not a requirements list. If you want a certified management system for risk: ISO 31010 covers risk assessment techniques, and ISO 27001 (information security) includes risk management as part of its certifiable management system.

How does ISO 31000 differ from ISO 27005?

ISO 31000 is the generic risk management standard. ISO 27005 is its specific application to information-security risk (and is used together with ISO 27001). They're compatible: ISO 27005 implements ISO 31000 in the infosec context.

Which risk matrix does ISO 31000 recommend?

ISO 31000 doesn't recommend a specific matrix size. 5x5 is common practice in most organisations. 3x3 is too coarse for most purposes, and 7x7 or larger is rarely practical. RiskNote uses 5x5.

What's the difference between ISO 31000 and COSO ERM?

ISO 31000 is international and more process-focused. COSO ERM (Enterprise Risk Management) comes from the US and ties more strongly to internal control and financial reporting. Both are compatible risk management frameworks.

Get started with ISO 31000 today

RiskNote implements the ISO 31000:2018 process from identification to monitoring. Start a free trial; your first risk assessment can be ready before lunch.