
Risk management based on ISO 31000

All organisations are exposed to internal and external influences that create uncertainty as to whether they will achieve their goals. Risk management helps organisations identify potential threats and opportunities, select appropriate strategies, and make informed decisions. It is an essential part of the governance and management of an organisation at all levels and in all activities. The international standard ISO 31000 defines the principles, framework and process for risk management so that risk management is effective, efficient and consistent.

Risk management brings many benefits to organisations. Organisations can identify emerging risks in time, consider the threat of extreme events, adapt their strategies to their risk appetite, collect and assess all risks in one place, and create a risk management culture in the organisation.

The risks associated with the threats and opportunities that organisations face can be:

  • strategic, e.g. the risk of losing or failing to gain a position on the market, the risk of loss of goodwill, the risk of failure of a business plan;
  • financial, e.g. market price risk, transaction risk with other organisations, liquidity risk and many others;
  • compliance, i.e. the risk of failing to meet the requirements of laws, regulations, standards or contractual obligations, e.g. in the areas of environment, anti-bribery, quality, health and safety, information security and many more;
  • operational, i.e. all risks associated with the execution of processes and procedures or the operation of systems.

Risk management may be required by laws (e.g. Act No. 320/2001 Coll., on Financial Control), regulations (e.g. the CNB’s official communication of 27 May 2011 on the performance of activities on the financial market – operational risk in the area of the information system), contractual obligations, standards (e.g. business continuity risk management according to ISO 22301) or the organisation’s own internal requirements.

ISO 31000 standard

ISO 31000 provides risk management principles, a framework and a process. For risk management to be effective, organisations should adopt the ISO 31000 principles at all levels – strategic, operational, programme and project. In addition to adopting the principles, organisations should establish a risk management framework. The framework supports effective risk management through the risk management process.

[Figure omitted. Source: ISO 31000]

Principles of risk management

The basis of risk management is a set of principles that must be taken into account when developing the risk management framework and process. The principles ensure that risk management is an integral part of the organisation’s activities, is structured so as to provide consistent and comparable results, is customised to the organisation, properly involves stakeholders, responds to both incremental and sudden changes in the organisation’s context, is based on the best available information, takes human behaviour and culture into account and, finally, is continually improved.

Risk management framework

Organisations need to integrate risk management into their essential activities and functions. This is done through a risk management framework that covers the integration, design, implementation, evaluation and improvement of risk management across the organisation. The characteristics of the framework, and the extent to which it is integrated into the organisation’s management system, ultimately determine how effectively risks are managed. The objectives of risk management, the policy and the support of top management (the basis of the framework), as well as the specific plans, relationships, responsibilities, resources, processes and activities (the arrangements), significantly affect the effectiveness of the entire system.

Risk management process

As the diagram shows, the risk management process consists of ongoing communication and consultation, establishing the context, risk assessment (risk identification, analysis and evaluation), risk treatment, monitoring and review, and recording and reporting of risks. A more detailed description of the risk management process is beyond the scope of this article.

[Figure omitted. Source: PECB]

Implementation of risk management in the organisation

Implementing risk management in an organisation requires the support of senior management and a commitment to align the purpose of risk management with the organisation’s goals and policies. It further requires embedding risk management in the organisation’s culture, integrating it into the organisation’s core business and decision-making processes, assigning roles, responsibilities and accountabilities, and ensuring the availability of resources.

Effective risk management cannot work without appropriate documentation, including:

  • the organisation’s risk management policy, which sets out the strategic direction of risk management in the organisation and the scope and structure of its risk management activities;
  • descriptions of processes, procedures and controls, stating who does what, when, where, how and why;
  • records that provide evidence that activities comply with the risk management processes.

It is essential to continuously monitor and review both the risk management framework and all identified risks. This contributes to the continual improvement of the organisation’s ability to detect, manage and treat the risks to which it is exposed in a rapidly changing environment.


The organisation’s risk management process may seem complicated and perhaps unnecessary; it is certainly not. If the organisation adopts the principles of risk management and implements them appropriately in its activities, the benefits will undoubtedly outweigh the effort invested. And if unnecessary mistakes are avoided at the beginning, then with each subsequent risk review the work involved will be less, the results better and the positive effects greater. It makes sense :).
