Managing risk in projects - Application guidelines

IEC 62198:2025 provides principles and generic guidelines on managing risk in projects. In particular it describes a systematic approach to managing risk in projects based on ISO 31000. Guidance is provided on the principles for managing risk in projects, the framework and organizational requirements for implementing risk management, and the process for conducting effective risk management. This third edition cancels and replaces the second edition, published in 2013, and constitutes a technical revision.
This edition includes the following technical changes with respect to the previous edition:
a) now aligned with ISO 31000, Risk management - Guidelines and ISO 21502, Project, programme and portfolio management - Guidance on project management.
b) the principles and generic guidelines on managing risk in projects have been updated to take into account developments in risk management and leadership, with particular reference to implementing risk management within the broad scope of project management envisaged by ISO 21502, including project-related oversight and direction by the sponsoring organization.


General Information

Status: Published
Publication Date: 24-Jun-2025
Technical Committee: TC 56 - Dependability
Current Stage: PPUB - Publication issued
Start Date: 25-Jun-2025
Completion Date: 11-Apr-2025

Relations

Standard: IEC 62198:2025 RLV - Managing risk in projects - Application guidelines
Released: 25 June 2025
ISBN: 9782832705438
Language: English
142 pages

Standards Content (Sample)


IEC 62198®
Edition 3.0 2025-06
REDLINE VERSION
INTERNATIONAL STANDARD
Managing risk in projects - Application guidelines
ICS 03.100.01
ISBN 978-2-8327-0543-8
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or
by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either
IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright
or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local
IEC member National Committee for further information.

IEC Secretariat
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, as a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical
committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and
once a month by email.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer
Service Centre: sales@iec.ch.

IEC Products & Services Portal - products.iec.ch
Discover our powerful search engine and read freely all the publications previews, graphical symbols and the glossary.
With a subscription you will always have access to up to date content tailored to your needs.

Electropedia - www.electropedia.org
The world's leading online dictionary on electrotechnology, containing more than 22 500 terminological entries in English
and French, with equivalent terms in 25 additional languages. Also known as the International Electrotechnical Vocabulary
(IEV) online.
CONTENTS
FOREWORD . 3
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Managing risks in projects . 9
5 Principles . 11
6 Project risk management framework . 13
6.1 General . 13
6.2 Leadership and commitment . 14
6.3 Design of the framework for managing project risk . 15
6.3.1 Understanding the project and its context . 15
6.3.2 Establishing the project risk management policy . 16
6.3.3 Accountability . 16
6.3.4 Integration into project management processes . 17
6.3.5 Resources . 17
6.3.6 Establishing internal project communication and reporting mechanisms . 18
6.3.7 Establishing external project communication and reporting mechanisms . 18
6.4 Implementing project risk management . 18
6.4.1 Implementing the framework for managing project risk. 18
6.4.2 Implementing the project risk management process . 19
6.5 Monitoring and review of the project risk management framework . 19
6.6 Continual improvement of the project risk management framework . 19
7 Project risk management process . 20
7.1 General . 20
7.2 The project risk management plan . 22
7.3 Communication and consultation. 22
7.4 Scope, context and criteria . 23
7.4.1 General . 23
7.4.2 Defining the scope . 23
7.4.3 Establishing the external context . 24
7.4.4 Establishing the internal context . 24
7.4.5 Establishing the context of the project risk management process . 25
7.4.6 Defining risk criteria . 25
7.4.7 Key elements . 26
7.5 Risk assessment . 27
7.5.1 General . 27
7.5.2 Risk identification . 27
7.5.3 Risk analysis . 28
7.5.4 Risk evaluation . 29
7.6 Risk treatment . 29
7.6.1 General . 29
7.6.2 Selection of risk treatment options . 29
7.6.3 Risk treatment plans . 30
7.7 Monitoring and review . 31
7.7.1 General . 31
7.7.2 Management meetings . 32
7.8 Recording and reporting the project risk management process . 32
7.8.1 Reporting . 32
7.8.2 Records and data storage . 32
7.8.3 The project risk register . 33
Annex A (informative) Examples . 35
A.1 General . 35
A.2 Project risk management process . 35
A.2.1 Stakeholder analysis (see 7.3) . 35
A.2.2 External and internal context (see 7.4.3 and 7.4.4) . 36
A.2.3 Risk management context (see 7.4.5) . 38
A.2.4 Risk management context for a power enhancement project .
A.2.4 Risk criteria (see 7.4.6) . 39
A.2.5 Key elements (see 7.4.7) . 40
A.2.6 Risk analysis (see 7.5.3) . 42
A.2.7 Risk evaluation (see 7.5.4) . 46
A.2.8 Risk treatment (see 7.6) . 47
A.2.9 Risk register (see 7.5.2 and 7.8.3) . 47
Bibliography . 49

Figure 1 – Principal stakeholders in a project .
Figure 1 – Relationship between the components of the framework for managing risk,
adapted from ISO 31000 . 14
Figure 2 – Project risk management process, adapted from ISO 31000 . 21
Figure A.1 – Risk management scope for an open pit mine project . 39
Figure A.2 – Distribution of cost estimate using simulation (example only) . 46

Table 1 – Typical phases in a project . 10
Table A.1 – Stakeholders for a government project . 35
Table A.2 – Stakeholders and objectives for a ship upgrade . 36
Table A.3 – Stakeholders and communication needs for a civil engineering project . 36
Table A.4 – External context for an energy project . 37
Table A.5 – Internal context for a private sector infrastructure project . 38
Table A.6 – Example risk management context for a power enhancement project . 38
Table A.7 – Criteria for a high-technology project . 40
Table A.8 – Key elements and workshop planning guide for a defence project .
Table A.8 – Key elements for a communications system project . 41
Table A.9 – Key elements for establishing a new health service organization . 42
Table A.10 – Example consequence scale . 43
Table A.11 – Example likelihood scale . 44
Table A.12 – Example of a matrix for determining the level of risk . 44
Table A.13 – Example of priorities for attention . 47
Table A.14 – Example of a treatment options worksheet . 47
Table A.15 – Simple risk register structure . 47
Table A.16 – Example scale for control effectiveness (CE) . 48
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
Managing risk in projects - Application guidelines
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international
co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and
in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports,
Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their
preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with
may participate in this preparatory work. International, governmental and non-governmental organizations liaising
with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for
Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence between
any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) IEC draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). IEC takes no position concerning the evidence, validity or applicability of any claimed patent rights in
respect thereof. As of the date of publication of this document, IEC had not received notice of (a) patent(s), which
may be required to implement this document. However, implementers are cautioned that this may not represent
the latest information, which may be obtained from the patent database available at https://patents.iec.ch. IEC
shall not be held responsible for identifying any or all such patent rights.
This redline version of the official IEC Standard allows the user to identify the changes
made to the previous edition IEC 62198:2013. A vertical bar appears in the margin
wherever a change has been made. Additions are in green text, deletions are in
strikethrough red text.
IEC 62198 has been prepared by IEC technical committee 56: Dependability. It is an
International Standard.
This third edition cancels and replaces the second edition, published in 2013, and constitutes
a technical revision.
This edition includes the following technical changes with respect to the previous edition:
a) now aligned with ISO 31000, Risk management – Guidelines and ISO 21502, Project,
programme and portfolio management – Guidance on project management [1].
b) the principles and generic guidelines on managing risk in projects have been updated to
take into account developments in risk management and leadership, with particular
reference to implementing risk management within the broad scope of project management
envisaged by ISO 21502, including project-related oversight and direction by the sponsoring
organization.
The text of this International Standard is based on the following documents:
Draft: 56/2058/FDIS
Report on voting: 56/2081/RVD
Full information on the voting for its approval can be found in the report on voting indicated
above.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and developed in
accordance with ISO/IEC Directives, Part 1 and ISO/IEC Directives, IEC Supplement, available
at www.iec.ch/members_experts/refdocs. The main document types developed by IEC are
described in greater detail at www.iec.ch/publications.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under webstore.iec.ch in the data related to the
specific document. At this date, the document will be
• reconfirmed,
• withdrawn, or
• revised.
___________
Numbers in square brackets refer to the Bibliography.
INTRODUCTION
Every project involves uncertainty and risk. Project risks can be related to the objectives of the
project itself or to the objectives of the assets, products or services the project creates. This
document provides guidelines for managing risks in a project in a systematic, effective, efficient
and consistent way.
Risk management includes the coordinated activities to direct and control an organization with
regard to risk. ISO 31000, Risk management – Principles and Guidelines, describes:
a) the principles for effective risk management,
b) the framework that provides the foundations and organizational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk management throughout
an organization, and
c) a process for managing risk that can be applied to all types of risk in any organization.
This document shows how those general principles and guidelines apply to managing
uncertainty, threats and opportunities in projects. It applies to all kinds of projects and project
management processes. When applying this document in conjunction with flexible or agile
project management processes, the project’s objectives, requirements and specifications are
expected to evolve as the project progresses. The application of this document can be adjusted
in these circumstances.
This document is relevant to individuals and organizations concerned with any or all phases in
the life cycle of projects. It can also be applied to sub-projects and to sets of inter-related
projects and programmes.
The application of this document can be tailored to each specific project by taking into
consideration factors such as context, objectives and requirements. Therefore, it is not in the
scope of this document to impose a certification system for risk management practitioners.
The guidance provided in this document is not intended to override existing industry-specific
standards, although the guidance can be helpful in such instances.

1 Scope
This document provides principles and generic guidelines on managing risk and uncertainty in
projects. In particular it describes a systematic approach to managing risk in projects based on
ISO 31000, Risk management – Principles and guidelines.
Guidance is provided on the principles for managing risk in projects, the framework and
organizational requirements for implementing risk management, and the process for conducting
effective risk management.
This standard is not intended for the purpose of certification.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies.
For undated references, the latest edition of the referenced document (including any
amendments) applies.
ISO 31000, Risk management – Principles and Guidelines
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following
addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several
consequences.
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
Note 3 to entry: An event can be a risk source.
[SOURCE: ISO 31000:2018, 3.5]
3.2
opportunity
combination of circumstances expected to be favourable to objectives
Note 1 to entry: An opportunity is a positive situation in which gain is likely and over which one has a fair level of
control.
Note 2 to entry: An opportunity to one party may pose a threat to another.
Note 3 to entry: Taking or not taking an opportunity are both sources of risk.
[SOURCE: IEC 31010:2019, 3.2 [2]]
3.3
project
temporary endeavour to achieve one or more defined objectives
Note 1 to entry: A project generally consists of a set of coordinated and controlled activities with start and finish
dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost
and resources.
Note 2 to entry: An individual project can form part of a larger project structure and generally has a defined start
and finish date.
Note 3 to entry: In some projects the objectives and scope are updated and the product or service characteristics
defined progressively as the project proceeds.
Note 4 to entry: The project’s product is generally defined in the project scope. The output of a project can be one
or several units of product or service.
Note 5 to entry: The project’s organization is normally temporary and established for the lifetime of the project.
Note 6 to entry: The complexity of the interactions among project activities is not necessarily related to the project
size.
[SOURCE: ISO 21502:2020, 3.20, modified – The Notes have been taken from ISO 10006:2017, 3.3. [3]]
3.4
project management
coordinated activities to direct and control the accomplishment of agreed objectives
[SOURCE: ISO 21502:2020, 3.24]
3.5
project management plan
documented description of the technical and management baselines to be followed for a project
[SOURCE: ISO 21506:2024, 3.68 [4]]
3.6
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their
likelihood.
[SOURCE: ISO 31000:2018, 3.1]
3.7
risk management
coordinated activities to direct and control an organization with regard to risk
[SOURCE: ISO 31000:2018, 3.2]
3.8
risk management framework
set of components that provide the foundations and organizational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk management throughout the
organization
Note 1 to entry: The foundations include the policy, objectives, mandate and commitment to manage risk (3.6).
Note 2 to entry: The organizational arrangements include plans, relationships, accountabilities, resources,
processes and activities.
Note 3 to entry: The risk management framework is embedded within the organization's overall strategic and
operational policies and practices.
[SOURCE: ISO Guide 73:2009, 2.1.1 [5]]
3.9
risk management policy
statement of the overall intentions and direction of an organization related to risk management
[SOURCE: ISO 31073:2022, 3.2.2 [6]]
3.10
risk management plan
scheme within the risk management framework specifying the approach, the management
components and resources to be applied to the management of risk
Note 1 to entry: Management components typically include procedures, practices, assignment of responsibilities,
sequence and timing of activities.
Note 2 to entry: The risk management plan can be applied to a particular product, process and project (3.3), and
part or whole of the organization.
[SOURCE: ISO 31073:2022, 3.2.3]
3.11
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analysing, evaluating,
treating, monitoring and reviewing risk
[SOURCE: ISO 31073:2022, 3.3.1]
3.12
risk treatment
process to modify risk
Note 1 to entry: Risk treatment can involve:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk,
– taking or increasing risk in order to pursue an opportunity,
– removing the risk source,
– changing the likelihood,
– changing the consequences,
– sharing the risk with another party or parties (including contracts and risk financing), and
– retaining the risk by informed decision.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
[SOURCE: ISO 31073:2022, 3.3.32]
3.13
threat
potential source of danger, harm, or other undesirable outcome
Note 1 to entry: A threat is a negative situation in which loss is likely and over which one has relatively little control.
Note 2 to entry: A threat to one party may pose an opportunity to another.
[SOURCE: IEC 31010:2019, 3.5]
3.14
uncertainty
state, even partial, of deficiency of information related to understanding or knowledge
Note 1 to entry: In some cases, uncertainty can be related to the organization’s context as well as to its objectives.
Note 2 to entry: Uncertainty is the root source of risk, namely any kind of “deficiency of information” that matters in
relation to objectives (and objectives, in turn, relate to all relevant interested parties’ needs and expectations).
[SOURCE: ISO 31073:2022, 3.1.3]
3.15
work breakdown structure
decomposition of the defined scope of a project or programme into progressively lower levels
consisting of elements of work
[SOURCE: ISO 21502:2020, 3.29]
4 Managing risks in projects
Every project involves uncertainties that can lead to risks. These uncertainties can relate to the
objectives of the project itself (for example to complete the project within a specified time
frame and budget) or to the requirements of the assets, products or services that the project
creates (for example for a product to be safe, dependable and environmentally sustainable).
The consequences that could arise from uncertainty in a project can be beneficial as well as
detrimental, so project risk management is directed not only to avoiding or reacting to problems
but also to identifying and capturing opportunities. Taking account of project risks contributes
to better decisions, better project outcomes and increased value for stakeholders.
This document is relevant to individuals and organizations concerned with any or all phases in
the life cycle of projects. To obtain maximum benefit, risk management activities should be
initiated at the outset when considering a project, and continued through subsequent phases
(see Table 1). However, project risk management can be initiated successfully at any point in
the life cycle, providing appropriate preliminary work is undertaken. It is scalable, so it can be
used with both small and large projects and with individual phases of projects. It can also be
applied to sub-projects and to sets of inter-related projects and programmes.
Risk management should be integrated with project management activities and processes. It
should not be separate or an afterthought.
A typical set of project phases and their characteristics is shown in Table 1. In practice, there
can be iteration between the phases.
Table 1 – Typical phases in a project

Phase 1
Phase label: Identify
Purpose: Appraising opportunities: determine whether the project could be worthwhile and its alignment with
business strategy
Focus of risk management activities: Strategic threats and opportunities

Phase 2
Phase label: Pre-feasibility (Concept)
Purpose: Selecting options: identify and appraise project development options and select the preferred one
Focus of risk management activities: Risk-based options selection

Phase 3
Phase label: Feasibility (Select)
Purpose: Defining the project: finalize the scope and detail of the preferred option
Focus of risk management activities: Design and delivery strategy

Phase 4
Phase label: Deliver (Design and develop; Install and commission)
Purpose: Delivering the project: produce an operating asset, product or service, consistent with the agreed scope
Focus of risk management activities: Project delivery, test and handover

Phase 5 (additional activities)
Phase label: Operate and maintain (Implement)
Purpose: Realising the benefits: evaluate the project outcome to ensure performance
Focus of risk management activities: Operation and maintenance

Phase 6 (additional activities)
Phase label: Abandon (Dispose)
Purpose: Closure: ensure safe and acceptable closure or disposal
Focus of risk management activities: Disposal and rehabilitation

NOTE The additional activities (Phases 5 and 6, the two right-hand columns of the original table) correspond to
phases in the life cycle of an asset, product or service that is created by a project. They are not project phases, but
they are included here because they are often considered by project managers as they proceed through phases 1 to 4.

It is common for each phase to culminate in a decision point (sometimes called a gate) at which
executive approval is provided for progression and entry to the next phase. Information on risks
and risk management is an important part of the information provided to executives to support
their decisions at each decision point. Information on risks and controls in each phase should
also be shared with other teams managing the next phase of the project.
All people in the organizations associated with a project have a role in managing the risks
associated with their decisions (Figure 1) and activities. This document is intended for use by:
a) project directors and project managers who are part of an organization that owns or
commissions the project or that will own or manage the assets, products or services the
project will create,
b) members of project teams who are responsible for significant sub-projects, groups of
activities or packages of work, and the associated risks,
c) risk managers and members of risk management groups, internal or external to the
organization, who are responsible for overseeing, supporting or administering risk
management activities in the project,
d) project owners or sponsors who are responsible for ensuring that the sponsoring
organization’s business interests in the project are maintained and that the expected
outcomes and benefits are realized,
e) executives who have to approve the progression of the project at each decision point and
the expenditure, resource allocation and objectives associated with the subsequent phase,
f) peer reviewers who provide assurance to the executives who make approval decisions that
the supporting information is comprehensive, accurate, valid and reliable,
g) project directors and project managers who are part of a contracting organization, or a sub-
contractor or supplier, that bids for or delivers some or all of the project and its associated
assets, products or services,
h) financiers and insurers who provide financial and related support for the project,
i) regulators of project-related activities or the assets, products or services that can be created
by the project, and
j) other stakeholders, including users or beneficiaries of the assets, products or services that
can be created by the project, and other parties who could have an interest in the project and
its outcomes (including the wider public).

[Figure 1 (image not reproduced): stakeholders shown around the project – project owner, users,
financiers and insurers, contractor, regulators, sub-contractors and suppliers]
Figure 1 – Principal stakeholders in a project
5 Principles
For project risk management to be effective, efficient and consistent, an organization should at
all levels comply with the principles shown below.
a) Risk management creates and protects value.
Risk management contributes to demonstrable achievement of progress towards
organizational objectives and improvement of performance and quality in projects and the
assets, products and services they create. The objectives shall be understood clearly by all
parties.
b) Risk management is part of decision-making.
Risk management helps decision makers make informed choices about the project, within
each stage of its life, prioritize actions and distinguish among alternative courses of action.
This implies that all decisions should consider risk.
c) Risk management is an integral part of all organizational processes associated with a
project.
Risk management is not a stand-alone activity that is separate from the main activities and
processes of the project or the organization. Risk management is part of the responsibilities
of project managers and of staff at all levels. It is an integral part of all the organizational
processes associated with a project, including strategic project and investment planning,
project management and management of project change.
d) Risk management explicitly addresses uncertainty.
All managers and other people in the organization should explicitly take account of uncertainty, the
nature of that uncertainty, and how it can be addressed, particularly in critical processes.
e) Risk management is systematic, structured and timely.
A systematic, timely and structured approach to risk management contributes to consistent,
comparable and reliable project decisions and their successful application, to the efficiency
and effectiveness of project management processes and to the benefits the project aims
to deliver. A sound framework for risk management should be applied from the beginning of
a project.
f) Risk management is based on the best available information.
The inputs to the process of managing risk in a project are based on information sources
such as technical and engineering analyses, physical site and equipment inspections, test
results and progress reports, supplemented with historical data, experience, stakeholder
feedback, forecasts and expert judgement. However, those involved with managing risks in
a project should inform themselves of, and should take into account, any limitations of the
data or modelling used, uncertainty in the information available or the possibility of
divergence among experts.
i) Risk management is tailored.
Risk management activities are adapted to the kind of project, the project’s external and
internal context and those of the organizations involved, and the level of uncertainty and
complexity associated with the project. The level of risk management effort is proportionate
to the situation.
j) Risk management takes human and cultural factors into account.
The capabilities, perceptions and intentions of people and organizations that can facilitate
or hinder achievement of the project’s objectives are taken into account when managing
risk, as are social and organizational changes brought about by the project.
k) Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and, in particular, decision makers at
all levels of the organization, ensures that risk management remains relevant and up to
date. Involvement also allows stakeholders to be properly represented and to have their
views taken into account in determining risk criteria.
l) Risk management is dynamic, iterative and responsive to change.
As a project progresses and as related external and internal events occur, context and
knowledge change, monitoring and review take place, new risks emerge, some risks change,
and other risks disappear. Therefore, risk management activities in a project help project
decision-makers to continually identify, understand and respond to change.
m) Risk management facilitates continual improvement of the organization.
Organizations should develop and implement strategies to improve the maturity of their
project risk management alongside all other aspects of their organizational processes.
6 Project risk management framework
6.1 General
Project risk management processes should be integrated with project management processes.
The project management framework – the way in which the project management process will
be organized, structured and controlled – should provide the foundations and arrangements
that will embed project risk management throughout the project through all phases, at all levels
and across all the organizations involved. The success of project risk management will depend
in part on the effectiveness of the integration.
The project risk management framework assists in managing project risks. It does this through
the application of the consistent and effective project risk management processes (see Clause
7), applied at varying levels and within the specific context of the project. The framework and
processes ensure that information about project risk derived from these processes is
adequately reported and used as a basis for governance, decision making and accountability
at all relevant organizational and project levels. Organizations often adopt a common risk
management framework, aligned with their corporate risk management framework, and they
customize it in a similar way in many projects.
This Clause 6 describes the necessary components of the framework for managing project risk
and the way in which they interrelate in an iterative manner. Figure 2 shows the risk
management framework and process specified in ISO 31000 applied to managing risk in
projects.
This framework is not intended to prescribe a management system, but rather to assist the
organizations involved in a project to integrate project risk management into the overall project
management framework. Therefore, organizations should adapt the components of the
framework to their specific needs and the specific project requirements.
If an organization's existing project management practices and processes include components
of risk management, or if the organization has already adopted a formal project risk
management process for particular types of projects, risks or situations, then these should be
critically reviewed and assessed against this document to determine their adequacy and
effectiveness.
[Figure 2 (diagram not reproduced): components of the framework for managing project risk, with
the subclauses that describe them]
Mandate and commitment (6.2)
Design of the framework for managing risk (6.3)
    Understanding the project and its context (6.3.1)
    Establishing the project risk management policy (6.3.2)
    Accountability (6.3.3)
    Integration into project management processes (6.3.4)
    Resources (6.3.5)
    Establishing internal project communication and reporting mechanisms (6.3.6)
    Establishing external project communication and reporting mechanisms (6.3.7)
Implementing project risk management (6.4)
    Implementing the framework for managing project risk (6.4.1)
Continual improvement of the project risk management framework (6.6)
...