ISO 31000:2009

INTERNATIONAL ISO
STANDARD 31000
First edition
2009-11-15

Risk management — Principles and
guidelines
Management du risque — Principes et lignes directrices




Reference number
ISO 31000:2009(E)
©
ISO 2009

---------------------- Page: 1 ----------------------
ISO 31000:2009(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2009 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 31000:2009(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Terms and definitions .1
3 Principles.7
4 Framework .8
4.1 General .8
4.2 Mandate and commitment .9
4.3 Design of framework for managing risk.10
4.3.1 Understanding of the organization and its context .10
4.3.2 Establishing risk management policy.10
4.3.3 Accountability.11
4.3.4 Integration into organizational processes.11
4.3.5 Resources .11
4.3.6 Establishing internal communication and reporting mechanisms .12
4.3.7 Establishing external communication and reporting mechanisms .12
4.4 Implementing risk management .12
4.4.1 Implementing the framework for managing risk .12
4.4.2 Implementing the risk management process .13
4.5 Monitoring and review of the framework .13
4.6 Continual improvement of the framework .13
5 Process.13
5.1 General .13
5.2 Communication and consultation .14
5.3 Establishing the context.15
5.3.1 General .15
5.3.2 Establishing the external context .15
5.3.3 Establishing the internal context.15
5.3.4 Establishing the context of the risk management process .16
5.3.5 Defining risk criteria.17
5.4 Risk assessment .17
5.4.1 General .17
5.4.2 Risk identification.17
5.4.3 Risk analysis.18
5.4.4 Risk evaluation .18
5.5 Risk treatment.18
5.5.1 General .18
5.5.2 Selection of risk treatment options .19
5.5.3 Preparing and implementing risk treatment plans .20
5.6 Monitoring and review .20
5.7 Recording the risk management process.21
Annex A (informative) Attributes of enhanced risk management.22
Bibliography.24

© ISO 2009 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 31000:2009(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 31000 was prepared by the ISO Technical Management Board Working Group on risk management.
iv © ISO 2009 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 31000:2009(E)
Introduction
Organizations of all types and sizes face internal and external factors and influences that make it uncertain
whether and when they will achieve their objectives. The effect this uncertainty has on an organization's
objectives is “risk”.
All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then
evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria.
Throughout this process, they communicate and consult with stakeholders and monitor and review the risk
and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This
International Standard describes this systematic and logical process in detail.
While all organizations manage risk to some degree, this International Standard establishes a number of
principles that need to be satisfied to make risk management effective. This International Standard
recommends that organizations develop, implement and continuously improve a framework whose purpose is
to integrate the process for managing risk into the organization's overall governance, strategy and planning,
management, reporting processes, policies, values and culture.
Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well
as to specific functions, projects and activities.
Although the practice of risk management has been developed over time and within many sectors in order to
meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to
ensure that risk is managed effectively, efficiently and coherently across an organization. The generic
approach described in this International Standard provides the principles and guidelines for managing any
form of risk in a systematic, transparent and credible manner and within any scope and context.
Each specific sector or application of risk management brings with it individual needs, audiences, perceptions
and criteria. Therefore, a key feature of this International Standard is the inclusion of “establishing the context”
as an activity at the start of this generic risk management process. Establishing the context will capture the
objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the
diversity of risk criteria – all of which will help reveal and assess the nature and complexity of its risks.
The relationship between the principles for managing risk, the framework in which it occurs and the risk
management process described in this International Standard are shown in Figure 1.
When implemented and maintained in accordance with this International Standard, the management of risk
enables an organization to, for example:
⎯ increase the likelihood of achieving objectives;
⎯ encourage proactive management;
⎯ be aware of the need to identify and treat risk throughout the organization;
⎯ improve the identification of opportunities and threats;
⎯ comply with relevant legal and regulatory requirements and international norms;
⎯ improve mandatory and voluntary reporting;
⎯ improve governance;
⎯ improve stakeholder confidence and trust;
© ISO 2009 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 31000:2009(E)
⎯ establish a reliable basis for decision making and planning;
⎯ improve controls;
⎯ effectively allocate and use resources for risk treatment;
⎯ improve operational effectiveness and efficiency;
⎯ enhance health and safety performance, as well as environmental protection;
⎯ improve loss prevention and incident management;
⎯ minimize losses;
⎯ improve organizational learning; and
⎯ improve organizational resilience.
This International Standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or
within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how
risk is to be managed within the specific context of these documents.
The current management practices and processes of many organizations include components of risk
management, and many organizations have already adopted a formal risk management process for particular
types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its
existing practices and processes in the light of this International Standard.
In this International Standard, the expressions “risk management” and “managing risk” are both used. In
general terms, “risk management” refers to the architecture (principles, framework and process) for managing
risks effectively, while “managing risk” refers to applying that architecture to particular risks.

vi © ISO 2009 – All rights reserved

---------------------- Page: 6 ----------------------
ISO 31000:2009(E)

Figure 1 — Relationships between the risk management principles, framework and process
© ISO 2009 – All rights reserved vii

a) Creates value
Mandate
b) Integral part of
and
organizational processes
commitment (4.2)
Establishing the context
(5.3)
c) Part of decision making
d) Explicitly addresses
Risk assessment (5.4)
uncertainty
Design of
framework
e) Systematic, structured for managing risk
and timely
(4.3) Risk identification (5.4.2)
f) Based on the best
available information
Continual
Implementing
improvement
g) Tailored
risk
of the
management
Risk analysis (5.4.3)
framework
h) Takes human and
(4.4)
(4.6)
cultural factors into
account
i) Transparent and inclusive
Monitoring
Risk evaluation (5.4.4)
j) Dynamic, iterative and
and review
responsive to change
of the
framework
k) Facilitates continual
(4.5)
improvement and
enhancement of the
organization Risk treatment (5.5)
Framework
Principles
(Clause 4)
(Clause 3)
Process
(Clause 5)
Communication and consultation (5.2)
Monitoring and review (5.6)

---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 31000:2009(E)

Risk management — Principles and guidelines
1 Scope
This International Standard provides principles and generic guidelines on risk management.
This International Standard can be used by any public, private or community enterprise, association, group or
individual. Therefore, this International Standard is not specific to any industry or sector.
NOTE For convenience, all the different users of this International Standard are referred to by the general term
“organization”.
This International Standard can be applied throughout the life of an organization, and to a wide range of
activities, including strategies and decisions, operations, processes, functions, projects, products, services
and assets.
This International Standard can be applied to any type of risk, whatever its nature, whether having positive or
negative consequences.
Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk
management across organizations. The design and implementation of risk management plans and
frameworks will need to take into account the varying needs of a specific organization, its particular objectives,
context, structure, operations, processes, functions, projects, products, services, or assets and specific
practices employed.
It is intended that this International Standard be utilized to harmonize risk management processes in existing
and future standards. It provides a common approach in support of standards dealing with specific risks
and/or sectors, and does not replace those standards.
This International Standard is not intended for the purpose of certification.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can
apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a
combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in
circumstances) and the associated likelihood (2.19) of occurrence.
© ISO 2009 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO 31000:2009(E)
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an
event, its consequence, or likelihood.
[ISO Guide 73:2009, definition 1.1]
2.2
risk management
coordinated activities to direct and control an organization with regard to risk (2.1)
[ISO Guide 73:2009, definition 2.1]
2.3
risk management framework
set of components that provide the foundations and organizational arrangements for designing, implementing,
monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and
activities.
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational
policies and practices.
[ISO Guide 73:2009, definition 2.1.1]
2.4
risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[ISO Guide 73:2009, definition 2.1.2]
2.5
risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)
[ISO Guide 73:2009, definition 3.7.1.1]
2.6
risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management
components and resources to be applied to the management of risk (2.1)
NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence
and timing of activities.
NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of
the organization.
[ISO Guide 73:2009, definition 2.1.3]
2.7
risk owner
person or entity with the accountability and authority to manage a risk (2.1)
[ISO Guide 73:2009, definition 3.5.1.5]
2 © ISO 2009 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 31000:2009(E)
2.8
risk management process
systematic application of management policies, procedures and practices to the activities of communicating,
consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (2.28) and
reviewing risk (2.1)
[ISO Guide 73:2009, definition 3.1]
2.9
establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the
scope and risk criteria (2.22) for the risk management policy (2.4)
[ISO Guide 73:2009, definition 3.3.1]
2.10
external context
external environment in which the organization seeks to achieve its objectives
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment,
whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of external stakeholders (2.13).
[ISO Guide 73:2009, definition 3.3.1.1]
2.11
internal context
internal environment in which the organization seeks to achieve its objectives
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and
technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.
[ISO Guide 73:2009, definition 3.3.1.2]
2.12
communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information and to
engage in dialogue with stakeholders (2.13) regarding the management of risk (2.1)
© ISO 2009 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO 31000:2009(E)
NOTE 1 The information can relate to the existence, nature, form, likelihood (2.19), significance, evaluation,
acceptability and treatment of the management of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on that issue. Consultation is:
⎯ a process which impacts on a decision through influence rather than power; and
⎯ an input to decision making, not joint decision making.
[ISO Guide 73:2009, definition 3.2.1]
2.13
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
NOTE A decision maker can be a stakeholder.
[ISO Guide 73:2009, definition 3.2.1.1]
2.14
risk assessment
overall process of risk identification (2.15), risk analysis (2.21) and risk evaluation (2.24)
[ISO Guide 73:2009, definition 3.4.1]
2.15
risk identification
process of finding, recognizing and describing risks (2.1)
NOTE 1 Risk identification involves the identification of risk sources (2.16), events (2.17), their causes and their
potential consequences (2.18).
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and
stakeholder's (2.13) needs.
[ISO Guide 73:2009, definition 3.5.1]
2.16
risk source
element which alone or in combination has the intrinsic potential to give rise to risk (2.1)
NOTE A risk source can be tangible or intangible.
[ISO Guide 73:2009, definition 3.5.1.2]
2.17
event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4 An event without consequences (2.18) can also be referred to as a “near miss”, “incident”, “near hit” or “close
call”.
[ISO Guide 73:2009, definition 3.5.1.3]
4 © ISO 2009 – All rights reserved

---------------------- Page: 11 ----------------------
ISO 31000:2009(E)
2.18
consequence
outcome of an event (2.17) affecting objectives
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
[ISO Guide 73:2009, definition 3.6.1.3]
2.19
likelihood
chance of something happening
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening,
whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using
general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of
the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term.
Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages other than English.
[ISO Guide 73:2009, definition 3.6.1.1]
2.20
risk profile
description of any set of risks (2.1)
NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as
otherwise defined.
[ISO Guide 73:2009, definition 3.8.2.5]
2.21
risk analysis
process to comprehend the nature of risk (2.1) and to determine the level of risk (2.23)
NOTE 1 Risk analysis provides the basis for risk evaluation (2.24) and decisions about risk treatment (2.25).
NOTE 2 Risk analysis includes risk estimation.
[ISO Guide 73:2009, definition 3.6.1]
2.22
risk criteria
terms of reference against which the significance of a risk (2.1) is evaluated
NOTE 1 Risk criteria are based on organizational objectives, and external (2.10) and internal context (2.11).
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
[ISO Guide 73:2009, definition 3.3.1.3]
© ISO 2009 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO 31000:2009(E)
2.23
level of risk
magnitude of a risk (2.1) or combination of risks, expressed in terms of the combination of consequences
(2.18) and their likelihood (2.19)
[ISO Guide 73:2009, definition 3.6.1.8]
2.24
risk evaluation
process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk
(2.1) and/or its magnitude is acceptable or tolerable
NOTE Risk evaluation assists in the decision about risk treatment (2.25).
[ISO Guide 73:2009, definition 3.7.1]
2.25
risk treatment
process to modify risk (2.1)
NOTE 1 Risk treatment can involve:
⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
⎯ taking or increasing risk in order to pursue an opportunity;
⎯ removing the risk source (2.16);
⎯ changing the likelihood (2.19);
⎯ changing the consequences (2.18);
⎯ sharing the risk with another party or parties (including contracts and risk financing); and
⎯ retaining the risk by informed decision.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.
[ISO Guide 73:2009, definition 3.8.1]
2.26
control
measure that is modifying risk (2.1)
NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
[ISO Guide 73:2009, definition 3.8.1.1]
2.27
residual risk
risk (2.1) remaining after risk treatment (2.25)
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as “retained risk”.
[ISO Guide 73:2009, definition 3.8.1.6]
6 © ISO 2009 – All rights reserved

---------------------- Page: 13 ----------------------
ISO 31000:2009(E)
2.28
monitoring
continual checking, supervising, critically observing or determining the status in order to identify change from
the performance level required or expected
NOTE Monitoring can be applied to a risk management framework (2.3), risk management process (2.8), risk
(2.1) or control (2.26).
[ISO Guide 73:2009, definition 3.8.2.1]
2.29
review
activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve
established objectives
NOTE Review can be applied to a risk management framework (2.3), risk management process (2.8), risk (2.1)
or control (2.26).
[ISO Guide 7
...

SLOVENSKI STANDARD
SIST ISO 31000:2011
01-april-2011
2EYODGRYDQMHWYHJDQM1DþHODLQVPHUQLFH
Risk management - Principles and guidelines
Management du risque - Principes et lignes directrices
Ta slovenski standard je istoveten z: ISO 31000:2009
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
SIST ISO 31000:2011 en,fr
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO 31000:2011

---------------------- Page: 2 ----------------------

SIST ISO 31000:2011

INTERNATIONAL ISO
STANDARD 31000
First edition
2009-11-15

Risk management — Principles and
guidelines
Management du risque — Principes et lignes directrices




Reference number
ISO 31000:2009(E)
©
ISO 2009

---------------------- Page: 3 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2009 – All rights reserved

---------------------- Page: 4 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Terms and definitions .1
3 Principles.7
4 Framework .8
4.1 General .8
4.2 Mandate and commitment .9
4.3 Design of framework for managing risk.10
4.3.1 Understanding of the organization and its context .10
4.3.2 Establishing risk management policy.10
4.3.3 Accountability.11
4.3.4 Integration into organizational processes.11
4.3.5 Resources .11
4.3.6 Establishing internal communication and reporting mechanisms .12
4.3.7 Establishing external communication and reporting mechanisms .12
4.4 Implementing risk management .12
4.4.1 Implementing the framework for managing risk .12
4.4.2 Implementing the risk management process .13
4.5 Monitoring and review of the framework .13
4.6 Continual improvement of the framework .13
5 Process.13
5.1 General .13
5.2 Communication and consultation .14
5.3 Establishing the context.15
5.3.1 General .15
5.3.2 Establishing the external context .15
5.3.3 Establishing the internal context.15
5.3.4 Establishing the context of the risk management process .16
5.3.5 Defining risk criteria.17
5.4 Risk assessment .17
5.4.1 General .17
5.4.2 Risk identification.17
5.4.3 Risk analysis.18
5.4.4 Risk evaluation .18
5.5 Risk treatment.18
5.5.1 General .18
5.5.2 Selection of risk treatment options .19
5.5.3 Preparing and implementing risk treatment plans .20
5.6 Monitoring and review .20
5.7 Recording the risk management process.21
Annex A (informative) Attributes of enhanced risk management.22
Bibliography.24

© ISO 2009 – All rights reserved iii

---------------------- Page: 5 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 31000 was prepared by the ISO Technical Management Board Working Group on risk management.
iv © ISO 2009 – All rights reserved

---------------------- Page: 6 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
Introduction
Organizations of all types and sizes face internal and external factors and influences that make it uncertain
whether and when they will achieve their objectives. The effect this uncertainty has on an organization's
objectives is “risk”.
All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then
evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria.
Throughout this process, they communicate and consult with stakeholders and monitor and review the risk
and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This
International Standard describes this systematic and logical process in detail.
While all organizations manage risk to some degree, this International Standard establishes a number of
principles that need to be satisfied to make risk management effective. This International Standard
recommends that organizations develop, implement and continuously improve a framework whose purpose is
to integrate the process for managing risk into the organization's overall governance, strategy and planning,
management, reporting processes, policies, values and culture.
Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well
as to specific functions, projects and activities.
Although the practice of risk management has been developed over time and within many sectors in order to
meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to
ensure that risk is managed effectively, efficiently and coherently across an organization. The generic
approach described in this International Standard provides the principles and guidelines for managing any
form of risk in a systematic, transparent and credible manner and within any scope and context.
Each specific sector or application of risk management brings with it individual needs, audiences, perceptions
and criteria. Therefore, a key feature of this International Standard is the inclusion of “establishing the context”
as an activity at the start of this generic risk management process. Establishing the context will capture the
objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the
diversity of risk criteria – all of which will help reveal and assess the nature and complexity of its risks.
The relationship between the principles for managing risk, the framework in which it occurs and the risk
management process described in this International Standard are shown in Figure 1.
When implemented and maintained in accordance with this International Standard, the management of risk
enables an organization to, for example:
⎯ increase the likelihood of achieving objectives;
⎯ encourage proactive management;
⎯ be aware of the need to identify and treat risk throughout the organization;
⎯ improve the identification of opportunities and threats;
⎯ comply with relevant legal and regulatory requirements and international norms;
⎯ improve mandatory and voluntary reporting;
⎯ improve governance;
⎯ improve stakeholder confidence and trust;
© ISO 2009 – All rights reserved v

---------------------- Page: 7 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
⎯ establish a reliable basis for decision making and planning;
⎯ improve controls;
⎯ effectively allocate and use resources for risk treatment;
⎯ improve operational effectiveness and efficiency;
⎯ enhance health and safety performance, as well as environmental protection;
⎯ improve loss prevention and incident management;
⎯ minimize losses;
⎯ improve organizational learning; and
⎯ improve organizational resilience.
This International Standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or
within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how
risk is to be managed within the specific context of these documents.
The current management practices and processes of many organizations include components of risk
management, and many organizations have already adopted a formal risk management process for particular
types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its
existing practices and processes in the light of this International Standard.
In this International Standard, the expressions “risk management” and “managing risk” are both used. In
general terms, “risk management” refers to the architecture (principles, framework and process) for managing
risks effectively, while “managing risk” refers to applying that architecture to particular risks.

vi © ISO 2009 – All rights reserved

---------------------- Page: 8 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)

Figure 1 — Relationships between the risk management principles, framework and process
© ISO 2009 – All rights reserved vii

a) Creates value
Mandate
b) Integral part of
and
organizational processes
commitment (4.2)
Establishing the context
(5.3)
c) Part of decision making
d) Explicitly addresses
Risk assessment (5.4)
uncertainty
Design of
framework
e) Systematic, structured for managing risk
and timely
(4.3) Risk identification (5.4.2)
f) Based on the best
available information
Continual
Implementing
improvement
g) Tailored
risk
of the
management
Risk analysis (5.4.3)
framework
h) Takes human and
(4.4)
(4.6)
cultural factors into
account
i) Transparent and inclusive
Monitoring
Risk evaluation (5.4.4)
j) Dynamic, iterative and
and review
responsive to change
of the
framework
k) Facilitates continual
(4.5)
improvement and
enhancement of the
organization Risk treatment (5.5)
Framework
Principles
(Clause 4)
(Clause 3)
Process
(Clause 5)
Communication and consultation (5.2)
Monitoring and review (5.6)

---------------------- Page: 9 ----------------------

SIST ISO 31000:2011

---------------------- Page: 10 ----------------------

SIST ISO 31000:2011
INTERNATIONAL STANDARD ISO 31000:2009(E)

Risk management — Principles and guidelines
1 Scope
This International Standard provides principles and generic guidelines on risk management.
This International Standard can be used by any public, private or community enterprise, association, group or
individual. Therefore, this International Standard is not specific to any industry or sector.
NOTE For convenience, all the different users of this International Standard are referred to by the general term
“organization”.
This International Standard can be applied throughout the life of an organization, and to a wide range of
activities, including strategies and decisions, operations, processes, functions, projects, products, services
and assets.
This International Standard can be applied to any type of risk, whatever its nature, whether having positive or
negative consequences.
Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk
management across organizations. The design and implementation of risk management plans and
frameworks will need to take into account the varying needs of a specific organization, its particular objectives,
context, structure, operations, processes, functions, projects, products, services, or assets and specific
practices employed.
It is intended that this International Standard be utilized to harmonize risk management processes in existing
and future standards. It provides a common approach in support of standards dealing with specific risks
and/or sectors, and does not replace those standards.
This International Standard is not intended for the purpose of certification.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can
apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a
combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in
circumstances) and the associated likelihood (2.19) of occurrence.
© ISO 2009 – All rights reserved 1

---------------------- Page: 11 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an
event, its consequence, or likelihood.
[ISO Guide 73:2009, definition 1.1]
2.2
risk management
coordinated activities to direct and control an organization with regard to risk (2.1)
[ISO Guide 73:2009, definition 2.1]
2.3
risk management framework
set of components that provide the foundations and organizational arrangements for designing, implementing,
monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and
activities.
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational
policies and practices.
[ISO Guide 73:2009, definition 2.1.1]
2.4
risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[ISO Guide 73:2009, definition 2.1.2]
2.5
risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)
[ISO Guide 73:2009, definition 3.7.1.1]
2.6
risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management
components and resources to be applied to the management of risk (2.1)
NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence
and timing of activities.
NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of
the organization.
[ISO Guide 73:2009, definition 2.1.3]
2.7
risk owner
person or entity with the accountability and authority to manage a risk (2.1)
[ISO Guide 73:2009, definition 3.5.1.5]
2 © ISO 2009 – All rights reserved

---------------------- Page: 12 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
2.8
risk management process
systematic application of management policies, procedures and practices to the activities of communicating,
consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (2.28) and
reviewing risk (2.1)
[ISO Guide 73:2009, definition 3.1]
2.9
establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the
scope and risk criteria (2.22) for the risk management policy (2.4)
[ISO Guide 73:2009, definition 3.3.1]
2.10
external context
external environment in which the organization seeks to achieve its objectives
NOTE External context can include:
⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment,
whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, and perceptions and values of external stakeholders (2.13).
[ISO Guide 73:2009, definition 3.3.1.1]
2.11
internal context
internal environment in which the organization seeks to achieve its objectives
NOTE Internal context can include:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and
technologies);
⎯ information systems, information flows and decision-making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ the organization's culture;
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.
[ISO Guide 73:2009, definition 3.3.1.2]
2.12
communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information and to
engage in dialogue with stakeholders (2.13) regarding the management of risk (2.1)
© ISO 2009 – All rights reserved 3

---------------------- Page: 13 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
NOTE 1 The information can relate to the existence, nature, form, likelihood (2.19), significance, evaluation,
acceptability and treatment of the management of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on that issue. Consultation is:
⎯ a process which impacts on a decision through influence rather than power; and
⎯ an input to decision making, not joint decision making.
[ISO Guide 73:2009, definition 3.2.1]
2.13
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
NOTE A decision maker can be a stakeholder.
[ISO Guide 73:2009, definition 3.2.1.1]
2.14
risk assessment
overall process of risk identification (2.15), risk analysis (2.21) and risk evaluation (2.24)
[ISO Guide 73:2009, definition 3.4.1]
2.15
risk identification
process of finding, recognizing and describing risks (2.1)
NOTE 1 Risk identification involves the identification of risk sources (2.16), events (2.17), their causes and their
potential consequences (2.18).
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and
stakeholder's (2.13) needs.
[ISO Guide 73:2009, definition 3.5.1]
2.16
risk source
element which alone or in combination has the intrinsic potential to give rise to risk (2.1)
NOTE A risk source can be tangible or intangible.
[ISO Guide 73:2009, definition 3.5.1.2]
2.17
event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4 An event without consequences (2.18) can also be referred to as a “near miss”, “incident”, “near hit” or “close
call”.
[ISO Guide 73:2009, definition 3.5.1.3]
4 © ISO 2009 – All rights reserved

---------------------- Page: 14 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
2.18
consequence
outcome of an event (2.17) affecting objectives
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
[ISO Guide 73:2009, definition 3.6.1.3]
2.19
likelihood
chance of something happening
NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening,
whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using
general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of
the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term.
Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad
interpretation as the term “probability” has in many languages other than English.
[ISO Guide 73:2009, definition 3.6.1.1]
2.20
risk profile
description of any set of risks (2.1)
NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as
otherwise defined.
[ISO Guide 73:2009, definition 3.8.2.5]
2.21
risk analysis
process to comprehend the nature of risk (2.1) and to determine the level of risk (2.23)
NOTE 1 Risk analysis provides the basis for risk evaluation (2.24) and decisions about risk treatment (2.25).
NOTE 2 Risk analysis includes risk estimation.
[ISO Guide 73:2009, definition 3.6.1]
2.22
risk criteria
terms of reference against which the significance of a risk (2.1) is evaluated
NOTE 1 Risk criteria are based on organizational objectives, and external (2.10) and internal context (2.11).
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
[ISO Guide 73:2009, definition 3.3.1.3]
© ISO 2009 – All rights reserved 5

---------------------- Page: 15 ----------------------

SIST ISO 31000:2011
ISO 31000:2009(E)
2.23
level of risk
magnitude of a risk (2.1) or combination of risks, expressed in terms of the combination of consequences
(2.18) and their likelihood (2.19)
[ISO Guide 73:2009, definition 3.6.1.8]
2.24
risk evaluation
process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk
(2.1) and/or its magnitude is acceptable or tolerable
NOTE Risk evaluation assists in the decision about risk treatment (2.25).
[ISO Guide 73:2009, definition 3.7.1]
2.25
risk treatment
process to modify risk (2.1)
NOTE 1 Risk treatment can involve:
⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
⎯ taking or increasing risk in order to pursue an opportunity;
⎯ removing the risk source (2.16);
⎯ changing the likelihood (2.19);
⎯ changing the consequences (2.18);
⎯ sharing the risk with another party or parties (including contracts and risk financing); and
⎯ retaining the risk by informed decision.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk reduction”.
NOTE 3 Risk treatment can create new risks or modify existing risks.
[ISO Guide 73:2009, definition 3.8.1]
2.26
control
measure that is modifying risk (2.1)
NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
[ISO Guide 73:2009,
...

NORME ISO
INTERNATIONALE 31000
Première édition
2009-11-15

Management du risque — Principes et
lignes directrices
Risk management — Principles and guidelines




Numéro de référence
ISO 31000:2009(F)
©
ISO 2009

---------------------- Page: 1 ----------------------
ISO 31000:2009(F)
PDF – Exonération de responsabilité
Le présent fichier PDF peut contenir des polices de caractères intégrées. Conformément aux conditions de licence d'Adobe, ce fichier
peut être imprimé ou visualisé, mais ne doit pas être modifié à moins que l'ordinateur employé à cet effet ne bénéficie d'une licence
autorisant l'utilisation de ces polices et que celles-ci y soient installées. Lors du téléchargement de ce fichier, les parties concernées
acceptent de fait la responsabilité de ne pas enfreindre les conditions de licence d'Adobe. Le Secrétariat central de l'ISO décline toute
responsabilité en la matière.
Adobe est une marque déposée d'Adobe Systems Incorporated.
Les détails relatifs aux produits logiciels utilisés pour la création du présent fichier PDF sont disponibles dans la rubrique General Info
du fichier; les paramètres de création PDF ont été optimisés pour l'impression. Toutes les mesures ont été prises pour garantir
l'exploitation de ce fichier par les comités membres de l'ISO. Dans le cas peu probable où surviendrait un problème d'utilisation,
veuillez en informer le Secrétariat central à l'adresse donnée ci-dessous.


DOCUMENT PROTÉGÉ PAR COPYRIGHT


©  ISO 2009
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Publié en Suisse

ii © ISO 2009 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO 31000:2009(F)
Sommaire Page
Avant-propos .iv
Introduction.v
1 Domaine d'application .1
2 Termes et définitions .1
3 Principes.7
4 Cadre organisationnel.8
4.1 Généralités .8
4.2 Mandat et engagement.9
4.3 Conception du cadre organisationnel de management du risque.10
4.3.1 Compréhension de l'organisme et de son contexte.10
4.3.2 Établissement de la politique de management du risque.10
4.3.3 Responsabilité .11
4.3.4 Intégration aux processus organisationnels.11
4.3.5 Ressources .11
4.3.6 Établissement de mécanismes de communication et de rapports internes.12
4.3.7 Établissement de mécanismes de communication et de rapports externes .12
4.4 Mise en œuvre du management du risque .12
4.4.1 Mise en œuvre du cadre organisationnel de management du risque .12
4.4.2 Mise en œuvre du processus de management du risque.13
4.5 Surveillance et revue du cadre organisationnel .13
4.6 Amélioration continue du cadre organisationnel .13
5 Processus .13
5.1 Généralités .13
5.2 Communication et concertation .14
5.3 Établissement du contexte.15
5.3.1 Généralités .15
5.3.2 Établissement du contexte externe .15
5.3.3 Établissement du contexte interne.15
5.3.4 Établissement du contexte du processus de management du risque .16
5.3.5 Définition des critères de risque.17
5.4 Appréciation du risque .17
5.4.1 Généralités .17
5.4.2 Identification du risque.17
5.4.3 Analyse du risque.18
5.4.4 Évaluation du risque .18
5.5 Traitement du risque .19
5.5.1 Généralités .19
5.5.2 Sélection des options de traitement du risque .19
5.5.3 Élaboration et mise en œuvre des plans de traitement du risque .20
5.6 Surveillance et revue.20
5.7 Enregistrement du processus de management du risque.21
Annexe A (informative) Attributs d'un management du risque élevé.22
Bibliographie.24

© ISO 2009 – Tous droits réservés iii

---------------------- Page: 3 ----------------------
ISO 31000:2009(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes nationaux de
normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est en général confiée
aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude a le droit de faire partie du
comité technique créé à cet effet. Les organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO participent également aux travaux. L'ISO collabore étroitement avec
la Commission électrotechnique internationale (CEI) en ce qui concerne la normalisation électrotechnique.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale des comités techniques est d'élaborer les Normes internationales. Les projets de Normes
internationales adoptés par les comités techniques sont soumis aux comités membres pour vote. Leur
publication comme Normes internationales requiert l'approbation de 75 % au moins des comités membres
votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable de ne
pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO 31000 a été élaborée par le groupe de travail du Bureau de gestion technique ISO sur le Management
du risque.
iv © ISO 2009 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO 31000:2009(F)
Introduction
Les organismes de tous types et de toutes dimensions confrontés à des facteurs et des influences internes et
externes ignorent si et quand ils vont atteindre leurs objectifs. L'incidence de cette incertitude sur l'atteinte des
objectifs d'un organisme constitue le «risque».
Toutes les activités d'un organisme comprennent des risques. Les organismes gèrent le risque en l'identifiant,
en l'analysant, et en évaluant ensuite la nécessité de le modifier par un traitement afin de satisfaire aux
critères de risque. Tout au long de ce processus, ils communiquent et se concertent avec les parties
prenantes, et surveillent et revoient le risque et les moyens de maîtrise qui modifient le risque afin de
s'assurer qu'il n'est pas nécessaire de recourir à un traitement supplémentaire du risque. La présente Norme
internationale décrit ce processus systématique et logique en détail.
Alors que tous les organismes gèrent des risques à différents niveaux, la présente Norme internationale fixe
un certain nombre de principes qui doivent être appliqués pour rendre le management du risque efficace. La
présente Norme internationale recommande que les organismes élaborent, mettent en œuvre et améliorent
continuellement un cadre organisationnel dont le but est d'intégrer le processus de management du risque
aux processus de gouvernance, de stratégie et de planification, de management, de rédaction des rapports,
ainsi qu'aux politiques, aux valeurs et à la culture d'ensemble de l'organisme.
Le management du risque peut s'appliquer à l'ensemble de l'organisme, dans tous ses domaines et à tous
ses niveaux, à tout moment, ainsi qu'à des fonctions, des projets et des activités particulières.
Même si la pratique du management du risque s'est développée au fil du temps et dans de nombreux
secteurs pour répondre à différents besoins, l'adoption de processus cohérents dans un cadre organisationnel
complet peut contribuer à garantir que le risque est géré de façon efficace, performante et cohérente au sein
d'un organisme. L'approche générique décrite dans la présente Norme internationale fournit des principes et
des lignes directrices pour gérer toute forme de risque de manière systématique, transparente et fiable, dans
quelque domaine et quelque contexte que ce soit.
Chaque secteur ou application particulier du management du risque comporte des besoins, des publics, des
perceptions et des critères qui lui sont propres. C'est pourquoi, l'un des points essentiels de la présente
Norme internationale est d'intégrer «l'établissement du contexte» en tant qu'activité de départ du processus
générique de management du risque. Établir le contexte va permettre d'appréhender les objectifs de
l'organisme, l'environnement dans lequel il poursuit ces objectifs, les parties prenantes et la diversité des
critères de risques, tous ces éléments devant contribuer à révéler et apprécier la nature et la complexité de
ses risques.
La Figure 1 illustre les relations entre les principes de management du risque, le cadre organisationnel dans
lequel il se présente et le processus de management du risque décrits dans la présente Norme internationale.
La mise en œuvre et le maintien du management du risque conformément à la présente Norme internationale
permettent, par exemple, à un organisme
⎯ d'accroître la vraisemblance d'atteindre les objectifs,
⎯ d'encourager un management proactif,
⎯ de prendre conscience de la nécessité d'identifier et de traiter le risque à travers tout l'organisme,
⎯ d'améliorer l'identification des opportunités et des menaces,
⎯ de se conformer aux obligations légales et réglementaires ainsi qu'aux normes internationales,
© ISO 2009 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO 31000:2009(F)
⎯ d'améliorer la rédaction des rapports obligatoires et volontaires,
⎯ d'améliorer la gouvernance,
⎯ d'accroître l'assurance et la confiance des parties prenantes,
⎯ d'établir une base fiable pour la prise de décision et la planification,
⎯ d'améliorer les moyens de maîtrise,
⎯ d'allouer et d'utiliser efficacement les ressources pour le traitement du risque,
⎯ d'améliorer l'efficacité et l'efficience opérationnelles,
⎯ de renforcer les performances en matière de santé et de sécurité, ainsi que de protection
environnementale,
⎯ d'améliorer la prévention des pertes et le management des incidents,
⎯ de minimiser les pertes,
⎯ d'améliorer l'apprentissage organisationnel, et
⎯ d'améliorer la résilience organisationnelle.
La présente Norme internationale est destinée à répondre aux besoins d'une grande diversité de parties
prenantes, dont
a) les personnes responsables de l'élaboration d'une politique de management du risque au sein de leur
organisme,
b) les personnes chargées de s'assurer que ce risque est géré efficacement au sein de l'organisme dans
son ensemble ou dans un domaine, une activité ou un projet spécifique,
c) les personnes chargées d'évaluer l'efficacité d'un organisme en matière de management du risque, et
d) les rédacteurs de normes, guides, procédures et bonnes pratiques qui, en totalité ou en partie,
déterminent la manière dont le risque doit être géré dans le contexte spécifique de ces documents.
Les pratiques et processus de management en cours dans nombre d'organismes comportent des éléments
de management du risque, et beaucoup d'organismes ont déjà adopté un processus formalisé de
management du risque pour des types particuliers de risques ou de situations. Dans de tels cas, un
organisme peut décider de réaliser une revue critique de ses pratiques et processus existants à la lumière de
la présente Norme internationale.
Dans la présente Norme internationale les expressions «management du risque» et «gérer le risque» sont
toutes deux utilisées. De façon générale, le «management du risque» se réfère à la structure (principe, cadre
organisationnel et processus) permettant de gérer le risque avec efficacité, alors que «gérer le risque» se
réfère à l'application de cette structure aux risques particuliers.
vi © ISO 2009 – Tous droits réservés

---------------------- Page: 6 ----------------------
ISO 31000:2009(F)

Figure 1 — Relations entre les principes, le cadre organisationnel
et le processus de management du risque
© ISO 2009 – Tous droits réservés vii

a) Crée de la valeur
Mandat et
b) Fait partie intégrante des
engagement
processus organisationnels
(4.2)
Établissement du contexte
c) Élément de la prise de (5.3)
décision
Conception du Appréciation du
d) Traite explicitement de
cadre
risque (5.4)
l’incertitude
organisationnel de
management du
e) Systématique, structuré et
Identification du risque
risque (4.3)
en temps utile
(5.4.2)
f) S’appuie sur la meilleure
Amélioration
Mise en
information disponible
continue œuvre du
du cadre
management
g) Adapté
Analyse du risque (5.4.3)
organisation-
du risque
nel (4.4)
h) Tient compte des facteurs
(4.6)
humains et culturels
i) Transparent et participatif
Surveillance
Évaluation du risque
j) Dynamique, itératif et
et revue du
(5.4.4)
réactif au changement
cadre
organisation-
k) Facilite l’amélioration
nel
continue et le
(4.5)
développement permanents
de l’organisme Traitement du risque (5.5)
Principes Cadre
(Article 3) (Article 4)
Processus
(Article 5)
Communication et concertation (5.2)
Surveillance et revue (5.6)

---------------------- Page: 7 ----------------------
NORME INTERNATIONALE ISO 31000:2009(F)

Management du risque — Principes et lignes directrices
1 Domaine d'application
La présente Norme internationale fournit des principes et des lignes directrices générales sur le management
du risque.
La présente Norme internationale peut être appliquée par tout public, toute entreprise publique ou privée,
toute collectivité, toute association, tout groupe ou individu. Par conséquent, la présente Norme internationale
n'est pas spécifique à une industrie ou un secteur donné.
NOTE Pour plus de facilité, les différents utilisateurs de la présente Norme internationale sont désignés par le terme
général d'«organisme».
La présente Norme internationale peut être appliquée tout au long de la vie d'un organisme et à une large
gamme d'activités, dont les stratégies et les prises de décisions, les activités opérationnelles, les processus,
les fonctions, les projets, les produits, les services et les actifs.
La présente Norme internationale peut s'appliquer à tout type de risque, quelle que soit sa nature, que ses
conséquences soient positives ou négatives.
Bien que la présente Norme internationale fournisse des lignes directrices générales, elle ne vise pas à
promouvoir l'uniformisation du management du risque au sein des organismes. La conception et la mise en
œuvre des plans et des structures organisationnelles de management du risque devront tenir compte des
divers besoins d'un organisme spécifique, de ses objectifs, son contexte, sa structure, son activité, ses
processus, ses fonctions, ses projets, ses produits, ses services ou ses actifs particuliers, ainsi que de ses
pratiques spécifiques.
Il est prévu que la présente Norme internationale serve à harmoniser les processus de management du risque
dans les normes existantes et à venir. Elle offre une approche commune à l'établissement des normes traitant
de risques et/ou secteurs spécifiques, sans toutefois remplacer ces normes.
La présente Norme internationale n'a pas vocation à servir de base à une certification.
2 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s'appliquent.
2.1
risque
effet de l'incertitude sur l'atteinte des objectifs
NOTE 1 Un effet est un écart, positif et/ou négatif, par rapport à une attente.
NOTE 2 Les objectifs peuvent avoir différents aspects (par exemple buts financiers, de santé et de sécurité, ou
environnementaux) et peuvent concerner différents niveaux (niveau stratégique, niveau d'un projet, d'un produit, d'un
processus ou d'un organisme tout entier).
NOTE 3 Un risque est souvent caractérisé en référence à des événements (2.17) et des conséquences (2.18)
potentiels ou à une combinaison des deux.
© ISO 2009 – Tous droits réservés 1

---------------------- Page: 8 ----------------------
ISO 31000:2009(F)
NOTE 4 Un risque est souvent exprimé en termes de combinaison des conséquences d'un événement (incluant des
changements de circonstances) et de sa vraisemblance (2.19).
NOTE 5 L'incertitude est l'état, même partiel, de défaut d'information concernant la compréhension ou la connaissance
d'un événement, de ses conséquences ou de sa vraisemblance.
[ISO Guide 73:2009, définition 1.1]
2.2
management du risque
activités coordonnées dans le but de diriger et piloter un organisme vis-à-vis du risque (2.1)
[ISO Guide 73:2009, définition 2.1]
2.3
cadre organisationnel de management du risque
ensemble d'éléments établissant les fondements et dispositions organisationnelles présidant à la conception,
la mise en œuvre, la surveillance (2.28), la revue et l'amélioration continue du management du risque (2.2)
dans tout l'organisme
NOTE 1 Les fondements incluent la politique, les objectifs, le mandat et l'engagement envers le management du
risque (2.1).
NOTE 2 Les dispositions organisationnelles incluent les plans, les relations, les responsabilités, les ressources, les
processus et les activités.
NOTE 3 Le cadre organisationnel du management du risque fait partie intégrante des politiques stratégiques et
opérationnelles ainsi que des pratiques de l'ensemble de l'organisme.
[ISO Guide 73:2009, définition 2.1.1]
2.4
politique de management du risque
déclaration des intentions et des orientations générales d'un organisme en relation avec le management du
risque (2.2)
[ISO Guide 73:2009, définition 2.1.2]
2.5
attitude face au risque
approche d'un organisme pour apprécier un risque (2.1) avant, éventuellement, de saisir ou préserver une
opportunité ou de prendre ou rejeter un risque
[ISO Guide 73:2009, définition 3.7.1.1]
2.6
plan de management du risque
programme inclus dans le cadre organisationnel de management du risque (2.3), spécifiant l'approche, les
composantes du management et les ressources auxquelles doit avoir recours le management du risque (2.1)
NOTE 1 Les composantes du management incluent, par exemple, les procédures, les pratiques, l'attribution des
responsabilités, le déroulement chronologique des activités.
NOTE 2 Le plan de management du risque peut être appliqué à un produit, un processus, un projet particulier, à une
partie de l'organisme ou à l'organisme tout entier.
[ISO Guide 73:2009, définition 2.1.3]
2 © ISO 2009 – Tous droits réservés

---------------------- Page: 9 ----------------------
ISO 31000:2009(F)
2.7
propriétaire du risque
personne ou entité ayant la responsabilité du risque (2.1) et ayant autorité pour le gérer
[ISO Guide 73:2009, définition 3.5.1.5]
2.8
processus de management du risque
application systématique de politiques, procédures et pratiques de management aux activités de
communication, de concertation, d'établissement du contexte, ainsi qu'aux activités d'identification, d'analyse,
d'évaluation, de traitement, de surveillance (2.28) et de revue des risques (2.1)
[ISO Guide 73:2009, définition 3.1]
2.9
établissement du contexte
définition des paramètres externes et internes à prendre en compte lors du management du risque et
définition du domaine d'application ainsi que des critères de risque (2.22) pour la politique de management
du risque (2.4)
[ISO Guide 73:2009, définition 3.3.1]
2.10
contexte externe
environnement externe dans lequel l'organisme cherche à atteindre ses objectifs
NOTE Le contexte externe peut inclure
⎯ l'environnement culturel, social, politique, légal, réglementaire, financier, technologique, économique, naturel et
concurrentiel, au niveau international, national, régional ou local,
⎯ les facteurs et tendances ayant un impact déterminant sur les objectifs de l'organisme, et
⎯ les relations avec les parties prenantes (2.13) externes, leurs perceptions et leurs valeurs.
[ISO Guide 73:2009, définition 3.3.1.1]
2.11
contexte interne
environnement interne dans lequel l'organisme cherche à atteindre ses objectifs
NOTE Le contexte interne peut inclure
⎯ la gouvernance, l'organisation, les rôles et responsabilités,
⎯ les politiques, les objectifs et les stratégies mises en place pour atteindre ces derniers,
⎯ les capacités, en termes de ressources et de connaissances (par exemple capital, temps, personnels, processus,
systèmes et technologies),
⎯ les systèmes d'information, les flux d'information et les processus de prise de décision (à la fois formels et informels),
⎯ les relations avec les parties prenantes internes, ainsi que leurs perceptions et leurs valeurs,
⎯ la culture de l'organisme,
⎯ les normes, lignes directrices et modèles adoptés par l'organisme, et
⎯ la forme et l'étendue des relations contractuelles.
[ISO Guide 73:2009, définition 3.3.1.2]
© ISO 2009 – Tous droits réservés 3

---------------------- Page: 10 ----------------------
ISO 31000:2009(F)
2.12
communication et concertation
processus itératifs et continus mis en œuvre par un organisme afin de fournir, partager ou obtenir des
informations et d'engager un dialogue avec les parties prenantes (2.13) et autres parties, concernant le
management du risque (2.1)
NOTE 1 Ces informations peuvent concerner l'existence, la nature, la forme, la vraisemblance (2.19), l'importance,
l'évaluation, l'acceptabilité et le traitement du management du risque.
NOTE 2 La concertation est un processus de communication argumentée à double sens entre un organisme et ses
parties prenantes sur une question donnée avant de prendre une décision ou de déterminer une orientation concernant
ladite question. La concertation est
⎯ un processus dont l'effet sur une décision s'exerce par l'influence plutôt que par le pouvoir, et
⎯ une contribution à une prise de décision, et non une prise de décision conjointe.
[ISO Guide 73:2009, définition 3.2.1]
2.13
partie prenante
personne ou organisme susceptible d'affecter, d'être affecté ou de se sentir lui-même affecté par une décision
ou une activité
NOTE Un décideur peut être une partie prenante.
[ISO Guide 73:2009, définition 3.2.1.1]
2.14
appréciation du risque
ensemble du processus d'identification des risques (2.15), d'analyse du risque (2.21) et d'évaluation du
risque (2.24)
[ISO Guide 73:2009, définition 3.4.1]
2.15
identification des risques
processus de recherche, de reconnaissance et de description des risques (2.1)
NOTE 1 L'identification des risques comprend l'identification des sources de risque (2.16), des événements (2.17),
de leurs causes et de leurs conséquences (2.18) potentielles.
NOTE 2 L'identification des risques peut faire appel à des données historiques, des analyses théoriques, des avis
d'experts et autres personnes compétentes et tenir compte des besoins des parties prenantes (2.13).
[ISO Guide 73:2009, définition 3.5.1]
2.16
source de risque
tout élément qui, seul ou combiné à d'autres, présente un potentiel intrinsèque d'engendrer un risque (2.1)
NOTE Une source de risque peut être tangible ou intangible.
[ISO Guide 73:2009, définition 3.5.1.2]
2.17
événement
occurrence ou changement d'un ensemble particulier de circonstances
NOTE 1 Un événement peut être unique ou se reproduire et peut avoir plusieurs causes.
4 © ISO 2009 – Tous droits réservés

---------------------- Page: 11 ----------------------
ISO 31000:2009(F)
NOTE 2 Un événement peut consister en quelque chose qui ne se produit pas.
NOTE 3 Un événement peut parfois être qualifié «d'incident» ou «d'accident».
NOTE 4 Un événement sans conséquences (2.18) peut également être appelé «quasi-accident» ou «incident» ou
«presque succès».
[ISO Guide 73:2009, définition 3.5.1.3]
2.18
conséquence
effet d'un événement (2.17) affectant les objectifs
NOTE 1 Un événement peut engendrer une série de conséquences.
NOTE 2 Une conséquence peut être certaine ou incertaine et peut avoir des effets positifs ou négatifs sur l'atteinte des
objectifs.
NOTE 3 Les conséquences peuvent être exprimées de façon qualitative ou quantitative.
NOTE 4 Des conséquences initiales peuvent déclencher des réactions en chaîne.
[ISO Guide 73:2009, définition 3.6.1.3]
2.19
vraisemblance
possibilité que quelque chose se produise
NOTE 1 Dans la terminologie du management du risque, le mot «vraisemblance» est utilisé pour indiquer la possibilité
que quelque chose se produise, que cette possibilité soit définie, mesurée ou déterminée de façon objective ou subjective,
qualitative ou quantitative, et qu'elle soit décrite au moyen de termes généraux ou mathématiques (telles une probabilité
ou une fréquence sur une période donnée).
NOTE 2 Le terme anglais «likelihood» (vraisemblance) n'a pas d'équivalent direct dans certaines langues et c'est
souvent l'équivalent du terme «probability» (probabilité) qui est utilisé à la place. En anglais, cependant, le terme
«probability» (probabilité) est souvent limité à son interprétation mathématique. Par conséquent, dans la terminologie du
management du risque, le terme «vraisemblance» est utilisé avec l'intention qu'il fasse l'objet d'une interprétation aussi
large que celle dont bénéficie le terme «probability» (probabilité) dans de nombreuses langues autres que l'anglais.
[ISO Guide 73:2009, définition 3.6.1.1]
2.20
profil de risque
description d'un ensemble quelconque de risques (2.1)
NOTE Cet ensemble de risques peut inclure les risques relatifs à l'ensemble de l'organisme, à une partie de celui-ci,
ou être défini autrement.
[ISO Guide 73:2009, définition 3.8.2.5]
2.21
analyse du risque
processus mis en œuvre pour comprendre la nature d'un risque (2.1) et pour déterminer le n
...

S L O V E N S K I SIST ISO 31000

STANDARD
april 2011













Obvladovanje tveganja – Načela in smernice
Risk management – Principles and guidelines
Management du risque – Principes et lignes directrices

























Referenčna oznaka
ICS 03.100.01 SIST ISO 31000:2011 (sl, en)


Nadaljevanje na straneh od 2 do 41






© 2012-06. Slovenski prevod standarda je založil in izdal Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov ni dovoljeno.
  1

---------------------- Page: 1 ----------------------

SIST ISO 31000 : 2011
NACIONALNI UVOD

Standard SIST ISO 31000 (sl, en), Obvladovanje tveganja – Načela in smernice, 2011, ima status
slovenskega standarda in je enakovreden mednarodnemu standardu ISO 31000, Risk management –
Principles and guidelines, 2009.

NACIONALNI PREDGOVOR

Mednarodni standard ISO 31000:2009 je pripravila delovna skupina za obvladovanje tveganja pri
Tehničnem upravnem odboru ISO. Slovenski standard SIST ISO 31000:2011 je prevod angleškega
besedila mednarodnega standarda ISO 31000:2009. V primeru spora glede besedila slovenskega
prevoda v tem standardu je odločilen izvirni mednarodni standard v angleškem jeziku. Slovensko-
angleško izdajo standarda je pripravil SIST/TC VZK Vodenje in zagotavljanje kakovosti.

Odločitev za izdajo tega standarda je dne 28. februarja 2011 sprejel SIST/TC VZK Vodenje in
zagotavljanje kakovosti.

ZVEZE S STANDARDI

S privzemom tega mednarodnega standarda veljajo za omejeni namen referenčnih standardov vsi
standardi, navedeni v izvirniku, razen standarda, ki smo ga že sprejeli v nacionalno standardizacijo:

SIST ISO/IEC 31010:2011 (en) Obvladovanje tveganja – Tehnike ocenjevanja tveganj

OSNOVA ZA IZDAJO STANDARDA

– Privzem standarda ISO 31000:2009

OPOMBE

– Povsod, kjer se v besedilu standarda uporablja izraz “mednarodni standard”, v SIST ISO 31000
to pomeni “slovenski standard”.
– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.











2

---------------------- Page: 2 ----------------------

SIST ISO 31000 : 2011


VSEBINA StranCONTENTS Page
Predgovor . 5 Foreword .5
Uvod . 6 Introduction.6
1 Področje uporabe . 10 1 Scope .10
2 Izrazi in definicije . 10 2 Terms and definitions.10
3 Načela. 17 3 Principles.17
4 Okvir . 19 4 Framework .19
4.1 Splošno. 19 4.1 General.19
4.2 Naloge in pooblastila ter zavezanost. 21 4.2 Mandate and commitment.21
4.3 Zasnova okvira za obvladovanje  4.3 Design of framework for managing
tveganja. 21 risk .21
4.3.1 Razumevanje organizacije  4.3.1 Understanding of the organization
in njenega konteksta . 21 and its context.21
4.3.2 Vzpostavljanje politike obvladovanja 4.3.2 Establishing risk management
tveganja. 22 policy.22
4.3.3 Odgovornost. 23 4.3.3 Accountability .23
4.3.4 Vključevanje v organizacijske  4.3.4 Integration into organizational
procese . 23 processes .23
4.3.5 Viri. 24 4.3.5 Resources .24
4.3.6 Vzpostavljanje mehanizmov  4.3.6 Establishing internal communication
notranjega komuniciranja in poročanja. 24 and reporting mechanisms .24
4.3.7 Vzpostavljanje mehanizmov  4.3.7 Establishing external
zunanjega komuniciranja in poročanja . 24 communication and reporting mechanisms.24
4.4 Izvajanje obvladovanja tveganja . 25 4.4 Implementing risk management.25
4.4.1 Izvajanje okvira za obvladovanje  4.4.1 Implementing the framework for
tveganja. 25 managing risk .25
4.4.2 Izvajanje procesa obvladovanja  4.4.2 Implementing the risk management
tveganja. 25 process .25
4.5 Spremljanje in pregled okvira . 26 4.5 Monitoring and review of the framework .26
4.6 Nenehno izboljševanje okvira. 26 4.6 Continual improvement of the framework .26
5 Proces. 26 5 Process .26
5.1 Splošno. 26 5.1 General.26
5.2 Komuniciranje in posvetovanje. 27 5.2 Communication and consultation.27
5.3 Vzpostavljanje konteksta. 28 5.3 Establishing the context .28
5.3.1 Splošno. 28 5.3.1 General.28
5.3.2 Vzpostavljanje zunanjega konteksta . 29 5.3.2 Establishing the external context .29
5.3.3 Vzpostavljanje notranjega konteksta. 29 5.3.3 Establishing the internal context .29
5.3.4 Vzpostavljanje konteksta 5.3.4 Establishing the context of the risk
za proces obvladovanja tveganja . 30 management process .30
5.3.5 Določanje meril tveganja . 31 5.3.5 Defining risk criteria.31
5.4 Ocenjevanje tveganja. 31 5.4 Risk assessment .31
5.4.1 Splošno. 31 5.4.1 General.31
5.4.2 Identifikacija tveganja . 32 5.4.2 Risk identification .32
3

---------------------- Page: 3 ----------------------

SIST ISO 31000 : 2011
5.4.3 Analiza tveganja . 32 5.4.3 Risk analysis .32
5.4.4 Vrednotenje tveganja. 33 5.4.4 Risk evaluation.33
5.5 Obravnavanje tveganja. 34 5.5 Risk treatment .34
5.5.1 Splošno. 34 5.5.1 General.34
5.5.2 Izbira možnosti obravnavanja  5.5.2 Selection of risk treatment
tveganja. 34 options .34
5.5.3 Priprava in izvajanje načrtov za 5.5.3 Preparing and implementing risk
obravnavanje tveganja. 35 treatment plans.35
5.6 Spremljanje in pregled. 36 5.6 Monitoring and review .36
5.7 Zapisovanje procesa obvladovanja 5.7 Recording the risk management
tveganja. 37 process .37
Dodatek A (informativni): Lastnosti  Annex A (informative) Attributes of
okrepljenega obvladovanja tveganja . 38 enhanced risk management .38
Literatura. 41 Bibliography.41

4

---------------------- Page: 4 ----------------------

SIST ISO 31000 : 2011


Predgovor Foreword
ISO (Mednarodna organizacija za standardizacijo) ISO (the International Organization for
je svetovna zveza nacionalnih organov za Standardization) is a worldwide federation of
standarde (članov ISO). Mednarodne standarde national standards bodies (ISO member bodies).
navadno pripravljajo tehnični odbori ISO. Vsak The work of preparing International Standards is
član, ki želi delovati na določenem področju, za normally carried out through ISO technical
katero je bil ustanovljen tehnični odbor, ima committees. Each member body interested in a
pravico biti zastopan v tem odboru. Pri delu subject for which a technical committee has
sodelujejo tudi vladne in nevladne mednarodne been established has the right to be represented
organizacije, povezane z ISO. ISO v vseh on that committee. International organizations,
zadevah, ki so povezane s standardizacijo na governmental and non-governmental, in liaison
področju elektrotehnike, tesno sodeluje z with ISO, also take part in the work. ISO
Mednarodno elektrotehniško komisijo (IEC). collaborates closely with the International
Electrotechnical Commission (IEC) on all matters
of electrotechnical standardization.
Mednarodni standardi so pripravljeni v skladu s International Standards are drafted in
pravili, podanimi v 2. delu Direktiv ISO/IEC. accordance with the rules given in the ISO/IEC
Directives, Part 2.
Glavna naloga tehničnih odborov je priprava The main task of technical committees is to
mednarodnih standardov. Osnutki mednarodnih prepare International Standards. Draft
standardov, ki jih sprejmejo tehnični odbori, se International Standards adopted by the technical
pošljejo vsem članom v glasovanje. Za objavo committees are circulated to the member bodies
mednarodnega standarda je treba pridobiti for voting. Publication as an International
soglasje najmanj 75 odstotkov članov, ki se Standard requires approval by at least 75 % of
udeležijo glasovanja. the member bodies casting a vote.
Opozoriti je treba na možnost, da je lahko nekaj Attention is drawn to the possibility that some of
elementov tega mednarodnega standarda the elements of this document may be the
predmet patentnih pravic. ISO ne prevzema subject of patent rights. ISO shall not be held
odgovornosti za identificiranje katerih koli ali responsible for identifying any or all such patent
vseh takih patentnih pravic. rights.
Standard ISO 31000 je pripravila delovna ISO 31000 was prepared by the ISO Technical
skupina za obvladovanje tveganja pri Tehničnem Management Board Working Group on risk
upravnem odboru ISO. management.









5

---------------------- Page: 5 ----------------------

SIST ISO 31000 : 2011
Uvod Introduction
Organizacije vseh vrst in velikosti se soočajo z Organizations of all types and sizes face internal
notranjimi in zunanjimi dejavniki ter vplivi, ki jih and external factors and influences that make it
postavljajo v negotovost, ali bodo dosegle svoje uncertain whether and when they will achieve
cilje in kdaj. Vpliv, ki ga ima ta negotovost na their objectives. The effect this uncertainty has
cilje organizacije, je "tveganje". on an organization's objectives is “risk”.
Vse dejavnosti organizacije vključujejo tveganje. All activities of an organization involve risk.
Organizacije obvladujejo tveganje tako, da ga Organizations manage risk by identifying it,
identificirajo, analizirajo in nato ovrednotijo, ali naj analysing it and then evaluating whether the risk
ga z obravnavanjem spremenijo, da bi zadovoljile should be modified by risk treatment in order to
svojim merilom tveganja. V vsem tem procesu satisfy their risk criteria. Throughout this process,
komunicirajo z deležniki in se z njimi posvetujejo they communicate and consult with stakeholders
ter spremljajo in pregledujejo tveganje in ukrepe, s and monitor and review the risk and the controls
katerim spreminjajo tveganje, da bi zagotovile, da that are modifying the risk in order to ensure that
nadaljnje obravnavanje tveganja ne bi bilo no further risk treatment is required. This
potrebno. Ta sistematičen in logičen proces je International Standard describes this systematic
podrobno opisan v tem mednarodnem standardu. and logical process in detail.
Medtem ko vse organizacije do neke mere While all organizations manage risk to some
obvladujejo tveganje, pa ta mednarodni standard degree, this International Standard establishes
postavlja številna načela, ki jih je treba izpolniti, a number of principles that need to be satisfied
da bo obvladovanje tveganja uspešno. Ta to make risk management effective. This
mednarodni standard priporoča organizacijam, International Standard recommends that
da razvijejo, izvajajo in nenehno izboljšujejo organizations develop, implement and
okvir, katerega namen je vključiti proces za continuously improve a framework whose
obvladovanje tveganja v celovito upravljanje, purpose is to integrate the process for
strategijo in načrtovanje, vodenje, procese managing risk into the organization's overall
poročanja, politiko, vrednote ter kulturo governance, strategy and planning,
organizacije. management, reporting processes, policies,
values and culture.
Obvladovanje tveganja se lahko izvaja v celotni Risk management can be applied to an entire
organizaciji, na mnogih njenih področjih in organization, at its many areas and levels, at
ravneh, ob vsakem času, prav tako pa tudi pri any time, as well as to specific functions,
specifičnih funkcijah, projektih in dejavnostih. projects and activities.
Čeprav se je zaradi različnih potreb praksa Although the practice of risk management has
obvladovanja tveganja razvijala počasi in na been developed over time and within many
mnogih področjih, lahko sprejetje doslednih sectors in order to meet diverse needs, the
procesov v celovitem okviru pomaga zagotoviti, adoption of consistent processes within a
da je tveganje obvladovano uspešno, učinkovito comprehensive framework can help to ensure
in usklajeno po vsej organizaciji. Splošni pristop, that risk is managed effectively, efficiently and
opisan v tem mednarodnem standardu, podaja coherently across an organization. The generic
načela in smernice za obvladovanje vseh vrst approach described in this International
tveganja sistematično, pregledno in verodostojno Standard provides the principles and guidelines
ter v katerem koli obsegu in kontekstu. for managing any form of risk in a systematic,
transparent and credible manner and within any
scope and context.
Vsako specifično področje uporabe Each specific sector or application of risk
obvladovanja tveganja prinaša s seboj svoje management brings with it individual needs,
potrebe, obravnavo, dojemanje in merila. Zato je audiences, perceptions and criteria. Therefore,
ključna značilnost tega mednarodnega a key feature of this International Standard is
standarda vključitev aktivnosti "vzpostavljanja the inclusion of “establishing the context” as an
konteksta" na sam začetek tega splošnega activity at the start of this generic risk
procesa obvladovanja tveganja. Vzpostavljanje management process. Establishing the context
konteksta bo zajemalo cilje organizacije, okolje, will capture the objectives of the organization,
6

---------------------- Page: 6 ----------------------

SIST ISO 31000 : 2011

v katerem sledi tem ciljem, njene deležnike in the environment in which it pursues those
različna merila tveganja – vse to pa ji bo objectives, its stakeholders and the diversity of
pomagalo odkriti ter oceniti naravo in risk criteria – all of which will help reveal and
kompleksnost njenih tveganj. assess the nature and complexity of its risks.
Razmerje med načeli za obvladovanje tveganja, The relationship between the principles for
okvir, v katerem nastopa, in proces obvladovanja managing risk, the framework in which it occurs
tveganja, opisani v tem mednarodnem and the risk management process described in
standardu, so prikazani v sliki 1. this International Standard are shown in Figure 1.
Če je obvladovanje tveganja izvedeno in When implemented and maintained in
vzdrževano v skladu s tem mednarodnim accordance with this International Standard, the
standardom, potem omogoča organizaciji, da na management of risk enables an organization to,
primer: for example:
– poveča verjetnost doseganja ciljev,  – increase the likelihood of achieving
objectives;
– spodbuja proaktivno vodenje, – encourage proactive management;
– se zaveda potrebe po identificiranju in – be aware of the need to identify and treat
obravnavanju tveganja po vsej organizaciji, risk throughout the organization;
– izboljša identifikacijo priložnosti in groženj, – improve the identification of opportunities
and threats;
– izpolnjuje ustrezne pravne in regulativne – comply with relevant legal and regulatory
zahteve ter mednarodne normative, requirements and international norms;
– izboljša obvezno in prostovoljno poročanje, – improve mandatory and voluntary reporting;
– izboljša upravljanje, – improve governance;
– izboljša zaupanje deležnikov,  – improve stakeholder confidence and trust;
– vzpostavi zanesljivo podlago za odločanje – establish a reliable basis for decision
in načrtovanje, making and planning;
– izboljša ukrepe za obvladovanje tveganja, – improve controls;
– uspešno dodeljuje in uporablja vire za – effectively allocate and use resources for
obravnavanje tveganja, risk treatment;
– izboljša delovno uspešnost in učinkovitost, – improve operational effectiveness and
efficiency;
– izboljša zdravje in varnost ter varstvo okolja, – enhance health and safety performance, as
well as environmental protection;
– izboljša preprečevanje poškodb in obvla- – improve loss prevention and incident
dovanje izrednih dogodkov, management;
– kar najbolj zmanjša poškodbe, – minimize losses;
– izboljša organizacijsko učenje in  – improve organizational learning; and
– izboljša organizacijsko prilagodljivost. – improve organizational resilience.
Namen tega mednarodnega standarda je izpolniti This International Standard is intended to meet
potrebe najrazličnejših deležnikov, vključno s: the needs of a wide range of stakeholders,
including:
a) tistimi, ki so odgovorni za razvoj politike a) those responsible for developing risk
obvladovanja tveganja v organizaciji, management policy within their
organization;

7

---------------------- Page: 7 ----------------------

SIST ISO 31000 : 2011
b) tistimi, ki odgovarjajo za zagotavljanje, da je b) those accountable for ensuring that risk is
tveganje uspešno obvladovano v okviru effectively managed within the organization
celotne organizacije ali v okviru specifičnega as a whole or within a specific area, project
področja, projekta ali aktivnosti, or activity;
c) tistimi, ki morajo ovrednotiti uspešnost c) those who need to evaluate an
organizacije na področju obvladovanja organization's effectiveness in managing
tveganja, in risk; and
d) tistimi, ki pripravljajo standarde, vodila, d) developers of standards, guides,
postopke in kodekse ravnanja, ki v celoti ali procedures and codes of practice that, in
delno opredeljujejo, kako naj se tveganje whole or in part, set out how risk is to be
obvladuje v okviru specifičnega konteksta managed within the specific context of
teh dokumentov. these documents.
Trenutna praksa in procesi obvladovanja mnogih The current management practices and
organizacij vključujejo elemente obvladovanja processes of many organizations include
tveganja in veliko organizacij je že sprejelo components of risk management, and many
formalen proces njegovega obvladovanja za organizations have already adopted a formal
posamezne vrste tveganja ali okoliščin. V takih risk management process for particular types of
primerih se lahko organizacija odloči za izvedbo risk or circumstances. In such cases, an
kritičnega pregleda svojih obstoječih praks in organization can decide to carry out a critical
procesov v luči tega mednarodnega standarda. review of its existing practices and processes in
the light of this International Standard.
V tem mednarodnem standardu se uporabljata In this International Standard, the expressions
izraza "risk management" in "managing risk". Na “risk management” and “managing risk” are
splošno se "risk management" nanaša na both used. In general terms, “risk management”
strukturo (načela, okvir in proces) uspešnega refers to the architecture (principles, framework
obvladovanja tveganj, medtem ko se "managing and process) for managing risks effectively,
risk" nanaša na uporabo te strukture pri while “managing risk” refers to applying that
posameznih tveganjih. architecture to particular risks.
8

---------------------- Page: 8 ----------------------

SIST ISO 31000 : 2011



Slika 1: Razmerja med načeli, okvirom in procesom obvladovanja tveganja
Figure 1 – Relationships between the risk management principles, framework and process
9

---------------------- Page: 9 ----------------------

SIST ISO 31000 : 2011


Obvladovanje tveganja – Risk management –
Načela in smernice Principles and guidelines

1 Področje uporabe 1 Scope
Ta mednarodni standard zagotavlja načela in This International Standard provides principles
splošne smernice za obvladovanje tveganja. and generic guidelines on risk management.
Ta mednarodni standard lahko uporabljajo vsa This International Standard can be used by any
podjetja, javna ali zasebna, družbena podjetja, public, private or community enterprise,
združenja, skupine ali posamezniki. association, group or individual. Therefore, this
Potemtakem ta mednarodni standard torej ni International Standard is not specific to any
specifičen za neko industrijo ali sektor. industry or sector.
OPOMBA: Zaradi poenostavitve se za vse različne NOTE For convenience, all the different users of

uporabnike tega mednarodnega standarda this International Standard are referred to
uporablja splošni izraz "organizacija". by the general term “organization”.
Ta mednarodni standard se lahko uporablja v This International Standard can be applied
celotnem življenju organizacije in za širok throughout the life of an organization, and to a
razpon dejavnosti, vključno s strategijami in wide range of activities, including strategies and
odločitvami, dejanji, procesi, funkcijami, decisions, operations, processes, functions,
projekti, proizvodi, storitvami in sredstvi. projects, products, services and assets.
Ta mednarodni standard se lahko uporablja za This International Standard can be applied to
vse vrste tveganja ne glede na njihovo naravo any type of risk, whatever its nature, whether
in ne glede na to, ali imajo pozitivne ali having positive or negative consequences.
negativne posledice.
Čeprav ta mednarodni standard zagotavlja Although this International Standard provides
splošne smernice, ni namenjen spodbujanju generic guidelines, it is not intended to promote
enotnosti obvladovanja tveganja po organizacijah. uniformity of risk management across
Pri snovanju in izvajanju načrtov in okvirov za organizations. The design and implementation
obvladovanje tveganja bo treba upoštevati of risk management plans and frameworks will
različne potrebe posamezne organizacije, njene need to take into account the varying needs of
posebne cilje, kontekst, zgradbo, dejanja, a specific organization, its particular objectives,
procese, funkcije, projekte, proizvode, storitve ali context, structure, operations, processes,
sredstva ter določene vpeljane prakse. functions, projects, products, services, or
assets and specific practices employed.
Ta mednarodni standard je namenjen It is intended that this International Standard be
usklajevanju procesov obvladovanja tveganja pri utilized to harmonize risk management
obstoječih in prihodnjih standardih. Zagotavlja processes in existing and future standards. It
skupni pristop in podporo standardom, ki se provides a common approach in support of
ukvarjajo s specifičnimi tveganji in/ali področji, standards dealing with specific risks and/or
vendar teh standardov ne zamenjuje. sectors, and does not replace those standards.
Ta mednarodni standard ni namenjen This International Standard is not intended for
certificiranju. the purpose of certification.

2 Izrazi in definicije 2 Terms and definitions
V tem dokumentu se uporabljajo naslednji izrazi For the purposes of this document, the
in definicije. following terms and definitions apply.
2.1 2.1
tveganje risk
vpliv negotovosti na doseganje ciljev effect of uncertainty on objectives
OPOMBA 1: Vpliv je odstopanje od pričakovanega – NOTE 1 An effect is a deviation from the expected –

pozitivno in/ali negativno. positive and/or negative.
10

---------------------- Page: 10 ----------------------

SIST ISO 31000 : 2011

OPOMBA 2: Cilji imajo lahko različne vidike (kot so npr. NOTE 2 Objectives can have different aspects (such as

finančni, zdravstveni in varnostni ter okoljski financial, health and safety, and environmental
cilji) in se lahko nanašajo na različne ravni goals) and can apply at different levels (such as
t
(kot so npr. strateška, vseorganizacijska, strategic, organization-wide, project, produc
projektna, proizvodna in procesna). and process).
OPOMBA 3: Za tveganje je pogosto značilno sklicevanje NOTE 3 Risk is often characterized by reference to

na možne dogodke (2.17) in posledice potential events (2.17) and consequences
(2.18) ali na kombinacijo obojih. (2.18), or a combination of these.
OPOMBA 4: Tveganje se pogosto izraža kot kombinacija NOTE 4 Risk is often expressed in terms of a

posledic nekega dogodka (vključno s combination of the consequences of an event
spremembami okoliščin) ter s tem povezane (including changes in circumstances) and the
verjetnosti (2.19) pojava tega dogodka. associated likelihood (2.19) of occurrence.
OPOMBA 5: Negotovost je stanje pomanjkanja (tudi NOTE 5 Uncertainty is the state, even partial, of

delnega) informacij, povezanih z deficiency of information related to,
razumevanjem ali poznavanjem dogodka, understanding or knowledge of an event, its
njegovih posledic ali njegove verjetnosti. consequence, or likelihood.
[ISO Vodilo 73:2009, definicija 1.1] [ISO Guide 73:2009, definition 1.1]
2.2 2.2
obvladovanje tveganja risk management
usklajene aktivnosti za usmerjanje in nadzoro- coordinated activities to direct and control an

vanje organizacije v zvezi s tveganjem (2.1) organization with regard to risk (2.1)
[ISO Vodilo 73:2009, definicija 2.1] [ISO Guide 73:2009, definition 2.1]

2.3 2.3
okvir za obvladovanje tveganja risk management framework
skupek elementov, ki zagotavljajo temelje in set of components that provide the foundations
organizacijske ureditve za snovanje, izvajanje, and organizational arrangements for designing,
spremljanje (2.28), pregledovanje in nenehno implementing, monitoring (2.28), reviewing
izboljševanje obvladovanja tveganja (2.2) po and continually improving risk management
vsej organizaciji (2.2) throughout the organization
OPOMBA 1: Temelji vključujejo politiko, cilje, naloge in NOTE 1 The foundations include the policy,

pooblastila ter zavezanost k obvladovanju objectives, mandate and commitment to
tveganja (2.1). manage risk (2.1).
OPOMBA 2: Organizacijske ureditve vključujejo načrte, NOTE 2 The organizational arrangements include

odnose, odgovornosti, vire, procese in plans, relationships, accountabilities,
aktivnosti. resources, processes and activities.
OPOMBA 3: Okvir za obvladovanje tveganja je vgrajen v NOTE 3 The risk management framework is

celotno strateško in operativno politiko ter embedded within the organization's
prakso organizacije. overall strategic and operational
policies and practices.
[ISO Vodilo 73:2009, definicija 2.1.1] [ISO Guide 73:2009, definition 2.1.1]

2.4 2.4
politika obvladovanja tveganja risk management policy
izjava o celovitih namerah in usmeritvi orga- statement of the overall intentions and direction of
nizacije v zvezi z obvladovanjem tveganja (2.2) an organization related to risk management (2.2)
[ISO Vodilo 73:2009, definicija 2.1.2] [ISO Guide 73:2009, definition 2.1.2]
2.5 2.5
odnos do tveganja risk attitude
pristop organizacije k ocenjevanju in organization's approach to assess and
morebitnemu spremljanju, ohranitvi, sprejetju ali eventually pursue, retain, take or turn away
odvračanju od tveganja (2.1) from risk (2.1)
[ISO Vodilo 73:2009, definicija 3.7.1.1] [ISO Guide 73:2009, definition 3.7.1.1]
11

---------------------- Page: 11 ----------------------

SIST ISO 31000 : 2011
2.6 2.6
načrt obvladovanja tveganja risk management plan
načrt znotraj okvira za obvladovanje tveganja scheme within the risk management
(2.3), ki opredeljuje pristop, elemente framework (2.3) specifying the approach, the
obvladovanja in vire, ki naj se uporabijo za management components and resources to be
obvladovanje tveganja (2.1) applied to the management of
...