SIST ISO 31000:2018
Risk management - Guidelines
This document provides guidelines on managing risk faced by organizations. The application of these
guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector
specific.
This document can be used throughout the life of the organization and can be applied to any activity,
including decision-making at all levels.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST ISO 31000:2018
01-May-2018
Obvladovanje tveganja - Smernice
Risk management - Guidelines
Management du risque -- Lignes directrices
This Slovenian standard is identical to: ISO 31000:2018
ICS: 03.100.01 Company organization and management in general
SIST ISO 31000:2018 en,fr
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
INTERNATIONAL ISO
STANDARD 31000
Second edition
2018-02
Risk management — Guidelines
Management du risque — Lignes directrices
Reference number
ISO 31000:2018(E)
©
ISO 2018
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 Framework
5.1 General
5.2 Leadership and commitment
5.3 Integration
5.4 Design
5.4.1 Understanding the organization and its context
5.4.2 Articulating risk management commitment
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
5.4.4 Allocating resources
5.4.5 Establishing communication and consultation
5.5 Implementation
5.6 Evaluation
5.7 Improvement
5.7.1 Adapting
5.7.2 Continually improving
6 Process
6.1 General
6.2 Communication and consultation
6.3 Scope, context and criteria
6.3.1 General
6.3.2 Defining the scope
6.3.3 External and internal context
6.3.4 Defining risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording and reporting
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 262, Risk management.
This second edition cancels and replaces the first edition (ISO 31000:2009) which has been technically
revised.
The main changes compared to the previous edition are as follows:
— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting
with the governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences,
knowledge and analysis can lead to a revision of process elements, actions and controls at each
stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple
needs and contexts.
Introduction
This document is for use by people who create and protect value in organizations by managing risks,
making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face external and internal factors and influences that make it
uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making
informed decisions.
Managing risk is part of governance and leadership, and is fundamental to how the organization is
managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organization and includes interaction with
stakeholders.
Managing risk considers the external and internal context of the organization, including human
behaviour and cultural factors.
Managing risk is based on the principles, framework and process outlined in this document, as
illustrated in Figure 1. These components might already exist in full or in part within the organization,
however, they might need to be adapted or improved so that managing risk is efficient, effective and
consistent.
Figure 1 — Principles, framework and process
INTERNATIONAL STANDARD ISO 31000:2018(E)
Risk management — Guidelines
1 Scope
This document provides guidelines on managing risk faced by organizations. The application of these
guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector
specific.
This document can be used throughout the life of the organization and can be applied to any activity,
including decision-making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences
(3.6) and their likelihood (3.7).
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision
or activity
Note 1 to entry: The term “interested party” can be used as an alternative to “stakeholder”.
3.4
risk source
element which alone or in combination has the potential to give rise to risk (3.1)
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several
consequences (3.6).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
Note 3 to entry: An event can be a risk source.
3.6
consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
3.7
likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word “likelihood” is used to refer to the chance of
something happening, whether defined, measured or determined objectively or subjectively, qualitatively or
quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a
given time period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
3.8
control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
4 Principles
The purpose of risk management is the creation and protection of value. It improves performance,
encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient
risk management, communicating its value and explaining its intention and purpose. The principles are
the foundation for managing risk and should be considered when establishing the organization’s risk
management framework and processes. These principles should enable an organization to manage the
effects of uncertainty on its objectives.
Figure 2 — Principles
Effective risk management requires the elements of Figure 2 and can be further explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and
comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the
organization’s external and internal context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization’s external and internal context changes.
Risk management anticipates, detects, acknowledges and responds to those changes and events in
an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future
expectations. Risk management explicitly takes into account any limitations and uncertainties
associated with such information and expectations. Information should be timely, clear and
available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level
and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk
management into significant activities and functions. The effectiveness of risk management will depend
on its integration into the governance of the organization, including decision-making. This requires
support from stakeholders, particularly top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving
risk management across the organization. Figure 3 illustrates the components of a framework.
Figure 3 — Framework
The organization should evaluate its existing risk management practices and processes, evaluate any
gaps and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to
the needs of the organization.
5.2 Leadership and commitment
Top management and oversight bodies, where applicable, should ensure that risk management is
integrated into all organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of risk
criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk while oversight bodies are accountable for overseeing
risk management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization’s objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization’s objectives;
— ensure that information about such risks and their management is properly communicated.
5.3 Integration
Integrating risk management relies on an understanding of organizational structures and context.
Structures differ depending on the organization’s purpose, goals and complexity. Risk is managed in every
part of the organization’s structure. Everyone in an organization has responsibility for managing risk.
Governance guides the course of the organization, its external and internal relationships, and the rules,
processes and practices needed to achieve its purpose. Management structures translate governance
direction into the strategy and associated objectives required to achieve desired levels of sustainable
performance and long-term viability. Determining risk management accountability and oversight roles
within an organization is an integral part of the organization’s governance.
Integrating risk management into an organization is a dynamic and iterative process, and should
be customized to the organization’s needs and culture. Risk management should be a part of, and
not separate from, the organizational purpose, governance, leadership and commitment, strategy,
objectives and operations.
5.4 Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its
external and internal context.
Examining the organization’s external context may include, but is not limited to:
— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental
factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual
property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.
5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their
continual commitment to risk management through a policy, a statement or other forms that clearly
convey an organization’s objectives and commitment to risk management. The commitment should
include, but is not limited to:
— the organization’s purpose for managing risk and links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization’s performance indicators;
— review and improvement.
The risk management commitment should be communicated within an organization and to stakeholders,
as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities,
responsibilities and accountabilities for relevant roles with respect to risk management are assigned
and communicated at all levels of the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage risk (risk owners).
5.4.4 Allocating resources
Top management and oversight bodies, where applicable, should ensure allocation of appropriate
resources for risk management, which can include, but are not limited to:
— people, skills, experience and competence;
— the organization’s processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.
5.4.5 Establishing communication and consultation
The organization should establish an approved approach to communication and consultation in order
to support the framework and facilitate the effective application of risk management. Communication
involves sharing information with targeted audiences. Consultation also involves participants providing
feedback with the expectation that it will contribute to and shape decisions or other activities.
Communication and consultation methods and content should reflect the expectations of stakeholders,
where relevant.
Communication and consultation should be timely and ensure that relevant information is collected,
collated, synthesised and shared, as appropriate, and that feedback is provided and improvements
are made.
5.5 Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and
by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and
practised.
Successful implementation of the framework requires the engagement and awareness of stakeholders.
This enables organizations to explicitly address uncertainty in decision-making, while also ensuring
that any new or subsequent uncertainty can be taken into account as it arises.
Properly designed and implemented, the risk management framework will ensure that the risk
management process is a part of all activities throughout the organization, including decision-making,
and that changes in external and internal contexts will be adequately captured.
5.6 Evaluation
In order to evaluate the effectiveness of the ri
...
INTERNATIONAL STANDARD
ISO
31000
Second edition
2018-02
Official translation
Traduction officielle
Risk management — Guidelines
Management du risque — Lignes directrices
Printed at the ISO Central Secretariat in Geneva, Switzerland, as an official Arabic translation prepared by the Arabic translation working group of ISO/TC 262, Risk management (ATTF/1).
Reference number
ISO 31000:2018(A)
Official translation
© ISO 2018
Arab standardization bodies that adopted this standard:
Jordan Standards and Metrology Organization (Jordan)
Emirates Authority for Standardization and Metrology (United Arab Emirates)
Algerian Institute for Standardization (Algeria)
Saudi Standards and Metrology Organization (Saudi Arabia)
Central Organization for Standardization and Quality Control (Iraq)
Public Authority for Industry (Kuwait)
Sudanese Standards and Metrology Organization (Sudan)
Yemen Standards, Metrology and Quality Control Organization (Yemen)
National Institute for Standardization and Industrial Property (Tunisia)
Syrian Arab Organization for Standardization and Metrology (Syria)
National Centre for Standards and Metrology (Libya)
Egyptian Organization for Standardization and Quality (Egypt)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior permission. Permission can be requested from either ISO at the address below or one of the member bodies of the International Organization for Standardization in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
The Arabic version was published in 2021.
Published in Switzerland
و
)ع( 02813:8222 زيا
سزٓفنا
IV . : ذيًٓت
V . :تيذقًنا
VI . تيٓيجٕتنا تندلأا - زطاخًنا ةرادإ
1 . :قاطُنا .1
VI . :تيضييقتنا عجازًنا .2
VI . :ثافيزعتنأ ثاذهطصًنا .3
1 . :زطخنا 1.3
1 . زطاخًنا ةرادإ 2.3
VI . تيُعًنا فازطلأا 3.3
VII . زطخنا رذصي 4.3
2VII . ثذذنا 5.3
2VII . تبقاعنا 6.3
2 . تيناًتدلاا 3.3
2 . ظبإضنا 3.3
3 . :ادابًنا .4
4 . :يًيظُتنا راطلإا .5
4 . واع 1.5
5 . :وازتنلاا ٔ ةدايقنا 2.5
6 . جايذَلاا 3.5
3 .:ىيًصتنا 4.5
3 . آقايص ٔ ةأشًُنا ىٓف 1.4.5
3 . زطاخًنا ةرادئب وازتنلإا خيضٕت 2.4.5
3 . تيًيظُتنا ثلاءاضًنأ ، ثاينٔؤضًنأ ثاطهضنأ ،رأدلأا داُصا 3.4.5
3 . درإًنا صيصخت 4.4.5
9 . رٔاشتنا ٔ لاصتلاا 5.4.5
9 . :ذيفُتنا5.5
11 . ىييقتنا 6.5
11 . ٍيضذتنا 3.5
11 .ىهقأتنا 1.3.5
11 . زًتضًنا ٍيضذُنا 2.3.5
11 . :تيهًعنا .6
11 . واع 1.6
11 . رٔاشتنأ لاصتلاا 2.6
12 . زيياعًنأ قايضنا ،قاطُنا 3.6
12 . واع 1.3.6
12 . قاطُنا ذيذذت 2.3.6
13 . يهخاذنأ يجراخنا قايضنا 3.3.6
13 . زطخنا زيياعي فيزعت 4.3.6
14 . زطاخًنا ىييقت 4.6
14 . واع 1.4.6
14 . زطاخًنا ذيذذت 2.4.6
---------------------- Page: 3 ----------------------
و
)ع( 02813:8222 زيا
15 . زطاخًنا ميهذت 3.4.6
16 . زطاخًنا زيذقت 4.4.6
16 . زطاخًنا تجناعي 5.6
16 . واع 1.5.6
13 . زطاخًنا تجناعي ثارايخ رايتخا 2.5.6
13 . زطاخًنا تجناعي ظطخ ذيفُتٔ داذعإ 3.5.6
13 . تعجازًنأ تبقازًنا 6.6
19 . )حاصفلإا( زيراقتنا عفرٔ ميجضتنا 3.6
21 . :عجازًنا
iii
---------------------- Page: 4 ----------------------
و
)ع( 02813:8222 زيا
: ديهمت
ـلا يف ءاضعلأا تائييلا( ةينطولا سييقتلا تائييل يلود داحتا يى (ISO سييقتمل ةيلودلا ةمظنملا ( وزيلأا
ٌ
ةساردب ينعم وضع لكل .ISO لل ةينفلا ناجملا للاخ نم ةيلودلا ةيسايقلا تافصاوملا دادعإ متي ةداع .)ISO
تامظنملا لمعلا يف كلذك كراشيو .ضرغمل ةصتخملا ةينفلا ةنجملا كمت يف لاثمم نوكي نأ يف قحلا ةنيعم
عيمج يف ، )IEC( ةينقتورھكلا ةيلودلا ةنجملا عم قيثو لكشب وزيلاا نواعتت ،ةيموكحلا ريغو ةيموكحلاو ةيلودلا
. ينقتوريكلا سييقتلا رومأ
ISO / IEC تاييجوت يف ةحضوم اييمع ريوطتلا ةمصاومل كمتو ةفصاوملا هذى ريوطتل ةمدختسملا تاءرجلإاا
هذى ةغايص تمت .وزيلاا ىدل قئاثولا فمتخم زاجيلإ ةمزلالا ريبادتلا ريياعم اميس لا . لولأا ءزجلا ،
عجرا ( يناثلا ءزجلا ، ISO / IEC تاييجوتب ةصاخلا ريرحتلا دعاوقل اقفو ةقيثولا
ً
.)www.iso.org/directives
ةيلوؤسم وزيلاا لمحتت نل .ةيكمملا قوقح عوضوم ةقيثولا هذى رصانع ضعب نوكت نأ لامتحا ىلإ هابتنلاا ىجري
يف ةقيثولا ريوطت ءانثأ اىديدحت مت ةيكمممل قوقح ةيأ ليصافت .ايعيمج وأ هذى ةيكمملا قوقح نم يأ ديدحت
www.iso.org/patents).رظنا( ةممتسملا تاءربلاا تانلاعلإ وزيلاا ةمئاق يف وأ /و ةمدقملا
.ةقداصم لكشت لاو نيمدختسملا ىمع ريسيتمل ةمدقم تامومعم وى ةقيثولا هذى يف مدختسم يراجت مسا يأ
ةقمعتملا ةددحملا وزيلاا ترا يبعتو تاحمطصم ىنعمو ، ريياعممل ةيعوطلا ةعيبطلا لوح حرش ىمع لوصحمل
زجاوحلا يف (WTO) ةيملاعلا ةراجتلا ةمظنم ئدابمب وزيلاا مزتلاا لوح تامومعم ىلإ ةفاضلإاب ، ةقباطملا مييقتب
: www.iso.org/iso/foreword.html.يلاتلا URL ناونع رظنا ، (TBT)ةراجتلا مامأ ةينقتلا
.رطاخملا ةرادإ ، ISO / TC 262ةينفلا ةنجملا لبق نم ةقيثولا هذى دادعإ مت
. اينقت وتعجارم تمت يذلا )ISO 22293:9222( لولأا رادصلإا لحم لحيو يغمي يناثلا رادصلإا اذى
ً
:يمي امك يى قباسلا رادصلإاب ةنراقم ةيسيئرلا ترييا غتلا
.ايحاجنل ةيساسلأا ريياعملا يىو ، رطاخملا ةرادإ ئدابم ةعجارم
؛ ةأشنملا ةمكوح نم اءدب ، رطاخملا ةرادإ لماكتو ايمعلا ةرادلإا لبق نم ةدايقلا ىمع ءوضلا طيمست
ً
تلايمحتلاو فراعملاو تربخلاا نأ ةظحلام عم ، رطاخملا ةرادلإ ةيراركتلا ةعيبطلا ىمع زيكرتلا ةدايز
لحارم نم ةمحرم لك يف طباوضلاو تاءرجلإاا و ةيممعلا رصانع ةعجارم ىلإ يدؤت نأ نكمي ةديدجلا
؛ ةيممعلا
تاجايتحلاا مئلايل ةحوتفملا ةمظنلأا جذومن ةمادتسا ىمع ربكأ لكشب زيكرتلا عم ىوتحملا طيسبت
.ةددعتملا تاقايسلاو
iv
---------------------- Page: 5 ----------------------
و
)ع( 02813:8222 زيا
:ةمدقملا
ةرادإ للاخ نم تآشنملا يف ةميقلا ةيامحو ءاشنإب نوموقي نيذلا صاخشلأا لبق نم مادختسلال ةقيثولا هذى تدعإ
.ءادلأا نيسحتو ايقيقحتو فادىلأا ديدحتو ، تراارقلا ذاختاو ، رطاخملا
.ايفادىأ نم ةدكأتم ريغ ايمعجت ةيمخادو ةيجراخ تريثا أتو لماوع ماجحلأاو عاونلأا عيمج نم تآشنملا وجاوت
فادىلأا قيقحتو ةيجيترتسلاا ا عضو يف تآشنملا دعاستو رمتسم وحن ىمع اىذيفنت متي ةيممع يى رطاخملا ةرادإ
.ةسوردم تراارق ذاختاو
بناج ىلإ .تايوتسملا عيمج ىمع ةسسؤملا ةرادلإ ةيساسأ يىو ، ةدايقلاو ةمكوحلا نم ءزج يى رطاخملا ةرادإ
.ةرادلإا ةمظنأ نيسحت يف مىاست اينأ
. ةينعملا فرطلأاا عم لعافتلا لمشتو ةسسؤملاب ةطبترملا ةطشنلأا عيمج نم اءزج رطاخملا ةرادإ دعت
ً
.ةيفاقثلا لماوعلاو يرشبلا كومسلا كلذ يف امب ، ةمظنممل يمخادلاو يجراخلا قايسلا رطاخملا ةرادإ سردت
يف حضوم وى امك ، ةقيثولا هذى يف ةحضوملا ةيممعلاو يميظنتلا راطلإا ،ئدابملا ىلإ رطاخملا ةرادإ دنتست
وأ ايفييكت ىلإ جاتحت دق ، كلذ عمو ، ةسسؤملا لخاد ايئزج وأ ايمك ةدوجوم تانوكملا هذى نوكت دقو .9 لكشلا
ً ً
.ةمءلامو ةيلاعفو ةءافكب رطاخملا ةرادإب مايقلا ىنستي ىتح اينيسحت
ةيممعلاو ، يميظنتلا راطلإاو ،ئدابملا – 0 لكشلا
v
---------------------- Page: 6 ----------------------
و
)ع( 02813:8222 زيا
Risk management - Guidelines
1. Scope:
This document provides guidance on the process of managing the risks that organizations face. The application of this guidance can be adapted to the organization and its context.
This document provides a common approach to managing any type of risk and is not directed at a particular industry or sector.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
2. Normative references:
There are no normative references in this document.
3. Terms and definitions:
For the purposes of this document, the following terms and definitions apply:
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at http://www.iso.org/obp
- IEC Electropedia: available at http://www.electropedia.org
3.1 risk:
effect of uncertainty on the achievement of objectives.
Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and the likelihood of their occurrence (3.7).
3.2 risk management
coordinated set of activities to direct an organization and control its risks (3.1).
3.3 interested parties
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.
Note: The term "interested parties" can be used as an alternative to the term "stakeholders".
3.4 risk source
element which, alone or in combination with other elements, has the potential to give rise to risk (3.1).
3.5 event
occurrence or change of a particular set of circumstances.
Note 1: An event can be one or more occurrences, and can have several causes and several consequences (3.6).
Note 2: An event can also consist of something expected that does not happen, or something not expected that does happen.
Note 3: An event can be a risk source.
3.6 consequence
outcome of an event (3.5) affecting objectives.
Note 1: Consequences can be certain or uncertain, and can have positive or negative direct and indirect effects on objectives.
Note 2: A consequence can be expressed qualitatively or quantitatively.
Note 3: Any consequence can escalate through cascading or cumulative effects.
3.7 likelihood
chance of something happening.
Note 1: In risk management (3.2) terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically [such as a measure of probability or frequency over a given time period].
Note 2: The English term "likelihood" has no direct equivalent in some other languages, so the corresponding term "probability" is often used instead, noting that "probability" is often restricted to use as a mathematical (computational) term; in risk management, however, the term "likelihood" is used in the broad sense that corresponds to "probability" in other languages.
3.8 control
measure that maintains or modifies risk (3.1).
Note 1: Controls include, but are not limited to, any process, policy, device, practice or other action that modifies and/or maintains risk.
Note 2: Controls may not always achieve the intended or assumed change.
4. Principles:
The purpose of risk management is the creation and protection of value, the improvement of performance, the encouragement of innovation, and support for the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intent and purpose. These principles are the foundation for managing risk and must be taken into consideration when establishing the organization's risk management framework and processes. These principles should enable the organization to manage the effect of uncertainty on the achievement of its objectives.
Figure 2 – Principles
Effective risk management requires the elements of Figure 2, which can be explained as follows:
a) Integrated:
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized (tailored)
The risk management framework and process are aligned and tailored to the organization's external and internal context related to its objectives.
d) Inclusive
Enabling the appropriate and timely involvement of interested parties, taking into account their knowledge, views and perceptions, leads to improved awareness and sound risk management.
e) Dynamic
Risks can emerge, change or disappear as the organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant interested parties.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5. Framework:
5.1 General:
The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management depends on its integration into the governance of the organization, including decision-making. This requires support from interested parties, in particular from top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization. Figure 3 illustrates the components of the framework.
Figure 3 – Framework
The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address them within the framework.
The components of the framework and the way in which they work together should be customized to the needs of the organization.
5.2 Leadership and commitment:
Top management and oversight bodies, where applicable, should integrate risk management into all organizational activities of the organization, and should demonstrate leadership and commitment by:
- customizing and implementing all components of the framework as required by the organization;
- issuing a statement or policy that establishes a risk management approach, plan or course of action;
- ensuring that the necessary resources are allocated to the risk management process;
- assigning authority, responsibility and accountability at appropriate levels within the organization, as this will help it to:
align risk management with its objectives, strategy and culture;
recognize and address all obligations, as well as its voluntary commitments;
determine the amount and type of risk that may or may not be taken, to guide the development of risk criteria, and ensure that it is communicated to the organization and interested parties;
communicate the value of risk management within the organization and with interested parties;
promote regular monitoring of risks;
ensure that the risk management framework is appropriate to the context of the organization.
Oversight bodies are accountable for
...
INTERNATIONAL ISO
STANDARD 31000
Redline version
compares Second edition to
First edition
Risk management — Guidelines
Management du risque — Lignes directrices
Reference number
ISO 31000:redline:2018(E)
©
ISO 2018
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x . — Heading numbers containing modifications are highlighted in yellow in
the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
2 3 Terms and definitions . 1
3 4 Principles . 7
4 5 Framework . 9
4.1 5.1 General . 9
4.2 5.2 Mandate Leadership and commitment .11
5.3 Integration .11
4.3 5.4 Design of framework for managing risk .12
4.3.1 5.4.1 Understanding of the organization and its context .12
4.3.2 5.4.2 Establishing Articulating risk management policy commitment .13
4.3.3 5.4.3 Accountability Assigning organizational roles, authorities,
responsibilities and accountabilities .13
4.3.4 Integration into organizational processes .14
4.3.5 5.4.4 Resources Allocating resources .14
4.3.6 5.4.5 Establishing internal communication and reporting
mechanisms consultation .14
4.3.7 Establishing external communication and reporting mechanisms .15
4.4 5.5 Implementing risk management Implementation .15
4.4.1 Implementing the framework for managing risk .15
4.4.2 Implementing the risk management process .15
4.5 5.6 Monitoring and review of the framework Evaluation .16
4.6 5.7 Continual improvement of the framework Improvement .16
5.7.1 Adapting .16
5.7.2 Continually improving .16
5 6 Process .16
5.1 6.1 General .16
5.2 6.2 Communication and consultation .18
5.3 6.3 Establishing the context Scope, context and criteria .18
5.3.1 6.3.1 General .18
5.3.2 6.3.2 Establishing the external context Defining the scope .19
5.3.3 6.3.3 Establishing the External and internal context .19
5.3.4 Establishing the context of the risk management process .20
5.3.5 6.3.4 Defining risk criteria .20
5.4 6.4 Risk assessment .21
5.4.1 6.4.1 General .21
5.4.2 6.4.2 Risk identification .21
5.4.3 6.4.3 Risk analysis .22
5.4.4 6.4.4 Risk evaluation .23
5.5 6.5 Risk treatment .24
5.5.1 6.5.1 General .24
5.5.2 6.5.2 Selection of risk treatment options.24
5.5.3 6.5.3 Preparing and implementing risk treatment plans .25
5.6 6.6 Monitoring and review .26
5.7 6.7 Recording the risk management process and reporting .27
Annex A (informative) Attributes of enhanced risk management .28
Bibliography .30
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
[removed: International Standards are] [added: The procedures used to develop this document and those intended for
its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different
approval criteria needed for the different types of ISO documents should be noted. This document was]
drafted in accordance with the [removed: rules given in] [added: editorial rules of] the ISO/IEC Directives, Part 2 [added: (see
www.iso.org/directives)].
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
[removed: ISO 31000] [added: This document] was prepared by [removed: the ISO Technical Management Board Working Group on
risk] [added: Technical Committee ISO/TC 262, Risk management].
This second edition cancels and replaces the first edition (ISO 31000:2009) which has been technically
revised.
The main changes compared to the previous edition are as follows:
— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting
with the governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences,
knowledge and analysis can lead to a revision of process elements, actions and controls at each
stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple
needs and contexts.
Introduction
This document is for use by people who create and protect value in organizations by managing risks,
making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face [removed: internal and external] [added: external and internal] factors and
influences that make it uncertain whether [removed: and when] they will achieve their objectives. [removed: The effect this
uncertainty has on an organization's objectives is “risk”.]
All activities of an organization involve risk. Organizations manage risk by identifying it, analysing
it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their
risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor
and review the risk and the controls that are modifying the risk in order to ensure that no further risk
treatment is required. This International Standard describes this systematic and logical process in detail.
[removed: While all organizations manage risk to some degree, this International Standard establishes a number
of principles that need to be satisfied to make risk management effective. This International Standard
recommends that organizations develop, implement and continuously improve a framework whose
purpose is to integrate the process for managing risk into the organization's overall governance,
strategy and planning, management, reporting processes, policies, values and culture.] [added: Managing risk
is iterative and assists organizations in setting strategy, achieving objectives and making informed
decisions.]
Risk management can be applied to an entire organization, at its many areas and levels, at any time, as
well as to specific functions, projects and activities.
[removed: Although the practice of risk management has been developed over time and within many sectors in
order to meet diverse needs, the adoption of consistent processes within a comprehensive framework
can help to ensure that risk is managed effectively, efficiently and coherently across an organization.
The generic approach described in this International Standard provides the principles and guidelines for
managing any form of risk in a systematic, transparent and credible manner and within any scope and
context.] [added: Managing risk is part of governance and leadership, and is fundamental to how the organization
is managed at all levels. It contributes to the improvement of management systems.]
Managing risk is part of all activities associated with an organization and includes interaction with
stakeholders.
[removed: Each specific sector or application of risk management brings with it individual needs, audiences,
perceptions and criteria. Therefore, a key feature of this International Standard is the inclusion
of “establishing the context” as an activity at the start of this generic risk management process.
Establishing the context will capture the objectives of the organization, the environment in which it
pursues those objectives, its stakeholders and the diversity of risk criteria – all of which will help reveal
and assess the nature and complexity of its risks.] [added: Managing risk considers the external and internal
context of the organization, including human behaviour and cultural factors.]
[removed: The relationship between the principles for managing risk, the framework in which it occurs and the
risk management process described in this International Standard are shown] [added: Managing risk is based
on the principles, framework and process outlined in this document, as illustrated] in Figure 1. [added: These
components might already exist in full or in part within the organization, however, they might need to
be adapted or improved so that managing risk is efficient, effective and consistent.]
When implemented and maintained in accordance with this International Standard, the management of
risk enables an organization to, for example:
— increase the likelihood of achieving objectives;
— encourage proactive management;
— be aware of the need to identify and treat risk throughout the organization;
— improve the identification of opportunities and threats;
— comply with relevant legal and regulatory requirements and international norms;
— improve mandatory and voluntary reporting;
— improve governance;
— improve stakeholder confidence and trust;
— establish a reliable basis for decision making and planning;
— improve controls;
— effectively allocate and use resources for risk treatment;
— improve operational effectiveness and efficiency;
— enhance health and safety performance, as well as environmental protection;
— improve loss prevention and incident management;
— minimize losses;
— improve organizational learning; and
— improve organizational resilience.
This International Standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole
or within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out
how risk is to be managed within the specific context of these documents.
The current management practices and processes of many organizations include components of risk
management, and many organizations have already adopted a formal risk management process for
particular types of risk or circumstances. In such cases, an organization can decide to carry out a
critical review of its existing practices and processes in the light of this International Standard.
In this International Standard, the expressions “risk management” and “managing risk” are both used.
In general terms, “risk management” refers to the architecture (principles, framework and process) for
managing risks effectively, while “managing risk” refers to applying that architecture to particular risks.
Figure 1 — [removed: Relationships between the risk management principles] [added: Principles], framework and process
(graphic not reproduced)
INTERNATIONAL STANDARD ISO 31000:redline:2018(E)
Risk management — Guidelines
1 Scope
This [removed: International Standard provides principles and generic guidelines on risk management.] [added: document
provides guidelines on managing risk faced by organizations. The application of these guidelines can be
customized to any organization and its context.]
This [removed: International Standard can be used by any public, private or community enterprise, association,
group or individual. Therefore, this International Standard is not specific to any] [added: document provides a
common approach to managing any type of risk and is not] industry or sector [added: specific].
NOTE For convenience, all the different users of this International Standard are referred to by the general
term “organization”.
This [removed: International Standard] [added: document] can be [removed: applied] [added: used] throughout the life of [removed: an] [added: the] organization[removed: ,
and to a wide range of activities, including strategies and decisions, operations, processes, functions,
projects, products, services and assets] [added: and can be applied to any activity, including decision-making at
all levels].
This International Standard can be applied to any type of risk, whatever its nature, whether having
positive or negative consequences.
Although this International Standard provides generic guidelines, it is not intended to promote
uniformity of risk management across organizations. The design and implementation of risk
management plans and frameworks will need to take into account the varying needs of a specific
organization, its particular objectives, context, structure, operations, processes, functions, projects,
products, services, or assets and specific practices employed.
It is intended that this International Standard be utilized to harmonize risk management processes in
existing and future standards. It provides a common approach in support of standards dealing with
specific risks and/or sectors, and does not replace those standards.
This International Standard is not intended for the purpose of certification.
2 Normative references
There are no normative references in this document.
2 3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org
2.1 3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected [removed: — positive and/or negative]. [added: It can be positive, negative
or both, and can address, create or result in opportunities and threats.]
Note 2 to entry: Objectives can have different aspects [removed: (such as financial, health and safety, and environmental
goals) and can apply] [added: and categories, and can be applied] at different levels [removed: (such as strategic, organization-wide,
project, product and process)].
Note 3 to entry: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a
combination of these.
Note 4 to entry: Risk is [removed: often] [added: usually] expressed in terms of [removed: a combination of the consequences of an event
(including changes in circumstances)] [added: risk sources (3.4), potential events (3.5), their consequences (3.6)] and [removed: the
associated] [added: their] likelihood ([removed: 2.19] [added: 3.7]) [removed: of occurrence].
Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of an event, its consequence, or likelihood.
[SOURCE: ISO Guide 73:2009, definition 1.1]
2.2 3.2
risk management
coordinated activities to direct and control an organization with regard to risk (2.1 3.1)
[SOURCE: ISO Guide 73:2009, definition 2.1]
2.3
risk management framework
set of components that provide the foundations and organizational arrangements for designing,
implementing, monitoring (2.28), reviewing and continually improving risk management (2.2)
throughout the organization
Note 1 to entry: The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
Note 2 to entry: The organizational arrangements include plans, relationships, accountabilities, resources,
processes and activities.
Note 3 to entry: The risk management framework is embedded within the organization's overall strategic and
operational policies and practices.
[SOURCE: ISO Guide 73:2009, definition 2.1.1]
2.4
risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[SOURCE: ISO Guide 73:2009, definition 2.1.2]
2.5
risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)
[SOURCE: ISO Guide 73:2009, definition 3.7.1.1]
2.6
risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management
components and resources to be applied to the management of risk (2.1)
Note 1 to entry: Management components typically include procedures, practices, assignment of responsibilities,
sequence and timing of activities.
Note 2 to entry: The risk management plan can be applied to a particular product, process and project, and part
or whole of the organization.
[SOURCE: ISO Guide 73:2009, definition 2.1.3]
2.7
risk owner
person or entity with the accountability and authority to manage a risk (2.1)
[SOURCE: ISO Guide 73:2009, definition 3.5.1.5]
2.8
risk management process
systematic application of management policies, procedures and practices to the activities of
communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating,
monitoring (2.28) and reviewing risk (2.1)
[SOURCE: ISO Guide 73:2009, definition 3.1]
2.9
establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting
the scope and risk criteria (2.22) for the risk management policy (2.4)
[SOURCE: ISO Guide 73:2009, definition 3.3.1]
2.10
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization; and
— relationships with, and perceptions and values of external stakeholders (2.13).
[SOURCE: ISO Guide 73:2009, definition 3.3.1.1]
2.11
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes,
systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, definition 3.3.1.2]
2.12
communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information
and to engage in dialogue with stakeholders (2.13) regarding the management of risk (2.1)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (2.19), significance,
evaluation, acceptability and treatment of the management of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its
stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
[SOURCE: ISO Guide 73:2009, definition 3.2.1]
2.13 3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision
or activity
Note 1 to entry: [removed: A decision maker can be a stakeholder] [added: The term “interested party” can be used as an alternative
to “stakeholder”].
[SOURCE: ISO Guide 73:2009, definition 3.2.1.1]
2.14
risk assessment
overall process of risk identification (2.15), risk analysis (2.21) and risk evaluation (2.24)
[SOURCE: ISO Guide 73:2009, definition 3.4.1]
2.15
risk identification
process of finding, recognizing and describing risks (2.1)
Note 1 to entry: Risk identification involves the identification of risk sources (2.16), events (2.17), their causes and
their potential consequences (2.18).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholder's (2.13) needs.
[SOURCE: ISO Guide 73:2009, definition 3.5.1]
2.16 3.4
risk source
element which alone or in combination has the intrinsic potential to give rise to
...
INTERNATIONAL ISO
STANDARD 31000
Second edition
2018-02
Risk management — Guidelines
Management du risque — Lignes directrices
Reference number
ISO 31000:2018(E)
©
ISO 2018
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 2
5 Framework . 4
5.1 General . 4
5.2 Leadership and commitment . 5
5.3 Integration . 5
5.4 Design . 6
5.4.1 Understanding the organization and its context . 6
5.4.2 Articulating risk management commitment . 6
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities 7
5.4.4 Allocating resources. 7
5.4.5 Establishing communication and consultation . 7
5.5 Implementation . 7
5.6 Evaluation . 8
5.7 Improvement . 8
5.7.1 Adapting . 8
5.7.2 Continually improving . 8
6 Process . 8
6.1 General . 8
6.2 Communication and consultation . 9
6.3 Scope, context and criteria . .10
6.3.1 General.10
6.3.2 Defining the scope .10
6.3.3 External and internal context .10
6.3.4 Defining risk criteria.10
6.4 Risk assessment .11
6.4.1 General.11
6.4.2 Risk identification .11
6.4.3 Risk analysis .12
6.4.4 Risk evaluation .12
6.5 Risk treatment .13
6.5.1 General.13
6.5.2 Selection of risk treatment options .13
6.5.3 Preparing and implementing risk treatment plans .14
6.6 Monitoring and review .14
6.7 Recording and reporting .14
Bibliography .16
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 262, Risk management.
This second edition cancels and replaces the first edition (ISO 31000:2009) which has been technically
revised.
The main changes compared to the previous edition are as follows:
— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting
with the governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences,
knowledge and analysis can lead to a revision of process elements, actions and controls at each
stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple
needs and contexts.
Introduction
This document is for use by people who create and protect value in organizations by managing risks,
making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face external and internal factors and influences that make it
uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making
informed decisions.
Managing risk is part of governance and leadership, and is fundamental to how the organization is
managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organization and includes interaction with
stakeholders.
Managing risk considers the external and internal context of the organization, including human
behaviour and cultural factors.
Managing risk is based on the principles, framework and process outlined in this document, as
illustrated in Figure 1. These components might already exist in full or in part within the organization;
however, they might need to be adapted or improved so that managing risk is efficient, effective and
consistent.
Figure 1 — Principles, framework and process
INTERNATIONAL STANDARD ISO 31000:2018(E)
Risk management — Guidelines
1 Scope
This document provides guidelines on managing risk faced by organizations. The application of these
guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector
specific.
This document can be used throughout the life of the organization and can be applied to any activity,
including decision-making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences
(3.6) and their likelihood (3.7).
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision
or activity
Note 1 to entry: The term “interested party” can be used as an alternative to “stakeholder”.
3.4
risk source
element which alone or in combination has the potential to give rise to risk (3.1)
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several
consequences (3.6).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not
expected which does happen.
Note 3 to entry: An event can be a risk source.
3.6
consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect
effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
3.7
likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word “likelihood” is used to refer to the chance of
something happening, whether defined, measured or determined objectively or subjectively, qualitatively or
quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a
given time period).
Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it
should have the same broad interpretation as the term “probability” has in many languages other than English.
3.8
control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
4 Principles
The purpose of risk management is the creation and protection of value. It improves performance,
encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient
risk management, communicating its value and explaining its intention and purpose. The principles are
the foundation for managing risk and should be considered when establishing the organization’s risk
management framework and processes. These principles should enable an organization to manage the
effects of uncertainty on its objectives.
Figure 2 — Principles
Effective risk management requires the elements of Figure 2 and can be further explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and
comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the
organization’s external and internal context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization’s external and internal context changes.
Risk management anticipates, detects, acknowledges and responds to those changes and events in
an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future
expectations. Risk management explicitly takes into account any limitations and uncertainties
associated with such information and expectations. Information should be timely, clear and
available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level
and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk
management into significant activities and functions. The effectiveness of risk management will depend
on its integration into the governance of the organization, including decision-making. This requires
support from stakeholders, particularly top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving
risk management across the organization. Figure 3 illustrates the components of a framework.
Figure 3 — Framework
The organization should evaluate its existing risk management practices and processes, evaluate any
gaps and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to
the needs of the organization.
5.2 Leadership and commitment
Top management and oversight bodies, where applicable, should ensure that risk management is
integrated into all organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of risk
criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk while oversight bodies are accountable for overseeing
risk management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization’s objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization’s objectives;
— ensure that information about such risks and their management is properly communicated.
5.3 Integration
Integrating risk management relies on an understanding of organizational structures and context.
Structures differ depending on the organization’s purpose, goals and complexity. Risk is managed in every
part of the organization’s structure. Everyone in an organization has responsibility for managing risk.
Governance guides the course of the organization, its external and internal relationships, and the rules,
processes and practices needed to achieve its purpose. Management structures translate governance
direction into the strategy and associated objectives required to achieve desired levels of sustainable
performance and long-term viability. Determining risk management accountability and oversight roles
within an organization is an integral part of the organization’s governance.
Integrating risk management into an organization is a dynamic and iterative process, and should
be customized to the organization’s needs and culture. Risk management should be a part of, and
not separate from, the organizational purpose, governance, leadership and commitment, strategy,
objectives and operations.
5.4 Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its
external and internal context.
Examining the organization’s external context may include, but is not limited to:
— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental
factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual
property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.
5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their
continual commitment to risk management through a policy, a statement or other forms that clearly
convey an organization’s objectives and commitment to risk management. The commitment should
include, but is not limited to:
— the organization’s purpose for managing risk and links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization’s performance indicators;
— review and improvement.
The risk management commitment should be communicated within an organization and to stakeholders,
as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities,
responsibilities and accountabilities for relevant roles with respect to risk management are assigned
and communicated at all levels of the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage risk (risk owners).
5.4.4 Allocating resources
Top management and oversight bodies, where applicable, should ensure allocation of appropriate
resources for risk management, which can include, but are not limited to:
— people, skills, experience and competence;
— the organization’s processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.
5.4.5 Establishing communication and consultation
The organization should establish an approved approach to communication and consultation in order
to support the framework and facilitate the effective application of risk management. Communication
involves sharing information with targeted audiences. Consultation also involves participants providing
feedback with the expectation that it will contribute to and shape decisions or other activities.
Communication and consultation methods and content should reflect the expectations of stakeholders,
where relevant.
Communication and consultation should be timely and ensure that relevant information is collected,
collated, synthesised and shared, as appropriate, and that feedback is provided and improvements
are made.
5.5 Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and
by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and
practised.
Successful implementation of the framework requires the engagement and awareness of stakeholders.
This enables organizations to explicitly address uncertainty in decision-making, while also ensuring
that any new or subsequent uncertainty can be taken into account as it arises.
Properly designed and implemented, the risk management framework will ensure that the risk
management process is a part of all activities throughout the organization, including decision-making,
and that changes in external and internal contexts will be adequately captured.
5.6 Evaluation
In order to evaluate the effectiveness of the risk management framework, the organization should:
— periodically measure risk management framework performance against its purpose, implementation
plans, indicators and expected behaviour;
— determine whether it remains suitable to support achieving the objectives of the organization.
5.7 Improvement
5.7.1 Adapting
The organization should continually monitor and adapt the risk management framework to address
external and internal changes. In doing so, the organization can improve its value.
5.7.2 Continually improving
The organization should continually improve the suitability, adequacy and effectiveness of the risk
management framework and the way the risk management process is integrated.
As relevant gaps or improvement opportunities are identified, the organization should develop
plans and tasks and assign them to those accountable for implementation. Once implemented, these
improvements should contribute to the enhancement of risk man
...
INTERNATIONAL STANDARD ISO 31000
Redline version
comparing the Second edition
to the First edition
Risk management — Guidelines
(Management du risque — Lignes directrices)
Reference number
ISO 31000:redline:2018(F)
© ISO 2018
ISO 31000:redline:2018(F)
IMPORTANT — PLEASE NOTE
This is a mark-up copy and uses the following colour coding:
Text example 1 — indicates added text (in green)
Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x — Heading numbers containing modifications are highlighted in yellow in
the Table of Contents
DISCLAIMER
This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,
including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
Contents
Foreword
Introduction
1 Scope
[added: 2 Normative references]
[removed: 2] [added: 3] Terms and definitions
[removed: 3] [added: 4] Principles
[removed: 4] [added: 5] Framework
[removed: 4.1] [added: 5.1] General
[removed: 4.2 Mandate] [added: 5.2 Leadership] and commitment
[added: 5.3 Integration]
[removed: 4.3 Design of framework for managing risk] [added: 5.4 Design]
[removed: 4.3.1] [added: 5.4.1] Understanding the organization and its context
[removed: 4.3.2 Establishing risk management policy]
[removed: 4.3.3 Accountability] [added: 5.4.2 Articulating risk management commitment]
[removed: 4.3.4 Integration into organizational processes] [added: 5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities]
[removed: 4.3.5 Resources] [added: 5.4.4 Allocating resources]
[removed: 4.3.6 Establishing internal communication and reporting mechanisms]
[removed: 4.3.7 Establishing external communication and reporting mechanisms] [added: 5.4.5 Establishing communication and consultation]
[added: 5.5 Implementation]
[removed: 4.4 Implementing risk management] [added: 5.6 Evaluation]
[removed: 4.4.1 Implementing the framework for managing risk]
[removed: 4.4.2 Implementing the risk management process]
[removed: 4.5 Monitoring and review of the framework] [added: 5.7 Improvement]
[added: 5.7.1 Adapting]
[added: 5.7.2 Continually improving]
[removed: 4.6 Continual improvement of the framework]
[removed: 5] [added: 6] Process
[removed: 5.1] [added: 6.1] General
[removed: 5.2] [added: 6.2] Communication and consultation
[removed: 5.3 Establishing the context] [added: 6.3 Scope, context and criteria]
[removed: 5.3.1] [added: 6.3.1] General
[removed: 5.3.2 Establishing the external context] [added: 6.3.2 Defining the scope]
[removed: 5.3.3 Establishing the internal context]
[removed: 5.3.4 Establishing the context of the risk management process] [added: 6.3.3 External and internal context]
[removed: 5.3.5] [added: 6.3.4] Defining risk criteria
[removed: 5.4] [added: 6.4] Risk assessment
[removed: 5.4.1] [added: 6.4.1] General
[removed: 5.4.2] [added: 6.4.2] Risk identification
[removed: 5.4.3] [added: 6.4.3] Risk analysis
[removed: 5.4.4] [added: 6.4.4] Risk evaluation
[removed: 5.5] [added: 6.5] Risk treatment
[removed: 5.5.1] [added: 6.5.1] General
[removed: 5.5.2] [added: 6.5.2] Selection of risk treatment options
[removed: 5.5.3] [added: 6.5.3] Preparing and implementing risk treatment plans
[removed: 5.6] [added: 6.6] Monitoring and review
[removed: 5.7 Recording the risk management process] [added: 6.7 Recording and reporting]
[removed: Annex A (informative) Attributes of enhanced risk management]
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission ([removed: CEI] [added: IEC]) on all matters of
electrotechnical standardization.
[removed: International Standards are drafted] [added: The procedures used to develop this document and those intended
for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval
criteria needed for the different types of ISO documents should be noted. This document was drafted] in
accordance with the editorial rules of the ISO/[removed: CEI] [added: IEC] Directives, Part 2 (see www.iso.org/directives).
[removed: The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the member bodies casting a vote.]
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. [added: Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/brevets).]
[added: Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.]
[added: For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/avant-propos.]
[removed: ISO 31000] [added: This document] was prepared by [removed: the ISO Technical Management Board working
group on risk management] [added: Technical Committee ISO/TC 262, Risk management].
[added: This second edition cancels and replaces the first edition (ISO 31000:2009), which has been technically
revised.
The main changes compared to the previous edition are as follows:
— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting
with the governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences,
knowledge and analysis can lead to a revision of process elements, actions and controls at each
stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple
needs and contexts.]
Introduction
Le présent document s’adresse aux personnes qui, au sein des organismes, créent de la valeur et la
préservent par le management du risque, la prise de décisions, la définition et l’atteinte d’objectifs et
l’amélioration de la performance.
Les organismes de tous types et de toutes dimensionstailles sont confrontés à des facteurs et des
influences internes et externes ignorent si et quand ils vont atteindre leurs objectifs. L'incidence de
cette incertitude sur l'atteinte des objectifs d'un organisme constitue le «risque»qui rendent l’atteinte
de leurs objectifs incertaine.
Toutes les activités d'un organisme comprennent des risques. Les organismes gèrent le risque en
l'identifiant, en l'analysant, et en évaluant ensuite la nécessité de le modifier par un traitement afin
de satisfaire aux critères de risque. Tout au long de ce processus, ils communiquent et se concertent
avec les parties prenantes, et surveillent et revoient le risque et les moyens de maîtrise qui modifient le
risque afin de s'assurer qu'il n'est pas nécessaire de recourir à un traitement supplémentaire du risque.
La présente Norme internationale décrit ce processus systématique et logique en détail.
Alors que tous les organismes gèrent des risques à différents niveaux, la présente Norme internationale
fixe un certain nombre de principes qui doivent être appliqués pour rendre leLe management du
risque efficace. La présente Norme internationale recommande que les organismes élaborent,
mettent en œuvre et améliorent continuellement un cadre organisationnel dont le but est d'intégrer le
processus de management du risque aux processus de gouvernance, de stratégie et de planification, de
management, de rédaction des rapports, ainsi qu'aux politiques, aux valeurs et à la culture d'ensemble
de l'organismeest une activité itérative qui aide les organismes à développer une stratégie, atteindre
des objectifs et prendre des décisions éclairées.
Le management du risque peut s'appliquer à l'ensemble de l'organisme, dans tous ses domaines et à tous
ses niveaux, à tout moment, ainsi qu'à des fonctions, des projets et des activités particulières.
Même si la pratique duLe management du risque s'est développée au fil du temps et dans de
nombreux secteurs pour répondre à différents besoins, l'adoption de processus cohérents dans un
cadre organisationnel complet peut contribuer à garantir que le risque est géré de façon efficace,
performante et cohérente au sein d'un organisme. L'approche générique décrite dans la présente
Norme internationale fournit des principes et des lignes directrices pour gérer toute forme de risque de
manière systématique, transparente et fiable, dans quelque domaine et quelque contexte que ce soitfait
partie intégrante de la gouvernance et du leadership et a une importance fondamentale dans la façon
dont l’organisme est géré à tous les niveaux. Il contribue à l’amélioration des systèmes de management.
[-Each specific sector or application of risk management brings with it its own needs, audiences, perceptions and criteria. This is why one of the key features of this International Standard is the inclusion of "establishing the context" as the starting activity of the generic risk management process. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria, all of which help reveal and assess the nature and complexity of its risks.-] {+Risk management is part of all activities associated with an organization and includes interaction with stakeholders.+}
{+Risk management considers the external and internal context of the organization, including human behaviour and cultural factors.+}
[-Figure 1 illustrates the relationships between the risk management principles, the framework in which it occurs and the risk management process described in this International Standard.-] {+Risk management is based on the principles, framework and process outlined in this document, as illustrated in Figure 1. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.+}
© ISO 2018 – All rights reserved
ISO 31000:redline:2018(F)
[-Implementing and maintaining risk management in accordance with this International Standard enables an organization, for example, to:
— increase the likelihood of achieving objectives,
— encourage proactive management,
— be aware of the need to identify and treat risk throughout the organization,
— improve the identification of opportunities and threats,
— comply with legal and regulatory requirements and international norms,
— improve mandatory and voluntary reporting,
— improve governance,
— increase stakeholder assurance and trust,
— establish a reliable basis for decision-making and planning,
— improve controls,
— effectively allocate and use resources for risk treatment,
— improve operational effectiveness and efficiency,
— enhance health and safety performance, as well as environmental protection,
— improve loss prevention and incident management,
— minimize losses,
— improve organizational learning, and
— improve organizational resilience.-]
[-This International Standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization,
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, activity or project,
c) those who need to evaluate an organization's effectiveness in managing risk, and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.-]
[-The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of this International Standard.-]
[-In this International Standard, the expressions "risk management" and "managing risk" are both used. In general terms, "risk management" refers to the architecture (principles, framework and process) for managing risk effectively, while "managing risk" refers to applying that architecture to particular risks.-]
Figure 1 — [-Relationships between the risk management principles, framework and process-] {+Principles, framework and process+}
INTERNATIONAL STANDARD ISO 31000:redline:2018(F)
Risk management — Guidelines
1 Scope
[-This International Standard provides principles and generic guidelines on risk management.-] {+This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.+}
[-This International Standard can be applied by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.-] {+This document provides a common approach to managing any type of risk and is not industry or sector specific.+}
[-NOTE For convenience, all the different users of this International Standard are referred to by the general term "organization".-]
[-This International Standard can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.-] {+This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.+}
[-This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.-]
[-Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services or assets, and the specific practices employed.-]
[-It is intended that this International Standard be used to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.-]
[-This International Standard is not intended for the purpose of certification.-]
{+2 Normative references
There are no normative references in this document.+}
[-2-]{+3+} Terms and definitions
For the purposes of this document, the following terms and definitions apply.
{+ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/+}
[-2.1-]{+3.1+}
risk
effect of uncertainty on [-the achievement of-] objectives
Note 1 to entry: [-An effect is a deviation, positive and/or negative, from the expected.-] {+An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.+}
Note 2 to entry: Objectives can have different aspects [-(such as financial, health and safety, and environmental goals)-]{+, be of different categories,+} and can apply at different levels [-(such as strategic, project, product, process or organization-wide)-].
[-Note 3 to entry: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.-]
Note 3 to entry: Risk is [-often-]{+usually+} expressed in terms of [-a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19)-]{+risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7)+}.
[-Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood.-]
[-[SOURCE: ISO Guide 73:2009, definition 1.1]-]
[-2.2-]{+3.2+}
risk management
coordinated activities to direct and control an organization with regard to risk ([-2.1-]{+3.1+})
[-[SOURCE: ISO Guide 73:2009, definition 2.1]-]
[-2.3
risk management framework
set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization
Note 1 to entry: The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
Note 2 to entry: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
Note 3 to entry: The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
[SOURCE: ISO Guide 73:2009, definition 2.1.1]
2.4
risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[SOURCE: ISO Guide 73:2009, definition 2.1.2]
2.5
risk attitude
organization's approach to assessing a risk (2.1) before, where applicable, seizing or preserving an opportunity, or taking or rejecting a risk
[SOURCE: ISO Guide 73:2009, definition 3.7.1.1]-]
[-2.6
risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management components and the resources to be applied to the management of risk (2.1)
Note 1 to entry: Management components include, for example, procedures, practices, assignment of responsibilities, and the sequence and timing of activities.
Note 2 to entry: The risk management plan can be applied to a particular product, process or project, to part of the organization or to the whole organization.
[SOURCE: ISO Guide 73:2009, definition 2.1.3]
2.7
risk owner
person or entity with the accountability and authority to manage a risk (2.1)
[SOURCE: ISO Guide 73:2009, definition 3.5.1.5]
2.8
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring (2.28) and reviewing risk (2.1)
[SOURCE: ISO Guide 73:2009, definition 3.1]
2.9
establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (2.22) for the risk management policy (2.4)
[SOURCE: ISO Guide 73:2009, definition 3.3.1]
2.10
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: The external context can include-]
— l'environnement culturel, social, politique, légal, régle
...
INTERNATIONAL STANDARD ISO 31000
Second edition
2018-02
Risk management — Guidelines
Reference number
ISO 31000:2018(F)
© ISO 2018
ISO 31000:2018(F)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
E-mail: copyright@iso.org
Web: www.iso.org
Published in Switzerland
Contents Page
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Principles 2
5 Framework 4
5.1 General 4
5.2 Leadership and commitment 5
5.3 Integration 5
5.4 Design 6
5.4.1 Understanding the organization and its context 6
5.4.2 Articulating risk management commitment 6
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities 7
5.4.4 Allocating resources 7
5.4.5 Establishing communication and consultation 7
5.5 Implementation 8
5.6 Evaluation 8
5.7 Improvement 8
5.7.1 Adapting 8
5.7.2 Continual improvement 8
6 Process 8
6.1 General 8
6.2 Communication and consultation 9
6.3 Scope, context and criteria 10
6.3.1 General 10
6.3.2 Defining the scope 10
6.3.3 External and internal context 10
6.3.4 Defining risk criteria 11
6.4 Risk assessment 11
6.4.1 General 11
6.4.2 Risk identification 11
6.4.3 Risk analysis 12
6.4.4 Risk evaluation 13
6.5 Risk treatment 13
6.5.1 General 13
6.5.2 Selecting risk treatment options 13
6.5.3 Preparing and implementing risk treatment plans 14
6.6 Monitoring and review 14
6.7 Recording and reporting 15
Bibliography 16
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any patent rights or similar rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/brevets).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, or for information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/avant-propos.
This document was prepared by Technical Committee ISO/TC 262, Risk management.
This second edition cancels and replaces the first edition (ISO 31000:2009), which has been technically revised.
The main changes compared to the previous edition are as follows:
— review of the principles of risk management, which are the key criteria for its success;
— highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization;
— greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process;
— streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts.
Introduction
This document is for use by people who, within organizations, create and protect value by managing risk, making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Risk management is an iterative activity that assists organizations in setting strategy, achieving objectives and making informed decisions.
Risk management is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
Risk management is part of all activities associated with an organization and includes interaction with stakeholders.
Risk management considers the external and internal context of the organization, including human behaviour and cultural factors.
Risk management is based on the principles, framework and process outlined in this document, as illustrated in Figure 1. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
Figure 1 — Principles, framework and process
INTERNATIONAL STANDARD ISO 31000:2018(F)
Risk management — Guidelines
1 Scope
This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects, be of different categories, and can apply at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
3.3
stakeholder
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
Note 1 to entry: The term "interested party" can be used as an alternative to "stakeholder".
3.4
risk source
element which, alone or in combination with others, has the potential to give rise to risk (3.1)
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences (3.6).
Note 2 to entry: An event can be something that is expected which does not happen, or something that is not expected which does happen.
Note 3 to entry: An event can be a risk source.
3.6
consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on the achievement of objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
3.7
likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word "likelihood" is used to refer to the chance of something happening, whether that chance is defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
3.8
control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
4 Principles
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization's risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.
Figure 2 — Principles
Effective risk management requires the elements of Figure 2 and can be further explained as follows:
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the organization's external and internal context as well as to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in better-informed and more relevant risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support and involvement from stakeholders, particularly top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization. Figure 3 illustrates the components of a framework.
Figure 3 — Framework
The organization should evaluate its existing risk management practices and processes, identify any gaps and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to the needs of the organization.
5.2 Leadership and commitment
Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority and responsibility at appropriate levels within the organization.
This will help the organization to:
— align risk management with its strategy, objectives and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken, to guide the development of risk criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization's objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization's objectives;
— ensure that information about such risks and their management is properly communicated.
5.3 Integration
Integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization's purpose, goals and complexity. Risk is managed in every part of the organization's structure. Everyone in an organization has responsibility for managing risk.
Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve the desired levels of sustainable performance and long-term viability. Determining risk management accountability and oversight roles within an organization is an integral part of the organization's governance.
Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization's needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
5.4 Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its external and internal context.
Examining the organization's external context may include, but is not limited to:
— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders' relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization's internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.
5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey the organization's objectives and commitment to risk management. The commitment should include, but is not limited to:
— the organization's purpose for managing risk and links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization's performance indicators;
— review and improvement.
The risk management commitment should be communicated within the organization and to stakeholders, as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for the relevant roles in risk management are assigned and communicated at all levels of the organization, and should:
— emphasize that risk management is a core responsibility;
— identify the individuals who have the accountability and authority to manage risk (risk owners).
5.4.4 Allocating resources
Top management and oversight bodies, where applicable, should ensure the allocation of the resources needed for risk management, which may include, but are not limited to:
— people, skills, experience and competence;
— the organization's processes, methods and tools used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should take into account the capabilities and the
...
INTERNATIONAL STANDARD ISO 31000
Second edition
2018-02
Official translation (Traducción oficial / Official translation / Traduction officielle)
Gestión del riesgo — Directrices
Risk management — Guidelines
Management du risque — Lignes directrices
Published by the ISO Central Secretariat in Geneva, Switzerland, as the official Spanish translation endorsed by the Translation Management Group, which has certified its conformity with the English and French versions.
Reference number
ISO 31000:2018
(official translation)
© ISO 2018
ISO 31000:2018 (official translation)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018. Published in Switzerland
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from ISO at the address below or from the ISO member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Spanish version published in 2018
Official translation
ii © ISO 2018 — All rights reserved
Contents Page
Foreword . iv
Foreword to the Spanish version . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 3
5 Framework . 4
5.1 General . 4
5.2 Leadership and commitment . 5
5.3 Integration . 6
5.4 Design . 6
5.4.1 Understanding the organization and its context . 6
5.4.2 Articulating risk management commitment . 7
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities . 8
5.4.4 Allocating resources . 8
5.4.5 Establishing communication and consultation . 8
5.5 Implementation . 9
5.6 Evaluation . 9
5.7 Improvement . 9
5.7.1 Adapting . 9
5.7.2 Continually improving . 9
6 Process . 10
6.1 General . 10
6.2 Communication and consultation . 11
6.3 Scope, context and criteria . 11
6.3.1 General . 11
6.3.2 Defining the scope . 11
6.3.3 External and internal context . 12
6.3.4 Defining risk criteria . 12
6.4 Risk assessment . 13
6.4.1 General . 13
6.4.2 Risk identification . 13
6.4.3 Risk analysis . 13
6.4.4 Risk evaluation . 14
6.5 Risk treatment . 15
6.5.1 General . 15
6.5.2 Selection of risk treatment options . 15
6.5.3 Preparing and implementing risk treatment plans . 16
6.6 Monitoring and review . 16
6.7 Recording and reporting . 17
Bibliography . 18
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document are given in the Introduction and/or on the ISO list of patent declarations received. www.iso.org/patents.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 262, Risk management.
This second edition cancels and replaces the first edition (ISO 31000:2009), which has been technically revised.
The main changes compared to the previous edition are as follows:
— the principles of risk management, which are the key criteria for its success, have been reviewed;
— the leadership of top management and the integration of risk management, starting with the governance of the organization, are highlighted;
— greater emphasis is placed on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process;
— the content has been streamlined, with a greater focus on sustaining an open systems model to fit multiple needs and contexts.
Foreword to the Spanish version
This document has been translated by the Spanish Translation Task Force (STTF) working group of Technical Committee ISO/TC 262, Risk management, in which representatives of the national standards bodies and representatives of the business sector of the following countries participate: Argentina, Chile, Colombia, Costa Rica, Ecuador, El Salvador, Spain, Mexico, Panama, Peru and Uruguay.
Representatives of COPANT (Pan American Standards Commission) and INLAC (Latin American Quality Institute) also participate in this working group.
This translation is part of the result of the work that the ISO/TC 262/STTF group has been carrying out since its creation in 2017 to unify Spanish-language terminology in the field of risk management.
Introduction
This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organization and includes interaction with stakeholders.
Managing risk considers the external and internal context of the organization, including human behaviour and cultural factors.
Managing risk is based on the principles, framework and process described in this document, as illustrated in Figure 1. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
Figure 1 — Principles, framework and process
INTERNATIONAL STANDARD
Risk management — Guidelines
1 Scope
This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Note 1 to the Spanish version: The English terms "interested party" and "stakeholder" have a single Spanish translation, "parte interesada".
3.4
risk source
element which alone or in combination with others has the potential to give rise to risk (3.1)
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences (3.6).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not expected which does happen.
Note 3 to entry: An event can be a risk source.
3.6
consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
3.7
likelihood (probabilidad)
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a mathematical probability or a frequency over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the same broad interpretation that the word "probability" has in many languages other than English.
3.8
control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
4 Principles
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
The principles described in Figure 2 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization's risk management framework and processes. These principles should enable the organization to manage the effects of uncertainty on its objectives.
Figure 2 — Principles
Effective risk management requires the elements of Figure 2 and can be explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as the organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at every level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk management into all its significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the whole organization. Figure 3 illustrates the components of the framework.
Figure 3 — Framework
The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address those gaps within the framework.
The components of the framework and the way in which they work together should be customized to the needs of the organization.
5.2 Leadership and commitment
Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk, while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization's objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization's objectives;
— ensure that information about such risks and their management is properly communicated.
5.3 Integration
Integrating risk management relies on an understanding of the organization's structures and context. Structures differ depending on the organization's purpose, goals and complexity. Risk is managed in every part of the organization's structure. Everyone in an organization has responsibility for managing risk.
Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve the desired levels of sustainable performance and long-term viability. Determining the roles for accountability and oversight of risk management within the organization is an integral part of the organization's governance.
Integrating risk management into the organization is a dynamic and iterative process, and should be customized to the organization's needs and culture. Risk management should be a part of, and not separate from, the organization's purpose, governance, leadership and commitment, strategy, objectives and operations.
5.4 Design
5.4.1 Understanding the organization and its context
The organization should examine and understand its external and internal context when designing the framework for managing risk.
Examining the organization's external context may include, but is not limited to:
— social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders' relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization's internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (for example capital, time, people, intellectual property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.
5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should articulate and demonstrate their continual commitment to risk management through a policy, a statement or other forms that clearly convey the organization's objectives and commitment to risk management. The commitment should include, but is not limited to:
— the organization's purpose for managing risk and the links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization's performance indicators;
— review and improvement.
The risk management commitment should be communicated within the organization and to stakeholders, as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and
...
SLOVENIAN STANDARD SIST ISO 31000
May 2018
Obvladovanje tveganja – Smernice
Risk management – Guidelines
Management du risque – Lignes directrices
Reference designation
ICS 03.100.01 SIST ISO 31000:2018 (en,sl)
Continued on pages 2 to 32
© 2018-12. Slovenian Institute for Standardization. Reproduction or copying of this standard, in whole or in part, is not permitted.
SIST ISO 31000 : 2018
NATIONAL INTRODUCTION
The standard SIST ISO 31000 (sl, en), Risk management – Guidelines, 2018, has the status of a Slovenian standard and is equivalent to the international standard ISO 31000, Risk management – Guidelines, 2018.
This standard supersedes SIST ISO 31000:2011.
NATIONAL FOREWORD
The international standard ISO 31000:2018 was prepared by Technical Committee ISO/TC 262 Risk management.
The Slovenian standard SIST ISO 31000:2018 is a translation of the English text of the international standard ISO 31000:2018. In case of a dispute concerning the text of the Slovenian translation in this standard, the original international standard in English is decisive. The Slovenian-English edition of the standard was prepared by SIST/TC VZK Quality Management and Assurance.
The decision to publish this standard was taken on 26 March 2018 by SIST/TC VZK Quality Management and Assurance.
NORMATIVE REFERENCES
This document contains no normative references.
BASIS FOR PUBLICATION OF THE STANDARD
– adoption of the standard ISO 31000:2018
PREVIOUS EDITION
‒ SIST ISO 31000:2011, Risk management – Principles and guidelines
NOTES
– Wherever the term "International Standard" is used in the text of the standard, in SIST ISO 31000:2018 it means "Slovenian standard".
– The national introduction and the national foreword are not part of the standard.
CONTENTS Page
Foreword . 5
Introduction . 7
1 Scope . 9
2 Normative references . 9
3 Terms and definitions . 9
4 Principles . 14
5 Framework . 14
5.1 General . 14
5.2 Leadership and commitment . 16
5.3 Integration . 17
5.4 Design . 17
5.4.1 Understanding the organization and its context . 17
5.4.2 Articulating risk management commitment . 18
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities . 19
5.4.4 Allocating resources . 19
5.4.5 Establishing communication and consultation . 20
5.5 Implementation . 20
5.6 Evaluation . 21
5.7 Improvement . 21
5.7.1 Adapting . 21
5.7.2 Continually improving . 21
6 Process . 21
6.1 General . 21
6.2 Communication and consultation . 23
6.3 Scope, context and criteria . 24
6.3.1 General . 24
6.3.2 Defining the scope . 24
6.3.3 External and internal context . 24
6.3.4 Defining risk criteria . 25
6.4 Risk assessment . 26
6.4.1 General . 26
6.4.2 Risk identification . 26
6.4.3 Risk analysis . 27
6.4.4 Risk evaluation . 28
6.5 Risk treatment . 28
6.5.1 General . 28
6.5.2 Selection of risk treatment options . 28
6.5.3 Preparing and implementing risk treatment plans . 30
6.6 Monitoring and review . 30
6.7 Recording and reporting . 31
Bibliography . 32
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 262, Risk management.
This second edition cancels and replaces the first edition (ISO 31000:2009), which has been technically revised.
The main changes compared to the previous edition are as follows:
– review of the principles of risk management, which are the key criteria for its success;
– highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization;
– greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process;
– streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts.
Introduction
This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.
Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
Managing risk is part of all activities associated with an organization and includes interaction with stakeholders.
Managing risk considers the external and internal context of the organization, including human behaviour and cultural factors.
Managing risk is based on the principles, framework and process outlined in this document, as illustrated in Figure 1. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
Figure 1 – Principles, framework and process
Risk management – Guidelines
1 Scope
This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
‒ ISO Online browsing platform: available at http://www.iso.org/obp
‒ IEC Electropedia: available at http://www.electropedia.org
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Note 1 to entry: The term "interested party" can be used as an alternative to "stakeholder".
3.4
risk source
element which alone or in combination has the potential to give rise to risk (3.1)
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences (3.6).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not expected which does happen.
Note 3 to entry: An event can be a risk source.
3.6
consequence
outcome of an event (3.5) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative direct or indirect effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Any consequence can escalate through cascading and cumulative effects.
3.7
likelihood
chance of something happening
Note 1 to entry: In risk management (3.2) terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
3.8
control
measure that maintains and/or modifies risk (3.1)
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
4 Principles
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 2 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization's risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.
Figure 2 – Principles
Effective risk management requires the elements of Figure 2 and can be further explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
5 Framework
5.1 General
The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management.
Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization. Figure 3 illustrates the components of a framework.
Figure 3 – Framework
The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address th
...
SLOVENIAN STANDARD
oSIST ISO/DIS 31000:2017
1 April 2017
Risk management - Guidelines
Management du risque -- Lignes directrices
This Slovenian standard is identical to: ISO/DIS 31000
ICS:
03.100.01 Company organization and management in general
oSIST ISO/DIS 31000:2017 en,fr
DRAFT INTERNATIONAL STANDARD
ISO/DIS 31000
ISO/TC 262 Secretariat: BSI
Voting begins on: 2017-02-17
Voting terminates on: 2017-05-11
Risk management — Guidelines
Management du risque — Lignes directrices
ICS: 03.100.01
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
Reference number: ISO/DIS 31000:2017(E)
© ISO 2017
COPYRIGHT PROTECTED DOCUMENT
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents Page
Foreword . 3
Introduction . 3
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Principles . 7
5 Framework . 9
5.1. General . 9
5.2. Leadership and commitment . 10
5.2.1. General . 10
5.2.2. Integrating risk management . 10
5.3. Design . 11
5.3.1. Understanding the organization and its context . 11
5.3.2. Articulate risk management commitment(s) . 11
5.3.3. Assigning organizational roles, accountabilities, responsibilities and authorities . 12
5.3.4. Allocating resources . 12
5.3.5. Establishing communication and consultation . 12
5.4. Implementation . 13
5.5. Evaluation . 13
5.6. Improvement . 13
5.6.1. Adapting . 13
5.6.2. Continually improving . 13
6 Process . 14
6.1. General . 14
6.2. Communication and consultation . 14
6.3. Establishing the context . 15
6.3.1. General . 15
6.3.2. Defining the purpose and scope of the process . 15
6.3.3. Internal and external context . 15
6.3.4. Defining risk criteria . 16
6.4. Risk assessment . 16
6.4.1. General . 16
6.4.2. Risk identification . 16
6.4.3. Risk analysis . 17
6.4.4. Risk evaluation . 18
6.5. Risk treatment . 18
6.5.1. General . 18
6.5.2. Selection of risk treatment options . 19
6.5.3. Preparing and implementing risk treatment plans . 19
6.6. Monitoring and review . 20
6.7. Recording and reporting . 20
Bibliography . 21
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 262.
This second edition cancels and replaces the first edition, which has been technically revised.
Introduction
Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives.
Managing risk is dynamic and assists organizations in making informed decisions about setting strategy and achieving objectives.
Managing risk is part of governance and leadership and how the organization is managed.
Managing risk includes interaction with stakeholders as an integral part of all activities of the organization.
Managing risk considers the internal and external context of the organization including human behaviour and cultural factors.
Managing risk is based on the principles, framework and process outlined in this document. These components might already exist in full or in part within the organization, however they might need to be adapted or improved so that managing risk is consistent, efficient and effective. See Figure 1.
This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.
Figure 1 — Relationship between the principles, framework and process
Risk Management — Guidelines
1 Scope
This document provides adaptable guidelines on managing risk faced by organizations.
It can be used by any organization, provides a common approach to managing any type of risk and is not specific to any industry or sector.
This document can be used throughout the life of the organization and applied to any activity, including decision making at all levels.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO Guide 73 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
ISO Online browsing platform: available at http://www.iso.org/obp
IEC Electropedia: available at http://www.electropedia.org
3.1
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), negative (sometimes expressed as threats) or both.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is often characterized by reference to potential events, their consequences and their likelihood.
[SOURCE: ISO Guide 73:2009, 1.1, modified — The original Notes 1, 2 and 3 to entry have been modified; the original Notes 4 and 5 to entry have been deleted.]
3.2
risk management
coordinated activities to direct and control an organization with regard to risk (3.1)
[SOURCE: ISO Guide 73:2009, 3.1]
3.3
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Note 1 to entry: A decision maker can be a stakeholder.
[SOURCE: ISO Guide 73:2009, 3.2.1.1]
3.4
risk source
element which alone or in combination has the intrinsic potential to give rise to risk (3.1)
[SOURCE: ISO Guide 73:2009, 3.5.1.2, modified — The original Note to entry has been deleted.]
3.5
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can also be something that is expected, not happening.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — The original Note 2 to entry has been modified; the original Notes 3 and 4 to entry have been deleted.]
3.6
consequence
outcome of an event (3.10) affecting objectives
Note 1 to entry: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
Note 2 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 3 to entry: Initial consequences can escalate through cascading and cumulative effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — The original Note 1 to entry has been deleted.]
3.6
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
Note 2 to entry: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
[SOURCE: ISO Guide 73:2009, 3.6.1.1]
3.7
control
measure that maintains or modifies risk
Note 1 to entry: Controls include any process, policy, device, practice, or other conditions and/or actions which maintain and modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1, modified — The original definition and Note 1 to entry have been modified; Note 3 to entry has been added.]
4 Principles
These principles provide guidelines on the attributes of effective and efficient risk management, communicating its value and explaining its intention and purpose. These principles should enable an organization to manage the effects of uncertainty on its objectives. See Figure 2.
a) Value creation and protection
Risk management creates and protects value. It contributes to the achievement of objectives, encourages innovation and improves performance.
b) Integrated
Risk management is an integral part of all organizational activities, including decision making. It is not a stand-alone activity that is separate from the activities and processes of the organization. Everyone in an organization has responsibility for managing risk. Risk management improves decision making at all levels.
c) Structured
A systematic and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
d) Customized
The risk management framework and processes should be customized to the organization's external and internal context and related to its objectives.
e) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management and decision making.
f) Dynamic and responsive
Risks may emerge, change or disappear as a result of changes and events in an organization's internal and external context. Risk management anticipates, detects, acknowledges and responds to those changes and events in a timely manner.
g) Best available information
The inputs to risk management are based on historical and current information as well as future expectations, taking into account any limitations and uncertainties associated with the information.
h) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
i) Continual improvement
Risk management improves organizational performance through increasing awareness and developing capabilities based on continuous learning and experience. These activities support organizational learning and resilience.
Figure 2 — Principles
5 Framework
5.1 General
The success of risk management will depend on the integration of risk management into the governance and all activities of the organization; this requires support from stakeholders, particularly top management.
The framework encompasses the organizational arrangements for designing, implementing, evaluating and improving the use of risk management. Figure 3 illustrates the relationship between the components of the framework.
Figure 3 — Framework
This framework is intended to assist the organization to integrate risk management into all its activities by offering a structure for implementing the risk management process as a basis for decision making and accountability at all levels of the organization.
The following clauses describe the components of the framework and the way in which they work together. The components should be customized to the specific needs of the organization.
If an organization's existing management practices and processes include components of risk management, or if the organization has already adopted a formal risk management process for particular types of risk or situations, then these should be critically reviewed and assessed against this document.
5.2 Leadership and commitment
5.2.1 General
Top management and oversight bodies should establish the intent of the organization to manage risk and demonstrate leadership and commitment by:
- aligning risk management with the objectives and strategies of the organization;
- ensuring that risk management and the organization's culture are aligned;
- defining and endorsing the risk management policy;
- ensuring that the necessary resources are allocated to the management of risk;
- assigning accountabilities, responsibilities and authority at appropriate levels within the organization;
- recognising and addressing contractual obligations as well as voluntary commitments;
- establishing risk criteria, risk appetite and risk tolerance, and ensuring that they are understood, articulated and communicated to stakeholders;
- ensuring that the risk management performance indicators are part of the performance indicators of the organization, including communicating these indicators;
- communicating the value of risk management to the organization and its stakeholders;
- promoting systematic monitoring of risks;
- ensuring that the framework and process for managing risk continue to remain appropriate.
Top management can demonstrate leadership by tracking continual improvement of risk management within the organization, emphasising the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.
Assessing the progress of risk management within an organization is an integral part of the organization's governance.
NOTE Top management is accountable for managing risk, while risk oversight bodies such as boards of directors are accountable for overseeing risk management.
5.2.2 Integrating risk management
Top management should ensure that risk management is integrated into all organizational activities. Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization's needs and culture.
The design of the risk management framework should facilitate the integration of the risk management process into decision-making and the overall management of the organization. The organization should evaluate any gaps in its existing approaches for managing risk, then address those gaps within the framework. The risk management process should become part of, and not separate from, organizational processes.
5.3 Design
5.3.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its external and internal context.
Examining the organization's external context may include, but is not limited to:
- the social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends affecting the objectives of the organization;
- external stakeholders' relationships, perceptions, values and expectations;
- contractual relationships and commitments; and
- the complexity of networks and dependencies.
Examining the organization's internal context may include, but is not limited to:
- vision, mission and values;
- governance, organizational structure, roles and accountabilities;
- strategies, objectives and policies;
- standards, guidelines and models adopted by the organization;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems and information flows;
- relationships with internal stakeholders, taking into account their perceptions and values;
- the organization's culture;
- contractual relationships and commitments; and
- interdependencies.
5.3.2 Articulating risk management commitment(s)
Top management should articulate their commitment to risk management, which can be through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include:
- the organization's purpose for managing risk and links to the organization's objectives and other policies;
- accountabilities and responsibilities;
- making the necessary resources available;
- the way in which conflicting objectives are dealt with;
- measurement and reporting within the organization's performance indicators; and
- review and improvement.
The risk management commitment should be communicated as appropriate within the organization and to its stakeholders.
5.3.3 Assigning organizational roles, accountabilities, responsibilities and authorities
Top management should ensure that the accountabilities, responsibilities and authorities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization by:
- emphasizing that risk management is a core responsibility; and
- identifying individuals that have the accountability and authority to manage risk (sometimes referred to as risk owners).
5.3.4 Allocating resources
Top management should ensure allocation of appropriate resources for risk management, which can include:
- people, skills, experience and competence;
- resources needed for each step of the risk management process;
- the organization's processes, methods and tools to be used for managing risk;
- documented processes and procedures;
- information and knowledge management systems; and
- professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.
5.3.5 Establishing communication and consultation
The organization should establish communication and consultation to facilitate the exchange of information and effective application of risk management. Communication requires imparting or exchanging information. Consultation is undertaken specifically to share views or knowledge.
Communication and consultation should reflect the expectations of identified internal and external stakeholders.
Communication and consultation should be timely and should ensure that relevant information is captured, consolidated and shared as appropriate, that feedback is provided and that improvements are made.
5.4 Implementation
The organization should implement the risk management framework by:
- developing an appropriate plan, including timing;
- identifying where, when and how different types of decisions are made across the organization, and by whom;
- modifying the applicable decision-making pr
...