Identify, assess and treat organisational risks – ISO 31000:2018 risk management principles, framework and process
Risk Assessment (ISO 31000 Cl. 6.4.3)
Assess the inherent (pre-control) risk level. Risk = Likelihood × Impact. Also rate velocity and proximity to capture the time dimensions of risk.
ISO 31000:2018 Risk Management Process (Clause 6)
ISO 31000 defines a systematic, logical and comprehensive risk management process that is iterative and responsive to change. Communication, consultation, monitoring and review run throughout all stages.
1. Scope, Context & Criteria (Cl. 6.3)
Define internal and external context. Establish risk criteria (significance thresholds, risk appetite, tolerance levels). Align with organisational objectives.
2. Risk Identification (Cl. 6.4.2)
Identify all risks that could affect objectives, both threats and opportunities. Use structured techniques: PESTLE, SWOT, workshops, interviews, checklists, incident data.
3. Risk Analysis (Cl. 6.4.3)
Understand the nature of risk. Assess likelihood and impact. Consider controls in place. Analyse uncertainty, velocity, time horizon, and interdependencies with other risks.
4. Risk Evaluation (Cl. 6.4.4)
Compare risk analysis results against risk criteria. Decide which risks need treatment. Prioritise by risk level. Determine if risk is within tolerance. Escalate as required.
5. Risk Treatment (Cl. 6.5)
Select and implement options to address risk: Avoid, Reduce, Share, Accept, Exploit, Enhance. Prepare risk treatment plan. Verify residual risk is within tolerance.
6. Monitoring & Review (Cl. 6.6)
Monitor effectiveness of controls and treatments. Review the risk landscape. Update risk register. Escalate emerging risks. Report to governance. Feed into management review.
Communication, Consultation, Recording & Reporting: these activities are continuous throughout the process. Stakeholder engagement is critical. Risk information must be recorded, communicated to decision-makers and reported to the governing body.
Risk Treatment Options – ISO 31000:2018 Clause 6.5
Avoid
Decide not to start or continue the activity that gives rise to the risk, or change the objective. Eliminates the risk source entirely. May mean foregoing potential value.
Use when: Risk exceeds appetite and cannot be cost-effectively reduced, or the activity is not essential.
Reduce / Modify
Apply controls to reduce the likelihood of occurrence, the consequences, or both. Most common treatment. Implement policies, procedures, technology or process improvements.
Use when: Risk can be reduced to within tolerance through feasible, cost-effective controls.
Share / Transfer
Share the risk with another party through insurance, contracts, outsourcing, joint ventures or partnerships. Note: ownership and accountability are retained.
Use when: Risk cannot be cost-effectively reduced internally. Financial risks are commonly transferred via insurance.
Accept / Retain
Consciously decide to retain the risk. Requires documented approval from appropriate authority. Must be within risk appetite. Review at regular intervals.
Use when: Risk is within tolerance, or treatment costs outweigh the benefit gained.
Exploit
For opportunities: take deliberate action to ensure the opportunity materialises. Commit resources, accelerate timelines, build capability.
Use when: Opportunity aligns with strategy and appetite, and the organisation has capability to capture it.
Enhance
For opportunities: increase the likelihood or impact of the positive outcome. Remove barriers, invest in enablers, form partnerships, develop skills.
Use when: Opportunity could yield greater value with modest additional investment.
ISO 31000:2018 – 8 Principles (Clause 4)
ISO 31000:2018 defines eight principles that form the foundation of effective risk management. These principles guide the design and implementation of the risk management framework and process.
Integrated
Risk management is embedded in all organisational activities, not a standalone add-on. It is part of governance, planning, culture and decision-making.
Structured & Comprehensive
A consistent, structured approach contributes to comparable and reliable results. The process is thorough and applicable across the whole organisation.
Customised
Risk management must be tailored to the organisation's internal and external context, objectives, structure and risk profile. One size does not fit all.
Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This improves awareness and decision quality.
Dynamic
Risks can appear, change and disappear as internal and external context changes. Risk management must anticipate, detect, acknowledge and respond to these changes.
Best Available Information
Inputs must be based on the best available information: historical data, experience, expert opinion, stakeholder views and market intelligence. Acknowledge and manage uncertainty.
Human & Cultural Factors
Human behaviour and culture significantly influence risk management. Recognise that people have biases, perceptions and motivations that affect how risk is managed and communicated.
Continual Improvement
Risk management is improved continually through learning and experience. Regular review of outcomes, controls, processes and the framework itself drives maturity over time.
Enterprise Risk Register
All organisational risks and opportunities: filter, edit, export. Auto-saved in browser.
Summary counters: Total Entries, Critical, High, Medium, Low, Open, Opportunities.
Register columns: Risk ID, Date, Type, Category, Business Unit, Description, L (Likelihood), I (Impact), Score, Risk Level, Appetite, Tolerance, Velocity, Treatment, Res.Score (residual score), Status, Owner, Target, Actions.
Risk Heat Map
Live dynamic heat map: risks plotted by Likelihood × Impact. Updates as you add risks.
5×5 Enterprise Risk Heat Map (Live)
Each cell shows the number of risks plotted at that Likelihood × Impact intersection. Click cells to see which risks fall there. Dot colours indicate risk type (Risk or Opportunity).
Low (1–4)
Within risk appetite for most organisations. Monitor via standard risk processes. Review at defined intervals. Document in risk register. Communicate to management as informational. Consider whether treatment would add value.
Medium (5–9)
Requires active management attention. Assign risk owner with accountable treatment plan. Set target review date. Escalate to relevant committee. Monitor KRIs. Evaluate whether within risk tolerance and if treatment is proportionate.
High (10–16)
Urgent attention and treatment required. Executive escalation. Robust treatment plan with named owner and milestones. Frequent monitoring. Consider whether activity should be paused pending risk reduction. Board awareness may be required.
Critical (17–25)
Intolerable risk: immediate board/executive escalation. Crisis management protocols may apply. Stop or suspend activities until controlled. Emergency treatment plan. Consider whether this represents an existential risk requiring external expertise.
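As an added worked example (not the tool's own code) of the scoring model behind this heat map: inherent score = Likelihood × Impact on the 1..5 scale, the four bands above, the 5×5 cell counts the map displays, and the Clause 6.5 check that residual risk sits within each owner's tolerance. The register entries, the tolerance values and the function names are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
# Score bands from the page's 5x5 heat map: Low 1-4, Medium 5-9, High 10-16, Critical 17-25.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"))

def score(likelihood: int, impact: int) -> int:
    # Risk = Likelihood x Impact, both on the 1..5 scale the tool uses.
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact

def band(value: int) -> str:
    # Map a 1..25 score onto the page's four risk levels (score() guarantees the range).
    return next(name for low, high, name in BANDS if low <= value <= high)

@dataclass
class Entry:
    # Register row: inherent L/I, treatment, residual L/I; tolerance = highest residual score accepted.
    risk_id: str
    likelihood: int
    impact: int
    treatment: str
    residual_likelihood: int
    residual_impact: int
    tolerance: int

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        return score(self.residual_likelihood, self.residual_impact)

    def within_tolerance(self) -> bool:
        return self.residual() <= self.tolerance

def heat_map(entries) -> dict:
    # Inherent risks per (likelihood, impact) cell; all 25 cells present, empty ones zero.
    counts = Counter((e.likelihood, e.impact) for e in entries)
    return {(lk, im): counts.get((lk, im), 0) for lk in range(1, 6) for im in range(1, 6)}

def escalation_list(entries) -> list:
    # Risk IDs whose residual score still exceeds tolerance after treatment (Cl. 6.5 verification).
    return [e.risk_id for e in entries if not e.within_tolerance()]

# Constructed sample register (illustrative values, not real organisational data).
REGISTER = [
    Entry("R-001", 4, 5, "Reduce", 2, 4, tolerance=9),   # inherent 20 Critical, residual 8: within tolerance
    Entry("R-002", 3, 3, "Share", 3, 2, tolerance=4),    # inherent 9 Medium, residual 6: breaches tolerance
    Entry("R-003", 2, 4, "Accept", 2, 4, tolerance=12),  # inherent 8 Medium, retained as-is: within tolerance
]
```

`escalation_list(REGISTER)` returns the rows a risk owner must take back to the treatment step; `heat_map(REGISTER)` gives the per-cell counts the live map renders.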
ISO 31000 Risk Management Framework
Clause 5: Leadership, integration, design, implementation, evaluation and improvement
Leadership & Commitment (Cl. 5.2)
Leadership and commitment from top management is fundamental to effective risk management. The governing body and management must integrate risk management into all activities and continuously improve the framework.
Leadership actions:
• Publish and communicate risk management policy
• Define risk appetite and tolerances
• Ensure alignment with organisational objectives
• Allocate appropriate resources (people, tools, budget)
• Establish accountabilities and responsibilities
• Champion risk-aware culture
• Embed risk into performance management
Design of the Framework (Cl. 5.3)
Design the framework based on understanding the organisation's external and internal context. The framework must reflect the organisation's unique characteristics, objectives and risk profile.
Framework design elements:
• Articulate risk management commitment (policy)
• Assign roles, authorities and responsibilities
• Allocate resources (competent people, tools, processes)
• Establish communication and reporting
• Define integration with governance structures
• Set risk criteria and thresholds
• Document the framework design
Implementation (Cl. 5.4)
Implement the risk management framework and process. Ensure the risk process is embedded into business planning, strategy, project management and operational activities.
Implementation steps:
• Develop implementation plan with timelines
• Identify stakeholders and communicate
• Provide training and awareness
• Integrate into business processes and decisions
• Run risk workshops and identification exercises
• Populate and maintain risk registers
• Implement monitoring and reporting cadence
Evaluation & Improvement (Cl. 5.5–5.6)
Regularly evaluate the performance and effectiveness of the risk management framework. Identify gaps and opportunities for improvement. Report findings to governing body.
Evaluation criteria:
• Is the framework fit for purpose?
• Are risk processes consistently applied?
• Is risk culture embedded?
• Are risks being identified, assessed and treated?
• Is reporting timely and appropriate?
• Are resources adequate?
• Is the framework adapting to context changes?
• Is continual improvement happening?
Three Lines of Defence / Assurance
ISO 31000 aligns with governance models such as the Three Lines Model. Risk management responsibilities should be clearly assigned across the organisation.
1st Line: Business units and operations – own and manage risks day-to-day
2nd Line: Risk & Compliance functions – frameworks, oversight and monitoring
3rd Line: Internal Audit – independent assurance to the governing body
Risk Appetite & Tolerance
Risk appetite and tolerance are core to ISO 31000. They define the boundaries within which risk is acceptable and guide treatment decisions.
Key definitions:
• Risk Appetite: Amount and type of risk an organisation is willing to take to achieve its objectives (strategic, voluntary)
• Risk Tolerance: Acceptable variation in outcomes relative to objectives (operational boundary)
• Risk Capacity: Maximum amount of risk the organisation can bear before threatening viability
Appetite should vary by risk type (strategic, operational, compliance, financial) and be set by the governing body.
ISO 31000 vs ISO 9001/27001/14001/45001: ISO 31000 is a guidance standard, not a certification standard. You cannot be certified to ISO 31000 alone. Rather, it provides the risk management principles and framework that underpin certification standards like ISO 9001 (Clause 6.1), ISO 27001 (Clause 6.1.2), ISO 14001 (Clause 6.1), and ISO 45001 (Clause 6.1.2). ISO 31000 is designed for use across any type of organisation in any sector. Its principles and process are referenced by many governance frameworks including COSO, King IV, the UK Corporate Governance Code, and sector-specific regulations.
Contact ISO Xpert
Your ISO certification experts โ London-based, globally trusted
Need Enterprise Risk Management support?
Our consultants help organisations implement ISO 31000-aligned ERM frameworks and embed risk into strategy.
These Terms govern use of the website and digital tools provided by ISO Xpert Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
1. Acceptance
By using this tool, you confirm you are at least 18 years of age and agree to these Terms.
2. Intellectual Property
All content, including the ISO 31000 Enterprise Risk Management Tool, text, graphics, logos and software, is the exclusive property of ISO Xpert Ltd, protected by UK copyright law and international treaties. ISO Xpert™ and the ISO Xpert logo are proprietary trademarks.
3. Disclaimer
This tool is a practical support aid and does not constitute professional legal, financial, regulatory, governance or risk management advice. Enterprise risk assessments should be overseen by qualified risk professionals. ISO 31000 is a guidance standard and organisations remain responsible for their own risk management frameworks, governance arrangements and regulatory compliance. ISO Xpert Ltd accepts no liability for business decisions or outcomes based on use of this tool.
4. Limitation of Liability
ISO Xpert Ltd shall not be liable for any financial, operational, legal or reputational consequences arising from use of this tool.
5. Governing Law
Laws of England and Wales. Disputes subject to exclusive jurisdiction of courts of England and Wales.
ISO 31000 Enterprise Risk Management Tool โ Frequently Asked Questions
Quick answers about the ISO 31000 Enterprise Risk Management Tool gap analysis tool, data privacy, audit preparation, and ISO Xpert consulting.
What is the ISO 31000 Enterprise Risk Management Tool gap analysis tool and how does it work?
The ISO 31000 Enterprise Risk Management Tool gap analysis tool is a free browser-based checklist that compares your current management system against the clauses of ISO 31000. You answer clause-by-clause questions and rate each requirement as Compliant, Partial or Non-compliant. The tool calculates a live compliance score, highlights gaps on a heat map, captures evidence and corrective-action notes, and exports the full assessment as JSON, CSV, TXT or print-ready PDF for management review and Stage 1 / Stage 2 audit preparation.
Is the ISO 31000 Enterprise Risk Management Tool gap analysis tool really free to use?
Yes. The ISO 31000 Enterprise Risk Management Tool is 100% free with no sign-up, no email capture, no credit card, no watermarks, and no usage limits. It runs entirely in your browser; nothing is transmitted to ISO Xpert servers. You can clear or export your data at any time.
Where is my ISO 31000 Enterprise Risk Management Tool assessment data stored?
All ISO 31000 Enterprise Risk Management Tool assessment data is stored locally in your browser’s storage. Nothing is uploaded to our servers. This makes the tool GDPR-friendly and suitable for confidential audit data classified up to Restricted. Export anytime as JSON (re-importable), CSV (Excel-pivotable), TXT (executive summary) or PDF (audit-trail evidence).
Can I use this tool to prepare for ISO 31000 Enterprise Risk Management Tool certification or surveillance audits?
Yes. The ISO 31000 Enterprise Risk Management Tool gap analysis is designed to support preparation for certification by UKAS-, IAS- or ANAB-accredited bodies. Use the exported report as evidence of internal audit, feed it into management review, and prioritise high-severity non-conformities ahead of Stage 1 / Stage 2 visits. ISO Xpert consultants can assist with documented information, internal audits and full implementation if required.
How long does an ISO 31000 Enterprise Risk Management Tool gap analysis typically take?
Most users complete an initial ISO 31000 Enterprise Risk Management Tool gap analysis in 60 to 120 minutes for a single site, depending on system maturity and clause depth. The tool auto-saves continuously, so you can pause, switch devices via JSON export/import, and resume at any time. Re-assessments after corrective action usually take 20 to 40 minutes.
Does ISO Xpert offer ISO 31000 Enterprise Risk Management Tool consulting or training?
Yes. ISO Xpert Ltd (London, UK) provides ISO 31000 Enterprise Risk Management Tool gap analysis consulting, internal audits, Stage 1 and Stage 2 certification preparation, lead auditor / internal auditor training, and full management-system implementation. Contact info@iso-xpert.com or WhatsApp +44 7853 109840.