ISO/TC 262 - Risk management

This document defines generic terms related to the management of risks faced by organizations.

This document gives guidance to organizations on how to manage the risk(s), to the organization and its travellers, as a result of undertaking travel. This document provides a structured approach to the development, implementation, evaluation and review of: policy; programme development; threat and hazard identification; opportunities and strengths; risk assessment; prevention and mitigation strategies. This document is applicable to any type of organization, irrespective of sector or size, including but not limited to: commercial organizations; charitable and not-for-profit organizations; governmental organizations; non-governmental organizations; educational organizations. This document does not apply to tourism and leisure-related travel, except in relation to travellers travelling on behalf of the organization.

This document gives guidelines for managing the specific challenges of legal risk faced by organizations, as a complementary document to ISO 31000. The application of these guidelines can be customized to any organization and its context. This document provides a common approach to the management of legal risk and is not industry or sector specific.

This document gives guidelines for integrating and using ISO 31000 in organizations that have implemented one or more ISO and IEC Management System Standards (MSS), or that have decided to undertake a project implementing one or more MSS incorporating ISO 31000. This document explains how the clauses of ISO 31000 relate to the high level structure (HLS) for MSS. This document does not provide guidance on implementing a management system in general. It does not specify requirements of a MSS. It does not provide a summary of ISO 31000; however, it does, as explained above, provide the background for understanding ISO 31000. Using this document does not remove the need to use other standards to address specific aspects of risk.

ISO 31000:2018 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context. ISO 31000:2018 provides a common approach to managing any type of risk and is not industry or sector specific. ISO 31000:2018 can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.

ISO/TR 31004:2013 provides guidance for organizations on managing risk effectively by implementing ISO 31000:2009. It provides: a structured approach for organizations to transition their risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the characteristics of the organization; an explanation of the underlying concepts of ISO 31000; guidance on aspects of the principles and risk management framework that are described in ISO 31000. ISO/TR 31004:2013 can be used by any public, private or community enterprise, association, group or individual. ISO/TR 31004:2013 is not specific to any industry or sector, or to any particular type of risk, and can be applied to all activities and to all parts of organizations.

IEC 31010:2009 is a dual logo IEC/ISO, single prefix IEC, supporting standard for ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment. This standard is not intended for certification, regulatory or contractual use. NOTE: This standard does not deal specifically with safety. It is a generic risk management standard and any references to safety are purely of an informative nature. Guidance on the introduction of safety aspects into IEC standards is laid down in ISO/IEC Guide 51.

ISO 31000:2009 provides principles and generic guidelines on risk management. ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector. ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards. ISO 31000:2009 is not intended for the purpose of certification.