Julian Talbot

How to Select a Risk Management Standard

There are various risk management standards available, some of which include:

  • ISO 31000:2018 Risk Management Guidelines: This is an international standard that provides guidelines on risk management principles and a framework for implementation. It covers the entire risk management process, from risk identification to evaluation and treatment.

  • COSO ERM: This is a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to help organizations manage risks related to their business objectives. It consists of eight interrelated components and emphasizes the importance of risk management as a strategic business function.

  • NIST SP 800-30: This is a guide developed by the National Institute of Standards and Technology (NIST) to help organizations manage information security risks. It provides a structured approach to risk management and emphasizes the importance of risk assessment and mitigation.

  • PMI Risk Management Professional (PMI-RMP): This is a certification offered by the Project Management Institute (PMI) that focuses on risk management in project management. It covers risk management planning, identification, analysis, response planning, and monitoring and control.

  • OSHA 1910.119: This is a standard developed by the Occupational Safety and Health Administration (OSHA) that provides guidelines on process safety management for highly hazardous chemicals. It emphasizes the importance of risk assessment, process safety information, and employee training in preventing accidents and incidents.

These are just a few of the many risk management standards available. The appropriate standard for an organization depends on its industry, size, and risk management needs.

For several reasons, I would recommend you start with ISO 31000. ISO 31000 has been formally adopted by over 100 nations and is widely considered the best risk management standard in the world.

  1. Firstly, it is developed and maintained by the International Organization for Standardization (ISO), a globally recognized and respected organization. This means the standard has undergone thorough review and consultation from experts and stakeholders worldwide.

  2. Secondly, ISO 31000 is a generic standard, which means it can be applied to any organization, in any industry, and in any country. This makes it highly flexible and adaptable to a wide range of contexts.

  3. Thirdly, ISO 31000 provides a common language and approach for assessing and comparing all types of risk across the organization. This standard approach helps organizations prioritize resources and apply risk management consistently, leading to better decision-making and greater overall risk management effectiveness.

  4. Finally, ISO 31000 is based on a risk management process that is systematic, structured, and proactive, which helps organizations identify, assess, and control risks more efficiently and effectively.

ISO 31000 is a standard that provides guidelines and general principles for managing organizational risks. It aims to help organizations establish a risk management framework, a set of policies, procedures, and processes for managing risks.

The standard covers all aspects of risk management, including risk assessment, risk evaluation, risk treatment, and risk communication and consultation. It also guides how to integrate risk management into decision-making and how to monitor and review the effectiveness of the risk management process.

ISO 31000 can be applied in many ways:

  1. As a reference for developing risk management policies and procedures.

  2. To assess current risk management practices and identify areas for improvement.

  3. To train staff on risk management principles and practices.

  4. To demonstrate to stakeholders that the organization takes risk management seriously and has a robust risk management system.

If organizations apply any risk management standard effectively, they can expect to see benefits. ISO 31000, in particular, will almost certainly result in improved decision-making, as risks are identified and addressed early on; increased efficiency, as risk management processes are streamlined and standardized; and improved stakeholder confidence, as the organization demonstrates its commitment to managing risks.

In addition, effective risk management can help organizations to protect assets, reduce the likelihood of adverse events occurring, and increase the chances of achieving their objectives.

Last but not least, of all the available standards, ISO 31000 is particularly focussed on achieving objectives. It is an internationally recognized and endorsed standard for organizations looking to manage risks systematically and effectively. And in the end, risk management is not a self-licking ice cream. It exists only to help individuals and organizations achieve their objectives more effectively and efficiently.


If you found this article informative and want to learn more about risk management, check out the other articles on


Also, if you are struggling for time and money to implement a risk management standard, don’t let a lack of resources hold you back. Pick up a copy of “Business Cases for Risk Management” today and take the first step towards getting your projects funded and off the ground. I hope you find the book as helpful as I have found the process of creating it.
