Comparing ISO 31000 (2009) with the draft ISO 31000 (2017) – Part 2

Part 2 – ISO 31000 – Scope – Normative References – Terms & Definitions

A high level document

The revision of the ISO 31000 standard is to be finalized in 2017. In a series of articles we present and discuss the major changes that are to be expected. In Part 1 we discussed the introduction of the document and the new graphic layout of the framework and process of the revised ISO 31000 risk management standard (see figure below). That layout immediately shows what the intent of the revision is.

The update intends to make ISO 31000 a very concise, high-level document on risk management. This is mainly achieved by reducing the amount of information to the strict minimum. The approach is in line with ISO's ambition to develop a whole series of ISO 31000 documents, each covering a different aspect of risk management, similar to the ISO 31004 and ISO 31010 documents that are already available. The idea is that these supplementary documents will then accommodate any specific information on risk management that is not contained in ISO 31000 itself.

ISO 31000 Standard (2017) – Principles – Framework – Process


When looking at the section “Scope” of the revised standard, the reduction of content is clearly visible. Instead of the scope being elaborated over half a page, it is now explained in fewer than five lines. This is mainly achieved by deleting large parts of the original text.

However, there are some remarkable changes in this draft 2017 edition. The proposed version talks about “adaptable guidelines“ instead of “generic guidelines“. It also states that the standard is “to be used by any organisation“, replacing the old phrase that ISO 31000 “is not specific to any industry or sector“.


Maybe the most notable change in the scope is that the sentence “This International Standard is not intended for the purpose of certification” is no longer there. This leaves the door open for those who want a standard that can also be used for certification.

Normative references

This is a new section in the standard. It only states that there are no normative references in the document. I suppose this is only to comply with the newer formats ISO uses for its standards.

Terms and definitions

The major change in this section (at least to me) is that the following sentence has changed.

“For the purpose of this document, the following terms and definitions apply.”

In the 2009 edition this sentence was followed by 29 definitions that fully defined risk management the ISO 31000 way.

In the draft it now reads as follows:

“For the purpose of this document the terms and definitions given in ISO Guide 73 and the following apply.”

As a consequence, all definitions given in ISO Guide 73 now apply to ISO 31000. As Guide 73 is meant to cover all ISO definitions regarding risk and risk management, this shouldn’t come as a surprise. It is to be noted that the wording of the actual definitions has not changed at all; the changes in the revision only concern the notes to the definitions.


The definitions still listed in the standard itself (“… the following apply”) are kept to a strict minimum and are mainly those with updated notes:

  • RISK (notes changed)
  • RISK MANAGEMENT (no change)
  • STAKEHOLDER (no change)
  • RISK SOURCE (notes changed)
  • EVENT (notes changed)
  • CONSEQUENCE (notes changed)
  • LIKELIHOOD (no change)
  • CONTROL (notes changed)

In general the changes go in the direction of better wording and more complete coverage of what the notes want to convey. However, there’s one note that really catches my attention and that in my opinion can be improved: note 1 of the definition of risk.

“An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), negative (sometimes expressed as threats) or both.”

The problem I have with this sentence is the parts in brackets. The content between brackets should be left out, because in my opinion opportunities and threats are (external) risk sources in the same way as weaknesses and strengths are (internal) risk sources. Although effects can also become risk sources, the way note 1 is phrased only leads to a short-sighted view of what can be understood by effects.

For example, one could say that pursuing an opportunity and making use of one’s strengths, while managing threats and weaknesses, can bring unexpected positive consequences. However, pursuing opportunities without managing threats and weaknesses and without building on strengths can certainly bring about unexpected and unwanted consequences. The consequences are then the effects of uncertainty on the objectives related to the opportunity pursued.

So my proposal for note 1 is: “An effect is a deviation from the expected. It can be positive, negative or both.” There’s no need to add anything to that!

In general

In general, one can say “less is more”, and this is certainly true for this revision. More interpretations are possible, more definitions come into play and more options for the use of the standard are provided (e.g. certification). The one remark I have is on note 1 of the definition of risk.

To be continued …


  • Do you want to know more about ISO 31000 and its revision?
  • Are you looking for certification for this standard?
  • Do you want to learn how to integrate risk management at all levels of your organisation and all of its operations?

Join us for one of our certification courses in Brussels or Frankfurt or contact us for an in-house training!

Peter BLOKLAND