The framework of ISO 31000:2018 consists of a set of components that establish the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

Successful implementation of the framework supports the effective management of risk by applying the risk management process at different levels and within specific contexts of the organization. The framework stresses the adequate reporting of information about risk management that is derived from the implemented risk management process. This information serves as a basis for accountability and decision-making at all relevant organizational levels.

Integration of risk management into the organizational structure and context, with defined roles and responsibilities.

Design of the risk management framework based on legal, policy and operational requirements and needs, together with the assignment of roles and responsibilities and the allocation of resources. Internal and external communication and reporting mechanisms should also be incorporated in the design phase.

Implementation of the risk management framework and process by making specific plans and defining responsibilities and accountabilities, including decisions about who does what, when and how.

Evaluation and Improvement

Based on the results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. These decisions should lead to improvements in the organization's management of risk and in its risk management culture.