Unrisk Guide

ISO 31000:2018 Risk Management

A practical guide to understanding and applying the ISO 31000:2018 international risk management standard.

Introduction

ISO 31000:2018 is an international standard that provides guidelines, principles, and a framework for managing risk within an organization. It is not industry-specific—any organization can apply these principles regardless of size, sector, or maturity.

This guide provides a practical translation of ISO 31000 for organizations new to formal risk management, bridging the gap between the standard's technical language and real-world application.

1. Scope

ISO 31000:2018 Text

“This document provides guidelines, principles and a framework for managing risk within an organization (see 4). This document is applicable to all organizations regardless of size, sector or activity.”

What It Means

ISO 31000 is designed to be universally applicable. Whether you're a solo entrepreneur, a growing startup, or a large enterprise, these guidelines provide a structured approach to identifying, assessing, and treating risks that could affect your objectives.

The standard is deliberately flexible—it doesn't prescribe specific methods or tools. Instead, it offers a framework that every organization can adapt to its own context and needs.

How Unrisk Implements This

Unrisk is built around the principles of ISO 31000. Our three-dimensional risk model (Consequence, Likelihood, Frequency) provides a structured yet flexible framework that any organization can adapt. Whether you're managing a single project or an entire enterprise, the tool scales to your needs.

2. Normative References

ISO 31000:2018 Text

“This document is a guideline and is not intended to be used as a prescriptive standard. It does not contain requirements the conformity of which can be claimed.”

What It Means

ISO 31000 is guidance, not a regulation or certification requirement. There are no external standards you must comply with, no mandatory audits, and no “ISO certified” status to achieve. It's a framework for thinking about risk systematically.

This makes ISO 31000 accessible: organizations can adopt its principles without fear of non-compliance penalties. The value lies in improved decision-making, not regulatory checkbox exercises.

How Unrisk Facilitates This

Unrisk helps organizations implement ISO 31000 principles without requiring external expertise. The tool guides users through risk identification, assessment, and treatment using a mathematically rigorous yet intuitive framework. There are no prerequisites—just start managing risk.

3. Terms and Definitions

ISO 31000 establishes specific terminology for risk management. Understanding these terms is essential for effective communication and implementation.

ISO 31000 Term | Definition | Unrisk
Risk | Effect of uncertainty on objectives | A risk entry with C/L/F scores
Risk management | Coordinated activities to direct and control risk | Full application
Risk criteria | Standards against which risk is evaluated | Client Sensitivity → Threshold (Risk Score Threshold)
Risk appetite | Amount/type of risk organization is willing to accept | Threshold (Risk Score Threshold)
Risk tolerance | Organization's readiness to bear residual risk | Risk state: unmitigated → mitigated
Risk owner | Person/accountable entity for risk | Assigned to (project member)
Risk treatment | Process to modify risk | Mitigation plans
Residual risk | Risk remaining after treatment | Projected Risk Score
Inherent risk | Risk before treatment is applied | Current Risk Score

4. Principles of Risk Management

ISO 31000 defines 8 guiding principles that should shape how your organization approaches risk management. These principles are not software-implementable—they are conceptual foundations that our tools facilitate.

Principle | ISO 31000:2018 Text | Interpretation + Implementation

4.1 Creates and protects value

Effective risk management should contribute to achieving objectives. It's not about eliminating risk—it's about ensuring the risks you take are worthwhile and that threats don't destroy organizational value.

How Unrisk Implements This

We calculate a threshold based on your Client Sensitivity (1-10). Risks below this threshold are automatically accepted—they're within your risk appetite. This ensures you only spend resources on risks that genuinely threaten value.

4.2 Is integral part of all organizational activities

Risk management must be embedded into every aspect of your work—not a separate "risk department" activity. Every project, decision, and process should consider risk.

How Unrisk Implements This

The app follows a hierarchical structure: Organization → Project → Risk. Risk tracking lives within project workspaces, making it a natural part of project management rather than an isolated task.

4.3 Is part of decision making

Risk information should inform decisions. You should understand risk tradeoffs before committing resources or making strategic choices.

How Unrisk Implements This

The Risk Catalog automatically sorts risks by Risk Score (highest to lowest). The top of the list visually represents the most critical risks, so you always prioritize decisions around what matters most.

4.4 Explicitly addresses uncertainty

Risk is the "effect of uncertainty on objectives." This means explicitly modeling what you don't know—how bad it could be, how likely it is, and how often it occurs.

How Unrisk Implements This

We break uncertainty into three measurable dimensions: Consequence (severity), Likelihood (probability), and Frequency (exposure rate). These three scores feed our Risk Score formula to convert uncertainty into a comparable metric.

4.5 Is structured, timely and uses best available information

Risk decisions should be based on the best information you have. You should document your sources and track how risk assessments evolve over time.

How Unrisk Implements This

Our audit logging system tracks all changes to risks and mitigations with full user attribution. This creates a complete history: who changed what, when, and why—providing visibility into how risk assessments evolved.

4.6 Takes human and cultural factors into account

Risk management is not purely mathematical. People's risk perceptions, biases, incentives, and organizational culture all affect how risks are identified and addressed.

How Unrisk Facilitates This

We provide contextual help content (tooltips with "?" icons) throughout the app to guide users who may be new to formal risk management. The help content explains both technical terms and the reasoning behind inputs.

4.7 Is tailored and dynamic

Risk management is not static. As circumstances change, as new information emerges, and as mitigations are implemented, your risk understanding should evolve.

How Unrisk Implements This

Risk Score metrics recalculate instantly when C/L/F scores change. The 3D Manifold visualizer animates in real-time as you adjust scores, making it clear how changes affect your risk landscape.

4.8 Continually improves

Risk management requires regular review. You should verify that risks remain accurate, confirm mitigations worked, and identify new threats.

How Unrisk Facilitates This

Planned Feature: Review cycles will prompt your team to verify risk accuracy on a regular schedule (weekly, monthly, or quarterly). When a review is due, you'll confirm whether the risk is still current or update scores based on new information.

5. Risk Management Framework

While Clause 4 defines the principles of risk management, Clause 5 describes how to embed those principles into your organization's governance and operations. This framework provides the structure for effective risk management at scale.

5.1 Leadership and Commitment

Top management must demonstrate commitment to risk management. Leadership sets the tone, establishes policy, and ensures resources are available for risk activities.

Subclause | ISO 31000:2018 Text | Interpretation + Implementation

5.1.1 Leaders shall be accountable

Those in leadership positions are accountable for risk management activities. Clear ownership ensures that risk decisions have authority and that resources can be allocated when needed.

How Unrisk Implements This

Unrisk uses a hierarchical role system:

  • Organization Owner - manages the organization, members, and billing
  • Project Owner - manages individual projects and their risks
  • Member - team members who can view and work on assigned risks

Each role has clear permissions and responsibilities.

5.1.2 Integrate into governance

Risk management must be integrated into the organization's governance structure—its policies, procedures, and decision-making processes.

How Unrisk Implements This

Every action in Unrisk is tied to a user with a verified role. We use Role-Based Access Control (RBAC) to ensure:

  • Only authorized users can view organization data
  • Only owners can manage members and billing
  • Only project owners can create and manage risks
  • All changes are attributed to the user who made them

This embeds risk management directly into your organizational governance.
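As an added illustration of the deny-by-default RBAC and change attribution described above (example code, not Unrisk's own implementation): the three role names follow the page, while the data structures, function names and permission sets are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles from the page; an action not listed for a role is denied by default.
# The permission names themselves are assumptions for this illustration.
ROLE_PERMISSIONS = {
    "org_owner": {"view_org", "manage_members", "manage_billing",
                  "create_risk", "manage_risk", "view_risk"},
    "project_owner": {"view_org", "create_risk", "manage_risk", "view_risk"},
    "member": {"view_org", "view_risk"},
}

@dataclass
class User:
    user_id: str
    org_id: str
    org_role: str                              # "org_owner" or "member"
    owned_projects: set = field(default_factory=set)

@dataclass
class Risk:
    risk_id: str
    org_id: str
    project_id: str
    score: int

AUDIT_LOG = []   # every change is recorded with full user attribution

def effective_role(user, org_id, project_id=None):
    """Resolve the role a user holds for a given organization/project scope."""
    if user.org_id != org_id:
        return None                            # not a member: no access at all
    if user.org_role == "org_owner":
        return "org_owner"
    if project_id is not None and project_id in user.owned_projects:
        return "project_owner"
    return "member"

def is_allowed(user, action, org_id, project_id=None):
    role = effective_role(user, org_id, project_id)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())

def update_risk_score(user, risk, new_score):
    """Apply a score change only when authorized, and attribute it to the user."""
    if not is_allowed(user, "manage_risk", risk.org_id, risk.project_id):
        raise PermissionError(f"{user.user_id} may not manage {risk.risk_id}")
    old_score, risk.score = risk.score, new_score
    AUDIT_LOG.append({"who": user.user_id, "what": "risk.score", "risk": risk.risk_id,
                      "old": old_score, "new": new_score,
                      "when": datetime.now(timezone.utc).isoformat()})
    return old_score
```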

5.1.3 Policy statement

Organizations should publish a risk management policy statement—this defines your approach, commitment, and how risk fits into your culture.

How Unrisk Implements This

Unrisk includes a built-in Risk Policy Statement editor in your Organization Settings. Write and save your organization's risk policy, then have leadership confirm it annually.

The policy:

  • Defines your organization's risk approach
  • Shows who approved it and when
  • Resets confirmation when updated
  • Appears in compliance reports for auditors

5.2 Design

Design the framework before implementing it. This involves understanding your organization, establishing policies, defining elements, and ensuring integration with existing structures.

Subclause | ISO 31000:2018 Text | Interpretation + Implementation

5.2.1 Understanding organization

Before designing a framework, understand your organization's context: its mission, values, structure, capabilities, and stakeholders.

How Unrisk Implements This

Unrisk's onboarding flow guides you through initial setup:

  • Create your organization
  • Define your first project and its scope
  • Set your client's risk Sensitivity Score (1-10)

This establishes the organizational context from day one.

5.2.2 Risk management policy

Your risk policy statement (from 5.1.3) should be formalized and approved. It defines how your organization approaches risk.

How Unrisk Implements This

The Risk Policy Statement is stored in your Organization Settings with:

  • Freeform text editor
  • Leadership approval tracking
  • Annual confirmation workflow

5.2.3 Risk framework elements

Define the key elements of your risk framework: risk criteria, appetite, tolerance, roles, responsibilities, and escalation paths.

How Unrisk Implements This

Unrisk provides these framework elements:

  • Risk Score Threshold - calculated from Client Sensitivity (1-10)
  • Risk Criteria - Consequence, Likelihood, Frequency scoring
  • Audit Logging - every change tracked with user attribution
  • Role-Based Access Control - permissions enforced at each level
  • Escalation Path - risks above threshold trigger action

5.2.4 Integration with organization

Ensure risk management integrates with existing organizational processes—not as a separate activity, but as part of how you work.

How Unrisk Implements This

Unrisk follows your organizational hierarchy:

  • Organization → holds policy, stakeholders, billing
  • Projects → belong to organizations
  • Risks → belong to projects (see Risk Catalog)

Risk management is embedded in project workflows, not siloed.

5.2.5 Resources

Assign appropriate resources: people, time, tools, and budget. Risk management needs sustained investment.

How Unrisk Implements This

Unrisk supports resource allocation through:

  • Tiered pricing - scales with organization size
  • Active/Inactive users - control who can access risk data
  • Role-based limits - enforce seat limits per tier

Resources are managed via the billing system.

5.3 Implementation

Put the framework into practice. This involves operational planning, process integration, and communication both internally and externally.

Subclause | ISO 31000:2018 Text | Interpretation + Implementation

5.3.1 Implementation plan

Create a plan for implementing your risk framework. Define timelines, responsibilities, and milestones.

How Unrisk Implements This

Project creation serves as your implementation plan:

  • Define project scope and objectives
  • Set client sensitivity (establishes risk tolerance)
  • Invite team members
  • Start tracking risks immediately

5.3.2 Operational planning

Integrate risk activities into daily operations. Risk management isn't a separate project—it's part of how the organization runs.

How Unrisk Implements This

The risk register is your operational hub:

  • Risk Catalog - list view with sorting and filtering
  • Real-time Risk Score calculation
  • 3D Manifold visualization
  • Mitigation workflow tracking

Risk lives in the project, alongside your work.

5.3.3 Business processes

Risk management should fit into existing business processes—not require parallel ones.

How Unrisk Implements This

Unrisk integrates with project workflows:

  • Create risks alongside project tasks
  • Assign risks to team members
  • Add mitigation plans inline
  • Track risk state (unmitigated → mitigated)

5.3.4 Internal communications

Ensure everyone knows about risk management: its purpose, their responsibilities, and how to access tools.

How Unrisk Implements This

The stakeholder register tracks internal parties:

5.3.5 External communications

Communicate with external stakeholders: clients, regulators, suppliers, and partners about risk.

How Unrisk Implements This

The stakeholder register includes external parties:

  • Type: External (clients, partners, suppliers)
  • Type: Regulatory (auditors, compliance bodies)
  • Contact information for communications

Compliance reports can be generated for external stakeholders.

5.4 Evaluation of Framework

Measure whether your framework is working. Regular evaluation ensures risk management remains effective and improves over time.

Subclause | ISO 31000:2018 Text | Interpretation + Implementation

5.4.1 Risk management performance

Measure how well risk management is working. Use metrics and indicators to assess effectiveness.

How Unrisk Implements This

Project dashboards provide metrics:

  • Total risks tracked
  • Risks by state (unmitigated/planned/mitigated)
  • Risk Score distribution
  • Critical vs nominal breakdown

Real-time metrics show framework performance.

5.4.2 Internal audit readiness

Maintain records for internal audit. Demonstrate that risk management is happening as intended.

How Unrisk Implements This

Comprehensive audit logging tracks all changes:

  • Risk Audit History (in Project Settings)
  • Mitigation Audit History
  • Project Audit Log
  • Full user attribution (who, what, when)

Every action is logged for audit readiness.

5.4.3 Review effectiveness

Evaluate whether reviews and improvements are actually making risk management better.

How Unrisk Facilitates This

The audit log history enables effectiveness tracking:

  • Historical risk score changes over time
  • Mitigation plan effectiveness (projected vs actual)
  • Review completion rates

Planned: Add explicit review effectiveness metrics.

5.5 Continual Improvement

Your risk framework must evolve. Regular improvements ensure it remains effective as circumstances change.

Subclause | ISO 31000:2018 Text | Interpretation + Implementation

5.5.1 Taking action

When issues are identified, take corrective action. Update policies, processes, and the framework itself.

How Unrisk Implements This

The Improvement Log tracks framework improvements:

  • Improvements page
  • Categories: Policy, Threshold, Process, Lesson Learned
  • Organization and project level
  • Included in compliance reports

Document every improvement for audit trails.

5.5.2 Continual improvement

Regularly update the framework based on experience. Learn from successes and failures alike.

How Unrisk Implements This

The complete audit history shows how your framework evolved:

  • All risk changes over time
  • Mitigation effectiveness comparison
  • Threshold adjustments
  • Policy update history

Learn from the past to improve the future.

Ready to Start Managing Risk?

Unrisk provides the tools to implement ISO 31000 principles in your organization, regardless of size or experience level.