ISO 31000 Checklist

ISO 31000 Risk

ISO 31000:2009 Checklist

Risk Management Principals

4.0 Framework

4.1 Mandate & Commitment

Have you:

  • Defined and endorsed a risk management policy
  • Determined risk performance indicators
  • Aligned risk objectives and indicators to organizational objectives and indicators
  • Ensured legal and regulatory compliance

4.2 Design Framework

Organisation & its Context

In designing your risk framework have you:

  • Evaluated external context
  • Evaluated internal context

Risk Policy

Does your policy include:

  • Rationale for managing risk
  • Accountabilities
  • How conflict of interest is dealt with
  • Links between organizations objectives and risk policy
  • Commitment to resource risk management
  • How risk performance managed, measured and reported
  • Commitment to review and improve the policy


Have you established accountability, authority and competence for managing risk.

Do you:

  • Identify risk owners
  • Identify responsibility for our framework
  • Identify risk responsibilities
  • Establish performance measures and reporting and escalation processes
  • Ensure appropriate levels of recognition

Integration into Organisation Processes

Is risk management embedded into your practices and processes in a way that is relevant, effective and efficient?

Internal Communicating & Reporting

Have you established internal communication and reporting mechanisms for risk management?


Have you allocated appropriate resources for risk management? Including a consideration of:

  • People
  • Organizational processes, methods and tools
  • Documented processes and procedures
  • Information and knowledge management systems
  • Training

External Communication & reporting

Have you determined and implemented how you will communicate with external stakeholders?

4.3 Implementing Risk Management Framework

In implementing your framework can you show you have:

  • Applied risk management policy to organizational processes
  • Complied with legal and regulatory requirements
  • Ensured decision making is aligned with risk management
  • processes
  • Held information and training sessions
  • Communicated and consulted with stakeholders

4.4 Monitoring & Review

Do you:

  • Measure risk management performance against indicators
  • Measure progress against risk management plans
  • Review whether the framework and policy are still appropriate
  • Report on risk
  • Review the effectiveness of the framework

4.5 Continual Improvement

Do you continually improve the risk policy, framework, plans?

5.0 Process

5.1 General

Is the risk management process:

  • An integral part of management
  • Embedded in culture and practices
  • Tailored to your organisation

5.2 Communication & Consultation

Can you demonstrate communication and consultation with external and internal stakeholders at all stages of the risk management process?

5.3 Establishing Context

Can you demonstrate you have considered internal and external context, factors and how they relate to the scope of the particular risk management process?

5.2 Defining Risk Criteria

Have you defined the criteria to be used to evaluate the significance of risk?

5.6 Risk Assessment

Risk Identification

Have you identified sources of risk, areas of impact and their causes and potential consequences?

Have you applied risk identification tools and techniques?

Do you use people with appropriate knowledge for risk identification?

Risk Identification

Do you have processes to consider causes and sources of risks, their consequences and the likelihood of the consequences to occur?

Risk Evaluation

Do you compare the level of risk found during analysis process (5.4.3) to you risk criteria to determine the need for treatment or further analysis?

5.7 Risk Treatment

Selection of Risk Treatment Options

Do you have processes for selecting treatment options that consider stakeholders, legal, regulatory and context?

Do you have processes to identify new risks introduced through treatment?

Does the treatment plan identify priority order for risk treatments?

Preparing & Implementing Risk Treatment Plans

Do you document how your risk treatment will be implemented?
Do you include:

  • Reasons for selection and expected benefits
  • Responsibilities
  • Proposed actions
  • Resource requirements
  • Performance measures
  • Reporting and monitoring requirements
  • Timing

5.8 Monitoring & Review

Have you included regular checks or surveillance in your risk processes at all levels?

Have you defined responsibilities for monitoring and review?

Do you check progress of risk treatment plans?

Do you report results of monitor and review?

5.9 Recording

Are your processes traceable?

Have you retained suitable records?

Request a Quick Quote

Request an obligation free quote today, tailored specifically to your business’ certification needs and industry.

Get Your ISO Checklist

Training Sessions

Our training course are designed to provide a basic and contextualised introduction to ISO certification as well as provide a practical overview of how it applies to your business.

Contact Us

Speak to one of our helpful team about your certification needs.

Have your own Checklist

What is ISO 31000 Risk Management?

What is ISO 31000 Risk Management?

Some organisations are exposed to more risks than others due to the nature of their business or their business environment. Some organisations are willing to accept more risk than others because with more risk we expect more return.

Why do I need ISO 31000 Risk Assurance?

Why do I need ISO 31000 Risk Assurance?

Risk management can also help an organisation ensure that it complies with relevant legal and regulatory requirements and it can also improve stakeholder confidence and trust in an organisations performance.

How can I get certified

How can I get certified?

Getting ISO certification is a lot easier than you might think, We take you through the three step audit process from your initial enquiry to the final certification decision.

ISO 31000 Certification Throughout Australia

Compass Assurance Services have offices and staff located throughout Australia including Brisbane, Melbourne, Perth and Sydney.

Want to speak to someone?

Contact Us

Contact us and speak to one of our helpful team about your ISO certification needs. We can offer certification to smaller, niche standards and to other non-accredited (non ISO) standards as well.

Request a Quote

Request an obligation free quote today, tailored specifically to your business’ certification needs and industry.

Our Values

Our Policies