Revision ISO 31000 Risk Management Standard

Dr. Bruno Bruehwiler, Vincent Tophoff | April 17, 2014

Standard and related guidance

The global International Organization for Standardization (ISO) Standard 31000:2009—Risk Management, published in 2009, sets out principles, a framework, and a process for managing risk that are applicable to any type of organization in the public or private sector. 

Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. While ISO 31000 cannot be used for certification purposes, it does provide guidance for internal or external audit programs. Organizations using it can compare their risk management practices with an internationally recognized benchmark that provides sound principles for effective management and corporate governance.

In 2013, ISO published ISO/TR 31004:2013, Risk Management—Guidance for the Implementation of ISO 31000, which will help organizations smoothly align their risk management practices to ISO 31000. This technical report provides:

  • A structured approach to efficiently transition existing risk management practices to ISO 31000, with a dynamic outlook to adapt to future changes;
  • An explanation of the underlying concepts of ISO 31000 with advice and examples tailored to the user's individual needs; and
  • Additional guidance on the ISO 31000 principles and framework for the management of risk.


Organizations from around the world have had five years to implement the standard and gain experience with it. Generally, the standard has been well received, and many organizations have implemented it successfully. This experience has led to new insights, and the external environment has also changed. For that reason, the Core Risk Management Standards Working Group will meet in April 2014 in London to perform a limited editorial revision of the existing standard and prepare a substantial technical revision over the longer term. Almost 40 experts from 20 countries are engaged in these projects.

Risk Management and the accountancy profession

Risk management is at the heart of the work of all professional accountants. Many professional accountants play a leading role in the management of risk in their organization or advise organizations evaluating and improving their risk management arrangements. In addition, all professional accountants deal with risk in all their daily activities.

As the global organization for the accountancy profession, IFAC actively participated in the development of the guidance for the implementation of ISO 31000 and will participate in the upcoming revisions of the standard itself. To this end, IFAC is very interested in your experiences with the standard and would like to hear from you on what, if anything, needs to be changed in the standard. Please share your comments below and we will share them with the working group. We look forward to your feedback and will keep visitors to the Gateway posted on the progress of the revision. Many thanks in advance!

Dr. Bruno Bruehwiler

ISO Core Risk Management Standards Working Group

Dr. Bruno Bruehwiler is the CEO of Euro Risk Limited in Zürich and has been appointed convenor of the ISO TC 262 Risk management WG “Core risk management standards”. He is also the project manager of the ONR 49000 series, which was recently published in its 4th version. Dr. Bruehwiler is a professor of risk management at the Institute of Technology in Deggendorf/Bavaria and a member of the board of its Institute for risk and compliance management. He is the founder and chairman of the risk management network in Switzerland.

Vincent Tophoff

Senior Technical Manager

Vincent Tophoff is senior technical manager with the Professional Accountants in Business (PAIB) Committee of IFAC. Previously, he was a partner at INTE-Q Integration Management, a management accountancy consulting firm in The Netherlands and senior lecturer at the postgraduate accountancy program of the Vrije University in Amsterdam.

Join the Conversation (1)


Frank Herdmann May 9, 2015

I agree that accountants should know about risk management and like everybody taking decisions in an organization they should be part of the "risk management community" within the organization! They have to ensure that risk (well at least risk with negative consequences) is properly assessed (and treated) / provided for in the annual statements - otherwise the auditors would be badly advised to confirm them as showing a true and fair value...
