CONSUVATION GmbH guides you in building an effective risk management system according to ISO 31000:2018 – from the initial assessment through to full integration into your existing management systems. We bring more than 25 years of consulting experience, our own correlation matrix and a team made up entirely of senior consultants. For the DACH region and international clients.
Quick Check
Find out in 30 seconds where your company stands on risk management according to ISO 31000 – free & without registration.
At a Glance
ISO 31000 is the world's leading guideline for risk management. It defines how organisations systematically identify, assess, treat and monitor risks – in order to create and protect value.
The current version ISO 31000:2018 rests on three pillars: 11 principles, a framework for organisational integration, and a concrete risk management process. Certification to ISO 31000 is not provided for – the standard is intended as a guideline.
ISO 31000 is the foundation for risk assessments in other standards – ISO 27001, ISO 22301 and NIS2 require risk analyses without prescribing their own methodology.
Our consultants combine risk management expertise with practical experience from ISO 27001, BCM and NIS2 projects. This cross-cutting perspective makes us an experienced partner for integrating ISO 31000 into your existing management systems in the DACH region.
ISO 31000:2018 – Structure of the Standard
ISO 31000 is not a control catalogue like ISO 27001 Annex A, but a guideline with three interacting pillars: principles, framework and process.
Pillar 1 – 11 Principles
11 success criteria for effective risk management – including integrated, structured, customised, inclusive and dynamic. They form the foundation for the framework and process.
Pillar 2 – Leadership & Governance
Embeds risk management in leadership, strategy and organisational structure. Governs responsibilities, resources, communication, and the ongoing evaluation of effectiveness.
Pillar 3 – 6 Process Steps
The operational core: defining the scope & context, identifying, analysing, evaluating and treating risks – supported by communication, consultation and monitoring.
Important to Know – Guideline, Not a Requirements Standard
ISO 31000 is designed as a guideline and – unlike ISO 27001 – does not provide for a certification procedure. Its effectiveness shows in genuine day-to-day integration, not in an audit certificate.
Our Approach
Structured, predictable and without surprises – our proven approach follows the ISO 31000 risk management process and results in a framework that is genuinely used in everyday business.
01
Free initial consultation, defining the scope and context, identifying stakeholders, creating a project plan.
02
Current-state assessment of existing risk management, comparison against the 11 principles per ISO 31000:2018, identifying gaps.
03
Defining governance, roles and responsibilities, setting risk criteria, embedding risk management in leadership and strategy.
04
Identifying, analysing and evaluating risks – including opportunities. Creating a risk register, prioritising the risk treatment plan.
05
Implementing risk treatment measures, training responsible staff, establishing communication and escalation pathways.
06
Continually monitoring effectiveness, regularly re-assessing the risk landscape and developing the framework further on an ongoing basis.
ISO 31000 & Other Standards
ISO 31000 provides the generic risk management methodology – many other standards require risk assessments without prescribing a methodology of their own. CONSUVATION integrates ISO 31000 seamlessly into your existing management systems.
ISO 27001 requires a risk assessment for information security but does not prescribe a specific methodology. ISO 31000 provides the recognised framework for this – a consistent risk methodology across all management systems.
Business continuity management builds on a sound risk assessment. ISO 31000 provides the methodology for systematically identifying and assessing business disruption risks – the foundation for resilient contingency plans.
NIS2 requires risk management for cybersecurity measures but does not prescribe its own methodology. Companies already applying ISO 31000 can use their established risk methodology directly for NIS2 requirements.
COSO ERM originates from US auditing practice and is more strongly focused on internal controls and governance. ISO 31000 is more broadly recognised internationally and easier to integrate with other ISO management systems – CONSUVATION is familiar with both approaches.
The GDPR requires a data protection impact assessment for high-risk processing activities. The risk methodology from ISO 31000 provides a structured, traceable assessment approach to demonstrate this to supervisory authorities.
ISO 9001:2015 already requires risk-based thinking in quality management. ISO 31000 provides the in-depth methodology for systematically integrating quality risks into the existing QMS.
Core Elements
ISO 31000 is not a rigid set of requirements – it's about principles that flow into an organisation's leadership, processes and culture.
Understanding internal & external context, defining the scope and risk criteria, involving stakeholders and their expectations.
Systematically identifying risks (and opportunities), analysing causes and effects, assessing likelihood of occurrence.
Prioritising risks according to defined criteria, selecting suitable treatment options and creating a risk treatment plan.
Defining clear roles and escalation pathways, providing resources, integrating risk management into the leadership structure.
Consistently involving stakeholders, fostering risk awareness across the organisation, making the basis for decisions transparent.
Regularly evaluating the effectiveness of risk management, adapting the risk landscape to changing conditions, incorporating lessons learned.
Services
From maturity assessment to full integration into your management systems – everything from a single source, with senior consultants and our own correlation matrix.
01
Systematic comparison of current state vs. target state against the 11 principles per ISO 31000:2018: what exists, what's missing, what needs to be prioritised – clearly documented with a measures plan.
02
Complete build-up according to ISO 31000: governance, roles, risk criteria, risk register, risk treatment plan and documentation.
03
Structured identification and assessment of risks and opportunities, prioritisation according to defined criteria, selection of suitable treatment options.
04
Linking the ISO 31000 methodology with ISO 27001, ISO 22301, ISO 9001 and NIS2 – a consistent risk methodology instead of isolated point solutions.
05
Developing concrete treatment measures (avoid, mitigate, transfer, accept), assigning responsibilities, tracking implementation.
06
ISO 31000 as a shared risk methodology for all other standards: NIS2, ISO 22301, ISO 9001 and ISO 27001 in one integrated project – maximum synergies.
07
Risk management training for all levels: basics for employees, in-depth training for risk owners, management briefings on governance obligations.
08
Ongoing support for risk management operations: regular risk reviews, updating risk registers, continual improvement of the framework.
Our ISO 31000 Solutions
Project plan, process models, training portal, dashboard and an external risk management officer – all from a single source. Scalable for small, medium and large enterprises.
The 5 Building Blocks of Our Complete ISO 31000 Solution
Risk Management Framework – Foundation & Steering
Process Model & Risk Register – All 11 Principles
Training Portal – DE & EN, with test
Risk Dashboard – Operations & Steering
External Risk Manager – Remote + optional on-site
Entry-level solution for small companies. Includes all essential building blocks for a first functioning risk management system – pragmatic, fast and cost-efficient.
Complete ISO 31000 solution for mid-sized companies – including training portal, dashboard and an external risk management officer on demand.
Maximum solution for complex organisations – with an individual project structure plan, on-site support, and integration with ISO 27001, ISO 22301 or NIS2.
All packages include an individual project plan tailored to your company. Remote guidance included – on-site appointments available on request.
Our Expertise
CONSUVATION exclusively employs senior consultants. With more than 25 years of consulting experience in information security, business continuity and compliance, we are among the most experienced risk management consultancies in the DACH region.
Our consultants bring risk management experience from numerous ISO 27001, ISO 22301 and NIS2 projects. They combine this practice-proven knowledge with the generic methodology of ISO 31000:2018 to develop a framework that is genuinely lived in everyday operations.
As active members of ISO working groups, we bring insider knowledge that flows directly into your risk management implementation.
Our Tool: ISO 31000 Correlation Matrix
CONSUVATION has developed its own correlation matrix for risk management requirements, mapping all relevant standards – ISO 31000, ISO 27001, ISO 22301, ISO 9001 and NIS2. This allows us to spot synergies immediately and produce a complete maturity assessment in the shortest possible time – without duplicate work, with maximum standard coverage.
Experienced risk management consultants – from maturity assessment to complete framework integration
The most renowned ISACA certifications – from IT audit to IT governance to risk management
Integrated risk methodology for all related standards – in one project, without duplicate work
Risk management experience from information security, business continuity and compliance projects
Get Started Now
Get advice from an experienced CONSUVATION consultant – free, non-binding and without empty phrases.