ISO 31000 Risk Management Checklist

An ISO 31000 Risk Management Checklist is a self-assessment tool to help identify, assess, and reduce external and internal factors which could harm the organization. It's a framework for designing, implementing, and maintaining a risk management system on a company-wide level, useful for internal audits.

Framework

1. Mandate and commitment. Have we:
   (a) defined and endorsed a risk management policy
   (b) determined risk performance indicators
   (c) aligned risk objectives and indicators to organizational objectives and indicators
   (d) ensured legal and regulatory compliance


2. Organization and its context. In designing our risk framework, have we:
   (a) evaluated the external context
   (b) evaluated the internal context


3. Does our policy include:
   (a) the rationale for managing risk
   (b) accountabilities
   (c) how conflicts of interest are dealt with
   (d) links between the organization's objectives and the risk policy
   (e) a commitment to resource risk management
   (f) how risk performance is managed, measured and reported
   (g) a commitment to review and improve the policy


4. Have we established accountability, authority and competence for managing risk?


5. Do we:
   (a) identify risk owners
   (b) identify responsibility for our framework
   (c) identify risk responsibilities
   (d) establish performance measures and reporting and escalation processes
   (e) ensure appropriate levels of recognition


6. Is risk management embedded into our practices and processes in a way that is relevant, effective and efficient?


7. Have we allocated appropriate resources for risk management?


8. Does this allocation include consideration of:
   (a) people
   (b) organizational processes, methods and tools
   (c) documented processes and procedures
   (d) information and knowledge management systems
   (e) training


9. Reporting. Have we established internal communication and reporting mechanisms for risk management?


10. Reporting. Have we determined and implemented how we will communicate with external stakeholders?


11. In implementing our framework, can we show we have:
   (a) applied the risk management policy to organizational processes
   (b) complied with legal and regulatory requirements
   (c) ensured decision making is aligned with risk management processes
   (d) held information and training sessions
   (e) communicated and consulted with stakeholders


12. Do we:
   (a) measure risk management performance against indicators
   (b) measure progress against risk management plans
   (c) review whether the framework and policy are still appropriate
   (d) report on risk
   (e) review the effectiveness of the framework
   Do we continually improve the risk policy, framework and plans?


Process

1. General. Is the risk management process:
   (a) an integral part of management
   (b) embedded in culture and practices
   (c) tailored to our organisation


2. Can we demonstrate communication and consultation with external and internal stakeholders at all stages of the risk management process?


3. Can we demonstrate we have considered the internal and external context and factors, and how they relate to the scope of the particular risk management process?


4. Have we defined the criteria to be used to evaluate the significance of risk?


5. Have we identified sources of risk, areas of impact and their causes and potential consequences?


6. Have we applied risk identification tools and techniques?


7. Do we use people with appropriate knowledge for risk identification?


8. Do we have processes to consider the causes and sources of risks, their consequences, and the likelihood that those consequences occur?


9. Do we compare the level of risk found during the analysis process to our risk criteria to determine the need for treatment or further analysis?


10. Options. Do we have processes for selecting treatment options that consider stakeholders, legal and regulatory requirements, and context?


11. Do we have processes to identify new risks introduced through treatment?


12. Does the treatment plan identify the priority order for risk treatments?


13. Plans. Do we document how our risk treatment will be implemented?


14. Do we include:
   (a) reasons for selection and expected benefits
   (b) responsibilities
   (c) proposed actions
   (d) resource requirements
   (e) performance measures
   (f) reporting and monitoring requirements
   (g) timing


15. Have we included regular checks or surveillance in our risk processes at all levels?


16. Have we defined responsibilities for monitoring and review?


17. Do we check the progress of risk treatment plans?


18. Do we report the results of monitoring and review?


19. Are our processes traceable?


20. Have we retained suitable records?

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.