ISO 31000:2018
Objective: To provide a set of internationally recognised principles and guidance on the practice of risk management in organisations - these principles may be used to help improve the design and implementation of a risk management framework within an organisation
Provides a universal benchmark for risk management practice, helping an organisation to improve the effectiveness of its risk management framework and related activities, irrespective of market sector or business model
Encourages organisations to adapt the principles in order to design and implement a risk management framework that is consistent with the nature, scale and complexity of their activities
Covers a wide range of topics
Definitions for key terms such as risk, uncertainty and risk management
The importance of managing both the opportunities and threats that may come from exposure to risk
The basic principles for effective risk management such as developing a risk-aware culture, ensuring that it supports the organisation's strategic objectives and ensuring it is practised on a continuous basis to keep track of changing risks and exposures
How to design, implement, review and improve an effective risk management framework
The key components of an effective risk management process for identifying, assessing, monitoring and controlling risk
Three main topic areas
Principles for risk management
The core principle is that risk management activity should help protect and create value in organisations. Value might be protected through the prevention of costly negative risk events.
Value might be created by using risk management to satisfy the expectations of stakeholders or to help an organisation fulfil its strategic objectives
Additional principles call for risk management frameworks to be structured, inclusive, customised, dynamic, responsive and integrated
Core elements of an effective risk management framework
The standard highlights how the external and internal context of an organisation will influence the design, implementation and ongoing review and improvement of the framework
External context means factors such as regulation, technological development and market forces
Internal context relates to factors such as the culture and structure of the organisation
The standard emphasises the importance of leadership in designing and implementing effective risk management frameworks
The standard argues that tangible commitment to effective risk management is needed from an organisation's leaders, including its managers, senior managers and board or equivalent.
Support for an organisation's risk management activities should be evidenced by what the leaders say and do. Leaders must communicate the importance of operating an effective framework and support this operation through their own actions
The risk management process
The guidance discusses three core elements
Establishing the context
Risk assessment
Risk treatment
These elements are supported by three activities
Establishing the context
Establishing the context includes understanding the internal and external drivers that may affect an organisation's exposure to risk, such as the physical environment, technology, organisational structures and processes
Context also means understanding the types of risk that may affect an organisation and the various assessment and control tools that are available for use
The aim is to ensure that the organisation understands the range and scope of its objectives and activities, and the risks that are associated with them
Risk Assessment
Risk assessment means that an organisation should identify, analyse and evaluate its exposure to all sources of risk to its objectives
Risk assessment may involve the use of statistical models or qualitative judgement
Risk treatment
Risk treatment is another term for risk control.
The aim is to ensure that the level of exposure is controlled - not too high or too low
The level of control will be influenced by the risk appetite of an organisation
Communication and consultation
This is about communicating risk management information (such as risk management policies and procedures, or risk exposures) in a timely, accurate and factual way
Risk communication includes consulting with key stakeholders to ensure that they understand the risks that an organisation is taking and are satisfied that the organisation's approach to managing these risks is appropriate
Communication seeks to promote awareness and understanding of risk and how to deal with it whereas consultation involves obtaining feedback and information to support decision making
Recording and reporting
Recording means ensuring that identified risks are documented properly
It also means documenting risk management processes and procedures to ensure that they are understood clearly and implemented coherently across the organisation
Reporting means reporting on an organisation's risk exposures and the measures taken to control these exposures to relevant decision makers and stakeholders
Monitoring and review
Monitoring and reviewing is about learning, improving and adapting
The performance of an organisation's risk management framework can vary
If performance declines, changes may be required to maintain the efficiency and effectiveness of the framework
Performance monitoring and review might include activities such as audits, control effectiveness reviews and compliance reviews
ISO 31000 makes it clear that organisations should review and upgrade their risk management activities on a regular basis
Risk and an organisation's exposures to risk are never static
The standard essentially helps improve the management of risk against an international benchmark for good practice
To be effective, risk management must
Be integrated into all the firm's activities
Be structured and all-inclusive
Be tailored to the specific organisation
Include the views of all stakeholders
Be dynamic - to anticipate, detect, acknowledge change
Have up to date information
Be part of the cultural fabric of the organisation
Be subject to continuous improvement