ISO 31010 is the international standard that provides guidance on risk assessment techniques. It supports organisations in selecting and applying appropriate methods to identify, analyse, and evaluate risk as part of an effective risk management process.
ISO 31010 is not a certifiable standard. Instead, it complements ISO 31000 by offering practical tools and techniques that can be used across a wide range of risk types and organisational contexts.
What is ISO 31010?
ISO 31010 is published by the International Organization for Standardization. It describes a broad set of qualitative, semi-quantitative, and quantitative techniques that organisations can use to assess risk.
The standard does not mandate the use of any specific method. Its purpose is to help organisations choose techniques that are proportionate to the decision being made, the complexity of the risk, and the availability of data.
What does ISO 31010 cover?
ISO 31010 focuses on the risk assessment stage of risk management and supports:
- Risk identification
- Risk analysis (likelihood and consequence)
- Risk evaluation and prioritisation
- Decision-making under uncertainty
It can be applied to strategic, operational, financial, safety, environmental, cyber, compliance, and project risks.
How ISO 31010 fits with ISO 31000
ISO 31010 is designed to be used alongside ISO 31000:
- ISO 31000 explains how risk management should be structured and embedded
- ISO 31010 explains how to assess risk using appropriate techniques
Together, they provide a complete approach to risk management, from governance through to practical assessment.
Categories of risk assessment techniques
ISO 31010 groups techniques broadly by purpose and complexity.
Qualitative techniques
Used where risks are less complex or data is limited.
Examples include:
- Brainstorming
- Structured interviews
- Checklists
- Risk matrices
- Bow-tie analysis
These techniques rely on expert judgement and structured discussion.
Semi-quantitative techniques
Used where some data is available and greater prioritisation is required.
Examples include:
- Risk ranking and scoring
- Probability–impact matrices
- Failure mode and effects analysis (FMEA)
- Hazard and operability studies (HAZOP)
These approaches combine judgement with scoring or weighting systems.
Quantitative techniques
Used for complex, high-impact, or safety-critical risks where detailed data is available.
Examples include:
- Fault tree analysis (FTA)
- Event tree analysis (ETA)
- Monte Carlo simulation
- Bayesian analysis
- Quantitative risk assessment (QRA)
These techniques often require specialist expertise and reliable data.
Choosing the right risk assessment technique
ISO 31010 emphasises that technique selection should be based on:
- The nature and complexity of the risk
- The significance of the decision being supported
- Availability and quality of data
- Time and resource constraints
- Required level of confidence in the outcome
Simple risks do not require complex methods, and overly complex techniques can obscure rather than clarify risk.
Commonly used ISO 31010 techniques explained
Risk matrix
A visual tool that combines likelihood and consequence to prioritise risks. It is widely used, but its scales and bands must be carefully designed so that it does not oversimplify the risk.
Bow-tie analysis
Shows how threats lead to an event and the consequences that may follow, with preventive and mitigative controls mapped visually.
Failure mode and effects analysis (FMEA)
Identifies how processes or systems might fail and evaluates the impact of those failures, often used in engineering and manufacturing.
Fault tree analysis
A top-down, logical analysis of how combinations of failures can lead to a defined unwanted event.
Each technique has strengths and limitations depending on context.
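As an added illustration of the fault tree analysis described above (this is example code, not text or code from the standard or this page), the following Python evaluates a small constructed fault tree: AND gates multiply the probabilities of independent inputs, OR gates combine them as 1 - prod(1 - p), and the minimal cut sets list which combinations of basic events are sufficient to reach the top event. The tree, event names and probabilities are constructed placeholders; the independence of basic events is an assumption.

```python
"""Fault tree analysis (FTA) evaluator, assuming independent basic events."""
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = ""            # "AND" or "OR"; empty for a basic event
    prob: float = 0.0         # probability of a basic event over the assessment period
    children: list = field(default_factory=list)

def probability(node: Node) -> float:
    """Top-down evaluation: AND multiplies, OR uses 1 - prod(1 - p)."""
    if not node.gate:
        return node.prob
    child_ps = [probability(c) for c in node.children]
    if node.gate == "AND":
        return prod(child_ps)
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in child_ps)
    raise ValueError(f"unknown gate {node.gate!r}")

def cut_sets(node: Node) -> list:
    """Minimal cut sets: sets of basic events that together cause the top event."""
    if not node.gate:
        return [frozenset({node.name})]
    child_sets = [cut_sets(c) for c in node.children]
    if node.gate == "OR":            # any child's cut set is enough
        combined = [s for sets in child_sets for s in sets]
    else:                            # AND: join one cut set from each child
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    # keep only minimal sets (drop any that contain another cut set)
    return [s for s in combined if not any(o < s for o in combined)]

# Constructed illustrative tree; probabilities are placeholders, not measured data.
TREE = Node("customer data exposed", "AND", children=[
    Node("attacker gains access", "OR", children=[
        Node("credential theft", prob=0.05),
        Node("unpatched service", prob=0.02),
    ]),
    Node("monitoring fails to detect", "OR", children=[
        Node("alert not triggered", prob=0.10),
        Node("alert not actioned", prob=0.20),
    ]),
])

if __name__ == "__main__":
    print(f"P(top event) = {probability(TREE):.4f}", [sorted(s) for s in cut_sets(TREE)])
```

Re-running `probability` after lowering one basic-event probability (for example, improving alert handling) shows which control has the most leverage on the top event, which is the prioritisation the quantitative techniques above are meant to support.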
Who is ISO 31010 for?
ISO 31010 is useful for:
- Risk and compliance professionals
- Health, safety, and environmental managers
- Information security and cyber risk teams
- Project and programme managers
- Engineers and technical specialists
- Organisations implementing ISO-based management systems
It is widely used to support standards such as ISO 27001, ISO 22301, ISO 45001, ISO 37001, and ISO 37301.
Is ISO 31010 certification possible?
No. ISO 31010 cannot be certified.
There are no accredited audits or certificates for ISO 31010. Organisations may state that their risk assessments are aligned with ISO 31010 techniques, but this does not constitute certification.
Benefits of using ISO 31010
Organisations that apply ISO 31010 effectively often achieve:
- More consistent and transparent risk assessments
- Better prioritisation of risks
- Improved decision-making
- Greater confidence in control selection
- Stronger alignment between risk analysis and business objectives
The value of ISO 31010 lies in improving the quality of risk assessment, not in formal recognition.
Common misunderstandings about ISO 31010
- “ISO 31010 prescribes one method” – it does not
- “ISO 31010 is only for safety risks” – it applies to all risk types
- “ISO 31010 replaces ISO 31000” – it supports it
- “ISO 31010 is too complex for small organisations” – it is scalable
Understanding these points helps organisations apply the guidance appropriately.
How ISO 31010 supports other ISO standards
ISO 31010 techniques are commonly used to support:
- ISO 27001 risk assessments
- ISO 22301 business impact and risk analysis
- ISO 45001 hazard identification
- ISO 37001 bribery risk assessments
- ISO 37301 compliance risk analysis
Using consistent techniques improves coherence across integrated management systems.
Next steps
If you want to improve risk assessment within your organisation:
- Review current risk assessment methods
- Select techniques that match risk complexity
- Train teams on consistent application
- Align assessments with ISO 31000 principles
ISOcertified.net provides practical guidance on risk management standards, including how ISO 31010 techniques can be applied alongside certifiable ISO management systems.