ISO 31000 · RISK MANAGEMENT · HEAT MAP · TREATMENT · APPETITE

Risk register, heat map and treatment in 3 seconds.

ISO 31000:2018 is the international risk management framework underpinning the risk requirements of ISO 9001, ISO 14001, ISO 45001 and ISO 27001. IgeraIndustria makes every clause queryable: identification, assessment, treatment, risk appetite and heat maps. The risk manager finds the answer in seconds.

ISO 31000:2018 pre-indexed Risk register & heat map supported <3s response time

ISO 31000: the most referenced risk framework and the least rigorously implemented

Every management system standard refers back to ISO 31000 for risk requirements. Yet most companies have outdated risk registers, uncalibrated heat maps and treatment plans without proper follow-up. The result: known risks that materialise without having been treated.

3 layers

Principles, Framework and Process: the ISO 31000:2018 structure that many organisations confuse or implement incompletely.

Cl. 6.4

Risk assessment: identification, analysis and evaluation. The three sub-phases that generate most of the gaps in internal risk audits.

Cl. 6.5

Risk treatment: 4 options (mitigate/transfer/accept/avoid). 60% of companies only apply one option in practice.

4 standards

ISO 9001, 14001, 45001 and ISO 27001 all refer to the ISO 31000 risk process. A single integrated framework avoids duplicating effort.

The risk manager spends hours looking up exactly what each phase of the ISO 31000 process requires, how to build the likelihood and impact scale, or what the difference is between inherent and residual risk. IgeraIndustria answers those questions in seconds, with the exact clause reference, so the team can focus on managing real risks rather than interpreting the standard.

Instant ISO 31000 query by process phase

IgeraIndustria locates the exact clause that applies to each risk management question and responds with the requirements, the recommended methodology and the most common mistakes in ISO 31000 implementations.

Establishing the context (cl. 6.3)

The external and internal context that determines the scope and risk criteria of the organisation. IgeraIndustria explains which factors must be considered, how to document the context and how the risk criteria condition the calibration of the heat map.

Risk identification (cl. 6.4.2)

Identification techniques: brainstorming, PESTLE analysis, sector-specific checklists, interviews with process owners and analysis of historical incidents. How to document sources, events, causes and consequences for each identified risk.

Risk analysis and evaluation (cl. 6.4.3 and 6.4.4)

Difference between qualitative, semi-quantitative and quantitative analysis. How to build the likelihood and impact scale, calculate the inherent and residual risk level, and position each risk on the heat map.

Risk treatment (cl. 6.5)

The 4 treatment options: avoid, mitigate, transfer and accept. How to select the most appropriate option based on the residual risk level vs. the risk appetite. Treatment plan structure with action, owner, deadline and effectiveness KPI.

Communication and consultation (cl. 6.2)

Stakeholder communication requirements throughout the entire process. How to integrate risk communication into governance bodies, how to report the risk profile to senior management and how to document risk acceptance decisions.

Monitoring and review (cl. 6.6)

Frequency and mechanisms for reviewing the risk register. Indicators of control effectiveness, updating the residual risk after treatment implementation and periodic review of risk appetite by senior management.

Full support for the ISO 31000 risk management process

From building the risk register to reviewing risk appetite with senior management, IgeraIndustria provides support at every phase of the risk management cycle in accordance with ISO 31000:2018.

Building the risk register

Risk register structure compliant with ISO 31000: mandatory columns, likelihood and impact scales, calculation of inherent and residual risk levels, treatment options and action plan status. IgeraIndustria generates templates tailored to the industrial sector.

Designing and calibrating the heat map

How to define heat map scales based on the organisation's context and risk appetite. Colour thresholds (green/yellow/orange/red), how to position risks and how to present the heat map to senior management.

Defining risk appetite and tolerance

Difference between risk appetite (the level the organisation deliberately accepts) and risk tolerance (acceptable variation around appetite). How to document appetite by category and communicate it to risk owners.

Treatment plans with follow-up

Treatment plan structure satisfying ISO 31000 clause 6.5.3: action description, treatment option, owner, deadline, estimated cost, expected residual risk after implementation and effectiveness verification KPI.

Integration with ISO 9001 / 14001 / 45001 / 27001

Mapping the risk requirements of each management system standard to the clauses of ISO 31000. How to build a single register serving all standards and a shared assessment process that avoids duplicating effort.

Risk reporting to senior management

Structure of the risk report for senior management: executive summary of the risk profile, top 10 critical risks, status of treatment plans, residual risk changes vs. the previous quarter and action recommendations.

The 4 key clauses of ISO 31000:2018

These clauses concentrate most of the practical questions in ISO 31000 implementations. IgeraIndustria explains each with the exact requirements, applicable methodologies and the most common mistakes in industrial companies.

6.3 — Establishing scope, context and criteria

The foundation of the risk process. The organisation must define the scope (which areas, processes or projects are included?), the external and internal context (factors that may influence risks) and the risk criteria (how likelihood and impact will be measured). Risk criteria are the foundation of the heat map: without well-defined criteria, risk assessment is subjective and inconsistent. IgeraIndustria explains how to calibrate criteria so that the matrix reflects the reality of the industrial sector.

6.4 — Risk assessment (identification, analysis and evaluation)

The core ISO 31000 process has three sub-phases: (1) Identification: what can happen, how and why (risk sources, events, causes and consequences). (2) Analysis: determining the likelihood and impact of each risk with existing controls to obtain the residual risk. (3) Evaluation: comparing the residual risk against the risk criteria to decide whether treatment is required. This sequence generates the risk register and feeds the heat map. Organisations that merge the three sub-phases produce inconsistent registers that auditors reject.

6.5 — Risk treatment

Once the risk has been evaluated, the organisation must select the most appropriate treatment option from the four established by the standard: avoid, mitigate, transfer or accept. The choice must be proportional to the risk level and the defined appetite. The treatment plan (6.5.3) documents the action, owner, deadline, cost and expected residual risk level after implementation. IgeraIndustria can explain which option is most suitable for each risk category and how to write treatment plans that pass an audit.

6.6 — Monitoring, review, recording and reporting

ISO 31000 requires the risk process to be continuous: risks change with context, controls may lose effectiveness and new risks emerge. Clause 6.6 establishes that the organisation must monitor risks and controls on an ongoing basis, review the register periodically, record the results of the process and report to senior management. Review frequency must be proportional to environmental dynamics: in high-volatility industrial sectors, quarterly review is standard practice.

How IgeraIndustria works for ISO 31000

Five steps from loading your risk management system to receiving an answer with the exact clause, applicable methodology and treatment recommendation.

01

Index your risk management documentation

Upload your risk register, risk policy, heat maps, treatment plans, risk committee minutes and monitoring reports. IgeraIndustria processes them together with the complete ISO 31000:2018 standard in under 24 hours.

02

Connect the assistant to your risk team

Embed it in the corporate portal, Teams, Slack or as a WhatsApp bot for the management team. One line of code. Compatible with any document management or GRC tool.

03

The risk manager asks in plain language

«How do I calculate the inherent risk of a critical supplier?», «What treatment options apply to a level-20 risk on my matrix?», «How often should I review the risk register according to ISO 31000?»

04

IgeraIndustria searches two knowledge layers

First in your internal documentation (risk register, treatment plans, monitoring reports), then in the indexed ISO 31000:2018 standard with all its clauses and risk management process requirements.

05

Answer with clause, methodology and action recommendation

The answer cites the applicable ISO 31000 clause, indicates the recommended methodology for the specific case (qualitative, semi-quantitative or quantitative), and provides a treatment recommendation based on the organisation's context.

IgeraIndustria in action — high-risk treatment (ISO 31000 cl. 6.5.2)

Query on the treatment of a high-likelihood, high-impact risk resolved in under 3 seconds with ISO 31000 options and a practical recommendation.

IgeraIndustria — Widget ISO 31000 Risk Management

Risk Manager

We have a critical supplier failure risk with likelihood 4 and impact 5 (level 20 on our 5x5 matrix). What treatment options does ISO 31000 establish and which do you recommend?

IgeraIndustria

ISO 31000:2018 — Clause 6.5.2 Selection of risk treatment options

A level-20/25 risk exceeds any standard appetite threshold. ISO 31000 establishes 4 options (cl. 6.5.2); at this level the valid ones are:

  • Mitigate: dual sourcing, penalty clauses in contracts, safety stock
  • Transfer: business interruption insurance, contractual SLAs with indemnification
  • Avoid: redesign the process to remove dependency on the supplier
  • Accept: NOT recommended — residual risk would exceed the defined appetite

⚠️ Document the chosen option in the treatment plan (cl. 6.5.3) with owner and deadline

✓ ISO 31000:2018 Clause 6.5.2 · Confidence: 99.4%

500

employees, manufacturing company

-40%

time spent on risk assessment

0

unanticipated incidents over 12 months

We had an 80-line risk register in Excel that nobody looked at between annual reviews. With IgeraIndustria, the risk team can instantly query which ISO 31000 clause applies to each decision, how to calibrate the heat map and which treatment options are appropriate for each risk level. We cut assessment time by 40% and have gone 12 months without a single incident that had not been identified and treated in the risk register.

Director of Operations and Risk

Manufacturing company — 500 employees — Vallès Occidental

*Representative testimonial based on results from real clients

Frequently asked questions — ISO 31000:2018

What is the difference between ISO 31000 and ISO 9001 clause 6.1?

ISO 9001:2015 clause 6.1 requires «risk-based thinking» applied to the quality management system: the organisation must identify risks that could affect product and service conformity and plan actions to address them, but does not require a formal framework or specific methodology. ISO 31000:2018, on the other hand, is a standard dedicated exclusively to risk management and provides the full principles, framework and process: from establishing the context through to communication and monitoring. ISO 31000 is the reference organisations use to give substance to the ISO 9001 clause 6.1 requirement, as well as the equivalent requirements in ISO 14001, ISO 45001 and ISO 27001. They are not certifiable in place of one another; they are complementary.

How do you build a risk register compliant with ISO 31000?

The risk register is the central document of the ISO 31000 process. According to the standard (clauses 6.4 and 6.5), each entry must include: (1) risk identification with a description of the event and its causes; (2) risk category (strategic, operational, financial, compliance, reputational); (3) likelihood of occurrence on a defined scale (e.g. 1–5 or percentage); (4) impact on a defined scale (1–5); (5) inherent risk level (likelihood × impact before controls); (6) existing controls; (7) residual risk level (after controls); (8) chosen treatment option (mitigate/transfer/accept/avoid); (9) treatment action with owner and deadline; (10) status. IgeraIndustria can generate the register structure and populate entries from the organisation’s context documents.

What is risk appetite and how is it defined?

Risk appetite is the level of risk the organisation is willing to accept in pursuit of its objectives (ISO 31000:2018, clause 6.3.1). It is not a single number: it is defined by risk category and organisational level. For example, a company may have zero appetite for occupational safety risks (any risk at level 3 or above requires immediate action) but a moderate appetite for commercial risks (it accepts level 3 risks if the expected return justifies it). Defining risk appetite is the responsibility of senior management (clause 5.4) and must be communicated throughout the organisation. It is typically expressed as thresholds on the heat map: red cells are risks that exceed appetite and require mandatory action.

How does the heat map work in ISO 31000?

The heat map is the most widely used visualisation tool for inherent or residual risk in ISO 31000 implementations. It is built with likelihood on one axis (typically 1–5, from rare to almost certain) and impact on the other (1–5, from negligible to catastrophic). The result (likelihood × impact) generates a score from 1 to 25, visualised with colours: green (1–4, low risk), yellow (5–9, moderate risk), orange (10–16, high risk), red (17–25, critical risk). The exact thresholds are defined by the organisation based on its risk appetite. ISO 31000 does not prescribe a specific matrix; the standard requires the methodology to be appropriate, proportional to the context and consistent. IgeraIndustria can explain how to calibrate the matrix according to the sector and size of the organisation.

What are the 4 risk treatment options according to ISO 31000?

ISO 31000:2018 clause 6.5.2 establishes four risk treatment options: (1) Avoid the risk: decide not to start or not to continue the activity that gives rise to the risk (e.g. not entering a market with excessive regulatory risk); (2) Take or increase the risk to pursue an opportunity (e.g. accept higher operational risk in exchange for higher margin); (3) Remove the risk source or reduce likelihood/impact through controls (mitigate): the most common option; (4) Share the risk: share it with another party through insurance, contracts or subcontracting arrangements. For risks that exceed the defined appetite, the valid options are avoid, mitigate or transfer; accept is only valid if the residual risk is within appetite. The choice must be documented in the treatment plan (6.5.3).

How does ISO 31000 integrate with ISO 27001, ISO 14001 and ISO 45001?

ISO 31000 is the horizontal risk management framework that serves as the methodological base for all management system standards that include risk requirements. ISO 27001:2022 (information security) requires a formal risk assessment and treatment process (clauses 6.1.2 and 6.1.3) aligned with ISO 31000. ISO 14001:2015 (environment) requires identification of environmental risks and opportunities (clause 6.1). ISO 45001:2018 (health and safety) requires identification of hazards and assessment of OH&S risks (clause 6.1.2). Practical integration involves using a single corporate risk register with categories per standard, a unified assessment process and a risk committee that consolidates risks across all disciplines. IgeraIndustria can query the requirements of each standard in a single question and map the overlaps.

IgeraIndustria ISO 31000 Plans

No lock-in. Cancel any time.

Starter

149/month

For industrial SMEs that need to implement or review their risk management system in accordance with ISO 31000 without spending weeks interpreting the standard.

  • ISO 31000:2018 pre-indexed
  • Queries by process clause
  • Risk register template
  • 1,000 queries/month
  • Widget for the risk manager
  • Email support
Start Starter
MOST POPULAR

Professional

299/month

For companies with an active risk management system, a risk committee and a need to integrate ISO 31000 with other management systems.

  • ISO 31000 + internal documentation indexed
  • Assisted risk register
  • Heat map calibrated to context
  • 5,000 queries/month
  • Integration ISO 9001 / 14001 / 45001
  • Priority support
Start Professional

Enterprise

599/month

For industrial groups with integrated corporate risk management, multiple sites and a need to report to governance bodies.

  • Multi-site and multi-standard
  • ISO 31000 + 27001 + 14001 + 45001 integrated
  • Executive risk reporting
  • Unlimited queries
  • SLA 99.9% uptime
  • Dedicated customer success
Contact sales

Manage risk in line with ISO 31000. Start today.

  • Free 14-day trial — no credit card required
  • Complete ISO 31000:2018 pre-indexed from day 1
  • Upload your risk register, risk policy and treatment plans
  • Heat map template calibrable to your organisation’s risk appetite
Start free trial