ISO 31000:2018 is the international reference standard for structuring risk management in any organization, regardless of sector or size. It is not certifiable at the organizational level and does not prescribe a single operational method: it provides principles, a framework, and a process to be articulated with the sectoral and regulatory obligations that apply to you. That is precisely what makes it useful: it provides the common grammar that each specialized standard, each regulator, and each sectoral framework then adapts to its own domain. For Swiss organizations, this grammar now intersects a dense regulatory layer: FINMA Circular 2023/01, the Information Security Act (ISA), the revised Federal Act on Data Protection (revFADP) and, through European extraterritoriality, DORA and the EU AI Act. ISO 31000 does not replace any of these obligations; it helps you address them consistently. This article explains the six-element process, the eight principles, and the seven treatment options, and shows how these building blocks slot into the Swiss and European obligations that your clients and auditors reference.
TL;DR in 30 seconds
The ISO 31000:2018 process has 6 elements: scope, context and criteria; risk assessment (identification, analysis, evaluation); treatment; monitoring and review; recording and reporting; all surrounded by continuous communication and consultation. Seven treatment options are provided, from avoidance to retention by informed decision. For a Swiss bank or insurer, this process slots in with FINMA Circular 2023/01 (in force since January 2024); for information security, with ISO/IEC 27005; for data protection, with revFADP (in force since September 2023); for financial services exposed to the EU, with DORA (since 17 January 2025); and for high-risk AI systems on the EU market, with the EU AI Act, whose core obligations apply from 2 August 2026.
ISO 31000:2018 — definition
Risk management guidelines. International standard published by ISO in February 2018, replacing the 2009 edition. It provides generic principles and guidelines for managing any form of risk in any organization. It is not a certifiable management system standard in the sense of ISO/IEC 27001 or ISO 22301; it is designed to serve as an umbrella framework, integrable into any activity, decision, or process. Source: ISO 31000:2018, articles 1 and 2.
What is the difference between framework, principles, and process in ISO 31000?
ISO 31000 is organized in three layers that must be kept distinct, so that you do not mix up conversations during an engagement.
- The 8 principles (article 4): the philosophy. They answer the question 'what does good risk management look like?'. They serve as arbitration criteria for design decisions (what to put in the framework, which techniques to favor, how to size the effort).
- The framework (article 5): the infrastructure. How the organization organizes itself to keep risk management alive day to day. Leadership and commitment at the center, surrounded by the design, implementation, evaluation, and improvement cycle.
- The process (article 6): the mechanics. The operational steps you run to treat a risk or a portfolio of risks. It is the most visible layer in deliverables and the least understood when it is disconnected from the other two.
An organization that focuses only on the process produces an aesthetically pleasing risk register disconnected from strategy. An organization that focuses only on the framework builds an inert risk function. The three layers feed each other: principles guide the framework, the framework keeps the process alive, the process produces the evidence that validates the framework, which in turn confirms or revises the principles applied.
The 8 ISO 31000 principles and what they really mean
Article 4 lists eight principles. Read literally, they look like a list of pleasant adjectives. Read in the field, they serve as arbitration criteria when the program drifts off course.
The 8 ISO 31000:2018 principles and their field application
(Table: one row per principle, 1 to 8, with its field application.)
If three principles are to be singled out so you don't lose your way, they are principles 1, 3, and 7: integrated, customized, and human and cultural factors. A program that gets these right tends to carry the rest. A program that misses them ticks the others on the surface with no real result.
The ISO 31000 framework: leadership at the centre, PDCA cycle around it
Article 5 describes the framework. The major shift in the 2018 edition, compared to 2009, is having placed leadership and commitment at the center. This is not a visual detail: it is the recognition that without an executive sponsor, no risk framework survives the budgetary trade-offs of its second year.
Diagram of the ISO 31000 framework showing leadership and commitment at the centre, surrounded by the cycle of integration, design, implementation, evaluation, improvement.
Design covers understanding of the internal and external context, articulation of management commitment, allocation of responsibilities, allocation of resources, and definition of communication and consultation channels. Implementation deploys these choices. Evaluation measures their performance. Improvement is what turns it into a living system rather than an annual exercise. As in any PDCA-inspired standard, evaluation is what causes the most trouble in practice: organizations know how to design and implement; far fewer know how to measure whether their risk framework actually produces better decisions.
The ISO 31000 process step-by-step (article 6)
The ISO 31000:2018 risk management process has six elements, two of which are continuous and cut across all the others. This is the core of the standard, and it is also where most programs derail in the field, by confusing sequential steps with cross-cutting ones.
Diagram of the ISO 31000:2018 process showing the six elements: scope, context and criteria; risk assessment (identification, analysis, evaluation); treatment; monitoring and review; recording and reporting; with communication and consultation as a top cross-cutting band.
Scope, context and criteria (article 6.3)
This is the step most often rushed through and the most structurally important. The organization defines the perimeter covered; the internal context (governance, resources, culture, and internal stakeholders); the external context (legal and regulatory framework, external stakeholders, market, and economic environment); and the risk criteria: what triggers attention, what is tolerable and what is not. For Swiss banks, the external context explicitly includes FINMA Circular 2023/01 and its requirements on tolerance for disruption for critical functions. For controllers of personal data processing, revFADP enters the criteria (risks to the personality and fundamental rights of data subjects).
The most expensive mistake at this step
Without risk criteria explicitly articulated with the organisation's risk appetite, tolerance and capacity, the register fills up but no decision actually references it. This is the number one failure I encounter when I audit an organisation mid-way through an adjacent certification.
Risk identification (article 6.4.2)
Identify the risks that could prevent, delay, or impair the achievement of objectives. Several techniques are combined to avoid replicating blind spots: structured brainstorming, semi-structured interviews, scenario analysis, document review (past incidents, audits, and penetration testing reports), and external peer review. The standard insists that this step cannot be outsourced to a tool; it requires mature judgement and fine-grained knowledge of the business context.
Risk analysis (article 6.4.3)
Assess the likelihood and consequences of each risk, qualitatively, semi-quantitatively, or quantitatively. ISO 31000 does not prescribe any specific technique and explicitly accepts all three approaches; its companion standard ISO/IEC 31010:2019 catalogues more than 40 assessment techniques (FMEA, HAZOP, bow-tie, Monte Carlo, Delphi, event and fault trees, Bayesian analysis, FAIR for cyber, etc.). The choice of technique depends on organizational maturity, materiality of the risk, and the decision context. Beyond a certain materiality threshold facing a supervisor or executive committee, a qualitative-only heat map becomes hard to defend: it needs to be complemented by traceable probabilistic estimates, or replaced by a semi-quantitative or quantitative technique. This is not a requirement of the standard; it is a requirement of defensibility before the stakeholder making the decision.
Risk evaluation (article 6.4.4)
Compare the resulting level of risk against the criteria defined at the context step, and decide which risks go to treatment, which are retained as is, and which require further investigation. This step produces the explicit prioritization that management must validate. Without traceable validation at this point, the downstream treatment plan loses its legitimacy.
Risk treatment (article 6.5): the 7 options
Article 6.5.2 of ISO 31000:2018 lists seven treatment options. They are not mutually exclusive: a material risk is often treated through a combination of two or three options.
The 7 risk treatment options under ISO 31000:2018 (art. 6.5.2)
(Table: options 1 to 7, from avoidance to retention by informed decision.)
The acceptance trap
Option number 7 (retain by informed decision) does not mean 'do nothing'. It is an active decision, documented, carried at the right level of accountability, and reviewed periodically. A risk accepted without traceability or scheduled review is the risk an auditor flags as a finding first.
Monitoring and review (article 6.6, continuous)
A cross-cutting activity that continuously verifies that the criteria remain valid, that risks have not mutated, and that measures produce the expected effects. The cadence varies with materiality: monthly or quarterly reviews for material risks, semi-annual for secondary risks, plus any event-driven review triggered by an incident, a context change (new regulator, merger, or scope shift), or a management review.
Recording and reporting (article 6.7)
Trace decisions, assumptions, information sources, and trade-offs. Reporting must feed decision-making at the different levels: operational, tactical, and strategic. Beyond a certain volume, a spreadsheet-based risk register reaches its limits in terms of versioning, multi-user traceability, and linkage to controls. Several options exist at that point: evolve the spreadsheet's governance, move to a generalist GRC tool, or rely on a multi-framework platform such as acunagrc.ai which natively integrates the link between risks, controls, and regulatory obligations. Spreadsheet or platform, the underlying issue is the same: that an auditor or a new joiner can reconstruct the chain of decisions six months later.
Which assessment technique should you choose? ISO 31010 in practice
ISO 31000 says what to do for analysis; ISO/IEC 31010:2019 says how to tool it. The companion standard catalogues and describes more than 40 assessment techniques. The choice depends on three factors: organizational maturity (ability to produce and exploit data), the risk's materiality (the bigger the stake, the more quantitative defensibility matters), and the nature of the risk (cyber, operational, project, compliance, and environmental risks do not call for the same tools).
Risk assessment techniques catalogued by ISO/IEC 31010:2019 (selection)
- Structured brainstorming
- FMEA
- HAZOP
- Bow-tie
- Monte Carlo
- Delphi
- FAIR
- Event tree / fault tree
The practitioner rule I give in training: for material risks facing a supervisor or executive committee, the 5x5 heat map is no longer enough on its own. From that point, either feed the heat map with precise and traceable probabilistic estimates, or move to a semi-quantitative or quantitative technique. The choice is not a sign of sophistication; it is a requirement of defensibility before the people who decide.
ISO 31000, ISO 27005, COSO ERM, and ISO 31022: Which framework, when?
These four frameworks come up regularly, often confused. Here is the practitioner reading, the way I explain it to teams in the field.
ISO 31000 vs ISO/IEC 27005 vs COSO ERM 2017 vs ISO 31022:2020
(Table comparing the four frameworks on five criteria: scope, certifiable, target audience, relation to the others, use case.)
In practice, ISO 31000 is rarely alone in a mature organization. It serves as the common backbone. ISO 27005 plugs in for information security, COSO ERM for board-level reading, and ISO 31022 for legal risk. For organizations under dual oversight (US group and European entity), explicitly articulating ISO 31000 and COSO ERM in the framework documentation avoids sterile arbitration between local internal audit and the group.
The ISO 31000 — ISO 27005 link, explained
ISO 27005 is what ISO 27001 borrowed from ISO 31000 and specialised for information security risk. For CISOs piloting an ISO 27001 certification: mastering the ISO 31000 grammar saves six months of methodological discussion with the auditor.
ISO 31000 in the Swiss regulatory context
This is the layer that has changed the conversation for Swiss organizations since 2024. Several regulatory frameworks have been added or clarified, and they all intersect the ISO 31000 trunk.
FINMA Circular 2023/01: operational risks and resilience for banks
In force since 1 January 2024, FINMA Circular 2023/01 replaces 2008/21 and reformulates the supervisor's expectations on operational risk governance, ICT risk, cyber risk, BCM, third-party risk, and operational resilience (with a transition period extending through 2025-2026 for full implementation of the resilience requirements). Source: FINMA circulars documentation. For a bank that already structures its risk approach on ISO 31000, 23/01 does not change the architecture; it adds specific requirements: identification of critical functions, documented tolerance for disruption, severe but plausible scenarios, structured ICT governance, and mapping of the ICT supplier chain.
ISA (Information Security Act) and the cyber notification obligation
The Information Security Act (ISA) introduces, for operators of critical infrastructure (and federal authorities), an obligation to notify cyber incidents to the National Cyber Security Centre (NCSC, ncsc.admin.ch). According to the NCSC's official communication, the obligation entered into force on 1 April 2025, with a 24-hour notification deadline from incident discovery and a six-month transitional period during which no sanctions apply (sanctions become effective from 1 October 2025). Concretely, what this law adds to your ISO 31000 program: a notification criterion in the incident management processes, a communication and consultation clause (ISO 31000 article 6.2) with the NCSC, and a recording and reporting setup (article 6.7) capable of producing notifications within the deadlines. The precise modalities (scope, sanctions) are defined by the federal information security texts available via Fedlex.
revFADP: data protection and impact assessment
The revised Federal Act on Data Protection has been in force since 1 September 2023. Three main requirements articulate with ISO 31000: a data protection impact assessment (DPIA, Art. 22) when processing presents a high risk; the register of processing activities; and breach notification to the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch). An organization that structures its risk program on ISO 31000 must add a data protection-specific specialization with its own criteria (risks to the personality and fundamental rights of the data subjects). The DPIA is not a by-product of the risk register: it is an identified, documented deliverable kept on file internally. Depending on the result of the assessment and the nature of the processing, it may lead to prior consultation with the FDPIC in the cases provided for by law and its application guides.
EU extraterritoriality: DORA and the EU AI Act
Two European regulations directly affect Swiss organizations operating in the EU or placing products on the EU market.
DORA (Regulation (EU) 2022/2554, EUR-Lex) applies to financial entities and their ICT providers from 17 January 2025. Five pillars: ICT risk governance, incident management, resilience testing, ICT third-party risk management, and information sharing. For a Swiss organization exposed to the EU, DORA and FINMA 23/01 share a common operational resilience and ICT third-party risk management logic; the two frameworks remain legally distinct, and a single control does not automatically cover the requirements of the other. On third-party risk (ICT subcontractors, personal data, and NIS 2 supply chain), a dedicated platform such as Supplier Shield operationalizes the continuous evaluation that goes beyond a one-off due diligence at contract signing.
The EU AI Act (Regulation (EU) 2024/1689, EUR-Lex) follows a staggered calendar: entry into force on 1 August 2024, prohibited practices and AI literacy applicable from 2 February 2025, GPAI models and governance from 2 August 2025, and core obligations on high-risk AI systems from 2 August 2026. Certain sectoral obligations applicable to high-risk AI systems embedded in products covered by other EU regulations (Annex I) follow a different timeline, with a phased application running through to 2 August 2027. For Swiss organizations placing an AI system on the EU market, the regulation requires, among other things, a risk management system specific to high-risk AI systems. ISO/IEC 42001 (published end-2023) provides the AI management system that plugs onto the ISO 31000 trunk and saves time on the compliance path.
Applicability test to document
A Swiss organisation that is non-financial and not placing products on the EU market can disregard DORA and the EU AI Act, but must address ISA and revFADP and, if it is a bank or insurer, FINMA 23/01. Explicitly mapping the regulatory perimeter applicable to your activity should appear in the context step of the ISO 31000 process (article 6.3). This is where legal and risk functions need to work together.
The three failure patterns I see most often in the field
After thirty years of implementation and audit, three traps come back regardless of sector or size.
1. The risk register as compliance theatre
The register exists, it is filled in, it is validated, and it is nicely color-coded. But no operational decision references it. The objective symptom: the ExCo does not consult it before arbitrating a major investment, an organizational change, or entry into a new market. The root cause is almost always the absence of risk criteria articulated with appetite (article 6.3.4). The fix: reformulate the criteria so that they trigger concrete decisions (automatic escalation, investment block, board validation), not just ratings.
2. The risk function isolated from strategy
The CRO or risk manager reports to the CFO hierarchically, and risk only appears on the board agenda under the audit rubric. Principle number 1 (integrated) is dead on arrival. The structural fix: embed the register review in the annual and quarterly strategic cycle, and reconfigure the risk committee mandate so that it presents trade-offs directly to the board, not via the audit committee.
3. The heat map as religion
The 5x5 matrix is used everywhere, including where it is indefensible before a supervisor. A cyber risk whose potential impact exceeds the organization's absolute capacity cannot be assessed on a 1-5 ordinal scale. It calls for a quantitative model (Monte Carlo, FAIR for cyber, or a traceable semi-quantitative approach). Beyond a certain materiality threshold, this is no longer an option; it is a requirement of regulatory defensibility and strategic credibility.
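To make the heat map limitation concrete, and to illustrate the traceable probabilistic estimate called for in the analysis and technique sections above, here is an added example that is not from the article or from Abilene: a simplified FAIR-style frequency-times-magnitude Monte Carlo of a cyber risk, compared against constructed appetite, tolerance and capacity thresholds, next to the same losses scored on an assumed 1-5 ordinal impact band. All monetary values, band edges and distribution parameters are constructed for the illustration.

```python
"""Quantitative loss simulation versus the 5x5 heat map (constructed example)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCriteria:
    """Monetary thresholds (constructed) that make the register decidable (art. 6.3)."""
    appetite: float   # expected annual loss the organization is willing to carry
    tolerance: float  # expected annual loss above which treatment becomes mandatory
    capacity: float   # absolute loss beyond which the organization cannot survive


def ordinal_impact(loss: float, capacity: float) -> int:
    """Assumed 5x5 heat-map impact band (1..5) as fractions of capacity.

    Every loss at or above 20% of capacity lands in band 5, so a loss equal
    to capacity and a loss ten times capacity become indistinguishable.
    """
    edges = [0.001, 0.01, 0.05, 0.20]  # constructed band edges
    return 1 + sum(loss >= e * capacity for e in edges)


def simulate_annual_losses(freq_per_year, median_loss, sigma, years=20000, seed=2024):
    """Compound Poisson (event count) x lognormal (loss per event), one value per year."""
    rng = random.Random(seed)  # fixed seed: results are reproducible and traceable
    mu = math.log(median_loss)
    losses = []
    for _ in range(years):
        # Poisson event count via Knuth's multiplication method (fine for small lambda)
        events, threshold, p = 0, math.exp(-freq_per_year), 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            events += 1
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def assess(losses, criteria: RiskCriteria):
    """Reduce the simulated distribution to the figures a decision-maker needs."""
    ordered = sorted(losses)
    n = len(ordered)
    ale = sum(ordered) / n                      # annualized loss expectation
    p95 = ordered[int(0.95 * n) - 1]            # 95th percentile of annual loss
    p_ruin = sum(x > criteria.capacity for x in ordered) / n
    # Decision rule tied to the criteria, not to a colour: a >1% chance per year of
    # exceeding capacity, or an ALE above tolerance, forces treatment (art. 6.5).
    if p_ruin > 0.01 or ale > criteria.tolerance:
        decision = "treat"
    elif ale > criteria.appetite:
        decision = "treat or retain by informed decision at executive level"
    else:
        decision = "retain by informed decision"
    return {"ale": ale, "p95": p95, "p_exceeds_capacity": p_ruin, "decision": decision}


# Constructed scenario: ransomware on a core system, 0.4 events/year,
# median loss 1.5M, heavy tail (sigma 1.2), capacity 10M.
EXAMPLE_CRITERIA = RiskCriteria(appetite=500_000, tolerance=2_000_000, capacity=10_000_000)


def run_example():
    return assess(simulate_annual_losses(0.4, 1_500_000, 1.2), EXAMPLE_CRITERIA)


if __name__ == "__main__":
    result = run_example()
    print({k: (round(v) if isinstance(v, float) and v > 1 else v) for k, v in result.items()})
    for loss in (1_500_000, 10_000_000, 100_000_000):
        print(f"loss {loss:>12,}: heat-map band {ordinal_impact(loss, EXAMPLE_CRITERIA.capacity)}")
```

With these parameters the analytic ALE is 0.4 x 1.5M x exp(1.2^2 / 2), about 1.23M, and roughly 2 to 3 years in 100 exceed capacity, which is what the ordinal band 5 hides.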
The fix: moving from grammar to practice
If you recognise one of the three, this is not a personal failure; it is a normal stage in the maturity of a programme. The work of accompaniment between initial training and the second year is typically the grey zone where operational external assistance, for example through Abilene Advisors, the GRC consulting arm of the Abilene group, makes the difference between an auditable framework and a living one. Training builds the grammar; operations need hands.
Comparison table of the three PECB ISO 31000 levels (Foundation, Risk Manager, Lead Risk Manager) with audience, training format, and exam details. Each level links directly to the corresponding Abilene Academy training page.
On the consulting side: Abilene Advisors, the GRC consulting arm of the Abilene group, supports Swiss organisations on the operational implementation of risk programmes (ISO 31000, ISO 27005, FINMA 23/01, DORA, revFADP). Website: abileneadvisors.ch.
How to get trained on ISO 31000? The PECB Risk Manager track
Certification does not apply to the organization; it applies to practitioners. The most internationally recognized individual certification scheme is the one run by the Professional Evaluation and Certification Board (PECB), structured in three levels.
For exact conditions (precise exam durations, minimum score, number of questions in the active version, experience requirements for the senior certification, and fees), the PECB candidate portal is authoritative: these parameters evolve and the official version prevails over any external summary.
Training at Abilene Academy is delivered in English, French, and Spanish, in person in Morges or Geneva, in a virtual classroom, in eLearning, or self-paced. Abilene Academy is the only PECB Titanium Partner in Switzerland (the highest PECB distinction), with a 99% pass rate on PECB exams, more than 2,500 professionals trained in 120 countries, and a coaching approach delivered by practitioner trainers, including myself, on the ISO 31000 track and business continuity.
Get trained at Abilene Academy
ISO 31000 Risk Manager (3 days) or ISO 31000 Lead Risk Manager (5 days), next sessions in Morges, Geneva and in virtual classroom. Custom intra-company quotes available. Contact: request@abileneacademy.ch / +41 21 802 35 54.
The trainer's perspective: the standard structures, judgement decides.
Henri Haenni — Senior Trainer, Abilene Academy, 30+ years in GRC, former lecturer at Sorbonne Paris I, DRI CBCP, PECB ISO 31000 Lead Risk Manager, ISO 22301 Lead Implementer, ISO/IEC 27001 Lead Implementer
ISO 31000:2018 does not tell you whether you should accept or treat a risk. It tells you how to frame the question, how to inform the trade-off, and how to trace the decision. Professional judgement remains entirely on your side. That is what makes this profession exciting: the standard structures, but you decide. The best Risk Managers I have trained understood this early. They use the framework as an instrument, not as an alibi. And when they sit before the board or the auditor, they know precisely where the standard ends and where their recommendation begins.
Sources and references
- ISO 31000:2018 — Risk management — Guidelines (ISO catalogue, official)
- ISO/IEC 31010:2019 — Risk management — Risk assessment techniques (ISO catalogue, official)
- ISO/IEC 42001:2023 — AI management systems — Requirements (ISO catalogue, official)
- FINMA — Circulars (Swiss Financial Market Supervisory Authority)
- Fedlex — federal legal publications portal (Swiss Confederation, ISA, revFADP)
- FDPIC — Federal Data Protection and Information Commissioner (Swiss authority, revFADP guidance)
- NCSC — National Cyber Security Centre (Swiss authority, ISA cyber notifications)
- Regulation (EU) 2022/2554 — DORA (EUR-Lex, official text)
- Regulation (EU) 2024/1689 — EU AI Act (EUR-Lex, official text)
- Directive (EU) 2022/2555 — NIS 2 (EUR-Lex, official text)
- PECB — ISO 31000 certifications (official certification portal)
- COSO — Enterprise Risk Management 2017 (governance framework)
Go further
Related Abilene Academy training: ISO 31000 Risk Manager · ISO 31000 Lead Risk Manager · ISO/IEC 27005 Risk Manager · EBIOS Risk Manager.
Related articles: DORA — the complete compliance guide for financial institutions · EU AI Act — the complete compliance guide · EBIOS Risk Manager — method and PECB certification · ISO 27001 certification training in Switzerland — the complete guide · ISO 27001 for Swiss FinTechs — the FINMA reality guide · ISO 42001 — the executive playbook for AI governance.