ISO 31000:2018
Risk Management Framework
AUDIT CHECKLIST & COMPLIANCE ASSESSMENT TOOL
Based on ISO 31000:2018 – Guidelines for Risk Management
SECTION 1: AUDIT DETAILS
Organization Name
Audit Date
Lead Auditor
Audit Team Members
Scope of Audit
Applicable Standard
ISO 31000:2018 – Risk Management Guidelines
Previous Audit Date
Overall Compliance Score
Audit Outcome
☐ Compliant ☐ Conditionally Compliant ☐ Non-Compliant
SECTION 2: PURPOSE & SCOPE OF THIS AUDIT
This audit checklist is designed to assess the design, implementation, and effectiveness of an organization's Risk Management Framework against the guidance of ISO 31000:2018. It evaluates conformance across all key clauses of the standard, from leadership commitment to continual improvement. Note that ISO 31000 is a guidelines standard, not a certifiable management-system standard: "compliance" in this checklist means conformance with its guidance as interpreted by the organization, not certification against auditable requirements.
Objectives of this audit:
Evaluate the completeness and appropriateness of the risk management framework.
Identify gaps, weaknesses, or areas of non-conformance with ISO 31000:2018.
Assess the degree of integration of risk management into organizational processes.
Provide a prioritized action plan for improvement.
Support continual improvement of the organization's risk culture and capability.
Audit Scope:
This checklist covers the full lifecycle of the ISO 31000:2018 risk management framework, including: organizational context, leadership commitment, risk identification, analysis, evaluation, treatment, monitoring, reporting, communication, and continual improvement.
SECTION 3: SCORING METHODOLOGY
Each checklist item should be rated using the following scoring guide. Objective evidence must be referenced to support each rating assigned.
Rating | Score | Interpretation & Required Action
Compliant (C) | 2 points | Requirement fully met with documented evidence
Partial (P) | 1 point | Requirement partially met; improvement plan required
Non-Compliant (NC) | 0 points | Requirement not met; immediate corrective action required
Not Applicable (N/A) | Excluded | Requirement does not apply; documented justification needed
Compliance % | Maturity Level | Interpretation
90–100% | Exemplary | Risk management framework is mature and highly effective
75–89% | Advanced | Strong framework; minor improvements recommended
60–74% | Developing | Framework in place; notable gaps requiring attention
40–59% | Basic | Significant gaps; structured improvement program required
Below 40% | Inadequate | Framework is deficient; urgent remediation needed
How to Calculate Overall Compliance Score:
Overall Score (%) = (Total Points Achieved / Maximum Possible Points) × 100. Maximum possible points = 2 × number of applicable items. Items marked N/A are excluded from both the numerator and the denominator, so an unjustified N/A inflates the score; every N/A must carry its justification before the score is computed.
SECTION 4: AUDIT CHECKLIST
Instructions: For each item, tick ONE column (Compliant, Partial, or Non-Compliant). Document supporting evidence, documents reviewed, observations, and any auditor notes in the Evidence / Auditor Notes column. Mark items as N/A only with documented justification.
Ref #
Audit Checklist Item
Compliant
Partial
Non-Compliant
Evidence / Auditor Notes
1. LEADERSHIP & ORGANIZATIONAL CONTEXT (Clause 5.2 & 5.4)
1.1
Has top management formally committed to and endorsed the risk management framework?
☐
☐
☐
1.2
Is there a documented risk management policy approved by senior leadership?
☐
☐
☐
1.3
Has the organization defined the scope and objectives of the risk management framework?
☐
☐
☐
1.4
Are roles, responsibilities, and authorities for risk management clearly defined and communicated?
☐
☐
☐
1.5
Does leadership allocate adequate resources (human, financial, technological) for risk management?
☐
☐
☐
1.6
Is accountability for risk ownership assigned at appropriate levels throughout the organization?
☐
☐
☐
1.7
Does the organization's culture support and encourage open risk reporting?
☐
☐
☐
1.8
Has leadership demonstrated visible commitment through active participation in risk reviews?
☐
☐
☐
1.9
Are risk management objectives aligned with overall strategic and business objectives?
☐
☐
☐
1.10
Is there a designated risk management function or champion with adequate authority?
☐
☐
☐
2. ESTABLISHING THE CONTEXT (Clause 6.3)
2.1
Has the organization defined the external context (regulatory, political, economic, social, technological environment)?
☐
☐
☐
2.2
Has the internal context been documented (governance, strategy, capabilities, culture, stakeholders)?
☐
☐
☐
2.3
Is a stakeholder analysis conducted to identify key risk-related stakeholders?
☐
☐
☐
2.4
Are stakeholder needs, expectations, and concerns incorporated into the risk management process?
☐
☐
☐
2.5
Are risk criteria established, including risk appetite and risk tolerance levels?
☐
☐
☐
2.6
Is the risk management scope clearly documented, including boundaries and interfaces?
☐
☐
☐
2.7
Are the context and risk criteria reviewed and updated when material changes occur?
☐
☐
☐
2.8
Is the relationship between external context factors and the organization's risk profile understood?
☐
☐
☐
2.9
Are legal, regulatory, and contractual obligations identified and factored into risk criteria?
☐
☐
☐
2.10
Has the organization identified key performance indicators (KPIs) relevant to risk management?
☐
☐
☐
3. RISK IDENTIFICATION (Clause 6.4.2)
3.1
Is a systematic and comprehensive risk identification process defined and documented?
☐
☐
☐
3.2
Are risk identification methods appropriate to the context (workshops, interviews, checklists, SWOT, etc.)?
☐
☐
☐
3.3
Are both internal and external risk sources identified (strategic, operational, financial, compliance, reputational)?
☐
☐
☐
3.4
Are emerging and future risks considered in the identification process?
☐
☐
☐
3.5
Are risks to objectives identified at all relevant organizational levels (strategic, tactical, operational)?
☐
☐
☐
3.6
Is a risk register maintained with sufficient detail (risk description, source, potential consequences)?
☐
☐
☐
3.7
Are positive risks (opportunities) identified alongside negative risks (threats)?
☐
☐
☐
3.8
Are interdependencies and cascading risks between risk areas considered?
☐
☐
☐
3.9
Are third-party and supply chain risks included in the identification process?
☐
☐
☐
3.10
Are relevant stakeholders involved in the risk identification process?
☐
☐
☐
3.11
Is the risk identification process repeated at defined intervals and triggered by significant changes?
☐
☐
☐
3.12
Are near-misses and incidents used as inputs to improve risk identification?
☐
☐
☐
4. RISK ANALYSIS (Clause 6.4.3)
4.1
Are risk analysis methodologies (qualitative, semi-quantitative, quantitative) appropriate and consistently applied?
☐
☐
☐
4.2
Are both likelihood and consequence assessed for each identified risk?
☐
☐
☐
4.3
Is a risk rating or scoring system documented and uniformly applied?
☐
☐
☐
4.4
Are existing controls considered when assessing the level of risk (inherent vs. residual risk)?
☐
☐
☐
4.5
Are uncertainty and assumptions in risk analysis documented and communicated?
☐
☐
☐
4.6
Is the effectiveness of existing controls evaluated as part of the analysis?
☐
☐
☐
4.7
Are risk interdependencies, correlations, and aggregation effects analyzed?
☐
☐
☐
4.8
Are worst-case, best-case, and most-likely scenarios considered in risk analysis?
☐
☐
☐
4.9
Is the risk analysis methodology validated and reviewed periodically?
☐
☐
☐
4.10
Are the results of risk analysis documented clearly in the risk register?
☐
☐
☐
5. RISK EVALUATION (Clause 6.4.4)
5.1
Are risks evaluated against established risk criteria and tolerance levels?
☐
☐
☐
5.2
Is a risk prioritization process in place to determine which risks require treatment?
☐
☐
☐
5.3
Are risks that exceed tolerance thresholds escalated to appropriate decision-makers?
☐
☐
☐
5.4
Does the evaluation process consider both the magnitude and the nature of the risk?
☐
☐
☐
5.5
Are risk evaluation results used to inform resource allocation and treatment priorities?
☐
☐
☐
5.6
Is the acceptability of residual risk formally approved by accountable management?
☐
☐
☐
5.7
Are the results of risk evaluation documented and linked to decision-making processes?
☐
☐
☐
5.8
Are trade-offs between risks and opportunities explicitly considered in evaluations?
☐
☐
☐
6. RISK TREATMENT (Clause 6.5)
6.1
Is a risk treatment process defined covering the selection of treatment options (e.g., avoiding the risk, removing the risk source, changing the likelihood or consequences, sharing the risk through contracts or insurance, retaining the risk by informed decision, or taking the risk to pursue an opportunity)?
☐
☐
☐
6.2
Are risk treatment plans developed with clear objectives, actions, owners, timelines, and resources?
☐
☐
☐
6.3
Are treatment options evaluated for effectiveness, feasibility, and cost-benefit?
☐
☐
☐
6.4
Are residual risks assessed after treatment and formally accepted by appropriate authority?
☐
☐
☐
6.5
Are risk treatment plans implemented and tracked to completion?
☐
☐
☐
6.6
Are risks that cannot be adequately treated escalated and documented?
☐
☐
☐
6.7
Are secondary risks introduced by treatment options identified and managed?
☐
☐
☐
6.8
Are treatment plans reviewed and updated to reflect changes in the risk environment?
☐
☐
☐
6.9
Is the risk treatment process integrated with business planning and project management processes?
☐
☐
☐
6.10
Are lessons learned from treatment implementation captured and shared?
☐
☐
☐
7. MONITORING & REVIEW (Clause 6.6)
7.1
Is a monitoring and review process formally defined with documented frequency and responsibilities?
☐
☐
☐
7.2
Are key risk indicators (KRIs) established and tracked for significant risks?
☐
☐
☐
7.3
Is the risk register reviewed regularly and updated as risks change?
☐
☐
☐
7.4
Are risk management processes monitored for effectiveness and adherence?
☐
☐
☐
7.5
Are risk treatment plan actions tracked and reported on a regular basis?
☐
☐
☐
7.6
Are management reviews of risk conducted at defined intervals (e.g., quarterly, annually)?
☐
☐
☐
7.7
Are internal audit or independent reviews of the risk management framework conducted?
☐
☐
☐
7.8
Are audit findings and recommendations formally tracked and resolved?
☐
☐
☐
7.9
Is performance of risk management reported to appropriate governance bodies (Board, Audit Committee)?
☐
☐
☐
7.10
Are emerging risks monitored through horizon-scanning or intelligence-gathering activities?
☐
☐
☐
8. RECORDING & REPORTING (Clause 6.7)
8.1
Are risk management processes and outcomes documented and records maintained?
☐
☐
☐
8.2
Is a risk reporting framework defined with audience-specific reporting (operational, executive, board)?
☐
☐
☐
8.3
Are risk reports produced on a regular and timely basis?
☐
☐
☐
8.4
Do risk reports include risk status, trends, significant changes, and treatment progress?
☐
☐
☐
8.5
Are risk records retained in accordance with legal and organizational requirements?
☐
☐
☐
8.6
Is the quality and accuracy of risk documentation reviewed periodically?
☐
☐
☐
8.7
Are risk disclosures in external reports (annual reports, regulatory filings) aligned with the risk register?
☐
☐
☐
8.8
Are confidentiality and data protection requirements applied to sensitive risk information?
☐
☐
☐
9. COMMUNICATION & CONSULTATION (Clause 6.2)
9.1
Is a communication and consultation plan for risk management developed and maintained?
☐
☐
☐
9.2
Are stakeholders consulted throughout the risk management process (identification, analysis, treatment)?
☐
☐
☐
9.3
Is risk-related information communicated to relevant internal stakeholders in a timely manner?
☐
☐
☐
9.4
Are external stakeholders (regulators, suppliers, partners) engaged in risk communication as appropriate?
☐
☐
☐
9.5
Are communication channels defined for escalating urgent or high-impact risks?
☐
☐
☐
9.6
Is a mechanism in place for employees to report risks and near-misses confidentially?
☐
☐
☐
9.7
Are risk management decisions and rationale communicated transparently to affected parties?
☐
☐
☐
9.8
Is feedback from stakeholders incorporated into improvements to the risk management framework?
☐
☐
☐
10. INTEGRATION INTO ORGANIZATIONAL PROCESSES (Clause 5.3)
10.1
Is risk management integrated into strategic planning and business planning cycles?
☐
☐
☐
10.2
Are risk considerations embedded in project management methodologies?
☐
☐
☐
10.3
Is risk management linked to performance management and KPI frameworks?
☐
☐
☐
10.4
Are change management processes supported by risk assessments?
☐
☐
☐
10.5
Is risk management integrated into procurement, contracting, and supplier management?
☐
☐
☐
10.6
Are risk management requirements included in job descriptions and performance appraisals?
☐
☐
☐
10.7
Is risk management considered in business continuity and crisis management planning?
☐
☐
☐
10.8
Are risk management practices integrated into compliance and internal control frameworks?
☐
☐
☐
10.9
Is risk management factored into capital allocation and investment decision-making?
☐
☐
☐
10.10
Are risk management tools and systems integrated with core business systems (ERP, GRC platforms)?
☐
☐
☐
11. TRAINING, COMPETENCE & AWARENESS (Clause 5.4.4)
11.1
Are training needs for risk management identified across all relevant roles and levels?
☐
☐
☐
11.2
Is a risk management training program developed and delivered regularly?
☐
☐
☐
11.3
Are staff competencies in risk management assessed and tracked?
☐
☐
☐
11.4
Is awareness of the risk management framework promoted throughout the organization?
☐
☐
☐
11.5
Are risk owners and practitioners provided with specialized risk management training?
☐
☐
☐
11.6
Is onboarding training for new employees inclusive of risk management responsibilities?
☐
☐
☐
11.7
Are training records maintained and completion rates monitored?
☐
☐
☐
11.8
Are external training resources, certifications, or professional memberships supported?
☐
☐
☐
12. CONTINUAL IMPROVEMENT (Clause 5.7)
12.1
Is there a process for continual improvement of the risk management framework?
☐
☐
☐
12.2
Are lessons learned from risk events, near-misses, and audits captured and acted upon?
☐
☐
☐
12.3
Are best practices benchmarked against industry standards and peer organizations?
☐
☐
☐
12.4
Is the risk management framework reviewed following significant organizational changes or events?
☐
☐
☐
12.5
Are maturity assessments of the risk management framework conducted periodically?
☐
☐
☐
12.6
Is feedback from risk owners and stakeholders used to improve the framework?
☐
☐
☐
12.7
Are improvements to the framework formally approved, documented, and communicated?
☐
☐
☐
12.8
Is progress towards a mature risk culture tracked over time?
☐
☐
☐
SECTION 5: CORRECTIVE ACTION PLAN
List all findings rated as Partial or Non-Compliant. Assign priority (H=High, M=Medium, L=Low), a responsible owner, and a realistic target completion date. High-priority items should be addressed within 30 days; Medium within 90 days; Low within 180 days.
Ref #
Finding / Gap
Recommended Action
Priority (H/M/L)
Responsible Owner
Target Completion Date
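A scoring helper covering the Section 3 methodology and the Section 5 remediation windows, added here as an example and not part of the checklist itself. It computes the compliance percentage with N/A items excluded from both numerator and denominator, refuses unjustified N/A ratings and the all-N/A case (where the score is undefined), maps the score to the maturity band, and derives target completion dates from the audit date and the auditor-assigned H/M/L priority. The item references, ratings, audit date and priorities below are constructed sample input; the function and class names are hypothetical.

```python
"""Scoring and corrective-action helper for the ISO 31000:2018 checklist (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Section 3 scoring guide. N/A carries no points and is excluded from the denominator.
POINTS = {"C": 2, "P": 1, "NC": 0}
MAX_POINTS_PER_ITEM = 2

# Section 3 maturity bands: (inclusive lower bound in %, level), highest first.
MATURITY_BANDS = [
    (90, "Exemplary"),
    (75, "Advanced"),
    (60, "Developing"),
    (40, "Basic"),
    (0, "Inadequate"),
]

# Section 5 remediation windows, in days from the audit date.
PRIORITY_DAYS = {"H": 30, "M": 90, "L": 180}


@dataclass
class Item:
    ref: str              # checklist reference, e.g. "1.3"
    rating: str           # "C", "P", "NC" or "NA"
    justification: str = ""   # mandatory when rating == "NA"


def validate(items):
    """Reject unknown ratings and N/A ratings without documented justification."""
    for item in items:
        if item.rating == "NA":
            if not item.justification.strip():
                raise ValueError(f"{item.ref}: N/A requires documented justification")
        elif item.rating not in POINTS:
            raise ValueError(f"{item.ref}: unknown rating {item.rating!r}")


def compliance_score(items):
    """Overall Score (%) = achieved / (2 x applicable items) x 100, rounded to 0.1."""
    validate(items)
    applicable = [i for i in items if i.rating != "NA"]
    if not applicable:
        raise ValueError("no applicable items; compliance score is undefined")
    achieved = sum(POINTS[i.rating] for i in applicable)
    maximum = MAX_POINTS_PER_ITEM * len(applicable)
    return round(100 * achieved / maximum, 1)


def maturity_level(score):
    """Map a percentage score to the Section 3 maturity band."""
    for lower, level in MATURITY_BANDS:
        if score >= lower:
            return level
    raise ValueError(f"score out of range: {score}")


def corrective_actions(items, audit_date, priorities):
    """Build the Section 5 action list: every P or NC item with its target date.

    priorities maps ref -> "H"/"M"/"L" as assigned by the auditor; a missing
    entry is an error rather than a silently unprioritised finding.
    """
    actions = []
    for item in items:
        if item.rating not in ("P", "NC"):
            continue
        if item.ref not in priorities:
            raise ValueError(f"{item.ref}: finding has no assigned priority")
        prio = priorities[item.ref]
        actions.append({
            "ref": item.ref,
            "rating": item.rating,
            "priority": prio,
            "target": audit_date + timedelta(days=PRIORITY_DAYS[prio]),
        })
    return actions


# Constructed sample input (hypothetical ratings, not real audit results).
SAMPLE_ITEMS = [
    Item("1.1", "C"),
    Item("1.2", "C"),
    Item("1.3", "P"),
    Item("1.4", "NC"),
    Item("1.5", "NA", "Single-site entity; no separate resourcing decision exists"),
    Item("2.1", "C"),
    Item("2.2", "P"),
    Item("2.3", "C"),
]
SAMPLE_AUDIT_DATE = date(2024, 1, 15)
SAMPLE_PRIORITIES = {"1.3": "M", "1.4": "H", "2.2": "L"}


def sample_report():
    """Score, maturity band and action list for the constructed sample."""
    score = compliance_score(SAMPLE_ITEMS)
    return {
        "score": score,
        "maturity": maturity_level(score),
        "actions": corrective_actions(SAMPLE_ITEMS, SAMPLE_AUDIT_DATE, SAMPLE_PRIORITIES),
    }


if __name__ == "__main__":
    report = sample_report()
    print(f"Compliance: {report['score']}% ({report['maturity']})")
    for a in report["actions"]:
        print(f"  {a['ref']} {a['rating']:>2} priority {a['priority']} due {a['target']}")
```

With seven applicable items and ten points achieved the sample scores 71.4%, which lands in the Developing band; the three Partial or Non-Compliant findings receive target dates 30, 90 and 180 days after the audit date according to their priority.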
SECTION 6: AUDITOR SIGN-OFF & DECLARATIONS
The following parties confirm that this audit was conducted in accordance with the defined scope and that the findings are an accurate representation of the evidence reviewed.
Role
Name (Print)
Signature
Date
Lead Auditor
Supporting Auditor
Risk Management Owner
Senior Management Representative
SECTION 7: DOCUMENT CONTROL
Version
Date
Author
Reviewed By
Change Summary
1.0
Initial Release
This document is the property of the Internal Audit / Risk Management Function. It is classified as CONFIDENTIAL and should not be distributed externally without prior written authorization.
