Two of the most referenced frameworks in enterprise risk management — ISO 31000 and the FERMA/RIMS Risk Management Standard — approach risk governance from fundamentally different angles. One is an internationally developed guideline adopted across 81 countries. The other is a European‑crafted practitioner standard shaped by risk professionals for risk professionals. Choosing between them, or choosing to use both, has real consequences for how your organization identifies, assesses, and responds to risk.
This guide cuts through the abstract differences and gives you the specifics: where these frameworks diverge structurally, where they overlap, and which questions to ask before committing to either.
What ISO 31000 Actually Is
ISO 31000:2018 is an international standard published by the International Organization for Standardization (ISO), developed through ISO Technical Committee ISO/TC 262 with input from 81 participating countries. It is not a certifiable standard — there is no ISO 31000 audit or certificate. Instead, it provides principles, a framework, and a process for managing risk across any organization, in any industry, at any scale.
The standard defines risk as “the effect of uncertainty on objectives,” a deliberately neutral definition that encompasses both threats and opportunities. This broad framing is intentional: ISO 31000 is designed to be applicable whether you run a hospital in Nairobi, a manufacturer in Stuttgart, or a fintech in Singapore.
ISO 31000:2018 succeeded the 2009 version and introduced several refinements. The structure was simplified, the emphasis on leadership and organizational culture was strengthened, and the guidance moved further away from prescriptive steps toward principle‑based advice — telling organizations what to aim for, not how to do it step by step.
At the time of writing (April 2026), ISO 31000 is in the revision stage (90.92 — To be revised), meaning a new edition is under development. Organizations already invested in the 2018 version should monitor ISO’s progress and plan for an eventual transition.
What FERMA's Standard Actually Is
FERMA — the Federation of European Risk Management Associations — represents the professional interests of risk managers across Europe. In collaboration with AIRMIC (UK), ALARM (UK), and IRM (UK), FERMA produced the FERMA/RIMS Risk Management Standard, first published in 2002 and subsequently updated to reflect evolving practice.
This standard was built by practitioners, for practitioners. Where ISO 31000 originates from a standards body with international balance‑of‑participants considerations, the FERMA/RIMS Standard emerged from risk management professionals who needed a document that reflected the realities of day‑to‑day enterprise risk management (ERM) work.
The standard is practitioner‑facing rather than governance‑facing. It is most commonly referenced by corporate risk managers, risk committees, and internal audit functions in European organisations. It does not seek to be a universal guideline applicable to any organisation anywhere — it is specifically calibrated for the professional risk management function within organisations.
FERMA also publishes supplementary guidance, including a practitioner guide to ISO 31000 produced in collaboration with AIRMIC and IRM, which signals FERMA’s view that ISO 31000 and its own standard are complementary rather than competing.
How the Two Frameworks Compare
The differences between ISO 31000 and the FERMA/RIMS Standard are significant enough to affect implementation choices. Below are the key dimensions where they diverge.
Scope and Intended Audience
- ISO 31000 is explicitly universal. Its audience is any organisation that wants to improve how it manages risk — from a two‑person startup to a multinational government agency. It provides a common language that works across cultural, regulatory, and industry boundaries.
- FERMA/RIMS is professional‑facing. It speaks to risk managers and risk committees rather than to boards or general management. Its structure assumes a dedicated risk function with specific roles and responsibilities.
Why it matters: If you’re a CEO or board member looking for a high‑level governance reference, ISO 31000 is the more accessible document. If you’re a CRO or risk manager building an internal risk management programme, the FERMA/RIMS Standard gives you more granular, operationally relevant structure.
Framework Structure
| Dimension | ISO 31000:2018 | FERMA/RIMS Standard |
|---|---|---|
| Approach | Principle‑based; flexible guidelines | Practitioner‑structured; functional framework |
| Risk Definition | Effect of uncertainty on objectives (neutral) | Risk as events that may affect the organisation (includes opportunity) |
| Primary Audience | All organisations; broad governance audience | Risk management professionals; internal functions |
| Certifiable | No | No |
| Geographic Concentration | Global — 81 countries in development | European‑centric; strong UK/Ireland adoption |
| Integration | Designed to align with ISO 9001, ISO 14001, ISO 22301 | Designed for internal ERM programmes; maps to multiple frameworks |
| Process Model | Continuous cycle (scope → identification → analysis → evaluation → treatment → monitoring → communication) | Modular; allows practitioner judgement on sequencing |
ISO 31000 presents its risk management approach as a continuous cycle embedded within organisational governance. The FERMA/RIMS Standard presents a more modular structure that risk professionals can adapt to their organisation’s specific maturity and reporting requirements.
Risk Definition Nuances
Both frameworks take a broad view of risk, but the framing differs subtly:
- ISO 31000: “Effect of uncertainty on objectives” — explicitly neutral, covering both negative outcomes and positive surprises.
- FERMA/RIMS: “An event or circumstance that may affect the organisation” — also encompassing opportunity, but phrased in language more familiar to practitioners in operational and financial risk contexts.
The practical implication is small but worth noting: if your organisation’s risk taxonomy already references ISO’s definition (through your GRC tool or existing policy), aligning with ISO 31000 reduces definitional rework.
Integration with Other Frameworks
ISO 31000’s design explicitly supports integration with other ISO management‑system standards — ISO 9001 (Quality), ISO 14001 (Environmental), ISO 22301 (Business Continuity). For organisations already operating under one or more ISO management systems, adopting ISO 31000 adds risk‑management alignment without creating structural conflicts.
The FERMA/RIMS Standard is more agnostic about integration but highly compatible with common ERM tools and GRC platforms used in European enterprise environments. It maps effectively to the COSO ERM Framework (2017), which is worth noting if your organisation has U.S. regulatory exposure or publicly‑traded status requiring SOX‑aligned internal controls.
The FERMA and COSO ERM Connection
While the topic specifically compares ISO 31000 with FERMA, practitioners frequently encounter a third framework in this conversation: the COSO ERM Framework (2017), published by the Committee of Sponsoring Organizations of the Treadway Commission.
COSO ERM is U.S.‑centric and heavily oriented toward financial‑reporting controls and internal‑audit alignment. The 2017 update, titled “Integrating with Strategy and Performance,” moved COSO closer to ISO 31000’s philosophy by emphasizing strategic integration, value creation, and organisational culture.
A quick side‑by‑side look:
| Feature | ISO 31000:2018 | FERMA/RIMS Standard | COSO ERM (2017) |
|---|---|---|---|
| Origin | International (ISO/TC 262) | European (FERMA/AIRMIC/IRM) | United States (COSO/PwC) |
| Certifiable | No | No | No |
| Emphasis | Principles and process | Practitioner function | Internal controls and governance |
| Financial Focus | None | Partial | Strong (SOX, internal audit) |
| Strategic Integration | Broad | Moderate | Strong |
| Primary Users | All organisations | Risk professionals | Finance, audit, governance |
| Revision Status | Under revision (2026) | Current | Current (2017) |
The convergence between COSO ERM 2017 and ISO 31000 2018 — both now emphasizing strategy and culture — suggests a global harmonisation trend in risk‑management thinking. FERMA occupies a unique position: its standard is practitioner‑grounded, and its publications frequently bridge both ISO and COSO traditions.
When to Use Which Framework
There is no universal answer. The right choice depends on your organisation’s context, audience, and goals.
Lean toward ISO 31000 if:
- You operate across multiple countries or regulatory jurisdictions and need a common language.
- Your organisation already conforms to ISO management‑system standards (9001, 14001, 22301) and needs risk management to integrate cleanly.
- You are building a risk‑aware culture at the leadership level and need a governance‑level reference document.
- You want a framework that scales from board‑level policy to operational risk processes.
Lean toward the FERMA/RIMS Standard if:
- Your organisation is based in Europe and your risk‑management function needs a practitioner‑structured reference.
- Your risk team is building or maturing an internal ERM programme and needs operational granularity.
- You are already aligned with COSO ERM for internal audit and want a complementary European‑developed professional standard.
- You need a framework that maps cleanly to existing European regulatory expectations.
Consider both if:
- You have a multinational structure with European operating entities and a global governance mandate.
- Your risk function spans both strategic risk (board‑level) and operational risk (practitioner‑level) and needs consistent terminology across both.
- Your organisation seeks to harmonise multiple risk‑management inputs — internal audit, operational risk, compliance, and strategic planning.
FERMA’s own practitioner guide to ISO 31000 is, in this sense, an implicit endorsement of the hybrid approach. The organisation does not treat ISO 31000 and its own standard as competitors — it treats them as addressing different layers of the same challenge.
Implementation Considerations
Adopting either framework is not a certification exercise. Both are voluntary standards that require organisational commitment to implementation, not external audit. This distinction matters because implementation quality depends almost entirely on internal engagement, not external validation.
For ISO 31000: The standard provides a risk‑management process but leaves the specific implementation steps to the organisation. The 2018 revision emphasises that leadership must embed risk management into governance, culture, and decision‑making — not treat it as a standalone compliance checklist. Companies that treat ISO 31000 as a checklist typically achieve little. Those that treat it as a strategic orientation often see meaningful improvements in risk‑informed decision‑making within 12–18 months of structured implementation.
For the FERMA/RIMS Standard: Implementation is most effective when the risk‑management function takes ownership and adapts the standard’s structure to the organisation’s existing risk taxonomy, reporting lines, and decision‑making processes. The standard’s flexibility at the practitioner level is a strength, but also a risk — without a structured internal rollout, teams can default to familiar processes under a new label.
Practical steps that work for both frameworks:
- Secure executive sponsorship. A visible champion on the board or in the C‑suite signals that risk management is a priority, not an afterthought.
- Conduct a gap analysis. Map your current risk practices against the chosen framework to identify missing elements and quick wins.
- Define roles and responsibilities. Clarify who owns risk identification, assessment, treatment, and reporting.
- Pilot the process. Start with a single business unit or project to test the workflow, then refine before scaling.
- Integrate with existing systems. Link risk registers to GRC tools, audit plans, and strategic dashboards to avoid duplication.
- Train and communicate. Provide hands‑on workshops for risk owners and regular updates to keep the language and expectations fresh.
- Monitor and iterate. Use key risk indicators (KRIs) and periodic reviews to ensure the framework remains fit for purpose.
Key Takeaways
- Scope matters: ISO 31000 is global and governance‑oriented; FERMA/RIMS is European and practitioner‑oriented. Choose the one that aligns with your audience and geographic footprint.
- Both are non‑certifiable: Success hinges on internal commitment, not external audits.
- Integration is possible: Many organisations blend ISO 31000’s high‑level principles with FERMA’s detailed practitioner guidance to cover both strategic and operational layers.
- Implementation is a journey: Start small, secure leadership buy‑in, and embed risk language into everyday decision‑making.
- Stay current: ISO 31000 is slated for a new edition; keep an eye on the revision timeline to avoid rework later.
Conclusion
Navigating the risk‑management landscape doesn’t have to feel like choosing between two competing philosophies. ISO 31000 and the FERMA/RIMS Standard each bring a distinct perspective — one universal and principle‑driven, the other hands‑on and practitioner‑focused. By understanding where they overlap and where they diverge, you can craft a risk‑management approach that speaks to both boardroom strategy and day‑to‑day operational reality.
Start by asking yourself: What language does my leadership need? What level of detail does my risk team require? Answer those questions, run a quick gap analysis, and then pick the framework (or combination) that fills the gaps most efficiently. With executive sponsorship, clear roles, and a phased rollout, you’ll turn the abstract language of standards into concrete, value‑adding risk decisions.
Ready to take the next step? Map your current risk processes against the tables above, identify the biggest gaps, and schedule a workshop with your risk owners to decide whether ISO 31000, FERMA/RIMS, or a hybrid model will drive the most impact for your organization.