ISO 31000: Understanding the context of the organisation

As part of ISO 31000, leadership needs to demonstrate an understanding of the organisation and its context with regard to internal and external influences.

Being able to demonstrate the context of the organisation helps a business to properly align its risk management strategy with its overall risk appetite and risk tolerance in order to gain a competitive edge without compromising business continuity.



Considering PESTLE – Your External Contributors To Risk

Common factors to consider when understanding your organisation’s context in relation to external factors can be assessed using the PESTLE acronym:

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environmental

There are, of course, further factors which will influence the risk elements of an organisation, but it is these which are key to understand for any business.

With each element of the PESTLE acronym, it is important to consider: trends, external stakeholder relationships or impact, drivers affecting the organisation’s objectives, and contractual relationships and agreements.



Assessment Of Internal Context

Understanding the internal context could include the mission, vision, values and the alignment of strategic goals and objectives; standards or regulations adopted by the organisation (those which are not required by legislation, as legislative requirements fall under external context); and the impact of resource.

Internal context can also cover:

  • Complexity of networks
  • Knowledge resource, sharing, and management
  • Contractual agreements and internal dependencies, and
  • Information systems including technological resource or reliance




The Role Of Leadership In Understanding The Context

When leaders have recognised the influence of external and internal factors which may impact on risk, it is up to them to use this information – the context of the organisation – to assess the severity and likelihood of risks posed within these parameters.

As part of the risk management strategy, once the context is defined, it helps an organisation adhering to an ISO 31000 framework to communicate the definitions and its understanding of the context to key stakeholders.

Next in the series: Clauses 5.4, 5.5, and 5.6 – Implementation, Evaluation, and Improvement
