Skip to main content

Risk Objective

Short Description

A risk objective is an objective, owned by a party, that aims to reach and maintain a state of affairs in which the risks associated with a specific set of its objectives become, and/or remain, acceptable. The (business) process that seeks to realize risk objectives is referred to as a risk management process - this is in line with well-known ISO standards, such as ISO 31000, ISO9001, ISO27001, etc.

There are various ways for parties to come to grips with specifying and managing their risk objectives. Here are some examples:

We have observed that (the management of) the risks associated with the objectives that risk management processes pursue themselves, are often 'forgotten', i.e. these objectives are not in the scope of any risk management process. Parties should set risk objectives that aim to mitigate the risks associated with (the objectives pursued by) their risk management processes.

Risk objectives should also be associated with assessment frameworks that auditors will use for determining the risk-levels for each of these objectives.


The purpose of risk-objectives is help parties determine and prioritize the work they need to do in order to ensure that the risks they run become, and/or remain, acceptable.


A risk-objective is an objective that