#iso31000/2018

### 5.4.1   Understanding the organization and its context
From ISO 31000:2018

When designing the framework for managing risk, the organization should examine and understand its external and internal context.

Examining the organization’s **external context** may include, but is not limited to:

- the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
- key drivers and trends affecting the objectives of the organization;  
- external stakeholders’ relationships, perceptions, values, needs and expectations;  
- contractual relationships and commitments;  
- the complexity of networks and dependencies.    


Examining the organization’s **internal context** may include, but is not limited to:

- vision, mission and values;
- governance, organizational structure, roles and accountabilities;
- strategy, objectives and policies;
- the organization’s culture;
- standards, guidelines and models adopted by the organization;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
- data, information systems and information flows;
- relationships with internal stakeholders, taking into account their perceptions and values;
- contractual relationships and commitments;  
- interdependencies and interconnections.