ISO 31000 is the international standard for enterprise risk management, published by the International Organization for Standardization in 2018. It provides principles, a framework, and a process for managing any kind of risk — strategic, operational, financial, compliance, reputational, or safety-related — in any organization, regardless of size or sector. ISO 31000 defines risk as “the effect of uncertainty on objectives” and is intended to integrate risk management into governance, leadership, and decision-making rather than running as a parallel exercise. It is a voluntary, non-certifiable guidance document, meaning organizations apply it but are not audited or certified against it.  

ISO 14971 is the international standard for risk management of medical devices, currently in its 2019 third edition. It applies to manufacturers of medical devices, in vitro diagnostic devices (IVDs), and software as a medical device (SaMD) across the entire product lifecycle — from concept and design through production, post-market surveillance, and end-of-life. ISO 14971 is recognized by the U.S. FDA as a consensus standard for premarket submissions and is required for CE marking in the European Union under MDR (EU 2017/745) and IVDR (EU 2017/746) via the harmonized version EN ISO 14971:2019/A11:2021. Unlike ISO 31000, ISO 14971 is prescriptive: it requires a documented Risk Management Plan, a Risk Management File, and a Risk Management Report for each device.  

The core difference is scope and prescriptiveness: ISO 31000 is a voluntary, generic guideline for enterprise-wide risk management, while ISO 14971 is a prescriptive standard specific to medical device risk management across the product lifecycle. ISO 31000 treats risk broadly as any effect of uncertainty on objectives and lets organizations choose their own tools and methods. ISO 14971 narrows risk to the probability of harm multiplied by the severity of harm to a patient, user, or the environment, and requires specific deliverables: hazard identification, hazardous-situation analysis, risk evaluation against acceptability criteria, risk controls in a defined hierarchy, residual-risk and benefit-risk analysis, and a complete Risk Management File maintained throughout the device lifecycle. ISO 31000 is not certifiable; ISO 14971 is FDA-recognized and required under EU MDR/IVDR. 

21 CFR Part 117 is binding U.S. federal law for human food facilities, while ISO 31000 and ISO 14971 are voluntary international standards. 21 CFR Part 117 — the FDA's Preventive Controls for Human Food rule under the Food Safety Modernization Act (FSMA) — requires covered food facilities to develop a written Food Safety Plan based on HACCP principles, with hazard analysis, preventive controls, monitoring, corrective actions, verification, and supplier programs. The Food Safety Plan must be prepared or overseen by a Preventive Controls Qualified Individual (PCQI). Records must be retained for at least two years on-site. Non-compliance can result in FDA Form 483 observations, warning letters, civil penalties, injunction, or criminal referral. ISO 31000 and ISO 14971, by contrast, carry no direct legal penalty in the United States, though ISO 14971 effectively functions as a market-access requirement for medical device manufacturers.  

ISO 31000 applies voluntarily to any organization; ISO 14971 applies to medical device manufacturers; 21 CFR Part 117 applies to most U.S. human food facilities. Medical device, IVD, and SaMD manufacturers follow ISO 14971 and are usually expected to maintain an ISO 13485 quality management system. Pharmaceutical manufacturers are regulated under 21 CFR Parts 210 and 211 and follow ICH Q9 for quality risk management — they are generally not subject to ISO 14971 unless producing a combination product, and not subject to 21 CFR 117. Dietary supplement manufacturers follow 21 CFR Part 111 cGMP, and may also fall under 21 CFR 117 when conducting food-related activities. Human food producers are subject to 21 CFR Part 117 and frequently certified to FSSC 22000, SQF, or BRCGS. Tobacco companies are regulated under 21 CFR Parts 1100–1143 and the Family Smoking Prevention and Tobacco Control Act, not Part 117, and often use ISO 31000 to structure PMTA-related enterprise risk. ISO 31000 is appropriate enterprise-wide for any of these sectors. 

Each framework requires its own documentary architecture, and audit-readiness depends on having every required document current, signed, and retrievable. For ISO 31000, the expected documents include a risk management policy, framework document, context analysis, risk appetite statement, risk criteria, risk register, treatment plans, roles and authority matrix, monitoring and KRI reports, management review minutes, and training records. For ISO 14971, the Risk Management File must include a per-device Risk Management Plan, intended-use statement, hazard and harm list, risk analysis records, risk evaluation, risk control measures with verification of effectiveness, residual risk and benefit-risk analyses, the Risk Management Report prior to release, post-production information procedures, and change-control linked reassessments. For 21 CFR Part 117, required records include the written Food Safety Plan signed by the owner or operator, the hazard analysis, preventive controls (process, allergen, sanitation, supply chain), monitoring records, corrective action records, verification and validation activities, supplier programs, recall plan, environmental monitoring records, PCQI training certificates, and reanalysis of the Food Safety Plan at least every three years. 21 CFR 117 records must be retained for a minimum of two years.

Whether the framework is ISO 31000, ISO 14971, or 21 CFR Part 117, implementation follows the same four-phase rhythm: establish context, identify and analyze, treat and document, monitor and improve. Establishing context means defining scope, intended use, regulatory landscape, acceptability criteria, and assigning accountable leaders — naming a PCQI under 21 CFR 117, a risk management responsible person under ISO 14971, or a risk owner network under ISO 31000. Identifying and analyzing means systematic hazard identification (biological, chemical, physical, radiological, mechanical, environmental, software-related, as applicable) and consistent estimation of likelihood and severity. Treating and documenting means applying controls in priority order — design controls before protective measures before information for safety — and capturing every decision and residual risk in the appropriate file. Monitoring and improving means collecting post-production information, complaints, deviations, and supplier data, and reanalyzing at the cadence the standard requires (no later than every three years for 21 CFR 117; whenever change occurs for ISO 14971; continually for ISO 31000). 

The consequences range from reputational damage (ISO 31000) to loss of market access (ISO 14971) to federal enforcement action (21 CFR Part 117). Non-conformance with ISO 31000 carries no direct penalty because it is a voluntary guideline, but the absence of a functioning ERM framework is increasingly cited in investor due diligence, insurance underwriting, and board oversight. Non-conformance with ISO 14971 can result in FDA Form 483 observations, warning letters, refusal of premarket clearance, loss of CE marking under EU MDR or IVDR, recall, or product liability exposure. Non-compliance with 21 CFR Part 117 can trigger FDA Form 483 observations, FDA warning letters, civil monetary penalties, seizure or injunction, suspension of facility registration, and in serious cases criminal prosecution under the Federal Food, Drug, and Cosmetic Act. In every case, the most common citation is not the absence of controls but the absence of records demonstrating that controls were considered, justified, implemented, and verified.