Every organization has to take business risks in order to succeed. The role of enterprise risk management is to identify, assess and control those risks to ensure an organization is taking the right level to meet its business objectives without causing financial or legal problems. Different risk management standards have been created to help with that process. ISO 31000 and the COSO ERM framework are the most-followed guidelines.
Which one of the two should your organization use? To help you choose between them, let's look more closely at what the ISO 31000 and COSO standards are and how they differ from one another.
What are COSO and ISO?
COSO is short for the Committee of Sponsoring Organizations of the Treadway Commission. It was founded in 1985 to fund and oversee the National Commission on Fraudulent Financial Reporting, a private sector panel set up to study the factors that can lead companies to commit fraud in their financial reporting. The commission, informally named after its first chairman, issued a report with more than 150 recommendations in 1987. But COSO has continued to work on various projects since then.
Five organizations are part of COSO: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants. COSO's stated mission is to help organizations improve their performance by offering guidance on internal controls, risk management, governance and fraud deterrence. The group's output includes standards frameworks and research studies; it also has published various thought papers that are available to view and download for free on the COSO website.
The International Organization for Standardization, commonly known as ISO to avoid different acronyms in different languages, was founded in 1947 to develop and publish standards for companies and other entities worldwide. ISO is an independent, nongovernmental group with a current membership of 165 national standards bodies. To date, it has developed nearly 24,000 international standards for management systems, quality management, occupational health and safety, information security and many other topics, including risk management.
What is the COSO ERM framework?
COSO's framework for enterprise risk management was first published in 2004. It was updated in 2017 to address the increasing complexity of ERM and the corresponding need for organizations to improve how they manage risk to meet changing business demands. Titled "Enterprise Risk Management -- Integrating with Strategy and Performance," the updated publication highlights the importance of considering risk in setting business strategies and managing operational performance.
The ERM framework can be used in organizations of all sizes and in all industries, according to the document's executive summary. It's a set of 20 principles organized into these five components of the enterprise risk management process:
- Governance and culture. This establishes oversight responsibilities for enterprise risk management and defines the desired organizational culture, including an understanding of risk and the importance of managing it.
- Strategy and objective-setting. As part of strategic planning, the organization determines its risk appetite and aligns that with business strategy. Specific business objectives are used as a basis to identify, evaluate and respond to risk.
- Performance. Different kinds of risks are identified, assessed for severity and prioritized in accordance with the risk appetite. The organization then decides how to respond to them and creates a portfolio view of the risk it has taken on.
- Review and revision. The organization reviews business performance and how well the ERM process is functioning and then decides whether changes are needed to improve the process.
- Information, communication and reporting. Information about the risk management process is collected and shared through ongoing communications and reporting on risk and business performance at multiple levels across the organization.
Each component contains various principles that describe the specific actions and practices required. However, they can be applied in different ways by different organizations. As further guidance on that, COSO has also published a "Compendium of Examples" supplement with case studies on implementations of the ERM framework by individual entities.
What is ISO 31000?
The ISO 31000 standard provides principles, a framework and a common approach to managing any type of risk faced by an organization -- for example, equipment failure, employee or customer accidents, cybersecurity breaches and financial fraud. Like the COSO ERM framework, ISO 31000 isn't specific to any industry or sector. Its purpose is to help organizations formalize their risk management practices across the entire enterprise, and ISO says it can be applied to or customized for any activity.
The standard was first released in 2009 and then revised in 2018. Formally known as ISO 31000:2018 and detailed in a publication titled "Risk Management -- Guidelines," the new version offers a shorter, clearer and more concise document that is easier to read while remaining widely applicable. To reduce the amount of specific terminology in ISO 31000, some terms were moved to ISO Guide 73, a risk management vocabulary document that's meant to be used with the standard.
In addition, ISO 31000:2018 provides more strategic guidance on ERM than the original standard "and places more emphasis on both the involvement of senior management and the integration of risk management into the organization," according to ISO. The standard has three primary components:
- Principles. ISO 31000 lists eight principles as the foundation for managing risk to create and protect business value. They provide guidance on the characteristics of effective and efficient risk management efforts and on how to explain the purpose of ERM and communicate its value.
- Framework. This is designed to help organizations apply risk management mechanisms in business functions and governance structures. It includes six customizable components: leadership and commitment, integration, design, implementation, evaluation and improvement.
- Process. The standard outlines the process that organizations should use to identify, evaluate, prioritize and mitigate risks, with guidance on how to apply policies, procedures and practices in a systematic way. It also includes steps for communication, monitoring and review, and reporting.
IEC 31010 is a complementary standard on risk assessment and analysis techniques that was updated in 2019 after also being introduced in 2009. It is jointly developed by ISO and the International Electrotechnical Commission, although it's published under the IEC's name.
COSO vs. ISO 31000: How they're similar
ISO 31000 and COSO's ERM framework have the same ultimate goal: helping organizations to implement effective risk management strategies and processes. Here are some similarities between the two standards that risk management experts and software vendors commonly cite:
- ISO 31000 and COSO both focus on techniques and methods used to evaluate, manage and monitor risks. In many ways, they're representations of the same body of knowledge.
- Both are designed to be guidelines for organizations, and there is no certification for compliance associated with either of them. Under each standard, an ERM system needs to be customized to the individual organization, and the guidelines can be adapted as needed to accomplish that.
- Both ISO 31000 and COSO stress the importance of embedding risk management into an organization's decision-making processes so corporate executives and business managers understand the risks and how they relate to organizational objectives when they make business decisions.
- Both emphasize the need to review risks and revise ERM strategies and controls as new business issues and requirements emerge.
- The two standards were both updated at about the same time to make it easier to understand and implement them.
COSO vs. ISO 31000: How they differ
There also are many differences between ISO 31000 and the COSO ERM framework. These are some typically listed by experts and vendors:
- Development. ISO 31000 is developed by a formal standards body, and ISO received more than 5,000 comments from people in 70-plus countries when it was working on the 2018 version. COSO, on the other hand, is a group of professional associations, and the 2017 ERM framework update was developed by consulting firm PwC with direction from COSO's board and input from external "advisors and observers."
- Focus. The COSO framework focuses more on general corporate governance and auditing of risk management activities, providing a standard against which to evaluate an organization's current ERM practices. ISO 31000 focuses squarely on risk management and its role in strategic planning and decision-making, providing guidance on the nature of the ERM and how to implement it.
- Presentation. ISO 31000 is just 16 pages long, although it is supplemented by the vocabulary guide and IEC 31010. The COSO framework's executive summary is 16 pages; altogether, it includes more than 100 pages of text and visual elements.
- Audience. Being a more generic risk management standard, ISO 31000 is written for a broad audience of people interested in ERM. Even with the changes made to expand the scope of COSO's framework in the 2017 update, it is still targeted more toward accounting and auditing professionals.
- Framework, principles and process. COSO combines its framework, principles and process into a single structure that incorporates risk management into a broader set of organizational governance and management practices. ISO 31000 distinguishes between those three elements and more directly details the required risk management tasks.
- Risk appetite vs. risk criteria. The COSO framework includes the concept of an organization's risk appetite, which it discusses in detail along with the related notions of risk tolerance and capacity. The 2018 version of ISO 31000 uses risk criteria to describe the amount and type of risk that an organization is willing to take.
- Risk reduction vs. business success. There's no longer as much of a difference on this in the updated standards. But the COSO framework is generally seen as being centered on risk reduction and avoidance, while ISO 31000 is oriented more toward using risk management to generate business value.
How to choose between COSO and ISO 31000
There's no single right way to manage a risk portfolio. Both the COSO ERM framework and ISO 31000 can help organizations improve their ERM practices. One isn't necessarily better than the other, and it may well be that elements of both are incorporated into a risk management system.
Therefore, any organization planning an ERM implementation should review both ISO 31000 and COSO to understand each approach and then decide which best fits its particular culture and requirements -- or if a combination of them is called for.
COSO is a multilayered and complicated framework that can be a daunting undertaking to fully implement. ISO 31000 is easier to understand and contains descriptions of risk management steps plus practical advice on how risk management should be integrated into decision-making processes. It also contains performance criteria that an organization can use to judge if its approach to risk management will be effective. The standard is ideal for anyone looking for a checklist to help make decisions regarding an ERM initiative or who has experience with other ISO-based management systems.
However, the COSO framework has ideas and advice that can be used to supplement the briefer ISO guidance. Because the framework starts by reviewing an organization's business objectives and strategies, it may help senior management to better define its risk tolerance and thus better understand the resulting risk mitigation strategies. COSO has also released documents on applying it to specific areas, such as cloud computing and managing compliance risks. Perhaps the best approach is to combine the broader directives of ISO 31000 with COSO's relevant risk management principles.
Whichever standard or combination an ERM system is based on, the system's effectiveness needs to be evaluated over time to ensure that it is benefiting an organization's business strategy, plans and performance. If it's inhibiting business activities in any way, the risk management program must be changed to remove the source of the friction. Every organization has to be dynamic, and that includes regularly appraising and adjusting an ERM initiative so risks are correctly managed.