Among leading risk professionals, it is commonly agreed that COSO and ISO 31000 are the leading risk management standards available today; however, when asking which risk management standard is preferred, the answer may be different depending on the background of the individual or the type of organization. Both COSO and ISO 31000 provide guidance for identifying, assessing, treating, communicating and continually monitoring risk. Where they differ is how they emphasize the various components of the risk management process and the way that process is described. Both emphasize the importance of integrating the consideration of risk into daily operations to improve organizational decision-making, and directly correlate the effectiveness of risk management activities with the organization’s value, resiliency and success. The purpose of this document is to compare, contrast and analyze each framework to assist organizations with selecting the risk management approach that aligns best with their ERM goals and organizational culture.
What is COSO?
The Committee of Sponsoring Organizations (COSO) was founded in 1985 with the goal of assisting the National Commission on Fraudulent Financial Reporting. The initial structure was designed to develop frameworks and guidance on internal controls, fraud prevention and risk management. COSO was originally founded by five professional associations as a part of the Treadway Commission: The American Accounting Organization (AAA), American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and Financial Executives International (FEI). A COSO enterprise risk management (ERM) framework is most often adopted in organizations that are more regulatory or compliance focused, especially those that are publicly traded or must comply with Sarbanes-Oxley, and was last updated in June 2017.
The COSO framework presents a risk management approach centered around five interrelated components:
- Governance and culture
- Strategy and objective setting
- Review and revision
- Information, communication and reporting
These five components contain a series of 20 total principles that provide much more specific guidance for everything from governance to monitoring. They describe specific actions and practices that can be applied in a scalable manner to organizations of all kinds, but emphasize an overall correlation between the effectiveness of these risk-related activities and the successful achievement of the organizations’ strategy and business objectives.
What is ISO 31000?
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies. ISO was established in 1946 and formed when delegates from 25 different countries gathered at the Institute of Civil Engineers in London to form a new organization that would create and unify industrial standards. Today, ISO has more than 160 members, and has published more than 23,000 different international standards covering topics such as manufacturing and engineering, environmental health protection and safety, management quality, and risk management. ISO standards represent a consolidation of knowledge, best practices and guidelines from around the world. The development and review process used to develop ISO standards are highly structured and rigorous. The ISO 31000 Risk Management Standard was initially released in 2009, updated in 2018 and has three main components, including a set of principles, the framework and the risk management process.
- The principles define the purpose of risk management as existing to create and protect value, and correlates eight different characteristics that must either be factored in or aligned with that central purpose.
- The framework highlights the essential role of leadership support and commitment with effective risk management, and illustrates the continuous improvement cycle required to ensure that risk management activities are sustainable and continually evolve to meet the organization’s needs. The framework is the infrastructure/governance structure used to support risk management activities in a sustainable fashion.
- The risk management process outlines the scalable approach used to identify, evaluate, prioritize and treat risks.
Similarities between COSO and ISO 31000
- Both COSO and ISO 31000 (hereafter referred to as ISO) provide a guide to analyzing and better understanding how to interpret and address risk within an organization.
- Both COSO and ISO have similar definitions of risk. COSO describes risk as the “possibility that events will occur and affect the achievement of strategy and business objectives.” ISO defines risk more simply as the “effect of uncertainty on objectives.” Both acknowledge risk as uncertainty, and both correlate this uncertainty with the successful achievement of objectives.
- The main goal of both risk management standards is to allow for a consistent approach to identify/evaluate risk, treat risk, and continually monitor and improve risk management capabilities.
- Both COSO and ISO successfully expanded the scope of risk management beyond the traditional view of risk, which was largely focused on insurable or compliance risks only. Not only did this expansion allow for the inclusion of strategic and operational risks, but it also expanded the understanding of risk beyond something that was always inherently bad to something that could also represent opportunity, or risk that should be pursued.
- Both risk management standards facilitate the consideration of risk at the correct time in the decision-making process, and consistently evaluate risk and uncertainty as part of that process.
- Each risk management standard adamantly focuses on reviewing risk over time as risks may evolve and new threats appear. A good example of this is cybersecurity. Over the past years, risks associated with cybersecurity have evolved drastically. For an organization to be prepared to address risk properly, it must be understood that risks need to be updated in terms of priority and potential impact.
- Both COSO and ISO are meant to act as guidelines that enable organizations to fit principles of risk and decision-making into corporate governance and oversight.
- Both COSO and ISO can be applied to any kind of organization, regardless of size, industry or geography.
- Neither COSO nor ISO are certifiable risk management standards, but rather guides for each specific organization to understand and apply a strategy that is tailored to their own structure, operations and corporate culture.
COSO and ISO have many similarities that are centered around their common purpose of helping organizations improve their decision-making processes by identifying, evaluating and monitoring risk on an ongoing basis. That being said, there are several key differences to take into account when determining which standard is a better fit for an organization.
Key Differences between COSO and ISO 31000
Although COSO and ISO each provide a standard for risk management, there are several important distinctions to acknowledge when deciding which to choose for an organization.
- COSO is a very detailed, comprehensive document that is more than 120 pages long. The COSO guide has visual resources to help individuals better understand the concepts being presented; however, some consider the document to be overwhelming and overly prescriptive. ISO, in contrast, is only 32 pages long, and has a much more concise and standardized structure. While COSO has been described as overwhelming, ISO has been criticized as lacking specific guidance on how to implement the risk management standard.
- Another variance between ISO and COSO are trends in the geography of their adoption. Like all ISO guidance, the ISO standard represents a collaboration of risk professionals around the world, which has contributed to further international adoption. COSO, on the other hand, has mostly had contributors from the United States and North America, and is more common in those regions.
- Another important distinction to make is the sources and contributors of each standard. COSO is founded by organizations that focus on the internal audit and financial reporting models, including a partnership with one of the Big Four accounting and consulting firms; therefore it is commonly used by organizations most concerned with financial controls or those that are publicly traded. ISO was developed primarily by management professionals, so it approaches risk from more of an operational standpoint than a control standpoint.
- The COSO model also differs from the ISO model in its scope. The COSO model provides guidelines on deliberately aligning risk management activities with the organization’s mission and strategy to support improved organizational performance. The ISO model is more broadly focused on creating and protecting value across an organization, but is not specifically correlated with an organization’s mission or strategy.
- ISO clearly states the purpose of risk management is to create and protect value, with a clear emphasis on the creation of value. This view of risk as both consequence and opportunity is emphasized more consistently in ISO. In contrast, though COSO acknowledges the importance of the upside of risk, it tends to be more focused on corporate governance and oversight, which leans more toward the perspective that risk is something that needs to be managed and controlled, rather than pursued.
The Common Goal of COSO and ISO 31000
Despite their differences, the COSO ERM Framework and ISO 31000 Risk Management Standard both facilitate a comprehensive, proactive and collaborative approach to identifying, prioritizing and managing risks. Such an approach enables improved decision-making at all levels of an organization, and enhances an organization’s resiliency and adaptability when crises occur. At the end of the day, there is no single right way to manage an organization’s portfolio of risks. What is most important is that an organization leverage a common playbook that is consistent with their culture and environment, and provides for a thoughtful and deliberate approach to managing risks of all kinds.
This article originally appeared on PRIMA.