ISO 31000 vs. COSO – Comparing and Contrasting the World’s Leading Risk Management Standards

There’s no doubt among risk professionals…

ISO 31000 and COSO are the two leading risk management standards in the world today.

I previously discussed the fundamentals and background of each standard – check out the separate articles on ISO 31000 and COSO.

As promised, the purpose of this article is to compare and contrast each standard…

But before we get into these similarities and differences, let’s first discuss what a risk management standard should help you do.

In a webinar sponsored by OCEG, three widely known risk management experts – Norman Marks, Alex Sidorenko, and Tim Leech – each provide their view…

Norman Marks explains that efforts to identify, assess, and treat risk should be about helping the company succeed, not avoiding failure.

Everyone takes risks in pursuit of objectives. The key and ultimate purpose of the risk management standard is to ensure the organization is “…taking the right risks at the right level.”

Alex Sidorenko of Risk Academy explains that a risk management standard’s foremost goal is to support not just decision-making, but any activity at any level of the organization that has any uncertainty associated with it.

Tim Leech of Risk Oversight Solutions concurred with Norman and Alex’s thoughts on this question, but added that a risk management standard should also provide everyone in the organization with clarity on what the organization would like to accomplish and the tools for considering risks that can impede these objectives.

Also, risk information has to be as close to real-time as possible in order for it to be valuable.

In the end, whether you use ISO 31000, COSO, another risk management standard, or a combination of two or more standards, the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives.

Now that we have laid the groundwork for what a risk management standard should help you do, let’s discuss a few similarities and differences between the world’s two leading risk management standards.

ISO 31000 vs. COSO – Similarities

As I describe in the articles outlining each standard, ISO 31000 and COSO were developed by different organizations with varying professional backgrounds. However, they do share a few similarities, including:

1.   Both standards expand the scope of risk management.

Rather than just limiting negative risks, both standards help guide and encourage risk taking. The book Prepare to Dare by Hans Læssøe includes an example from an organization on what this means…

We make money by taking risks, and we lose money, when we do not manage the risks we are taking.

The point about taking risks in order to succeed is one we keep seeing over and over again…it is becoming more relevant with each passing day.

2.   Both versions are meant to be guidelines.

Neither ISO 31000 nor COSO is designed for an organization to get a compliance certification. ISO 31000 especially is meant to provide high-level guidance on the components of a risk management framework. As I frequently mention, risk management should be tailored to each organization, so it makes sense that the standards are really guidelines. It is your responsibility to take the “standard” and put it into practice, making sure it fits the needs and culture of your organization.

3.  Both current versions are a dramatic improvement.

The updated COSO version was released in 2017 and the updated ISO 31000 in 2018. Every resource I have encountered mentions how both standards are a dramatic improvement. COSO’s 2004 version, for example, used a three-dimensional “cube” to illustrate the framework’s principles, which many found confusing.

4.  Both standards embed risk management in decision processes.

Embedding risk into the organization’s decision-making process is a key part of ensuring the organization is taking the right risks in the right amount. Both ISO 31000 and COSO make mention of the importance of this – ISO 31000 mentions it 17 times while COSO discusses decision-making but not as prominently.

Although each standard mentions the importance of factoring risk into the decision-making process, both ignore decision-making science altogether. As explained by Alex Sidorenko, ISO 31000 outlines a very traditional risk process (identification, assessment, etc.), when in reality, there is a “different sequence of events” when making decisions.

 

ISO 31000 vs. COSO – Differences

Differences between ISO 31000 and COSO far outnumber similarities. This is one reason why many organizations say they use a combination of both standards. A few of these differences include:

5.  Structure

The latest version of ISO 31000 is more standardized than COSO, likely because it was developed by an international standards organization. The ISO standard is only 16 pages and can be read in less than an hour.

COSO, on the other hand, is over 100 pages long. While it does include more visuals, it does not follow any sort of common “structural” standard.

6.  Geography

ISO 31000 has been adopted as the official risk management standard by national standards organizations in approximately 57 countries as of the end of 2015. When developing the 2018 version, the International Organization for Standardization received over 5000 comments from 70+ countries.

COSO, on the other hand, was developed in partnership with PwC, one of the “Big Four” accounting and consulting firms. Almost all of the principal contributors for the 2017 update are located in either Washington, D.C. or New York City.

7.  Target audience

Since COSO (the organization, not the standard) has its origins focusing on providing an internal control framework, the COSO ERM standard is targeted more toward people in accounting and audit. Hans Læssøe, former senior director of strategic risk management at LEGO and author of Prepare to Dare, states that COSO was “…created by and focused on the needs of auditors.” Although the 2017 updated version places greater emphasis on strategy, it is still heavily bent towards the auditable side of ERM.

On the flip side, ISO 31000 is written for anyone interested in risk management. Many organizations choose to heavily rely on it because of numerous other ISO standards they may be using.

8.  Focus

Perhaps again due to its origins in audit and internal control, COSO focuses more on general corporate governance. Alex Sidorenko explains that 50+ percent of COSO’s materials discuss things like how the board should oversee the entire organization, not necessarily risk. Many feel boards will struggle to see how risk can and should be more than just an add-on process.

ISO focuses almost exclusively on risk and incorporating it in the strategic planning process. It also provides more specific information to help boards better define and fulfill their risk oversight responsibilities.

9.  Framework and Processes

ISO provides a clear distinction between a framework and a process. While the process it outlines is still very traditional, it goes into more detail on the actual groundwork of risk identification, assessment, and more.

COSO combines these two concepts. However, only one out of five components of the framework mentions the actual process of risk management.

10.  Risk appetite

ISO’s original risk management standard released in 2009 did not mention the concept of risk appetite at all. The 2018 version briefly mentions the topic of risk “criteria” but the mention is minimal and uses different terminology than other resources.

COSO’s 2017 version discusses risk appetite at much greater length and provides many visual examples of the concepts of risk appetite, tolerance, and capacity.

11.  Risk vs. Success Centric

Although COSO’s 2017 update focuses more on achieving objectives, many feel it is still encouraging risk “hunting” or is risk-centric. As Hans Læssøe explains, the purpose of risk management is to “…create and protect value, not minimize risk taking.”  (Which I completely agree with!)

While it isn’t to the level many would like, ISO 31000 places greater emphasis on helping the organization accomplish its goals rather than simply avoid negative consequences of risk(s).

The above comparisons are not an exhaustive list of characteristics, just likely the more important ones. You could spend hours compiling a list of characteristics between the two standards.

So the question becomes…which one do you choose?

Personally, I have no preference and am a strong believer in using what fits the organization’s needs and culture. (Yes, I will keep repeating this mantra!)

When it comes to fitting the organization, one client of mine read summaries for both standards and found that COSO made more sense, despite the fact their organization was not in the finance industry, which is where COSO really originated from.

But do you have to choose just one? No!

Tim Leech believes that each standard contains “good nuggets” but neither can be taken and applied exclusively.  And Norman Marks says that both standards are useful to read and understand, and despite improvements over their original versions, the best risk management practices are well ahead of both ISO 31000 and COSO.

When it comes to practicalities, I’m in full agreement with both Tim and Norman’s comments, but I would add my own perspective.

Don’t try to use a standard you are struggling to make fit to your organization. If you feel you are having to push people too hard to understand what you are trying to do, or are getting tons of questions or blank stares, then you are trying too hard. And don’t forget that everyone (from the Board and executives down to entry-level managers and employees) will be able to tell that you are struggling, and your efforts will stall or just plain fail.

How have you used the ISO 31000 and/or COSO ERM standards to fit the needs of your organization?

I am interested in hearing your thoughts on this extensive topic. Feel free to leave a comment below or join the conversation on LinkedIn.

If you are struggling to understand risk management standards and how to apply them to your organization’s needs, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
