ISO 31000 and COSO are two of the world’s leading enterprise risk management standards.
Enterprise risk management (ERM) means embedding risk management everywhere in your enterprise.
Regardless of which risk management standard you choose: ISO 31000, COSO, a combination of the two, or something else, it’s important to keep in mind what the purpose of a risk management standard is.
Enterprise risk management standard should help your identify and assess not only the risks but also the opportunities in achieving your objectives.
Identifying and assessing risk should help your organization reach its objectives, not just avoid a crisis.
ISO 31000 vs COSO
SIMILARITIES between ISO 31000 and COSO
ISO 31000 and COSO are guidelines
The standards are not designed to get a compliance certification.
Enterprise risk management should be customized to your organization and as such the guidelines help you do just that.
Not just for limiting negative risks
Both standards look at risk management as more than minimizing negative risks. They encourage taking right risks to achieve objectives.
Both embed ERM in decision-making process
Both ISO 31000 and COSO stress the importance of embedding risk management into the organization’s decision-making process. The management must understand the risks and how they relate to organizational objectives.
ISO 31000 – COSO DIFFERENCES
There are many more differences between the two standards than similarities.
The length of the COSO is over 100 pages. ISO 31000 can be read in less than an hour.
ISO 31000 also follows a more organized structure than COSO.
ISO 31000 is the official risk management standard in over 50 countries.
COSO was developed in the United States in partnership with PwC, a large accounting and consulting firm.
ISO 31000 is a more generic risk management standard. It was created for anyone interested in risk management.
COSO is focused on financial reporting.
ISO 31000 focuses on risk and incorporating it everywhere in the organization.
COSO focuses more on general corporate governance.
Framework and Process
ISO 31000 clearly separates a framework and a process.
COSO combines the two concepts.
ISO 31000:2009 – no mention of risk appetite
ISO 31000: 2018 – brief mention, using different terminology
COSO – discusses risk appetite in great length
Risk vs. Success
ISO 31000 includes avoiding negative consequences of risk AND helping organizations to achieve their objectives.
COSO is focused on being risk-centric.
Which one is better? ISO 31000 or COSO?
So, which one should your choose? Which one is better for your organization.
The question is not about which one is a better standard. It comes down to which one fits your organization and culture. If you think they both do, the good news is that you could use both.
In deciding which standard to use it can be useful to read both standards and take the training to help you make the best decision. Keep in mind that if you implement on standard and you are struggling, it may be that the standard is not the right fit for your organization and it’s ok, and you should, to try a different standard.
ISO 31000 Training Course
You can learn the ISO 31000 Standard for ERM in a Student-Friendly Course.
In the course, complex topics are simplified into easy-to-understand lessons with instructions teaching you how to practically apply them.
After taking this course, you will immediately be able to begin applying the useful principles in ISO 31000 to your organization.
Read more about our ISO 31000 Training Course.