Among leading risk professionals, it is commonly agreed that COSO and ISO 31000 are the leading risk management standards available today, however, when asking which standard is preferred, the answer may be different depending on the background of the individual or the type of organization. Both COSO and ISO 31000 provide guidance for identifying and assessing risk, treating risk, communicating risk and continually monitoring risk. Where they differ is how they emphasize the various components of the risk management process and the way those processes are described. Both emphasize the importance of integrating the consideration of risk into daily operations to improve organizational decision-making and directly correlate the effectiveness of risk management activities with the organization’s value, resiliency and success.
What is COSO?
The Committee of Sponsoring Organizations (COSO) was founded in 1985 with the goal of assisting the National Commission on Fraudulent Financial Reporting. The initial structure was designed to develop frameworks and guidance on internal controls, fraud prevention and risk management. COSO was originally founded by five professional associations as a part of the Treadway Commission: The American Accounting Organization (AAA), American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and Financial Executives International (FEI). A COSO ERM Framework is most often adopted in organizations that are more regulatory or compliance focused, especially those that are publicly traded or must comply with Sarbanes-Oxley, and was last updated in June 2017.
The COSO Framework presents a risk management approach centered around five interrelated components, including:
- Governance and Culture
- Strategy and Objective Setting
- Review and Revision
- Information, Communication and Reporting
These five components contain a series of 20 total principles which provide much more specific guidance for everything from governance to monitoring. They describe specific actions and practices that can be applied in a scalable manner to organizations of all kinds, but it emphasizes an overall correlation between the effectiveness of these risk related activities and the successful achievement of the organization’s strategy and business objectives.
What is ISO 31000
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies. ISO was established in 1946 and was formed when delegates from 25 different countries gathered at the Institute of Civil Engineers in London to form a new organization that would create and unify industrial standards. Today, ISO has over 160 Members, and have published over 23,000 different international standards covering topics such as manufacturing and engineering, environment health protection and safety, management quality, and risk management, among many others. ISO Standards represent a consolidation of knowledge, best practices and guidelines from around the world, and the development and review process used to develop ISO standards are highly structured and rigorous. The ISO 31000 Risk Management Standard was initially released in 2009, then updated in 2018. The ISO 31000 Risk Management Standard has three main components, including a set of Principles, the Framework, and the Risk Management Process.
- The Principles define the purpose of risk management as existing to create and protect value, and correlates eight different characteristics that must either be factored in or aligned with that central purpose.
- The Framework highlights the essential role of leadership support and commitment with effective risk management, and illustrates the continuous improvement cycle required to ensure that risk management activities are sustainable and continually evolve to meet the organization’s needs. The Framework is the infrastructure / governance structure used to support risk management activities in a sustainable fashion.
- The Risk Management process outlines the scalable approach used to identify, evaluate, prioritize and treat risks.
Similarities Between COSO and ISO 31000
- Both COSO and ISO 31000 (hereafter referred to simply as ISO) provide a guide to analyzing and better understanding how to interpret and address risk within an organization.
- Both COSO and ISO have similar definitions of risk. COSO describes risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.” ISO defines risk more simply as “the effect of uncertainty on objectives.” Both acknowledge risk as uncertainty and both correlate this uncertainty with the successful achievement of objectives.
- The main goal of both standards is to allow for a consistent approach to identify / evaluate risk, treat risk, and continually monitor and improve risk management capabilities.
- Both COSO and ISO successfully expanded the scope of risk management beyond the traditional view of risk, which was largely focused on insurable or compliance risks only. Not only did this expansion allow for the inclusion of strategic and operational risks, but it also expanded the understanding of risk beyond something that was always inherently bad, to something that could also represent opportunity, or risk that should be pursued.
- Both standards facilitate the consideration of risk at the correct time in the decision-making process and consistently evaluating risk and uncertainty as part of that process.
- Each standard adamantly focuses on reviewing risk over time as risks may evolve and new threats appear. A good example of this is cyber security. Over the past years, risks associated with cyber security have evolved drastically. For an organization to be prepared to address risk properly, it must be understood that risks need to be updated in terms of priority and potential impact.
- Both COSO and ISO are meant to act as a guideline that enable organizations to fit principles of risk and decision making into corporate governance and oversight.
- Both COSO and ISO can be applied to any kind of organization, regardless of size, industry
- Neither COSO nor ISO are certifiable standards, but rather they are guides for each specific organization to understand and apply a strategy that is tailored to their own structure, operations and corporate culture.
COSO and ISO have many similarities which are centered around their common purpose of helping organizations improve their decision making process by identifying, evaluating and monitoring risk on an ongoing basis. That being said, there are several key differences to take into account when determining which standard is a better fit for an organization.
Key Differences Between COSO and ISO 31000
Although COSO and ISO each provide a standard for risk management, there are several important distinctions to acknowledge when deciding which to choose for an organization.
- COSO is a very detailed, comprehensive document that is over 120 pages long. The COSO guide has visual resources to help individuals better understand the concepts being presented, however, some consider the document to be overwhelming and overly prescriptive. ISO in contrast is only 32 pages long and has a much more concise and standardized structure. While COSO has been described as overwhelming, ISO has been criticized as lacking specific guidance on how to implement the Standard.
- Another variance between ISO and COSO are trends in the geography of their adoption. Like all ISO guidance, the ISO Standard represents a collaboration of risk professionals around the world, which has contributed to further international adoption. COSO, on the other hand, has mostly had contributors from the United States and North America, therefore COSO is more common in those regions.
- Another important distinction to make is the sources and contributors of each standard. COSO is founded by organizations that focus on the internal audit and financial reporting models, including a partnership with one of the “Big Four” accounting and consulting firms, and as such, it is commonly used by organizations most concerned with financial controls, or those that are publicly traded. ISO was developed primarily by management professionals, so it approaches risk from more of an operational standpoint than a control standpoint.
- The COSO model also differs from the ISO model in its scope. The COSO model provides guidelines on deliberately aligning risk management activities with the organization’s mission and strategy to support improved organizational performance. The ISO model is more broadly focused on creating and protecting value across an organization, but is not specifically correlated with an organization’s mission or strategy.
- ISO clearly states the purpose of risk management is to create and protect value, with a clear emphasis on the creation of value. This view of risk as both consequence and opportunity is emphasized more consistently in ISO. In contrast, though COSO acknowledges the importance of the “up-side” of risk, it tends to be more focused on corporate governance and oversight, which leans more towards the perspective that risk is something that needs to be managed and controlled, rather than pursued.
Despite their differences, the COSO ERM Framework and ISO 31000 Risk Management Standard both facilitate a comprehensive, proactive and collaborative approach to identifying, prioritizing and managing risks. Such an approach enables improved decision-making at all levels of an organization and enhances an organization’s resiliency and adaptability when crises occur. At the end of the day, there is no single “right” way to manage an organization’s portfolio of risks. What is most important is that an organization leverage a common playbook that is consistent with their culture and environment that provides for a thoughtful and deliberate approach to managing risks of all kinds.
By: Lisanne Sison
Managing Director, ERM Practice, Arthur J. Gallagher
By: Jim Doran
Area Vice President, Arthur J. Gallagher
You Might Also Be Interested In
Risk Management is Easy… Pinpointing it is Hard
Don’t tell the guys behind the actuarial tables, but managing risk is as much an art as it is a science. It’s also an art made easier because of science. By using a safety program to pinpoint risk, entities can improve driver retention and other factors along the way.
Navigating Class Action Lawsuits
From a legal standpoint, it’s valuable to distinguish a class action lawsuit from traditional lawsuits. For your organization, the difference in cost between a traditional lawsuit and a class action lawsuit can be hundreds of thousands dollars, and the difference in preparation requires another extensive layer to coordinate your defense.