ISO 31000 vs. COSO – Comparing and Contrasting the World’s Leading Risk Management Standards

There’s no doubt among risk professionals…

ISO 31000 and COSO are the two leading risk management standards in the world today.

I previously discussed the fundamentals and background of each standard – check out the separate articles on ISO 31000 and COSO.

As promised, the purpose of this article is to compare and contrast each standard…

But before we get into these similarities and differences, let’s first discuss what a risk management standard should help you do.

In a webinar sponsored by OCEG, three widely known risk management experts – Norman Marks, Alex Sidorenko, and Tim Leech – each provide their view…

Norman Marks explains that efforts to identify, assess, and treat risk should be about helping the company succeed, not avoiding failure.

Everyone takes risks in pursuit of objectives. The key and ultimate purpose of the risk management standard is to ensure the organization is “…taking the right risks at the right level.”

Alex Sidorenko of Risk Academy explains that a risk management standard’s foremost goal is to support not just decision-making, but any activity at any level of the organization that has any uncertainty associated with it.

Tim Leech of Risk Oversight Solutions concurred with Norman and Alex’s thoughts on this question, but added that a risk management standard should also provide everyone in the organization with clarity on what the organization would like to accomplish and the tools for considering risks that can impede these objectives.

Also, risk information has to be as close to real-time as possible in order for it to be valuable.

In the end, whether you use ISO 31000, COSO, another risk management standard, or a combination of two or more standards, the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives.

Now that we have laid the groundwork for what a risk management standard should help you do, let’s discuss a few similarities and differences between the world’s two leading risk management standards.

ISO 31000 vs. COSO – Similarities

As I describe in the articles outlining each standard, both ISO 31000 and COSO were developed by different organizations with varying professional backgrounds. However, they do share a few similarities, including:

1. Both standards expand the scope of risk management.

Rather than just limiting negative risks, both standards help guide and encourage risk taking. The book Prepare to Dare from Hans Læssøe includes an example from an organization on what this means…

“We make money by taking risks, and we lose money when we do not manage the risks we are taking.”

The point about taking risks in order to succeed is one we keep seeing over and over again…it is becoming more relevant with each passing day.

2. Both versions are meant to be guidelines.

Neither ISO 31000 nor COSO is designed for an organization to obtain a compliance certification. ISO 31000 in particular is meant to provide high-level guidance on the components of a risk management framework. As I frequently mention, risk management should be tailored to each organization, so it makes sense that the standards are really guidelines. It is your responsibility to take the “standard” and put it into practice, making sure it fits the needs and culture of your organization.

3. Both current versions are a dramatic improvement.

The updated COSO version was released in 2017 and the updated ISO 31000 in 2018. Every resource I have encountered mentions that both standards are a dramatic improvement. COSO’s 2004 version, for example, used a three-dimensional “cube” to illustrate the framework’s principles, which many found confusing.

4. Both standards embed risk management in decision processes.

Embedding risk into the organization’s decision-making process is key to ensuring the organization is taking the right risks in the right amount. Both ISO 31000 and COSO mention the importance of this – ISO 31000 mentions it 17 times, while COSO discusses decision-making but not as prominently.

Although each standard mentions the importance of factoring risk into the decision-making process, both ignore decision-making science altogether. As explained by Alex Sidorenko, ISO 31000 outlines a very traditional risk process (identification, assessment, etc.), when in reality, there is a “different sequence of events” when making decisions.

ISO 31000 vs. COSO – Differences

Differences between ISO 31000 and COSO far outnumber similarities. This is one reason why many organizations say they use a combination of both standards. A few of these differences include:

5. Structure

The latest version of ISO 31000 is more standardized than COSO, likely because it was developed by an international standards organization. The ISO standard is only 16 pages and can be read in less than an hour.

COSO on the other hand is over 100 pages long. While it does include more visuals, it does not follow any sort of common “structural” standard.

6. Geography

ISO 31000 has been adopted as the official risk management standard by national standards organizations in approximately 57 countries as of the end of 2015. When developing the 2018 version, the International Organization for Standardization received over 5000 comments from 70+ countries.

COSO, on the other hand, was developed in partnership with PwC, one of the “Big Four” accounting and consulting firms. Almost all of the principal contributors for the 2017 update are located in either Washington, D.C. or New York City.

7. Target audience

Since COSO (the organization, not the standard) originated with a focus on providing an internal control framework, the COSO ERM standard is targeted more toward people in accounting and audit. Hans Læssøe, former senior director of strategic risk management at LEGO and author of Prepare to Dare, states that COSO was “…created by and focused on the needs of auditors.” Although the 2017 updated version places greater emphasis on strategy, it is still heavily bent towards the auditable side of ERM.

On the flip side, ISO 31000 is written for anyone interested in risk management. Many organizations choose to heavily rely on it because of numerous other ISO standards they may be using.

8. Focus

Perhaps again due to its origins in audit and internal control, COSO focuses more on general corporate governance. Alex Sidorenko explains that 50+ percent of COSO’s materials discuss things like how the board should oversee the entire organization, not necessarily risk. Many feel boards will struggle to see how risk can and should be more than just an add-on process.

ISO focuses almost exclusively on risk and incorporating it in the strategic planning process. It also provides more specific information to help boards better define and fulfill their risk oversight responsibilities.

9. Framework and Processes

ISO provides a clear distinction between a framework and a process. While the process it outlines is still very traditional, it goes into more detail on the actual groundwork of risk identification, assessment, and more.

COSO combines these two concepts. However, only one out of five components of the framework mentions the actual process of risk management.

10. Risk appetite

ISO’s original risk management standard released in 2009 did not mention the concept of risk appetite at all. The 2018 version briefly mentions the topic of risk “criteria” but the mention is minimal and uses different terminology than other resources.

COSO’s 2017 version discusses risk appetite at much greater length and provides many visual examples of the concepts of risk appetite, tolerance, and capacity.

11. Risk vs. Success Centric

Although COSO’s 2017 update focuses more on achieving objectives, many feel it is still encouraging risk “hunting” or is risk-centric. As Hans Læssøe explains, the purpose of risk management is to “…create and protect value, not minimize risk taking.” (Which I completely agree with!)

While it isn’t to the level many would like, ISO 31000 places greater emphasis on helping the organization accomplish its goals rather than simply avoid negative consequences of risk(s).

The above comparisons are not an exhaustive list of characteristics, just the ones that are likely the most important. You could spend hours compiling a list of differences between the two standards.

So the question becomes…which one do you choose?

Personally, I have no preference and am a strong believer in using what fits the organization’s needs and culture. (Yes, I will keep repeating this mantra!)

When it comes to fitting the organization, one client of mine read summaries of both standards and found that COSO made more sense, despite the fact that their organization was not in the finance industry, which is where COSO really originated.

But do you have to choose just one? No!

Tim Leech believes that each standard contains “good nuggets” but neither can be taken and applied exclusively. And Norman Marks says that both standards are useful to read and understand, and despite improvements over their original versions, the best risk management practices are well ahead of both ISO 31000 and COSO.

When it comes to practicalities, I’m in full agreement with both Tim and Norman’s comments, but I would add my own perspective.

Don’t try to use a standard you are struggling to make fit to your organization. If you feel you are having to push people too hard to understand what you are trying to do, or are getting tons of questions or blank stares, then you are trying too hard. And don’t forget that everyone (from the Board and executives down to entry-level managers and employees) will be able to tell that you are struggling, and your efforts will stall or just plain fail.

How have you used the ISO 31000 and/or COSO ERM standards to fit the needs of your organization?

I am interested in hearing your thoughts on this extensive topic. Feel free to leave a comment below or join the conversation on LinkedIn.

If you are struggling to understand risk management standards and how to apply them to your organization’s needs, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.


13 Comments

  • Marshall Toburen
    April 17, 2019 9:07 am

    Thanks for the post, it was insightful. The thing I most like about ISO 31000 and supporting ISO Guide 73 is the broad nature of the standard and how easily it can be applied. ISO has done a good job aligning later risk management-related ISOs to these two. Consequently, I affectionately consider these two ISOs to be the Grandfather of risk management standards. On the other hand, the single most important idea conveyed to me in COSO ERM is depicted in Figure 4.2. That figure brings together the theoretical relationship between risk profile, risk appetite, and risk capacity.

  • Thanks for your comments, Marshall. I would agree that ISO is very broad. For some, that is good. For those not so experienced in risk management, it can be difficult not having explicit direction or how-to information. And thanks for your thoughts on COSO. (Unfortunately, we continue to wait for approval from ISO on including images from the standard in our post.)

  • Clauddette Delgado
    May 28, 2019 8:36 pm

    I just loved the content; it helped me really understand the differences and similarities between the two (even as a non-English speaker). Also love your voice going through it. Thanks!

  • Musa A. Egbunu
    July 16, 2020 7:05 pm

    Going through your post has added more knowledge to my practice experience in environmental, social and strategic governance of simple to complex engineering projects. Your ERM qualification is salutary.

  • Noziphiwo Lubanga
    August 12, 2020 1:54 am

    This post came at the right time, as I was reviewing an ERM framework for my organization which was mainly focusing on the ISO 31000 of 2009. I had to make a call that in my review of this framework I would like to adopt the combination of both ERM standards, which is ISO 31000 and COSO. This decision came after having procured both standards and made my own analysis and comparison of the standards. I found them to be complementing each other, and in areas which I felt ISO 31000 fell short, COSO was more detailed, in areas such as risk appetite and taking into consideration the strategy, objectives, mission, vision and core values of the organization in pursuit of risk management and decision making.
    This article came at the right time to confirm the work I have done and the decision I have made. It’s worse today, as I will be presenting this framework to the Board, and this article’s information will help me more in selling my decision of adopting both ERM standards for the organization. Thank you very much Carol. You are a blessing in disguise 🙏

    • Hi Nozie. Thank you…glad you found this article helpful! COSO certainly does seem to offer more detail in some areas, but as I’ve said in other articles, you have to tailor the process to your organization and not force the standard work. It appears this is what you’re doing by pulling different parts from each standard. In the end, both ISO 31000 and COSO are there for reference or a good baseline. Best of luck in your framework implementation.

  • For me, if you want to refer to a full guideline for ERM, we should refer to COSO, but if we have our own structured ERM, then we should refer to ISO, because we should not establish a process that is not according to a risk management standard such as ISO 31000.

    • Appreciate your perspective on this topic. Based on what I (and many others!) have experienced, the COSO ERM framework and ISO standard are not meant to be used as a “copy and paste” process for any organization. The comparison article you’re referring to includes a great summary of my views on organizations using them for ERM practices.

  • Thank you Carol. I found your post very insightful. Applying the learnings from both standards in implementing a bespoke ERM process in my organization is a goal my team and I intend to achieve.

    • Hi Emi…thank you so much! I hope this article and other resources on the site will be helpful for you and your team. The best thing to remember (pretty sure I mention in this article) is that ERM must ultimately be tailored to your organization, not strictly based on standards like ISO or COSO. This is even more true today than when this article was written. Wishing you all the best in achieving your goal.

  • Yes, the best is the ISOERM v.1 :), you can take and customize and integrate both features.
