There’s no doubt among risk professionals…
ISO 31000 and COSO are the two leading risk management standards in the world today.
As promised, the purpose of this article is to compare and contrast each standard…
But before we get into these similarities and differences, let’s first discuss what a risk management standard should help you do.
In a webinar sponsored by OCEG, three widely known risk management experts – Norman Marks, Alex Sidorenko, and Tim Leech – each provide their view…
Norman Marks explains that efforts to identify, assess, and treat risk should be about helping the company succeed, not avoiding failure.
Everyone takes risks in pursuit of objectives. The key and ultimate purpose of the risk management standard is to ensure the organization is “…taking the right risks at the right level.”
Alex Sidorenko of Risk Academy explains that a risk management standard’s foremost goal is to support not just decision-making, but any activity at any level of the organization that has any uncertainty associated with it.
Tim Leech of Risk Oversight Solutions concurred with Norman and Alex’s thoughts on this question, but added that a risk management standard should also provide everyone in the organization with clarity on what the organization would like to accomplish and the tools for considering risks that can impede these objectives.
Also, risk information has to be as close to real-time as possible in order for it to be valuable.
In the end, whether you use ISO 31000, COSO, another risk management standard, or a combination of two or more standards, the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives.
Now that we have laid the groundwork for what a risk management standard should help you do, let’s discuss a few similarities and differences between the world’s two leading risk management standards.
ISO 31000 vs. COSO – Similarities
As I describe in the articles outlining each standard, both ISO 31000 and COSO were developed by different organizations with varying professional backgrounds. However, they do share a few similarities, including:
1. Both standards expand the scope of risk management.
Rather than just limiting negative risks, both standards help guide and encourage risk taking. The book Prepare to Dare from Hans Læssøe includes an example from an organization on what this means…
We make money by taking risks, and we lose money, when we do not manage the risks we are taking.
The point about taking risks in order to succeed is one we keep seeing over and over again…it is becoming more relevant with each passing day.
2. Both versions are meant to be guidelines.
Neither ISO 31000 nor COSO is designed for an organization to get a compliance certification. ISO 31000 especially is meant to provide high-level guidance on the components of a risk management framework. As I frequently mention, risk management should be tailored to each organization, so it makes sense that the standards are really guidelines. It is your responsibility to take the “standard” and put it into practice, making sure it fits the needs and culture of your organization.
3. Both current versions are a dramatic improvement.
The updated COSO version was released in 2017 and the updated ISO 31000 in 2018. Every resource I have encountered mentions how both standards are a dramatic improvement. COSO’s 2004 version, for example, used a three-dimensional “cube” to illustrate the framework’s principles, which many found confusing.
4. Both standards embed risk management in decision processes.
Embedding risk into the organization’s decision-making process is a key part of ensuring the organization is taking the right risks in the right amount. Both ISO 31000 and COSO mention the importance of this – ISO 31000 mentions it 17 times, while COSO discusses decision-making but not as prominently.
Although each standard mentions the importance of factoring risk into the decision-making process, both ignore decision-making science altogether. As explained by Alex Sidorenko, ISO 31000 outlines a very traditional risk process (identification, assessment, etc.), when in reality, there is a “different sequence of events” when making decisions.
ISO 31000 vs. COSO – Differences
Differences between ISO 31000 and COSO far outnumber similarities. This is one reason why many organizations say they use a combination of both standards. A few of these differences include:
5. Structure and length
The latest version of ISO 31000 is more standardized than COSO, likely because it was developed by an international standards organization. The ISO standard is only 16 pages and can be read in less than an hour.
COSO on the other hand is over 100 pages long. While it does include more visuals, it does not follow any sort of common “structural” standard.
6. Development and adoption
ISO 31000 has been adopted as the official risk management standard by national standards organizations in approximately 57 countries as of the end of 2015. When developing the 2018 version, the International Organization for Standardization received over 5000 comments from 70+ countries.
COSO, on the other hand, was developed in partnership with PwC, one of the “Big Four” accounting and consulting firms. Almost all of the principal contributors for the 2017 update are located in either Washington, D.C. or New York City.
7. Target audience
Since COSO (the organization, not the standard) has its origins focusing on providing an internal control framework, the COSO ERM standard is targeted more toward people in accounting and audit. Hans Læssøe, former senior director of strategic risk management at LEGO and author of Prepare to Dare, states that COSO was “…created by and focused on the needs of auditors.” Although the 2017 updated version places greater emphasis on strategy, it is still heavily bent towards the auditable side of ERM.
On the flip side, ISO 31000 is written for anyone interested in risk management. Many organizations choose to heavily rely on it because of numerous other ISO standards they may be using.
8. Governance focus
Perhaps again due to its origins in audit and internal control, COSO focuses more on general corporate governance. Alex Sidorenko explains that 50+ percent of COSO’s materials discuss things like how the board should oversee the entire organization, not necessarily risk. Many feel boards will struggle to see how risk can and should be more than just an add-on process.
ISO focuses almost exclusively on risk and incorporating it in the strategic planning process. It also provides more specific information to help boards better define and fulfill their risk oversight responsibilities.
9. Framework and Processes
ISO provides a clear distinction between a framework and a process. While the process it outlines is still very traditional, it goes into more detail on the actual groundwork of risk identification, assessment, and more.
COSO combines these two concepts. However, only one out of five components of the framework mentions the actual process of risk management.
10. Risk appetite
ISO’s original risk management standard released in 2009 did not mention the concept of risk appetite at all. The 2018 version briefly mentions the topic of risk “criteria” but the mention is minimal and uses different terminology than other resources.
COSO’s 2017 version discusses risk appetite at much greater length and provides many visual examples of the concepts of risk appetite, tolerance, and capacity.
11. Risk vs. Success Centric
Although COSO’s 2017 update focuses more on achieving objectives, many feel it is still encouraging risk “hunting” or is risk-centric. As Hans Læssøe explains, the purpose of risk management is to “…create and protect value, not minimize risk taking.” (Which I completely agree with!)
While it isn’t to the level many would like, ISO 31000 places greater emphasis on helping the organization accomplish its goals rather than simply avoid negative consequences of risk(s).
The above comparisons are not an exhaustive list of characteristics, just the ones I consider most important. You could spend hours compiling a list of differences between the two standards.
So the question becomes…which one do you choose?
Personally, I have no preference and am a strong believer in using what fits the organization’s needs and culture. (Yes, I will keep repeating this mantra!)
When it comes to fitting the organization, one client of mine read summaries for both standards and found that COSO made more sense, despite the fact that their organization was not in the finance industry, which is where COSO originated.
But do you have to choose just one? No!
Tim Leech believes that each standard contains “good nuggets” but neither can be taken and applied exclusively. And Norman Marks says that both standards are useful to read and understand, and despite improvements over their original versions, the best risk management practices are well ahead of both ISO 31000 and COSO.
When it comes to practicalities, I’m in full agreement with both Tim’s and Norman’s comments, but I would add my own perspective.
Don’t try to use a standard you are struggling to make fit to your organization. If you feel you are having to push people too hard to understand what you are trying to do, or are getting tons of questions or blank stares, then you are trying too hard. And don’t forget that everyone (from the Board and executives down to entry-level managers and employees) will be able to tell that you are struggling, and your efforts will stall or just plain fail.
How have you used the ISO 31000 and/or COSO ERM standards to fit the needs of your organization?
I am interested in hearing your thoughts on this extensive topic. Feel free to leave a comment below or join the conversation on LinkedIn.
If you are struggling to understand risk management standards and how to apply them to your organization’s needs, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.