The role of risk management and internal audits in corporate governance

Read this article to learn about the main similarities and differences between ISO 31000 and COSO, the best known risk management standards!

When it comes to risk management, ISO 31000 and COSO are the two best-known standards. The main objective of both is to help companies make the right decisions and achieve their strategic goals, whether by applying these standards individually, in combination, or alongside other standards.

The purpose of risk management is not to prevent companies from facing adversity, but rather to enable them to succeed. All organizations face risks when pursuing their goals. These two standards are intended to help organizations take the right risks, at the right level.

After this brief introduction, we will learn about the principal similarities and differences of the two main risk management standards.

The main similarities between ISO 31000 and COSO

Despite their different origins, ISO 31000 and COSO share some similarities:

1. Stimulus for risk management

Organizations make money by taking risks, and lose money when they fail to manage the risks they take. For this reason, both standards encourage organizations to take risks, that is, risks that occur frequently and are increasingly relevant.

2. Non-certifiable standards

Both ISO 31000 and COSO are merely guiding standards. They differ from ISO 9001, for example, which is a certifiable standard. It is up to each company to understand and implement the guidelines, taking into account its cultural aspects and its needs.

3. Recently updated

Both standards are very recent, with the latest version of COSO released in 2017 and ISO 31000 in 2018. They provide improvements that simplify their understanding and implementation, as well as meeting the current market needs.

4. Risk management in decision making

Incorporating risk into an organization’s decision-making process is a key part of ensuring that the organization is taking the right risks, in the right degree. Both ISO 31000 and COSO mention the importance of this.


The main differences between ISO 31000 and COSO

There are more differences between ISO 31000 and COSO than similarities. For this reason, many risk management systems adhere to a combination of both standards:

1. Structure of the standards

ISO 31000:2018 was developed by an international standards organization, so it has a more standardized structure. The standard is very objective; it has only 16 pages.

COSO has more than 100 pages. It includes more visual resources and does not adhere to any kind of common “structural” pattern.

2. Source

The process of developing ISO 31000:2018 involved the participation of members from more than 70 countries. In the case of COSO, most of the contributions came from the United States, from PricewaterhouseCoopers, one of the largest auditing and consulting service providers.

3. Target market

Although the latest version of COSO has a greater emphasis on strategy, the truth is the standard is more focused on accounting and auditing purposes, thus it was designed to meet the needs of auditors. On the other hand, ISO 31000 was created involving people from different areas and with different risk management needs. Many organizations already have other ISO-based management systems, so they end up opting for ISO 31000.

4. Focal point

Again, because of its origins, COSO focuses more on corporate governance, while ISO 31000 focuses almost exclusively on risk and incorporates it in the strategic planning process.

5. Structure and processes

ISO provides a clear distinction between the concepts of Structure and Process. Although the process it presents is very simple, it goes into detail on identifying and assessing risks.

COSO, on the other hand, combines these two concepts. However, only one of the five framework components mentions the risk management process.

6. Risk appetite

The first version of ISO 31000, released in 2009, did not address the concept of risk appetite. The 2018 version briefly mentions the topic of risk “criteria” and uses different terminology than is used elsewhere. The 2017 version of COSO discusses risk appetite more thoroughly and provides many visual examples of the concepts of risk appetite, tolerance, and capacity.

7. Risk vs. Achieving Goals

Although the 2017 version of COSO focuses more on the achievement of goals, many people understand it as encouraging the “pursuit” of risks, or as focusing on risks. The purpose of risk management is to create and protect value, not to minimize risks. While not to the degree that many would like, ISO 31000 places more emphasis on helping organizations achieve their goals, rather than simply avoiding the negative consequences of risks.

This is not a definitive list. A more detailed analysis would demonstrate more similarities and differences.

It is important to emphasize that one standard is not better or more recommended than the other. You need to know both to understand how they can be applied in accordance with the needs and culture of your company.

Would you like to learn more about Risk Management after reading this article? Check out the other content we have on this topic here in the blog!

Marcelo Becher


Specialist in Strategic Management from PUC-PR. Business and market analyst at SoftExpert, a software provider for enterprise-wide business processes automation, improvement, compliance management and corporate governance.
