ISO 31000 and the COSO ERM framework are the two most popular risk management standards. Here's what they include and some of their similarities and differences.
Every organization has to take business risks in order to succeed. The role of enterprise risk management (ERM) is to identify, assess and control those risks so that the organization takes the right level of risk to meet its business objectives without creating financial or legal problems. Various risk management standards have been created to support that process, and ISO 31000 and the COSO ERM framework are the most widely followed. Which of the two should your organization use? To help you choose, let's look more closely at what ISO 31000 and COSO are and how they differ from one another.

What are COSO and ISO?

COSO is short for the Committee of Sponsoring Organizations of the Treadway Commission. It was founded in 1985 to fund and oversee the National Commission on Fraudulent Financial Reporting, a private-sector panel set up to study the factors that can lead companies to commit fraud in their financial reporting. The commission, informally named after its first chairman, issued a report with more than 150 recommendations in 1987, and COSO has continued to work on various projects since then. Five organizations make up COSO: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants. COSO's stated mission is to help organizations improve their performance by offering guidance on internal controls, risk management, governance and fraud deterrence. Its output includes frameworks, standards and research studies; it has also published various thought papers that are free to view and download on the COSO website.

The International Organization for Standardization, commonly known as ISO (a short form chosen to avoid different acronyms in different languages), was founded in 1947 to develop and publish standards for companies and other entities worldwide.
ISO is an independent, nongovernmental organization with a current membership of 165 national standards bodies. To date, it has developed nearly 24,000 international standards covering management systems, quality management, occupational health and safety, information security and many other topics, including risk management.

What is the COSO ERM framework?

COSO's framework for enterprise risk management was first published in 2004. It was updated in 2017 to address the increasing complexity of ERM and the corresponding need for organizations to improve how they manage risk to meet changing business demands. Titled "Enterprise Risk Management -- Integrating with Strategy and Performance," the updated publication highlights the importance of considering risk when setting business strategy and managing operational performance. According to the document's executive summary, the framework can be used in organizations of all sizes and in all industries. It is a set of 20 principles organized into these five components of the enterprise risk management process:

- Governance and culture
- Strategy and objective-setting
- Performance
- Review and revision
- Information, communication and reporting
Each component contains several principles that describe the specific actions and practices required, although different organizations can apply them in different ways. As further guidance on that, COSO has also published a "Compendium of Examples" supplement with case studies of ERM framework implementations by individual entities.

What is ISO 31000?

The ISO 31000 standard provides principles, a framework and a common process for managing any type of risk an organization faces -- for example, equipment failure, employee or customer accidents, cybersecurity breaches and financial fraud. Like the COSO ERM framework, ISO 31000 isn't specific to any industry or sector. Its purpose is to help organizations formalize their risk management practices across the entire enterprise, and ISO says it can be applied to or customized for any activity. The standard was first released in 2009 and revised in 2018. Formally designated ISO 31000:2018 and titled "Risk Management -- Guidelines," the new version is a shorter, clearer and more concise document that is easier to read while remaining widely applicable. To reduce the amount of specialized terminology in ISO 31000, some terms were moved to ISO Guide 73, a risk management vocabulary document meant to be used alongside the standard. In addition, ISO 31000:2018 provides more strategic guidance on ERM than the original version "and places more emphasis on both the involvement of senior management and the integration of risk management into the organization," according to ISO. The standard has three primary components:

- Principles, which state what effective risk management should achieve
- A framework for integrating risk management into the organization's governance and decision-making
- A process for identifying, analyzing, evaluating and treating risks, with monitoring, review and communication throughout
IEC 31010 is a complementary standard on risk assessment and analysis techniques. It was also introduced in 2009 and was updated in 2019. It is developed jointly by ISO and the International Electrotechnical Commission, although it's published under the IEC's name.

COSO vs. ISO 31000: How they're similar

ISO 31000 and COSO's ERM framework have the same ultimate goal: helping organizations implement effective risk management strategies and processes. Here are some similarities between the two standards that risk management experts and software vendors commonly cite:
COSO vs. ISO 31000: How they differ

There are also many differences between ISO 31000 and the COSO ERM framework. These are some typically listed by experts and vendors:
How to choose between COSO and ISO 31000

There's no single right way to manage a risk portfolio. Both the COSO ERM framework and ISO 31000 can help organizations improve their ERM practices. One isn't necessarily better than the other, and elements of both may well be incorporated into a single risk management system. Any organization planning an ERM implementation should therefore review both ISO 31000 and COSO to understand each approach, then decide which best fits its culture and requirements -- or whether a combination of the two is called for.

COSO is a multilayered and complicated framework that can be a daunting undertaking to implement fully. ISO 31000 is easier to understand; it describes the steps of the risk management process and gives practical advice on how risk management should be integrated into decision-making. It also contains performance criteria an organization can use to judge whether its approach to risk management is likely to be effective. The standard is well suited to anyone looking for a checklist to guide decisions about an ERM initiative, or who has experience with other ISO-based management systems. The COSO framework, however, offers ideas and advice that can supplement the briefer ISO guidance. Because the framework starts by reviewing an organization's business objectives and strategies, it may help senior management define its risk tolerance more precisely and so better understand the resulting risk mitigation strategies. COSO has also released documents on applying the framework to specific areas, such as cloud computing and compliance risk management.

Perhaps the best approach is to combine the broader directives of ISO 31000 with the relevant risk management principles from COSO. Whichever standard or combination an ERM system is based on, its effectiveness needs to be evaluated over time to ensure that it is benefiting the organization's business strategy, plans and performance.
If it's inhibiting business activities in any way, the risk management program must be changed to remove the source of the friction. Every organization has to be dynamic, and that includes regularly appraising and adjusting an ERM initiative so risks are correctly managed.
Note on the original COSO ERM framework: the 2004 version identified eight components -- internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The 2017 update reorganized this material into the five components and 20 principles described above, with the internal environment component (which covers an entity's integrity and ethical values) now falling under governance and culture.