In risk management, ISO 31000 and COSO are the two most popular standards. Standards are essential in a business as they set a baseline to avoid conflict over what is right or wrong.  ISO 31000 and the COSO framework provide a similar definition of what a risk is and recognise it as an uncertain occurrence. 

ISO and COSO are updated when necessary and are best known for making compliance easier. They both have the same goal: help employers manage risk in their organisation to achieve their goals. What other similarities do they have and what are their differences?

The COSO framework

COSO stands for the Committee of Sponsoring Organizations which was founded in 1985 by five professional associations: The Institute of Management Accountants, The American Accounting Organization, Financial Executives International, American Institute of Certified Public Accountants, and the Institute of Internal Auditors. 

The COSO framework was created in 1992 and was then updated in 2013. In 2017 the committee updated it as the COSO ERM (Enterprise Risk Management) framework. It is usually depicted as a three-dimensional cube The cube shows how COSO connects its three elements; the objectives are at the top, the components are at the front and the organisational structure on the side. It promotes accountability and confidence that controls will mitigate risks.

ISO 31000

ISO stands for International Organization for Standardization. It was founded by 25 countries in February 1947. ISO 31000 was firstly issued in 2009 and was later updated in 2018. It provides guidelines for implementing enterprise risk management strategies encouraging decision-making based on risk management. The second version introduces the concept of risk appetite which is a confusing term in risk management. It heavily focuses on creating and protecting the value of a business. 

ISO has stated that ISO 31000 cannot be used for certification purposes. However, these risk management standards underpin a lot of the practices in other standards that can be used for certification e.g. in ISO27001 as information security is highly dependent on managing risk.


Both standards explore risks widely. They encourage risk-taking and decision-making that is backed by risk management. They offer an approach that allows businesses to control risks so they can achieve their objectives and grow. Both COSO and ISO 31000 cover the ERM process in great detail. They promote a consistent approach to the risk management process that will drive the improvement of measures and strategies.

Both frameworks are guidelines. They do not intend to enforce rules. They allow organisations to customise their approach to fit the situation of that specific business. They do not provide companies with a certification, rather, they encourage continuous improvement and better governance. Businesses that use ISO 31000 and the COSO framework can compare their own risk management policies and procedures to standards that are globally recognised.

Another similarity between the two frameworks is that they recognise the importance of being updated. They accept that we live in a fast-changing world and the risk environment does not remain the same. Both documents get updates to add new concepts and address different kinds of situations. They provide guidelines on how to identify, assess and monitor constantly evolving risks.


COSO is a much larger document than ISO 31000. The latter has 16 to 32 pages while the former has over 120 pages. This allows COSO to explain concepts, such as risk appetite, more thoroughly than ISO and introduce other concepts such as risk tolerance and capacity. ISO 31000 is more concise and simple but businesses have said that it does not cover all elements of risk management implementation. Another reason that the COSO framework is longer is because it depicts many concepts using visual elements while ISO 31000 does not.

COSO is mainly targeted at accounting and auditing firms but ISO 31000 can be used by any organisation as it provides a general approach. This is because ISO offers a broad risk model and COSO focuses on financial reporting. The target market also differs geographically. Even though COSO and ISO are internationally recognised, ISO is used globally while the COSO framework is mostly used in North America.

ISO 31000

Which one is better: ISO 31000 or COSO ERM?

Both frameworks offer interesting perspectives on how to implement risk management in decision-making and how to use risk management to help a business achieve its objectives. The standards of the frameworks are just the base, the starting point companies can use to develop their processes and procedures. Which document is better heavily depends on the business, its industry and where it operates. It is important that business owners read both documents and understand their content before deciding which one to use.

There are other risk management standards such as the BS 31100, FERMA and OCEG. However, the COSO ERM and ISO 31000 remain the leading frameworks for multiple reasons, including their focus on risk management being an ongoing process rather than a one-time decision. They explain risk management as part of the core business rather than a separate strategy and highlight how every process will need to be customised to fit the needs of the organisation.

ISO 31000 and the COSO ERM can offer benefits such as the strengthening of internal controls and the effective response to a changing business environment. Since they assist organisations in improving their crisis management, they indirectly assist in improving the performance of the organisation as well. They also help in fostering a risk-aware culture which contributes to significant cost savings for the company.


Whether a company chooses to implement the COSO ERM framework or the ISO 31000, it will choose to take a step in the right direction by preparing the business for unpredictable events. While both frameworks have some similarities, they also have some significant differences, so it is important to read both before deciding which one to use. Managers must remember that the frameworks only offer guidelines, and it is up to the company to develop its own risk management process.