COSO ERM vs ISO 31000


With the ISO 31000 and COSO ERM Framework updates, organizations attempting to integrate multiple enterprise risk management strategies to meet compliance requirements can feel overwhelmed. However, despite different definitions and processes for establishing risk tolerance, ISO 31000 and the COSO ERM Framework provide interrelated value that helps organizations better manage risk.

Comparing the ISO 31000 and the COSO ERM

What is COSO?

In 1985, five professional associations founded COSO to sponsor the National Commission on Fraudulent Financial Reporting. The American Accounting Organization (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA) organized to develop frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

What is ISO?

In 1946, twenty-five countries sent delegates to the Institute of Civil Engineers in London, where they decided to establish a new organization that would create and unify industrial standards.

What is the COSO Framework?

The COSO Framework, most recently updated in 2016, provides an applied risk management approach to internal controls. Applicable to both financial reporting and internal reporting, the COSO framework focuses on five interrelated strategic points.

“Governance and Culture” relates enterprise risk management (ERM) oversight to daily activities. “Strategy and Objective Setting” holds that risk tolerance sets goals, but that those goals must be objectively measured. The “Performance” segment requires prioritization of risks and effectiveness reporting. The “Review and Revision” portion involves continuous monitoring and internal audit to revise controls as necessary. Finally, the “Information, Communication, and Reporting” proviso requires communication across internal and external stakeholders.

What is the ISO 31000 standard?

In 2018, ISO re-released the 31000 standard, streamlining the definitions. The newly redefined risk framework focuses on eleven integrated and iterative principles.

ISO 31000 starts from the premise that risk management establishes and sustains value. Next, organizations need to integrate ERM into all organizational processes. Once they have done that, they need to include risk in decision making. This inclusion arises from the importance of addressing uncertainty. Effective ERM also requires a systematic, structured, and timely process, and it relies on incorporating the best information available. Organizations therefore need to tailor their ERM to their specific risks, and to do so they need to integrate human and cultural factors so that stakeholder needs are addressed. In doing so, organizations offer transparent and inclusive risk management. Ongoing effective risk management means companies need to respond to change by being dynamic and iterative in their process. Finally, this ERM process helps organizations improve their risk management and compliance continuously.

Why do IT professionals need to look to ISO 31000?

ISO 31000 provides generic risk principles applicable across industries. While not specific to information technology, ISO 31000 provides ERM guidelines that match ISO’s desired outcomes.

IT professionals use ISO 27001 to focus their Information Security Management Systems (ISMS). As part of that, 27001 references ISO 9000, which pulls in the risk principles from ISO 31000. As part of establishing an ISMS, organizations need a centrally managed framework to protect information that incorporates policies, procedures, and technical and physical controls. However, before creating those controls, organizations must engage in risk assessments that review potential threats and the likelihood of those risks. This risk assessment relies on the updated standards.

What are the similarities between ISO 31000 and COSO ERM Framework?

COSO and ISO 31000 both focus on assessing risk, treating risk, and continually monitoring risk.

The essential alignment between these two risk frameworks is their insistence on reviewing risk and revising controls as new threats evolve. In the information security space, malicious attackers continually adapt to find new exploits and vulnerabilities within systems, so a risk register that is never revisited quickly stops reflecting the actual threat picture.

The 2018 ISO 31000 revision focuses explicitly on highlighting management’s leadership and governance. COSO only responds to those controls related to fiduciary duty. Primarily designed to enable Sarbanes-Oxley (SOX) 404 requirements, COSO limits itself to a specific area of an organization’s IT environment. Thus, the ISO 31000 provides broader directives that help companies fit COSO’s principles of risk management into overarching corporate governance.

What are the differences between ISO 31000 and COSO ERM Framework?

COSO focuses directly on financial reporting. While this seems a small deviation from the more massive risk model of ISO 31000, it establishes a different focus.

ISO 31000 begins the risk process by defining the purpose and scope of risk management activities. The design process notes the value of scope and purpose in establishing risk criteria and decision making. However, ISO 31000, while focusing on leadership commitment, considers management’s business concerns after determining risk tolerance.

COSO, on the other hand, starts the risk process by reviewing the organization’s business strategies and aligning risks to those objectives. With this in mind, COSO provides a more meaningful approach to defining risk tolerance. Beginning with the organization’s business objectives allows the C-suite to better understand the risk mitigation strategies.

How COSO ERM Framework and ISO 31000 help the Board of Directors oversee risk

Corporate governance requires the Board of Directors to meaningfully oversee the risks inherent in business activities. Both COSO and ISO 31000 stress management’s value to the decision-making process. This means executive management must understand both the risks and how they overlap with organizational business goals.

In this manner, COSO and ISO 31000 overlap, with ISO 31000 providing insights into risk management strategies. Where COSO incorporates “governance and culture” as a principle, ISO 31000 focuses on integration to drive leadership commitment to overarching decision making. Used together, the two almost present a chicken-or-egg scenario: to define risk under COSO, organizations must understand their business objectives, and to make decisions under ISO 31000, organizations must integrate risk.

Although more time-consuming, the dialogues that help define and integrate risk into business objectives create stronger organizations.

How can automating compliance help an organization?

To be agile decision makers, information security teams need equally agile tools to help them collect the necessary data about their control environments to meet the requirements of internal auditors certified by the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Internal Auditors, or Institute of Management Accountants.

ZenGRC’s automated platform addresses these issues. The ease of documentation aggregation and reporting offers the C-suite insight into a company’s trends. The rising cost of compliance comes not just in dollars but also in working hours. The ZenGRC platform cuts down on time spent managing compliance by helping stakeholders track changes and tasks.

To see how ZenGRC can help organize ISO and COSO compliance, contact us for a demo today.