COSO vs. ISO: Enterprise Risk Management

This course is all about Enterprise Risk Management (ERM) standards.

Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve its objectives.

In this course, we look at and compare two of the most popular risk management standards - the Committee of Sponsoring Organizations (COSO) framework and the International Organization for Standardization (ISO) 31000.

COSO started life in 1992 as the “Internal Control – Integrated Framework” which was updated in 2013, forming the basis for the now well-known COSO Enterprise Risk Management (or ERM) cube. The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of effectiveness and efficiency of a firm's operations.

According to ISO 31000, risk is the “effect of uncertainty on objectives”. An “effect” is a positive or negative deviation from what is expected. This definition recognizes that we all operate in an uncertain world. Whenever we try to achieve an objective, there’s always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results and sometimes we get negative results and occasionally, we get both. Because of this, we need to reduce uncertainty as much as possible.

COSO and ISO 31000 each represent a standard for managing risk. The key question is what do each of these standards say and most importantly how do they compare.  This is the context of this course.