The implementation of multiple enterprise risk management (ERM) systems is a complex process that most organizations may find overwhelming. Nevertheless, adopting the updated COSO ERM and ISO 31000 frameworks should be a priority if compliance requirements are to be met. Although there are different of definitions and processes for establishing risk tolerance available, COSO ERM and ISO31000 offer unified value, enabling organizations to effectively manage risk.
ISO 31000 and COSO ERM
What is COSO?
The Committee of Sponsoring Organizations (COSO) was founded in 1985 with the aim of aiding the National Commission on Fraudulent Financial Reporting. It was structured to develop frameworks and guidance on internal control, fraud prevention, and risk management. COSO was founded by five professional associations, which include the American Institute of Certified Public Accountants (AICPA), American Accounting Organization (AAA), Institute of Management Accountants (IMA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI).
What is ISO?
The International Organization for Standardization (ISO) was established in 1946. It came about when delegates from 25 countries who met at the Institute of Civil Engineers in London agreed to institute a new organization that would form and unify industrial standards.
What Does the COSO Framework Entail?
The COSO Framework offers an applied risk management approach to internal controls and is applicable to both internal and financial reporting. It focuses on 5 interconnected strategic points, which include:
- Governance and Culture, which relates ERM oversight to day-to-day activities.
- Strategy and Objective Setting, which debates that risk tolerance must lay down goals that are objectively measured.
- The Performance, which requires risks prioritization and efficient reporting.
- The Review and Revision, which involves constant internal audit and monitoring to modify controls as necessary.
- Information, Communication and Reporting, which requires continuous communication with both external and internal stakeholders.
The most recent update to the COSO Framework occurred in 2016.
What is the ISO 31000 Standard?
In 2018, ISO re-released the ISO 31000 Standard, with the new version giving streamlined definitions that focus on 11 integrated and iterative principles.
- The ISO 31000 standard institutes from the assertion that risk management creates and maintains value.
- It’s necessary for organizations to incorporate ERM into their organizational processes.
- After incorporating ERM into their processes, organizations should include risk in decision making.
- Inclusion of risk arises out of the importance of addressing ambiguity.
- Effective ERM calls for a structured, systematic, and well-timed process.
- Effective ERM depends on integrating the best information available.
- Organizations should tailor their ERM to their specific risks.
- Organizations should incorporate cultural and human factors to ensure that stakeholders’ needs are addressed.
- This enables organizations to provide transparent and all-encompassing risk management.
- Continuous effective ERM means organizations must be dynamic and iterative in their processes in order to respond to change.
- ERM processes help organizations to enhance their risk and compliance incessantly.
Why ISO 31000 is Invaluable to IT Professionals
ISO 31000 is useful to IT professionals in the sense that it provides them with ERM guidelines that match ISO’s preferred outcomes. For instance, IT professionals utilize 27001 to focus their Information Management Systems (ISMS). As part of that, 27001 references ISO 9000 which draws the risk principles from ISO 31000.
Similarities between ISO 31000 and COSO ERM Framework
- They both focus on evaluating risk, treating risk, and continually monitoring risk.
- They are very insistent on assessing risk and revising as threats constantly evolve.
- ISO 31000 offers wider directives that enable organizations to fit COSO’s principles of ERM into overarching corporate governance.
Disparities between ISO 31000 and COSO ERM Framework
- While ISO 31000 presents a more massive risk model, COSO focuses directly on financial reporting.
- With ISO 31000, the risk process begins with defining the purpose and scope of ERM activities. With COSO, the risk process begins with reviewing the organization’s strategies and aligning risks to each one of them.
How COSO ERM Framework and ISO 31000
Help the Board of Directors Manage Risk
It’s the duty of the Board of Directors to supervise the risks that are inherent to their business activities in a meaningful manner. Both ISO 31000 and COSO insist on the management’s value to the decision-making process, which means that as the executive management, the BOD must understand all risks involved and determine how they hinder their organizations to achieve their business goals.
How Do Organizations Benefit from Automating Compliance?
In order to meet the requirements of certified internal auditors, information security teams need agile tools that enable them to efficiently collect relevant data regarding their control environments. One of these agile tools is the ZenGRC, which is an automated platform that not only helps stakeholders to keep track of tasks and changes, but also cuts down on the time and money spent on compliance efforts.