International Risk Management Institute’s The Risk Report published Kristina Narvaez’s article on “ERM Frameworks: COSO II Versus ISO 31000”
This article provides an overview of the two leading ERM frameworks, COSO II and ISO 31000, and explains the key difference between them. The critical difference is their focus: COSO II focuses on performance-based risk management, whereas ISO 31000 focuses on risk management principles that an organization uses to develop its own risk management plan. The primary difference between ISO 31000 and the COSO II Enterprise Risk Management Integrated Framework is the shift from “an event” to “the effect risk and risk management has on an organization’s objectives”. Trying to predict events is difficult and challenging; objectives can be stated more clearly and precisely within an organization. ISO 31000 puts the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than the compliance-based function that is the focus of COSO II.