Comparing COSO and the ISO 31000
Risks are a normal part of doing business. But if you ignore them, they can undermine the sustainability of your accounting firm. For instance, the risk of a cyber-attack can increase the chances that your firm will lose valuable data and clients, as well as have to settle expensive lawsuits.
Luckily, there are a variety of standardized risk management frameworks that can give you control over your firm's risk landscapes. Ideally, the ISO 31000 and the COSO ERM guidelines are the best ERM frameworks. Here is a comparison of the two guidelines, as well as how your business can leverage them in improving your daily operations.
What is COSO?
COSO was invented by five professional associations: The American Accounting Organization, The Institute of Management Accountants, American Institute of Certified Public Accountants, Financial Executives International, and the Institute of Internal Auditors.
As an ERM framework, COSO is meant to provide guidelines for enterprise risk management implementation.
What is the ISO?
The ISO (International Organization for Standardization) is a global organization that looks to set operational standards for different industries. While it was formed by 25 countries in February 1947, it aims at standardizing issues that cut across industries. Ideally, the ISO 31000 tends to be among the many guidelines that the ISO has made over the years.
The COSO ERM framework in a nutshell
The COSO ERM (Enterprise Risk Management-integrated Framework), which was updated in 2016, acts as a standardized ERM framework that defines the intricacies of various internal control and corporate risk management concepts.
Some of the framework's main objectives include defining essential ERM components, establishing a common language, and providing participating bodies with an ERM guiding document.
The framework has five components:
Strategic and objective setting: requires firms to set measurable goals as they draft their risk tolerance strategies.
Information, communication, and reporting: requires internal and external stakeholders to maintain high levels of effective communication.
Performance: it requires participating bodies to implement effective risk prioritization and reporting.
Governance and culture: requires ERM-related oversight to be done on a day to day basis within participating entities.
Review and revision: It outlines how firms can measure the effectiveness of their internal controls through auditing, evaluation, and monitoring. It also showcases how to improve these aspects.
ISO 31000 guidelines
The ISO 31000, which was released in 2018, offers participating entities a risk management framework that is not only standardized but also streamlined. As such, organizations can use the guidelines to implement strong ERM strategies that are custom-made for their needs.
From the ISO's perspective, ISO 31000 isn't a standard that can be evaluated and certified. However, it provides the entities that implement it as a solid benchmark that is internationally recognized.
While the ISO 31000 covers a variety of thematic areas, it recommends:
Risk management should be part and parcel of decision making
Risk management should be considered a source of sustained value and should be implemented as such
ERM should be part of the core processes of participating organizations
Instead of risk management being treated as a standard template, it should be customized to the specific needs of the participating entities.
The ISO 31000 comprises of two parts, which include the framework and the underlying process.
The framework is deemed the overall ERM structure that an organization upholds. The processes, on the other hand, outlines the best practices for risk identification and management.
Just like the COSO ERM framework, the guidelines contained in the ISO 31000 outline things like implementation, policy and governance, continual improvement, monitoring and review, and program design.
ISO 31000 and ICT risk management
Risk management touches on all aspects of doing business today, from cyber-security to accounting. Any new ICT threats can wreak havoc to other parts of the organization. That's why the global approach to ERM is essential.
The ISO 27001 policy framework has, for a long time, been the policy that ICT professionals refer to when designing their risk management strategies and policies. It comprises of more specific ERM procedures that deal with ISMS (Information Security Management Systems). However, by adopting a broad-based framework, such as the ISO 31000, IT departments can align their ERM activities with the rest of the organization. For instance, it can be easy for IT departments in accounting firms to craft strategies for the business as a whole.
Similarities between the ISO 31000 and COSO ERM
Both frameworks have a lot in common, even though they are from two completely different sources. They are both designed for organizations that want to use standardized ERM frameworks. They also cover vital thematic areas in ERM, such as continuous improvement, governance, and monitoring and review.
Differences between ISO 31000 and COSO ERM
While the frameworks provide firms with a pragmatic and unified ERM approach, they do have their differences.
Some of these differences include:
While COSO targets accounting and auditing agencies, ISO 31000 can be used by any organization
ISO 31000 is used globally, while COSO's main users are in North America
While COSO focuses broadly on corporate governance as a vital aspect of ERM, ISO offers risk management as a part of an organization's entire strategic planning.
ERM is crucial for the sustainability of any business. When implemented, enterprise risk management can help reduce or eliminate both internal and external risks that arise from uncertainty in different business environments. This will involve a variety of activities that may differ from one business to another.
The ISO 31000 and COSO ERM frameworks focus on all aspects of ERM deeply, including compliance, reporting, operations, and strategy. Your accounting firm can rely on either of the two or both frameworks to have some control over your risk landscape.