To further professionalize risk management, it is important to apply a good and recognized framework for risk management. COSO ERM and ISO 31000 are the world’s two most important standards for enterprise risk management (ERM). What exactly do these ERM standards mean? And what are the main similarities between COSO ERM and ISO 31000? You can read about it in this blog article.

What is COSO ERM?

COSO ERM is a widely used risk management model that provides guidelines for internal controls and their management. It is a framework that helps you gain more insight into the realization of important organizational objectives, for example in the field of the efficiency of business processes or compliance with laws and regulations.

The COSO framework interweaves four categories of risk (strategic risks, operational risks, risks in the field of management information, and risks from legislation and regulations) with the process steps that you have to go through and that almost every large organization has to deal with.

What is ISO 31000?

ISO 31000 is an ERM framework that consists of three main parts:

  • The risk management principles that form the foundation of the model.
  • The framework that encompasses the entire policy cycle: support, risk policy, context analysis, implementation, review and improvement. This allows you to manage all processes surrounding risk management within your organization so that you remain in control.
  • The process. These are the known steps of identification, analysis, evaluation and management of risks.

ISO 31000 was developed to seamlessly integrate risk management into existing management systems of organizations. This prevents an ERM system or policy from being developed that does not match your day-to-day business operations.

COSO ERM and ISO 31000: the similarities

But how do COSO ERM and ISO 31000 relate to each other? First, let’s look at the main similarities between the frameworks.

Broader view of risk management

Both guidelines broaden the scope of risk management. They view risk taking not only as negative, but also as a way of seizing opportunities responsibly.

Both frameworks are guidelines

COSO ERM and ISO 31000 are not associated with certifications or mandatory compliance. They are guidelines that provide high-level advice and act as direction indicators for effective risk management.

Both guidelines are an improvement over their predecessors: the 2004 version of COSO ERM and the version of ISO 31000 from before 2017, respectively.

Direct link to decision making

Both COSO ERM and ISO 31000 incorporate risk management into the day-to-day decision-making process within an organization. Risk management thus becomes a daily part of important business processes and decision-making processes.

COSO ERM and ISO 31000: the differences

In addition to similarities, there are also clear differences between COSO ERM and ISO 31000. We briefly summarize the most important ones.

Structure and size

The structure and size of the two frameworks differ. ISO 31000 is largely standardized and compact (16 pages), while COSO ERM is very extensive (more than 100 pages) and less structured.

Geographical scope

ISO 31000 is the official ERM standard for organizations in about 70 countries. Most of the parties that have contributed substantially to COSO ERM are located in the United States.

Target audience

COSO ERM mainly targets people and organizations in fields such as auditing and accounting. ISO 31000 is written for anyone with an interest in risk management. As a result, ISO 31000 also places a stronger focus on risk management as an essential part of strategic planning processes.

Framework and process

ISO 31000 makes a clear distinction between framework and process, while COSO ERM combines these two elements of risk management.

Vision on risk

The two frameworks treat the concepts of risk and risk management slightly differently. COSO ERM mainly focuses on minimizing risks, while ISO 31000 is not so much based on the constant avoidance of risks, but mainly wants to help an organization achieve its goals as well and as quickly as possible.

Difficulties in making a choice? INTERMEDIATE helps you

So which framework is the best choice? That depends entirely on your organization, processes, working methods and personal preferences. Anyone who strives for a compact, generically applicable and highly standardized framework for risk management is better off with ISO 31000. Do you want a little more freedom in setting up your risk management? Or are you looking for a framework that takes into account the special needs of auditors and accountants? Then COSO ERM is likely a better fit for your organization.

INTERMEDIATE can help you make the right choice. Our network houses various interim professionals who are completely at home in the world of risk management and who know ISO 31000 and COSO ERM like the back of their hand.

Curious about the possibilities?
Please feel free to contact us without obligation!