ISO 31000 and COSO - Risk Management: Understanding the References


Risk management is an essential practice for companies of all sizes and sectors, and there are several important references that can guide its implementation. Two widely recognized references are ISO 31000 and COSO.

In this article, we will explore these references, their characteristics, and how they can be applied harmoniously to strengthen risk management in your organization.


ISO 31000: A Generic International Standard

ISO 31000 is an internationally recognized standard in the field of risk management. It is published by ISO, whose portfolio of management system standards also covers quality, environment, occupational health and safety, information security, and compliance. Unlike a requirements standard, ISO 31000 is a guideline standard, which means it is not certifiable. It provides guidance that the organization can adopt according to its needs, with the freedom to adapt it and find alternative solutions.

ISO 31000 is designed to be generic, aiming to serve companies of different sizes and sectors. It encompasses risks of any nature, so any type of risk can be handled within its framework. Although the standard does not prescribe specific treatments for particular risks, it does require that treatment options be selected and implemented, and it highlights the importance of defining actions to reduce and mitigate risks and of preparing responses for when they materialize.


COSO: Financial and Compliance Risk Management

COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, is another widely used reference for companies seeking to manage financial and compliance risks. COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), following a series of corporate fraud and bribery scandals in the United States in the 1970s and early 1980s.

Like ISO 31000, COSO emphasizes the need to identify and manage risks. However, where ISO 31000 leaves the organization of risk treatment open, COSO guidance structures it around the "Three Lines of Defense" model, formalized by the Institute of Internal Auditors (IIA) in 2013 and adopted in joint COSO and IIA guidance, which assigns control and assurance responsibilities to three distinct groups within the organization.


The Three Lines of Defense Model

The model divides risk treatment into three distinct lines of defense:

  • First line of defense: The controls applied by the operational processes where risks occur, owned by the people who run those processes. For example, a finance department may have specific internal controls, such as segregation of duties and approval limits, to mitigate financial risks.
  • Second line of defense: Controls performed by separate functions that monitor and oversee the activities of the first line. For example, an internal control or compliance department may verify the balances and reconciliations produced by the financial processes.
  • Third line of defense: An independent function, usually internal audit, that does not report to the owners of the first two lines. It conducts audits to verify that the controls over financial risks have been properly implemented and are operating effectively.


ISO 45001: Hierarchy of Five Levels of Control

In addition to ISO 31000 and COSO, there is another relevant reference for risk management, ISO 45001. This standard specifically addresses risk management in occupational health and safety. Unlike COSO, which uses the Three Lines of Defense model, ISO 45001 presents a hierarchy of five levels of control for risk treatment.

This hierarchy treats eliminating the hazard as the preferred control. If that is not possible, controls further down the hierarchy are applied, in order of decreasing effectiveness: substitution with less hazardous processes, materials or equipment; engineering controls and reorganization of work; administrative controls, including training; and, as a last resort, adequate personal protective equipment to mitigate the effects of exposure.



Although ISO 31000, COSO, and ISO 45001 have different approaches and structures for risk management, they are not contradictory. In fact, these references complement each other and can be implemented harmoniously. It is important to simplify and adapt the approaches to the specific needs of your organization. Both ISO 31000 and COSO go through similar stages, such as identifying the organization’s context, selecting key risk scenarios, and treating risks, followed by continuous learning and improvement of the risk management system. By understanding and utilizing these references in an integrated manner, your organization will be better prepared to face challenges and ensure the effectiveness of its risk management.

QMS Certification

QMS is an accredited third-party certification body, currently present in 33 countries, focused on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition through its technical level, customer satisfaction and competitive pricing.
