Two widely recognized references for risk management are ISO 31000 and COSO. In this article, we will explore these references, their characteristics, and how they can be applied together to strengthen risk management in your organization.
ISO 31000: A Generic International Standard
ISO 31000 is an internationally recognized standard in the field of risk management. It belongs to the ISO family of standards, which also covers quality (ISO 9001), environment (ISO 14001), occupational health and safety (ISO 45001), information security (ISO/IEC 27001), and compliance management. Unlike a requirements standard, ISO 31000 is a guidelines standard, which means it is not certifiable. It provides guidance that an organization can adopt according to its needs, leaving it free to adapt the guidance and to find alternative solutions.
ISO 31000 is deliberately generic, aiming to serve organizations of different sizes and sectors. It covers risks of any nature, so any type of risk (financial, operational, safety, information security, and so on) can be managed within its framework. Although the standard does not prescribe specific controls for particular risks, it stresses that treatment actions must be defined to reduce the likelihood of risks or to mitigate their consequences when they materialize.
COSO: Financial and Compliance Risk Management
COSO, short for Committee of Sponsoring Organizations of the Treadway Commission, is another widely used reference for companies seeking to manage financial and compliance risks. COSO was formed in 1985 to sponsor the Treadway Commission, which was set up in response to cases of fraudulent financial reporting in the United States.
Like ISO 31000, COSO emphasizes the need to identify and manage risks. However, COSO goes further in how it organizes the control of those risks. While ISO 31000 does not define a specific organizational structure for risk treatment, COSO's internal control framework is applied through a structure known as the "Three Lines of Defense" model, originally published by the Institute of Internal Auditors and adopted in COSO guidance.
The Three Lines of Defense Model
The model assigns the control of risks to three distinct lines of defense:
- First line of defense: the controls applied within the processes where the risks occur, owned by operational management. For example, a finance department may have specific internal controls (approval limits, segregation of duties) to mitigate financial risks.
- Second line of defense: the functions that monitor and oversee the controls of the first line, such as risk management, compliance, or internal control. For example, an internal control department may reconcile and verify the balances produced by the financial processes.
- Third line of defense: an independent function, usually internal audit, that is not part of the other two lines and reports to the board or audit committee. It conducts audits to verify that the controls over financial risks have been properly implemented and are operating effectively.
ISO 45001: Hierarchy of Five Levels of Control
In addition to ISO 31000 and COSO, there is another relevant reference for risk management, ISO 45001. This standard specifically addresses risk management in occupational health and safety. Unlike COSO, which uses the Three Lines of Defense model, ISO 45001 presents a hierarchy of five levels of control for treating hazards.
This hierarchy treats eliminating the hazard as the preferred control. If that is not possible, controls that reduce or modify the risk are applied, in descending order of preference: substitution with less hazardous processes, materials, or equipment; engineering controls and reorganization of work; administrative controls, including training; and, as a last resort, personal protective equipment, which only mitigates the effects of the hazard.
Although ISO 31000, COSO, and ISO 45001 have different approaches and structures for risk management, they are not contradictory. In fact, these references complement each other and can be implemented together. It is important to simplify and adapt the approaches to the specific needs of your organization. Both ISO 31000 and COSO go through similar stages: establishing the organization's context, identifying and assessing the key risk scenarios, and treating the risks, followed by continuous learning and improvement of the risk management system. By understanding and using these references in an integrated manner, your organization will be better prepared to face challenges and to ensure the effectiveness of its risk management.