QMS Certification Blog
ISO 31000 and COSO - Risk Management: Understanding the References

Risk management is an essential practice for companies of all sizes and sectors, and there are several important references that can guide its implementation. Two widely recognized references are ISO 31000 and COSO.

In this article, we will explore these references, their characteristics, and how they can be applied harmoniously to strengthen risk management in your organization.


ISO 31000: A Generic International Standard

ISO 31000 is an internationally recognized standard in the field of risk management. It is part of the ISO family of standards, which spans quality, environment, health, safety, information, and compliance. Unlike a requirements standard, ISO 31000 is a guideline standard, which means it is not certifiable. It provides guidance that the organization can adopt according to its needs, with the freedom to adapt it and find alternative solutions.

ISO 31000 is designed to be generic, aiming to serve companies of different sizes and sectors. It encompasses risks of various natures, allowing any type of risk to be handled within its framework. Although the standard does not establish specific treatments for risks, it highlights the importance of establishing actions to reduce and mitigate them when they occur.


COSO: Financial and Compliance Risk Management

COSO, short for Committee of Sponsoring Organizations, is another widely used reference for companies seeking to manage financial and compliance risks. COSO was established in response to corruption scandals that occurred in the 1960s and 1970s, particularly in the United States.

Like ISO 31000, COSO emphasizes the need to identify and manage risks. However, while ISO 31000 does not define specific approaches to risk treatment, COSO goes further by establishing a structure that divides risk treatment into three lines of defense, known as the “Three Lines of Defense” model.


The Three Lines of Defense Model

COSO divides risk treatment into three distinct lines of defense:

  • First line of defense: controls applied in the processes where the risks occur. For example, a finance department may have specific internal controls to mitigate financial risks.
  • Second line of defense: controls performed by other processes that monitor and oversee the activities of the first line of defense. For example, an internal control department may verify the balances of the financial processes.
  • Third line of defense: an independent process, usually internal audit, that is not directly related to the other two lines of defense. This process conducts audits to verify whether financial risks have been properly controlled and whether the corresponding controls have been implemented.


ISO 45001: Hierarchy of Five Levels of Control

In addition to ISO 31000 and COSO, there is another relevant reference for risk management: ISO 45001. This standard specifically addresses risk management in occupational health and safety. Unlike COSO, which uses the Three Lines of Defense model, ISO 45001 presents a hierarchy of five levels of control for risk treatment.

This hierarchy treats risk elimination as the preferred control. If elimination is not possible, controls that reduce or modify the risk are suggested, including engineering controls, administrative controls, and controls that mitigate the effects.

Although ISO 31000, COSO, and ISO 45001 have different approaches and structures for risk management, they are not contradictory. In fact, these references complement each other and can be implemented harmoniously. It is important to simplify and adapt the approaches to the specific needs of your organization.

Both ISO 31000 and COSO go through similar stages: identifying the organization’s context, selecting the key risk scenarios, and treating the risks, followed by continuous learning and improvement of the risk management system. By understanding and using these references in an integrated manner, your organization will be better prepared to face challenges and ensure the effectiveness of its risk management.
