by Anastasija Rackovska, and the IRM Financial Services Group

Organisations of all sizes face risks that are more interconnected, faster moving, and harder to predict than ever before. Managing those risks effectively is not a back-office exercise – it’s a strategic priority. And when it comes to Enterprise Risk Management (ERM), two names dominate the landscape: ISO 31000 and COSO ERM.

(It’s also worth noting the relevance of the Orange Book in the UK public sector context, although we won’t explore that in detail here.)

While both frameworks aim to improve how organisations manage risk, they come from different schools of thought and are used in different parts of the world. So let’s have a closer look…

The COSO ERM Framework, developed in the United States, is detailed, structured, and well-known in sectors like finance, audit, and governance. It’s especially popular in North America, where regulatory and financial reporting controls are tightly interlinked with risk management.

On the other hand, ISO 31000, published by the International Organization for Standardization, is used worldwide. Its flexible, principles-based design makes it adaptable across industries and geographies – from small companies to large corporations and even government agencies.

While survey data can be patchy, often lacking detail on geography or sample size, multiple sources indicate a clear trend:

  • COSO ERM is more prevalent in the United States.
  • ISO 31000 sees stronger global adoption, particularly across Europe, Asia, Africa, and within international institutions.

Comparison at a glance

                   ISO 31000                               COSO ERM
Publisher          ISO (International)                     COSO (US-based)
Approach           Principles-based, adaptable             Structured, governance-focused
Popular Regions    Europe, UK, Asia, global                North America
Strengths          Flexibility, simplicity, integration    Financial control, audit, internal governance
Certification      ISO 31000 Certified Risk Manager,       COSO Enterprise Risk Management
                   Lead Risk Manager, or similar titles,   Certificate Program – offered by
                   offered by recognised training bodies   partnering organisations
                   such as PECB, BSI (British Standards
                   Institution) and others

Now let’s explore ISO 31000 a bit more: what makes it stand out?

At just 16 pages long (15 without the bibliography), ISO 31000 might seem modest in size, but it offers a robust foundation for designing, implementing, and continuously improving risk management. Rather than providing a checklist of actions, ISO 31000 gives you a set of principles and a clear process. It’s less about compliance and more about building a mindset – one that gets people actually thinking and helps them make informed choices.

The standard is based on three core components:

Principles: The foundation for effective risk management, including integration, customisation, inclusion, and continual improvement.

Framework: The structure that ties risk management to leadership, culture, and strategic direction.

Process: A structured cycle that includes communication, context setting, risk identification, analysis, evaluation, treatment, and ongoing monitoring.

Together, these create a dynamic approach that can grow and evolve with your organisation.

The principles are key: they aim at value creation and define how the framework should be structured. The principles are:

  1. Integrated. Risk considerations should be seamlessly integrated into how the organisation operates, influencing everything from routine activities to strategic decisions. It must be actively used by the first line and decision-makers, not confined to the second line creating well-crafted documents purely for compliance. True integration means risk thinking becomes a natural part of how the organisation operates and makes decisions.
  2. Structured and Comprehensive. A consistent, well-organised approach helps ensure that no significant risks are overlooked. When everyone follows the same framework, it enhances clarity, reliability, and coordination across the organisation.
  3. Customised. There’s no one-size-fits-all. Your risk approach should reflect your organisation’s goals, culture, size, and environment. Adapt the framework to your reality.
  4. Inclusive. The more perspectives you include, the better your understanding of risks. Involve the right people at the right time, from across departments, levels, and roles.
  5. Dynamic. Risks evolve quickly and so should your approach. ISO 31000 promotes continuous monitoring, regular updates, and adaptability to changes in both your internal operations and the external environment.
  6. Best Available Information. You’ll never have all the information; if you did, there would be no uncertainty, and risk management would be simple. Instead, decisions should be based on the best information you have, whether it’s data, expert insights, or stakeholder feedback. But also be aware of uncertainty and limitations.
  7. Human and Cultural Factors. People influence how risks are perceived, assessed, and managed, and human and cultural factors are risk sources in their own right. Effective risk management recognises that behaviours, biases, incentives, and organisational culture can shape decisions, introduce vulnerabilities, or strengthen resilience.
  8. Continual Improvement. Risk management isn’t a one-off project. It should improve over time – through learning, experience, and feedback.

As you can see, where ISO 31000 truly shines is in its philosophy. It doesn’t tell you what to do. It guides you on how to think about risk – in context, with purpose, and with adaptability.

It encourages you to:

  • Understand YOUR environment: internally and externally
  • Adapt to YOUR size, complexity, and objectives
  • Think critically, rather than follow steps blindly

Used well, ISO 31000 becomes a backbone. From there, you can build a risk management approach that reflects YOUR operations, supports YOUR strategy, and fits YOUR culture.

ISO 31000 isn’t just about managing risk. It’s about maturing how we manage risk. It emphasises clear information flow, timely communication across departments and, of course, risk awareness as part of everyday decision-making. When organisations embrace this way of thinking, risk management becomes embedded in planning, operations, and culture, not just a formality for auditors or regulators.

This maturity is what separates effective risk management from symbolic gestures. ISO 31000 helps you focus on what’s important, not just what’s easy to measure.

Conclusion: ISO 31000 Made Simple, But Powerful

If you’re looking for a way to improve risk management in a thoughtful, adaptable, and practical way – ISO 31000 is a strong starting point.

It won’t give you all the answers. But it will help you ask the right questions.

And when applied with intent and understanding, ISO 31000 offers something better than rigid controls: a sustainable approach to managing uncertainty in a way that fits your reality.

It’s not just about what you do. It’s about how you do it and why.

Additional sources:

You may also find this article useful – Risk Management: A Maturity Model Based on ISO 31000 (link). It presents a structured model for assessing the maturity of risk management practices in organisations, aligned with the ISO 31000 standard.