Seeing risk sliced up by department is the traditional model of management. Finance handles finance, quality handles quality, compliance handles compliance. ERM — enterprise risk management — does the opposite: it looks across the whole company, integrated with strategy. The world's two great frameworks for this are COSO ERM and ISO 31000. This piece sorts out the structure of the two frameworks, when to use each, and where materials review sits within them.
01 Summing Up Isolated Controls Misses Something
Traditional risk management was self-contained within each department. Foreign-exchange risk to the finance department, product incidents to the quality division, advertising deviations to the review function. Each guards its own post. At first glance, this looks reasonable.
The problem arises when risks chain across departmental boundaries. Summing isolated risks cannot capture the correlation between risks, or the domino effect in which a single tear spreads into another domain. The path by which one materials deviation chains into regulatory response, press coverage, loss of trust, and a rising cost of capital (taken up in Vol. 9) is invisible if you look only at the review function. So management puts in place a framework that ties the whole company together along a single line — "objective → risk → response." This is the starting point of ERM.
02 The Two Great Frameworks — COSO ERM and ISO 31000
Two frameworks are widely referenced for ERM: COSO ERM 2017, set out by the U.S. Committee of Sponsoring Organizations of the Treadway Commission (COSO), and ISO 31000:2018, from the International Organization for Standardization. Their aims are close, but their origins and emphases differ.
COSO ERM 2017 is a framework that integrates risk management into strategy and performance, built from 5 components and 20 principles: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. "Governance and culture" sits at the foundation — if it gives way, the components above it stop working. ISO 31000, by contrast, is a general-purpose framework not bound to any particular industry or organization, organized in three layers: principles, framework (leadership and commitment), and process (risk identification, analysis, evaluation, and treatment).
COSO ERM 2017: 5 components, 20 principles, integrated with strategy
On a foundation of "governance and culture," it binds together strategy, performance, review, and communication. It can be implemented as an extension of internal control, and is easy to discuss in connection with governance.
ISO 31000:2018: three layers (principles, framework, process)
An industry-agnostic, general-purpose frame. It runs risk as a process of identification, analysis, evaluation, and treatment, and places leadership's commitment at the center of the framework.
Common to both: objective → risk → response, unified across the company
Both treat risk across the organization, working back from the organization's objective rather than summing local optima. The names and granularity differ, but the idea of keeping it consistent enterprise-wide is shared.
03 Which to Use — Governance-Leaning COSO, General-Purpose ISO
The two are not in opposition. COSO is continuous with internal control, which makes it easy to place in the context of board oversight and governance. When the conversation extends to compensation, evaluation, and control activities, COSO's five components mesh with the language of management. This lies on the same governance continuum as the mechanism by which outside directors supervise execution from an independent position (The Board's View, Vol. 4).
By contrast, ISO 31000, as a general-purpose frame, is suited to building the procedures of on-the-ground risk assessment. Because its process is explicit, it is easy to translate into the work of individual review and evaluation. Many companies use the two in layers — COSO at the governance level, ISO at the operating level. The choice is not which is correct, but which layer you happen to be talking about right now. Framed that way, the relationship between the two frameworks does not become confusing.
04 Materials Review Is One Process Within ERM's Control Activities
So where does materials review sit within this framework? In COSO ERM terms, review is one of the control activities; in ISO 31000 terms, it corresponds to the risk-treatment process. The act of inspecting materials before they go out and stopping deviations has a clear place as part of enterprise-wide risk management.
Once you grasp this placement, the way you explain review changes. Frame review as "an isolated censorship that rejects the field's work," and all you create is conflict with sales. Frame it within the enterprise framework — "this is one process among ERM's control activities" — and review is understood as a function that serves the objectives of management. If you know the difference — COSO leaning toward internal control, ISO toward a general-purpose frame — you can tell whether the other party is talking about governance or about operations, and hold the dialogue on the same ground. Sharing the name of the framework is also a way for the reviewer to hold the same language as management.
- Unlike isolated risk management, ERM looks across the whole company, integrated with strategy. Summing local optima misses the correlations and the dominoes.
- COSO ERM 2017 has 5 components and 20 principles. "Governance and culture" is the foundation, and it is easy to discuss as continuous with internal control.
- ISO 31000:2018 has three layers — principles, framework, process. An industry-agnostic, general-purpose frame, easy to translate into on-the-ground procedures.
- Materials review is one process within ERM's control activities. Not isolated censorship, but a function with a place inside enterprise-wide risk treatment.
- COSO, Enterprise Risk Management — Integrating with Strategy and Performance (COSO ERM 2017). Sets out the 5 components and 20 principles that integrate risk management with strategy and performance.
- ISO, ISO 31000:2018, Risk Management — Guidelines. An international standard that systematizes risk management in three layers: principles, framework, and process.