1.5 Standards and models

The previously mentioned COSO ERM is a risk management framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of five US professional associations in the accounting, auditing and financial management fields. Its background lies in the US Treadway Commission, which was set up to study fraudulent financial reporting and which promotes the responsible operation of public and private organizations.

The starting point of COSO ERM is compliance and internal control, but, according to the framework itself, ERM is not merely internal control or internal audit, although it uses the same concepts: it is meant to be integrated with strategy setting and performance management across the whole organization.

COSO ERM presents five components of risk management, which are divided into 20 principles. COSO also publishes supplementary guidance with concrete models for risk assessment and risk evaluation.

COSO ERM, the 20 risk management principles

The COSO ERM presentation can be downloaded from the following address:


ISO standards and guidelines

The International Organization for Standardization, ISO, has published several standards and guidelines related to risk management, including the following:

  • ISO 31000 is an industry-independent risk management standard. It describes risk management concepts and terms, a set of principles, and recommendations for creating a risk management framework and process. It views risk management as a strategic activity that supports decision-making, and it is guidance only: an organization cannot be certified against ISO 31000.
  • ISO 31004:2013 is an application guideline (guidance for implementation) for ISO 31000.
  • ISO/IEC 31010:2009 (published jointly with the IEC) describes systematic techniques for risk assessment, such as structured what-if analysis, fault tree analysis and risk matrices, and which of them suit the identification, analysis and evaluation phases.
  • ISO/IEC 27001 is an information security management system (ISMS) standard. It requires the organization to define and run an information security risk assessment and risk treatment process, so the ISMS is a key part of the organization's overall risk management, and it is a standard that organizations can be certified against.
  • ISO Guide 73:2009 is a vocabulary of risk management and risk assessment terms, shared by the standards above.

ISO standards are universal and highly recognised. Several certifications are also based on them; note, however, that this applies to management system standards such as ISO/IEC 27001, whereas ISO 31000 and the guidance documents around it are not intended for certification.