COSO ERM 2017 vs ISO31000:2018

Can one of the documents be more useful than the other? And if yes, useful for whom, risk practitioners, regulators, auditors or consultants? Or have both documents failed to account for the actual growth in the risk management maturity and will be looked at with disappointment by risk professionals? Should you, as a risk practitioner, even bother to read both documents? And what should you tell an external auditor next time he recommends adopting one of the documents?

I will try and answer all these questions in the upcoming free webinar:


RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


2 thoughts on “COSO ERM 2017 vs ISO31000:2018

  1. Hello Alex,

    Just wanted to know why you always focus on ISO 31000 applicability on non-financial companies. In your opinion, do you feel that COSO ERM 2017 is a more suitable framework than ISO 31000 for financial companies and why?

    1. Of course not, coso erm is rubbish for any industry. The only reason why I always say applicable to non financial is because I never worked in a bank and feel I have no right to comment on risk management in fs

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.