Depends!  We’ve used both extensively.  Here’s some top on the mind thoughts.

COSO ERM and ISO 31000 are both reliable risk management frameworks.  We call COSO ‘ERM heavy’ and ISO 31000 ‘ERM light’.

So why is COSO ‘ERM heavy?’  COSO ERM addresses GRC, ERM, and other organizational issues.  COSO has been used by companies to design, deploy, and assure internal control systems.  COSO has developed non financial control systems that integrates well with financial control systems.  COSO emphasizes a system of control.

COSO risk taxonomy is also more mature than ISO 31000.  Let us look at the difference in the definition of ‘risk appetite.’  ISO 31,000 defines ‘risk appetite’ as:

“The amount and type of risk that organizations are prepared to pursue, retain, or take.”

COSO defines risk appetite as the:

“… Amount of risk, on a broad level, an organization is willing to accept in pursuit of value.  Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so. “[i]

COSO has a Board level, strategic, and more nuanced definition of risk appetite.  This is one of the reasons why we consider COSO to be more comprehensive, mature, and authoritative ERM guideline than ISO 31000.  ISO 31000 is also less than 25 pages, while COSO is more than 150 pages of narrative and guidelines.

Lesson Learned:  Follow these guidelines if you are in doubt about where to start your Risk Based Thinking  journey and what risk management framework to choose.  If you are a small company and are pursuing ISO 9001:2015 certification, adopt and adapt ISO 31000 for your RBT.  If you are a medium to large company pursuing ISO 9001:2015 certification, adopt and adapt COSO.  COSO has a financial orientation, is mature, is broader, and chances are your organization is already using it for Sarbanes Oxley compliance.