Every organisation needs a structured approach to managing risk, but the number of available risk management frameworks can be overwhelming. ISO 31000, COSO ERM, King IV, NIST RMF, IRM Standard — each has its strengths, its ideal use cases, and its limitations. Choosing the wrong framework wastes time and resources. Choosing the right one — or the right combination — gives your organisation a coherent, defensible approach to risk that satisfies regulators, boards, and stakeholders. This guide compares the major risk management frameworks in detail, with specific guidance for organisations operating in Africa.

Why Choosing the Right Framework Matters

A risk management framework is more than a document on a shelf. It shapes how your organisation identifies, assesses, treats, monitors, and reports on risk. The framework you choose determines:

  • Governance alignment: Whether your risk management approach satisfies your board, regulators, and governance codes
  • Strategic integration: How closely risk management connects to strategy-setting and performance management
  • Operational practicality: How easy it is to implement across departments and business units
  • External credibility: Whether stakeholders, auditors, and partners recognise and trust your approach
  • Scalability: Whether the framework works as your organisation grows or expands into new markets

Organisations that select a framework thoughtfully build risk management practices that are coherent, sustainable, and valued by leadership. Those that pick one arbitrarily — or try to implement one without understanding its assumptions — often end up with risk management that exists on paper but adds little real value.


Framework vs Standard

It is important to distinguish between frameworks and standards, and between two kinds of standard. A framework provides principles, structure, and guidance (COSO ERM, for example). A requirements standard specifies auditable "shall" clauses against which an organisation can be certified (ISO/IEC 27001, ISO/IEC 42001). A guideline standard, such as ISO 31000, is published and maintained as a standard but contains guidance rather than requirements, so there is nothing to certify against. COSO ERM is therefore a framework with no certification pathway; ISO 31000 is a standard but is not certifiable.

ISO 31000: Risk Management — Guidelines

ISO 31000 is the international standard for risk management, published by the International Organization for Standardization. The current version (ISO 31000:2018) provides principles, a framework, and a process for managing risk in any organisation, regardless of size, sector, or geography.

Structure of ISO 31000

ISO 31000 is built on three pillars:

Pillar | Description | Key Elements
Principles | The foundation: what good risk management should be. ISO 31000:2018 places "value creation and protection" at the centre, surrounded by eight principles | Integrated; structured and comprehensive; customised; inclusive; dynamic; best available information; human and cultural factors; continual improvement
Framework | The organisational structure for embedding risk management | Leadership and commitment; integration; design; implementation; evaluation; improvement
Process | The operational steps for managing risk | Communication and consultation; scope, context and criteria; risk assessment (risk identification, risk analysis, risk evaluation); risk treatment; monitoring and review; recording and reporting

Key Characteristics of ISO 31000

  • Universal applicability: Designed for any organisation, any sector, any geography
  • Principles-based: Provides guidance rather than prescriptive requirements
  • Not certifiable: Organisations cannot be certified to ISO 31000 (unlike ISO 27001 or ISO 9001)
  • Process-focused: Strongest on the operational risk management process
  • Technology-neutral: Does not prescribe specific tools or software
  • Internationally recognised: The most widely adopted risk management standard globally

Strengths

  • Clear, logical risk management process that is easy to follow
  • Flexible enough to adapt to any organisational context
  • Strong international recognition — understood by auditors, regulators, and partners globally
  • Integrates well with other ISO management system standards (ISO 9001, ISO 14001, ISO 27001)

Limitations

  • Less detailed on governance and board oversight than COSO ERM
  • Does not explicitly link risk to strategy and performance
  • No certification pathway — cannot demonstrate compliance through third-party audit
  • Provides limited guidance on risk culture and organisational behaviour

COSO ERM 2017: Enterprise Risk Management — Integrating with Strategy and Performance

The COSO ERM framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission. The 2017 version represents a significant evolution from the original 2004 framework, shifting the emphasis from risk control to risk-strategy integration.

The Five Components and Twenty Principles

Component | Focus | Number of Principles | Key Themes
1. Governance and Culture | Foundation for ERM | 5 | Board oversight, operating structures, culture, core values, talent development
2. Strategy and Objective-Setting | Risk in strategy | 4 | Business context, risk appetite, alternative strategies, business objectives
3. Performance | Operational risk management | 5 | Risk identification, severity assessment, prioritisation, risk responses, portfolio view
4. Review and Revision | Continuous improvement | 3 | Substantial change assessment, risk and performance review, ERM improvement
5. Information, Communication, and Reporting | Risk data and reporting | 3 | Information systems, internal communication, external reporting

Key Characteristics of COSO ERM

  • Strategy-risk integration: Explicitly links risk management to strategy-setting and performance
  • Governance-heavy: Strong emphasis on board oversight, risk culture, and organisational accountability
  • Not certifiable: Like ISO 31000, there is no certification pathway
  • Principles-based: 20 principles provide structure without being prescriptive
  • North American origin: Widely adopted in the US and by organisations following US governance models
  • Internal control heritage: Closely related to the COSO Internal Control framework, making it familiar to auditors

Strengths

  • Strongest framework for connecting risk to strategy and business objectives
  • Comprehensive governance model — clear on board roles and accountability
  • Explicit treatment of risk appetite and risk culture
  • Well understood by auditors and governance professionals
  • Portfolio view of risk — considers risk across the enterprise, not in silos

Limitations

  • More complex to implement than ISO 31000
  • Less prescriptive on the operational risk management process
  • North American bias — may require adaptation for other governance contexts
  • No formal certification or assessment mechanism
  • Can feel abstract without concrete implementation guidance

Detailed Comparison: ISO 31000 vs COSO ERM

These are the two most widely used risk management frameworks globally. Understanding their differences is essential for making an informed choice.

Dimension | ISO 31000:2018 | COSO ERM 2017
Publisher | International Organization for Standardization (ISO) | Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Origin | International (Geneva) | United States
Primary focus | Risk management process and principles | Risk-strategy integration and governance
Structure | 3 pillars: Principles, Framework, Process | 5 components, 20 principles
Strategy link | Implied: risk should be integrated into decision-making | Explicit: risk is integral to strategy-setting and performance
Governance depth | Moderate: requires leadership commitment | Strong: detailed board oversight and culture principles
Risk appetite | Mentioned but not deeply developed | Central concept: drives strategy evaluation and risk responses
Risk culture | Referenced as a human and cultural factor | Dedicated principle on culture and core values
Process detail | Strong: clear, step-by-step risk management process | Moderate: principles-based, less prescriptive on process
Certification | Not certifiable | Not certifiable
Best for | Organisations wanting a clear, flexible risk process | Organisations wanting deep strategy-risk-governance integration
Complexity | Lower: easier to implement | Higher: more comprehensive but more demanding
International recognition | Strongest globally, especially outside North America | Strongest in North America and among audit professionals globally
ISO integration | Straightforward: shares vocabulary and process model with other ISO standards, although ISO 31000 is not itself a management system standard | Requires mapping: different structure from ISO standards

They Are Not Competitors

ISO 31000 and COSO ERM are complementary, not competing. Many mature organisations use COSO ERM for governance and strategic risk integration while applying ISO 31000’s process for operational risk management. The two frameworks address different aspects of risk management and work well together.

Other Major Risk Management Frameworks

King IV and King V (South Africa)

The King IV Code and emerging King V Code are governance codes, not pure risk management frameworks. However, they have significant risk management implications for South African organisations:

  • Principle 11 (King IV): The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives
  • Principle 12 (King IV): The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives
  • Combined assurance: King IV requires coordination of assurance activities across the three lines model
  • Integrated reporting: Risk information must be integrated into the organisation’s annual reporting

King IV/V does not replace ISO 31000 or COSO ERM — it provides the governance context within which a risk management framework operates. South African organisations typically use King IV/V for governance requirements and pair it with ISO 31000 or COSO ERM for the operational risk management approach.

NIST Risk Management Framework (NIST RMF)

The NIST RMF, published by the U.S. National Institute of Standards and Technology as NIST SP 800-37, is specifically focused on information security and cybersecurity risk. Its seven-step process (Prepare, Categorise, Select, Implement, Assess, Authorise, Monitor) is designed for managing risks to information systems.

  • Best for: Organisations focused on IT/cybersecurity risk management
  • Limitation: Not a general enterprise risk framework — focused specifically on information systems
  • African relevance: Useful for organisations with significant cybersecurity risk, particularly in financial services and telecommunications
  • Related: The NIST AI RMF extends similar thinking to artificial intelligence risk

IRM Risk Management Standard

The Institute of Risk Management (IRM) published a Risk Management Standard that provides a practical approach to risk management. It is process-focused, easy to understand, and widely used as a training and reference tool.

  • Best for: Organisations seeking a straightforward, practical risk management process
  • Limitation: Less comprehensive than ISO 31000 or COSO ERM on governance and strategy
  • African relevance: Popular among IRM-qualified risk professionals across Africa

AS/NZS 4360 (Historical)

The Australian/New Zealand Standard AS/NZS 4360 was the predecessor to ISO 31000. First published in 1995 and revised in 1999 and 2004, it was the first national risk management standard and heavily influenced the development of ISO 31000. While it has been superseded, organisations that adopted it early will find the transition to ISO 31000 straightforward, as the process structure is very similar.

Framework | Type | Primary Focus | Certifiable | Best For
ISO 31000 | Standard (guideline) | General risk management | No | Any organisation wanting a flexible, internationally recognised approach
COSO ERM | Framework | Strategy-risk integration | No | Organisations with strong governance requirements and strategy focus
King IV/V | Governance code | Corporate governance | No (apply and explain) | South African and SADC organisations
NIST RMF | Framework | Cybersecurity risk | No | IT/cybersecurity-focused organisations
IRM Standard | Standard | Practical risk process | No | Organisations seeking simplicity and practicality
AS/NZS 4360 | Standard (superseded) | General risk management | No | Historical: migrate to ISO 31000

Framework Selection Guide for African Organisations

The right framework depends on your country, sector, regulatory environment, and organisational maturity. Here is practical guidance for the major African markets.

South Africa

South African organisations operate within one of the most developed governance environments on the continent. The recommended approach:

  • Governance layer: King IV (and King V as it is adopted) — this is non-negotiable for JSE-listed companies and recommended for all organisations
  • Risk management framework: ISO 31000 or COSO ERM, depending on your priorities. ISO 31000 if you want a clear, flexible process. COSO ERM if your board wants deep strategy-risk integration
  • Cybersecurity: NIST Cybersecurity Framework or ISO 27001 for information security risk
  • Combined assurance: King IV’s combined assurance requirements align well with both ISO 31000 and COSO ERM

South Africa: King IV + ISO 31000 Is the Most Common Pairing

In practice, most South African organisations use King IV for the governance context and ISO 31000 for the risk management process. This combination provides both the governance oversight the King Code requires and the operational risk management structure that ISO 31000 delivers. COSO ERM is more common in financial services and among organisations with US-headquartered parent companies.

Nigeria

Nigerian organisations operate under the Nigerian Code of Corporate Governance (NCCG 2018) and sector-specific regulations from the Central Bank of Nigeria (CBN), Securities and Exchange Commission (SEC), and National Insurance Commission (NAICOM).

  • Governance layer: NCCG 2018, which, like King IV, is applied on an "apply and explain" basis
  • Risk management framework: COSO ERM or ISO 31000. COSO ERM is popular in Nigerian financial services due to CBN requirements. ISO 31000 is gaining adoption in other sectors
  • Financial services: CBN risk management guidelines align more closely with COSO ERM principles
  • Oil and gas: ISO 31000 is more commonly used, aligning with broader ISO management system adoption

Kenya

Kenyan organisations are guided by the Mwongozo Code of Governance for State Corporations and the Capital Markets Authority (CMA) Code of Corporate Governance Practices.

  • Governance layer: Mwongozo (state corporations) or CMA Code (listed companies)
  • Risk management framework: ISO 31000 is the most commonly adopted framework, aligning with Kenya’s strong ISO adoption across multiple standards
  • Financial services: Central Bank of Kenya (CBK) risk management guidelines draw on both ISO 31000 and COSO principles
  • Public sector: Mwongozo’s risk management requirements align well with ISO 31000’s structure

Ghana

Ghanaian organisations follow the SEC Ghana Code of Best Practices for Listed Companies and Bank of Ghana governance requirements.

  • Governance layer: SEC Code or Bank of Ghana requirements
  • Risk management framework: ISO 31000 or COSO ERM. Both are used, with ISO 31000 somewhat more common outside financial services
  • Financial services: Bank of Ghana risk management directives draw on COSO principles
  • Mining and natural resources: ISO 31000, aligning with broader ISO management system adoption in the sector

Multi-Country Operations

Organisations operating across multiple African countries face the challenge of navigating different governance codes and regulatory expectations. The recommended approach:

  • Baseline: Adopt ISO 31000 as your group-level risk management framework — its international recognition and flexibility make it the strongest foundation for multi-country operations
  • Local governance: Layer country-specific governance code requirements on top (King IV in South Africa, NCCG in Nigeria, Mwongozo in Kenya, SEC Code in Ghana)
  • Sector-specific: Add sector-specific risk requirements as needed (e.g., Basel III for banking, NIST CSF or NIST RMF for cybersecurity)
  • Reporting harmonisation: Use a common risk taxonomy and reporting structure across countries, with local variations where regulatory requirements differ

Country | Governance Code | Recommended Framework | Financial Services Preference
South Africa | King IV / King V | ISO 31000 or COSO ERM | COSO ERM (banks); ISO 31000 (insurers, asset managers)
Nigeria | NCCG 2018 | COSO ERM or ISO 31000 | COSO ERM (aligned with CBN guidelines)
Kenya | Mwongozo / CMA Code | ISO 31000 | ISO 31000 (aligned with CBK guidelines)
Ghana | SEC Code / BoG | ISO 31000 or COSO ERM | COSO ERM (aligned with BoG requirements)
Multi-country | Varies by country | ISO 31000 as baseline | Depends on dominant regulatory environment

Can You Use Multiple Frameworks?

Yes — and most mature organisations do. The key is to use them intentionally rather than accidentally.

The Mapping Approach

Rather than implementing multiple frameworks independently (which creates duplication and confusion), use a mapping approach:

  1. Choose a primary framework: This is your operational backbone — the framework that structures your day-to-day risk management activities. ISO 31000 or COSO ERM is the usual choice
  2. Map secondary frameworks: Identify where other frameworks’ requirements align with your primary framework. For example, map King IV’s Principle 11 requirements to your ISO 31000 process steps
  3. Identify gaps: Where secondary frameworks require something your primary framework does not cover, add specific activities to address the gap
  4. Create a unified reporting structure: Report against your primary framework but include cross-references showing how you satisfy secondary framework requirements
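The four steps above are easier to keep honest when the mapping is held as data rather than in a slide deck, because a script can then tell you exactly which secondary requirement no activity claims (step 3) and print the cross-referenced report (step 4). The Python below is an added example, not code from this page or from any product it mentions. The ISO 31000 process steps, King IV principles and COSO ERM components are named as on the page, but treating each as a single mappable requirement is a simplification; the activities, their owners, and which requirements each one is said to satisfy are constructed for illustration.

```python
from dataclasses import dataclass

# Requirement catalogues, named as on the page. Treating each ISO 31000 process
# step, King IV principle and COSO ERM component as one mappable requirement is
# a simplification made for this example.
CATALOGUES: dict[str, list[str]] = {
    "ISO 31000": [
        "Communication and consultation", "Scope, context and criteria",
        "Risk identification", "Risk analysis", "Risk evaluation",
        "Risk treatment", "Monitoring and review", "Recording and reporting",
    ],
    "King IV": [
        "Principle 11 (govern risk)",
        "Principle 12 (govern technology and information)",
        "Combined assurance",
    ],
    "COSO ERM": [
        "Governance and Culture", "Strategy and Objective-Setting", "Performance",
        "Review and Revision", "Information, Communication, and Reporting",
    ],
}


@dataclass
class Activity:
    """One concrete risk activity and the requirements it is claimed to satisfy."""
    name: str
    owner: str
    satisfies: dict[str, tuple[str, ...]]  # framework -> requirement names


# Constructed sample register: hypothetical activities and owners.
ACTIVITIES = [
    Activity("Quarterly risk workshop", "Risk function", {
        "ISO 31000": ("Risk identification", "Risk analysis", "Risk evaluation"),
        "King IV": ("Principle 11 (govern risk)",),
        "COSO ERM": ("Performance",),
    }),
    Activity("Risk treatment plan tracking", "Risk function", {
        "ISO 31000": ("Risk treatment", "Monitoring and review"),
        "COSO ERM": ("Performance", "Review and Revision"),
    }),
    Activity("Annual context and criteria review", "Risk function", {
        "ISO 31000": ("Scope, context and criteria",),
        "King IV": ("Principle 11 (govern risk)",),
    }),
    Activity("Board risk committee pack", "Company secretary", {
        "ISO 31000": ("Communication and consultation", "Recording and reporting"),
        "King IV": ("Principle 11 (govern risk)",),
        "COSO ERM": ("Governance and Culture", "Information, Communication, and Reporting"),
    }),
    Activity("Combined assurance map", "Internal audit", {
        "King IV": ("Combined assurance",),
    }),
]

# A hypothetical activity added once the gap analysis shows COSO ERM's
# Strategy and Objective-Setting component has nothing mapped to it.
RISK_APPETITE_REVIEW = Activity("Risk appetite statement review", "Board risk committee", {
    "ISO 31000": ("Scope, context and criteria",),
    "COSO ERM": ("Strategy and Objective-Setting",),
})


def validate(activities, catalogues=CATALOGUES) -> list[str]:
    """Flag references to frameworks or requirements not in any catalogue,
    so a typo cannot silently be counted as coverage."""
    problems = []
    for act in activities:
        for fw, reqs in act.satisfies.items():
            if fw not in catalogues:
                problems.append(f"{act.name}: unknown framework {fw!r}")
                continue
            for req in reqs:
                if req not in catalogues[fw]:
                    problems.append(f"{act.name}: unknown {fw} requirement {req!r}")
    return problems


def coverage(activities, framework, catalogues=CATALOGUES) -> dict[str, list[str]]:
    """Map every requirement of one framework (in catalogue order) to the
    names of the activities claiming to satisfy it."""
    cov: dict[str, list[str]] = {req: [] for req in catalogues[framework]}
    for act in activities:
        for req in act.satisfies.get(framework, ()):
            if req in cov:
                cov[req].append(act.name)
    return cov


def gaps(activities, framework, catalogues=CATALOGUES) -> list[str]:
    """Step 3: requirements of a framework that no activity covers."""
    return [req for req, names in coverage(activities, framework, catalogues).items() if not names]


def unified_report(activities, primary="ISO 31000", catalogues=CATALOGUES) -> list[str]:
    """Step 4: one line per primary-framework requirement, cross-referencing
    the secondary-framework requirements the same activities also satisfy."""
    lines = []
    for req, names in coverage(activities, primary, catalogues).items():
        acts = [a for a in activities if a.name in names]
        xrefs = sorted({f"{fw}: {r}" for a in acts
                        for fw, rs in a.satisfies.items() if fw != primary for r in rs})
        status = ", ".join(names) if names else "GAP"
        suffix = f" [also covers {'; '.join(xrefs)}]" if xrefs else ""
        lines.append(f"{primary} / {req}: {status}{suffix}")
    return lines


if __name__ == "__main__":
    assert not validate(ACTIVITIES)
    for fw in CATALOGUES:
        print(f"{fw} gaps: {gaps(ACTIVITIES, fw)}")
    closed = ACTIVITIES + [RISK_APPETITE_REVIEW]
    print(f"COSO ERM gaps after adding review: {gaps(closed, 'COSO ERM')}")
    print("\n".join(unified_report(closed)))
```

Run as written, the gap check reports King IV Principle 12 and COSO ERM's Strategy and Objective-Setting as uncovered; adding the risk appetite review closes the COSO gap while leaving the Principle 12 gap visible for the next iteration. The `validate` step matters more than it looks: a misspelt requirement name in a spreadsheet is the usual way a mapping overstates its coverage.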

Common Multi-Framework Combinations

Combination | Use Case | How They Work Together
King IV + ISO 31000 | South African organisations | King IV provides governance context; ISO 31000 provides the risk management process
COSO ERM + ISO 31000 | Large enterprises | COSO ERM for strategy-risk integration and governance; ISO 31000 for operational risk process
ISO 31000 + NIST CSF | Technology companies | ISO 31000 for enterprise risk; NIST CSF for cybersecurity-specific risk
King IV + COSO ERM + ISO 27001 | SA financial services | King IV for governance; COSO ERM for ERM; ISO 27001 for information security
NCCG + COSO ERM | Nigerian corporates | NCCG for governance compliance; COSO ERM for risk management structure

Avoid Framework Overload

Using multiple frameworks without a clear mapping approach leads to duplication, confusion, and “framework fatigue” — where teams spend more time satisfying framework requirements than actually managing risk. Be intentional: one primary framework, mapped to secondary requirements. Simplicity serves risk management better than complexity.

How Dimeri Supports Multiple Frameworks

Dimeri is designed to support organisations working with multiple risk management frameworks:

  • Framework-agnostic risk register: Structure your risk register to align with ISO 31000, COSO ERM, or both — Dimeri’s flexible architecture adapts to your chosen framework without forcing you into a rigid structure
  • Governance code alignment: Track compliance with King IV/V, NCCG, Mwongozo, or SEC Ghana Code requirements alongside your risk management framework
  • Framework mapping: Map controls and activities across multiple frameworks, eliminating duplication and showing how a single control satisfies requirements from different frameworks
  • Multi-country support: Manage different governance code requirements for each country your organisation operates in, from a single platform
  • Board reporting: Generate reports that demonstrate compliance with your chosen framework(s) and governance codes, in language that boards and audit committees understand
  • Combined assurance: Map assurance activities across the three lines model, supporting King IV combined assurance requirements and COSO ERM’s governance and culture component

Whether you are a South African organisation implementing King IV + ISO 31000, a Nigerian bank using NCCG + COSO ERM, a Kenyan state corporation aligning Mwongozo with ISO 31000, or a Ghanaian company mapping SEC Code requirements to COSO ERM, Dimeri provides the flexibility and structure to make it work.

Key Takeaways

Summary

  • ISO 31000 and COSO ERM are the two most widely used risk management frameworks globally — they are complementary, not competing
  • ISO 31000 is strongest on the risk management process; COSO ERM is strongest on strategy-risk integration and governance
  • Neither framework is certifiable — both provide principles and guidance rather than auditable requirements
  • King IV/V, NCCG, Mwongozo, and SEC Ghana Code are governance codes that provide the oversight context within which risk management frameworks operate
  • Most mature organisations use multiple frameworks together, with one primary framework mapped to secondary requirements
  • For multi-country African operations, ISO 31000 is the strongest baseline due to its international recognition and flexibility
  • The choice of framework should be driven by your governance environment, sector, regulatory requirements, and organisational maturity

Frequently Asked Questions

Is ISO 31000 or COSO ERM better for my organisation?

It depends on your priorities. If you want a clear, flexible risk management process that is internationally recognised and easy to implement, ISO 31000 is the better starting point. If your board wants deep integration between risk management, strategy-setting, and performance measurement, COSO ERM provides a more comprehensive governance-focused approach. Many organisations use both: COSO ERM for the strategic and governance dimensions, and ISO 31000 for the operational risk management process.

Can my organisation get certified to ISO 31000?

No. ISO 31000 is a guideline standard, not a requirements standard, and therefore cannot be used for certification. If you need a certifiable risk-related standard, consider ISO 27001 (information security management), ISO 22301 (business continuity), or ISO/IEC 42001 (AI management). These certifiable standards can be implemented alongside ISO 31000, which provides the overarching risk management approach.

Do I need King IV if I already use ISO 31000 or COSO ERM?

If you are a South African organisation, particularly a JSE-listed company, King IV compliance is expected on an “apply and explain” basis. King IV is a governance code, not a risk management framework — it tells you what your governing body must oversee, but not how to manage risk operationally. You need both: King IV for governance requirements and ISO 31000 or COSO ERM for the actual risk management framework. They serve different purposes and work together.

Which framework should a Nigerian bank use?

Nigerian banks typically use COSO ERM as their primary risk management framework, as the Central Bank of Nigeria’s risk management guidelines align most closely with COSO’s structure. The NCCG 2018 provides the governance overlay. For cybersecurity risk specifically, NIST Cybersecurity Framework or ISO 27001 should be layered on top. Some Nigerian banks also map their practices to ISO 31000 for international credibility, particularly those with cross-border operations or international shareholders.

How do I transition from one framework to another?

Start by mapping your current practices to the new framework. Identify what you already do that satisfies the new framework’s requirements and where there are gaps. Address gaps incrementally rather than attempting a wholesale replacement. Maintain your existing risk register, risk assessments, and controls — these are operational assets that transfer between frameworks. The framework changes the structure and governance overlay; the underlying risk data and controls remain largely the same. Plan for 6–12 months for a full transition, with board and leadership engagement from the start.