Risk Management Frameworks: ISO 31000, COSO & Basel III
Table of contents
- What Is a Risk Management Framework? (The Definition That Actually Matters)
- The Three Frameworks Every African Risk Manager Needs to Know
- The Comparison Table: Choosing the Right Framework
- The Question Nobody Actually Asks — But Should
- How ISO 31000, COSO, and Basel III Are Used Together (In Practice)
- What Regulators in West Africa Are Looking For
- The Bottom Line
- Frequently Asked Questions
Most organisations in emerging markets adopt a risk management framework for the wrong reason: because a regulator asked for it. The result is predictable. A document gets produced, a committee gets named, a matrix gets built — and six months later, nobody looks at any of it. The framework sits in a shared folder while the actual risks pile up unmanaged. This is not a framework problem. It is an implementation problem rooted in a misunderstanding of what frameworks are actually for.
Pirani's Risk Management Study 2026: Africa Chapter, conducted with more than 100 risk, compliance, audit, and cybersecurity leaders across 39 countries, confirms this with data. The number one organisational challenge identified for 2026 is not the absence of frameworks — it is risk management culture, cited by 62% of respondents. Most organisations already have risk maps, policies, and formal frameworks in place. The instruments exist. What fails is their internalization into everyday decision-making.
This article cuts through the jargon. It explains what a risk management framework is, what the three dominant global frameworks — ISO 31000, COSO ERM, and Basel III — actually require, and why the question of which framework to choose is almost always less important than the question of how to make any framework work inside a real African organisation.
What Is a Risk Management Framework? (The Definition That Actually Matters)
A risk management framework is a structured set of principles, processes, and governance mechanisms that an organisation uses to identify, assess, treat, monitor, and communicate risks in a consistent and repeatable way.
The word framework is key. A framework is not a policy document. It is not a risk register. It is not a compliance checklist. A framework is the infrastructure — the architecture — within which all of those tools operate. Without it, risk management is a series of isolated activities with no connection to each other or to the decisions that actually run the organisation.
ISO 31000:2018, the international standard for risk management, defines the purpose of a framework as helping organisations integrate risk management into all significant activities and functions — not as a separate department or annual exercise, but as a permanent dimension of how decisions get made at every level.
That definition has a practical implication that most implementation guides miss: if your risk management framework does not influence decisions, it is not a framework. It is paperwork.
The Three Frameworks Every African Risk Manager Needs to Know
ISO 31000 — The Universal Language of Risk
ISO 31000 is an international standard that provides principles and guidelines for risk management. It applies to any organisation, regardless of its size, sector, or industry, and offers a comprehensive, structured approach to identifying, assessing, managing, and monitoring risks.
Published originally in 2009 and revised in 2018, ISO 31000 is built around three interlocking layers: principles (the values that should guide risk management), a framework (the organisational structure that enables it), and a process (the step-by-step methodology for managing individual risks).
The 2018 revision places a greater emphasis on creating and protecting value as the key driver of risk management, and features principles such as continual improvement, the inclusion of stakeholders, customisation to the organisation, and consideration of human and cultural factors.
What makes ISO 31000 particularly relevant for Africa: It is non-prescriptive by design. The standard does not tell you exactly what your risk committee should look like or how many risk indicators you need to track. It gives you principles and lets you adapt. That flexibility is a strength in markets where organisational capacity, data availability, and regulatory maturity vary enormously — from a well-capitalised South African insurer to a growing fintech in Accra.
What ISO 31000 does not do: It cannot be used for certification. Organisations can align with it, demonstrate conformance to it, and use it as a benchmark — but unlike ISO 27001 for information security, there is no ISO 31000 certificate to obtain. This matters in conversations with boards and regulators who sometimes conflate the two.
A landmark data point for the African context: in January 2026, the African Export-Import Bank (Afreximbank) became one of the first pan-African multilateral financial institutions to receive formal ISO 31000:2018 registration, following independent assessments with zero non-conformities — a signal that the standard is gaining institutional weight across the continent, not just in global markets.
COSO ERM — Risk as a Strategic Tool
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission — a consortium of five major professional accounting and audit associations in the United States. Its Enterprise Risk Management framework, updated in 2017, takes a fundamentally different starting point from ISO 31000.
The 2017 COSO ERM Framework consists of five interrelated components:
- Governance and Culture, which establishes the tone at the top and the role of culture in supporting ERM
- Strategy and Objective-Setting, which integrates risk into strategy formulation
- Performance, which covers identifying, assessing, prioritising, and responding to risks
- Review and Revision, which evaluates how well the ERM process is functioning
- Information, Communication, and Reporting, which ensures risk information flows throughout the organisation
The critical shift in the 2017 update is conceptual: COSO moved risk management out of the compliance function and positioned it as a strategic capability. Risk is not just something to be controlled — it is something to be understood well enough to make better strategic choices.
Who uses COSO ERM and why: It is particularly well-suited for listed companies, organisations with complex governance structures, and institutions subject to Sarbanes-Oxley-style accountability requirements. In Africa, corporates listed on the Johannesburg Stock Exchange (JSE), the Ghana Stock Exchange (GSE), or the Nigerian Exchange Group (NGX) increasingly need COSO-aligned ERM to satisfy investor and board governance expectations.
This alignment matters more than ever. Pirani's Africa study found that between 2026 and 2027, passive delegation of risk to specialised functions will no longer be acceptable — auditors and regulators increasingly expect active involvement from senior management and boards in the execution of governance frameworks. COSO ERM is precisely the framework designed to enable that board-level accountability.
The limitation: COSO ERM is more demanding to implement than ISO 31000. Its 20 principles require a mature governance infrastructure to operationalise properly — something that can be a stretch for mid-sized institutions building their risk function from scratch.
Basel III — Risk Management With Capital Consequences
Basel III occupies a different category from ISO 31000 and COSO ERM. It is not a general framework for managing organisational risk — it is a regulatory capital standard specifically for banks, issued by the Basel Committee on Banking Supervision (BCBS) under the Bank for International Settlements (BIS).
Basel III is an internationally agreed set of measures developed in response to the financial crisis of 2007–09. Its measures aim to strengthen the regulation, supervision, and risk management of banks, and apply as minimum requirements to internationally active banks.
For operational risk specifically, Basel III introduced a Standardised Measurement Approach that replaced the previous internal model-based methods. Under Basel III, banks must calculate operational risk capital using this standardised approach — making accurate and robust internal loss data more strategically important than ever before, since it directly influences the capital a bank must hold.
The implementation of Basel III across Africa is accelerating. According to Pirani's Africa Regulatory Horizon analysis, countries such as Morocco, Egypt, South Africa, and Mauritius have advanced significantly in implementing Basel III capital, liquidity, and leverage requirements, supported by technical guidance from the IMF and the World Bank. Nigeria and Ghana are at different stages of implementation, with the Central Bank of Nigeria (CBN) and the Bank of Ghana (BoG) both moving toward Basel III-aligned capital adequacy frameworks — a trend explored in depth in Pirani's analysis of what CBN and BoG expect from banks in 2026.
The Basel Committee's most recent progress report (September 2025) confirms that the revised credit risk and operational risk standards are now in effect in around 80% of member jurisdictions — making Basel III literacy non-optional for any institution with cross-border ambitions.
What Basel III is not: It is not a substitute for an enterprise risk management framework. Basel III tells a bank how much capital to hold against operational losses. It does not tell that bank how to build a risk-aware culture, how to structure its three lines of defence, or how to integrate risk thinking into strategic decisions. For that, you still need ISO 31000 or COSO.
The Comparison Table: Choosing the Right Framework
| Criteria | ISO 31000 | COSO ERM | Basel III |
|---|---|---|---|
| Who it's for | Any organisation, any sector | Corporates, listed companies, governance-focused entities | Banks and financial institutions only |
| Primary focus | Risk management principles and process | Strategy, governance, and enterprise performance | Capital adequacy and operational risk capital |
| Certifiable? | No | No | Regulatory compliance, not certification |
| Regulatory reference in Africa | BoG Risk Management Directive, South Africa FSCA frameworks | JSE, NGX listed company governance | CBN ICAAP, BoG capital adequacy requirements |
| Best for organisations that... | Are building or maturing their risk function | Need to demonstrate board-level risk governance | Need to calculate and manage regulatory capital for operational risk |
| Can be used together? | ✓ Yes — ISO 31000 as language, COSO for governance layer | ✓ Yes — COSO and ISO 31000 are complementary | ✓ Yes — Basel III for capital, ISO 31000 or COSO for the broader framework |
| Pirani system | ORM | ORM + Compliance | ORM + Audit |
The Question Nobody Actually Asks — But Should
Every conference on risk management in Africa eventually produces a panel on which framework is best. The panel rarely agrees. That is because it is almost always the wrong question.
The right question is: what does it take to make a risk management framework actually work inside an organisation with real constraints?
The data from Pirani's Risk Management Study 2026: Africa Chapter makes the gap visible. While 53% of African organisations rank regulatory change and compliance as their top external risk — validating why frameworks matter — the leading internal challenge is risk culture, not lack of frameworks. The instruments exist. What most organisations struggle to do is make those instruments influence real decisions.
This gap has a specific African dimension. The study found that 43% of African organisations identify fraud as a critical threat, compared to a global average of 23% — nearly double. That differential is not explained by higher criminal activity alone, but by the convergence of rapid digital financial inclusion, regulatory frameworks still maturing, and high dependence on third-party technology providers. A framework designed for a stable European banking environment does not automatically account for these structural realities.
As Monene Moila, Head of Legal, Risk and Compliance at FNB Connect, observed in the study: in sectors like fintech, digital banking, and AI, market evolution consistently outpaces regulation. "This gap is not cyclical but structural, and it will continue to shape risk management in the years ahead." The implication for frameworks is direct: organisations cannot wait for regulatory frameworks to catch up. They need internal risk architectures that anticipate, not just react.
Three variables determine whether a framework works in practice, and none of them appear in the frameworks themselves:
- Leadership commitment. The study is explicit: risk culture fails when risk management is perceived as a specialised function confined to a specific department. The organisations that succeed treat risk as a shared responsibility embedded in leadership, operational execution, and accountability. Without this cultural foundation, even the most sophisticated frameworks remain on paper.
- Data availability. Basel III's Standardised Measurement Approach requires detailed, reliable internal loss data. COSO ERM requires risk information that flows up and across the organisation. ISO 31000's monitoring principle requires metrics. All three frameworks assume data infrastructure that many African institutions are still building — a reality compounded by the fact that approximately 40% of African countries currently face high levels of public debt, constraining the fiscal space available for investment in risk infrastructure. The framework has to be sized to the data reality — not the other way around.
- Team capacity. A risk function of two people cannot run three parallel frameworks simultaneously. The most common failure mode in African financial institutions is not choosing the wrong framework — it is over-engineering the framework relative to the team that has to maintain it.
How ISO 31000, COSO, and Basel III Are Used Together (In Practice)
In well-functioning organisations, these three frameworks are not competing alternatives. They operate at different layers of the same risk architecture.
ISO 31000 provides the common language and process — the vocabulary everyone in the organisation uses when talking about risk identification, assessment, and treatment. It is the foundation.
COSO ERM adds the governance and strategy layer — how the board exercises oversight, how risk appetite is set, how risk connects to strategic objectives. It sits above ISO 31000 and gives it institutional gravity.
Basel III adds the capital calculation layer for banks — it translates operational risk exposure into a specific regulatory capital number. It does not replace ISO 31000 or COSO; it uses their outputs as inputs.
The practical implication: a bank in Ghana or Nigeria that is serious about risk management needs all three — not because regulators require it (though increasingly they do), but because each framework answers a different question. ISO 31000 answers "how do we manage risk?" COSO answers "how does risk connect to our strategy?" Basel III answers "how much capital do we need to hold?"
For organisations building or restructuring their risk function, Pirani's Risk Management School covers the practical application of these frameworks in the African and emerging market context — this month's session focuses specifically on frameworks, with live examples from the financial sector. Every third Wednesday of the month, free.
What Regulators in West Africa Are Looking For
Understanding frameworks in the abstract is useful. Understanding what regulators are specifically looking for is essential.
The Bank of Ghana's Risk Management Directive requires banks to have documented, board-approved risk frameworks aligned with international standards — which in practice means ISO 31000 or equivalent. The CBN's Internal Capital Adequacy Assessment Process (ICAAP) guidelines require Nigerian banks to demonstrate that their capital planning is integrated with their risk management framework — which requires Basel III literacy. The South African Prudential Authority references both COSO and ISO 31000 principles in its supervisory guidance for insurers and banks.
The pattern across all these jurisdictions is the same: regulators are not asking organisations to adopt any specific framework by name. They are asking organisations to demonstrate that:
- Risks are identified and assessed systematically, not reactively
- Risk appetite is formally defined and linked to strategic decisions
- Controls and mitigants are documented and tested
- Risk reporting reaches the board in a timely, actionable format
- The framework is reviewed and improved on an ongoing basis
Any of the three frameworks — implemented properly — satisfies those expectations. The question, as always, is implementation.
Pirani's study adds a sobering footnote: in 2026, compliance is shifting from a matter of regulatory interpretation to a matter of execution and evidence. Regulators and auditors increasingly demand concrete proof that controls operate consistently over time — not just that a framework document exists. For organisations with cross-border operations or highly digitised processes, where regulatory obligations can vary significantly across jurisdictions, this raises the bar considerably.
The Bottom Line
If you are building your risk management function from scratch: Start with ISO 31000. It gives you the process architecture and the vocabulary without over-engineering the governance layer before you are ready for it.
If you are a listed company or a financial institution with a mature board: Layer COSO ERM on top of ISO 31000 to formalise the strategy-risk connection and strengthen board-level oversight.
If you are a bank navigating CBN, BoG, or FSCA capital requirements: You need Basel III literacy in your risk function, specifically around operational risk capital calculation. Use ISO 31000 or COSO as the broader framework, and use Basel III to handle the capital layer.
If you are in all three situations at once — which is the reality for most mid-sized banks in West Africa — the answer is a coherent architecture that uses each framework at the layer it was designed for, supported by a technology platform that avoids tripling your team's workload.
That is exactly what Pirani's Operational Risk Management system is built to support: one platform, aligned to ISO 31000, COSO ERM, and Basel III requirements simultaneously, designed for financial institutions that cannot afford to run three separate tools for the same risk.
Frequently Asked Questions
What is a risk management framework? A risk management framework is a structured set of principles, processes, and governance mechanisms that an organisation uses to identify, assess, treat, monitor, and communicate risks in a consistent and repeatable way. It is the organisational infrastructure within which all risk tools — risk registers, matrices, indicators — operate. Without a framework, risk management is a series of isolated activities disconnected from strategic decision-making.
What is the difference between ISO 31000 and COSO ERM? ISO 31000 is a universal standard that provides principles and a process for managing risk across any type of organisation. COSO ERM is an enterprise risk management framework specifically designed to connect risk management with corporate governance, strategy, and performance. ISO 31000 is typically used as the operational foundation; COSO ERM adds the board governance and strategic layer on top. The two frameworks are complementary and are commonly used together.
Which risk management framework is best for banks in Africa? There is no single answer, because the frameworks serve different purposes. Most African banks benefit from a layered approach: ISO 31000 as the operational language and process foundation, COSO ERM to strengthen board governance and strategy integration, and Basel III to manage regulatory capital requirements for operational risk. The right balance depends on the institution's size, regulatory jurisdiction, and maturity of its risk function.
Is ISO 31000 mandatory for financial institutions in Africa? ISO 31000 is not mandatory by name in most African jurisdictions, but several regulators — including the Bank of Ghana and South Africa's Prudential Authority — require risk management frameworks aligned with international standards, which in practice means ISO 31000 or equivalent. The standard is non-prescriptive and non-certifiable, but increasingly used as the benchmark for supervisory assessments.
Can an organisation use both ISO 31000 and Basel III? Yes, and most banks should. ISO 31000 and Basel III address different dimensions of risk management. ISO 31000 provides the principles and process architecture for managing risk across the organisation. Basel III provides the specific methodology for calculating regulatory capital against operational risk. The two frameworks are designed to be used together, not as alternatives.
What does Basel III require for operational risk management? Under Basel III, banks must calculate operational risk capital using the Standardised Measurement Approach (SMA), which is based on the bank's business indicator and its historical internal loss data. This makes the quality and completeness of internal loss databases a regulatory priority. Beyond capital calculation, Basel III expects banks to demonstrate robust operational risk governance, incident reporting, and integration between risk management and capital planning.
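The point made above, and earlier in the Basel III section, that a bank's internal loss history feeds directly into the capital it must hold, is easiest to see by running the formula. The following is an added worked example, not code from this article or from Pirani: it implements the Basel III standardised approach for operational risk (the approach the article refers to as the SMA) as published by the Basel Committee in December 2017, in which operational risk capital is the Business Indicator Component (BIC) multiplied by an Internal Loss Multiplier (ILM). The bucket thresholds, marginal coefficients and the ILM formula are those of the standard; the bank figures (a business indicator of EUR 5bn and two alternative loss histories) are constructed sample values in millions of euros, and the treatment of the bucket-1 national discretion is exposed as a parameter because it varies by jurisdiction.

```python
"""Basel III standardised approach for operational risk capital.

Added worked example; not code from the article or from Pirani.
Formula: ORC = BIC * ILM, where
  BIC = marginal coefficients (12% / 15% / 18%) applied to the
        Business Indicator (BI) in three buckets,
  LC  = 15 x average annual operational risk losses (ten-year window),
  ILM = ln(e - 1 + (LC / BIC) ** 0.8).
All monetary values below are in millions of EUR, and every bank
figure is a constructed sample value, not real data.
"""
import math
from typing import Sequence

# BI bucket upper bounds (EUR millions) and marginal coefficients.
BI_BUCKETS = [
    (1_000.0, 0.12),     # bucket 1: BI up to EUR 1bn
    (30_000.0, 0.15),    # bucket 2: EUR 1bn to EUR 30bn
    (math.inf, 0.18),    # bucket 3: above EUR 30bn
]


def business_indicator_component(bi: float) -> float:
    """Apply each bucket's coefficient only to the slice of BI in that bucket."""
    bic = 0.0
    lower = 0.0
    for upper, coeff in BI_BUCKETS:
        slice_amount = max(0.0, min(bi, upper) - lower)
        bic += coeff * slice_amount
        lower = upper
    return bic


def loss_component(annual_losses: Sequence[float]) -> float:
    """LC = 15 x average annual losses.

    `annual_losses` is assumed to be one total per year, net of recoveries,
    already aggregated from events above the bank's collection threshold.
    """
    if not annual_losses:
        raise ValueError("an internal loss history is required to compute LC")
    return 15.0 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc: float, bic: float) -> float:
    """ILM = ln(e - 1 + (LC / BIC) ** 0.8); equals exactly 1 when LC == BIC."""
    return math.log(math.e - 1.0 + (lc / bic) ** 0.8)


def operational_risk_capital(bi: float, annual_losses: Sequence[float],
                             bucket1_ilm_is_one: bool = True) -> dict:
    """Return BIC, ILM and the resulting operational risk capital (ORC).

    `bucket1_ilm_is_one` models the national discretion under which
    supervisors may fix ILM = 1 for bucket-1 banks; whether it applies
    is an assumption that depends on the jurisdiction.
    """
    bic = business_indicator_component(bi)
    if bucket1_ilm_is_one and bi <= BI_BUCKETS[0][0]:
        ilm = 1.0
    else:
        ilm = internal_loss_multiplier(loss_component(annual_losses), bic)
    return {"bic": bic, "ilm": ilm, "orc": bic * ilm}


def loss_history_sensitivity() -> dict:
    """Same constructed bucket-2 bank, two constructed loss histories.

    Shows that the only difference between the two capital numbers is
    the loss data: the BI, and therefore the BIC, is identical.
    """
    bi = 5_000.0                       # constructed: EUR 5bn business indicator
    low_losses = [20.0] * 10           # constructed: EUR 20m per year for ten years
    high_losses = [80.0] * 10          # constructed: EUR 80m per year for ten years
    return {
        "low": operational_risk_capital(bi, low_losses),
        "high": operational_risk_capital(bi, high_losses),
    }


if __name__ == "__main__":
    for label, result in loss_history_sensitivity().items():
        print(f"{label:>4} loss history: BIC={result['bic']:.1f} "
              f"ILM={result['ilm']:.3f} ORC={result['orc']:.1f}")
```

For the constructed bank the BIC is EUR 720m in both cases; the ILM moves from roughly 0.80 to roughly 1.17 purely because the ten-year loss history differs, so the capital number moves from about EUR 573m to about EUR 843m. That is the mechanism behind the article's statement that the quality and completeness of the internal loss database is a capital question, not only a reporting one: a missing or misclassified loss year changes the average that drives LC.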
How do I implement a risk management framework with limited resources? Start with ISO 31000, which is intentionally non-prescriptive and adaptable to organisations of any size. Focus first on three things: documenting your risk identification and assessment process, establishing a clear escalation path to leadership, and defining your risk appetite at board level. Avoid the common mistake of over-engineering the framework relative to your team's capacity. A simple, well-maintained framework that influences real decisions is always more valuable than a sophisticated one that sits unused.