Which is the better risk management guidance: COSO or ISO?
For the last few months, I have been running a survey of risk experts on which risk management guidance they prefer: the COSO ERM – Integrated Framework, or the ISO 31000:2009 risk management standard. I am fully aware that there are others, but these appear to be the prevalent ones. The purpose was to obtain an independent view; prior surveys have been run either by COSO or by individuals clearly linked to ISO advocacy.
The survey went out through my blogs and also through Twitter and LinkedIn.
Although only 180 risk practitioners answered the survey (meaningful but not authoritative), the results were interesting and the comments even more so! So much so that I have made all the comments available for you to peruse in detail.
There were only two questions:
1. Have you read both the COSO ERM framework and the ISO risk management standard?

| Answer | Share of respondents |
|---|---|
| Yes. I have read both | 76% |
| No. I have only read the COSO ERM Framework | 12% |
| No. I have only read the ISO 31000:2009 standard | 7% |
| No. I have not read either | 6% |
2. Which do you prefer?

| Answer | Share of respondents |
|---|---|
| I prefer the COSO ERM Framework | 15% |
| I prefer the ISO 31000:2009 risk management standard | 52% |
| I have no preference. Either can be used effectively | 25% |
| I have no preference. I don’t think either can be used effectively | 8% |
The answers to the second question are not materially different if you exclude those who had not read both the COSO ERM framework and the ISO risk management standard.
As I said, the comments are illuminating (see link in the first paragraph).
The people who prefer COSO ERM did so because, in their view:
- It is comprehensive and has stood the test of time
- Is the standard that has been adopted by their regulators
- Their organization previously adopted it
- It links to the COSO internal control framework
- It has a better discussion of risk appetite
- It is stronger on corporate governance
- There is a better linkage to strategies and objectives
By way of contrast, those who prefer ISO 31000:2009 offered these opinions:
- Easier to understand and explain to others. User friendly
- Written by practitioners instead of accountants and auditors
- Clear, logical, intuitive, and practical
- A better ‘how to’ guide, easier to use when implementing risk management
- More focused on risk and less on audit and controls than COSO
- Represents best practice and the collective wisdom of global risk leaders
- Flexible, less prescriptive, easily tailored
- Has a top-down approach to risk management
Those who said that neither was effective had some strong comments, including:
- There is little evidence that either actually works. The best solution is to take the best of each and develop something that works for you
- Neither effectively articulates the difference between risk and uncertainty
- COSO ERM is too detailed and the cube is confusing. ISO 31000 is too high level
A number of people thought that the two should be combined, taking the best of each. One thought I liked was the need to consider risk management as an element of governance (including strategy and performance management) rather than as a separate and distinct activity requiring a separate and distinct standard or framework.

A few parting thoughts:
- All risk management practitioners should (IMHO) read both sets of guidance
- Board members and top executives responsible for risk management should be familiar with at least the executive summary of the selected guidance
- Empirically, based on my contacts with practitioners, awareness of ISO 31000:2009 is building and so is adoption
- I will write a separate post on my personal journey and share which I prefer and why
I encourage you to read the full set of comments and share your views.