Home > Risk > COSO ERM or ISO 31000? Which is better?

COSO ERM or ISO 31000? Which is better?

March 18, 2012 Leave a comment Go to comments

There seem to be camps of those that are avid advocates of the ISO 31000:2009 risk management standard and those that believe the COSO ERM Framework works well.

For a discussion with a 31000 believer (Grant Purdy), see this previous post.

COSO commissioned a study by Mark Beasley to understand what people thought of its risk management framework. However, very few who responded (perhaps because it came from COSO and was not independent) were using the ISO standard. Therefore, it didn’t provide a reasonable basis for comparison and arguably didn’t reach those using other guidance.

Please spare a few minutes to complete a simple set of questions on this topic, to see how many have read just one or both of the sets of guidance, and which more prefer.

The survey is here.

I will share the results and explain my views and why I hold them later.

Advertisements
  1. Mike
    March 18, 2012 at 5:17 PM
    Reply

    Norman, Have you given up on OCEG’s approach to ERM?

  2. Norman Marks
    March 19, 2012 at 6:51 AM
    Reply

    Mike, OCEG’s approach to ERM is to accept either ISO or COSO as representing the risk management portion of GRC or principled performance. The new version of Red Book contains more detail and is more closely aligned, in its language, with ISO than COSO.

    I continue to (a) prefer the ISO standard, (b) believe risk management operates within the context of governance and assists an organization identify and then optimize achievement of objectives.

  1. April 16, 2012 at 7:33 AM
    Strategic Risks – Threats and Opportunities | The Savvy Strategist ™
  2. April 26, 2012 at 6:30 PM
    ISO 31000: Dr Rorschach meets Humpty Dumpty…splat!!! « Get "fit for randomness" [with Ontonix UK]
  3. May 28, 2012 at 4:39 AM
    Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA … » http://infosecblog.antonaylward.com - System Integrity: Without Integrity you don’t have Security
  4. August 14, 2014 at 10:32 AM
    C-Suite must be owners of the ERM process | CFO Totality
  5. November 10, 2014 at 11:22 AM
    Pstopdffilter/pstocupsraster Failed Error 31000 - ORG.org

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w
Cancel

Connecting to %s

%d bloggers like this: