COSO ERM or ISO 31000? Which is better?
There seem to be two camps: avid advocates of the ISO 31000:2009 risk management standard, and those who believe the COSO ERM Framework works well.
For a discussion with a 31000 believer (Grant Purdy), see this previous post.
COSO commissioned a study by Mark Beasley to understand what people thought of its risk management framework. However, very few who responded (perhaps because it came from COSO and was not independent) were using the ISO standard. Therefore, it didn’t provide a reasonable basis for comparison and arguably didn’t reach those using other guidance.
Please spare a few minutes to complete a simple set of questions on this topic, so we can see how many have read just one or both of the sets of guidance, and which they prefer.
I will share the results and explain my views and why I hold them later.
Norman, have you given up on OCEG’s approach to ERM?
Mike, OCEG’s approach to ERM is to accept either ISO or COSO as representing the risk management portion of GRC or principled performance. The new version of the Red Book contains more detail and is more closely aligned, in its language, with ISO than COSO.
I continue to (a) prefer the ISO standard, and (b) believe risk management operates within the context of governance and assists an organization to identify and then optimize achievement of its objectives.