Final results of COSO vs ISO risk management survey

For the last few months, I have been running a survey of risk experts on which risk management guidance they prefer: the COSO ERM – Integrated Framework, or the ISO 31000:2009 risk management standard. I am fully aware that there are others, but these appear to be the prevalent ones. The purpose was to obtain an independent view; prior surveys have been run either by COSO or by individuals clearly linked to ISO advocacy.

The survey went out through my blogs and also through Twitter and LinkedIn.

Although only 180 risk practitioners answered the survey (meaningful but not authoritative), the results were interesting and the comments even more so! So much so that I have made all the comments available for you to peruse in detail.

There were only two questions:

1. Have you read both the COSO ERM framework and the ISO risk management standard?

Yes. I have read both 76%
No. I have only read the COSO ERM Framework 12%
No. I have only read the ISO 31000:2009 standard 7%
No. I have not read either 6%

2. Which do you prefer?

I prefer the COSO ERM Framework 15%
I prefer the ISO 31000:2009 risk management standard 52%
I have no preference. Either can be used effectively 25%
I have no preference. I don’t think either can be used effectively 8%

The answers to the second question are not materially different if you exclude those who had not read both the COSO ERM framework and the ISO risk management standard.

As I said, the comments are illuminating (see link in the first paragraph).

The people who prefer COSO ERM did so because, in their view:

  • It is comprehensive and has stood the test of time
  • It is the standard that has been adopted by their regulators
  • Their organization previously adopted it
  • It links to the COSO internal control framework
  • It has a better discussion of risk appetite
  • It is stronger on corporate governance
  • There is a better linkage to strategies and objectives

By way of contrast, those who prefer ISO 31000:2009 offered these opinions:

  • Easier to understand and explain to others. User friendly
  • Written by practitioners instead of accountants and auditors
  • Clear, logical, intuitive, and practical
  • A better ‘how to’ guide, easier to use when implementing risk management
  • More focused on risk and less on audit and controls than COSO
  • Represents best practice and the collective wisdom of global risk leaders
  • Flexible, less prescriptive, easily tailored
  • Has a top-down approach to risk management

Those who said that neither was effective had some strong comments, including:

  • There is little evidence that either actually works. The best solution is to take the best of each and develop something that works for you
  • Neither effectively articulates the difference between risk and uncertainty
  • COSO ERM is too detailed and the cube is confusing. ISO 31000 is too high level

A number of people thought that the two should be combined, taking the best of each. One thought I liked was the need to consider risk management as an element of governance (including strategy and performance management) rather than as a separate and distinct activity requiring a separate and distinct standard or framework.

A few parting thoughts:

  1. All risk management practitioners should (IMHO) read both sets of guidance
  2. Board members and top executives responsible for risk management should be familiar with at least the executive summary of the selected guidance
  3. Empirically, based on my contacts with practitioners, awareness of ISO 31000:2009 is building and so is adoption
  4. I will write a separate post on my personal journey and share which I prefer and why

I encourage you to read the full set of comments and share your views.

  1. Mike Corcoran
    May 11, 2012 at 8:27 AM

    Hi Norman, could you please provide us with the countries or at least the continents where the responders were from so we can put the results in context. Thanks!

  2. Norman Marks
    May 11, 2012 at 9:09 AM

    Mike, to encourage more people to vote I didn’t ask any demographic questions. But in general about 45% of the people who read my blog are from the US.


  3. May 12, 2012 at 4:06 AM

    Very interesting Norman !

    As you know, G31000 has conducted the First Global survey on the ISO 31000 Risk Management standard from 17 October till 15 December 2011 with the collaboration of 70+ associations who have agreed to share the survey with their members.

    Your final results are aligned with our findings.
    Just a hint:

    We got 1823 responses from 111 countries
    On the question: Which of the following standards/guidelines are used in your organization? (multiple answers were allowed):

    Inhouse, 40%
    ISO 31000: Risk management Guideline, 36%
    ISO 27005 – Information security, 21%
    COSO ERM, 18%
    PMBOK: Project management, 17%
    ISO Guide 73: Risk management Vocabulary, 16%
    AS 4360: Australian/New Zealand Standard, 13%
    ISO 31010: Risk assessment, 13%
    BASEL – Finance, 11%
    BS 31100, UK standard, 4%

    The results will be presented at the ISO 31000 conference in Paris on 21 & 22 May 2012 at the following session: http://g31000conference2012.org/node/61

    We will discuss the details at the conference in Paris…

  4. Barbara Peter
    May 15, 2012 at 3:51 PM

    Re the comment that RM should be considered an element of governance… Seems to me it should be the other way around. After all, the main reason we do all that governance and compliance stuff is to avoid being exposed to the undesirable effects/outcomes of not doing it.

    • May 15, 2012 at 4:12 PM

      Perfectly correct Barbara… I hope to see you joining the LinkedIn group on the ISO 31000 Risk Management: http://goo.gl/wolhN

    • Norman Marks
      May 15, 2012 at 5:07 PM

      Barbara, have a look at any of the definitions of governance (such as that of the OECD) and you will see it's about how you manage and direct the organization. If you then look at any of the governance frameworks, such as the King III code in South Africa or the Combined Code in the UK, you will see risk management (or specifically the oversight of risk management) as a key board responsibility.

      Alex, while there are parts of governance that are essential to effective risk management, governance includes more – such as the setting of objectives and hiring and compensating the CEO.

      • May 15, 2012 at 5:22 PM

        I continue to see the meaning of governance all over the place from NACD/King at the BOD level to project management and team levels and everything in between. So I find I have to make sure in meetings we are talking the same language as Norman points out.

      • July 4, 2012 at 7:07 AM

        Certainly risk decisions at the enterprise level are within the role of the board but risks exist on every level, including above the enterprise level. If we are talking about a specialized risk management function, identifying risks for the purpose of designing controls, recommending insurances, noting areas that are out of sync with the perceived risk tolerance of the organization, etc. that is one thing – it needs access to and oversight from the board. If we are talking about managing the positive and negative risk that exists in the environment external to the organization, some of those are the organization’s raison d’être. Organizations are themselves a form of risk management and on that level risk management not only is a board function but transcends the board. Governance is neither greater than nor less than risk management, it is the solution set for the risk management problem and is inextricably connected to risk management at all levels from the shop floor to the shareholders’ meeting. There is a tendency among some to argue over whether ‘a failure in governance’ or ‘a failure in risk management’ is to blame for a particular organizational crisis, proving only that they don’t understand either.

  5. May 15, 2012 at 5:56 PM

    Risk management is a structured way for decision-makers to take into account the uncertain environment. Felix Kloman calls risk management a discipline dealing with uncertainty.
    The institutions you are referring to have built their credentials in public governance, certainly not in corporate governance. Many continue to reduce risk management to a bureaucratic, burdensome compliance/audit/reporting focus defining risk as events to be avoided, instead of recognizing the central element of efficiency and performance driving decision-making in an uncertain environment.

  6. May 24, 2012 at 8:35 AM

    I found this article quite helpful in providing some higher-level governance context to the situation at JP Morgan that enabled these losses to occur.

  7. October 21, 2012 at 8:52 PM

    I am also commenting to let you understand what a perfect encounter my daughter gained reading through your site. She noticed too many issues, including what it’s like to have an ideal giving nature to make most people completely know chosen tricky things. You actually exceeded readers’ expectations. Thanks for giving those beneficial, trusted, edifying and as well as easy tips on this topic to Emily.

  8. October 22, 2012 at 1:35 AM

    Announcing the availability of the First global ISO 31000 risk management survey

    Dear all,

    The results of the ISO 31000 risk management survey are now available in English, French and Spanish.

    These were first presented at the First international conference on ISO 31000 in Paris last May. The survey was conducted between the 17th of October and 15th of December 2011.

    With 1823 responses it gives the most comprehensive view yet of how people view ISO 31000 and risk management in general. Regarding ISO vs COSO, our result indicates a similar picture to that of the survey run by Norman Marks.

    Go to http://www.g31000conference2012.org/ISO31000Survey2011 to get the results.

    Best regards,

    Alex Dali
    President of G31000, non-profit organisation for raising awareness on ISO 31000

  9. Ted Dann
    April 15, 2013 at 7:40 AM

    Norman, I’m speaking at RIMS on ERM with a frame in the PP referencing COSO vs. ISO 31000. Can I reference your two-question survey above? Will you be attending RIMS this year?

    Thanks for your consideration of my request.


    Ted Dann CPA CRM ARM

    • Norman Marks
      April 15, 2013 at 7:51 AM

      You most certainly may. I won't be there except in spirit.

      Norman D. Marks, CPA, CRMA, OCEG Fellow, Honorary Fellow of the Institute of Risk Management

      Join me online: IIA Governance blog | GRC and Audit blog | Twitter | LinkedIn


  10. Wayne Hart
    July 28, 2014 at 7:41 PM

    I am happy that 180 practitioners gives a reasonable survey base, but there needs to be just two more questions in the survey. (i) What are the specific weaknesses of your preferred framework/standard? and (ii) What suggestions would you make to improve your preferred framework/standard?

    • Norman Marks
      July 28, 2014 at 8:12 PM

      My answer, Wayne:

      I prefer ISO 31000 and I wish it provided guidance on how to use risk criteria to address the regulatory instruction in some sectors to have a risk appetite framework.
