Jim de Loach, MD of Protiviti, said in a recent podcast that the COSO RM framework is more of an evaluation framework, while the ISO 31000-based RM framework is more of an illustrating process.
I am not sure what he meant by that. If I am not mistaken, ISO 31000 consists of stages such as Identification, Assessment and Measurement. Aren't these stages 'evaluation'?
If I have understood it wrongly, then I request Jim de Loach to please clarify this point.
Replies
My view - as per attachment.
COSO vs ISO 31000.docx
Trevor, thanks for the comments. You are right, ISO31000 replaced ANZ4360 (Australian).
Trevor Levine (RISKCZAR) said:
Thank you Mathew, I really appreciate your comments; please feel free to add any comments that would benefit organisations thinking about or already implementing RM.
Mathew Hancock said:
Alex, thank you for commenting. I was going to mention your specialist group, in case anyone would like to discuss it over there as well.
We appreciate your comments here on Global Risk Community as well. This is why we like to have such discussions on all the forums dealing with Risk.
Happy New Year to you too!
Hi Fayaz,
As per the comments already made, I would say that both standards look at the same risk management process (context, identification, evaluation, management, etc), but talk about how to apply the process across an organisation differently. There are strengths and weaknesses to each approach, but both have useful elements to them.
If someone is looking at how to apply either the COSO ERM framework or ISO31000, I would suggest looking at a process maturity approach (as per the SEI-Carnegie Mellon University Capability Maturity Model). The COSO ERM framework and ISO31000 can help you define what you can do, while the maturity model framework can be used to provide a good understanding of the journey by which you can achieve it. I would add a cautionary note here, though, that not all maturity models are well put together. Happy to discuss the maturity concept further if there is interest.
Kind Regards,
Mathew
Fayaz Malik started this discussion from the LinkedIn group on the ISO 31000 Risk Management Standard.
We have reached 5000+ members and growing with 100 new members every week.
For those interested to listen to the original interview of Jim de Loach and read the 144 comments which it continues to generate, you are invited to join the following discussion :
Comparing the COSO ERM Framework with ISO 31000
Short link : http://goo.gl/OZzYV
I take this opportunity to wish you a Happy New Year 2012
Regards
Alex Dali, MBA,ARM
Moderator of the ISO 31000 Risk Management Standard group in LinkedIn
I referenced a 2003 article by the legendary Felix Kloman comparing 4360 to COSO a couple of years back. Since most people would agree 31000 is very similar to 4360, the Kloman article may help respond to the question.
My earlier reference to the 600 pages is not untrue, as it is quite lengthy, and given the choice between the two I quote Winston Churchill: "The length of this document defends it well against the risk of its being read."
Kloman is more eloquent in his assessment of COSO ERM: "It is an exercise in cranial congestion: too many words, too much jargon and too little clarity."
31000, like 4360, is brief, simple and easy to understand. I employ more language from 4360 in my day-to-day risk life because it is simple. At the end of the day, all frameworks are pretty much the same: identify all your risks, write them down and assess them so you can prioritize them. Once you write them down, you then have to do something about them.
This is not rocket science.
But if you are going to hand a CFO both documents and say 'pick one to read so you know how to do risk management', then unless you are named Frank Martens, I am pretty sure the CFO is going to reach for the 31000.
See the Deathmatch between 4360 and COSO here:
http://riskczar.com/2009/09/09/h-felix-kloman-coso-erm-vs-anz-4360-...
Trevor, we need just a few points.
I believe no framework is a perfect evaluating tool, but I don't think COSO is better than ISO31000. I think ISO31000 is better at both evaluation and guiding the implementation framework.
The main difference between COSO ERM and ISO 31000 is about 600 pages.