Jim de Loach MD of Protiviti said in a recent podcast that COSO RM framework is more of evaluation framework, while ISO 31000 based RM framwork is more of a illustrating process.

I am not sure what he meant by that. If he might not have mistaken ISO 31000 consists of stages such as Identification, Assessment and Measurement. Aren't these stages 'evaluation'?


If i have understood it wrongly then please i request Jim De Loach to clarify this point.

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • My view - as per attachment.

    COSO vs ISO 31000.docx

  • Trevor, Thanks for the comments. You are right ISO31000 replaced ANZ4360 (Australian).

    Trevor Levine (RISKCZAR) said:

    I referenced a 2003 article by the legendary Felix Kloman comparing 4360 to COSO a couple of years back. Since most people would agree 31000 is very similar to 4360, the Kloman article may help respond to the question.

    My earlier reference to the 600 pages is not untrue as it is quite lengthy and given the choice between both I quote Winston Churchill: "The length of this document defends it well against the risk of its being read.”

    Kloman is more eloquent in his assessment of COSO ERM  "It is an exercise in cranial congestion: too many words, too much jargon and too little clarity".

    31000 like 4360 is brief, simple and easy to understand. I employ more language from 4360 in my day-to-day risk life because it is simple. At the end of the day, all frameworks are pretty much the same: identify all your risks, write them down and assess them so you can prioritize them. Once you write them down, now you have to do something about them.

    This is not rocket science.

    But if you are going to hand a CFO both documents and say 'pick one to read so you know how to do risk management' unless you are named Frank Martens, I am pretty sure the CFO is going to reach for the 31000.

    See the Deathmatch between 4360 and COSO here:

    http://riskczar.com/2009/09/09/h-felix-kloman-coso-erm-vs-anz-4360-...

  • Thank you Mathew, really appreicate your comments , please feel free to comment that would benefit organisations thinking or already implementing the RM.

    Mathew Hancock said:

    Hi Fayaz,

     

    As per the comments already made, I would say that both standards look at the same risk management process (context, identification, evaluation, management, etc), but talk about how to apply the process across an organisation differently.  There are strengths and weaknesses to each approach, but both have useful elements to them.

     

    If someone is looking at how to apply either the COSO ERM framework or ISO31000 I would suggest looking at a process maturity approach (as per the SEI-Carnegie Mellon University Capability Maturity Model).  The COSO ERM framework and ISO31000 can help you define what you can do, while the maturity model framework can be used to provide a good understanding of the journey by which you can achieve it.  I would put a cautionary note here though that not all maturity models are well put together.  Happy to discuss the maturity concept further if there is interest.

     

    Kind Regards,

     

    Mathew

     

     

  • Alex, thank you for commenting i was going to mention about your specialist group if anyone would like to discuss it over there as well. 

    We appreciate your comments here on Global Risk Community as well. This is the reason why we like have such discussions on all the forums dealing with Risk.

    Happy New Year to you too.!

  • Hi Fayaz,

     

    As per the comments already made, I would say that both standards look at the same risk management process (context, identification, evaluation, management, etc), but talk about how to apply the process across an organisation differently.  There are strengths and weaknesses to each approach, but both have useful elements to them.

     

    If someone is looking at how to apply either the COSO ERM framework or ISO31000 I would suggest looking at a process maturity approach (as per the SEI-Carnegie Mellon University Capability Maturity Model).  The COSO ERM framework and ISO31000 can help you define what you can do, while the maturity model framework can be used to provide a good understanding of the journey by which you can achieve it.  I would put a cautionary note here though that not all maturity models are well put together.  Happy to discuss the maturity concept further if there is interest.

     

    Kind Regards,

     

    Mathew

     

     

  • Fayaz Malik started this discussion from the LinkedIn group on the ISO 31000 Risk Management Standard.

    We have reached 5000+ members and growing with 100 new members every week.

    For those interested to listen to the original interview of Jim de Loach and read the 144 comments which it continues to generate, you are invited to join the following discussion :

    Comparing the COSO ERM Framework with ISO 31000
    Short link : http://goo.gl/OZzYV

    I take this opportunity to wish you a Happy New Year 2012

    Regards
    Alex Dali, MBA,ARM
    Moderator of the ISO 31000 Risk Management Standard group in LinkedIn

    Sign Up | LinkedIn
    500 million+ members | Manage your professional identity. Build and engage with your professional network. Access knowledge, insights and opportuniti…
  • I referenced a 2003 article by the legendary Felix Kloman comparing 4360 to COSO a couple of years back. Since most people would agree 31000 is very similar to 4360, the Kloman article may help respond to the question.

    My earlier reference to the 600 pages is not untrue as it is quite lengthy and given the choice between both I quote Winston Churchill: "The length of this document defends it well against the risk of its being read.”

    Kloman is more eloquent in his assessment of COSO ERM  "It is an exercise in cranial congestion: too many words, too much jargon and too little clarity".

    31000 like 4360 is brief, simple and easy to understand. I employ more language from 4360 in my day-to-day risk life because it is simple. At the end of the day, all frameworks are pretty much the same: identify all your risks, write them down and assess them so you can prioritize them. Once you write them down, now you have to do something about them.

    This is not rocket science.

    But if you are going to hand a CFO both documents and say 'pick one to read so you know how to do risk management' unless you are named Frank Martens, I am pretty sure the CFO is going to reach for the 31000.

    See the Deathmatch between 4360 and COSO here:

    http://riskczar.com/2009/09/09/h-felix-kloman-coso-erm-vs-anz-4360-...

    H. Felix Kloman – COSO ERM vs ANZ 4360 Deathmatch
  • Trevor, we need just few points.

  • I believe no framework is a perfect evaluating tool but i don't think COSO is better than ISO31000. I thnk ISO31000 is better at both evaluation and guiding the implementing framework.

  • The main difference between COSO ERM and ISO 31000 is about 600 pages.

This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1132

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 244

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 175

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 381

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 113

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead