I have blogged about the roll-out of the COSO ERM update back in 2017. In 2018, ISO updated their well-known risk management standard, too. Since then, I’ve spent considerable time studying and using both standards. Hence, I now feel comfortable and confident to share my opinion about those two well-known ERM frameworks. In other words, bienvenu to the COSO vs ISO battle.
Specifically, my comments pertain to the ISO 31000:2018 standard and the “COSO Enterprise Risk Management, Integrating with Strategy and Performance – June 2017” edition. The latter being quite a “mouth-full”.
In this post I set the scene for my considerations and share some high-level, more general comments about each of the standards. The following instalments will contain more detailed elaborations and considerations.
Admittedly, I am an erstwhile COSO-fan who voluntarily turned more into an ISO supporter over the past few years. Over the course of this article I outline why I have changed my preference.
If you prefer to listen the audio version of this blogpost, click on the image below.
standards – why do we need standards?
The world is beautifully diverse, every company is different, and jurisdictions and regulations vary across the globe. Hence, why do practitioners need risk management standards in the first place?
Very strong arguments must be made in favour of standards:
- activities and outcomes of ERM-work undertaken by different companies and in different locations are easily comparable on a like for like basis
- standards set a common tone
- standards set a baseline, i.e. no more need to explain the basics
- practitioners and consumers of their work can focus on the outcomes and not the underlying methodology – particularly important for Board of Directors
- and there always is the “best practice” argument and defence
Which standard ?
Risk management standards are commonplace for a long time. Auditing bodies, ISO, COSO, the IRM, RIMS, AS/NZS 4360 and many other institutions have issued and are updating RM-manuals and standards. For this series of podcasts, I will focus on the most recent releases of the ISO and the COSO standards, respectively.
ISO and COSO – A High Level View
Both standards are well known and respected globally. In the same breath, the two guides desperately needed an update. ISO brushed-up after nine years: they released the most recent version in 2018. COSO on the other hand, took 13 years to update. Their most modern publication now dates to 2017.
At first glance, the ISO standard got more comprehensive in its coverage whilst shrinking in size. This was achieved by moving certain parts to other standards and focusing more on principles and high-level frameworks.
In stark contrast, the COSO document is impressive in length, the executive summary already covers 16 pages. The most eye-popping change is the abandonment of the famous COSO cube. COSO developed something akin to a triple helix to describe their view of ERM.
At this stage of the “COSO vs ISO smack down”, the score is even.
The first thing I noticed when reading through the ISO 3100:2018 is the lack of the word “enterprise” almost throughout the document. Has ISO gone back to the bad old days of silo-risk management? I don’t understand this apparent lack of the “E”-word. Having said that, the ISO standard goes to great length and detail referring to the enterprise and its entity, so there is nothing to worry, it seems.
I have a great liking for fluff-free written and spoken communication. ISO scores VERY big in this department. Simple, short sentences. Very little lingo & if there is specific vocabulary, then it gets explained separately in ISO 73.
ISO updated its definition of “risk” to a more modern meaning. They now give attention to the up-side and the downside of risk (FINALLY). Their previous focus on classical hazard risk, which by default knows only down-side, was a serious detractor to use ISO in a strategic and entrepreneurial context. I emphasise that proper management of hazard risk is very important, but ERM is so much more than that. The 2018 update emphasises more on strategic aspects of risk. In addition, it repeatedly calls the board of directors and senior management to duty.
ISO 31000:2018 focuses on principles and guidelines for ALL risks faced by any entity. On the flipside, the ISO document is rather generic and provides very little, detailed guidance for practitioners. That is a fair point of critique, however basic principles are – by the very nature of the term – generally applicable. The customisation to an industry, company-size and other idiosyncrasies is best left to the practitioners. In addition, regulators, trade bodies and other stakeholders often prescribe certain ERM standards, so the localisation is taken care of by other institutions.
When I set out as a full-time ERM-pro, I was immediately drawn to COSO. The main attraction was the strong link to business, opportunity risk and strategy. Almost like love at first sight.
My miss-perception that ISO is all about sequential processes that provide no entrepreneurial freedom and dictate compliant business almost how to sharpen their pencils added even more oil into the fire. Going through an ISO 9000 certification many many moons ago didn’t help either.
the “TRIPLE HELIX”
COSO abandoned their famous “cube” and developed something akin to a triple helix. The new shape is supposed to be as comprehensive as possible and depict the entire value chain. I give COSO a lot of credit for having the courage to defect one of their key “trademarks”. Having said that, the new triple helix appears to be too much of a good thing. It reminds me of the myriad of physicists who try to develop the unified “world formula”. This endeavour is a great thing. However, how many people will truly understand it and how practical is it?
The new COSO framework has the dimensions of a study textbook. Kudos for being that comprehensive. The illustrations look contemporary. However, I have a strong preference for a shorter and crisper version, something like the “core” ERM-approach. The more elaborate considerations, together with examples could have been published in a separate “book”.
COSO’s approach is very comprehensive. New risks, such as the ongoing development of technology and the ever-increasing connection between risks take an important spot in their framework. Furthermore, I like the ongoing emphasis that ERM is linked to strategy and performance. And lastly, COSO published a separate document delving into practical examples. Sadly, this compendium comes at an extra cost.
I give COSO a lot of credit for their (attention dear listeners: guff alert!!) reach-out to stakeholders through various channels. The authors and publishers released a comprehensive Podcast series, e-distributed brochures and set-up a YouTube channel.
Having said that, the executive summary that reaches almost 20 pages (with all due respect and consideration that COSO needs to give to various stakeholders) is a detractor. Depending on the format you choose, the COSO executive summary is about half the length of the entire ISO 31000 standard.
COSO vs ISO: THE VERDICT
After round one of the COSO vs ISO smack-down my score is as follows: taking conciseness, guff-free language and strong focus on general principles and guidelines into account, my verdict after round one is clear: “GAME and SET for ISO”. Bear in mind though, the match isn’t over yet!
Stay tuned for upcoming editions of the Megrow blog, in which I will take this COSO vs ISO contest into the next rounds. In the meantime, if you have questions about ERM or would like an outside-in-view at your current or planned ERM-efforts, kindly contact me via the links at the bottom of the page.