Corporate Compliance Insights
COSO, ISO 31000 or Another ERM Framework?

by Jim DeLoach
June 25, 2018
in Risk

When defining an ERM process tailored to the organization’s needs, it helps to have a suitable framework as a point of reference. Otherwise, management begins with a blank sheet of paper, which everyone knows makes the task harder.

There are different frameworks from which to choose, among them:

  • COSO Enterprise Risk Management – Integrated Framework
  • ISO 31000 Risk Management – Principles and Guidelines on Implementation
  • BS 31100 Code of Practice for Risk Management
  • FERMA A Risk Management Standard
  • OCEG Red Book 2.0 (GRC Capability Model)

Below, we contrast the two most commonly used frameworks: COSO and ISO 31000.

The COSO framework was issued in 2004, and ISO 31000 followed in 2009. COSO’s emphasis is on providing a flexible standard against which to evaluate an organization’s current ERM process — as opposed to focusing on the specific activities of the risk management process itself. On the other hand, ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. This distinction is crucial when comparing the two frameworks and deciding how each can be used.

As part of its focus on risk management as a process, ISO 31000 devotes more attention to implementation, which broadens its appeal for those looking for insights on that subject. To that end, COSO has subsequently issued some implementation guidance in the form of a thought paper offering practical approaches for getting started. Companies that plan to implement the COSO ERM framework should review ISO 31000 (and other frameworks) for additional perspective and guidance on implementation considerations.

ISO 31000 states:

“[R]isk management creates value; is an integral part of organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on best available information; is tailored; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.”

Therefore, ISO 31000 is focused on integration and change themes. COSO states that ERM is applied in strategy-setting, and its definition of ERM explicitly incorporates the concept of risk appetite and aligns it with strategy. ISO 31000 makes a passing mention of risk appetite as an aspect of policy.

Most organizations that have taken serious steps to implement ERM would assert that ERM is a journey. Because ERM can’t be implemented overnight, companies must evolve their thinking based on their experience and needs. All of the frameworks can be useful as companies continue to learn and advance their risk management capabilities. Both COSO ERM and ISO 31000, because of their maturity, holistic approach and methodological consistency, can help organizations realize the potential benefits connected with the application of a generic risk management standard.

The two frameworks (as well as the others mentioned earlier) touch on similar aspects of the risk management process. While there are nuances among the alternative frameworks, each is basically a representation of the same body of knowledge. All frameworks are built on the same model of selecting an objective and using that objective as a standard for evaluating risk management effectiveness and efficiency.

Whether a framework begins with a quality focus or with a focus on a strategic initiative, performance goal or risk, the evaluator must set down an objective by which to assess the performance of risk management capabilities. In practice, the framework of choice is often a matter of personal preference as to what’s needed to suit the enterprise’s purposes. That said, ALL of the frameworks can be useful when getting started.

One thing to keep in mind: The COSO framework is often selected because the project sponsor wants to “leverage prior work using the COSO internal control framework,” because COSO’s ERM framework incorporates its long-standing internal control framework within it. While on the surface this point of view has appeal, it also can lead to immersion of the ERM implementation into minutiae, an approach that doesn’t blend well with a strategic focus. COSO’s primary objective was to expand on internal control and provide a more robust and extensive focus on the broader subject of ERM. Used properly in strategy setting and across the enterprise, the framework can help companies accomplish that objective.

Finally, while a suitable framework has its role, it is not a panacea. What is equally important is a fully engaged board, a bought-in CEO, an approach to integrating risk management with the core management processes that matter, an open and transparent risk culture, a balanced compensation structure, and the will and discipline to act when the warning signs are clear. A framework alone cannot solve these issues, which are broader and largely cultural in nature.

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
© 2022 Corporate Compliance Insights