COSO ERM - A Good Framework?

Recently, I had a conversation with Grant Purdy — a highly respected (and opinionated) risk management professional, and a leader in the development of the ANZ risk management standard and the subsequent ISO 31000:2009 standard. You can see his thoughts on COSO ERM here.

How do you feel about the COSO framework? Have you seen the more recent ISO:31000 standard, and if so which do you prefer?

COSO is in the process of updating the Internal Control Framework. Is it time for a fresh look at the ERM framework?

Finally, are there areas where both sets of guidance fail to meet the mark?

Posted on Feb 21, 2011 by Norman Marks


  1. ISO 31000 wins this hands down and it is useless to point out deficiencies in ISO as it is a work in progress and more needs to be done in various areas. More will be communicated soon. The US response to ISO will be issued this week. However, I agree with the commentaries Grant makes on COSO ERM which we have previously seen and known about for some time. Because of these deficiencies, the COSO ERM documents cannot be fixed. It would require dismantling the entire framework.

    What is quite troubling beyond the issues that Grant raises is getting to the root cause of how such a document could hit the marketplace. As you are aware ISO 31000 is built on the DNA of AS/NZS 4360:2004 which was released in 2004 as an update to AS/NZS 4360:1999. Why was the Australian framework not known about here in the US in 2004? Why did the professional bodies of the AICPA and IIA not promote the Australian framework? I think that I know the answer and this is an unfortunate situation for all practitioners especially in this country that have suffered because of an absence of credible risk management guidance here in the US. We have to get out of the mindset that "if it's made in America, it must be better."

    Now we will be back on track in 2011 but there are many individuals out there including quite a few internal audit practitioners that will really have their work cut out for them.

    The few things I will add to Grant's blog are that the COSO ERM documents approximated 250 pages in total for both books compared to 25 for ISO 31000. There are 120 principles compared to 15 or so from ISO. They use 20 or so disjointed cases and although ISO has no cases, we do have access to the Harvard Business School Case on Hydro One. Although this is not an exact replica of ISO, it has enough of the DNA in it to be quite helpful.

  1. Arnold, I will differ from your view in a few respects:

    1. ISO 31000:2009 is not perfect and we should understand its deficiencies: (a) because they impact our use of the standard, and (b) they need to be addressed at some point.

    2. COSO ERM is not fatally flawed and the issues can be addressed - especially given the more recent material provided with the ISO guidance. It also has a number of strengths - which Grant has recognized.

    3. One of the severe issues with ISO, that needs to be recognized, is that it is not in the public domain. While the cost to purchase documents is free, ISO does not allow the materials to be used in external training and other guidance.

    We should recognize that the IIA is now and in future agnostic with respect to risk management standards and frameworks. It supports both COSO ERM and the ISO 31000:2009 framework.

  1. I disagree with you Norman especially on point number two. Take a look at the flaws and let us know how you reach the conclusion that the issues can be addressed. Put some detail around your explanations especially for number ten.

    Also let me know if you have any answers to my questions above. Somebody must. I am not sure what the IIA supports and does not support and in any event it is not helpful to support two different frameworks.

  1. Also, what are the flaws that you see in ISO 31000?

  1. Arnold,

    COSO ERM can be upgraded, just as any standard (including ISO) can be upgraded by a revision process. The famous cube can be changed or replaced, for example. The discussion of inherent risk changed to one of potential exposure, and additional focus included on external events.

    As for flaws in ISO: how about the fact that it does not address changing the risk culture to one that embraces the consideration of risk. What the standard says now is that the risk management activity must be tailored to the internal context - but if that is one that is inadequate, no actions are suggested. In addition, there is no discussion of understanding the need for and value of risk management within the enterprise - and designing the risk management activity accordingly. Finally, the issue of speed (a dimension you and I have discussed) is not considered: the speed with which responses have to be made, the volatility of risk levels, etc., have to be considered when designing the related risk management activities.

    I believe COSO ERM is due for a review and upgrade, or (better) for integration with ISO 31000:2009 into a global standard that is in the public domain so all practitioners can use it. ISO 31000:2009 is not perfect, but it is a good product that will improve over time.

  1. Arnold, I was not part of the process where COSO produced the ERM framework and so cannot answer your questions.

    As to the comment about supporting two frameworks, IIA is a global organization that needs to support its members. The latter use a variety of frameworks and the IIA should not focus on a single one when others are popular (IMHO). I believe we should be commending not criticizing IIA leadership for their move to get more involved with ISO activities.

  1. Finally, I agree with a comment made by Richard Chambers that we should have more positive comments shared on the good and great features of these frameworks. Who would like to contribute?

  1. Norman:

    I think a bigger issue that needs to be discussed is this:

    Can the IIA be considered independent when it is one of the members that "owns" the COSO ERM framework and the 1992 COSO control framework?

    Does the IIA endorse the fact that the COSO frameworks, control or ERM, do not have a mandatory improvement cycle that the ISO frameworks do? (ISO frameworks must be opened for review and revision every 4 years)

    I believe the IIA should promote the creation of an independent global standards body that has an IIA representative but also draws from groups and individuals outside of the current 5 COSO members that are all US based/headquartered organizations.

  1. Interesting question, Tim. I don't personally think (I can't speak for the IIA) that the IIA should be independent and stand on the sidelines as governance, risk, and control frameworks are developed and related guidance published. I am proud to say that I have been part of some IIA initiatives to influence such activities, and have watched IIA teams participate in King III, Cadbury, and other projects. The IIA is now engaged not only in COSO but also in ISO projects.

    As for a global standards board, I like the idea of a single set of standards that all can follow. However, I am somewhat disappointed that the ISO products are not open (ISO is such a global body). You have to pay for their products and third parties cannot include them to provide related training.

  1. Norman

    I think no true, independent standards are free, anywhere. Certainly all ANSI, Canadian, BSI, Standards Australia standards are for sale. I find this rather comforting as it means that the standards organisations do not have to rely on 'donations' from software companies and consultancies to complete their work, which always introduces bias.

    Apart from the Executive Summary, you also have to buy the weighty tome that is the COSO ERM Framework and as it cannot be downloaded as a soft copy, this involves those of us outside the USA with additional freight charges.

    As to not being able to use the ISO product for training I think this is also incorrect. You can copy text from the standard and make the appropriate reference and attribution.

    ISO, like most standards organisations, is very much run on a shoestring. Its objectives are standardisation and the removal of barriers to trade. To achieve this it has to generate some income from the sale of its products.

  1. Grant,
    I think you raise an excellent point. COSO products are produced by the big accounting firms (C&L, PwC, Grant Thornton) that have the resources to offer pro bono services to author COSO products without charging a fee. Having worked for the big 6 twice in my career, the primary motivation to do thousands of hours of unpaid work links to practice development, training and branding.

    Although these volunteer researchers/authors are guided by the COSO steering committees they see the world through a lens that is shaped by the environment they work in. This is a normal human condition. Currently all of the COSO members are predominantly accounting/auditing organizations. I have stated in a number of forums COSO should expand to include representatives of the quality profession, IT security, fraud, ethics and compliance, and director institutes as full members to produce less biased products. To date I have not seen any plans to expand the COSO membership.

  1. I agree with your comments, Tim, and Grant's as well.

    The point above that COSO ERM can be easily modified is unfortunately without merit. COSO ERM will never be modified because the ten deadly sins are pervasive throughout the document. I suggest all readers of this blog read COSO ERM carefully and then Grant Purdy's 10 deadly sins. There seems to be a greater concern expressed above that we need to make positive comments. Quite frankly, if I do this, they will be untruthful remarks. The internal audit leadership has many stakeholders including its 175,000 members. I would suggest strongly that it satisfy the needs of those stakeholders in terms of risk management knowledge or training, or the members should take their hard earned dollars and find alternative organizations to belong to that will give them the training.

    I had strong positive comments on COSO ERM when it was initially issued for a period of about 2 years, primarily as a consequence of my own ignorance of alternative risk and control guidance from around the globe from countries in which both you, Tim, and you, Grant, reside (CoCo and AS/NZS 4360:2004). In hindsight, it is this exact guidance that should have been permeating the US landscape from 1995 through 2004, instead of what we have before us now.

    In the long run, products which produce no value will be seen for what they are. Most of the CFOs and CEOs that I have been talking to over the past several months have been rejecting COSO ERM and instead moving forward with either ISO 31000 or its predecessor AS/NZS 4360:2004. This is what we need to do. Yes, it is true that the COSO steering committees see the world through a lens that is shaped by the environment they work in.

  1. By the way, I am one of the few that probably has positive comments to make on COSO ERM because I have worked with it extensively in addition to reading it from cover to cover at least 4-5 times. While it can never be redone, it will provide some valuable insights/research. Two examples are as follows:

    It is principles based as is ISO, but there are 120 principles, much more than can be utilized by top management; however, the detail of the 120 principles will be valuable for training purposes for the more junior staff and can be referenced in turn to the 10 or so ISO principles. A second area of COSO ERM I found particularly helpful, and still do, is the section on quantification (risk analysis). The discussion of the different methods and examples is quite good. I can provide additional examples but am almost afraid to lest my comments be taken out of context that the framework should be kept in use. It should not, because it is inconsistent in thinking in so many respects with ISO, erroneously so, and will only confuse the public which already is quite confused about risk management.
