#113 – CAN ISO 31K AND COSO ERM WORK TOGETHER? – GREG HUTCHINS

ISO 31K and COSO ERM are often presented as the two competing risk management frameworks. ISO 31000 has been adopted as the national risk management standard in many countries. COSO ERM, however, is the de facto risk standard for many global and publicly listed companies.

We have used both. There are differences. However, the similarities outweigh the differences. And the critical question is:

Can ISO 31000 and COSO ERM work together?

Yes. The COSO definition of control also supports and reinforces the ISO 9001:2015 control requirements, which build on the same risk-based thinking. More specifically, both COSO ERM and ISO 31000 are:

  • Process based.  COSO defines ERM as a process consisting of ongoing tasks and activities. ISO 31000 emphasizes the process approach throughout the standard.
  • Effected by people.  Both frameworks treat risk management as something carried out by people at every level of the organization, not as a set of documents.
  • Guideline documents.  Both are risk management guideline documents. Both allow an organization to architect, design, deploy, and assure risk management systems based on the company’s context.
  • Discretionary and interpretive documents.  This is critical since ISO 9001:2015 has eliminated the requirement for a quality manual in QMS documentation. Management system owners now have more latitude in the design and deployment of management systems.
  • Providers of reasonable assurance, not absolute assurance.  COSO states reasonable assurance explicitly; it is implied in ISO 31000.
  • Reliant on internal auditing.  Both COSO and ISO 31000 rely on internal auditing to provide the requisite monitoring of control effectiveness.
  • Focused on the achievement of business objectives, including operations and compliance objectives.  ISO 31000 focuses on the achievement of objectives, which can be scoped to specific management system objectives.
  • Adaptable to different enterprises.  Both can be used in different types of organizations across different sectors.

Lesson Learned:  COSO and ISO 31000 are mutually compatible. They can be melded into a risk-based thinking (RBT) or risk management system that is adaptable and meets varying requirements.

The challenge is how to adapt the risk management framework you choose to a specific organization. So use a risk professional; otherwise you’ll be spinning your wheels.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below:
