Yes. The COSO definition of control supports and reinforces ISO 9001:2015 control requirements, specifically both frameworks are:
- Process based. COSO is a process consisting of ongoing tasks and activities. ISO 31000 emphasizes the process approach throughout the standard.
- Affected by people. Both frameworks are affected by people.
- Guideline documents. Both are risk management guideline documents. Both allow an organization to architect, design, deploy, and assure risk management systems based on the company’s context.
- Interpretive. Both are discretionary and interpretive documents. This is critical since ISO 9001:2015 has eliminated the need for a quality manual in QMS documentation. Management system owners have more latitude in the design and deployment of management systems.
- Provide reasonable assurance, not absolute assurance. COSO emphasizes reasonable assurance, which is implied in ISO 31000.
- Provide for internal auditing. Both COSO and ISO 31000 rely on internal auditing to provide the requisite monitoring of control effectiveness.
- Focus on the achievement of business objectives in operations and compliance. Both focus on meeting business objectives. ISO 31000 focuses on the achievement of objectives, which can be scoped to specific management system objectives.
- Adaptable to different enterprises. Both can be used in different types of organizations in different sectors.
Lesson Learned: COSO and ISO 31000 are mutually compatible. They can be melded into a RBT or risk management system that is adaptable and meets varying requirements.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below:
