It does NOT matter
The crux of the matter lies in proper implementation and effective embedding!
The wheel has been invented!
Risk managers around the world can rely on well-known, tried-and-tested standards for enterprise-wide risk management (“ERM”). In other words, we don’t need to reinvent the wheel. Instead, we can funnel our energy into implementation and into harvesting the metaphorical fruits of our labour.

Despite this amazing starting position, a flurry of search queries looking for “ISO or COSO?” continues to reach the Megrow website.
Furthermore, the question of which ERM standard is best is a perennial topic of discussion, or controversy, on social media. If you are curious about the nature and content of this debate, then spend some time on LinkedIn.
A detailed review of ERM standards is not the subject of this blog post. I already did that six years ago in episode six of the Megrow Podcast. Both methods have advantages and disadvantages. At their core, the standards are very similar: principles-based and focused on linking ERM to strategy and business goals. Both standards were revised about five years ago, hence they are similarly contemporary.
If your organization is not subject to external regulations that dictate a certain standard, then the choice is yours.
Making a choice
Choose one standard, consider moderate adjustments, communicate your choice to the relevant stakeholders and then: “action”.
A word about “modifications”: Moderate adjustments to your organisation’s operating environment are meaningful. However, I advise against making so many mutations that the standard becomes unrecognizable, or more bluntly put, diluted to insignificance.
Occasionally, the idea of blending components from different standards into one new oeuvre gains popularity. This attempt to “create the best of many worlds” is, under almost all circumstances, inefficient and destined to fail.
Efficiency is important. However, omitting apparently non-core components of any standard for the sake of being lean and mean is a fallacy. 2/3 of COSO or 66.6% of ISO is not good enough.
On a side note, neither Megrow Consulting GmbH nor I receive any form of support from ISO or any other organisation that publishes ERM standards.
Jumping Ship?

Customers do ask us whether they should switch from standard A to standard B to get more value from their ERM. Before taking such a drastic step, we recommend analysing why the current method does not deliver the desired results. If you are interested in “what good ERM looks like”, then please head over to episode 20 of our podcast. That episode describes the key ingredients of good ERM in a succinct manner. Alternatively, we published a compact guidebook about the same topic in early 2023. This book is available on Amazon. If you are a Kindle Unlimited subscriber, the download is free!
An independent, outside party can add tremendous value to a review by providing you with best-practice advice, valuable benchmarking, and tangible input on how to improve your organisation’s risk maturity and resilience.
Get in touch with us for a free first diagnosis of your ERM! Contact details are below.
Thank you for reading this post!