ISO 31000:2018 and COSO ERM: Prevalence and suitability in enterprises
Abstract
In the current, extremely volatile business environment, all entities need to handle a wide range of risks that pose a threat to their operations. Several risk management frameworks have been introduced to address these issues; among them, ISO 31000 and COSO ERM are currently the most advanced and popular, since both take a holistic approach that involves all functions and levels of the enterprise simultaneously.
The subject of this thesis is the critical evaluation of these two prevailing risk management standards, together with field research on their prevalence and suitability in enterprises.
In the theoretical part, the study analyses the risk management concept and the two standards through a broad literature review focusing on their comparison, similarities and differences. In its main, empirical part, the study investigates the characteristics of companies (sector, size, location etc.) that determine the preference for one standard or the other.
Since neither ISO 31000 nor COSO ERM is officially certifiable, and no official databases of the entities that apply them exist, information was derived indirectly through internet searches, management reports, press releases, articles, social media etc., resulting in a non-exhaustive dataset of 367 enterprises and organizations.
The results of the statistical analysis of this sample indicate that: a) ISO 31000 is more popular around the globe, but a large percentage of entities (36.2%) chose to apply both standards; b) the size of the company is essential in the choice of which standard to follow; c) there are patterns of preference for one (or both) of the standards related to the entity's country of origin; and d) the economic sector also has an effect on the choice, with industries with a more risk-averse culture being those that apply both standards.
Finally, given the limitations and challenges of sampling, we suggest that future scientific research should consider: the formation of an official worldwide registry of applications; the investigation of additional factors that may affect the choice of, or preference for, a specific risk management framework; and the follow-up of existing applications to identify potential problems encountered, variations from the authentic standard's concept, stakeholders' experience etc.