Recently, I had a conversation with Grant Purdy — a highly respected (and opinionated) risk management professional, and a leader in the development of the ANZ risk management standard and the subsequent ISO 31000:2009 standard. You can see his thoughts on COSO ERM here.
How do you feel about the COSO framework? Have you seen the more recent ISO 31000 standard, and if so, which do you prefer?
COSO is in the process of updating the Internal Control Framework. Is it time for a fresh look at the ERM framework?
Finally, are there areas where both sets of guidance fail to meet the mark?