Here’s a 2003 article written by Mr. Kloman in which he reviews a draft version (at the time) of 4360 and a draft of COSO ERM authored by PwC. Although he is not reviewing the final versions, one can still draw similar conclusions. The terms “winner” and “draw” were added by me.
Mr Kloman noted:
- 4360: Model of clarity (winner)
- COSO: Feels like an elephant stepped on me
- 4360: Just calls it risk management (without the enterprise, business, integrated, holistic, etc.) (draw)
- COSO: Adds the E to the risk management
- 4360: Defines risk as: “exposure to the consequences of uncertainty, or potential changes from what is planned or expected.” (winner)
- COSO: Says no common terminology exists
- 4360: The draft reviewed was only 23 pages (winner)
- COSO: The Executive Summary was only 23 pages, and the entire document was 139 pages
- 4360: Uses the term “risk treatment” (winner)
- COSO: Very control focused and uses the term “risk response”
- 4360: The gold standard (winner)
- COSO: It is an exercise in cranial congestion: too many words, too much jargon and too little clarity.
With a final score of 5-0, 4360 wins hands down over COSO ERM.
If you had to choose based on the length of each document, perhaps this Churchill quote will help: “The length of this document defends it well against the risk of its being read.”