Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

Introduction Graphic

A comparative overview of risk management and internal control guidance

by Matthew Leitch, 26 May 2010

The famous guides to risk control – like COSO's ERM framework, ISO's 31000 standard, and the UK government's Orange Book – have had a huge influence on theorising about risk control and also driven practical choices by organizations around the world.

Unfortunately, fame is no guarantee of quality or suitability. The table below is a simple guide to the main contenders in alphabetical order of the issuing organization. As you can see, the highest overall ratings do not go to the most famous documents.

In future I hope to add more detailed reviews, plus advice on implementing each of the guides.

The meaning of each of the criteria is explained below the table.

TitleIssued byLatest issueIntended applicabilityAvailabilityLocationLengthClarityIdeasGuidanceOpennessCommentsOverall star rating
BS 31100:2008 Risk management - Code of practiceBSI2008All risks, all organizationsPurchaseBSI website42 pages60603070Some good bits, some dull bits, some mistakes.***
Charities and Risk ManagementCharity Commission2007All risks, audited UK charities complying with a requirement to report on risk managementFree to downloadCharity Commission website5k words, 12 pages





A basic flaw is built into the regulations.*
Enterprise Risk Management - Integrated FrameworkCOSO2004All risks, all organizationsPurchaseStart at COSO's website2 volumes60504040Some interesting examples, but relies on risk appetite and does not handle upsides well.***
Internal Control - Integrated FrameworkCOSO1992All risks, all organizationsPurchaseStart at COSO's website2 volumes6540


50A landmark, but not very practical. Has added millions to the cost of SOX compliance.**
Internal Control over Financial Reporting Guidance for Smaller Public CompaniesCOSO2006All risks, smaller organizationsPurchaseStart at COSO's website4 volumes


252070Too abstract.*
The Green Book: Appraisal and Evaluation in Central Government (especially chapter 5 and Annex 4)HM Treasury2003Economic business casesFree to downloadHM Treasury's website114 pages plus supplementary materials65


4040Risk registers and over-reliance on sensitivity analysis and expected values, but excellent response options.***
TitleIssued byLatest issueIntended applicabilityAvailabilityLocationLengthClarityIdeasGuidanceOpennessCommentsOverall star rating
The Orange Book: Management of Risk - Principles and ConceptsHM Treasury2004All risks, all organizationsFree to downloadHM Treasury website46 pages45402030A dismal compendium of mistaken ideas.*
Risk governance: towards an integrative approachInternational Risk Governance Council2005Systemic risks, by governments and their agentsFree to downloadIRGC website152 pages


705060Ambitious and complex. Recognizes that risks are mental inventions. Problems about risk acceptance.***
A risk management standardIRM (originally IRM, ALARM, and AIRMIC)2002All risks, all organizationsFree to downloadIRM website14 pages




30Let down by focus on risk registers, ISO terminology, identification, use of 'risk appetite', and extensive probability-impact grid material.*
ISO 31000:2009 Risk management – Principles and guidelinesISO2009All risks, all organizationsPurchaseISO website29 pages25352560Ambiguous language and some logical flaws.**

Please notify me if you know there is a more recent version of any of these available, or if you know of other guidance that might be worth including. If you think any of this information is wrong in some way please let me know.

Guide to ratings

The ratings are based on my personal view after reading the document.

Clarity: This is out of 100, where 100 means perfectly clear and 0 means incomprehensible. Problems that can give a low score here include ambiguity, vagueness, low readability, and meaningless diagrams.

Ideas: This is out of 100, where 100 means the document has lots of good, fresh ideas in it and 0 means it has no good, fresh ideas in it. You might read a document with good ideas in it to gather those ideas. Having bad ideas too does not affect this score, nor does repeating very well known ideas.

Guidance: This is out of 100, where 100 means the guide can be understood and followed and nothing more is needed for an effective, efficient approach. A score 0 means the guide is useless. Problems that can give a low score here include failing to cover important topics, lack of clarity, and advocating practices that don't work very well or are logically flawed (see next section).

Openness: This is out of 100, where 100 means the document is consistent with all possible practices and 0 means it is not consistent with any practices. The more open a guide is the more likely it is that an organization can be consistent with it without doing anything differently.

Overall star rating: This is out of 6 stars, where 6 stars would be the ultimate document in this area and no stars means the document is abysmal. The fact that most guides get a low star rating reflects my belief that we can do much, much better.

Common flaws

In reading these documents certain flaws came up repeatedly:

© 2010 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr