3.3 COSO Enterprise Risk Management (ERM) Framework
COSO is the Committee of Sponsoring Organizations of the Treadway Commission. The COSO standard, like the ISO 31000 standard discussed previously, is not a mandatory requirement for an organization seeking to build a risk management offering. The COSO 2017 definition of risk has moved away from its more traditional roots by stating that risk is “the possibility that events will occur and affect the achievement of strategy and business objectives.” Compared with the ISO 31000:2018 definition of risk, both definitions lean towards the uncertainty of risk and its effect on objectives, with the goal of implementing an effective risk management offering in an organization. The effects could have an upside or a downside on the objectives of the organization.
Traditionally, the COSO ERM Framework was used almost exclusively by the financial sector because of its focus on financial reporting, audit, and compliance. The COSO ERM Framework introduced in 2017 is depicted as an intertwining double helix in the form of a ribbon-like rainbow, replacing the cube of the earlier framework known as the COSO ERM cube.
Image description: A double helix shape made up of five colours. One strand represents governance & culture and information, communication, & reporting; the other strand represents strategy & objective-setting, performance, and review & revision. In between the loops of the helix are mission, vision, & core values, strategy development, business objective formulation, implementation & performance, and enhanced value.
The update was deemed necessary to address changing business landscapes and business failures, and to integrate an organization’s risks with its strategies. There are five components for successful enterprise risk management that can be applied to an organization’s mission and core values:
- Governance and Culture: oversight from the top down.
- Strategy and Objective Setting: activities related to risk appetite and performance.
- Performance: risk assessment and risk responses to address risks that could adversely affect the organization’s performance.
- Review and Revision: review the performance of ERM in the organization and make changes where necessary.
- Information, Communication and Reporting: communicating the effect of ERM on the organization using information obtained from inside and outside the organization.
There are 20 principles distributed across the five components stated above, each principle belonging to one component. The COSO ERM Framework is connected to the organization through the components and the principles in the 2017 model. The interrelated components and principles, in the form of a double helix, are the DNA of a COSO ERM Framework, allowing an organization to manage risks and drive performance while maximizing value.

| Governance & Culture | Strategy & Objective-Setting | Performance | Review & Revision | Information, Communication, & Reporting |
|---|---|---|---|---|
| 1. Exercises Board Risk Oversight | 6. Analyzes Business Context | 10. Identifies Risk | 15. Assesses Substantial Change | 18. Leverages Information and Technology |
| 2. Establishes Operating Structures | 7. Defines Risk Appetite | 11. Assesses Severity of Risk | 16. Reviews Risk and Performance | 19. Communicates Risk Information |
| 3. Defines Desired Culture | 8. Evaluates Alternative Strategies | 12. Prioritizes Risks | 17. Pursues Improvement in Enterprise Risk Management | 20. Reports on Risk, Culture, and Performance |
| 4. Demonstrates Commitment to Core Values | 9. Formulates Business Objectives | 13. Implements Risk Responses | | |
| 5. Attracts, Develops, and Retains Capable Individuals | | 14. Develops Portfolio View | | |