3.3 COSO Enterprise Risk Management (ERM) Framework

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. The COSO standard, like the ISO 31000 standard discussed previously, is not a mandatory requirement for an organization seeking to build a risk management offering. The COSO 2017 definition of risk has moved away from its more traditional roots by stating that risk is “the possibility that events will occur and affect the achievement of strategy and business objectives.” When compared with the ISO 31000:2018 definition of risk, both definitions lean towards the uncertainty of risk and its effect on objectives, with the goal of implementing an effective risk management offering in an organization. The effects could have an upside or a downside on the objectives of the organization.

Traditionally, the COSO ERM Framework was used almost exclusively by the financial sector because of its focus on financial reporting, audit, and compliance. The updated COSO ERM Framework, released in 2017, replaces the earlier COSO ERM cube with an intertwining, rainbow-coloured ribbon in the form of a double helix.

[Figure: a double helix of five coloured ribbons representing the five ERM components]
Figure 3.3.1: “Enterprise Risk Management” in Enterprise Risk Management: Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. (See Acceptable Use of COSO Materials [PDF] for permission details).

Image description: A double helix shape made up of 5 colours. One strand represents governance & culture and information, communication, & reporting; the other strand represents strategy & objective-setting, performance, and review & revision. Between the loops of the helix are mission, vision, & core values; strategy development; business objective formulation; implementation & performance; and enhanced value.

The update was deemed necessary to address the changing business landscape and recent business failures, and to integrate an organization’s risks with its strategy. There are five components of successful enterprise risk management that can be applied to an organization’s mission and core values:

  1. Governance and Culture: oversight from the top down.
  2. Strategy and Objective Setting: activities related to risk appetite and performance.
  3. Performance: risk assessment and risk responses to address risks that could adversely affect the organization’s performance.
  4. Review and Revision: review the performance of ERM in the organization and make changes where necessary.
  5. Information, Communication and Reporting: communicating the effect of ERM on the organization using information obtained from inside and outside the organization.

The five components above are supported by 20 principles, each of which belongs to one of the components. In the 2017 model, the components and principles are what connect the COSO ERM Framework to the organization. The interrelated components and principles, presented as a double helix, are the DNA of a COSO ERM Framework, allowing an organization to manage risks and drive performance while maximizing value.

Table 3.3.1: “20 principles of the COSO ERM Framework” in Enterprise Risk Management: Integrating with Strategy and Performance, © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission. (See Acceptable Use of COSO Materials [PDF] for permission details).

Governance & Culture
  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

Strategy & Objective-Setting
  6. Analyzes Business Context
  7. Defines Risk Appetite
  8. Evaluates Alternative Strategies
  9. Formulates Business Objectives

Performance
  10. Identifies Risk
  11. Assesses Severity of Risk
  12. Prioritizes Risks
  13. Implements Risk Responses
  14. Develops Portfolio View

Review & Revision
  15. Assesses Substantial Change
  16. Reviews Risk and Performance
  17. Pursues Improvement in Enterprise Risk Management

Information, Communication, & Reporting
  18. Leverages Information and Technology
  19. Communicates Risk Information
  20. Reports on Risk, Culture, and Performance

License


Risk Management - Supply Chain and Operations Perspective Copyright © 2024 by Azim Abbas and Larry Watson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
