The COSO ERM framework explained
03 May 2021
If you are a risk, compliance or audit professional, it is likely you will have heard of the COSO ERM framework and its role in supporting effective risk management and internal control systems. If you are not overly familiar with how the framework is applied in practice, we summarise its key components below and explain how it could benefit your organisation in achieving its long-term objectives.
The need for more effective risk management
In answer to a call for principles-based guidance to help businesses implement an enterprise-wide approach to risk management, COSO (the Committee of Sponsoring Organisations) launched its ERM Integrated Framework in 2004.
This original framework, whilst particularly well suited to enterprises where risk management is driven by the internal audit function, came under some criticism for its lack of focus on identifying threats and opportunities, which is arguably where the true value of ERM lies.
To address this and the growing complexity of the risk environment, COSO later published an updated standard in 2017 which builds on the characteristics of the 2004 version, with a greater emphasis on strategy-setting and driving performance.
Today, the COSO risk management framework is used by thousands of enterprises worldwide to enhance their internal controls, providing a more extensive and robust focus on the area of ERM. Not only does it concentrate on broader strategic objectives but also company culture and concepts such as risk appetite. Plus, with stakeholders engaged with risk more than ever before and with less margin for error, the new standard helps organisations to meet the demands of heightened transparency and accountability when managing the impact of risk.
What are the five components of the COSO framework?
COSO believes that for ERM to be effective, it must be embedded throughout an organisation, since risk influences and aligns strategy and performance at all levels.
Comprising 20 principles that are grouped into five interrelated components, COSO’s latest framework acknowledges risk management as an iterative process, as shown in the model below.
- Governance and culture – Providing a foundation for the other four components, governance refers to the ‘tone from the top’ and the oversight responsibilities for ERM, whilst culture looks at risk awareness, desired behaviours, and instilling the right ethical values.
- Strategy and objective-setting – With a core focus on strategic planning, understanding the long-term impact of risk and the contributing factors, this section offers guidance on establishing the risk appetite, formulating key objectives, and defining the processes for adequately identifying, assessing and responding to risk.
- Performance – Once the strategy has been developed, the next step is to assess the risks that could hinder a business as it strives towards its goals. This component assists organisations in prioritising risks based on their severity, as well as in responding to them effectively. The results are then shared with the key risk stakeholders.
- Review and revision – Now that risks have been prioritised along with their associated course of action, organisations can reflect on the ERM processes to examine how well they are functioning and, if the risk landscape has evolved, determine where improvements can be made.
- Information, communication and reporting – The final component of the framework helps to ensure ERM is embedded as a continual practice, where information is shared from both internal and external sources across the organisation in the areas of risk, culture and performance.
Why implement the COSO enterprise risk management framework?
The ability to achieve your organisational objectives is largely accomplished through your reputation, which in turn is dependent on your commitment and focus on good governance and accountability.
As the risk landscape becomes ever more volatile and complex, the COSO ERM framework not only helps to provide assurance to key stakeholders but also offers an effective lens through which businesses can evaluate their ability to align strategy, risk and performance.
Since it also enforces greater transparency and culture around risk, organisations are better able to improve their resilience capabilities as well as identify risks before they pose a major threat in the evolving business environment.
Another key benefit of the COSO framework is that it accommodates modern-day risk management technology and the generation of data and analytics to support decision-making – a sure way to mitigate any unwanted surprises and harness opportunities for future organisational success.
Knowing where to start
Applying the COSO framework to your risk management operations may seem like a monumental endeavour, which is why it is recommended to approach its implementation in stages, prioritising one component at a time.
In order to do this, first assess where your business stands in relation to the five components of the framework. By answering the following questions, you can gain better clarity on where to concentrate your efforts:
- What is your organisation’s culture around risk and is this being exemplified from the top?
- How are decisions made when it comes to risk?
- How do you know if you are moving towards your business objectives or if there is an obstacle in the way?
- What is helping to drive organisational improvement?
- Does your business lack key insights and effective communication around risk?
- What are your business's top pain points and could an ERM framework help to solve them?
With the right focus and a burgeoning ERM strategy, your business can be confident in tackling the uncertainty of not just today’s risk climate but also that of the future.
Now that you have had a whistle-stop tour of the COSO ERM framework, we explore a topic that has seen some debate over the years: Who owns enterprise risk? Download your free white paper to get our recommendations for auditors and risk managers.