coso erm framework

What You Need To Know About the COSO ERM Framework

Businesses that navigate the ever-changing risk management landscape are the ones that will be most likely to succeed. 

PWC’s 2022 Global Risk Survey reveals that organizations embracing risk management as a strategic organizational capability are twice as likely to expect revenue growth of 11% or more in the following year.

Robust risk management capabilities help protect an organization from downside risks, enabling it to look forward and take appropriate risks in pursuing growth. It’s a win-win.

For risk management to be both efficient and effective, it has to be structured. 

And that’s where the COSO ERM Framework comes in.

What is the COSO ERM Framework?

COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission. 

ERM stands for Enterprise Risk Management.

The COSO ERM Framework is one of two popular standards companies use to help manage business risks. 

The other is ISO 31000.

A Brief History of the COSO ERM Framework

The Framework has a lengthy history dating back to the 1980s.

In the wake of spectacular business failures in the 1970s and 1980s, including the $2.25 billion municipal bond default of the Washington Public Power Supply System, the National Commission on Fraudulent Financial Reporting was formed in the summer of 1985. 

The commission would be named after its chairperson, former SEC Commissioner James C. Treadway, Jr.

The National Commission on Fraudulent Financial Reporting, commonly known as the Treadway Commission, was sponsored and funded by five major professional associations ​headquartered in the United States, including the American Institute of Certified Public Accountants (AICPA). 

A fitting name would soon be coined: The Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The initial objective of the Treadway Commission was to study the causes of fraudulent financial reporting and make recommendations. It issued its first standard in 1992. The standard was called Internal Control–Integrated Framework. 

However, demands for better corporate governance and risk management standards, especially after Enron and other financial scandals, prompted COSO to create its Enterprise Risk Management–Integrated Framework in 2004.

COSO released an updated ERM Framework standard in 2013 and 2017 to emphasize integrating risk management when designing or implementing organizational strategies. 

How is the COSO ERM Framework Used?

Using the COSO ERM Framework requires organizations to embed risk management in every process, every department, and every fiber of a company’s operations. 

It starts at the organization’s top with senior leadership and flows through to the entry-level clerk. All employees must be trained and educated about their responsibility for risk control. Risk control doesn’t live strictly with the risk control department. Everyone has a role to play.

Many public companies prefer the COSO ERM framework over others, like ISO 31000, because the COSO ERM framework is more comprehensive.

Because it’s considered the gold standard for risk management, private companies can also benefit from using the COSO ERM framework to establish internal financial controls, including setting up internal audit departments.

What are the 5 components of the COSO ERM Framework?

The COSO ERM Framework breaks down its key pillars into five components. 

While these components impact risk management differently, they are all interrelated. This means the COSO ERM Framework will be as strong as its weakest link.

Component 1: Governance and Culture

Governance sets “the tone at the top,” and culture relates to the company’s ethical values, desired behaviors, and understanding of risk. 

Governance and culture are often considered the most crucial of the five components of the COSO ERM Framework. 

This component focuses on the ethical values of the organization, the organizational structure, and recruiting and keeping competent, honest team members.

If there’s a lesson we learned from the spectacular failures of Enron and WorldCom, it’s that ethics and integrity should define corporate leadership.

Component 2: Strategy and Objective-Setting

This component emphasizes aligning the company’s overall strategy with its mission, vision, and core values, and setting performance and risk management objectives. 

It involves understanding the processes for identifying, assessing, and responding to risk, defining risk appetite, and planning business objectives aligned with the overall strategy.

Component 3: Performance

This involves implementing the strategy and objectives from Component 2, including identifying and prioritizing risks, implementing risk responses, and reporting performance. 

Performance measurement, risk identification, and prioritization are vital aspects of this component.

Component 4: Review and Revision

This component is about adapting and improving the risk management practices over time. 

It involves assessing substantial changes and reviewing risk management capabilities to ensure they are aligned with the organization’s objectives and are functioning effectively.

Component 5: Information, Communication, and Reporting

This component focuses on the continuous flow of information that supports risk management across the organization. 

It includes information technology, communication of risk information, and reporting on risk, culture, and performance.

What are the Benefits and Limitations of the COSO ERM Framework?

While the COSO ERM framework comes with many benefits, it has limitations. Here’s a summary of the two ends of the spectrum.

Advantages of the COSO ERM FrameworkLimitations of the COSO ERM Framework
Provides a comprehensive, widely accepted ERM frameworkCan be complex and time-consuming to implement
Encourages proactive risk management.Might not be suitable for small organizations due to its complexity
Helps align risk management with company objectives to manage risk in contextRequires ongoing commitment and support from senior management
Encourages continuous improvement of risk management practicesNo guarantee of success in preventing all risks

The Importance of Risk Management

While it may be easy to overlook the importance of risk management, one unmitigated risk can create havoc. 

Look at the downfall of Blockbuster Video. Its failure to adapt to new technologies (e.g., Netflix and streaming) and recognize a shift in consumer preferences led to its competitors dominating the sector and Blockbuster’s inevitable bankruptcy.

Risk management must be a central pillar of every successful company. Besides identifying and mitigating risks, risk management also:

  • Improves decision-making by clarifying risks associated with various options
  • Protects against financial losses from unexpected events like natural disasters or legal claims
  • Promotes regulatory compliance that can also strengthen the company’s reputation by being a trustworthy organization that attracts and retains top talent
  • Provides a competitive advantage over competitors that are less prepared for the unexpected, resulting in strategic growth opportunities

The Future of the COSO ERM Framework

In an age of speed and disruption, the COSO ERM Framework needs to continuously evolve and adapt to remain useful. 

Areas where the ERM Framework will need to focus for the future include:

  • Integration with new technologies, including how AI, blockchain, and data analytics will impact risk management
  • Emphasis on cybersecurity and data privacy to mitigate risk and establish responses in case of breaches
  • Focus on sustainability and climate change to manage environmental risks and sustainable business processes
  • Allow customization and flexibility to serve additional types and sizes of companies better
  • Alignment with other international ERM frameworks (like ISO 31000) to provide a unified risk approach across jurisdictions

The COSO ERM Framework is more than just a set of guidelines and rules. It’s a strategic necessity to remain competitive, seize opportunities, and navigate risk potholes.