COSO’s new Enterprise Risk Management framework aligns risk with strategy

(excerpt from a COSO press release)

In response to the importance of risk management as well as growing complexity and speed of risk over the past decade, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) unveiled an update to its Enterprise Risk Management – Integrated Framework and is seeking public comment on the proposal, beginning June 15. The update, Enterprise Risk Management — Aligning Risk with Strategy and Performance, is designed to address the needs of all organizations to improve their approach to managing new and existing risks as a way to help create, preserve, sustain and realize value.

COSO, which provides thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence, released the original ERM Framework in 2004. Today, it is used widely to enhance an organization’s ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the framework was released, demanding heightened board awareness and oversight of risk management as well as improved risk reporting.

The update reflects the critical importance of the connection between strategy and performance, offers perspective on current and evolving concepts and applications of enterprise risk management, and updates the core definitions of risk and enterprise risk management. One of the most significant enhancements is the introduction of components and supporting principles that reflect the evolution of risk management thinking and practices.  It also updates the importance of enterprise risk management’s role in strategic planning and emphasizes how critical it is to embed risk management practices across all departments and functions of an organization.

COSO has expanded its website with a section on the Framework update that includes the proposed Framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. The site also includes a video that features four members of the Advisory Council addressing the ERM update process and the importance of obtaining input from a variety of risk professionals about the proposed changes. Public comment will be accepted June 15 through Sept. 30, 2016. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.


The new framework is available on the COSO web site. The full document runs over 125 pages, but the Executive Summary is a good read. It’s written for a general audience and provides a great overview of the principles of ERM. For example, I thought this section from the introduction about what ERM is (and isn’t) was a good refresher:

  • Enterprise risk management is more than a risk listing. Managing risk across an organization requires more than listing the “top 10” risks or making an inventory of all risks within the organization. Enterprise risk management is broader and includes practices that management puts in place to actively manage risk to appropriate levels.
  • Enterprise risk management addresses more than internal control. Internal control is an integral subset of enterprise risk management. But enterprise risk management also addresses other topics such as setting strategy, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions.
  • Enterprise risk management is not a checklist. It is a set of principles on which processes can be built for a particular organization, and it is a system of monitoring, learning, and improving performance.
  • Enterprise risk management can be used by organizations of any size. If an organization has a mission, a strategy, and objectives—and the need to make decisions under uncertainty—then enterprise risk management can be applied. Enterprise risk management can and should be applied by all kinds of organizations, from small shops to community-based social enterprises to government agencies to Fortune 500 companies.

COSO’s 23 principles of Enterprise Risk Management (ERM).

Glen Gower

About the author

Glen is the director of marketing and communications at Iceberg.
