COSO ERM Update: A Vital Tool in 21st Century Risk Management

Internal auditors around the world should take note of an important development this week – the release of the updated COSO enterprise risk management framework.

Several of my blog posts in the past year have focused on the growing demands being placed on internal auditing by its stakeholders and the importance of practitioners being able to rise up to meet new tasks we are being asked to perform.

This new reality reflects the growing complexity of governance, risk, and control in a fast-moving world where powerful technological, socioeconomic, and geopolitical forces can quickly morph the risk landscape. As such, all those who help manage and assess risk across the enterprise must have the best tools and processes available to them.

In COSO’s newly released Enterprise Risk Management – Integrating With Strategy and Performance, risk professionals have a comprehensive and sophisticated tool that advocates the value of enterprise risk management (ERM) when setting and carrying out strategy.

Much has changed in risk and risk management since the original COSO ERM framework was introduced in 2004. For example, technological progress has created amazing new opportunities for business and government as well as an entire new risk category of cybercrime. The updated framework addresses these kinds of changes and provides a tool that not only allows organizations to improve risk management but also to better understand the impact of risk on performance.

Importantly, the update also provides stronger guidance on just what ERM is — and isn’t. The value of true ERM is that it promotes an enterprisewide approach and understanding of risk. Too often busy executives and board members pigeonhole ERM as a department or relegate it to a checklist of tasks. They should recognize that it is much more. From the update:

Enterprise risk management is not a function or department.It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.

This definition illuminates the degree to which risk and risk management influences all areas of the organization.

To help risk managers better understand the complexity and dynamics at play, the framework identifies five interrelated components that are vital to successful ERM:

• Governance and culture.
• Strategy and objective-setting.
• Performance.
• Review and revision.
• Information, communication, and reporting.

It further identifies sets of principles that support each component. For example, strategy and objective-setting is reinforced by analyzing business context, defining risk appetites, evaluating alternative strategies, and formulating business objectives.

All organizations, including those that currently use the original ERM framework, can benefit from the update, which in short:

• Provides greater insight into the value of enterprise risk management when setting and carrying out strategy.
• Enhances alignment between performance and risk management and builds awareness and understanding of the impact of risk on performance.
• Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies.
• Expands reporting to address expectations for greater stakeholder transparency.
• Accommodates evolving technologies and the proliferation of data and analytics in supporting decision-making.
• And more.

Clearly, the update reflects the thorough and thoughtful approach that COSO took to revising one of its flagship products. I should note that Enterprise Risk Management–Integrating With Strategy and Performance drew not only on the expertise of update partner PwC, but also on a varied and talented group of risk professionals who made up its advisory group. The advisory group helped guide the update, which focused not only on revising and improving the framework’s utility but also on its ease of use and application across an array of industry types and organizational sizes.

I encourage anyone involved in managing risk, from the board and C-suite to first-year internal auditors, to seek out and examine the new update. Having a fundamental understanding of the interplay among risk, performance, strategy, and value should be table stakes for all those involved in modern risk management.

COSO has made the Executive Summary for the Framework free for download. The full document is available for purchase from The IIA.

As always, I look forward to your comments. ​​