COSO Enterprise Risk Management

Integrating with strategy and performance


New COSO ERM framework increases alignment with strategy and culture

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a new enterprise risk management (ERM) framework in September 2017, titled Enterprise Risk Management—Integrating with Strategy and Performance. The new guidelines replace the previous publication, Enterprise Risk Management—Integrated Framework, which was released by the COSO board in 2004. The updated document is designed to address an evolving risk environment and better align with an organization’s internal culture and strategy.

Over the last 13 years, the risk environment has changed and organizations must be more nimble in how they assess and manage risks. Some specific reasons driving the need for an updated COSO ERM framework include:

  • Rising complexity for organizations operating today: It’s a very different business environment than in 2004, with new challenges and new demands
  • Risks emerging more quickly: Once a risk event occurs, its effects now tend to manifest much faster than in past years, and with broader exposure
  • Customer preferences have changed: How consumers purchase and consume goods has changed significantly, creating additional pressure and new risks on traditional strategies and business processes
  • Social media allows news to travel fast: With the continuing evolution of social media, news of events—real or not—spreads quickly, increasing the urgency for businesses to better anticipate public disclosures to proactively manage messaging
  • The regulatory environment has become more aggressive: Regulations that the typical organization has had to adhere to have increased over the past eight to 10 years, and the current political environment has resulted in uncertainty over ongoing requirements
  • Emerging technology creates both concerns and opportunities: An increased reliance on technology can create security and privacy risks, but big data can also provide more meaningful input for effective strategy and execution

All of these factors have a significant impact on risk, and the new COSO ERM framework allows organizations to look at risk more systematically and to address potential issues more effectively.

Analyzing the new COSO framework

Enterprise Risk Management—Integrating with Strategy and Performance has an enhanced focus on an organization’s strategy, performance and culture. While the prior framework included some guidance in those areas, they now serve as starting points for efforts to manage risk.

The framework sets out a basic conceptual structure of ideas, which an organization should integrate into existing practices. In addition, the guidelines help organizations align ERM practices with management philosophy and enhance performance by more closely linking strategy and business objectives to risk. This, in turn, helps drive stronger decision-making.

The ERM guidelines can be applied to all types of organizations and should be aligned with the organization’s culture, so that risk management has a positive and more connected influence on strategy development. ERM is linked to all aspects of the business, including governance, performance management and internal control practices.

It will be important to review the COSO Internal Control—Integrated Framework (2013) as part of applying the ERM framework, as some concepts relating to internal control that are common to both publications are not repeated in the ERM framework to avoid redundancy. Ultimately, ERM helps develop a portfolio view of risk or risk profile for the organization, looking at both upside and downside risk.

How it is applicable to your organization

The world has become more complex since the prior framework was developed, and your risk framework should evolve accordingly. Customers, vendors and other stakeholders want a better understanding of the risk management practices of the companies they work with, and boards require more transparency to understand risks and how management is responding to them.

Risk is not just an event to be avoided and controlled but an opportunity to gain a competitive advantage. To achieve this, your organization must integrate ERM into its strategy selection. ERM increases your agility, adding perspective on the strengths and weaknesses of your business strategy as conditions change.

How the new framework can help

Implementing COSO’s new ERM guidelines can help maximize value for your organization, with benefits including: an increased range of opportunity, improved ability to identify and manage risk entity wide, more positive outcomes and fewer negative surprises, reduced performance variability, improved resource deployment and enhanced enterprise resilience. In addition, implementing the ERM framework addresses the expectation of greater stakeholder transparency by providing the necessary insights up front.

Next steps to take

In order to properly evaluate the Enterprise Risk Management—Integrating with Strategy and Performance framework and determine how it can align with your organization, you must first understand the guidelines and components. Next, assess your existing risk management practices, and determine what is working and where there is opportunity for improvement. Adopt practices in line with your management philosophy and build on existing components, but know that this takes time to implement and can be a culture shift for many organizations.

Another important factor to consider is the extent of the resources necessary to implement a more modern ERM framework, both from a people and technology perspective. An experienced advisor can help your organization understand the new COSO framework, properly deploy resources and effectively leverage the risk management guidelines to protect against threats and take advantage of potential opportunities.
