COSO’s enterprise risk management framework

Enterprise risk management framework

Through sponsored research, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) produced frameworks that can be used to assess the effectiveness of risk management and internal control systems. The organization was originally formed to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), whose remit was research into fraudulent financial reporting.

Adoption of its findings and guidance was never mandatory, but they have become widely accepted because of the structure they provide: an enterprise risk management (ERM) framework. The framework has been readily taken up, in particular by companies rocked by corporate scandals that stemmed from weak internal control or risk management practices.

Understanding the ERM Model

The COSO ERM model is used by enterprises around the world. The model has one dimension of objectives (the four categories being strategic, operations, reporting and compliance) and a second dimension of eight components, which represent the actions that need to be taken for the objectives to be achieved. A third dimension is the units within an organization (entity, division, business unit, subsidiary), so that every cell of the resulting cube is a place where a component applies to an objective for a given unit.

Figure: the eight components of COSO's enterprise risk management framework.
The eight components represented in the ERM model are:

    1. Internal environment

The internal environment sets the tone of an organization: it shapes risk appetite, ethical values and attitudes towards risk management. The board sets that tone, and individual directors also play a part, especially those serving on audit and risk committees.

Some have criticized the ERM model for not sufficiently reflecting the impact of the competitive environment, or the role and influence of external stakeholders, on risk appetite and risk management.

    2. Setting of objectives

A board should set objectives that support the mission of the organization and that are aligned with its risk appetite. Risk tolerance, the acceptable variation around a set objective, should be considered in relation to risk appetite.

One consideration for a board is how certain features of a control system can be used strategically. For instance, a code of ethics can be used to position an organization as one that is socially responsible.

    3. Event identification

An organization has to identify the internal and external events that affect the achievement of its objectives. The COSO enterprise risk management framework distinguishes events with a negative impact, which represent risks, from events with a positive impact, which represent opportunities. Both should inform strategy setting.

It is also important that organizations distinguish between strategic and operational risks. They should pay attention both to occurrences that can disrupt operations and to those that threaten strategic objectives.

    4. Risk assessment

Risk assessment means estimating the likelihood and impact of risks so that they can be managed effectively. Organizational leaders also need to consider how different risks are interrelated. The COSO guide emphasizes using both qualitative and quantitative risk assessment methodologies, and assessing inherent risk (before any response) as well as residual risk (after the chosen response). Another criticism of the ERM model is that it oversimplifies risk assessment: many risks have a range of possible outcomes rather than a single likelihood-and-impact pair, and the assessment should consider all of those possibilities.

    5. Risk response

This is where management chooses the actions it believes will bring risks within risk tolerance and risk appetite. A risk can be responded to in one of four ways: avoidance, reduction, acceptance or sharing (often called transfer, for example through insurance or outsourcing). The COSO guide emphasizes taking a portfolio view of risk rather than considering each risk in isolation.

Risk responses should also be realistic and weigh the cost of the response against its impact, and the organization's environment will affect which responses are appropriate. The ALARP principle, reducing risk to a level that is as low as reasonably practicable, has become important, especially in sectors where potential health or safety risks are serious but can be reduced. COSO suggests a mix of controls: both preventive controls (which stop an event from occurring) and detective controls (which identify an event after it has occurred), implemented through both manual and automated means.

    6. Control activities

These are the policies and procedures that help ensure the selected risk responses are carried out effectively. COSO has supplemented the ERM model with its guide Internal Control - Integrated Framework. The guide stresses that control activities are a means to an end rather than an end in themselves, and that they are effected by people. It also emphasizes the need for controls at every level of the organization.

    7. Information and communication

An organization should have information systems that ensure relevant data is identified, captured and communicated in a form and within a time frame that enables staff and managers to carry out their responsibilities.

That information then needs to be communicated to members of staff. Communicating the risk areas that relate to staff members' own activities is an effective way to strengthen the internal environment, because it embeds risk awareness in how staff think and act.

    8. Monitoring

The whole risk management system needs to be monitored and adjusted where necessary. In 2009, COSO supplemented its ERM guidance with specific guidance on how to monitor internal control systems. It stresses that there should be both ongoing monitoring and periodic separate reviews, that findings should feed back into action within the organization, and that audit committees and internal audit departments play a major role.


The ERM model has been widely adopted as an enterprise risk management framework and has helped organizations manage risk more effectively. However, organizations should be aware of its limitations and find their own ways to fill the gaps; no framework on its own is a foolproof method of mitigating risk.
