What Is COSO ERM?

The COSO Enterprise Risk Management (ERM) framework is a principles-based approach developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It helps organisations identify, assess, manage, and monitor risks that may affect the achievement of objectives.

The current version, COSO ERM – Integrating with Strategy and Performance (2017), reframes risk management as an integral part of:

  • Strategy-setting: Risk considered when objectives are defined
  • Business performance: Risk integrated into performance measurement
  • Decision-making: Risk information supports strategic choices
  • Governance and oversight: Board-level accountability for risk

COSO ERM is:

  • Not a certification standard
  • Not prescriptive about tools or software
  • Designed to be adaptable across industries

Its strength lies in connecting risk, strategy, and performance—making it particularly valuable for public sector organisations, utilities, and large enterprises with significant governance requirements.


Strategy-Risk Integration

Unlike operational risk frameworks, COSO ERM emphasises that risk management should begin during strategy formulation, not as an afterthought once objectives are set.

Why COSO ERM Exists

Historically, risk management was treated as a defensive activity—focused on compliance, loss prevention, and controls. COSO ERM was developed to address several recurring organisational failures:

  • Risk discussions disconnected from strategy: Risk reviewed separately from planning
  • Boards receiving risk reports too late: After issues have materialised
  • Performance targets set without understanding risk exposure: Unrealistic objectives
  • Risk ownership unclear at executive level: No accountability

COSO ERM exists to ensure that risk considerations are embedded into how organisations set objectives and measure success. It provides a common language for enterprise risk management across management, auditors, and the board.

The Five Components of COSO ERM Explained

COSO ERM is structured around five interrelated components, supported by 20 principles that describe what each component requires in practice.

1. Governance and Culture

This component establishes the foundation for enterprise risk management.

Key elements include:

  • Board oversight of risk: The governing body understands the organisation's risk profile
  • Defined organisational structures: Clear lines of authority for risk
  • Clear roles and accountability: Risk responsibilities explicitly assigned
  • Ethical values and risk culture: Tone set by leadership

Common failure: Risk ownership exists on paper, but accountability is weak in practice. Leaders approve frameworks but don't actively engage with risk information.

2. Strategy and Objective-Setting

COSO ERM requires risk to be considered before strategy is approved—not after.

This component focuses on:

  • Defining risk appetite: How much risk is the organisation willing to accept?
  • Evaluating alternative strategies: Which approach best balances risk and reward?
  • Aligning objectives with risk tolerance: Are goals realistic given risk exposure?

In mature organisations, strategic options are assessed against risk appetite, and risk appetite statements guide actual decision-making—not just documentation.

Common failure: Risk appetite statements are created but never operationalised. They exist in policies but don't influence real decisions.

3. Performance

This is where COSO ERM becomes operational. The performance component covers:

  • Identifying risks that impact objectives: What could prevent success?
  • Assessing severity: Likelihood and impact analysis
  • Prioritising risks: Which risks require immediate attention?
  • Selecting risk responses: How will each risk be treated?

Although COSO ERM does not prescribe specific tools, this is where risk registers, risk scoring matrices, and control assessments are commonly used.

Common failure: Risk assessments are performed inconsistently across departments with different criteria and rating scales.

4. Review and Revision

COSO ERM recognises that organisations and risks change over time.

This component ensures:

  • Risks are reviewed as conditions evolve: Regular reassessment
  • Control failures and incidents trigger reassessment: Learning from events
  • ERM adapts to internal and external change: Framework evolution

Effective organisations use incidents and near misses to update risk profiles and review their risk registers based on performance outcomes.

Common failure: Risk assessments are reviewed only on a fixed annual schedule, regardless of whether significant changes, incidents, or near misses have occurred in between.

5. Information, Communication, and Reporting

Risk information must reach the right people at the right time.

This component focuses on:

  • Quality and timeliness of risk data: Accurate, current information
  • Internal communication: Risk awareness across the organisation
  • Reporting to senior management and the board: Decision-useful insights

Effective reporting highlights top risks clearly, shows trends and emerging issues, and links risk exposure to performance outcomes.

Common failure: Risk reports are too detailed or too generic to support actual decisions. Boards receive lengthy documents without clear priorities.


Component Integration

The five components work together as a system. Governance without performance data is theoretical. Performance without review becomes stale. All components must function for COSO ERM to deliver value.

The Role of Risk Registers in COSO ERM

COSO ERM does not mandate the use of a risk register, but in practice, most organisations rely on one to support the Performance component.

In COSO-aligned organisations, risk registers:

  • Reflect strategic and operational objectives
  • Assign executive-level ownership
  • Capture risk responses and controls
  • Feed into board and audit committee reporting

The key difference from basic risk management is how the information is used, not how it is recorded. Risk registers should link risks to controls and actions and demonstrate how treatments address root causes.

Understanding inherent risk (exposure before any controls are applied) versus residual risk (exposure after existing controls) is essential for showing boards what the implemented controls are actually worth, and for deciding whether the residual exposure sits within risk appetite.
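The following is an added worked example, not code from the original page and not anything COSO publishes; COSO ERM prescribes no tool, so the register layout, the shared 1..5 scales, the control-point model, the appetite threshold and the three sample risks are all assumptions constructed here. It illustrates the Performance component's "risk register and scoring matrix" step and the inherent-versus-residual point above: one organisation-wide rating scale (the fix for departments scoring on different criteria), a named executive owner and objective per risk, controls that produce a residual rating, ranking against a risk appetite threshold, and a top-N view of the kind a board report needs. The five response types (accept, avoid, pursue, reduce, share) are the ones the 2017 framework lists.

```python
from dataclasses import dataclass, field

# Added example; scales, thresholds and risks are constructed for illustration.

# One organisation-wide 1..5 scale for likelihood and impact. Sharing the scale
# across departments is what makes scores in a single register comparable.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Response types listed in COSO ERM (2017).
RESPONSES = {"accept", "avoid", "pursue", "reduce", "share"}


@dataclass
class Control:
    """A control and the assessed reduction it delivers on one dimension."""
    name: str
    reduces: str   # "likelihood" or "impact"
    points: int    # scale points removed, as assessed by the risk owner

    def __post_init__(self):
        if self.reduces not in ("likelihood", "impact"):
            raise ValueError(f"{self.name}: reduces must be 'likelihood' or 'impact'")
        if self.points < 0:
            raise ValueError(f"{self.name}: points must be non-negative")


@dataclass
class Risk:
    risk_id: str
    title: str
    objective: str       # the objective the risk threatens (links risk to strategy)
    owner: str           # executive-level owner, named rather than "TBD"
    inherent_likelihood: int
    inherent_impact: int
    response: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.inherent_likelihood not in LIKELIHOOD or self.inherent_impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: inherent ratings must use the shared 1..5 scale")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_ratings(self) -> tuple:
        """Apply controls to the inherent ratings; neither dimension drops below 1."""
        lik, imp = self.inherent_likelihood, self.inherent_impact
        for c in self.controls:
            if c.reduces == "likelihood":
                lik = max(1, lik - c.points)
            else:
                imp = max(1, imp - c.points)
        return lik, imp

    @property
    def residual_score(self) -> int:
        lik, imp = self.residual_ratings()
        return lik * imp


def prioritise(register: list, appetite_threshold: int) -> list:
    """Rank by residual score (ties broken by inherent score) and flag appetite breaches."""
    ranked = sorted(register, key=lambda r: (r.residual_score, r.inherent_score), reverse=True)
    return [
        {
            "risk_id": r.risk_id,
            "owner": r.owner,
            "objective": r.objective,
            "inherent": r.inherent_score,
            "residual": r.residual_score,
            "control_value": r.inherent_score - r.residual_score,
            "outside_appetite": r.residual_score > appetite_threshold,
        }
        for r in ranked
    ]


def board_summary(register: list, appetite_threshold: int, top_n: int = 3) -> list:
    """Top-N risks only: the concise view a board needs rather than the whole register."""
    return prioritise(register, appetite_threshold)[:top_n]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware on billing platform", "Maintain revenue collection", "CFO",
         inherent_likelihood=4, inherent_impact=5, response="reduce",
         controls=[Control("Offline, tested backups", "impact", 2),
                   Control("Endpoint detection and response", "likelihood", 1)]),
    Risk("R-02", "Loss of sole-source supplier", "Deliver capital programme on time", "COO",
         inherent_likelihood=3, inherent_impact=4, response="share",
         controls=[Control("Dual sourcing contract", "impact", 2)]),
    Risk("R-03", "Late statutory reporting", "Remain compliant with regulator", "CFO",
         inherent_likelihood=2, inherent_impact=3, response="accept"),
]

# Constructed appetite: any residual score above 8 is outside appetite and needs action.
APPETITE_THRESHOLD = 8

if __name__ == "__main__":
    for row in board_summary(SAMPLE_REGISTER, APPETITE_THRESHOLD):
        flag = "OUTSIDE appetite" if row["outside_appetite"] else "within appetite"
        print(f"{row['risk_id']} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"controls removed {row['control_value']:>2} points: {flag} ({row['owner']})")
```

Two design choices matter here. Validation in `__post_init__` rejects ratings off the shared scale and unknown response types at entry time, which is where inconsistent departmental scoring usually creeps in. And `control_value` (inherent minus residual) is carried into the board view so that the report shows what the controls buy, rather than only a residual number with no context.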

Common COSO ERM Implementation Mistakes

Even organisations with a strong governance focus often struggle with COSO ERM, for a recurring set of reasons (mistake followed by its consequence):

  • Treating COSO as a compliance checklist: Focus on documentation rather than decision-making
  • Overloading risk registers with low-value risks: Critical risks lost in noise
  • Weak linkage between strategy and risk assessment: Risk function isolated from the business
  • Risk discussions disconnected from performance reviews: Risks not considered when evaluating results
  • Excessive reporting with little insight: Board disengagement

These issues reduce COSO ERM to a reporting exercise rather than a management discipline that adds value.

COSO ERM in Practice

Organisations that apply COSO ERM effectively:

  • Integrate risk discussions into strategy and budgeting cycles: Risk is on the agenda
  • Use risk appetite to guide decisions: Not just as a policy statement
  • Monitor key risks continuously: Real-time awareness
  • Align risk reporting with executive and board needs: Concise, actionable information

COSO ERM works best when supported by:

  • Clear governance structures
  • Consistent risk assessment methods
  • Integrated risk, control, and performance data

Industry Applications

COSO ERM is particularly valuable in:

COSO ERM vs ISO 31000

ISO 31000 and COSO ERM are complementary frameworks that serve different purposes:

  • Focus: governance and strategy (COSO ERM) versus risk process and principles (ISO 31000)
  • Audience: board and executives (COSO ERM) versus the enterprise and operations (ISO 31000)
  • Structure: five components supported by 20 principles (COSO ERM) versus principles, framework, and process (ISO 31000)
  • Strength: strategic alignment (COSO ERM) versus flexibility and execution (ISO 31000)
  • Certification: neither framework is certifiable

Many organisations use the two together, COSO ERM for governance and ISO 31000 for execution. In South Africa, both frameworks complement King IV governance requirements.

When COSO ERM Is the Better Choice

COSO ERM is particularly well-suited for:

  • Large or complex organisations: Multiple business units, geographies, or regulatory requirements
  • Public sector and state-owned entities: Strong governance and accountability expectations
  • Highly regulated environments: Financial services, utilities, healthcare
  • Organisations with strong board oversight: Active audit and risk committees

COSO ERM provides a common language between management, auditors, and the board—essential for organisations where governance is a priority.

Key Takeaways

  • COSO ERM integrates risk management with strategy, performance, and governance
  • The framework has five components: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, and Information & Reporting
  • Risk appetite must be operationalised, not just documented
  • Risk registers support COSO ERM but should feed into governance reporting
  • Common failures involve treating COSO as compliance rather than decision support
  • COSO ERM and ISO 31000 are complementary and often used together

Frequently Asked Questions

Is COSO ERM mandatory?

No. COSO ERM is a voluntary framework, but it is widely regarded as best practice for enterprise risk management. Many regulators, auditors, and governance bodies reference COSO ERM as a benchmark for effective risk oversight.

Is COSO ERM certifiable?

No certification exists for COSO ERM. Organisations can align their ERM frameworks to COSO principles and demonstrate this alignment through internal audit, but there is no formal certification process.

Which industries use COSO ERM?

COSO ERM is commonly used in public sector, financial services, utilities, healthcare, and large manufacturing organisations. It is particularly relevant for organisations with significant governance requirements and board-level risk oversight.

What is the difference between COSO ERM and ISO 31000?

COSO ERM focuses on governance, strategy alignment, and board-level oversight, while ISO 31000 provides principles and a process for managing risk at the operational level. Many organisations use the two together, COSO ERM for governance and ISO 31000 for execution.