Effective Risk Management: The COSO ERM Framework

Enterprise risk management (ERM) frameworks allow organizations to identify, assess, manage, and monitor risks across all levels of an organization. One of the most well-known approaches to ERM is the COSO ERM framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The framework offers guidelines and best practices for organizations seeking to achieve a balanced perspective on risk.

This article explores the COSO ERM fundamentals, recent framework updates, and the benefits of this specific framework for organizations.

What is the COSO ERM Framework?

The COSO Enterprise Risk Management framework helps organizations identify, assess, respond to, and monitor risks to align with business objectives. The framework was published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

COSO was founded in the mid-1980s by prominent accounting associations and institutes to research financial reporting and propose ways to stop fraudulent activities. The COSO internal control framework, “Internal Control–Integrated Framework,” was introduced in 1992 and focused on helping organizations assess and improve their internal control systems. Notable updates were published in 2004 and 2017 and are detailed below.

The COSO ERM works with a company’s control environment and is designed to give organizations a balanced perspective on risk. This allows organizations to view it as a potential threat and source of opportunity, promoting a culture of informed risk-taking.

Core Philosophy

The COSO ERM framework is based on the idea that organizations aim to provide value to their stakeholders. Every entity encounters uncertainty, which can either help or hinder its objectives.

The risk management standard believes in managing risks proactively and using them to achieve strategic and operational goals. This comprehensive approach integrates risk management into the organization's governance, strategy, and objective-setting processes.

Key Components of the COSO ERM Framework

The 2004 COSO ERM framework utilized a diagram called the “COSO Cube” to illustrate the multidimensional nature of risk management in organizations.

The top of the cube identifies organizational objectives, including strategic planning, operations, reporting, and compliance goals. The side panel represents organizational structure, emphasizing that ERM frameworks should focus on sustainability and be applied throughout the entire organization, from entity level to process level.

The front panel lists eight interrelated key components of the ERM framework that work together, including:

1. Internal Environment: Refers to the organizational culture, including the risk management philosophy, risk appetite, and the integrity and ethical values of the company
2. Objective Setting: Ensures that senior management, like the board of directors, has a clear direction and that risks are identified and assessed in the context of the organization's goals
3. Event Identification: Identifying potential events, both internal and external, that may affect the achievement of the organization's objectives
4. Risk Assessment: Once events are identified, they are analyzed to assess both their likelihood of occurrence and potential impact
5. Risk Response: Based on the risk assessment, organizations decide how to respond to identified risks, including avoiding the risk, accepting it, reducing it, or sharing it with others via risk reporting.
6. Control Activities: Actions, policies, and procedures that ensure risk responses are effectively implemented
7. Information and Communication: Ensures that relevant information about risks is captured, processed, and conveyed to the appropriate people within the organization so they can make informed decisions.
8. Monitoring: Regular reviews and internal audits to check that the other components are working as intended and implementing modifications as necessary to adapt to changes in the organization's internal and external environment

COSO ERM 2017 Update

Due to evolving business environments, the COSO ERM process was updated in 2017 to emphasize integrating risk with strategy-setting and performance. This continued the critical philosophy that risk is not just about preventing loss but also intrinsic to creating and preserving value.

The update, titled “Enterprise Risk Management—Integrating Strategy and Performance,” also included an updated diagram featuring a ribbon type illustrating the intertwining of five new categories throughout an organization’s lifecycle.

The ribbons illustrate the updated five key components, sorted into two groups: standard organizational processes (Strategy & Objective Setting, Performance, and Review and Revision) and supporting mechanisms of ERM (Governance and Culture, and Information, Communication, and Reporting).

1. Corporate Governance and Culture: Organizational culture should promote accountability, ethics, and transparency, including understanding and prioritizing stakeholder needs and expectations, defining clear roles and responsibilities, and ensuring that risk management practices are integrated into the governance structure.
2. Strategy & Objective Setting: Organizations must evaluate potential events and scenarios that could impact their ability to execute the organization’s strategy and achieve their objectives. This also involves aligning risk tolerance with strategy and considering the potential implications of various strategic options.
3. Performance: Organizations should understand how performance can deviate from expectations due to risks and establish key risk indicators to monitor this, evaluating how they capture and optimize value.
4. Review and Revision: Organizations must continually review and revise their risk management practices to account for lessons learned and the changing business environment. Regularly assessing the effectiveness of the risk management process and making necessary adjustments ensures it remains aligned with organizational objectives and stakeholder expectations.
5. Information, Communication, and Reporting: Organizations should have processes to capture, process, and communicate risk information to the appropriate stakeholders, ensuring informed decision-making and fostering transparency and trust with external stakeholders, such as investors, regulators, and the public.

Who Can Use the COSO ERM Framework?

The COSO ERM Framework is a versatile tool designed for broad applicability across various types of organizations. While it's not limited to any specific sector, there are certain industries where the adoption of such a structured approach to risk management is particularly common due to the inherent complexities and significant risks involved. These industries include:

• Financial Services: Banks, insurance companies, investment firms, and other financial institutions face numerous risks, including credit risk, market risk, operational risk, and compliance risks. The COSO ERM Framework helps them navigate these challenges and meet regulatory requirements.
• Healthcare: Healthcare providers, pharmaceutical companies, and other entities in this sector contend with regulatory risks, patient safety risks, and operational risks, making a structured risk management approach essential.‍
• Energy: Companies in the oil, gas, and electricity sectors often have vast and intricate operations with environmental, geopolitical, and market-related risks.‍
• Technology: Given the rapid pace of technological change, tech companies face risks related to cybersecurity, intellectual property, and market disruption.‍
• Manufacturing: Manufacturers must manage risks related to supply chain disruption, product quality and safety, and operational efficiency.

Benefits of the COSO ERM Framework

Having a good understanding of the COSO ERM framework can lead to substantial advantages for your organization. This framework offers direction on internal controls and how organizations should implement controls across their environment. A robust system of internal controls provides reasonable assurance an organization operates ethically, transparently, and in line with established industry standards.

Improved Decision-Making Processes

With the COSO ERM framework, organizations can make more informed decisions. The systematic approach to identifying and evaluating risks means that uncertainties are considered in decision-making processes. This leads to choices more aligned with an organization's risk appetite and ensures that potential pitfalls or opportunities are considered.

Enhanced Ability to Achieve Strategic Objectives

The COSO ERM framework ensures that risks are not viewed in isolation by tying risk management to organizational objectives. Instead, they are seen in the context of the organization's goals. This alignment means risk management directly supports achieving strategic objectives, ensuring potential barriers are identified and addressed proactively.

Strengthened Stakeholder Trust

Trust is enhanced when stakeholders, whether shareholders, employees, customers, or regulators, know that an organization is actively managing its risks using a recognized framework like COSO ERM. Stakeholders can have confidence that the organization is doing its utmost to protect its assets, reputation, and longevity, leading to increased credibility and trustworthiness in the market.

Better Preparedness for Unexpected Events

The COSO ERM framework emphasizes a proactive approach to risk management. By identifying potential events and assessing their likelihood and impact, organizations can implement measures to mitigate these risks or capitalize on opportunities. As a result, when unexpected events occur, organizations are better prepared to handle them, minimizing disruptions and potential damages.

Risk Management Frameworks vs Risk Management Regulations

There is an inherent difference between risk management frameworks and risk management regulations. The main difference is that regulations are enforceable security standards, whereas frameworks are guides to help organizations manage their risk.

However, some risk management frameworks help specific organizations achieve compliance with specific regulations. The COSO ERM framework is ideal for financial organizations because it incorporates the Sarbanes-Oxley Act (SOX). This US law requires public companies to test and certify financial statements and financial reporting.

Other notable risk management regulations include:

• Health Insurance Portability and Accountability Act (HIPAA)‍
• General Data Protection Regulation (GDPR)‍
• Basel Accords (Basel I, II, III, and IV)

Other Common Security Frameworks

Organizations looking to enhance their security or enterprise risk management can take advantage of a variety of other common frameworks, including:

• NIST Cybersecurity Framework (NIST CSF)
• Higher Education Community Vendor Assessment Tool (HECVAT)
• ISO/IEC 27001
• Control Objectives for Information Technology (COBIT)

How UpGuard Helps Organizations Manage Their Risks

No matter what industry sector your business is in, UpGuard has a line of products designed to help you manage organizational risks.

UpGuard Breach Risk manages your external attack surface, helping you understand the risks impacting your external security posture and ensuring your assets are constantly monitored and protected. Other features include:

• Data Leak Detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches‍
• Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials‍
• Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting‍
• Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page‍
• Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries‍
• Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface

If your organization utilizes third-party vendors, UpGuard's Vendor Risk Management tool automates your third-party risk assessment workflows and provides you with instant notifications about vendor security in one centralized dashboard. Other features include:

• Security Questionnaires: Automate security questionnaires with workflows to get deeper insights into your vendors’ security
• Security Ratings: Instantly understand your vendors' security posture with our data-driven, objective, and dynamic security ratings
• Risk Assessments: Let us guide you each step of the way, from gathering evidence, assessing risks, and requesting remediation
• Vendor Risk Monitoring: Monitor your vendors daily and view the details to understand what risks are impacting a vendor’s security posture
• Reporting and Insights: UpGuard’s Reports Library makes it easier and faster for you to access tailor-made reports for different stakeholders
• Managed Third-Party Risks: Let our expert analysts manage your third-party risk management program and allocate your security resources