COSO publishes final version of updated ERM framework

Tammy Whitehouse | September 6, 2017

The Committee of Sponsoring Organizations has released its newly revised enterprise risk management framework, giving companies a new tool to consider in building out their ERM approaches.

The new COSO ERM framework is an update to the original 2004 framework, focusing new attention on baking ERM into a company’s strategic planning and embedding it throughout the organization. COSO says the updated version of the framework is designed to help companies create, preserve, and realize value while also improving their risk management approaches.

COSO says its ERM framework is among the most widely recognized and applied risk management frameworks globally. Its revision was driven by COSO’s sponsoring organizations, which have deep ties into U.S. public companies — the American Institute of Certified Public Accountants, Institute of Internal Auditors, Financial Executives International, American Accounting Association, and Institute of Management Accountants.

The new framework is heavily focused on integrating risk management into the good governance activities that already typically occur in companies, says COSO Chairman Bob Hirth. “It recognizes that businesses are already doing plenty of things,” he says. “They’ve got a mission, visions, and values. They’ve got a governance strategy and metrics around that. We intentionally don’t want to interfere with that.”

Instead, the framework steers companies toward folding ERM thinking into those activities, says Hirth. “Let’s integrate risk management concepts so it’s better and more risk-adjusted,” he says. “That helps you set probably better metrics. We’re really pushing on this idea that ERM is not some separate thing or set of activities.”

Much the way COSO’s Internal Control — Integrated Framework is structured, the ERM framework is organized into five components — governance and culture, strategy and objectives, performance, review and revision, and communication and reporting. Across these five components, the framework sets out a total of 20 principles that should be present and functioning in a sound ERM approach.

The framework update acknowledges and builds upon the realities of the modern business landscape, like economic market shifts, rapidly evolving technology, and changing demographics, COSO says. It also contemplates additional trends that will affect ERM approaches into the future, like the proliferation of data, artificial intelligence, and automation.

“There is no doubt that organizations will continue to face a future full of volatility, complexity, and ambiguity,” the framework says. “Enterprise risk management will be an important part of how an organization manages and prospers through these times.”

COSO is making the framework available in a variety of formats and is developing multiple translations.