What is the Committee of Sponsoring Organizations (COSO) ERM Framework?
The COSO Framework is a structured approach for designing internal controls and integrating them into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically and transparently, reporting reliably, and complying with applicable laws, regulations and industry standards.
History of the COSO ERM Framework
The Committee of Sponsoring Organizations was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), chaired by James C. Treadway, Jr., then Executive Vice President and General Counsel of Paine Webber. Its first framework followed in 1992. The committee's sponsoring organizations, all from the private sector, are the following:
- American Accounting Association
- Financial Executives International
- The Institute of Internal Auditors
- American Institute of Certified Public Accountants
- The Institute of Management Accountants (formerly the National Association of Cost Accountants)
COSO's original 1992 publication was the Internal Control – Integrated Framework, depicted as a pyramid and focused on evaluating existing controls. The enterprise risk management (ERM) model came later: the 2004 Enterprise Risk Management – Integrated Framework introduced the COSO cube, which shifted the focus to the design and implementation of a risk management framework. (The internal control framework itself was updated in 2013 and also uses a cube.) The COSO cube became a widely accepted model that organizations could apply in different environments worldwide.
This 2004 framework, while well suited to enterprises where risk management is driven by the internal audit function, came under criticism for its limited focus on identifying threats and opportunities, which is arguably where the true value of ERM lies.
To address this and the growing complexity of the risk environment, COSO published an updated standard in 2017, Enterprise Risk Management – Integrating with Strategy and Performance. It builds on the 2004 version with a greater emphasis on strategy-setting and driving performance.
What are the COSO ERM Framework Components?
The 2017 COSO ERM framework consists of five components, with 20 principles distributed across them. Those components are:
- Governance and Culture – Forms the basis of the other components by providing guidance on board oversight responsibilities, operating structures, leadership's tone, and attracting, developing, and retaining the right individuals.
- Strategy and Objective-Setting – This component focuses on strategic planning and on how the organization understands the effect of internal and external factors on risk. It provides guidance on analyzing business context, defining risk appetite, and formulating objectives.
- Performance – After the organization develops its strategy, it identifies and assesses the risks that could affect its ability to achieve those objectives. This component guides risk identification and assessment, and also how the organization prioritizes and responds to risks.
- Review and Revision – Once risks have been prioritized and a course of action has been chosen, the organization moves into the review and revision phase, where it assesses any substantial changes that have taken place and how the risk responses are performing. This is also the opportunity to identify how the organization's ERM process can be improved.
- Information, Communication, and Reporting – The last component of the COSO ERM framework involves sharing information from internal and external sources throughout the organization. Information systems are used to capture, process, manage, and report on the organization's risk, culture, and performance.