What We Think

September 11, 2020

Understanding enterprise risk management – the COSO approach

Entities, non-profit organisations and governments face an evolving landscape of environmental, social and governance related risks that can impact their profitability, competitiveness and ultimately their success and survival. As the COVID-19 crisis continues to unfold, organisations around the world are battling with the multidimensional set of risks it has unleashed.

Business leaders should always manage risks effectively; however, it is in increasingly unpredictable and tumultuous times like these that businesses should turn to a risk management framework. COSO (short for the Committee of Sponsoring Organisations) was initially set up to study financial reporting and to develop recommendations to prevent fraud. Its first framework, issued in 1992, provided a comprehensive context to assist organisations in assessing and improving their internal control systems. It grew to become an extremely popular framework, with the majority of users stating that they used it as their guide on both internal controls and the organisation's overall compliance activities. However, it soon became apparent that there was a gap in the framework. Whilst it kept proving useful in minimising risks relating to fraudulent behaviour and kept companies in check from a regulatory compliance point of view, it did not help identify and assess the risks for which companies needed to establish controls in the first place.

Increasing demands for stronger corporate governance and improved risk management standards led COSO to create its enterprise risk management framework in 2004. The purpose of the framework is to provide companies with key principles and concepts (essentially a common language) together with clear direction and guidance on the management of enterprise risks. Companies may choose to adopt this framework to satisfy their internal control and regulatory compliance needs, but also to move towards a fuller risk management process. The idea was that organisations which managed to oversee their risks in four main categories, being strategy, operations, reporting and compliance, would succeed in creating significant stakeholder value. However, many organisations felt that this iteration of the COSO framework still leaned heavily towards audit, accounting and consulting firms.

As a direct response to this criticism, an updated standard was released in 2017 and included some significant changes, in that it placed greater emphasis on the importance of integrating risk considerations when designing and implementing strategies to accomplish an organisation’s performance goals and objectives. The standard was revised to include five components, with 20 principles spread across them, being:

  • Governance and Culture – forms the basis of the other components by providing guidance on board oversight responsibilities, operating structures, leadership’s tone, and attracting, developing, and retaining the right individuals.
  • Strategy & Objective-Setting – this component focuses on strategic planning and how the organisation can understand the effect of internal and external factors on risk.
  • Performance – after an organisation develops its strategy, it then moves on to identify and assess risks that could affect its ability to achieve these goals.
  • Review and Revision – at some point after risks have been prioritised and a course of action has been chosen, the organisation moves into the review and revision phase, where it assesses any changes that have taken place. This is also the opportunity to understand how the organisation's ERM process can be improved.
  • Information, Communication, and Reporting – the last component involves sharing information from internal and external sources throughout the organisation. Systems are used to capture, process, manage, and report on the organisation’s risk, culture, and performance.

Managing risk in a COVID world becomes more relevant and significant with each passing day. Whilst many companies might have paid lip service to enterprise risk management, the COVID pandemic illustrates the clear business benefits of managing risk from an enterprise-wide perspective. COVID may have drawn executive attention to ERM, but it’s crucial that business leaders and organisations alike understand that the benefits extend far beyond avoiding a crisis: an agile and effective ERM function empowers an organisation to manage its risks in order to grow.
