What’s New in COSO Enterprise Risk Management (ERM)?

Jul 9, 2018

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has released its first revision since 2004 to one of the most well-known risk management frameworks in the U.S., Enterprise Risk Management – Integrated Framework. The updated edition, Enterprise Risk Management – Integrating with Strategy and Performance, addresses the evolution of risks businesses face today.

“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of ERM, while asking for improved risk reporting,” said Robert B. Hirth Jr., COSO chair. “Our overall goal is to continue to encourage a risk-conscious culture.”

As Hirth stated, risk is evolving in today’s world, and business leaders and boards of directors need to be aware of this ever-changing business environment in order to be more strategic and competitive when striving to optimize outcomes. Some of these challenges include changing demographics in supporting decision-making, evolving technologies and shifts in economic markets. As risk influences and aligns strategy and performance across all departments and functions, the framework update illuminates the importance of ERM in strategic planning and circulates it throughout an organization.

The framework is a set of principles organized into five components: 1) Governance and Culture; 2) Strategy and Objective Setting; 3) Performance; 4) Review and Revision; and 5) Information, Communication and Reporting. These five components are supported by the following 20 principles:

Governance and Culture

1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops and retains capable individuals

Strategy and Objective Setting

6. Analyzes business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives

Performance

10. Identifies risk
11. Assesses risk severity
12. Prioritizes risk
13. Implements risk responses
14. Develops portfolio view

Review and Revision

15. Assesses substantial change
16. Reviews risk and performance
17. Pursues ERM improvement

Information, Communication and Reporting

18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture and performance


This framework accommodates diverse viewpoints and operating structures as well as enhances strategies and decision-making. By following the framework’s guidelines, ERM, in conjunction with data analytics and robotics/process automation, can change and adapt to the future. If data can be collected and analyzed efficiently, it will allow businesses to more readily identify trends and potential risks and then effectively react to them. Businesses at the forefront of digital innovation can position themselves to be industry leaders today and going forward.
