
COSO Releases New ERM Framework

The landmark model serves as a broadly accepted benchmark to help organizations enhance their risk management efforts.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued its long-awaited Enterprise Risk Management - Integrated Framework, as well as a detailed practical application guide.

Designed to offer organizations a commonly accepted model for evaluating risk management efforts, the framework expands on internal control concepts by providing a more robust focus based on the broader subject of enterprise risk management (ERM). Detailing the essential components of an effective ERM process, the framework provides guidance to help organizations build effective programs for identifying, measuring, prioritizing, and responding to risk. Encompassing the criteria set forth in COSO's 12-year-old Internal Control - Integrated Framework, the new guidance addresses essential components, principles, and concepts of ERM, suggests a common ERM language, and provides clear direction and guidance. It also discusses the roles and responsibilities of those within an organization as they relate to ERM and further identifies the interrelationships between risk and ERM.

Engaged by the COSO board to lead the study, PricewaterhouseCoopers was assisted by an advisory council composed of representatives from the five COSO organizations in reviewing the project plan, drafts of the framework, and other related matters. As part of the validation process, the framework was refined based on comments submitted to the COSO Advisory Council by interested parties and individuals.

A Dynamic Process

Embedded within an organization's strategies and objectives, ERM's value is maximized when a balance is reached between growth, returns, risks, uncertainties, and opportunities. How much risk the entity is prepared to accept is inherent in ERM's capabilities, which encompass the following key components:

  • Aligning risk appetite and strategy.
  • Enhancing risk response decisions.
  • Reducing operational surprises and losses.
  • Identifying and managing multiple and cross-enterprise risks.
  • Seizing opportunities.
  • Improving deployment of capital.

In addition, the new framework presents a standard definition of risk and ERM and provides direction to enhance risk management, including criteria for companies to use in determining whether their risk management is effective, and if not, what is needed.

Considering activities at all levels of the organization, the ERM framework views entity objectives at the entity, division, business-unit, and subsidiary levels, in four key categories: strategic, operations, reporting, and compliance. At the same time, the framework focuses on eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

[Image: COSO ERM cube]

ERM Framework Activities

The framework includes examples of ERM approaches used by various risk management practitioners. Activities to be established, which are each discussed and explained within the document, include:

  • Articulating and communicating the organization's objectives.
  • Determining the organization's risk appetite.
  • Establishing an appropriate internal environment, including a risk management framework.
  • Identifying potential threats to the achievement of objectives.
  • Assessing risks, including their impact and likelihood of occurring.
  • Selecting and implementing responses to risks.
  • Undertaking control and other response activities.
  • Communicating information on risks consistently at all levels in the organization.
  • Centrally monitoring and coordinating the risk management processes and the outcomes.
  • Providing assurance on the effectiveness with which risks are managed.

Impact on Internal Auditing

The new ERM - Integrated Framework will play a key role in the internal audit function. To help internal auditors understand these ERM relationships, The IIA developed answers to some commonly asked questions:

What is the internal auditor's role in risk management and how will this framework help that role? Internal auditors should assist both management and the audit committee in their risk management responsibilities and oversight roles by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management's risk processes. This framework provides a benchmark with detailed guidance for internal auditors to use in the evaluation of their organization's risk management efforts. It also suggests guidance on various risk management processes and tools to consider when implementing or strengthening an organization's ERM process.

How does the ERM framework affect an organization that already has a sound system of internal controls? A strong system of internal control supports the achievement of the organization's business objectives and therefore, good internal control is a way of managing risk. However, ERM is much broader than internal control and includes additional management efforts to ensure an organization achieves its business objectives.

How will the framework assist organizations to best reduce their exposure to risk? By formally organizing ERM responsibilities and activities, an organization is much better positioned to achieve its business objectives and to ensure that sound risk management processes are in place and functioning. The ERM - Integrated Framework provides a comprehensive road map for establishing the critical processes needed to ensure an effective ERM effort. The framework offers a structured, consistent, and continuous process to be used across the organization to identify, assess, respond to, and report on opportunities and threats that affect the achievement of objectives.

What are the benefits of implementing COSO's ERM framework? According to advocates of the ERM framework, organizations that implement the process will have:

  • A greater likelihood of achieving business objectives.
  • Consolidated reporting of disparate risks at the board level.
  • Improved understanding of the key risks facing the organization.
  • Greater management focus on risks that really matter.
  • More focus internally on doing the right things in the right way.
  • More informed risk-taking and decision-making.

A list of resources related to the COSO Enterprise Risk Management - Integrated Framework is available on The IIA's Web site, including:

  • The COSO ERM Executive Summary.
  • COSO Fast Facts Flier.
  • Frequently Asked Questions on COSO's Enterprise Risk Management - Integrated Framework.
  • A link to the American Institute of Certified Public Accountants Web site to order the COSO ERM Framework and application techniques.

The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 USA
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008