KnowledgeLeader Blog

What is the COSO Enterprise Risk Management Framework?

Posted by Protiviti KnowledgeLeader on Mon, Nov 05, 2012 @ 10:30 AM

COSO broadly defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The framework encompasses, but does not replace, the Internal Control – Integrated Framework published by COSO in 1992.

describe the image
Like its internal control counterpart, the ERM framework is presented in the form of a three-dimensional matrix. The matrix includes four categories of objectives across the top – strategic, operations, reporting and compliance. There are eight components of enterprise risk management, which are further explained below.

Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix for applying the framework. As outlined by COSO, the framework provides eight components for use when evaluating ERM:

1. Internal Environment

This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.

2. Objective-Setting

Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.

3. Event Identification

Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.

4. Risk Assessment

Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.

5. Risk Response 

Management considers alternative risk response options and their effect on risk likelihood and impact as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development. 

6. Control Activities

Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.

7. Information and Communication

The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it.

8. Monitoring

Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time. The thought process underlying the above framework works in the following manner: For any given objective, such as operations, management must evaluate the eight components of ERM at the appropriate level, such as the entity or business unit level.

Tags: enterprise risk management, COSO Framework

Subscribe To Our Blog

About KnowledgeLeader

KnowledgeLeader is the premier resource for internal audit and risk management professionals, provided by Protiviti.

Offering over 1,400 customizable tools and 1,300 articles by industry experts, we offer the most comprehensive service on the market.

For more information:

View Our Site Tour