
Integrating COSO ERM with Strategy for Success – Enhance Performance

1. COSO (Committee of Sponsoring Organizations of the Treadway Commission)

COSO was formed in 1985 by five sponsoring organizations, the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants, to champion thought leadership and advance best practices in preventing fraudulent financial reporting, internal control, risk management, corporate governance, and fraud prevention (*).

(*) Treadway Commission (National Commission on Fraudulent Financial Reporting): established in the USA in 1985 to identify the causes of fraudulent financial reporting and to reduce the likelihood of its occurrence.

COSO first published two frameworks: the Internal Control – Integrated Framework (1992) and the Enterprise Risk Management – Integrated Framework (2004).

2. What did the COSO 2004 Enterprise Risk Management Framework achieve? Why was there a need for renewal?

Since the first framework was published, it has been implemented by institutions in countries worldwide to define and evaluate risk in line with the targeted objectives and the risk attitude adopted. However, it still left room for development in integrating risk with strategy and objectives.

In recent years, technology has developed at a dizzying pace, and the Internet and mobile communication have become an integral part of our lives. Organizations now face many pressures: the rapid spread of information, accelerating globalization and global competition, the growing complexity of business life and corporate structures, the financial problems experienced in various countries (especially the USA), reporting scandals and the resulting increase in obligations imposed by legal regulations, the global effects of the financial crisis that began as the mortgage crisis in the USA in 2008, changing customer demands, increased environmental awareness, and digital transformation requirements. These factors have increased risks and threatened corporate sustainability.

For these reasons, the Internal Control – Integrated Framework of 1992 was revised and republished in 2013, and the COSO Enterprise Risk Management Framework was revised and republished in June 2017 as “Enterprise Risk Management – Integrating with Strategy and Performance.”

Among the stated reasons for the renewal: since the framework was first introduced, new risks have emerged, risks have become more complex, stakeholders’ awareness of risk management has grown, and expectations for better risk reporting, together with developments in enterprise risk management practice, needed to be reflected in the framework.

3. Differences between COSO ERM 2004 and COSO ERM 2017

The old 2004 framework had eight components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.

There was no underlying structure in the form of principles. As shown below, the relationship between the risk management components, the institution’s objectives, and the organizational structure was expressed as a cube.

Figure: COSO ERM 2004 cube

With the renewal, both the name and the structure of the framework changed. The title now emphasizes the relationship between strategy, risk, and performance. As shown below, the new framework defines five components, Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting, together with 20 principles attached to them.

Figure 1: Risk Management Components and Principles in COSO ERM 2017

Additionally, as shown below, the new framework uses a spiral representation instead of a cube.

Figure 2: Risk Management Components in COSO ERM 2017


This new figure shows the relationship between the components of enterprise risk management and the institution’s mission, vision, and core values. The framework states that three stripes of the diagram (Strategy and Objective-Setting, Performance, and Review and Revision) represent the general processes that flow throughout the organization, while the other two stripes (Governance and Culture, and Information, Communication, and Reporting) represent the supporting elements of enterprise risk management.

The new representation conveys that when enterprise risk management is integrated with strategy development, the setting of business objectives, and the implementation of those objectives and performance, it enhances the organization’s value. Enterprise risk management is not a static activity separate from daily decisions; it is integrated into developing strategy, setting business objectives, and carrying them out.

The definition of Enterprise Risk Management has also been changed in the new framework.

Old Definition

  • A process, effected by an institution’s board of directors, management, and other personnel,
  • Applied in strategy setting and across the institution,
  • Designed to identify potential events that may affect the institution and to manage risk within its risk appetite,
  • To provide reasonable assurance regarding the achievement of the institution’s objectives.

New Definition

  • The culture, capabilities, and practices,
  • Integrated with strategy-setting and its execution,
  • That organizations rely on to manage risk in creating, protecting, and realizing value.

As can be seen, the new definition states that the primary purpose of risk management is to create, protect, and realize value, and that it must be integrated into the determination and execution of strategy.

Enterprise risk management does not focus only on preventing value erosion and reducing risks to acceptable levels. Integrated with strategy-setting, it also helps create opportunities to increase and sustain value. The framework notes that enterprise risk management is not merely a function, a department, or a list of risks, but includes the practices management uses to manage risk actively.

4. COSO ERM 2017 Components and Principles

The five interrelated components and their 20 principles included in the renewed COSO Enterprise Risk Management Framework are briefly expressed below.

4.1. Governance and Culture

Governance and culture underpin other elements of enterprise risk management. 

In general terms, governance refers to the distribution of roles, authorities, and responsibilities among stakeholders, the board of directors, and management. The board sets the tone for the organization and establishes oversight responsibilities.

Culture is the attitude, behavior, and understanding of risk that influences management and staff decisions and reflects the organization’s vision, mission, and core values. There are five principles of this element:

Principle 1: Exercises Board Risk Oversight – The board of directors provides oversight of strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

The board of directors holds primary responsibility for risk oversight. For effective risk oversight, the board must collectively have the necessary skills, experience, and business knowledge, understand the organization’s strategy and the industry in which it operates, and stay informed on issues affecting the organization.

Principle 2: Establishes Operating Structures – The organization establishes operating structures in pursuit of strategy and business objectives.

The organization establishes an operating model and designs reporting lines to achieve strategy and business objectives. Different operating models may produce different risk profiles, which in turn affect ERM practices. Organizations consider all relevant factors when deciding which operating model to adopt.

Principle 3: Defines Desired Culture – The organization defines the desired behaviors that characterize its culture.

An organization’s culture influences its core values, behaviors, and decisions, and how it implements this Framework; the aim is a risk-aware culture. Such a culture can be created by providing strong leadership, applying a participatory management style, ensuring accountability for all actions, including risk in decision-making mechanisms, and providing open communication and reporting about risk.

Principle 4: Demonstrates Commitment to Core Values – The organization demonstrates a commitment to its core values.

The firm and supportive attitude of the organization’s top management is fundamental to ERM. A consistent attitude helps an organization understand its core values, business objectives, and the behavior expected from staff and business partners. A code of conduct communicates the organization’s expectations regarding ethical values and desired behavior, including behavior related to ERM and decision-making.

Principle 5: Attracts, Develops, and Retains Capable Individuals – The organization is committed to building human capital in alignment with its strategy and business objectives.

Under the oversight of the board of directors, management identifies the human capital needed to achieve strategy and business objectives. Leadership considers the knowledge, skills, and experience required and establishes the structures and processes necessary to attract, train, evaluate, and retain people and to plan their succession.

4.2. Strategy and Objective-Setting

Strategic planning, enterprise risk management, and objective-setting work together. Risk appetite is set in line with the strategy, and business objectives form the basis for identifying, assessing, and responding to risks. Business objectives drive strategy implementation and shape the organization’s day-to-day operations and priorities.

There are four principles underlying this element:

Principle 6: Analyzes Business Context – The organization considers the potential effects of its business environment (business context) on its risk profile.

“Business environment” includes the trends, relationships, and other factors that influence, clarify, or drive change in an organization’s current and future strategy and business objectives. Therefore, an organization considers its business environment when developing a strategy to support its mission, vision, and core values. The internal and external environments and the organization’s stakeholders are all part of the business environment. Every factor in the business environment affects the institution’s risk profile, which is viewed across three horizons: past, current, and future performance.

Principle 7: Defines Risk Appetite – The organization defines risk appetite in the context of creating, protecting, and realizing value.

“Risk appetite” refers to the type and amount of risk an institution is broadly willing to accept. Rather than a single fixed limit, it sets out the appropriate practices.

No standard or “correct” risk appetite will apply to all institutions. Management and the board choose a risk appetite with a complete understanding of all the pros and cons involved. Various approaches to determining risk appetite include facilitating discussions, reviewing past and current performance targets, and modeling. 

Moreover, when choosing its risk appetite, an organization can consider its strategic, financial, and operational parameters, its risk profile, risk capacity, ERM capabilities, and maturity. Risk appetite is determined by management, approved by the board of directors, and communicated to the entire organization, because the aim is for all decision-makers to understand it and apply it in all operations.

Principle 8: Evaluates Alternative Strategies – The organization evaluates alternative strategies and their potential impact on the risk profile.

As part of the strategy-setting process, an organization must evaluate alternative strategies and the risks and opportunities of each option. Alternative strategies are evaluated in the context of the organization’s resources and capabilities required to create, protect, and realize value.

Principle 9: Formulates Business Objectives – The organization considers risk while establishing business objectives at various levels that align with and support strategy.

The organization develops business goals that are measurable or observable, achievable, and appropriate. These goals include financial performance, customer demands, operational excellence, compliance obligations, efficiency gains, innovation leadership, etc.

Individual targets are aligned with the strategy and risk appetite and support achieving the organization’s mission and vision. An organization must understand the potential implications of selected business objectives on its risk profile, resources, and capabilities.

4.3. Performance

Risks that may affect the achievement of strategy and business objectives must be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects its risk responses and takes a portfolio view (across all levels of the organization) of the amount of risk it has assumed.

There are five principles of this element:

Principle 10: Identifies Risk – The organization identifies risk that impacts the performance of strategy and business objectives.

The organization identifies new, emerging, and changing risks to the achievement of its strategy and business objectives. These risks may arise from changes in business objectives or in the business environment and may change the risk profile in the future. Identifying risks lets management look ahead: it gives time to assess the potential severity of risks, anticipate the risk response, or revisit the organization’s strategy and business objectives as needed. The risks identified during this process are collectively called the “risk universe,” a qualitative list of the risks the organization faces.

Principle 11: Assesses Severity of Risk – The organization assesses the severity of risk.

Identified risks are assessed to understand how significant each is to the achievement of the organization’s strategy and business objectives. Assessment approaches can be qualitative, quantitative, or both; they include scenario analysis, simulation, data analysis, and interviews. Management considers inherent risk, target residual risk, and realized (actual) residual risk as part of the assessment. Management determines the severity of risk in order to select the appropriate risk response, allocate resources, and support decision-making and performance.

Principle 12: Prioritizes Risks – The organization prioritizes risks as a basis for selecting responses to risk.

Organizations prioritize risks in order to identify and select appropriate risk responses. Priorities are determined by applying agreed-upon criteria such as adaptability, complexity, velocity (speed of onset), and persistence. Prioritization occurs at all levels of the organization, and the same risk may be given a different priority at different levels.

Principle 13: Implements Risk Responses – The organization identifies and selects risk responses.

Management selects and implements an appropriate risk response for every identified risk. Responses are classified as accept, avoid, pursue, reduce, and share. To select and implement risk responses, management considers the business environment, costs and benefits, obligations and expectations, risk priority, risk severity, and risk appetite.

Principle 14: Develops Portfolio View – The organization develops and evaluates a portfolio view of risk.

Enterprise risk management requires the organization to consider potential impacts on its risk profile from an enterprise-wide, or portfolio, perspective. This perspective allows management and the board to consider the type, severity, and interdependence of risks, and how they may affect performance. From a portfolio perspective, management can determine whether the institution’s residual risk profile aligns with its overall risk appetite.
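The following is an added example, not code from the COSO framework or from the original article, that illustrates Principles 11 through 14 together: each risk in a small register is scored for inherent and residual severity, ranked using severity plus the velocity and persistence criteria, and then aggregated per business objective so the portfolio's residual risk can be compared against a risk appetite statement. The 1-5 scales, the linear control-effectiveness model, the appetite thresholds, and the register entries are all constructed assumptions chosen for illustration; a real organization would substitute its own scales and criteria.

```python
"""Risk register with inherent/residual severity, prioritisation and a
portfolio view checked against a risk appetite statement.

Added example; not from the COSO framework or the original article.
All scales, the control-effectiveness model, the appetite thresholds and
the sample register are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    objective: str                 # business objective the risk threatens
    likelihood: int                # inherent likelihood, 1-5 (assumed scale)
    impact: int                    # inherent impact, 1-5 (assumed scale)
    control_effectiveness: float   # 0.0 (no controls) .. 1.0 (fully mitigating)
    velocity: int = 3              # speed of onset, 1-5 (prioritisation criterion)
    persistence: int = 3           # how long the effect lasts, 1-5
    response: str = "reduce"       # accept / avoid / pursue / reduce / share

    def inherent(self) -> int:
        # Severity before any control: likelihood x impact, range 1-25.
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Constructed model: controls scale the inherent score down linearly.
        return round(self.inherent() * (1 - self.control_effectiveness), 2)

    def priority(self) -> float:
        # Residual severity dominates; velocity and persistence break ties.
        return self.residual() + 0.1 * self.velocity + 0.05 * self.persistence


# Risk appetite statement (assumption): maximum aggregate residual score the
# organisation is willing to carry per objective, plus a cap on any single risk.
APPETITE = {"Customer trust": 8.0, "Revenue growth": 12.0}
PER_RISK_CAP = 6.0


def prioritize(register):
    """Principle 12: rank risks by the agreed criteria, highest first."""
    return sorted(register, key=lambda r: r.priority(), reverse=True)


def portfolio_view(register):
    """Principle 14: aggregate residual risk per objective against appetite."""
    totals = defaultdict(float)
    for r in register:
        totals[r.objective] += r.residual()
    return {
        obj: {
            "residual": round(total, 2),
            "appetite": APPETITE.get(obj),
            "within_appetite": obj not in APPETITE or total <= APPETITE[obj],
        }
        for obj, total in totals.items()
    }


def exceptions(register):
    """Principle 13: risks whose residual score exceeds the per-risk cap;
    their current response should be revisited."""
    return [r.name for r in prioritize(register) if r.residual() > PER_RISK_CAP]


# Constructed sample register (not real data).
REGISTER = [
    Risk("Credential phishing", "Customer trust", 5, 4, 0.6, velocity=5, persistence=2),
    Risk("Vendor outage", "Revenue growth", 3, 4, 0.5, velocity=4, persistence=3, response="share"),
    Risk("Unpatched internet-facing service", "Customer trust", 4, 5, 0.4, velocity=5, persistence=4),
    Risk("Key-person dependency", "Revenue growth", 2, 3, 0.0, velocity=1, persistence=5, response="accept"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.priority():5.2f}  inherent={r.inherent():2d} residual={r.residual():5.2f}  "
              f"{r.response:6s} {r.name}")
    for obj, view in portfolio_view(REGISTER).items():
        print(obj, view)
    print("responses to revisit:", exceptions(REGISTER))
```

With the constructed register, "Customer trust" carries a residual total of 20.0 against an appetite of 8.0, so the portfolio view flags that objective even though each risk under it already has a "reduce" response; that mismatch is exactly the signal Principle 14 is meant to surface, and under Principle 16 it would trigger a review of the responses or of the appetite itself.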

4.4. Review and Revision

In light of substantial changes, the organization reviews how performance has turned out against targets, whether its enterprise risk management practices are working well, whether they continue to add value, and whether there are issues that need correcting.

There are three principles underlying this element:

Principle 15: Assesses Substantial Change – The organization identifies and assesses changes that may substantially affect strategy and business objectives.

Substantial changes that may give rise to new risks or alter existing ones should be monitored continuously, with the monitoring embedded in business processes. Examples include rapid growth, new technologies, changes in legal regulations, and mergers and acquisitions. Such changes in the internal and external environment can alter the organization’s portfolio view of risk or affect its enterprise risk management functions.

Principle 16: Reviews Risk and Performance – The organization reviews its performance results and considers risk.

Organizations review their performance to determine how risks have materialized and how they have affected strategy and business objectives relative to the organization’s risk appetite. If an organization finds that performance falls outside acceptable variation, it may need to revisit the business objective or strategy, adjust target performance, repeat the risk assessment, review how risks are prioritized, adjust risk responses, or adjust its risk appetite.

Principle 17: Pursues Improvement in Enterprise Risk Management – The organization pursues improvement of enterprise risk management.

By continuously evaluating the enterprise risk management system, organizations can systematically identify the potential to improve their efficiency and usefulness.

4.5. Information, Communication, and Reporting

Communication is the continual, iterative process of obtaining and sharing information throughout the organization. Management uses relevant information from both internal and external sources to support enterprise risk management. The organization uses information systems to capture, process, and manage information and data.

The organization reports on culture, risk, and performance using the information on all components. 

There are three principles underlying this element:

Principle 18: Leverages Information and Technology – The organization leverages its information systems to support enterprise risk management.

Information systems provide organizations with the data and information they need to support enterprise risk management. Information systems can be as simple as spreadsheets or as complex as fully integrated systems and tools. The decision on which technology to implement depends on various factors, including organizational goals, market needs, competitive conditions, cost, and benefits.

Principle 19: Communicates Risk Information – The organization uses communication channels to support enterprise risk management.

Organizations use a variety of channels to effectively communicate risk data and information to all internal and external stakeholders, including the board of directors and shareholders. In addition, effective communication between the board of directors and management is critical in achieving strategy and business goals.

Risk responsibilities should be clearly defined at the board and management level. The board and management should discuss the risk appetite on an ongoing basis, and management should communicate to the board any information that will help fulfill its oversight responsibilities regarding risk.

Principle 20: Reports on Risk, Culture, and Performance – The organization reports on risk, culture, and performance at multiple levels and across the organization.

Reporting supports staff at all levels in understanding the relationships between risk, culture, and performance and improves decisions about strategy and objective-setting, governance, and daily operations. Reporting includes quantitative and qualitative risk information, and depending on the organization’s size, scale, and complexity, reports can range from very simple to far more complex.

