Understanding the main changes in the new COSO ERM framework

Understand the main changes in the new COSO ERM framework and how it integrates with other areas of your organization. Read it now!

In September of 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a revision of its corporate risk management framework (ERM), now called ERM – Integrating with Strategy and Performance. The original framework was introduced in 2004 by COSO and has since become widely recognized and adopted by organizations around the world.

An interesting fact is that even after almost two years since the publication of the revision, the visibility and adoption of the 2017 version still does not seem to have met the expectations of the authors. In a simple internet search for COSO, the main results and images continue to show the previous revision, giving the reader the false impression that the latest revision is not as relevant.

Why update the COSO ERM Framework?

There are a number of reasons. The complexity of doing business is changing and new risks are emerging at a faster pace than we saw in the past. Changing customer behavior is exerting considerable influence on an unpredictable global economic scenario.

Meanwhile, the evolution of technology and the increasing call for transparency are overwhelming strategic planning processes and operational capabilities. Dealing with these challenges requires that organizations adopt a new approach to managing risks: one that helps to create, preserve and gain value today and in the future.

The main changes

1. Introducing a new structure

With only five components and twenty principles aligned with the business cycle, the key principles of the framework encompass processes ranging from governance to routine daily activities. They are manageable and applicable to all organizations, regardless of the size, type or business sector, and they allow for a broader discussion of risks between the board and management.

2. Exploring the different benefits of ERM

The framework presents a clear case for integrating corporate risk management practices with performance and strategy management practices, aimed at providing benefits that add value. Shifting the focus to these benefits promotes discussion on the importance of ERM.

3. Focus on integrating risk management

The framework provides guidance on how to better integrate corporate risk management, linking risk to the definition of day-to-day strategies and activities, incorporating them into the organization’s culture, capabilities and practices and promoting better and more assertive decision making.

4. Written from a business perspective

The language of the framework makes discussions about risk relevant and universal, establishing definitions, components and basic principles for all levels of management involved in planning, implementing and carrying out ERM practices.

5. Presenting new graphs

The framework provides new conceptual graphs. The main graph shows the relationship between risk management and the business model. Other graphs, such as risk curves, highlight the relationships between risk, strategy and performance, incorporating risk management in day-to-day discussions even more.

6. Exploring risk management at all levels of the organization

From the corporate level to risks at the process level, the framework explores how the identification, assessment and management of risk changes from transactional to strategic.

7. In-depth discussions on challenging topics

The framework examines topics such as risk appetite and a perspective on portfolio risk and addresses some of the errors that exist today, providing a comprehensive view on the matter.

8. Greater emphasis on culture

The framework examines how business risk management practices can bring more transparency and risk awareness to an organization’s culture, helping people make decisions while understanding the importance of culture in defining these decisions.

9. Addressing the evolving role of information technology

The framework sheds light on how business trends (such as data proliferation, artificial intelligence and automation) influence an organization’s strategy, the business context and risk management.

COSO ERM Framework

COSO ERM Framework
COSO ERM Framework

At a first glance, the main chart of the new framework may seem surprising. The term “risk” does not even appear among the 5 components. It is clear the intention is to relate the framework to something broader and strengthen the presence of ERM in corporate governance practices and strategy.

As we go down the list of the 20 principles, we see terms that are already familiar to us. Risks are there, and they still need to be identified, evaluated and monitored, perhaps without such a rigid structure, but rather with an approach that allows for the desired broader application.

For quite some time, we have seen a number of business areas move towards risk management. With the revision of COSO ERM, we see the opposite: risk management moving towards other business areas. It is a clear sign that in order to achieve excellence in corporate governance, we have to stop thinking in terms of isolated parts, but rather in terms of a unified and perfectly synchronized system.

Tobias Schroeder

Author

Tobias Schroeder

MBA in Strategic Management from UFPR. Business and market analyst at SoftExpert, a software provider for enterprise-wide business processes automation, improvement, compliance management and corporate governance.

You might also like:

All Content

FMEA method: what is it, where can it be used and what are its advantages

Get to know the FMEA method, and understand what this tool is, what it is for and what are the advantages and benefits for your company.

Read more
All Content

Why do change management plans fail?

Understand why most change management processes fail, eliminate obstacles and achieve implementation success.

Read more
Institutional

ISO 9001: SoftExpert maintains certification

For the fifth consecutive cycle, SoftExpert, a global provider of solutions for integrated management of compliance, innovation, and digital transformation, successfully completed the external audit process and maintains the ISO 9001 certification, reinforcing the company’s commitment to Quality management. The audit, conducted by the certification body Bureau Veritas, took place from July 11th to July … Continue reading “ISO 9001: SoftExpert maintains certification”

Read more
All Content

7 methods and tools for risk identification

Read this article to learn about 7 methods and tools for risk identification and improve your organization’s competitiveness and performance.

Read more
All Content

How to manage project risks

Read this article and see how to maximize the chances of achieving objectives and lessening threats by managing project risks.

Read more
All Content

The role of risk management and internal audits in corporate governance

How risk management and internal audits can be effectively used to strengthen the governance structures of the financial services sector.

Read more
Get free content in your inbox!

Subscribe to our Newsletter and get content about corporate management's best practices produced by specialists.

By clicking the button below, you confirm that you have read and accept our Privacy Policy.

Please, fill out the form to download

Required field
Required field
Required field
Please enter a valid phone number
Required field

By clicking the button below, you confirm that you have read and accept our Privacy Policy