Framework
The Committee of Sponsoring Organizations of the Treadway Commission (C.O.S.O.) E.R.M. framework is a high-level tool to help board directors and top leadership ensure:
- Risks are considered and reviewed at the very top levels of the organization.
- Risk management is part of the fabric of the organization and done as part of business as usual.
- Risks are not just viewed as negative risks, but also at potential positive risks that are worth taking, given value and alignment to business objectives.
- Risks are connected to decisions regarding strategy as well as the impact on performance.
COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary
The E.R.M. Framework itself is a set of principles organized into five interrelated components:
- Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
- Strategy and Objective-Setting: Enterprise Risk Management, strategy, and objective-setting work together in the strategic-planning process. Risk appetite is established and aligned with strategy; business objectives put the strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Review and Revision: By reviewing entity performance, an organization can consider how well the Enterprise Risk Management components are functioning over time and in light of substantial changes, and what revisions are needed.
- Information, Communication, and Reporting: Enterprise Risk Management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.