PwC to Update COSO Enterprise Risk Management-Integrated Framework

22 October 2014

by Dennis L. Chesley

As I’ve said many times before on this blog, one of the building blocks for resilience is the ability to adapt to a faster-changing and more uncertain world. This is true for the organizational strategies we set, the people we employ, and the frameworks that guide us. That’s why my colleagues and I at PwC so strongly support the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) announcement yesterday that it will review and update its Enterprise Risk Management–Integrated Framework.

The years after the financial crisis have brought significant change to the area of risk management. Risk practices have evolved, risk tolerance and risk appetite levels aren’t the same, and regulators’ expectations and understanding of how risk management ties into an organization’s strategy, objectives, and governance structure are increasing.

As I said in the Wall Street Journal blog (subscription required) earlier this week, “The ERM goal is to set up a process whereby an organization can say here are the objectives we’ve set out, here are the risks or threats that could impact, how do we begin to manage, monitor and mitigate those risks.”

With this much risk change, complexity and velocity, it’s time to review COSO’s widely accepted framework that guides how organizations can approach and manage risk. Like any other business-critical function, risk management needs to reflect shifting realities, to provide leaders with today’s – and tomorrow’s – risk information. This is a prerequisite to adaptability, resilience and being better positioned to capture the upside of changing risk landscapes.

Our team at PwC will work with COSO to lead the review and refresh the Framework over the coming 12 to 24 months. I will update you as regularly as I can on what we learn.

If you have strong views or questions about COSO’s Enterprise Risk Management–Integrated Framework, I encourage you to share them with me here on this blog. Visit our COSO ERM Framework microsite to keep up to date on the changes.



The effort could not be in better hands! You have always been a leader in the field, Dennis.

Dennis, good to see this initiative. The fast-changing entities in ever-changing environments 'demand' an update to guide them for a proper, meaningful ERM.

Did you have a chance to look at SABSA for some possible added value to COSO ERM categories and components? I strongly believe COSO ERM can benefit by aligning with some parts of the SABSA methodology.

SABSA is a methodology to create a business security architecture based on risks, where security stands for being a property of something else, because it's all about risks and treatment throughout all layers/business units/divisions in an entity.

A white paper about SABSA (to download at may better detail some benefits for an ongoing continuous ERM system.

Excellent news Dennis! I would like to suggest one potential topic for your consideration: enhanced emphasis on the cultural and organizational structures needed to support a successful ERM program. The cultural piece, historically covered by references to "tone at the top", needs to be more prominently addressed in the framework if we are to see improvement in how organizations implement and integrate ERM programs. Leaders need to know that historical cultural, organizational and operational practices must be objectively assessed and likely changed for ERM to work best. Things like adding risk management components to performance and bonus objectives, and creating the right environment for employees to be comfortable with the concept of self-identification of risks. Establishment of risk committees or other organizational components to support the framework, and an organizational reporting structure that ensures the independence and viability of the ERM program, are other potential changes that an organization needs to understand are vital to making the framework useful. Too many organizations think they can just adopt the COSO framework and overlay it on their existing way of doing things. Incorporating the concept that some changes are likely needed for the framework to be utilized might improve the potential for more rapid and successful implementation and integration of COSO. All the best to you and your colleagues in this endeavor.


Great work COSO
