The top changes to the COSO ERM Framework you need to know now

05 September 2017

By Dennis Chesley, Global, Asia Pacific and Americas (APA) Risk Consulting Leader

When the Committee of Sponsoring Organisations of the Treadway Commission (COSO) decided to update one of the most widely recognised and applied risk management frameworks in the world, they engaged PwC to author the new COSO ERM Framework.

Why update the COSO ERM Framework?

Several reasons: The complexity of doing business is changing, and new risks continue to emerge at a faster pace than has been seen in the past. Shifting customer behaviour is exerting considerable influence on an unpredictable global economic landscape.

Meanwhile, technology evolution and a greater call for transparency are straining strategic planning processes and operational capabilities. Addressing these challenges requires that organisations take a new approach to managing risk: one that helps to create, preserve and realise value now and in the future.

A draft of the Framework was made public during a comment period, garnering widespread global and cross-sector interest and support from both private and public companies. That feedback helped to shape the updated Framework, now titled Enterprise Risk Management–Integrating with Strategy and Performance.

Here are some of the key changes to the Framework.

The Framework:

  1. Introduces a new structure: With just five components and twenty principles aligned to the business cycle, the Framework’s key principles cover processes from governance to day-to-day activities. They are manageable in number and applicable for all organisations regardless of size, type, or sector, and allow for a fuller conversation about risk between the board and management.
  2. Explores the different benefits of ERM: The Framework presents a clear case for integrating enterprise risk management practices with strategy-setting and performance management practices to help realise benefits related to value. Bringing a focus to these benefits enhances conversations about why ERM matters.
  3. Provides a focus on integrating risk management: The Framework offers guidance on how to better integrate enterprise risk management: linking risk with strategy setting and day-to-day activities, embedding it throughout an organisation’s culture, capabilities and practices, and fostering better decision-making.
  4. Is written from the perspective of business: The Framework’s language makes conversations about risk relevant and universal by setting out core definitions, components and principles for all levels of management involved in designing, implementing and conducting ERM practices.
  5. Features a suite of new graphics: The Framework utilises new conceptual graphics. The core graphic brings to life the relationship between risk management and the business model. Other graphics, such as risk curves, highlight the relationships between risk, strategy and performance, further embedding the management of risk into day-to-day conversations.
  6. Explores risk management at all altitudes of the organisation: From entity-level to process-level risks, the Framework explores how the identification, assessment and management of risk changes from the transactional to the strategic.
  7. Dives into deeper discussions on challenging topics: The Framework examines such topics as risk appetite and the portfolio view of risk, and addresses some misconceptions that exist today, providing deeper insight.
  8. Includes greater emphasis on culture: The Framework explores how enterprise risk management practices can instil more transparency and risk awareness into an organisation’s culture, helping people make decisions while understanding the importance of culture in shaping those decisions.
  9. Addresses the evolving role of information technology: The Framework sheds light on how business trends, such as the proliferation of data, artificial intelligence and automation, influence an organisation’s strategy, business context and risk management.

To complement the new Framework, we have also created a series of case studies to illustrate the application of all of the publication’s principles across different industries, entity sizes and types, and actual and expected company practices. This compendium will be released in late fall this year.

Together, the Framework and the compendium are designed to turn a preventative, process-based risk monologue into a proactive, opportunities-focused conversation to uncover how risk management can create, preserve and realise quality and value.

Explore our points of view on some of the key concepts covered in the Framework by visiting our COSO ERM Framework microsite and sign up for updates.

As always, I would love to know what you think: @Dchesl


Dennis Chesley | Global Risk Consulting Leader
Profile | Email | + 1 (202) 316 5089



So far I am significantly underwhelmed by what I have read that is publicly available. Maybe the value is in the detail. Up to now all we are hearing are ERM motherhood statements.
What has changed that will enhance business value?

Could the change in the framework influence operational excellence? And if it does, in what manner and at what level?

Dear Dennis,

Wonderful article and a fantastic job done. However, I have a concern over the COSO definition of ERM; I feel it does not address some key inputs, or some key inputs are missing.

I came up with a definition and related it side by side with the COSO ERM definition. Should you wish to know it, I will be glad to share this with you if you can furnish me with your email details.

Thanks for the article. What can the application of this iteration of COSO ERM enable in an organisation that cannot be achieved using ISO 31000?

I think there is a lot to be desired here. I agree with John. What is the enhanced business value? I really do not see it.

Wonderful article and a fantastic job done. Keep it up.
