COSO ERM Framework Implementation: Beyond Checklists and Templates

14 June 2018

The release of the 2017 COSO ERM Framework changed the conversation about how companies consider the relationship between risk and value — from one that is typically only considered as an erosion to value to one that can, when properly embedded in an organisation’s DNA, lead to value creation.

In fact, I think it’s fair to say that this link — between risk, strategy and performance — is one of the defining features of the 2017 Framework.

But we also learned that once people began to use the new Framework, they wanted a bit more. 

As part of our rollout, the team and I had the privilege of traveling around the world talking with risk professionals, C-Suites and boards about these new concepts of enterprise risk management. Invariably we were asked if there was a checklist, a step-by-step case study, or a template — some kind of road map for implementation.

While we wanted to give our colleagues practical tools for implementing these new principles, we were also wary of suggesting there was a standardised, or “official” method for doing so.


After all, every organisation is unique to itself, to its industry, and to its operating environment. And risk management is as much an art as a science — in many ways it’s the nuances that are the most critical factors in both success and risk management.

So we decided that a far better method would be to offer illustrations that could illuminate the principles of our new ERM Framework.

For example: What are the types of benefits that you're seeking to derive from implementing ERM? What are the culture, capabilities and practices that you have to work with? And, based on those competencies, what is the most suitable approach for implementing its various parts?

I’m proud to share the result of all these conversations, interviews, and research into real-world industry practices. We call it the Compendium of Examples: nine examples that bring to life how organisations of varying types and sizes, across varying industries and jurisdictions, might choose to apply the principles and concepts of ERM.

In each example, the central character is an individual facing a typical business challenge — the launch of a new product, an investment decision, a resourcing challenge — the types of issues and decisions that businesspeople are facing every single day. These examples showcase how risk management — whether in culture, capabilities or practices — actually supports that decision making process… and leads to improved outcomes.

My hope is that risk professionals, boards and senior management alike enjoy reading the stories we’ve laid out — and that they spark innovation and creativity around how to weave enterprise risk management into the DNA of their own organisation.

As always, I love to know what you think @Dchesl


Dennis Chesley | Global Risk Consulting Leader
Profile | Email | + 1 (202) 316 5089



In the components of ERM, risk appetite comes in (2) Strategy & Objective-Setting, whereas risks are identified in (3) Performance.
How come risk appetite comes before identifying the risks?

Where are the residual risks identified in ERM?

Please clarify.
