CHAPTER 7
ERM Frameworks

 

FRANK MARTENS, CPA, CA

Principal, Pacific Rim Risk Management Services Ltd

 

CARMEN ROSSITER, CPA, CA, ICD.D

Program Director, Centre in Governance, Risk Management and Control, Schulich Executive Education Centre, York University

 

INTRODUCTION

A framework is essential to successful enterprise risk management (ERM) implementation. There are many frameworks available but two of the most widely used are: ISO 31000:2018, Risk management—Guidelines and The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrating with Strategy and Performance.

Those frameworks provide useful guidance and we recommend using the best of both. Nevertheless, while generally accepted frameworks are a useful starting point, they are generic by their nature. The most successful organizations tailor their own framework to recognize their unique culture and operating environment in addition to supplementing it with the other key building blocks of effective enterprise risk management.

FRAMEWORKS AND THEIR IMPORTANCE

The Merriam-Webster dictionary defines “framework” as a:

  1. Basic conceptional structure (as of ideas)
  2. Skeletal, openwork, or structural frame.

In our context, a framework is an accumulation of ideas and concepts. It acts as a common frame of reference. It is essential, just like the body's skeleton or the frame of a house.

A framework provides a point of reference—a compass on your enterprise risk management journey. Otherwise, you are starting with nothing—a blank sheet of paper—and we all know how difficult that can be. That is why organizations that have successfully implemented ERM typically have a framework to guide their efforts. A framework is not the sole requirement for successful enterprise risk management, but it is one of the key essentials. Having a framework is necessary, but is not enough on its own.

Recognizing the importance of ERM frameworks, there is an abundance of publications on the topic. The documents label themselves as guidelines, frameworks, standards, principles, or variants thereof. In this chapter, we refer to all of them generically as “frameworks.”

Various professional bodies have developed risk framework publications. The main publications include:

  • International Organization for Standardization (ISO), ISO 31000:2018, Risk management—Guidelines, 2018 (“ISO 31000” in this chapter)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO): COSO, Enterprise Risk Management—Integrating with Strategy and Performance, 2017 (“COSO ERM” in this chapter)
  • U.S. Office of Management and Budget, OMB Circular A-123, 2016
  • Open Compliance & Ethics Group (OCEG), GRC Capability Model 3.0 (Red Book), 2015
  • Federation of European Risk Management Associations (FERMA), A Risk Management Standard, 2003

Although not listed above, regulated organizations, such as financial institutions or other regulated entities (energy, healthcare, etc.), often follow the risk management requirements of their local regulators as documented in applicable standards or guidelines. These regulatory requirements are typically more limited in scope as they focus on specific matters related to objectives such as safety, soundness, solvency, and so forth. They have a compliance focus as opposed to the broader goal of supporting the achievement of strategy and organizational objectives to preserve and enhance value. Organizations are bound by the specific requirements of their local regulators but may also adopt an ERM framework to broaden the scope of their risk management efforts and move beyond minimum compliance.

As noted earlier, the two most popular frameworks are the first two listed: COSO ERM and ISO 31000. These frameworks are addressed in more detail in this chapter. Nevertheless, it should be noted that this chapter provides an overview of the frameworks. It does not replace review and study of the full framework documents and other supporting publications.

Both these frameworks were designed to be used by organizations of all sizes, regardless of their industry, geographic location, or organization type (private, public, government, or community enterprise). They are universal in their application. Any organization that has a mission and a supporting strategy will need to make decisions in the face of uncertainty. Risk will need to be considered in those decisions; thus, enterprise risk management applies and can act as a powerful management tool in achieving success by realizing strategy and organizational objectives.

Enterprise risk management has many benefits and can provide great insights, if well implemented, but it is also important to recognize its limitations. Risk management informs strategy but it cannot compensate for bad strategy.

COSO ENTERPRISE RISK MANAGEMENT—INTEGRATING WITH STRATEGY AND PERFORMANCE (COSO ERM)

COSO History and Development of ERM Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in 1985 in the United States. The group was named after its first chairman, James C. Treadway Jr., the former Commissioner of the U.S. Securities and Exchange Commission. The five sponsoring organizations consist of professional accounting and auditing associations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).

COSO's first mandate was to study fraudulent financial reporting with the Report of the National Commission on Fraudulent Reporting issued in 1987. One of the findings of the report was that there was no generally accepted view or framework for internal control. As a result, Internal Control—Integrated Framework was issued in 1992 (revised in 2013) and became recognized as the generally accepted framework for internal control. The framework became more widely used following the enactment of the Sarbanes-Oxley Act (2002) and similar legislation in other countries, requiring the use of a recognized internal control framework to guide the certification of internal control over external financial reporting.

As COSO pursued its overall mandate, it noted that there was no generally accepted framework for enterprise risk management, leading to COSO's current goal of providing thought leadership on this topic in addition to internal control and fraud deterrence. In 2004, COSO issued Enterprise Risk Management—Integrated Framework, which was subsequently updated and released in 2017 as Enterprise Risk Management—Integrating with Strategy and Performance. As indicated by the title, the revised version emphasizes the importance of considering risk in both the strategy-setting process and in driving performance. The updated version did not alter the fundamental concepts of the 2004 publication and was revised to:

  • Provide greater insight into the value of enterprise risk management when setting and carrying out strategy in addition to aligning it with performance.
  • Reflect expectations for increased governance and oversight by the board of directors or other governing bodies.
  • Recognize the role of culture as fundamental to defining the desired behaviors and actions that characterize the organization.
  • Reflect the increased use of technology including analytics in support of decision making.
  • Consider the globalization of markets and operations, which brings the need to apply a common, albeit tailored, approach across geographies.

COSO ERM Overview

The COSO ERM framework defines enterprise risk management as:

  • The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

Risk is defined as:

  • The possibility that events will occur and affect the achievement of strategy and business objectives.

The key graphical representation for the COSO ERM framework is the ribbon diagram shown in Exhibit 7.1. Mission, vision, and core values are the starting point in any organization. From there, strategy is developed. Management, with oversight from the board of directors or other governing body, chooses one—hopefully the best—of alternate strategies. Business objectives are developed as the basis for realizing the chosen strategy. Implementation is then the challenge, particularly in a rapidly changing environment. The quality of implementation will influence performance and the organization's ability to deliver on expectations and targets. The desired outcome is achievement of strategy and business objectives that enhance value.

Schematic illustration of COSO Enterprise Risk Management.

Exhibit 7.1 COSO Enterprise Risk Management

Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrating with Strategy and Performance, 2017.

The framework is strongly focused on the achievement of strategy and business objectives—which is typically of top concern to the board of directors and senior executives to support organizational success. It recognizes that organizations need to perform well to provide value. Overall, the framework emphasizes the linkage between strategy, risk, and performance, thus elevating its relevance to the C-suite and the board of directors. Nevertheless, the ERM framework, which is written in simple business language without technical terms, is meant for use by all entity personnel—not just risk professionals.

The framework considers three critical dimensions of strategy and the risks they bring:

  1. The possibility of strategy not being aligned with mission, vision, and core values.
  2. Understanding the implications from the strategy chosen.
  3. The risks in executing the strategy to enhance performance.

Organizations have typically focused on the third type of risk, the risk to the execution of strategy, although the first and second can have dire consequences. In fact, for the first type of risk, some of the most significant organizational failures in recent history have occurred when the strategy selected did not align with the mission, vision, and core values of the entity. Further, for the second type of risk, even if that alignment is established, many organizations do not fully understand the risks that can result from the strategy and the sensitivity of assumptions embedded within it—particularly in an environment of rapid change and disruption. Finally, coming to the third type, the risks inherent in the strategy chosen, a myriad of risks must be identified and managed to achieve the desired performance. By distinguishing the three potential manifestations of risk impacting strategy, the framework provides a detailed analysis and recognition of the role and importance of ERM.

COSO Components

The framework consists of five interrelated components of enterprise risk management. Referring back to Exhibit 7.1, the graphic includes intertwined ribbons that represent the five interrelated components of ERM. In the diagram, the strand with the three ribbons of “Strategy and Objective Setting,” “Performance,” and “Review and Revision” represents the common processes that flow through the entity. The strand with the two ribbons of “Governance and Culture” and “Information, Communication, and Reporting” reflects the supporting aspects of enterprise risk management.

The five components are:

  1. Governance and Culture (supporting aspect)

    Governance and culture together form a basis for all other components of enterprise risk management. Governance sets the entity's tone with a governing body (board of directors or other) establishing oversight and reinforcing the importance of enterprise risk management. Culture is the composite of the organization's norms, attitudes, and behaviors—all of which have a critical influence on risk-taking and decision-making.

  2. Strategy and Objective Setting (common process)

    Every organization should have a strategy for bringing its mission and vision to fruition, and to drive value. By integrating enterprise risk management with strategy-setting, an organization gains insight into the risks associated with its strategic alternatives and, eventually, the chosen strategy. Business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

    Risk appetite is a strategic concept and defines boundaries to aid in decision making. Risk appetite is the types and amount of risk, on a broad level, an organization is willing to accept in the pursuit of value.

  3. Performance (common process)

    This component includes risk identification, assessing severity of risk, prioritizing risks, implementing risk responses, and developing a portfolio view. These practices are iterative and performed across all levels. These practices approximate a risk process without explicitly labeling it as such.

  4. Review and Revision (common process)

    Organizations should be alert to both internal and external changes and their impact on the achievement of the organization's strategy and objectives. Organizations monitor their performance against targets and assess their ability to increase value. Organizations also monitor the effectiveness of enterprise risk management and strive for continuous improvement.

  5. Information, Communication, and Reporting (supporting aspect)

    Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant information from both internal and external sources to support enterprise risk management and decision-making. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture, and performance.

COSO Principles

The five components above are supported by 20 principles. COSO ERM is thus a principles-based framework. The principles represent the fundamental concepts associated with each component and are illustrated in Exhibit 7.2.

Each of these principles is covered in more detail in the COSO ERM framework. The document includes a 10-page executive summary and the main volume is 110 pages in length.

Schematic illustration of COSO ERM Risk Management Principles.

Exhibit 7.2 COSO ERM Risk Management Principles

Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrating with Strategy and Performance, 2017.

ISO 31000:2018, RISK MANAGEMENT—GUIDELINES (ISO 31000)

ISO History and Development of Risk Management Standard

The International Organization for Standardization (ISO) was established in 1947 with members from 25 countries to develop international standards. The name, ISO, is not an acronym but comes from the Greek word “isos,” which means “equal.” The name of the organization is thus standardized to ISO in all countries with no translation or interpretation needed in any language. ISO is made up of standards institutes in more than 160 countries that work together to create international standards. As reported on the ISO website at www.iso.org, as of the date of writing this chapter, the organization has published nearly 23,000 international standards covering almost all aspects of business and technology.

The ISO risk management standard was largely based upon AS/NZS 4360, Risk management (“AS/NZS 4360”), which was first published in 1995 (most recently revised in 2004) as a joint effort by the Australia and New Zealand standard-setting bodies. ISO became involved when the Australian and New Zealand standard-setters proposed elevating their well-known AS/NZS 4360 to an international standard. ISO took on the challenge but opted against a simple adoption of AS/NZS 4360. Instead, the development of a new standard was initiated, subject to the due process given to all other ISO standards.

In 2009, ISO issued ISO 31000, Risk management—Principles and guidelines. ISO standards are regularly reviewed and revised. As part of this process, the standard was updated in 2018 and released as ISO 31000:2018, Risk management—Guidelines. The updated version is generally consistent with the initial version. ISO describes the revised version as providing more strategic guidance than ISO 31000:2009 and placing more emphasis on both the involvement of senior management and the integration of risk management into the organization.

It should be pointed out that ISO has many standards, many of which are used for certification purposes—such as ISO 9000, Quality management. However, unlike these other standards, ISO 31000 provides guidelines, not requirements, and is therefore not intended for certification purposes.

ISO 31000 Overview

ISO 31000:2018, Risk management—Guidelines, consists of three components: principles, a framework, and a process for managing risk. It is a short document of 16 pages in length.

The standard defines risk management as:

  • coordinated activities to direct and control an organization with regard to risk.

Risk is defined as:

  • the effect of uncertainty on objectives.

The graphical representation of the standard and its three components is shown in Exhibit 7.3.

Principles

The ISO 31000 standard is principles-based. The principles of risk management are viewed as a foundation for its success. “Value Creation and Protection” are at the center of the graphic as the purpose of risk management. The principles are to be considered when establishing the organization's risk management framework and processes.

Schematic illustration of ISO 31000 Principles, Framework, and Process for Managing Risks.

Exhibit 7.3 ISO 31000 Principles, Framework, and Process for Managing Risks

Source: The International Organization for Standardization (ISO), ISO 31000, Risk management—Guidelines, 2018.

The ISO standard has eight basic principles to support “Value Creation and Protection”:

  1. Integrated—Risk management is an integral part of all organizational activities.
  2. Structured and Comprehensive—A structured and comprehensive approach to risk management contributes to consistent and comparable results.
  3. Customized—The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.
  4. Inclusive—Appropriate and timely involvement of stakeholders enables their knowledge and views to be considered; this results in improved awareness and informed risk management.
  5. Dynamic—Risks can change or disappear as an organization's external and internal context changes.
  6. Best Available Information—The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear, and available to relevant stakeholders.
  7. Human and Cultural Factors—Human behavior and culture significantly influence all aspects of risk management at each level and stage.
  8. Continual Improvement—Risk management is continually improved through learning and experience.

Framework

The framework graphic is shown as one of the components, in the bottom left of Exhibit 7.3. At the center of the graphic is “Leadership and Commitment,” recognizing the importance of commitment from key stakeholders and, in particular, from top management, with support from oversight bodies, in integrating risk management into significant activities, functions, and everyday decision making.

The framework states that one of the means for top management and oversight bodies to demonstrate leadership and commitment is by “issuing a statement or policy that establishes a risk management approach, plan or course of action.” It is a general practice for organizations to have corporate policies approved by the board of directors to govern major risks and activities. Given that risk management is a key activity, we concur that it should be enshrined in a corporate policy. It better enables risk leaders to spread risk management throughout the organization as sanctioned by executive management and the board of directors or governing body.

The other key elements of the framework include: (1) integration; (2) design; (3) implementation; (4) evaluation; and (5) improvement. The framework is meant to provide the foundation and organizational arrangements to embed risk management throughout the organization at all levels. The key messages put forth in these elements are as follows:

  1. Integration

    Integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization's purpose, goals and complexity. Risk is managed in every part of the organization's structure. Everyone in an organization has responsibility for managing risk.

  2. Design

    The design element includes the following:

    • The organization should examine and understand its external and internal context in designing the framework for risk management.
    • Top management and oversight bodies should:
      • Examine and understand the organization's external and internal context.
      • Demonstrate and articulate their continual commitment to risk management through a policy, a statement, or other forms that clearly convey an organization's objectives and commitment to risk management.
      • Ensure that the authorities, responsibilities, and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization.
      • Ensure allocation of appropriate resources for risk management.
    • The organization should establish an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management.

  3. Implementation

    The organization should implement the risk management framework with active engagement and awareness of stakeholders.

  4. Evaluation

    In order to evaluate the effectiveness of the risk management framework, the organization should periodically measure risk management framework performance against its purpose, implementation plans, indicators, and expected behavior, and determine whether it remains suitable to support achieving the objectives of the organization.

  5. Improvement

    The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value. The organization should continually improve the suitability, adequacy, and effectiveness of the risk management framework and the way the risk management process is integrated. As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation. Once implemented, these improvements should contribute to the enhancement of risk management.

Process

A graphical representation of the risk management process as one of the key components of the ISO standard is shown in the bottom right of Exhibit 7.3. The process includes the following six main activities:

  1. Communication and Consultation

    The purpose of communication and consultation is to assist stakeholders in understanding risk and engage them in the process. Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision making. Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process.

  2. Scope, Context, Criteria

    The purpose of establishing the scope, context, and criteria is to customize the risk management process to maximize its effectiveness.

    The scope of risk management applicability should be defined to clarify at what levels it applies (i.e., strategic, operational, areas, functions, programs, projects, or other activities). It provides clarity about the scope under consideration, the relevant objectives to be considered, and their alignment with organizational strategy.

    The context includes both the internal and external context, which is the environment in which the organization seeks to define and achieve its objectives.

    Risk criteria are defined as “the amount and type of risk that it [organization] may or may not take, relative to objectives.” Development of criteria is an important part of this element and of successfully proceeding with the risk management process. If done well, the criteria developed will bring rigor and thoughtfulness to the assessment process and subsequent decision making.

  3. Risk Assessment

    Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Risk assessment should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry, as necessary.

  4. Risk Treatment

    Risk treatment is the selection of the best option for addressing the risk. Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of strategy and objectives against the costs, effort, or disadvantages of implementation.

  5. Monitoring and Review

    Monitoring and review include ongoing monitoring and periodic review of the risk management process and its outcomes to foster continuous improvement to ensure that the process is appropriately designed and tailored to bring value to the organization.

  6. Recording and Reporting

    The results of the risk management process should be documented and reported to key stakeholders. Risk management reporting is often a challenge for organizations, but it is of critical importance to communicate information for decision making and to foster meaningful discussions and risk conversations in the organization and among key stakeholders.

SIMILARITIES AND DIFFERENCES

Academic Paper Comparing and Contrasting COSO and ISO

In 2008, Dr. Roland Franz Erben published a conference paper on Risk Management Standards—Role, Benefits & Applicability. The paper included a comparison of COSO ERM and ISO 31000. His assessment of the standards was based on the following five requirements:

  1. Completeness: The principles described by a standard should cover all aspects of the implementation and operation of a risk management system.
  2. Generic Breadth: The principles described by a standard should not set any constraints limiting its applicability but instead be suitable for a preferably wide range of organizations independent of their industry, legal structure, activities, products, location, size, and so forth.
  3. Usability: The principles described by a standard should be comprehensible and practicable.
  4. Integration: The principles described by a standard should make clear how the risk management system can interact with or can be integrated in other management systems.
  5. External Assessment: The principles described by a standard should provide an adequate basis for an independent, objective assessment by (external) experts.

The results of the assessment are as shown in Exhibit 7.4.

Exhibit 7.4 Comparison between COSO ERM and ISO 31000

Source: Dr. Roland Franz Erben, Risk Management Standards—Role, Benefits & Applicability, 2008.

Element              COSO ERM    ISO 31000
Completeness         Moderate    Moderate
General Breadth      Moderate    High
Usability            High        Moderate
Integration          High        High
External Assessment  Moderate    Low

In conclusion, both COSO ERM and ISO 31000 were viewed as useful support for organizations aiming to design and implement enterprise-wide risk management.

Dr. Erben's study on the comparison of COSO ERM and ISO 31000 was based on the initial version of the frameworks, before their later revisions in 2017 and 2018, respectively. The study is nevertheless insightful and, in our opinion, the findings not significantly affected by the revision of the frameworks.

Other Similarities and Differences

In looking at these frameworks, there are both similarities and differences. It is important to note that the organizations behind these documents grew from differing origins and those origins are reflected in the philosophy behind their publication. COSO ERM's origins are grounded in internal control and, as a result, early iterations of their work on enterprise risk management were viewed by some as having a greater focus on control. This perception remains. The origins of ISO 31000 are grounded more in the area of operational quality.

As a result, making a direct comparison of these two frameworks is challenging, and as such we have avoided making comparisons at a detailed level and instead focused on higher-level observations.

The following are key similarities between the frameworks:

  • Focus on Objectives

    Both the COSO ERM framework and ISO 31000 focus on the achievement of objectives rather than on managing risk in isolation. Although each sets out considerations in managing risk, it is intended to be done in the context of achieving the organization's overall strategy and objectives.

  • Downplay the Focus on Control

    Both the COSO ERM framework and ISO 31000 downplayed the focus on control in their updated versions. The COSO ERM framework includes a brief discussion on the relationship between ERM and internal control in the introductory chapter, and then refers to control only in the context that once management selects a risk response, control activities are necessary to ensure that those risk responses are carried out as intended. This is a significant reduction from the prior version, which had a full chapter devoted to the discussion of control activities. The ISO 31000 guidance also reduced its attention on control, referring to it less than half as often as in its initial publication.

The following are key differences between the frameworks:

  • Length

    The COSO ERM document is longer than ISO 31000 (110 pages vs. 16 pages), thus providing more guidance and covering topics on a more detailed level. ISO has focused on keeping ISO 31000 short to deliver a more concise guide that helps organizations use risk management.

  • Supporting Guidance

    COSO supports the ERM framework by publishing additional guidance such as the Compendium of Examples (2018) and other thought papers intended to ease implementation. Many of these are available free of charge on the COSO website at www.coso.org. In contrast, added guidance on ISO 31000 is often provided by other parties, including affiliated organizations within each country.

  • Process

    ISO 31000 includes a process to guide implementation. The process is generic and high-level but it does provide insight into how to conduct risk management activities. Most of the ISO 31000 document is devoted to the process (7 out of 16 pages) as a prominent feature of the standard. COSO ERM does not describe a process, although the “Performance” component includes associated principles that imply a process, including: (i) identification; (ii) assessment; (iii) prioritization; (iv) response; and (v) developing a portfolio view.

  • Risk Appetite

    Risk appetite has become a well-accepted concept—even more so since the 2007–2008 financial crisis, and especially for regulators of financial institutions. COSO ERM addresses risk appetite as one of its principles and strongly aligns it with strategy—casting it as a strategic concept. In contrast, ISO 31000 does not directly mention risk appetite. It does, however, include within its discussion of risk criteria a reference to the amount and type of risk that it [the organization] may or may not take, which is commonly referred to within the definition of risk appetite. As such, in ISO 31000, development of risk criteria implies existence or understanding of an overarching risk appetite, albeit implicit.

  • Culture

    COSO ERM explicitly recognizes the importance of culture as one of its principles and the role of management and the board of directors to define and shape the desired culture of the entity as a whole and of individuals within it. ISO 31000 makes only passing mentions of culture as something to take into account.

THE INFLUENCE OF THESE FRAMEWORKS

Our discussion to this point has focused largely on the technical aspects of these frameworks. The second, and perhaps more important consideration, is what impact these frameworks are having on organizations. Our review of several surveys confirmed two views:

  1. These frameworks continue to gain use in organizations.
  2. These frameworks are influencing ERM efforts in organizations.

Trends in Applying Frameworks

Both COSO ERM and ISO 31000 have existed in various versions for several years now, and adoption of both has continued to increase since their inception. The Risk and Insurance Management Society (RIMS) 2017 Enterprise Risk Management Benchmark Survey reported a high rate of adoption for both frameworks, as shown in Exhibit 7.5. As of the date of that survey, COSO ERM and ISO 31000 together accounted for more than half of the ERM frameworks in use.


Exhibit 7.5 Graph Developed from Data in RIMS Enterprise Risk Management Benchmark Surveys, 2013 and 2017

Source: Compiled from data in Risk and Insurance Management Society (RIMS), 2013 RIMS Enterprise Risk Management (ERM) Survey and 2017 Enterprise Risk Management Benchmark Survey.

Interestingly, the growth in use of these frameworks closely parallels the perceived progress in ERM and its maturity as reported by various enterprise risk management surveys (see references). Nevertheless, in spite of significant improvements, “few executives describe their organization's approach to risk management as mature,” according to the survey conducted for the 2020 State of Risk Oversight publication from the North Carolina State Poole College of Management Enterprise Risk Management Initiative. Most organizations described their level of ERM maturity as somewhere between very immature and evolving; very few described their processes as robust.

Influence of Framework on ERM Efforts in Organizations

While we continue to see increases in application, adoption alone is not necessarily the best measure of these frameworks' intrinsic value. A recent survey by the Conference Board of Canada considered the extent to which these frameworks influence how ERM is applied within an entity, on a scale ranging from slightly influential to extremely influential (see Exhibit 7.6).


Exhibit 7.6 The Influence of Frameworks on ERM

Source: Susan Côté-Freeman, The State of ERM in Canada, A Benchmarking Study, Conference Board of Canada, 2019.

As expected, the most recent updates of both COSO ERM and ISO 31000 lag somewhat behind the earlier versions of their frameworks in terms of influence. On an aggregate basis (earlier and current versions combined), the COSO ERM framework has a very or extremely high influence 35% of the time, whereas ISO 31000 has a very or extremely high influence 40% of the time. As we have noted in this chapter, and not surprisingly, those organizations that make the effort to develop their own tailored framework report the greatest influence from their frameworks. Our experience, however, is that those that develop their own frameworks still review both COSO ERM and ISO 31000 and incorporate the relevant concepts into their own.

ADVICE AND CLOSING REMARKS

The frameworks reviewed in this chapter have much useful guidance. Risk practitioners should know and understand generally accepted frameworks and stay abreast of developments in the risk community as they continue to advance risk management capabilities in their organization.

On adopting a framework, our recommendation would be to use the best of both key frameworks: COSO ERM and ISO 31000. Nevertheless, while generally accepted frameworks are a useful starting point, they are generic by their inherent nature. To be most successful, organizations need to tailor their own framework. There is no “one size fits all.” To be effective and brought to life, the framework needs to be customized and aligned to the unique features of the organization's culture and environment. The organization needs to make the framework its own!

However useful a framework is, it is just one of the necessary building blocks of enterprise risk management. To be successful, an organization also needs the other key features of enterprise risk management, including:

  • People
    • Capable individuals—people with the requisite knowledge, expertise, and experience to execute the entity's processes.
    • An enabling culture with leadership from a committed CEO with a genuine belief in the value of ERM.
    • A fully engaged board of directors or governing body exercising effective oversight.
  • Process
    • Defined process and workflows to support action and aimed at achieving intended results.
    • Enterprise-wide application with integration into core processes.
  • Infrastructure
    • Effective integration with strategy and performance.
    • Articulated risk appetite to define boundaries of what is and is not acceptable.
    • Risk infrastructure including: a chief risk officer (or equivalent); an enabling ERM policy, criteria, and/or measurement methodologies to bring rigor and discipline to assessments; and supporting technologies.
  • Information
    • The ability to capture and analyze unstructured and structured data that originates both externally and within the organization.
    • Information captured from across an organization that supports management in understanding risk.
    • Effective risk reporting to provide insight and support informed decision making.

Overall, there has been much progress with ERM since the advent of frameworks—COSO ERM in 2004 (revised in 2017) and ISO 31000 in 2009 (revised in 2018). Nevertheless, organizations still have much to do for ERM to achieve a more established state and provide real value.

Peering into our crystal ball, our outlook is for continued development yielding more positive acceptance of ERM and implementation that goes beyond the minimum to satisfy immediate compliance requirements to one that unlocks true value. ERM will need to become part of everyday management and sensible decision making where there is explicit consideration of risks and rewards.

One might ask about the next steps to get there. What will it take? Sadly, many of the advances in enterprise risk management over the years have come in reaction to catastrophic risk events or failures. These will continue to occur but, on the more positive and proactive side, we hope the ideas developed in these frameworks will gain greater traction with organizations, enabling them to elevate enterprise risk management to a more mature state. These ideas include:

  • Continuing focus on strategy and its achievement—which is what really matters to the C-suite and the board of directors.
  • Integrating risk management into business processes and everyday management.
  • Formulating risk appetite in a way that is actionable and can be used for decision making.
  • Understanding the psychological factors and cognitive biases that impact risk management and motivating the desired outcome through alignment with compensation systems.
  • Adopting a customized tailored approach, recognizing that one size does not fit all.
  • More relevant reporting and disclosures to engage stakeholders and engender meaningful risk conversations.

For this development to occur, there is a need for continued thought leadership publications and guides to offer tips and practices to facilitate implementation. In addition, to better equip us and future generations, teaching of enterprise risk management will need to expand in schools, colleges, and universities as essential to good management and effective decision making.

As for frameworks, we can look forward to their evolution as ERM matures and becomes more embedded into everyday management and decision making.

REFERENCES

  1. Côté-Freeman, Susan. 2019. The State of ERM in Canada: A Benchmarking Study. Conference Board of Canada. April 15.
  2. The Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2017. Enterprise Risk Management: Integrating with Strategy and Performance. June.
  3. Erben, Dr. Roland Franz. 2008. Risk Management Standards—Role, Benefits & Applicability. 2nd European Risk Conference. Università Bocconi. September 11–12.
  4. The International Organization for Standardization (ISO). 2018. ISO 31000: Risk management—Guidelines.
  5. North Carolina State University, Poole College of Management, Enterprise Risk Management Initiative. 2020. 2020 The State of Risk Oversight. April 2.
  6. Risk & Insurance Management Society (RIMS). 2017. RIMS 2017 Enterprise Risk Management Benchmark Survey. November 6.
  7. Risk & Insurance Management Society (RIMS). 2013. 2013 RIMS Enterprise Risk Management (ERM) Survey. August.

ABOUT THE AUTHORS

Frank Martens, CPA, CA, is committed to helping boards and senior management enhance their risk management capabilities. Frank was the Global Risk Framework and Methodology Leader at PricewaterhouseCoopers and now owns his own firm. He has assisted clients across multiple geographies and industries to enhance their enterprise risk management practices. Frank was the Project Lead Director on COSO 2017 Enterprise Risk Management—Integrating with Strategy and Performance. He has participated in webinars, podcasts, and written blogs on numerous topics relating to enterprise risk management.

Carmen Rossiter, CPA, CA, ICD.D is Program Director for the Centre of Excellence in Governance, Risk Management & Control at the Schulich Executive Education Centre at York University. Carmen is a Corporate Director with various organizations. Her previous career experience was as a Partner with PricewaterhouseCoopers (Global Risk Management Solutions), Canadian Practice Leader and CEO for Protiviti Canada, and senior strategic and controllership positions in industry with CIBC, Royal Trust (now RBC Financial), and Crown Life Insurance.
