Understanding the COSO 2017 Enterprise Risk Management Framework, Part 1: An Introduction

If oversight of cyber risks were trivial, it wouldn’t be an issue anymore. But it is still an issue because cyber risks are a business concern, and making smart business decisions is a nontrivial task.

In September 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand and prioritize the risks their organizations face and measure how these risks impact business performance.

Inside the COSO ERM Framework

According to the framework’s FAQ, “Enterprise risk management is no longer focused principally on preventing the erosion of value and minimizing risk to an acceptable level. Rather, it is viewed as integral to strategy setting and the identification of opportunities to create and maintain value.”

The COSO ERM framework is a high-level tool to help board directors and top leadership ensure that:

  • Risks are considered and reviewed at the very top levels of the organization.

  • Risk management is part of the fabric of the organization and done as part of business as usual.

  • Risks are not viewed solely as negative; potential positive risks that are worth taking, given their value and alignment with business objectives, are also considered.

  • Risks are connected to decisions regarding strategy as well as the impact on performance.

The strong link between risks, strategy and performance is one of the key defining features of the 2017 update to the COSO ERM framework. The FAQ cited the emergence of new and significantly more complex risks as a key reason for the update, along with the rise of risk reporting and oversight requirements. In addition, key stakeholders’ expectations of greater transparency are putting pressure on top leadership to deliver expected value, even in the face of more volatile markets, supply chain disruptions and rapid technological change.

Put succinctly, according to the FAQ, the updated framework “provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy,” and the achievement of performance goals.

The Importance of Enterprise Risk Management

As Harvard Business Review put it, “We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.” The article outlined the myriad biases that humans harbor when making decisions: anchoring bias, confirmation bias, commitment escalation bias, groupthink and normalization of deviance.

The 2017 COSO ERM framework builds on the solid foundation of the previous document, which was released in 2004, and better integrates the relationship between risks, strategy and performance. Each element influences the other two, and trying to manage each separately is like trying to pick up a bar of soap with wet hands: Every time you think you have a handle on it, it slips away from you.

On a more serious note, the COSO ERM also underscores the relationship between risk and value. It elevates the discussion of strategy and risk, looking at the possibility that strategy and business objectives are not in strong alignment with the organizational mission, vision and values. It allows for deep insight into the implications of the various strategies that management is contemplating and the risks that stem from executing a chosen strategy.

The COSO ERM update was designed to help organizations deal with risks that have increased in volatility and complexity as they face increased regulatory pressures. The framework is designed to be usable by entities of all sizes, regardless of their industry or geographic location. As the COSO executive summary pointed out, adoption of the framework allows the board and management to gain “a better understanding of how the explicit consideration of risk may impact the choice of strategy.”

The Nuts and Bolts of the Framework

The COSO ERM framework consists of 20 principles that are grouped to support one of five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting.

The components and their underlying principles form a simple but effective lens with which the board and top leadership can evaluate their ability to clearly link strategy, performance and risks. As an added benefit of clear vision and strong engagement, organizations are also likely to improve their resilience capabilities and their ability to see issues and take the best course of action to navigate around them — or perhaps through them.

A Road Map to Improve Cyber Risk Management

According to the framework’s executive summary, “Enterprise risk management allows organizations to anticipate the risks that would affect performance and enable them to put in place the actions needed to minimize disruption and maximize opportunity.”

By strongly linking strategy, performance and risk management, the COSO ERM framework provides a road map for board directors and top leadership to improve their engagement in ensuring that the business delivers ongoing value in the face of new and rapidly evolving risks. The document is written for business leaders, not cybersecurity experts, but every utterance of the word “risk” can be replaced with “cyber risks” and make perfect sense to both the business leaders and chief information security officers (CISOs).

A quick glance at the 20 principles confirms the strong relevance of the COSO ERM in improving management and oversight of cybersecurity risks, including desired culture, finding and retaining talent, defining risk appetite, identifying and evaluating risks, determining risk mitigation options, and reporting on risk, culture and performance. The framework specifically calls out the need to ensure that the board has the appropriate expertise or access to outside expertise to provide effective oversight of cyber risks. One additional principle that stands out is a focus on continuous improvement as applied to the ERM process itself.

As the COSO Executive Summary warned, “Every choice we make in the pursuit of objectives has its risks.” If you choose to ignore the 2017 COSO ERM framework, you do so at your own peril.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.