COSO ERM: Key Components Explained

Anwita

Sep 17, 2024

In March 2024, cloud service giant Microsoft hung its head in shame after the Cyber Safety Review Board (CSRB) published a 30-page review of its inadequate security culture.

The CSRB report cited “…troubling examples of decision-making processes within the company that did not prioritize security risk management at a level commensurate with the threat.”

It highlighted that Microsoft’s security and compliance culture was not strong enough to prevent incidents. 

This was an oversight by leaders who failed to build a culture of security from the bottom up. There is a lesson to be learned here: a structured approach based on a comprehensive guideline like COSO ERM builds a fail-proof security architecture, whereas treating security as an ad hoc task does not.

In this article, we explain what the COSO ERM is, its principles, and how to implement it. 

TL;DR

  • COSO’s Enterprise Risk Management framework provides a structured approach to managing risks by integrating them into governance, strategy, and performance.
  • The COSO ERM has five components: Governance & Culture, Strategy & Objective Setting, Performance, Review & Revision, and Information, Communication & Reporting.
  • COSO ERM’s objective is to help organizations proactively identify, assess, and manage risks while aligning them with strategic goals.

What is COSO?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a private sector organization that develops guidelines that help businesses evaluate their internal controls, risk management, and fraudulent activities. Formed in 1985, COSO was initially developed to combat fraudulent activities in financial reporting. Now it includes internal controls and enterprise risk management. 

The Treadway Commission is sponsored by major associations in the United States such as the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA).

What is COSO ERM?

The Enterprise Risk Management Framework is a voluntary framework developed by COSO to implement a risk program driven by strategy and performance. It complements and aligns with existing compliance and ethics (C&E) frameworks to develop a single tool that enables businesses to identify, assess, and manage compliance risks. 

The COSO risk management framework provides a comprehensive structure for organizations to identify, assess, and manage risks effectively. By integrating risk management into business processes, companies can align their risk appetite with strategic goals, improve decision-making, and enhance operational resilience.

“The CISO or security leaders must make the sales team and the rest of the business aware that security can be the ultimate prerequisite to get into business negotiations to bring a mindset shift”

Aron Lange with Sprinto

Five components of COSO ERM 

The five COSO ERM components collectively help organizations effectively manage risks while enabling them to explore new growth opportunities. 

The key components of the COSO enterprise risk management are as follows.

Component: Governance & Culture
Principles:
  • Exercises board risk oversight
  • Establishes operating structures
  • Defines desired culture
  • Demonstrates commitment to core values
  • Attracts, develops, and retains capable individuals

Component: Strategy & Objective Setting
Principles:
  • Analyzes business context
  • Defines risk appetite
  • Evaluates alternative strategies
  • Formulates business strategic objectives

Component: Performance
Principles:
  • Identifies risk
  • Assesses severity of risk
  • Prioritizes risks
  • Implements risk responses
  • Develops portfolio view

Component: Review & Revision
Principles:
  • Assesses substantial change
  • Reviews risk and performance
  • Pursues improvement in enterprise risk management

Component: Information, Communication, & Reporting
Principles:
  • Leverages information and technology
  • Communicates risk information
  • Reports on risk, culture, and performance

Governance & culture

This component describes how governance and culture impact compliance risk management. It focuses on ensuring board oversight, establishing operating structures, developing a culture of compliance, committing to a set of values, and employing the right individuals. This component has the following requirements: 

  • Oversee compliance risk management at board level and include at least one member who has sufficient experience and expertise
  • Ensure adequate resource availability for the compliance and ethics program, and receive regular reports from the chief compliance officer
  • Run the compliance function separately from other functions 
  • Document all policies and risk management processes related to the operation and establish new ones to escalate risk events
  • Communicate ethics and compliance requirements, set up training programs, and adopt incentives to ensure their implementation
  • Promote a culture of accountability, zero tolerance policy for retaliation, and fairness

Strategy & objective-setting

Concerned with implementing strategies and setting the COSO ERM framework’s objectives, this component helps to analyze business context, evaluate possible business strategies, set business objectives, and set the risk appetite. The strategy and objective setting component requires you to: 

  • Conduct compliance risk assessment based on the adopted strategy and understand how compliance risks impact various functions
  • Consider cultural and locational differences while implementing legal frameworks
  • Assess how compliance risks affect business objectives and update risk appetite accordingly
  • Develop risk-centric appetite statements of compliance risks 
  • Conduct due diligence for mergers and acquisitions initiatives based on risk posture
  • Include measurable compliance metrics in business goals to track compliance risk management and the effectiveness of C&E programs. Factor them into incentive and compensation decisions

Performance

The performance component deals with how compliance risk is identified, assessed, prioritized, and responded to in practice. This keeps compliance and ethics programs effective and helps meet regulators’ expectations around legal obligations, policy assessment, non-compliant events, ethical misconduct, and more. To meet this component, you should:

  • Prioritize compliance based on the level of risk relative to business objectives, using a scoring system aligned with the assessment
  • Use assessment criteria like trends to prioritize compliance risks and consider the impact of risk on strategy changes
  • Develop compliance risk responses taking non-compliance risks and risk responses into consideration
  • Assign roles for compliance risk response and follow-up to ensure its implementation
  • Develop monitoring and auditing plans taking compliance risks into account

Review and revision for compliance risks 

Given the dynamic nature of the legal, regulatory, and ethical environments, the level of complexity has become an increasing challenge. Technological advancements and stakeholder expectations are adding to the complexities. 

The review and revision component enables organizations to keep up with these changes by helping businesses assess significant changes, review risks and performance, and improve enterprise risk management initiatives. It has the following requirements: 

  • Identify key drivers of compliance risk changes and the impact of new strategies 
  • Evaluate how leadership change impacts compliance risk and risk tolerance
  • Monitor performance against compliance and ethics metrics and develop monitoring plans for high-risk items
  • Conduct internal audits taking compliance risk into account and include audit right clauses for third-party contracts 
  • Implement corrective actions in performance monitoring and measuring metrics and analyze compliance risk events
  • Keep track of current trends, evaluate the C&E program through independent channels, and get the board’s feedback on the quality of risk data shared 

Sprinto automatically maps risks to compliance criteria and controls. It launches automated checks to test controls and tracks health on a central dashboard. When checks detect anomalies, it triggers alerts and remediation workflows to the appropriate risk owners, ensuring timely resolution with context-rich, time-bound notifications that prevent risks from escalating.

Information, communication, and reporting

This component covers how the framework’s information is gathered, communicated, and reported. To implement the principles of information, communication, and reporting for compliance risks, you must:

  • Ensure that the compliance function has easy access to relevant data for risk management
  • Use data analytics and relevant technology for monitoring and auditing purposes
  • Use automated systems for compliance monitoring and reporting 
  • Communicate with employees regarding their role in C&E, set up periodic reporting requirements, and train all stakeholders on escalation policies 
  • Provide periodic, tailored reports on C&E risk assessments, remediation efforts, training completion, and investigation outcomes using a case management system
  • Develop and track operational metrics to assess the effectiveness of the C&E program to ensure clear reporting of remediation efforts


Internal control framework of COSO

COSO issued the Internal Control – Integrated Framework in 1992 and revised it in 2013. Also known as CRIME (control environment, risk assessment, information and communication, monitoring activities, and existing control activities), its goal is to enable organizations to strategize and ensure sustainable growth.

The components operate as a single integrated system with many notable interrelationships. The controls include: 

  • Control environment: Includes the set of ethical values, standards, and processes that have a pervasive impact on the other controls.
  • Risk assessment: Helps you identify vulnerabilities that threaten the achievement of objectives. Here, it is critical to consider the impact of changes in the internal and external business environment that may render internal control systems ineffective
  • Control activities: These are essentially actions performed under senior management’s direction to mitigate risks to achieve the objectives without any roadblocks. Control activities are performed at all layers of the organization’s processes
  • Information and communication: Refers to the organization’s ability to convey information that aids in performing the control activities to ensure that internal and external key risk stakeholders clearly understand their roles and responsibilities
  • Monitoring activities: Involves identifying the policies, processes, and practices that are not functioning as intended and require an inspection to identify the deficiencies

How to implement the COSO ERM regulatory framework easily?

You know the importance of using a risk management framework like COSO to manage hurdles to growth and business objectives. However, implementing a comprehensive risk framework is not easy and is likely to break some of your processes and systems. Before you realize it, the framework is creating more problems within your organization than it solves.

One way to solve this is by using a compliance and risk automation tool like Sprinto. This helps you manage the end-to-end processes and automate a significant chunk of your manual work. Here’s how you can use the tool to implement all five principles and objectives:

  1. Automate policy management and role-based access control to foster a risk-aware culture without breaking workflows.
  2. Integrate risk management into strategy by mapping controls and risks to organizational objectives. The tool assesses risks in real time, helping you align strategic decisions with the risk tolerance defined under the COSO framework.
  3. Continuously monitor risk and compliance data on a dashboard that provides insights into identified risks, ongoing control measures, and compliance status, so that risks are prioritized and managed effectively.
  4. Automate regular risk reviews and control testing to support ongoing monitoring and evaluation of risk responses. This highlights gaps or changes in the risk landscape, enabling you to revise your risk management approach.
  5. Automate the collection, analysis, and reporting of risk and compliance data to ensure timely and accurate communication across departments. Audit-ready reports enhance transparency and help you make informed decisions.

To learn how we helped thousands of businesses launch and run compliance risk management frameworks from scratch to certification, connect with our experts to see Sprinto in action.

FAQs

What is the difference between the latest and old version of COSO ERM?

The latest version of COSO ERM emphasizes integrating risk management with strategy and decision-making, while the older version focused more on risk identification and control. The updated framework highlights the importance of managing risk in the context of performance, governance, and culture to offer a more comprehensive and value-driven approach.

What is the importance of COSO enterprise risk management implementation?

Implementing COSO ERM helps organizations proactively identify, assess, and manage risks while aligning them with strategic goals. It enhances decision-making, improves performance, and safeguards value creation by integrating risk management into all aspects of governance, strategy, and operations, to foster long-term resilience.

What are the steps to get COSO ERM certification?

To get COSO ERM certification, follow these steps:

  • Enroll in an accredited training program for COSO ERM.
  • Study COSO’s ERM framework and its components.
  • Complete the required coursework or self-study.
  • Pass the certification exam, which assesses your understanding of ERM principles.
  • Maintain certification through continuing education.

What are the COSO points of focus?

The COSO points of focus are specific elements within the Enterprise Risk Management (ERM) Framework that guide organizations in achieving effective risk management. These points of focus are aligned with the five core components of the COSO framework:

  • Governance and culture
  • Strategy and objective setting
  • Performance 
  • Review and revision
  • Information, communication and reporting

What is the mission of COSO?

COSO’s mission is to provide thought leadership and frameworks that help organizations improve their risk management, internal control, and governance practices to enhance performance and achieve long-term value.

Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves reading nonfiction, listening to progressive rock, and watching sitcoms on the weekends.
