COSO ERM 2017: A Practical Implementation Checklist
Priya Nair · 9 min read · 28 January 2026
The COSO ERM 2017 framework spans five components and twenty principles. This article condenses each component into a practical checklist your team can use to self-assess ERM maturity or prepare for an external review.
The 2017 update to COSO ERM — officially titled “Enterprise Risk Management: Integrating with Strategy and Performance” — was a major evolution from the 2004 cube model. The headline change was integrating ERM explicitly with strategic planning, recognising that risk management disconnected from strategy is theatre rather than governance.
The implementation checklist
Use this checklist to assess your organisation's ERM maturity against the COSO ERM 2017 framework. Each item maps to one or more of the framework's 20 principles.
1. Governance and culture
- Board has established an ERM oversight mechanism (e.g., audit or risk committee)
- Executive leadership has defined and communicated risk culture expectations
- Organisational structures and reporting lines for risk are documented
- Core values are defined and integrated into risk decision-making
- Organisation attracts, develops, and retains professionals with risk competencies

2. Strategy and objective-setting
- Business context analysis completed (internal and external factors)
- Risk appetite statement formally approved by the board
- Risk appetite articulated at the business unit / objective level (risk tolerance)
- Alternative strategies evaluated with risk implications considered
- Business objectives established with risk-informed success criteria

3. Performance
- Risk identification process covers all relevant risk categories
- Risks assessed by likelihood and impact using documented scales
- Risk prioritisation methodology documented and consistently applied
- Risk responses defined for all identified risks above appetite
- Portfolio view of risk established — not just individual risk silos

4. Review and revision
- Process in place to identify and respond to substantial change
- ERM performance reviewed against strategy and business objectives
- Risk assessments updated at defined intervals (at minimum annually)
- ERM framework improvements implemented based on review findings

5. Information, communication, and reporting
- Risk data captured in a documented system (register, platform, or tool)
- Internal risk communication reaches all relevant levels of the organisation
- External risk disclosures meet applicable governance and regulatory requirements
- Board receives regular, meaningful ERM reporting (not just a heat map)
Scoring your maturity
After completing the checklist, count how many items you can confidently confirm. Use this rough guide:
22–23 items: Advanced. ERM is genuinely integrated with strategy. Ready for external assurance.
16–21 items: Managed. Solid ERM foundations. Some areas still need attention, but there are no fundamental gaps.
9–15 items: Developing. ERM exists but is fragmented. Key components are missing.
0–8 items: Initial. ERM is ad hoc. Leadership commitment and framework design are the first priorities.
COSO ERM template in RiskMatrix Pro
Start your COSO ERM-aligned risk assessment with our pre-built template, complete with sample risks across strategic, operational, reporting, and compliance categories.