
COSO ERM Framework: A Practitioner's Guide

18 min read · Updated February 2026

The COSO Enterprise Risk Management framework is the most widely adopted reference for integrating risk management with strategy and performance in corporate organisations. This guide covers the 2017 framework update, its five components and twenty principles, and how to apply it in practice.

What is COSO ERM?

COSO — the Committee of Sponsoring Organizations of the Treadway Commission — published its first Enterprise Risk Management framework in 2004. The 2017 update, “Enterprise Risk Management: Integrating with Strategy and Performance,” significantly expanded the framework's scope, placing risk squarely in the context of business strategy.

Unlike ISO 31000, which is guidance-based and sector-agnostic, COSO ERM is more prescriptive and particularly well-suited to publicly listed companies, financial institutions, and organisations subject to Sarbanes-Oxley (SOX) or similar governance requirements.

The five components

1. Governance and culture

Sets the tone for ERM across the organisation. Covers board risk oversight, operating structures, the desired culture, commitment to core values, and attracting, developing, and retaining capable people.

Principles: board oversight; operating structures; desired culture; core values; talent commitment.

2. Strategy and objective-setting

Integrates ERM with the strategic planning process. The organisation's business context, risk appetite, strategy, and business objectives are established here.

Principles: business context analysis; risk appetite definition; evaluating alternative strategies; formulating business objectives.

3. Performance

Identifies and assesses the risks that may affect achievement of strategy and business objectives, prioritises them, selects risk responses, and develops a portfolio view of risk across the organisation. The classic risk register and risk matrix work happens here.

Principles: risk identification; risk assessment; risk prioritisation; risk response; portfolio view.

4. Review and revision

Reviews how well ERM is performing and revises the approach in response to substantial change and to how the organisation is actually performing against its objectives.

Principles: substantial change monitoring; risk and performance review; ERM improvements.

5. Information, communication, and reporting

Information systems capture and communicate relevant risk information. The organisation reports on risk, culture, and performance to multiple stakeholder groups.

Principles: leveraging information systems; risk communication; ERM reporting.

Risk appetite in COSO ERM

COSO ERM places more weight on risk appetite than most other risk frameworks. It defines risk appetite as the “types and amount of risk, on a broad level, an organisation is willing to accept in pursuit of value.”

Critically, COSO ERM distinguishes between risk appetite and risk tolerance:

Risk appetite

The broad-level amount and type of risk the organisation is willing to accept in pursuit of its mission and strategy. Set at the strategic level by senior management and approved and overseen by the board.

Risk tolerance

The acceptable variation in performance relative to achieving specific business objectives. More operational and granular than appetite, and expressed in measurable terms against a particular objective.

COSO ERM vs ISO 31000

Dimension        | COSO ERM                                         | ISO 31000
-----------------|--------------------------------------------------|------------------------------------
Scope            | Enterprise-wide, linked to strategy              | Any organisation, any context
Certification    | No (but used in SOX-driven governance)           | No
Depth            | More prescriptive (5 components, 20 principles)  | Principles-based, flexible
Best for         | Public companies, financial sector               | Any organisation
Risk appetite    | Central and detailed                             | Mentioned, less detailed
Culture focus    | Strong (governance and culture component)        | Mentioned in the principles

Using the COSO ERM template in RiskMatrix Pro

Our COSO ERM template pre-loads a 5×5 matrix with risk categories aligned to the COSO ERM performance component, including strategic, operational, reporting, and compliance risks.