| Key Takeaways |
| --- |
| The COSO ERM framework (2017) consists of five interrelated components and 20 principles designed to integrate risk management with strategy and performance. The framework replaced the 2004 “COSO Cube” model and shifts the focus from risk-as-compliance to risk-as-strategy-enabler. |
| The five components are: Governance and Culture (Principles 1-5), Strategy and Objective-Setting (Principles 6-9), Performance (Principles 10-14), Review and Revision (Principles 15-17), and Information, Communication, and Reporting (Principles 18-20). |
| COSO ERM is distinct from the COSO Internal Control framework (2013). Internal Control has 5 components and 17 principles focused on financial reporting and compliance controls. ERM has 5 components and 20 principles focused on integrating risk with strategy and value creation. |
| Only 64% of organizations have integrated risk and resilience into business strategy (KPMG, 2025). The COSO ERM framework provides the structure to close this gap by embedding risk considerations into every strategic decision. |
| Risk appetite is the central concept connecting all five components. Governance defines the appetite. Strategy sets objectives within the appetite. Performance identifies risks against the appetite. Review evaluates whether performance stayed within appetite. Reporting communicates appetite compliance to stakeholders. |
| COSO ERM and ISO 31000 are complementary, not competing. ISO 31000 provides the process (identify, analyze, evaluate, treat, monitor). COSO ERM provides the governance structure (board oversight, culture, strategy integration, performance measurement, reporting). |
| A 90-day roadmap takes your organization from ad hoc risk management to a structured COSO ERM implementation with board-approved risk appetite, populated risk register, and quarterly reporting cadence. |
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its updated Enterprise Risk Management framework in 2017, titled “Enterprise Risk Management: Integrating with Strategy and Performance.”
The update replaced the 2004 “COSO Cube” and fundamentally reframed how organizations should think about risk management. The 2004 framework treated ERM as a process layered on top of business operations. The 2017 framework positions ERM as inseparable from strategy, performance, and value creation.
This distinction matters because the data shows most organizations have not made this integration. Only 64% of organizations have integrated risk and resilience into their business strategy and planning (KPMG, 2025).
Nearly 75% of enterprises experienced at least one critical risk event in the past year (Forrester, 2025). Organizations without board-level ERM visibility were 20% more likely to suffer six or more critical events.
The COSO ERM framework addresses these gaps directly by requiring board oversight, risk-culture integration, and strategy-risk alignment as foundational elements.
This guide provides a complete walkthrough of the COSO ERM framework: all five components, all 20 principles with practitioner examples, a comparison with ISO 31000, and a 90-day implementation roadmap.
Each section includes tables that translate COSO’s principles into concrete actions, deliverables, and key risk indicators you can deploy immediately.
COSO: History and Context
COSO was formed in 1985 by five sponsoring organizations: the American Institute of CPAs (AICPA), Financial Executives International (FEI), the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). COSO’s original mission was to address fraudulent financial reporting, but its scope has expanded to cover internal control, enterprise risk management, and fraud risk management. In May 2025, COSO released a draft corporate governance framework, signaling continued evolution.
COSO Framework Timeline
| Year | Publication | Focus | Key Innovation |
| --- | --- | --- | --- |
| 1992 | Internal Control: Integrated Framework | Financial reporting controls | Introduced the COSO Cube with five control components. Became the global standard for internal control design. |
| 2004 | Enterprise Risk Management: Integrated Framework | Enterprise-wide risk management | Expanded from internal control to ERM. Eight components. Introduced risk appetite concept. |
| 2013 | Internal Control: Integrated Framework (Updated) | Updated internal control guidance | Refined to 5 components and 17 principles. Emphasized judgment and relevance of technology. |
| 2017 | ERM: Integrating with Strategy and Performance | Strategy-risk integration | Five components, 20 principles. Replaced the cube with the “ribbon” model. Explicit link between risk and value. |
| 2018 | ERM: Applying to ESG-Related Risks | ESG risk integration | COSO/WBCSD guidance mapping environmental, social, and governance risks to the 2017 ERM framework. |
| 2025 | Corporate Governance Framework (Draft) | Board governance oversight | Draft released May 2025; withdrawn for stakeholder feedback. Signals expansion into governance territory. |
COSO Internal Control vs. COSO ERM: Understanding the Difference
One of the most common errors in practice, and one present in the original article this guide replaces, is confusing the COSO Internal Control framework (2013) with the COSO ERM framework (2017).
They are separate publications with different purposes, components, and principles. The table below clarifies the distinction.
| Dimension | COSO Internal Control (2013) | COSO ERM (2017) |
| --- | --- | --- |
| Purpose | Provide reasonable assurance regarding the achievement of objectives related to operations, reporting, and compliance through effective internal controls. | Integrate risk management with strategy-setting and performance to create, preserve, and realize value. |
| Components | 5: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities | 5: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, Information, Communication & Reporting |
| Principles | 17 principles focused on control design, implementation, and effectiveness | 20 principles focused on risk governance, strategy integration, risk assessment, and value creation |
| Scope | Primarily internal: financial reporting accuracy, compliance with laws, operational efficiency | Enterprise-wide: strategic risk, operational risk, financial risk, compliance risk, reputation risk |
| Risk appetite | Not a core concept. Controls are designed to meet objectives, not to calibrate risk-taking. | Central concept. Risk appetite defines how much risk the organization is willing to accept in pursuit of value. |
| Board role | Monitor internal control effectiveness. Ensure management designs adequate controls. | Active risk oversight. Define risk appetite. Evaluate whether strategy aligns with appetite. Challenge management on risk assumptions. |
| Primary users | Internal auditors, compliance officers, financial controllers, external auditors | Board of directors, CRO, senior management, strategic planners, risk committees |
| Visual model | The COSO Cube (three-dimensional matrix) | The COSO Ribbon (linear flow from governance through reporting, with mission/vision/values as the foundation) |
Organizations need both frameworks. Internal control ensures that day-to-day operations, financial reporting, and compliance activities function properly.
ERM ensures that the organization’s strategy accounts for uncertainty, that risk-taking is intentional and within appetite, and that the board has visibility into the risk profile that supports or threatens strategic objectives.
The ERM framework sits above internal control: effective internal controls are a necessary enabler of ERM, but ERM goes far beyond controls to address strategy, culture, and value creation.
The Five Components and 20 Principles
The COSO ERM 2017 framework is principles-based. Each of the five components contains a set of principles that describe what effective ERM looks like. The 20 principles are not prescriptive checklists; they are outcomes that organizations must achieve in ways appropriate to their size, industry, and complexity. The table below maps all 20 principles with practitioner-level descriptions and the key deliverable each principle produces.
Component 1: Governance and Culture (Principles 1-5)
| # | Principle | What This Means in Practice | Key Deliverable |
| --- | --- | --- | --- |
| 1 | Exercises board risk oversight | The board (or equivalent governing body) actively oversees ERM. This includes approving risk appetite, reviewing top risks quarterly, and challenging management’s risk assumptions. | Board risk committee charter. Quarterly board risk report. Board meeting minutes documenting risk discussions. |
| 2 | Establishes operating structures | The organizational structure assigns clear risk management roles and responsibilities. A CRO or Head of Risk function is designated. The three lines model defines accountabilities. | Organizational risk governance chart. Three lines model RACI matrix. CRO job description and reporting line. |
| 3 | Defines desired culture | The organization fosters a risk-aware culture through tone from the top, incentive alignment, and behavioral expectations. Risk-taking is intentional, not accidental. | Risk culture assessment (annual survey). Code of conduct referencing risk management. Incentive structures that reward risk-informed decision-making. |
| 4 | Demonstrates commitment to core values | Integrity and ethical values are non-negotiable. The organization demonstrates commitment through actions, not just policies, including whistleblower protections and ethics training. | Ethics policy and training records. Whistleblower mechanism and usage statistics. Leadership communications reinforcing values. |
| 5 | Attracts, develops, and retains capable individuals | The organization invests in people with the skills to manage risk effectively, from board members with risk literacy to first-line managers trained in risk identification. | Risk management training program. Competency framework for risk roles. Board member risk literacy assessment. |
Component 2: Strategy and Objective-Setting (Principles 6-9)
| # | Principle | What This Means in Practice | Key Deliverable |
| --- | --- | --- | --- |
| 6 | Analyzes business context | The organization understands its internal and external environment, including industry trends, regulatory changes, competitive dynamics, and macroeconomic conditions. | PESTEL analysis. Industry risk landscape. Regulatory horizon scan. Competitor risk profile. |
| 7 | Defines risk appetite | The board articulates how much risk the organization is willing to accept in pursuit of its strategy. Risk appetite is expressed in measurable terms across risk categories. | Risk appetite statement with quantified thresholds (e.g., maximum acceptable downtime, loss limits, compliance tolerance). |
| 8 | Evaluates alternative strategies | Before committing to a strategy, the organization evaluates the risk profile of each strategic alternative. Strategy selection considers risk alongside expected return. | Strategy options with risk profiles. Decision memo documenting risk-return tradeoffs. Board approval of selected strategy. |
| 9 | Formulates business objectives | Business objectives are set with explicit consideration of risk. Objectives are SMART and include risk-adjusted targets where appropriate. | Strategic plan with risk-linked objectives. Cascaded objectives from enterprise to business unit with risk parameters. |
Component 3: Performance (Principles 10-14)
| # | Principle | What This Means in Practice | Key Deliverable |
| --- | --- | --- | --- |
| 10 | Identifies risk | The organization systematically identifies risks that could affect the achievement of its strategy and business objectives across all categories. | Populated risk register. Risk identification workshops. Emerging risk scan. |
| 11 | Assesses severity of risk | Identified risks are analyzed for likelihood and impact using qualitative and quantitative methods. Inherent and residual risk are both scored. | Scored risk register with inherent and residual ratings. Heat map. Quantitative analysis for top-tier risks. |
| 12 | Prioritizes risks | Risks are ranked relative to each other and against the organization’s risk appetite. The prioritization drives resource allocation for treatment. | Prioritized risk list. Risk appetite overlay on heat map. Treatment investment decisions documented. |
| 13 | Implements risk responses | The organization selects and implements responses: accept, avoid, pursue, reduce, or share. Each response has an owner, budget, and timeline. | Risk treatment action plans. Response owner assignments. Implementation timeline with milestones. |
| 14 | Develops portfolio view | Risks are aggregated across the enterprise to create a portfolio-level view that shows how risks interact, concentrate, and diversify. | Enterprise risk profile (portfolio view). Concentration analysis. Risk interconnection map. |
Component 4: Review and Revision (Principles 15-17)
| # | Principle | What This Means in Practice | Key Deliverable |
| --- | --- | --- | --- |
| 15 | Assesses substantial change | The organization identifies external and internal changes that could substantially affect strategy and business objectives, triggering a risk reassessment. | Change trigger matrix. Quarterly environmental scan. Reassessment protocol when triggers activate. |
| 16 | Reviews risk and performance | Management reviews whether the ERM process is effective at managing risks and whether performance outcomes align with risk-adjusted expectations. | Quarterly ERM performance review report. KPI/KRI trend analysis. Gap analysis between expected and actual risk outcomes. |
| 17 | Pursues improvement in ERM | The organization continuously improves its ERM capabilities based on lessons learned, benchmarking, and maturity assessments. | Annual ERM maturity assessment. Improvement action plan. Benchmarking against peers and standards. |
Component 5: Information, Communication, and Reporting (Principles 18-20)
| # | Principle | What This Means in Practice | Key Deliverable |
| --- | --- | --- | --- |
| 18 | Leverages information and technology | The organization uses quality data and technology to support risk identification, analysis, monitoring, and reporting. GRC platforms, dashboards, and analytics tools are deployed. | GRC platform or risk management tool. Data quality standards. Automated KRI threshold alerts. |
| 19 | Communicates risk information | Risk information flows across the organization and to external stakeholders as appropriate. Communication is timely, relevant, and audience-appropriate. | Tiered communication plan (board, management, operational). Risk report templates. Stakeholder-specific risk narratives. |
| 20 | Reports on risk, culture, and performance | The organization provides integrated reporting that connects risk, culture, and performance outcomes. The board receives a consolidated view that supports strategic decision-making. | Quarterly board risk pack (heatmap + narrative + decisions). Annual risk and culture report. Integrated performance-risk dashboard. |
COSO ERM vs. ISO 31000: Complementary Frameworks
Risk practitioners frequently debate COSO ERM versus ISO 31000. The debate misses the point. These frameworks address different levels of the same problem and are best used together. ISO 31000 provides the risk management process.
COSO ERM provides the governance and strategy integration. The table below maps where each framework leads.
| Dimension | COSO ERM 2017 | ISO 31000:2018 |
| --- | --- | --- |
| Origin | U.S.-based. Developed by five accounting and auditing professional bodies. Strong in financial services, publicly traded companies, and SEC-regulated entities. | International. Published by ISO. Applicable to any organization regardless of sector, size, or geography. |
| Approach | Governance-first: starts with board oversight, culture, and strategy before addressing the risk management process. | Process-first: provides principles, a framework, and a six-step process (scope, identify, analyze, evaluate, treat, monitor). |
| Risk appetite | Central concept. Explicitly requires the board to define, communicate, and monitor risk appetite. | Referenced but not deeply developed. ISO 31000 mentions risk criteria but does not prescribe a risk appetite governance model. |
| Strategy integration | Core requirement. Principle 8 requires evaluation of alternative strategies based on their risk profiles. | Clause 5.4.1 establishes context but does not explicitly require risk-strategy integration at the board level. |
| Best suited to | Board and executive-level governance of risk. Strategy-risk alignment. Publicly traded and regulated organizations. | Operational risk management process. Universal applicability. Organizations seeking a flexible, adaptable process. |
| How to use together | COSO ERM defines the governance structure, risk appetite, and reporting. ISO 31000 provides the process that risk owners use within that governance structure. | ISO 31000 delivers the day-to-day risk identification, analysis, evaluation, treatment, and monitoring activities within the COSO ERM governance envelope. |
Many enterprise risk management frameworks in practice use COSO ERM as the governance and reporting structure with ISO 31000 as the operational risk management process. Board-level risk reporting follows COSO’s 20 principles.
Risk registers and treatment plans follow ISO 31000’s process steps. This combination satisfies both U.S. regulatory expectations (where COSO is the de facto standard) and international standards requirements (where ISO 31000 is the benchmark).
Risk Appetite: The Thread That Connects All Five Components
Risk appetite is the concept that distinguishes COSO ERM from simpler risk management approaches. Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of value. The table below shows how risk appetite connects to each COSO ERM component.
| COSO ERM Component | How Risk Appetite Connects | Practical Application |
| --- | --- | --- |
| Governance and Culture | The board defines and approves the risk appetite statement. Culture reinforces that risk-taking within appetite is encouraged; risk-taking beyond appetite is escalated. | Board approves a statement: “We accept up to $5M in annual operational losses. Zero tolerance for compliance violations. Moderate appetite for strategic growth risk.” |
| Strategy and Objective-Setting | Strategic alternatives are evaluated against the risk appetite. Strategies that exceed appetite are rejected or modified. Objectives include risk-adjusted targets. | Management presents three growth strategies. Strategy A exceeds the cyber risk appetite (requires new unproven technology). Strategy B fits within appetite. The board selects B. |
| Performance | Identified risks are assessed against appetite thresholds. Risks within appetite are accepted or monitored. Risks above appetite trigger mandatory treatment. | A newly identified supply chain risk scores 18 on the 5×5 matrix. The appetite threshold for operational risk is 12. The risk is above appetite and requires a treatment plan within 30 days. |
| Review and Revision | Performance is reviewed against appetite. Breaches are analyzed for root causes. The appetite statement is refreshed annually or when strategy changes. | Q3 review shows two risk appetite breaches. Root cause analysis reveals both originated from the same third-party vendor. Vendor remediation plan initiated. Appetite statement reviewed. |
| Information, Communication, and Reporting | The board risk report explicitly shows which risks are within appetite (green), approaching appetite (amber), and above appetite (red). The narrative explains movements. | Board sees a one-page dashboard: 85% of risks within appetite (green), 12% approaching (amber), 3% above (red). The three red risks are discussed with treatment proposals. |
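The appetite overlay described in the Performance and Reporting rows above, as an added example that is not part of the original article: it scores register entries on the 5×5 likelihood × impact matrix, compares residual scores with per-category appetite thresholds, assigns the green/amber/red status, sets the 30-day treatment deadline for above-appetite risks, and rolls the results up into the board dashboard percentages. The category thresholds, the amber "watch" band, the register entries and the review date are constructed assumptions, not figures from the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Appetite:
    """Appetite thresholds for one category, as residual scores on the 5x5 matrix."""
    watch_from: int      # score from which a risk is 'approaching' appetite (amber)
    max_acceptable: int  # highest score still within appetite; above this is red

# Constructed appetite statement; categories and numbers are assumed, not the article's.
APPETITE = {
    "operational": Appetite(watch_from=9, max_acceptable=12),
    "compliance":  Appetite(watch_from=2, max_acceptable=1),   # zero tolerance: only 1x1 is green
    "strategic":   Appetite(watch_from=12, max_acceptable=16),  # moderate appetite for growth risk
    "cyber":       Appetite(watch_from=8, max_acceptable=10),
}
TREATMENT_WINDOW = timedelta(days=30)  # above-appetite risks need a treatment plan within 30 days

@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    category: str
    inherent: tuple[int, int]  # (likelihood, impact) before controls
    residual: tuple[int, int]  # (likelihood, impact) after existing controls

def matrix_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the 5x5 matrix; rejects ratings off the 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return likelihood * impact

def rag_status(score: int, appetite: Appetite) -> str:
    """Overlay the category's appetite thresholds on a residual score."""
    if score > appetite.max_acceptable:
        return "red"    # above appetite: mandatory treatment
    if score >= appetite.watch_from:
        return "amber"  # approaching appetite: monitor closely
    return "green"      # within appetite: accept or monitor

def assess(risk: Risk, as_of: date) -> dict:
    """Score one register entry against its appetite and set the treatment deadline."""
    if risk.category not in APPETITE:
        raise KeyError(f"no appetite threshold defined for category {risk.category!r}")
    inherent = matrix_score(*risk.inherent)
    residual = matrix_score(*risk.residual)
    if residual > inherent:  # controls cannot make a risk worse than its inherent rating
        raise ValueError(f"{risk.risk_id}: residual {residual} exceeds inherent {inherent}")
    status = rag_status(residual, APPETITE[risk.category])
    return {
        "risk_id": risk.risk_id, "category": risk.category,
        "inherent": inherent, "residual": residual, "status": status,
        "treatment_due": as_of + TREATMENT_WINDOW if status == "red" else None,
    }

def board_dashboard(assessments: list[dict]) -> dict:
    """Roll the assessed register up into the one-page board view."""
    counts = {"green": 0, "amber": 0, "red": 0}
    for row in assessments:
        counts[row["status"]] += 1
    total = len(assessments)
    return {
        "total": total,
        "counts": counts,
        "pct": {k: round(100 * v / total, 1) for k, v in counts.items()},
        "red_risks": sorted(r["risk_id"] for r in assessments if r["status"] == "red"),
    }

# Constructed sample register (six entries; a real register would hold 50 or more).
SAMPLE_REGISTER = [
    Risk("R-01", "Single-source supplier disruption", "operational", (5, 4), (4, 4)),
    Risk("R-02", "Payment data handling breach", "cyber", (4, 5), (2, 4)),
    Risk("R-03", "Sanctions screening gap", "compliance", (3, 5), (2, 2)),
    Risk("R-04", "New market entry fails", "strategic", (3, 4), (3, 4)),
    Risk("R-05", "Key-person dependency in finance", "operational", (3, 3), (2, 3)),
    Risk("R-06", "Cloud provider regional outage", "operational", (3, 4), (2, 3)),
]

def run(as_of: date = date(2025, 10, 1)) -> dict:
    """Assess the sample register as of a (constructed) review date and build the dashboard."""
    assessments = [assess(r, as_of) for r in SAMPLE_REGISTER]
    return {"assessments": assessments, "dashboard": board_dashboard(assessments)}
```

Calling `run()` returns every assessed entry plus the dashboard counts, percentages and the red list that would feed the one-page board pack.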
Implementation Roadmap
Implementing COSO ERM does not require a multi-year consulting engagement. The roadmap below phases the implementation into three manageable stages that deliver visible value at each milestone.
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1-30: Governance Foundation | Establish the risk governance structure: appoint CRO or designate Head of Risk. Define board risk oversight responsibilities (Principle 1). Draft risk appetite statement with the executive team (Principle 7). Map the three lines model to organizational roles (Principle 2). Conduct a risk culture baseline survey (Principle 3). | CRO appointment letter. Board risk committee charter (or updated terms of reference). Draft risk appetite statement. Three lines RACI matrix. Risk culture survey results. | CRO appointed and reporting to the board. Risk committee charter approved. Draft appetite statement reviewed by the board. Culture survey completed with >70% participation. |
| Days 31-60: Strategy and Performance | Conduct enterprise-wide risk identification workshops (Principle 10). Score risks using a likelihood × impact matrix (Principle 11). Prioritize the top 20 risks against the draft risk appetite (Principle 12). Link top risks to strategic objectives (Principle 9). Define 10-15 KRIs with RAG thresholds. | Populated risk register (minimum 50 risks across all categories). Scored and prioritized risk heat map. Risk-to-strategy linkage matrix. KRI catalogue with owners and thresholds. | Top 20 risks scored and assigned owners. Risk register reviewed by the risk committee. KRI thresholds approved. Risk-strategy linkage document presented to the board. |
| Days 61-90: Reporting and Improvement | Produce the first quarterly board risk report (Principle 20). Launch monthly KRI monitoring cycle. Conduct a tabletop exercise on the organization’s top risk. Plan the annual ERM maturity assessment (Principle 17). Finalize and publish the risk appetite statement. | First quarterly board risk pack (one-page heat map + narrative + decisions). Monthly KRI dashboard (operational). Tabletop exercise report. Published risk appetite statement. ERM maturity assessment plan. | Board report delivered on time. Board approves the risk appetite statement. At least one KRI triggers proactive risk treatment. Tabletop exercise produces one actionable improvement. Maturity assessment scheduled for Q2. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Confusing the Internal Control framework with the ERM framework | The organization implements the 2013 Internal Control framework (17 principles) and calls it ERM. Controls are strengthened, but strategy-risk integration is absent. | Use the 2017 ERM framework (20 principles) for enterprise risk management. Use the 2013 Internal Control framework for control design and testing. They serve different purposes. |
| Risk appetite statement that nobody uses | The board approves a one-page appetite statement that is filed away and never referenced in operational decisions. | Print the appetite thresholds on every risk register. Require every risk above appetite to have a funded treatment plan. Report appetite compliance quarterly. |
| ERM treated as a compliance function | The ERM program focuses on producing reports for regulators and auditors rather than informing strategic decisions. | Anchor ERM to Principles 6-9 (Strategy and Objective-Setting). Present risk alongside strategy options at every planning session. Measure ERM value by decisions influenced, not reports produced. |
| No portfolio view of risk (Principle 14 ignored) | Each business unit manages its own risks in isolation. Concentration risks and cross-enterprise correlations go undetected. | Aggregate risks quarterly into a portfolio view. Identify concentrations (e.g., three business units all depend on the same cloud provider). Map risk interconnections visually. |
| Board risk reports that are 50 pages of detail | The risk function dumps the entire risk register into a board pack, overwhelming directors and preventing focused discussion. | Follow Principle 20: report on risk, culture, and performance in an integrated, concise format. One-page heat map, three-paragraph narrative, and two decision requests maximum. |
| ERM program built once, never improved (Principle 17 ignored) | The initial implementation is treated as a project with a start and end date rather than an ongoing capability. | Conduct an annual ERM maturity assessment. Set improvement targets each year. Benchmark against industry peers and COSO’s maturity model. Budget for continuous improvement. |
Looking Ahead: COSO ERM Trends 2025-2027
COSO’s draft corporate governance framework, released and then withdrawn in 2025, signals that the organization is expanding beyond risk management and internal control into broader governance territory.
Expect a revised draft in 2026 that will further integrate board oversight responsibilities with ERM principles.
ESG risk integration continues to gain momentum. The 2018 COSO/WBCSD guidance on applying ERM to environmental, social, and governance risks provides the methodology, but implementation has been uneven.
Expanding ESG disclosure requirements (ISSB, EU CSRD, SEC climate rules) are forcing organizations to operationalize ESG risk assessment within their COSO ERM frameworks. KRIs for ESG and sustainability are becoming standard additions to the enterprise KRI dashboard.
AI governance is the newest risk category that COSO ERM must accommodate. The 2026 ProSight CRO Survey identified strategic risk and digital disruption as the number one emerging risk. AI risk assessment frameworks must be integrated into the COSO ERM Performance component (Principles 10-14), covering model risk, data governance, bias, and shadow AI.
The NIST AI RMF and the December 2025 Cyber AI Profile provide complementary guidance that maps well to COSO’s principle-based approach.
The organizations that extract the most value from COSO ERM are those that treat the framework as a decision-making tool, not a documentation exercise. When the board uses risk appetite to choose between strategies, when management uses the risk register to allocate resources, and when the risk function uses KRIs to trigger early intervention, COSO ERM fulfills its promise: integrating risk management with strategy and performance to create, preserve, and realize value.
Ready to implement COSO ERM in your organization? Visit riskpublishing.com to access COSO vs ISO 31000 comparisons, risk appetite statement guides, and risk register templates. Need a tailored ERM implementation program? Contact our consulting team to design a COSO-aligned framework built around your organization’s strategy and governance structure.
References
1. COSO ERM: Integrating with Strategy and Performance (2017) — Committee of Sponsoring Organizations of the Treadway Commission
2. COSO’s ERM Framework Overview — NC State University ERM Initiative
3. IRM Guide: From the Cube to the Rainbow Double Helix — Institute of Risk Management
4. Understanding the COSO ERM Framework — Institute of Internal Auditors
5. COSO ERM Framework: Components and Principles — SC&H Group
6. What Are the COSO Frameworks? — TechTarget
7. COSO/WBCSD: Applying ERM to ESG-Related Risks — COSO and World Business Council for Sustainable Development, 2018
8. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
9. The State of Enterprise Risk Management, 2025 — Forrester Research
10. 2025 KPMG Business Resiliency Survey — KPMG International
11. 2026 ProSight CRO Outlook Survey — ProSight Financial Association / Oliver Wyman
12. NIST Cybersecurity Framework 2.0 — National Institute of Standards and Technology
13. IIA Three Lines Model — Institute of Internal Auditors
14. Risk Management Principles: ISO 31000 and COSO ERM — Wolters K

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
