COSO ERM Framework
Also known as: Enterprise Risk Management Framework, COSO Cube
A comprehensive enterprise risk management framework that integrates risk management with strategy and performance, helping organizations identify, assess, and manage risks across the entire enterprise.
Quick Reference
Memory Aid
Governance → Strategy → Performance → Review → Report. Risk management IS strategy management.
TL;DR
COSO ERM integrates risk management with strategy and performance across five components and 20 principles. Start with board-level governance, connect risks to strategic objectives, assess enterprise-wide, respond proportionally, and monitor continuously.
What Is COSO ERM Framework?
A structured approach to identifying and managing all types of risks across an organization, connecting risk management directly to strategy and value creation.
On Integrating Risk with Strategy
Enterprise risk management is not a function or a department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy.
— COSO, Enterprise Risk Management — Integrating with Strategy and Performance (2017)
The COSO ERM Framework (2017 update) integrates enterprise risk management with strategy-setting and performance management. It consists of five interrelated components — Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, and Information, Communication & Reporting — supported by 20 principles. Unlike purely defensive risk management, COSO ERM views risk as both a threat and an opportunity, helping organizations make better strategic decisions under uncertainty.
COSO ERM Components
Five interrelated components flowing from mission through strategy to performance, with governance and reporting supporting the entire framework.
- Governance & Culture: board oversight, operating structures, and risk culture
- Strategy & Objective-Setting: risk-informed strategic planning
- Performance: identify, assess, and prioritize risks
- Review & Revision: review performance and revise practices
- Information, Communication & Reporting: capture, process, and report on risk
Origin & Context
Developed after major corporate scandals (Enron, WorldCom) to provide a comprehensive framework for enterprise-wide risk management. Updated significantly in 2017.
Core Components
Governance & Culture
Establishes board oversight, operating structures, and the desired risk culture.
Example
A board establishes a risk committee that meets quarterly and defines the organization's risk appetite statement.
Strategy & Objective-Setting
Integrates risk management into strategic planning and business objective setting.
Example
During annual planning, the executive team evaluates strategic alternatives through a risk lens before selecting priorities.
Performance
Identifies, assesses, and prioritizes risks that may affect the achievement of strategy and objectives.
Example
Business units maintain risk registers that are reviewed monthly, with risks rated on likelihood and impact.
Review & Revision
Reviews entity performance and revises risk management practices as needed.
Example
After a major market disruption, the organization reviews its risk assessments and updates mitigation strategies.
Information, Communication & Reporting
Uses information systems to capture, process, and report on risk throughout the organization.
Example
A monthly risk dashboard provides the board with a heat map of the organization's top 20 risks.
The 2017 update of COSO ERM shifted the focus from risk control to integrating risk with strategy and performance — recognizing that risk management should enable value creation, not just prevent losses.
When to Use COSO ERM Framework
Enterprise-wide risk governance
Problem it solves: Risks are managed in silos without a unified enterprise view.
Real-World Application
A multinational implements COSO ERM to create a single risk taxonomy and reporting structure across all regions and functions.
Strategic decision-making under uncertainty
Problem it solves: Strategy is set without adequate consideration of risks and opportunities.
Real-World Application
A board uses COSO ERM to evaluate an acquisition target, assessing strategic, financial, operational, and compliance risks before approving.
Regulatory compliance
Problem it solves: Organizations need a recognized framework for demonstrating risk management to regulators.
Real-World Application
A financial services firm adopts COSO ERM to satisfy regulatory requirements and demonstrate effective risk oversight.
Start with a clear risk appetite statement from the board. Without defined appetite, organizations either take too much risk or become risk-averse and miss opportunities.
How to Apply COSO ERM Framework: Step by Step
Before You Start
- Board and executive commitment to ERM
- Clear organizational strategy and objectives
- Risk management roles and responsibilities defined
Establish governance and culture
Define board oversight, risk management roles, and desired risk culture.
Tips
- Create a risk appetite statement approved by the board
- Assign a Chief Risk Officer or equivalent
Common Mistakes
- Making ERM a compliance exercise rather than a strategic tool
Integrate with strategy
Embed risk considerations into strategic planning and objective-setting processes.
Tips
- Evaluate risks for each strategic alternative
- Define risk appetite for each strategic objective
Common Mistakes
- Treating risk management as separate from strategic planning
Identify and assess risks
Systematically identify risks across the enterprise and assess their likelihood and impact.
Tips
- Use workshops, interviews, and data analysis
- Consider both threats and opportunities
Common Mistakes
- Only identifying obvious risks; missing emerging and interconnected risks
Implement responses and monitor
Select risk responses (accept, avoid, reduce, share), implement controls, and monitor continuously.
Tips
- Match response cost to risk severity
- Use Key Risk Indicators for early warning
Common Mistakes
- Creating risk registers that are never reviewed or updated
Value & Outcomes
Primary Benefit
Provides a comprehensive, integrated approach to managing risks that supports better strategic decisions.
Additional Benefits
- Satisfies regulatory and governance requirements
- Creates a common risk language across the organization
- Enables proactive rather than reactive risk management
What You'll Learn
- How to integrate risk management with strategy
- How to assess and prioritize enterprise-wide risks
- How to build a risk-aware culture
Best Practices
📋 Preparation
- Secure board-level sponsorship before starting
- Assess current risk management maturity
🚀 Execution
- Start with the most critical strategic risks, not a comprehensive inventory
- Make risk discussions a regular part of leadership meetings
- Use risk appetite as a decision-making guide, not just a document
🔄 Follow-Up
- Review and update the risk profile at least quarterly
- Conduct annual ERM maturity assessments
- Learn from risk events and near-misses
💎 Pro Tips
- The best ERM programs make risk management part of daily decision-making, not a periodic compliance exercise
- Focus on risk interdependencies — individual risks are often connected in ways that amplify impact
Microsoft's ERM Transformation
When Satya Nadella became CEO of Microsoft in 2014, the company overhauled its enterprise risk management approach. Instead of treating ERM as a compliance exercise, Microsoft integrated risk considerations directly into its strategic pivot to cloud computing. By systematically assessing the risks and opportunities of the cloud-first strategy through COSO ERM principles, Microsoft identified both the competitive risks of staying the course and the growth opportunities of Azure — contributing to a market cap increase from $300B to over $2T.
Limitations & Pitfalls
Can become bureaucratic and compliance-focused if not championed by leadership
Mitigation: Keep the focus on value creation and strategic decision support
Full implementation is resource-intensive for smaller organizations
Mitigation: Scale the framework to organizational size; apply the five components without formally implementing all 20 principles
Risk assessments are inherently uncertain and can provide false confidence
Mitigation: Use scenario planning and stress testing to complement quantitative risk assessment