Important Improvements Included in COSO’s New Enterprise Risk Management Framework

Vincent Tophoff | October 30, 2017 |

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the final version of its revised enterprise risk management (ERM) Framework, Enterprise Risk Management–Integrating with Strategy and Performance, in September 2017. The Framework has come a long way since COSO's initial exposure draft. It takes important steps toward breaking down the siloed nature of managing risk and integrating that responsibility throughout the organization.

In IFAC’s response to the 2016 exposure draft, we noted that, while the Executive Summary stressed the importance of integrating risk management, the draft Framework itself did not yet live up to that aspiration. The final version now highlights the importance of integrating risk considerations into both setting strategy and driving performance. In this respect it is closely aligned with the central theme of IFAC’s thought paper From Bolt-on to Built-in, which argues that managing risk should be an integral part of the overall management of an organization.

For starters, the subtitle of the Framework has been changed from “Aligning Risk with Strategy and Performance” to “Integrating with Strategy and Performance,” underscoring the importance of integration in the final framework. A new chapter has been added on integrating risk management with strategy-setting through performance. And the new signature graphic, no longer a cube, now clearly depicts how the various enterprise risk management components align with the elements of common business models.

Also, the components themselves have, rightly, been stripped of their siloed risk focus and placed in a more logical order that follows the business model:

Exposure Draft

1. Risk Governance and Culture

2. Risk, Strategy, and Objective-Setting

3. Risk in Execution

4. Risk Information, Communication, and Reporting

5. Monitoring Enterprise Risk Management Performance

Final Document

1. Governance and Culture

2. Strategy and Objective-Setting

3. Performance

4. Review and Revision

5. Information, Communication, and Reporting

While the supporting guidance can help organizations evaluate and improve their enterprise risk management arrangements, not all of the practice recommendations fully support the new approach. There is still a fair bit of inevitable “risk hunting” to satisfy those organizations that cannot (yet?) say goodbye to the old guard (think risk registers). Ultimately, it is not about managing risk or being in control, but about effectively setting and achieving your organization’s objectives. As long as you keep this big picture in mind, the revised framework provides many useful tips and hints.

The main recommendation in our 2016 comment letter was to “reverse the perspective from risk-based to (strategic) objective-based: placing organizational strategy and execution at the forefront and then showing how organizations could actually integrate the management of risk into their (already existing) ‘culture, capabilities, and practices.’” We at IFAC believe that, in this final version, COSO has come a long way since the exposure draft and, by making this turn, is now following through more fully on its own intentions.

Take a read through the framework yourself, and let us know your thoughts!

IFAC actively participated in the COSO Board’s Advisory Council for this update and we congratulate the COSO Board on this landmark revision.


Vincent Tophoff

Senior Technical Manager

Vincent Tophoff is senior technical manager with the Professional Accountants in Business (PAIB) Committee of IFAC. Previously, he was a partner at INTE-Q Integration Management, a management accountancy consulting firm in the Netherlands, and senior lecturer in the postgraduate accountancy program of the Vrije Universiteit in Amsterdam.
