C o m m i t te e o f S p o n s o r i n g O rg a n iz a t i o n s o f t h e Tre a d w ay C o m m i s s i o n

Enterprise Risk Management

Integrating with Strategy and Performance
Executive Summary

io LY
ut N
rib O
n
st E
di US
er L
rth NA
fu O
o S
N R
PE

June 2017
 This project was commissioned by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), which is dedicated to providing thought leadership
through the development of comprehensive frameworks and guidance on internal
control, enterprise risk management, and fraud deterrence designed to improve organi-
zational performance and oversight and to reduce the extent of fraud in organizations.
COSO is a private sector initiative, jointly sponsored and funded by:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants

io LY
• The Institute of Internal Auditors

ut N
rib O
n
st E
di US
er L
rth NA
fu O
o S
N R
PE

©2017 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means
without written permission of COSO. P254469-01 0516
 Executive Summary

Foreword
In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise
Risk Management—Integrated Framework. Over the past decade, that publication has gained broad
acceptance by organizations in their efforts to manage risk. However, also through that period, the
complexity of risk has changed, new risks have emerged, and both boards and executives have
enhanced their awareness and oversight of enterprise risk management while asking for improved
risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk
management and the need for organizations to improve their approach to managing risk to meet the
demands of an evolving business environment.
The updated document, now titled Enterprise Risk Management—Integrating with Strategy and
Performance, highlights the importance of considering risk in both the strategy-setting process and

io LY
in driving performance. The first part of the updated publication offers a perspective on current and
evolving concepts and applications of enterprise risk management. The second part, the Framework,
is organized into five easy-to-understand components that accommodate different viewpoints and
operating structures, and enhance strategies and decision-making. In short, this update:

ut N
• Provides greater insight into the value of enterprise risk management when setting and

rib O
carrying out strategy.

n
• Enhances alignment between performance and enterprise risk management to improve the
setting of performance targets and understanding the impact of risk on performance.

st E
• Accommodates expectations for governance and oversight.
di US
• Recognizes the globalization of markets and operations and the need to apply a common,
albeit tailored, approach across geographies.
• Presents new ways to view risk to setting and achieving objectives in the context of greater
business complexity.
er L

• Expands reporting to address expectations for greater stakeholder transparency.

rth NA

• Accommodates evolving technologies and the proliferation of data and analytics in sup-
porting decision-making.
• Sets out core definitions, components, and principles for all levels of management involved
fu O

in designing, implementing, and conducting enterprise risk management practices.

o S

Readers may also wish to consult a complementary publication, COSO’s Internal Control—
Integrated Framework. The two publications are distinct and have different focuses; neither
N R

supersedes the other. However, they do connect. Internal Control—Integrated Framework

encompasses internal control, which is referenced in part in this updated publication, and therefore
PE

the earlier document remains viable and suitable for designing, implementing, conducting, and
assessing internal control, and for consequent reporting.
The COSO Board would like to thank PwC for its significant contributions in developing Enterprise
Risk Management—Integrating with Strategy and Performance. Their full consideration of input
provided by many stakeholders and their insight were instrumental in ensuring that the strengths of
the original publication have been preserved, and that text has been clarified or expanded where
it was deemed helpful to do so. The COSO Board and PwC together would also like to thank the
Advisory Council and Observers for their contributions in reviewing and providing feedback.

Robert B. Hirth Jr. Dennis L. Chesley

COSO Chair PwC Project Lead Partner and Global
and APA Risk and Regulatory Leader

June 2017 iii

 Enterprise Risk Management | Integrating with Strategy and Performance

Committee of Sponsoring Organizations of

the Treadway Commission

Board Members
Robert B. Hirth Jr. Richard F. Chambers Mitchell A. Danaher
COSO Chair The Institute of Internal Auditors Financial Executives International

Charles E. Landes Douglas F. Prawitt Sandra Richtermeyer

American Institute of Certified Public American Accounting Association Institute of Management

io LY
Accountants Accountants

ut N
rib O
PwC—Author

n
st E
Principal Contributors
di US
Miles E.A. Everson Dennis L. Chesley Frank J. Martens
Engagement Leader and Global Project Lead Partner and Global Project Lead Director and Global
and Asia, Pacific, and Americas and APA Risk and Regulatory Risk Framework and Methodology
(APA) Advisory Leader Leader Leader
New York, USA Washington DC, USA British Columbia, Canada
er L

Matthew Bagin Hélène Katz Katie T. Sylvis

rth NA

Director Director Director

Washington DC, USA New York, USA Washington DC, USA

Sallie Jo Perraglia Kathleen Crader Zelnik Maria Grimshaw

fu O

Manager Manager Senior Associate

New York, USA Washington DC, USA New York, USA
o S
N R
PE

iv June 2017
 Executive Summary

The Changing Risk Landscape

Our understanding of the nature of risk, the art and science of choice, lies at the core of our
modern economy. Every choice we make in the pursuit of objectives has its risks. From day-to-
day operational decisions to the fundamental trade-offs in the boardroom, dealing with risk in
these choices is a part of decision-making.
As we seek to optimize a range of possible outcomes, decisions are rarely binary, with a right
and wrong answer. That’s why enterprise risk management may be called both an art and
a science. And when risk is considered in the formulation of an organization’s strategy and
business objectives, enterprise risk management helps to optimize outcomes.
Our understanding of risk and our practice of enterprise risk management have improved greatly

io LY
over the past few decades. But the margin for error is shrinking. The World Economic Forum
has commented on the “increasing volatility, complexity and ambiguity of the world.”1 That’s
a phenomenon we all recognize. Organizations encounter challenges that impact reliability,

ut N
relevancy, and trust. Stakeholders are more engaged today, seeking greater transparency and
accountability for managing the impact of risk while also critically evaluating leadership’s ability

rib O
to crystalize opportunities. Even success can bring with it additional downside risk—the risk of

n
not being able to fulfill unexpectedly high demand, or maintain expected business momentum,
for example.

st E
Organizations need to be more adaptive to change. They need to think strategically about how
to manage the increasing volatility, complexity, and ambiguity of the world, particularly at the
di US
senior levels in the organization and in the boardroom where the stakes are highest.
Enterprise Risk Management—Integrating with Strategy and Performance provides a
Framework for boards and management in entities of all sizes. It builds on the current level of
risk management that exists in the normal course of business. Further, it demonstrates how
er L

integrating enterprise risk management practices throughout an entity helps to accelerate

growth and enhance performance. It also contains principles that can be applied—from
rth NA

strategic decision-making through to performance.

Below, we describe why it makes sense for management and boards to use the enterprise
risk management framework,2 what organizations have achieved by applying enterprise risk
fu O

management, and what further benefits they can realize through its continued use. We conclude
with a look into the future.
o S

Management’s Guide to Enterprise Risk Management

N R

Management holds overall responsibility for managing risk to the entity, but it is important for
PE

management to go further: to enhance the conversation with the board and stakeholders about
using enterprise risk management to gain a competitive advantage. That starts by deploying
enterprise risk management capabilities as part of selecting and refining a strategy.
Most notably, through this process, management will gain a better understanding of how the
explicit consideration of risk may impact the choice of strategy. Enterprise risk management
enriches management dialogue by adding perspective to the strengths and weaknesses of a
strategy as conditions change, and to how well a strategy fits with the organization’s mission
and vision. It allows management to feel more confident that they’ve examined alternative
strategies and considered the input of those in their organization who will implement the
strategy selected.

.....................................................................................................

1
The Global Risks Report 2016, 11th edition, World Economic Forum (2016).
2
The Framework uses the term “board of directors” or “board,” which encompasses the governing body, including
board, supervisory board, board of trustees, general partners, or owner.

June 2017 1
 Enterprise Risk Management | Integrating with Strategy and Performance

Once strategy is set, enterprise risk management provides an effective way for management to fulfill
its role, knowing that the organization is attuned to risks that can impact strategy and is managing
them well. Applying enterprise risk management helps to create trust and instill confidence in
stakeholders in the current environment, which demands greater scrutiny than ever before about
how risk is actively addressing and managing these risks.

The Board’s Guide to Enterprise Risk Management

Every board has an oversight role, helping to support the creation of value in an entity and prevent its
decline. Traditionally, enterprise risk management has played a strong supporting role at the board
level. Now, boards are increasingly expected to provide oversight of enterprise risk management.

io LY
The Framework supplies important considerations for boards in defining and addressing their
risk oversight responsibilities. These considerations include governance and culture; strategy and
objective-setting; performance; information, communications and reporting; and the review and

ut N
revision of practices to enhance entity performance.
The board’s risk oversight role may include, but is not limited to:

rib O
• Reviewing, challenging, and concurring with management on:

n
–– Proposed strategy and risk appetite.

st E –– Alignment of strategy and business objectives with the entity’s stated mission, vision, and
core values
di US
–– Significant business decisions including mergers acquisitions, capital allocations, funding, and
dividend-related decisions
–– Response to significant fluctuations in entity performance or the portfolio view of risk.
–– Responses to instances of deviation from core values.
er L

• Approving management incentives and remuneration.

rth NA

Questions for • Participating in investor and stakeholder relations.

management
Over the longer term, enterprise risk management can also enhance
Can all of management—not just enterprise resilience—the ability to anticipate and respond to
fu O

the chief risk officer—articulate how change. It helps organizations identify factors that represent not just
risk is considered in the selection of risk, but change, and how that change could impact performance
strategy or business decisions? Can
o S

and necessitate a shift in strategy. By seeing change more clearly,

they clearly articulate the entity’s risk an organization can fashion its own plan; for example, should it
appetite and how it might influence a
N R

defensively pull back or invest in a new business? Enterprise risk

specific decision? The resulting con- management provides the right framework for boards to assess risk
versation may shed light on what the
PE

and embrace a mindset of resilience.

mindset for risk taking is really like in
the organization.
Boards can also ask senior man- What Enterprise Risk Management
agement to talk not only about risk Has Achieved
processes but also about culture. COSO published Enterprise Risk Management—Integrated
How does the culture enable or inhibit Framework in 2004. The purpose of that publication was to help
responsible risk taking? What lens does entities better protect and enhance stakeholder value. Its underlying
management use to monitor the risk philosophy was that “value is maximized when management sets
culture, and how has that changed? As strategy and objectives to strike an optimal balance between growth
things change—and things will change and return goals and related risks, and efficiently and effectively
whether or not they’re on the entity’s deploys resources in pursuit of the entity’s objectives.”3
radar—how can the board be confident
of an appropriate and timely response
from management?
.....................................................................................................

3
Enterprise Risk Management—Integrated Framework, Executive Summary, COSO (2004).

2 June 2017
 Executive Summary

Since its publication, the Framework has been used successfully

around the world, across industries, and in organizations of all Clearing up a few
types and sizes to identify risks, manage those risks within a misconceptions
defined risk appetite, and support the achievement of objectives.
Yet, while many have applied the Framework in practice, it has We’ve heard a few misconceptions
the potential to be used more extensively. It would benefit from about the original Framework since
examining certain aspects with more depth and clarity, and by it was introduced in 2004. To set the
providing greater insight into the links between strategy, risk, and record straight:
performance. In response, therefore, the updated Framework in Enterprise risk management is not
this publication: a function or department. It is the
culture, capabilities, and practices that
• More clearly connects enterprise risk management with a

io LY
organizations integrate with strate-
multitude of stakeholder expectations.
gy-setting and apply when they carry
• Positions risk in the context of an organization’s out that strategy, with a purpose of
performance, rather than as the subject of an isolated managing risk in creating, preserving,

ut N
exercise. and realizing value.
Enterprise risk management is more

rib O
• Enables organizations to better anticipate risk so they can
get ahead of it, with an understanding that change creates than a risk listing. It requires more

n
opportunities, not simply the potential for crises. than taking an inventory of all the risks
within the organization. It is broader and

st E
This update also answers the call for a stronger emphasis on how
enterprise risk management informs strategy and its performance.
includes practices that management
di US puts in place to actively manage risk.
Enterprise risk management
Benefits of Effective Enterprise Risk addresses more than internal control.
Management It also addresses other topics such as
strategy-setting, governance, commu-
er L

All organizations need to set strategy and periodically adjust it,

nicating with stakeholders, and measur-
always staying aware of both ever-changing opportunities for
rth NA

ing performance. Its principles apply at

creating value and the challenges that will occur in pursuit of
all levels of the organization and across
that value. To do that, they need the best possible framework for
all functions.
optimizing strategy and performance.
Enterprise risk management is not
That’s where enterprise risk management comes into play.
fu O

a checklist. It is a set of principles on

Organizations that integrate enterprise risk management
which processes can be built or inte-
throughout the entity can realize many benefits, including, though
o S

grated for a particular organization, and

not limited to:
it is a system of monitoring, learning,
N R

• Increasing the range of opportunities: By considering all and improving performance.

possibilities—both positive and negative aspects of risk—
Enterprise risk management can be
PE

management can identify new opportunities and unique

used by organizations of any size. If an
challenges associated with current opportunities.
organization has a mission, a strategy,
• Identifying and managing risk entity-wide: Every entity faces and objectives—and the need to make
myriad risks that can affect many parts of the organization. decisions that fully consider risk—then
Sometimes a risk can originate in one part of the entity but enterprise risk management can be
impact a different part. Consequently, management iden- applied. It can and should be used by
tifies and manages these entity-wide risks to sustain and all kinds of organizations, from small
improve performance. businesses to community-based social
enterprises to government agencies to
• Increasing positive outcomes and advantage while reduc-
Fortune 500 companies.
ing negative surprises: Enterprise risk management allows
entities to improve their ability to identify risks and establish
appropriate responses, reducing surprises and related costs
or losses, while profiting from advantageous developments.

June 2017 3
 Enterprise Risk Management | Integrating with Strategy and Performance

• Reducing performance variability: For some, the challenge is less with surprises
and losses and more with variability in performance. Performing ahead of sched-
ule or beyond expectations may cause as much concern as performing short of
scheduling and expectations. Enterprise risk management allows organizations
to anticipate the risks that would affect performance and enable them to put in
place the actions needed to minimize disruption and maximize opportunity.
• Improving resource deployment: Every risk could be considered a request for
resources. Obtaining robust information on risk allows management, in the face
of finite resources, to assess overall resource needs, prioritize resource deploy-
ment and enhance resource allocation.

io LY
• Enhancing enterprise resilience: An entity’s medium- and long-term viability
depends on its ability to anticipate and respond to change, not only to survive
but also to evolve and thrive. This is, in part, enabled by effective enterprise risk
management. It becomes increasingly important as the pace of change acceler-

ut N
ates and business complexity increases.
These benefits highlight the fact that risk should not be viewed solely as a potential

rib O
constraint or challenge to setting and carrying out a strategy. Rather, the change that

n
underlies risk and the organizational responses to risk give rise to strategic opportunities
and key differentiating capabilities.

st E
di US
The Role of Risk in Strategy Selection
Strategy selection is about making choices and accepting trade-offs. So it makes
sense to apply enterprise risk management to strategy as that is the best approach for
untangling the art and science of making well-informed choices.
er L

Risk is a consideration in many strategy-setting processes. But risk is often evaluated

rth NA

primarily in relation to its potential effect on an already-determined strategy. In other

words, the discussions focus on risks to the existing strategy: We have a strategy in place,
what could affect the relevance and viability of our strategy?
But there are other questions to ask about strategy, which organizations are getting better
fu O

at asking: Have we modeled customer demand accurately? Will our supply chain deliver
on time and on budget? Will new competitors emerge? Is our technology infrastructure up
o S

to the task? These are the kinds of questions that executives grapple with every day, and
responding to them is fundamental to carrying out a strategy.
N R

However, the risk to the chosen strategy is only one aspect to consider. As this Framework
PE

emphasizes, there are two additional aspects to enterprise risk management that can
have far greater effect on an entity’s value: the possibility of the strategy not aligning, and
the implications from the strategy chosen.
The first of these, the possibility of the strategy not aligning with an organization’s
mission, vision, and core values, is central to decisions that underlie strategy selection.
Every entity has a mission, vision, and core values that define what it is trying to achieve
and how it wants to conduct business. Some organizations are skeptical about truly
embracing their corporate credos. But mission, vision, and core values have been
demonstrated to matter—and they matter most when it comes to managing risk and
remaining resilient during periods of change.

4 June 2017
 Executive Summary

A chosen strategy must support the organization’s mission and vision. A misaligned strategy
increases the possibility that the organization may not realize its mission and vision, or may
compromise its values, even if a strategy is successfully carried out. Therefore, enterprise risk
management considers the possibility of strategy not aligning with the mission and vision of the
organization.
The other additional aspect is the implications from the strategy chosen. When management
develops a strategy and works through alternatives with the board, they make decisions on the
trade-offs inherent in the strategy. Each alternative strategy has its own risk profile—these are the
implications arising from the strategy. The board of directors and management need to determine
if the strategy works in tandem with the organization’s risk appetite, and how it will help drive the
organization to set objectives and ultimately allocate resources efficiently.

io LY
Here’s what’s important: Enterprise risk management is as much about understanding the
implications from the strategy and the possibility of strategy not aligning as it is about managing
risks to set objectives. The figure below illustrates these considerations in the context of mission,

ut N
vision, core values, and as a driver of an entity’s overall direction and performance.

rib O
ng Implic
gn i

n
atio
t al i ns
no f

ro
y

st E
te g

m
the
tra

STRATEGY,
ib i li t y of s

st
rategy chosen
di US BUSINESS
MISSION, VISION & ENHANCED
CORE VALUES OBJECTIVES, & PERFORMANCE
Poss

PERFORMANCE

R
ce

is
kt an
er L

os m
tr ate for
gy & p er
rth NA

Enterprise risk management, as it has typically been practiced, has helped many organizations
identify, assess, and manage risks to the strategy. But the most significant causes of value
destruction are embedded in the possibility of the strategy not supporting the entity’s mission and
fu O

vision, and the implications from the strategy.

Enterprise risk management enhances strategy selection. Choosing a strategy calls for structured
o S

decision-making that analyzes risk and aligns resources with the mission and vision of the
organization.
N R
PE

June 2017 5
 Enterprise Risk Management | Integrating with Strategy and Performance

A Focused Framework
Enterprise Risk Management—Integrating with Strategy and Performance clarifies the
importance of enterprise risk management in strategic planning and embedding it throughout
an organization—because risk influences and aligns strategy and performance across all
departments and functions.

ENTERPRISE RISK MANAGEMENT

io LY
MISSION,VISION, STRATEGY BUSINESS IMPLEMENTATION ENHANCED
& CORE VALUES DEVELOPMENT OBJECTIVE & PERFORMANCE VALUE
FORMULATION

ut N
rib O
Governance Strategy & Performance Review Information,
& Culture Objective-Setting & Revision Communication,

n
& Reporting

st E
The Framework itself is a set of principles organized into five interrelated components:
di US
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the
importance of, and establishing oversight responsibilities for, enterprise risk manage-
ment. Culture pertains to ethical values, desired behaviors, and understanding of risk
in the entity.
er L

2. Strategy and Objective-Setting: Enterprise risk management, strategy, and

objective-setting work together in the strategic-planning process. A risk appetite is
rth NA

established and aligned with strategy; business objectives put strategy into practice
while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business
fu O

objectives need to be identified and assessed. Risks are prioritized by severity in

the context of risk appetite. The organization then selects risk responses and takes
o S

a portfolio view of the amount of risk it has assumed. The results of this process are
reported to key risk stakeholders.
N R

4. Review and Revision: By reviewing entity performance, an organization can con-

sider how well the enterprise risk management components are functioning over time
PE

and in light of substantial changes, and what revisions are needed.

5. Information, Communication, and Reporting: Enterprise risk management
requires a continual process of obtaining and sharing necessary information,
from both internal and external sources, which flows up, down, and across the
organization.

6 June 2017
 Executive Summary

The five components in the updated Framework are supported by a set of principles.4 These princi-
ples cover everything from governance to monitoring. They’re manageable in size, and they describe
practices that can be applied in different ways for different organizations regardless of size, type,
or sector. Adhering to these principles can provide management and the board with a reasonable
expectation that the organization understands and strives to manage the risks associated with its
strategy and business objectives.

Governance Strategy & Performance Review Information,

& Culture Objective-Setting & Revision Communication,
& Reporting
1. Exercises Board Risk 6. Analyzes Business 10. Identifies Risk 15. Assesses Substantial 18. Leverages Information
Oversight Context 11. Assesses Severity Change and Technology
2. Establishes Operating 7. Defines Risk Appetite of Risk 16. Reviews Risk and 19. Communicates Risk

io LY
Structures 8. Evaluates Alternative 12. Prioritizes Risks Performance Information
3. Defines Desired Culture Strategies 13. Implements Risk 17. Pursues Improvement 20. Reports on Risk,
4. Demonstrates 9. Formulates Business Responses in Enterprise Risk Culture, and
Commitment Objectives Management Performance
14. Develops Portfolio

ut N
to Core Values View
5. Attracts, Develops,
and Retains Capable

rib O
Individuals

n
st E
Looking into the Future
di US
There is no doubt that organizations will continue to face a future full of volatility, complexity, and
ambiguity. Enterprise risk management will be an important part of how an organization manages
and prospers through these times. Regardless of the type and size of an entity, strategies need
to stay true to their mission. And all entities need to exhibit traits that drive an effective response
er L

to change, including agile decision-making, the ability to respond in a cohesive manner, and the
adaptive capacity to pivot and reposition while maintaining high levels of trust among stakeholders.
rth NA

As we look into the future, there are several trends that will have an effect on enterprise risk
management. Just four of these are:
• Dealing with the proliferation of data: As more and more data becomes available and the
fu O

speed at which new data can be analyzed increases, enterprise risk management will
need to adapt. The data will come from both inside and outside the entity, and it will be
o S

structured in new ways. Advanced analytics and data visualization tools will evolve and be
very helpful in understanding risk and its impact—both positive and negative.
N R

• Leveraging artificial intelligence and automation: Many people feel that we have entered
PE

the era of automated processes and artificial intelligence. Regardless of individual beliefs,
it is important for enterprise risk management practices to consider the impact of these
and future technologies, and leverage their capabilities. Previously unrecognizable
relationships, trends and patterns can be uncovered, providing a rich source of information
critical to managing risk.
• Managing the cost of risk management: A frequent concern expressed by many business
executives is the cost of risk management, compliance processes, and control activities
in comparison to the value gained. As enterprise risk management practices evolve, it will
become important that activities spanning risk, compliance, control, and even governance
be efficiently coordinated to provide maximum benefit to the organization. This may
represent one of the best opportunities for enterprise risk management to redefine its
importance to the organization.

......................................................................................................

4
A fuller description of these twenty principles is provided at the end of this document.

June 2017 7
 Enterprise Risk Management | Integrating with Strategy and Performance

• Building stronger organizations: As organizations become better at integrating

enterprise risk management with strategy and performance, an opportunity to
strengthen resilience will present itself. By knowing the risks that will have the
greatest impact on the entity, organizations can use enterprise risk management
to help put in place capabilities that allow them to act early. This will open up new
opportunities.
In summary, enterprise risk management will need to change and adapt to the future
to consistently provide the benefits outlined in the Framework. With the right focus, the
benefits derived from enterprise risk management will far outweigh the investments and
provide organizations with confidence in their ability to handle the future.

io LY
ut N
rib O
n
st E
di US
er L
rth NA
fu O
o S
N R
PE

8 June 2017
 Executive Summary

Acknowledgments
A special thank you to the following companies and organizations for allowing the participation of
Advisory Council Members and Observers.

Advisory Council Members (Harrison Greene)

• Government Accountability Office (James
Companies and Organizations Dalkin)
• Institute of Management Accountants
• Athene USA (Jane Karli) (Jeff Thompson)

io LY
• Edison International (David J. Heller) • Institut der Wirtschaftsprüfer (Horst
• First Data Corporation (Lee Marks) Kreisel)
• Georgia-Pacific LLC (Paul Sobel) • International Federation of Accountants
• Invesco Ltd. (Suzanne Christensen)

ut N
(Vincent Tophoff)
• Microsoft (Jeff Pratt) • ISACA (Jennifer Bayuk)
• US Department of Commerce (Karen

rib O
• Risk Management Society (Carol Fox)
Hardy)

n
• United Technologies Corporation
(Margaret Boissoneau)

st E
• Zurich Insurance Company (James
Davenport)
di US
Higher Education and Associations
• North Carolina State University (Mark
Beasley)
er L

• St. John’s University (Paul Walker)

• The Institute of Internal Auditors
rth NA

(Douglas J. Anderson)

Professional Service Firms

fu O

• Crowe Horwath LLP (William Watts)

• Deloitte & Touche LLP (Henry Ristuccia)
• Ernst & Young (Anthony J. Carmello)
o S

• James Lam & Associates (James Lam)

• Grant Thornton LLP (Bailey Jordan)
N R

• KPMG LLP Americas (Deon Minnaar)

• Mercury Business Advisors Inc. (Patrick
PE

Stroh)
• Protiviti Inc. (James DeLoach)

Former COSO Board Member

• COSO Chair, 2009–2013 (David
Landsittel)

Observers

• Federal Deposit Insurance Corporation

June 2017 9
 Enterprise Risk Management | Integrating with Strategy and Performance

Components and Principles

1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy
and carries out governance responsibilities to support management in achieving strategy and
business objectives.
2. Establishes Operating Structures—The organization establishes operating structures in the
pursuit of strategy and business objectives.
3. Defines Desired Culture—The organization defines the desired behaviors that characterize the
entity’s desired culture.
4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment

io LY
to the entity’s core values.
5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to
building human capital in alignment with the strategy and business objectives.

ut N
6. Analyzes Business Context—The organization considers potential effects of business context
on risk profile.

rib O
7. Defines Risk Appetite—The organization defines risk appetite in the context of creating,

n
preserving, and realizing value.

st E
8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and
potential impact on risk profile.
di US
9. Formulates Business Objectives—The organization considers risk while establishing the
business objectives at various levels that align and support strategy.
10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and
business objectives.
er L

11. Assesses Severity of Risk—The organization assesses the severity of risk.

rth NA

12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses—The organization identifies and selects risk responses.
14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
fu O

15. Assesses Substantial Change—The organization identifies and assesses changes that may
substantially affect strategy and business objectives.
o S

16. Reviews Risk and Performance—The organization reviews entity performance and considers
N R

risk.
17. Pursues Improvement in Enterprise Risk Management—The organization pursues
PE

improvement of enterprise risk management.

18. Leverages Information and Technology—The organization leverages the entity’s information
and technology systems to support enterprise risk management.
19. Communicates Risk Information—The organization uses communication channels to support
enterprise risk management.
20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and
performance at multiple levels and across the entity.

10 June 2017
 PE
N R
o S
fu O
rth NA
er L
di US
st E
rib O
ut N
io LY
n
 io LY
ut N
rib O
n
st E
di US
er L
rth NA
fu O
o S
N R
PE

A full version of Enterprise Risk Management—Integrating with Strategy and Performance can be
purchased by visiting the www.coso.org website.