OnticBeta
Tier 2 — Industry Standard

COSO Enterprise Risk Management (ERM) 2017 — Oracle Source

Publisher

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Version

v1

Last verified

February 15, 2026

Frameworks

COSO ERM 2017: Enterprise Risk Management—Integrating with Strategy and Performance

Industries

Applies to all industries

COSO ERM - Overview

The 2017 COSO Enterprise Risk Management (ERM) Framework, Enterprise Risk Management—Integrating with Strategy and Performance, provides a principles‑based framework for identifying, assessing, managing, and overseeing risks in alignment with strategy and performance objectives. It replaces and modernises the 2004 COSO ERM framework, emphasising integration of risk with strategy‑setting, performance, and value creation rather than treating risk management as a separate compliance function. The framework consists of five interrelated components and 20 principles that apply across the organisation and are intended for entities of all sizes and sectors. schgroup


COSO ERM - What It Is

COSO ERM is a conceptual framework, not a control catalogue or standard; it describes how organisations should structure risk governance and link risk with strategy and performance. The five components are: erm.ncsu

  1. Governance and Culture – Tone at the top, oversight, core values, and risk‑aware culture.
  2. Strategy and Objective-Setting – Integration of risk appetite and risk considerations into strategy and objectives.
  3. Performance – Identification, assessment, prioritisation, and response to risks affecting achievement of strategy and business objectives.
  4. Review and Revision – Assessment of changes, performance, and needed adjustments to ERM.
  5. Information, Communication & Reporting – Use of relevant information and reporting of risk, culture, and performance.

Each component is supported by specific principles (20 total) that represent necessary elements of effective ERM. COSO ERM is widely used by boards, audit committees, and management as the top‑level risk framework under which more detailed standards (ISO 27001, NIST CSF, NIST AI RMF, ISO 42001, SOC 2, etc.) operate. famu


COSO ERM - Who It Applies To

COSO ERM applies to all types of entities—public companies, private companies, governments, and nonprofits—regardless of size or sector. It is intended for: schgroup

  • Boards and governing bodies responsible for oversight of strategy, risk, and performance.
  • Executive management responsible for strategy, objective‑setting, and risk management.
  • Risk, compliance, audit, and business leaders who design and operate risk management processes. famu

Because it is high‑level and principles‑based, COSO ERM is used as a reference framework by regulators, rating agencies, and standard‑setters (its companion framework, COSO's Internal Control—Integrated Framework, is the de facto basis for SOX 404 assessments of internal control over financial reporting) and is increasingly referenced in discussions of AI and digital risk governance. arxiv


COSO ERM - What It Requires - Components & Principles

COSO ERM’s 20 principles are grouped into five components. erm.ncsu

Governance and Culture

Focuses on oversight, tone, and culture.

Representative principles: schgroup

  • Exercises board risk oversight.
  • Establishes operating structures.
  • Defines desired culture and demonstrates commitment to core values.
  • Attracts, develops, and retains capable individuals aligned with strategy and objectives.

Strategy and Objective-Setting

Integrates risk into strategy.

Representative principles: erm.ncsu

  • Analyses business context and the impact of internal/external factors.
  • Defines risk appetite and integrates it with strategy.
  • Evaluates alternative strategies and their implications for the risk profile.
  • Formulates business objectives that are aligned with strategy and risk appetite.

Performance

Addresses risk identification, assessment, and response.

Representative principles: schgroup

  • Identifies risks that impact achievement of strategy and business objectives.
  • Assesses severity of risks (likelihood and impact) relative to business objectives.
  • Prioritises risks against risk appetite and selects and implements risk responses (accept, avoid, pursue, reduce, share).
  • Develops a portfolio view of risk, so that aggregated and interrelated risks can be compared with the entity's risk appetite and reflected in performance measures.

Review and Revision

Ensures ERM remains effective as conditions change.

Representative principles: erm.ncsu

  • Assesses substantial changes in internal/external environment.
  • Reviews risk and performance and evaluates ERM effectiveness.
  • Pursues improvement in ERM.

Information, Communication & Reporting

Enables decision‑useful information flows.

Representative principles: schgroup

  • Leverages relevant information from internal and external sources.
  • Communicates risk information across the organisation.
  • Reports on risk, culture, and performance to stakeholders.

COSO ERM - Governance Implications

COSO ERM frames risk governance as integral to strategy and performance, not an add‑on.

Implications include: famu

  • Boards must understand and oversee risk in the context of strategy, risk appetite, and value creation.
  • Management must articulate risk appetite, design risk responses, and embed ERM into planning, budgeting, and performance management.
  • Culture, incentives, and talent management must align with risk and ethics, including digital and AI risks. arxiv

In your architecture, COSO ERM provides the top layer: NIST CSF, ISO 27001, SOC 2, NIST AI RMF, ISO 42001, and EU AI Act all become specific risk programs under COSO’s ERM umbrella, and your E/A/D axes can be framed as risk appetite and performance measures at the ERM level. arxiv


COSO ERM - Enforcement Penalties

COSO ERM is a voluntary framework and does not itself impose penalties. However, it is implicitly referenced in: erm.ncsu

  • Regulatory expectations for risk governance (e.g., securities regulators, banking supervisors, corporate governance codes).
  • SOX‑related internal control over financial reporting (ICFR), where management and auditors overwhelmingly rely on COSO's Internal Control—Integrated Framework, with COSO ERM providing the broader risk‑governance context. famu

Failure to implement ERM consistent with COSO principles can manifest as governance failures in regulatory enforcement, investor litigation, or rating downgrades, especially when major risk events (including AI incidents) reveal poor risk governance and board oversight. mdpi


COSO ERM - Intersection With Other Frameworks

COSO ERM acts as a meta‑framework:

  • ISO 31000 / ISO 27001 / NIST CSF / SOC 2 – ISO 31000 supplies a generic risk‑management process; ISO 27001, NIST CSF, and SOC 2 supply detailed information‑security control requirements. COSO ERM provides the strategic integration and board‑oversight context in which those programs are prioritised and reported. mdpi
  • NIST AI RMF / ISO 42001 / EU AI Act – AI‑specific risk and management systems are treated under COSO ERM as emerging technology risks that must be integrated into strategy, performance, and reporting rather than run as stand‑alone compliance efforts. linkinghub.elsevier
  • DOJ ECCP – DOJ’s Evaluation of Corporate Compliance Programs aligns with COSO ERM principles on risk assessment, control, and continuous improvement; AI‑related compliance risk is evaluated through this lens. mdpi

COSO ERM - Recent Updates

The 2017 refresh is the current version; since publication, activity has focused on:

  • Guidance on applying COSO ERM to ESG, cyber, and digital transformation risks, emphasising integration of these emerging risks into strategy and performance. schgroup
  • Research and practice highlighting the need to incorporate AI and algorithmic risks into ERM portfolios, aligning with the broader trend toward management‑based AI regulation. arxiv