Enterprise Risk Management Comprehensive Framework
What is ERM

The definition in COSO’s Enterprise Risk Management – Integrated Framework (2004) is:

Enterprise Risk Management is a process, effected by the entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO's ERM framework

COSO's ERM framework consists of eight interrelated components:

  1. Internal Environment
  2. Objective Setting
  3. Event Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring

Each of the eight ERM components applies to the four categories of corporate objectives:

  • Strategic: High-level goals, aligned with and supporting the enterprise's mission
  • Operations: Effective and efficient use of its resources
  • Reporting: Reliability of reporting
  • Compliance: Compliance with applicable laws and regulations

Key Elements of Enterprise Risk Management
  • Support from Top
  • Involvement of All Employees
  • Process Driven
  • Applied Across the Enterprise
  • Portfolio Basis of Risk Management
  • Risk Appetite
  • Goal of Enhanced Value
  • Based on Reasonable Assurance