Management And Accounting Web

COSO. 2016. Enterprise Risk Management: Aligning Risk with Strategy and Performance. Public Exposure Draft. (June).

Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida

Change and Risk Management Main Page | Strategy Main Page

This document begins by listing the COSO Board Members, Principal Contributors (Authors),  Advisory Council Members, Observers, and a Table of Contents.

Foreword p. iv

Robert B. Hirth Jr. (COSO Chair) and Dennis L. Chesley (PwC Project Lead Partner Global Risk Leader) explain why the 2004 ERM Integrated Framework needs to be updated. The complexity of risk has changed and new risk have emerged. This update puts more emphasis on the connection between ERM and strategy.

Applying the Framework: Putting it into Context

1. Introduction p. 3

Every organization exists to provide value and risks affect every organization's ability to achieve its objectives. Enterprise Risk Management provides a way to balance exposure with opportunity. ERM affects value, affects strategy, is linked to business, performance management, and internal control. Benefits or ERM include an increase in the range of opportunities, identifying and managing entity-wide risks, reducing surprises and losses and performance variability. ERM incorporates the concept of organization sustainability.

2. Understanding the Terms: Risk and Enterprise Risk Management p. 9

Risk - "The possibility that events will occur and affect the achievement of strategy and business objectives."

Enterprise Risk Management - "The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value."

Enterprise risk management is closely related to the culture of the organization and helps people understand risk in the context of the organization's strategy and objectives.

Enterprise risk management is a continual process involving day-to-day tasks such as business planning, operations, and financial management.

3. Enterprise Risk Management and Strategy p. 12

Integrating enterprise risk management with strategy helps the organization understand how its mission (core purpose), vision (future aspirations) and core values (beliefs about behavior) align with opportunities and risk.

Strategy in Context

This section includes additional information about mission, vision, and core values; the importance of aligning them with strategy; evaluating the chosen strategy; risk to executing the strategy; governance and operating models; legal structure; management structure; and managing risks through the value chain.

4. Considering Risk and Entity Performance p. 17

This section includes a discussion of risk and uncertainty and understanding the organization's risk profile that shows the level of acceptable risk, the related interdependencies of risks, and how they might affect performance.

A Risk Profile

Also included are discussions of an organization's risk appetite statement that might include strategic parameters (new products, investments, mergers), financial parameters (return on assets, return on capital, target debt rating, debt/equity ratio), and operating parameters (capacity management, environmental requirements, safety and quality targets, and customer concentrations).

Risk Profile, Appetite, and Capacity

Acceptable variation in performance, or risk tolerance is closely related to risk appetite. An illustration similar to the one above is included with the target area expanded to show that the optimal point is where the right boundary of acceptable performance intersects the risk appetite.

5. Components and Principles p. 21

The ERM Framework includes five interrelated components:

Risk Governance and Culture

Risk, Strategy, and Objective-Setting

Risk Execution

Risk Information, Communication and Reporting

Monitoring Risk Management Performance

ERM Principles

Assessing Enterprise Risk management - An organization should provide criteria for conducting an assessment of the overall effectiveness of its ERM practices including components, relevant principles and controls.

The five components or principles are discussed in Chapters 6-10.

6. Risk Governance and Culture p. 27

Principles related to risk governance and culture:

Exercises board risk oversight

Establishes governance and operating model

Defines desired organizational behaviors

Demonstrates commitment to integrity and ethics

Enforces accountability

Attracts, develops, and retains talented individuals 

7. Risk, Strategy, and Objective-Setting p. 43

Principles relating to risk, strategy, and objective-setting:

Considers risk and business context - External Categories: Political, Economic, Social, Technological, Legal, and Environmental. Internal Categories: Capital, People, Process, and Technology.

Defines risk appetite - Sample expressions: Target, Range, Ceiling, and Floor. Risk Appetite Continuum: LowerModerateHigher

Evaluates alternative strategies - Aligning with Mission and Vision, Aligning with Risk Appetite, and Mitigating Bias

Considers risk while establishing business objectives

Defines acceptable variation in performance

8. Risk in Execution p. 61

Principles related to risk in execution:

Identifies risk in execution

Assesses severity of risk - Risk Profile, Inherent, Target, and Residual Risk, Severity Measures, and Heat Maps

Prioritizes risks - Risk Appetite

Identifies and selects risk responses - Accept, Avoid, Pursue, Reduce, Share

Develops portfolio view - Risk Profile showing Total Risks

Assesses risk in execution

9. Risk Information, Communication, and Reporting p. 83

Principles related to information and communication channels:

Uses relevant information

Leverages information systems

Communicates risk information

Reports on risk, culture, and performance

10. Monitoring Enterprise Risk Management Performance p. 97

Principles related to monitoring entity performance:

Monitoring substantial change

Monitors enterprise risk management


A. Glossary of Terms p. 104

B. Roles and Responsibilities p. 107

C. Risk Profile Illustrations p. 114


Link to the COSO ERM document:

Link to the COSO site:

Related summaries:

Axson, D. A. J. 2011. Scenario planning: Navigating through today's uncertain world. Journal of Accountancy (March): 22-27. (Summary).

Kaplan, R. S. and A. Mikes. 2012. Managing risks: A new framework. Smart companies match their approach to the nature of the threats they face. Harvard Business Review (June): 48-60. (Discussion of three categories of risks: Preventable risks, strategy risks, and external risks that are beyond the organization's influence and control. Each type of risk requires a different risk-management approach). (Summary).

Malone, D. and M. Mouritsen. 2014. Change management: Risk, transition, and strategy. Cost Management (May/June): 6-13. (Summary).

McKay, S. 2016. CGMA tools: How to communicate risks using a heat map. Journal of Accountancy (June): 35-40. (Summary).

Merchant, K. A. 2012. ERM: Where to go from here. Journal of Accountancy (September): 32-34, 36. (Summary).

Porter, M. E. 1980. Competitive Strategy: Techniques for Analyzing Industries and Competitors. The Free Press. (Summary).

Porter, M. E. 1996. What is a strategy? Harvard Business Review (November-December): 61-78. (Summary).

Shenkir, W. G. and P. L. Walker. 2006. Enterprise risk management and the strategy-risk-focused organization. Cost Management (May/June): 32-38. (Summary).

Sull, D. N. 1999. Why good companies go bad. Harvard Business Review (July-August): 42-48, 50, 52. (Summary).