Applying COSO ERM in Practice: What the Framework Doesn't Tell You

Kamran Iqbal, CIA, CISA, CFE, CRMA | March 2026 | 9 min read

The COSO Enterprise Risk Management framework is the most widely referenced ERM standard in the world. Its 2017 update — Integrating with Strategy and Performance — significantly strengthened the framework's treatment of strategic risk and organisational culture. Yet for all its authority, COSO ERM is deliberately non-prescriptive about implementation, leaving organisations to navigate a significant gap between the framework's principles and the practical decisions required to make ERM work in their specific context.

What COSO ERM Provides

The 2017 COSO ERM framework is organised around five interrelated components and twenty principles. The five components — Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting — describe the structural elements of an effective enterprise risk management programme at a high level of abstraction.

The framework articulates what an effective ERM programme should achieve: alignment between risk management and strategy, integration of risk thinking into performance management, a culture that supports appropriate risk-taking, and robust reporting that supports governance oversight. It does not tell organisations exactly how to achieve these outcomes — and intentionally so. The framework is designed to apply across organisations of all sizes, industries, and governance structures, which means it must be principle-based rather than prescriptive.

The Implementation Gap

The gap between the framework's principles and practical implementation is where most ERM programmes struggle. Organisations that adopt COSO ERM as a compliance framework — checking boxes against each of the twenty principles — often produce programmes that conform on paper but fail to deliver the governance value the framework envisions. The challenge is making the framework live in the organisation rather than residing in policy documents.

Several decisions are not addressed by the framework but are critical to effective implementation:

How to define and categorise risk: The framework emphasises the importance of a risk taxonomy but does not prescribe one. Organisations must decide how to categorise their risks in ways that are meaningful for their specific business model, industry, and strategic context. A taxonomy borrowed from a different industry or company will produce a risk register that does not reflect the organisation's actual risk profile.

How to calibrate risk assessment: The framework requires risk assessment but does not specify how to assess probability and impact — what time horizon to use, how to combine different impact dimensions, how to account for uncertainty. These calibration decisions have enormous practical consequences for how risks are prioritised and which risks reach board attention.

How to integrate ERM with existing processes: The framework emphasises integration with strategy and performance management, but the practical mechanisms for this integration must be designed organisation by organisation. Attaching ERM to the strategic planning cycle, the annual budgeting process, major capital decisions, and M&A due diligence requires deliberate workflow design that the framework cannot prescribe.

The Culture Component

The 2017 COSO ERM framework places considerably more emphasis on organisational culture than its predecessor — and rightly so. Culture is the foundation on which all other ERM components rest. An organisation whose culture incentivises risk concealment, penalises bad news, or rewards short-term performance at the expense of risk management will not produce effective ERM regardless of the quality of its frameworks, processes, and systems.

Yet culture is also the component that most ERM implementations address least rigorously. Statements about "tone from the top" and "risk culture" appear in policy documents, but the assessment of whether cultural conditions actually support effective risk management requires qualitative research methods — interviews, observation, analysis of incident reporting patterns and near-miss disclosure rates — that most risk functions are not equipped or resourced to conduct.

The most important question about any ERM programme is not whether it conforms to COSO ERM — it is whether it actually changes how decisions are made. Framework conformance and decision-making impact are related but not the same thing.

Internal Audit's Role in ERM Assessment

Internal audit can add significant value by assessing the effectiveness of the organisation's ERM programme — not just whether it has the components that the framework requires, but whether those components are functioning in ways that improve risk-informed decision-making. This means examining whether risk information is actually used in strategic and operational decisions, whether the risk appetite is connected to decision-making thresholds, whether the risk register reflects the organisation's actual risk profile, and whether the ERM programme is producing better governance outcomes over time. These are harder questions than conformance assessment — and they are the questions that actually matter.