Assess and implement the COSO 2017 Enterprise Risk Management — Integrating with Strategy and Performance framework. All 5 components and 20 principles with maturity ratings, assessment questions, evidence checklists, implementation guidance, and a prioritised action plan.
The board of directors is responsible for oversight of enterprise risk management. The board must be knowledgeable about the content and operation of the risk management program, exercise reasonable oversight, approve the risk appetite, and ensure sufficient resources and authority exist to manage risk effectively.
| Level | Characteristics |
|---|---|
| Initial | Board has minimal awareness of ERM. No formal oversight structure. |
| Developing | Board receives occasional risk reports but oversight is passive and informal. |
| Defined | Board has formal ERM oversight role; risk appetite approved; regular reporting. |
| Managed | Board actively challenges risk assessments; private sessions with CRO; risk expertise present. |
| Optimising | Board drives risk culture; ERM embedded in strategic decision-making; proactive oversight. |
| Level | Characteristics |
|---|---|
| Initial | No formal ERM structure. Risk management is ad hoc and uncoordinated. |
| Developing | Some risk roles exist but lack formal authority, charter, or board-level positioning. |
| Defined | Formal ERM structure with board-approved charter; CRO appointed; three lines defined. |
| Managed | CRO has direct board access; adequate resources; escalation protocols operating. |
| Optimising | ERM structure is best-in-class; risk function is a strategic partner to the board. |
| Level | Characteristics |
|---|---|
| Initial | No defined risk culture. Risk awareness is absent or inconsistent. |
| Developing | Some risk culture messaging but not embedded in performance or incentives. |
| Defined | Formal risk culture statement; training; speak-up mechanism; culture monitoring. |
| Managed | Risk culture metrics tracked; incentives aligned; board receives culture reports. |
| Optimising | Risk culture is a competitive strength; proactive risk awareness at all levels. |
| Level | Characteristics |
|---|---|
| Initial | Core values exist on paper but are not reflected in management behaviour. |
| Developing | Some commitment to values but accountability is inconsistent. |
| Defined | Formal accountability structure; investigation protocol; lessons learned process. |
| Managed | Consistent enforcement; balanced incentives; zero tolerance for retaliation enforced. |
| Optimising | Values drive strategic decisions; ethical leadership is a differentiator. |
| Level | Characteristics |
|---|---|
| Initial | No formal competency requirements for risk roles. Capabilities are ad hoc. |
| Developing | Some risk qualifications required but training and succession are undeveloped. |
| Defined | Competency framework; risk training plan; basic succession planning. |
| Managed | Talent strategy linked to risk objectives; third-party due diligence programme. |
| Optimising | Risk expertise embedded organisation-wide; third-party risk fully integrated. |
The organisation considers the potential effects of business context on its risk profile. Context includes internal drivers (people, process, technology, culture) and external drivers (regulatory, economic, competitive, environmental) that can create, change, or eliminate risks. The risk function must be involved in strategy-setting to anticipate and manage contextual risk drivers.
| Level | Characteristics |
|---|---|
| Initial | No systematic analysis of business context. Risk is assessed in isolation. |
| Developing | Some environmental monitoring but not systematically integrated into risk assessment. |
| Defined | Formal environmental scan; risk function involved in strategy; interdependencies mapped. |
| Managed | Dynamic context monitoring; risk updates triggered by strategic changes; board reporting. |
| Optimising | Real-time context monitoring; risk anticipates strategic shifts before they occur. |
| Level | Characteristics |
|---|---|
| Initial | No risk appetite defined. Risk decisions are made without a reference framework. |
| Developing | A risk appetite statement exists but is vague and not operationalised. |
| Defined | Board-approved risk appetite; tolerance thresholds; communicated to management. |
| Managed | Risk appetite drives resource allocation; escalation triggers in place; regularly reviewed. |
| Optimising | Dynamic risk appetite linked to strategy; real-time monitoring of appetite utilisation. |
| Level | Characteristics |
|---|---|
| Initial | Risk not considered in strategy evaluation. No due diligence process. |
| Developing | Some risk input to strategy but ad hoc — not systematic or mandated. |
| Defined | Risk function formally involved; due diligence protocol; strategic risk analysis documented. |
| Managed | Risk-adjusted strategy evaluation; risk appetite drives strategy selection; programme updated. |
| Optimising | Risk is central to strategic planning; risk-adjusted decisions are standard practice. |
| Level | Characteristics |
|---|---|
| Initial | No linkage between business objectives and risk. Objectives set without risk input. |
| Developing | Some risk consideration in objective-setting but not systematic. |
| Defined | Risk function consulted; risk KPIs in scorecards; incentives reviewed. |
| Managed | Risk-adjusted objectives; appetite-aligned incentives; objective changes trigger risk review. |
| Optimising | Risk and performance objectives fully integrated; dynamic risk KPI management. |
The organisation identifies risks to the achievement of its objectives across the entity. Risk identification should be systematic, comprehensive, and continuous — not limited to a single annual exercise. It should cover the full range of risk types including strategic, operational, financial, compliance, and reputational risks, as well as emerging risks.
| Level | Characteristics |
|---|---|
| Initial | No systematic risk identification. Risk universe is unknown. |
| Developing | Annual risk identification exercise; basic risk register; limited coverage. |
| Defined | Formal methodology; full risk inventory; multiple techniques; emerging risks monitored. |
| Managed | Continuous identification; data-driven; emerging risk watchlist; cross-functional view. |
| Optimising | Real-time risk sensing; AI-assisted identification; fully integrated with strategy. |
| Level | Characteristics |
|---|---|
| Initial | No consistent methodology. Risk severity is subjective and undocumented. |
| Developing | Basic likelihood/impact matrix; inconsistent application; no residual risk assessment. |
| Defined | Formal methodology; inherent and residual risk; multi-dimensional impact; control linkage. |
| Managed | Quantitative models for key risks; independent challenge; control effectiveness measured. |
| Optimising | Sophisticated quantitative modelling; dynamic assessments; real-time risk indicators. |
| Level | Characteristics |
|---|---|
| Initial | No formal prioritisation. All risks treated with similar attention. |
| Developing | Basic ranking by likelihood/impact; no appetite alignment; static prioritisation. |
| Defined | Formal prioritisation; appetite-aligned; risk heat map; priority-driven resource allocation. |
| Managed | Multi-factor prioritisation; quarterly reviews; escalation thresholds; board reporting. |
| Optimising | Dynamic prioritisation; real-time risk ranking; fully integrated with strategic planning. |
| Level | Characteristics |
|---|---|
| Initial | Risk responses are ad hoc and undocumented. No accountability. |
| Developing | Some risk responses documented but ownership and timelines are unclear. |
| Defined | Formal response register; root cause analysis; named owners; implementation follow-up. |
| Managed | Response effectiveness measured; monitoring plans aligned; interaction analysis. |
| Optimising | Dynamic response management; continuous effectiveness monitoring; rapid adaptation. |
| Level | Characteristics |
|---|---|
| Initial | No portfolio view. Risks managed in functional silos with no aggregation. |
| Developing | Some aggregation exists but entity-level portfolio is incomplete. |
| Defined | Entity-level portfolio view; interdependencies mapped; presented to board. |
| Managed | Risk concentration analysis; cross-functional forums; portfolio linked to strategy. |
| Optimising | Real-time portfolio view; dynamic correlation monitoring; fully board-integrated. |
The organisation identifies and assesses changes that could significantly impact the ERM programme. Changes in strategy, people, processes, technology, the regulatory environment, and societal expectations can rapidly alter the risk profile. The ERM programme must be agile enough to respond to these changes in a timely manner.
| Level | Characteristics |
|---|---|
| Initial | No process to assess substantial change. Risk profile becomes stale. |
| Developing | Some change assessment occurs but is ad hoc and not systematically triggered. |
| Defined | Formal change assessment protocol; regulatory monitoring; risk register updated. |
| Managed | Proactive risk function involvement in change planning; post-change reviews. |
| Optimising | Real-time change monitoring; dynamic risk update process; fully integrated. |
| Level | Characteristics |
|---|---|
| Initial | No systematic performance review. ERM effectiveness is unknown. |
| Developing | Some review occurs but no defined metrics; inconsistent; not board-reported. |
| Defined | Formal metrics; periodic reviews; internal audit involvement; culture assessed. |
| Managed | Comprehensive performance framework; quarterly reviews; corrective actions tracked. |
| Optimising | Continuous performance monitoring; predictive metrics; integrated with governance. |
| Level | Characteristics |
|---|---|
| Initial | No commitment to improvement. ERM programme is static and stale. |
| Developing | Some improvement actions but not systematically planned or tracked. |
| Defined | Annual self-assessment; improvement plan; external benchmarking. |
| Managed | Board feedback loop; independent evaluations; tracked improvement programme. |
| Optimising | Continuous improvement culture; best-in-class benchmarking; proactive evolution. |
The organisation leverages information and technology to support ERM. Technology enables timely access to risk-relevant information, more effective monitoring and auditing through data analytics, efficient risk training delivery, automated dashboards for risk reporting, and the identification of risk anomalies from large data sets.
| Level | Characteristics |
|---|---|
| Initial | No technology support for ERM. Spreadsheet-based and manual. |
| Developing | Basic risk register in a system; no analytics; limited dashboards. |
| Defined | GRC system in use; automated dashboards; data analytics in monitoring. |
| Managed | Advanced analytics; real-time KRI monitoring; technology-integrated risk workflow. |
| Optimising | AI-assisted risk sensing; predictive analytics; fully integrated enterprise risk platform. |
| Level | Characteristics |
|---|---|
| Initial | No structured risk communication. Risk information is informal and ad hoc. |
| Developing | Some risk reporting exists but is incomplete and not tailored by audience. |
| Defined | Formal communication plan; escalation protocol; CRO board reporting schedule. |
| Managed | Two-way communication; tailored reports; escalation protocol in operation. |
| Optimising | Seamless risk communication ecosystem; real-time escalation; board-driven feedback loop. |
| Level | Characteristics |
|---|---|
| Initial | No structured risk reporting. Reports are ad hoc and non-standardised. |
| Developing | Basic risk reporting exists but is not tailored or comprehensive. |
| Defined | Tailored reports by stakeholder; culture included; case management system. |
| Managed | Comprehensive metrics; third-party reporting; corrective action tracking. |
| Optimising | Dynamic reporting; real-time dashboards; board-driven reporting design. |
CTC Global delivers COSO ERM implementation support, risk appetite development, ERM gap assessments, and board-level ERM training workshops across Pakistan and the UAE.