Are you getting value out of your risk program?

COSO’s ERM framework update comes with strategic risk advantage

Traditionally, enterprise risk management (ERM) has been implemented to focus on value protection and risk functions were tasked with identifying threats to the organisation’s business objectives or strategies. Increasingly, this has involved looking for obvious external threats, while also assessing fundamental challenges to how business is conducted. But in its implementation, ERM’s focus on the known threats, or downside of risk, missed the upside—that when made an essential component of decision making, the ability to spot and assess risk can help global organisations create value and seize competitive advantage.

Council of Sponsoring Organisations of the Treadway Commission


Transforming risk leadership and management in ways that are better attuned to the business realities of the 21st century means adapting to a more dynamic environment where risk is integrated with opportunity and innovation. Therefore, in today’s business climate, forging a stronger relationship between risk and strategy should be an imperative. Enter the Council of Sponsoring Organisations of the Treadway Commission (better known as COSO) and its ERM framework update, released for public comment in the summer of 2016.

How can a new view of risk management help leaders achieve their business objectives?


In many organisations, risk is an important, but largely supportive, function focused on well-defined risks, such as financial, operational, and cyber risk, yet rarely integrated with the core business. This can result in a risk mitigation culture that’s seen as separate from the core business needs for growth and innovation.

But risk management done right is tightly embedded in management’s core business processes, where identifying and managing strategic risks are an integral part of strategy setting and execution. This level of integration can help your organisation more effectively achieve intended business objectives and get better value from its ERM program.

There are advantages to enhancing ERM with a strategic risk approach. The organisation can benefit from a view of the whole environment in which it operates, including new and emerging disruptions and the inherent risks that accompany them. For example, actions that affect an organisation’s ability to go to market and operate successfully can be addressed more systematically and with greater agility.


What are the drivers for COSO’s ERM framework update?


With COSO’s 2004 ERM publication, risk management took a vital step forward. The framework became the basis for standard thinking about risk. But its implementation in many organisations focused on isolating, mitigating, and managing known risks.

Over the past dozen years, as the operating environment for business has grown more complex, technologically driven, and global, the board—as well as business and risk leaders—requires a much greater ability to identify, assess, and prepare for:

  • External forces that may affect the organisation’s strategy
  • Shifting conditions that could impact the assumptions the strategy rests upon
  • Risks that might result from carrying out the strategy

Now, thanks to diligent work by many in the risk field, an updated framework, Enterprise Risk Management—Aligning Risk with Strategy and Performance, was unveiled for public comment prior to its finalisation and publication slated for this summer.

What’s different and how might the new framework help organisations manage risk differently?


The proposed COSO ERM framework elevates the role of risk in leadership’s conversation about the future of the company. It also emphasises the connections between risk, strategy, and value. The update provides a new lens for evaluating how risk informs strategic decisions, which ultimately affects an organisation’s performance.

In addition, the role of risk is more clearly emphasised when setting and executing strategy. By aligning risk and performance, organisations will be better positioned to embrace opportunity and steer toward the future with greater confidence.

How can you improve the future of risk in your own organisation?


Fostering risk-informed decision making at all levels of the organisation, especially as it relates to strategy, is an important first step. A few key action items include:

  • Ensure a strategic risk view, informed by both external and internal perspectives, is incorporated into your ERM program
  • Bridge organisational silos by embedding risk into strategic planning processes and strategic initiatives
  • Advocate for risk-based conversations and facilitate strategic and informed decision making among the C-suite
  • Adopt risk-based decision-making approaches, applied to strategy setting and execution, as well as through ongoing monitoring of existing, new, and emerging risks
  • Promote an integrated ERM program by facilitating consistent terms, approaches, and tools used by groups to identify, manage, and monitor risks within the organisation

By approaching risk differently and viewing it as a facilitator for better outcomes, leaders can adopt an integrated risk management approach that:

  • Improves the resilience of the company’s strategy and helps address barriers to execution
  • Encompasses activities to prepare for and respond to novel crises
  • Covers the spectrum of risks, from high-level strategic risks affecting all business units to the operational risks managed at lower levels of the company
  • Links risk data at different levels, allowing reallocation of resources to the organisation’s top risks
  • Embeds risk management into existing organisational processes

Understanding this updated framework will be a good starting point for anyone seeking to acquire a more strategic view of risk. All business leaders, and not just risk leaders, can benefit from this integrated perspective.

Risk as a value driver

When the focus of risk management is more operational than strategic, and risks tend to be addressed only after they occur, organisations miss out on the opportunity to use risk to power performance. That power comes from “strategic resiliency”: the ability to anticipate, know, and act on risks when introducing or executing new strategies in order to increase the chances of success—in spite of uncertainty.

Strategic resiliency is rooted in a risk framework designed to strike the right balance between value creation and value protection. The framework includes scenario planning to prepare for potential industry, market, and company changes or disruptions. It applies risk valuation modeling to each scenario to yield a range of potential outcomes, assess the likelihood of each, and compare outcomes so the company can better choose the alternative that provides the optimal risk/reward profile. And it considers the company’s risk tolerance when deciding which strategic objectives to pursue and how to pursue them.
