The COSO ERM framework is one of two commonly used risk management standards that businesses employ to help manage risk in a fluctuating, unpredictable business environment.
The United States-based nonprofit organization known as COSO, or the “Committee of Sponsoring Organizations of the Treadway Commission,” was founded in 1992 with the goal of advising executive management and governance units on various and important aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. Any business can assess the effectiveness of its control systems using the COSO internal control model.
The initial goal of COSO was to investigate financial reporting and create suggestions to stop fraud.
In contrast to other risk management frameworks, the COSO ERM framework defines key components, suggests a common vocabulary, and offers clear direction and guidance for enterprise risk management.
Enterprise Risk Management and COSO
ERM is described as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.”
Principles of COSO
The COSO framework rests on a few key ideas:
- Internal control is a process, not a one-time event.
- It is carried out by people at every level of the organization; it is not merely a policy manual or a form.
- It can provide only reasonable assurance, not absolute assurance.
- It is geared toward achieving objectives in one or more separate but overlapping categories.
COSO’s five interconnected components
According to the COSO framework, ERM is composed of five interconnected components:
Control Environment – The control environment comprises a company’s ethical values and code of conduct, the engagement of the board of directors, and the other factors that shape the organization’s identity and set the tone for internal control.
Risk Assessment – Risk assessment is the process by which management identifies risk factors that could lead to inaccurate financial statements or other unmet objectives, and develops countermeasures to those risks.
Control Activities – Control activities can be regarded as “the internal controls” themselves. These procedures safeguard assets and make it possible for an organization to produce accurate financial statements on schedule. They include segregation of duties, account reconciliations, and information processing controls.
Information and Communication – This component covers the evaluation of the technological environment as well as internal and external reporting procedures.
Monitoring – Internal controls are monitored over time to evaluate how effective the company’s internal control actually is. This component also prescribes the steps to be taken to address the risks the organization identifies.
Need more information on the COSO ERM framework? The COSO ERM framework can be better understood by attending CO webinars.