Guidance on Enterprise Risk Management

Enterprise Risk Management—Integrating with Strategy and Performance (2017)

In keeping with its overall mission, the COSO Board commissioned and published in 2004 the Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.

COSO issued a supplement with detailed examples for applying principles from the ERM Framework to day-to-day practices. This supplement, titled COSO Enterprise Risk Management - Integrating with Strategy and Performance: Compendium of Examples, was developed from industry practices identified through extensive research conducted when updating the Framework. Each example focuses on specific components covered in the Framework.

Written as a collection of case studies, the Compendium offers real-world advice about how to put the ERM Framework to use. Each case describes how a specific entity scaled and adapted the principles, and sets out the relationship between an organization’s mission, vision, and core values; its strategic goals and directions; and the approaches used in carrying out its strategy.

Executive Summary: Enterprise Risk Management—Integrating with Strategy and Performance (2017)

Frequently Asked Questions

COSO 2017 ERM Slide Presentation

How to purchase


News Release

COSO Enterprise Risk Management - Integrating with Strategy and Performance: Compendium of Examples

Learn more about the COSO ERM Certificate Program

Enterprise Risk Management — Integrated Framework (2004)

In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the Enterprise Risk Management — Integrated Framework in 2004. This framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. The guidance introduces an enterprise-wide approach to risk management as well as concepts such as risk appetite, risk tolerance, and the portfolio view of risk. This framework is now being used by organizations around the world to design and implement effective ERM processes. Available for purchase in the AICPA Store. Learn more about Enterprise Risk Management — Integrated Framework.

Purchase Enterprise Risk Management — Integrated Framework

Acceptable Use of COSO Materials

Copyright Permission Request Form

Guidance on Enterprise Risk Management for Cloud Computing

Addressing the demands for remote and flexible work arrangements that arose from the pandemic, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in collaboration with Crowe LLP, issued “Enterprise Risk Management for Cloud Computing.” This guidance provides a roadmap for establishing cloud computing governance that leverages the principles of COSO’s Enterprise Risk Management (ERM) – Integrating with Strategy and Performance framework (2017). The project was commissioned by COSO and co-authored by Mike Grob, Principal, and Victoria Cheng, Managing Director, in Crowe LLP’s Consulting Services.


News Release

Guidance on Compliance Risk Management - Applying the COSO ERM Framework (2020)


News Release

Guidance on Managing Cyber Risk in a Digital Age (2019)


News Release

Guidance on Applying ERM to Environmental, Social and Governance-related Risks (2018)

Executive Summary

ERM Thought Papers

Risk Appetite – Critical to Success: Using Risk Appetite to Thrive in a Changing World (2020)

At its core, risk appetite is critical to organizational success. Articulating risk appetite for your organization provides board members and senior management with important insight. This thought paper aims to improve understanding of risk appetite and to promote it as an integral part of decision-making. It is intended to help directors and executives answer the following question: How will a better understanding and communication of risk appetite help our organization succeed?

News Release

Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management

This paper offers succinct, tangible steps to implement an effective ERM program, based on successful practices used by organizations that have taken an incremental, step-by-step approach to implementing ERM. It is co-authored by DePaul University’s Richard J. Anderson, Clinical Professor of Strategic Risk Management, and Dr. Mark L. Frigo, Co-founder and Director Emeritus of the Strategy, Execution and Valuation Initiative & Strategic Risk Management Lab at the Kellstadt Graduate School of Business/Driehaus College of Business - School of Accountancy & MIS.

News Release

Demystifying Sustainability Risk: Integrating the Triple Bottom Line Into an Enterprise Risk Management Program* (2013)

ERM Risk Assessment in Practice

This thought paper provides leadership thinking on risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making. It represents another in a series of papers published by COSO aimed at helping organizations move up the maturity curve in their ongoing development of a robust ERM program.

News Release

Enterprise Risk Management for Cloud Computing

This thought paper is published in response to the growing number of organizations utilizing cloud computing as a viable alternative for meeting their technology needs. The thought paper provides guidance on following the principles of the COSO Enterprise Risk Management — Integrated Framework to assess and mitigate the risks arising from cloud computing.

News Release

Enhancing Board Oversight: Avoiding and Challenging Traps and Biases in Professional Judgment

A thought paper detailing a five-step judgment process that board members and others can use to overcome common pitfalls and mitigate the effects of judgment bias. The judgment process is based on KPMG’s Professional Judgment Framework, which helps individuals identify where and when the quality of judgments tends to be threatened by predictable, systematic judgment traps and biases.

News Release

Enterprise Risk Management — Understanding and Communicating Risk Appetite

Organizations encounter risk every day as they pursue their objectives. Risk appetite — the amount of risk organizations are willing to accept in pursuit of their objectives — is an integral part of an effective ERM system. This thought paper aims to help organizations develop, better articulate, and implement “risk appetite.” It provides examples of statements of risk appetite and emphasizes the notion that risk appetite should be clearly defined, communicated by management, embraced by the board, and continually monitored and updated.

News Release

Embracing Enterprise Risk Management: Practical Approaches for Getting Started

This paper is intended to help organizations start down the path toward improving risk management. This thought paper describes how an organization can start to move from informal risk management to ERM. Moreover, it discusses the increasing importance of and focus on ERM and the need for all types of organizations to understand and embrace ERM. The paper also examines perceived barriers to starting ERM and working through those barriers.

News Release

Developing Key Risk Indicators to Strengthen Enterprise Risk Management

This paper is directed towards managers. It provides practical examples to help executives develop effective key risk indicators to heighten board and management enterprise risk awareness in order to increase the effectiveness of an ERM process and improve the execution of an organization’s strategy.

News Release

Board Risk Oversight — A Progress Report: Where Boards of Directors Currently Stand in Executing their Risk Oversight Responsibilities

This report is based on a survey that sought input directly from over 200 corporate directors to obtain deeper knowledge of the current state and desired future state of the risk oversight process as it is applied by boards of directors.

News Release

COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework

This report is based on a survey launched to obtain information from corporate management about the current state of their risk oversight processes and feedback about COSO’s 2004 Enterprise Risk Management — Integrated Framework.

News Release

Strengthening Enterprise Risk Management for Strategic Advantage

This document is a helpful resource for articulating the strategic value of effective ERM. The publication further develops the responsibilities of boards of directors presented in the first thought paper on ERM. This paper highlights key elements of ERM for board and senior executive consideration as they re-examine their existing approaches to risk oversight. The paper also provides a list of four specific areas where senior management can work with its board to enhance the board’s risk oversight capabilities.

News Release

Effective Enterprise Risk Oversight: The Role of the Board of Directors

The paper emphasizes the role of the directors with regard to ERM. It lays out four core responsibilities of boards in the oversight of management’s risk processes and top risk exposures arising out of those processes.

News Release