Most conversations about COSO ERM start with a framework diagram and 20 principles. This one starts with a more useful question: given your team size, your regulatory environment, and the resources you actually have, is COSO ERM the right framework for your organisation right now — or is it something you grow into?
The answer matters. Choosing the wrong framework does not just waste implementation effort. It creates friction between your risk function and your leadership team, produces documentation that nobody reads, and ultimately weakens the risk culture you are trying to build.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission — a private sector body founded in 1985, jointly sponsored by five professional associations, including the American Institute of Certified Public Accountants and the Institute of Internal Auditors.
The 2017 update to the COSO ERM framework addressed the evolution of enterprise risk management and the need for organisations to improve their approach to managing risk to meet the demands of an evolving business environment. The framework's full title — Enterprise Risk Management: Integrating with Strategy and Performance — tells you exactly what makes it distinct from other frameworks: it is built around the idea that risk management and strategy are inseparable.
The framework is future-focused and designed so that organisations worldwide can attain better value from enterprise risk management — addressing trends that entities are likely to face in an evolving business environment.
The 2017 COSO ERM Framework consists of five interrelated components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. Together they span 20 principles.
Here is what each component means for a practical risk manager — not in theory, but on a Monday morning:
1. Governance and Culture. This is the foundation. It defines who is responsible for risk oversight, how risk appetite is set, and what behaviours are expected across the organisation. In practice, it means your board needs to have an explicit role in risk oversight — not just receive reports, but actively participate in defining what risks are acceptable in pursuit of your strategic goals.
2. Strategy and Objective-Setting. This is where COSO diverges most sharply from ISO 31000. COSO requires that risk management be integrated into strategic planning — meaning that when your leadership team sets objectives for the next year, risk considerations are part of that conversation from the start, not added as a compliance layer afterwards.
3. Performance. This component covers risk identification, assessment, prioritisation, and response. It is the closest to what most teams think of as "traditional" risk management — building a risk register, scoring risks, assigning controls, and monitoring outcomes.
4. Review and Revision. Risk management is not a one-time exercise. This component formalises the process of evaluating how well your ERM programme is working and revising it based on what you learn. It is where continuous improvement becomes structural rather than aspirational.
5. Information, Communication, and Reporting. This component emphasises that ERM is a continual process that requires ongoing identification and sharing of risk and strategy information. In practical terms: who gets what risk information, at what frequency, and in what format — from the front line to the board.
Here is the honest answer: COSO ERM is not for every organisation, and it is definitely not where every organisation should start.
COSO is a strategy-linked framework. Its real value shows up when your organisation has reached a level of maturity where risk management needs to be connected to business objectives at the board level — where a risk committee exists or is being formalised, where leadership is asking how risk connects to performance, and where you have the governance infrastructure to make that connection real.
If you are still building your first risk register, formalising your first risk appetite statement, or trying to get your first quarterly risk review on the calendar, COSO ERM will feel like putting a second floor on a house that does not yet have walls.
That is not a criticism of COSO. It is a sequencing point.
COSO ERM is likely the right framework — or the right next step — for your organisation if:
You are a mid-to-large financial institution with multiple business units, a board risk committee, and a risk function that already produces regular reporting. The cross-functional governance structures COSO requires exist or are being built.
Your board is asking strategic risk questions. When your board chair asks "what risks are we taking to achieve our growth targets this year?" rather than "have we done our risk assessment?", you are ready for COSO.
You are preparing for M&A, investment, or expansion. COSO's structured approach to risk and performance documentation is the language institutional investors and international partners understand. If you are seeking international capital or expanding into new markets, a COSO-aligned ERM programme signals maturity.
Your regulator is pointing in this direction. Regulators across multiple markets are increasingly referencing international ERM standards in their supervisory expectations — and COSO is consistently one of the frameworks they cite. If your regulator is asking for evidence of board-level risk governance and strategic risk integration, COSO is the framework best positioned to demonstrate that.
If your organisation is in an earlier stage of risk maturity, ISO 31000 is almost always the right place to begin. Here is why:
ISO 31000 is non-prescriptive — it gives you principles and lets you adapt. It works at any organisational size, requires no specific governance structure, and has no certification or external audit requirement. You can implement it with a team of two and a spreadsheet, and it will still produce a functioning risk management programme.
As we covered in our article ISO 31000 for Small Risk Teams: 4 Steps to Make It Work in Practice, the standard is designed for flexibility — which makes it the right foundation for organisations that are still building their risk culture.
Start with ISO 31000. Build your register, define your risk appetite, run your first quarterly review. Once those habits are established and your governance structures are more mature, COSO ERM becomes the natural next layer.
These two frameworks are not competitors. They are complementary — and in practice, the most effective risk programmes combine both.
Think of it this way: ISO 31000 provides the operating model — the principles, the process, the day-to-day rhythm of risk identification, assessment, and monitoring. COSO ERM provides the strategic architecture — the governance layer, the connection to business objectives, the board-level risk oversight structure.
A mature risk programme will typically use ISO 31000 to structure its operational risk processes across business units, while using COSO ERM as the governance framework that connects those processes to its strategy and reports to the board.
As Pirani's Risk Management Study 2026: Africa Chapter found, the primary challenge for financial institutions is not identifying risks — it is embedding risk into everyday decision-making. COSO ERM, used at the right stage of maturity, is the mechanism that creates that connection at the highest level of the organisation.
The global regulatory direction is clear: risk management frameworks are moving from optional to expected, and board-level governance of risk is becoming a baseline requirement across markets.
In West Africa and South Africa the signals are particularly concrete. In June 2024, Nigeria's Securities and Exchange Commission directed all Capital Market Operators to implement an ERM framework conforming to international standards such as COSO. This is the clearest regional signal yet that COSO familiarity is becoming a regulatory expectation — not just a best practice — for Nigerian financial institutions.
The Bank of Ghana has progressively strengthened its corporate governance and risk management requirements for licensed institutions, and the South African Prudential Authority under the SARB has embedded ERM expectations into its supervisory framework for banks and insurers.
None of these regulators mandate COSO specifically — but they reference international standards, and COSO is the framework most aligned with what they mean when they ask for evidence of board-level risk governance and strategic risk integration. For institutions operating in these markets, knowing COSO's language is increasingly table stakes.
What does COSO stand for? COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a private sector body founded in 1985, jointly sponsored by five professional associations including the American Institute of Certified Public Accountants and the Institute of Internal Auditors. It publishes voluntary frameworks for internal control and enterprise risk management used by organisations globally.
Is COSO ERM the same as COSO Internal Control? No. COSO has two distinct frameworks: the Internal Control — Integrated Framework (2013), which focuses on the design and evaluation of internal control systems; and the Enterprise Risk Management framework (2017), which focuses on integrating risk management with strategy and performance. They are complementary but serve different purposes. Most organisations use both.
Is COSO ERM certifiable? No. Unlike ISO 27001, there is no external audit process or official certificate for COSO ERM. It is a voluntary, principles-based framework. Organisations adopt it to improve their risk management practices, not to obtain a credential. Some regulators reference it as a benchmark, but compliance is assessed through supervisory review rather than third-party certification.
How many principles does COSO ERM have? The 2017 COSO ERM Framework consists of five interrelated components and 20 principles in total. Each principle represents a practice that can be scaled and adapted regardless of organisation size, type, or sector.
Is COSO ERM relevant for smaller financial institutions? It can be, but sequencing matters. For organisations that are still building their foundational risk management processes, ISO 31000 is usually the right starting point. COSO ERM becomes most valuable when governance structures are more established and the organisation needs to connect risk management to strategic decision-making at the board level.
What is the difference between COSO ERM and ISO 31000? ISO 31000 is a universal, non-prescriptive standard for risk management that works at any scale and requires no specific governance structure. COSO ERM is a strategic framework that integrates risk with business objectives and board governance — it assumes a higher level of organisational maturity. In practice, many institutions use ISO 31000 as their operational risk framework and COSO ERM as their governance architecture.
Has COSO ERM been updated recently? The most recent COSO update from 2024 involves managing risks associated with alternative data from nontraditional sources. Other recent documents address AI, cloud computing, cyber-risk, and compliance risk management. The core framework remains the 2017 version.