What is COSO’s model? How do we manage risk?


WHAT IS COSO’s model?

COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a joint initiative of private-sector professional organizations, established in the USA, dedicated to providing a common model of guidance to entities on fundamental aspects of:

  • executive management and governance,
  • business ethics,
  • internal control,
  • enterprise risk management,
  • fraud deterrence, and
  • financial reporting.

COSO’s model evolution:

1992: Internal Control – Integrated Framework (the COSO Report, or COSO I) was published as an integrated framework to help companies evaluate and improve their internal control systems.

2004: COSO's ERM model (Enterprise Risk Management – Integrated Framework), or COSO II, was published, allowing companies to improve their internal control systems through a broader risk management process.

2013: an updated Internal Control – Integrated Framework (COSO 2013, often referred to as COSO III) was published. In 2017 COSO published Enterprise Risk Management – Integrating with Strategy and Performance (COSO ERM 2017), which updates the 2004 ERM framework and gives broader coverage of the risks that organizations face.


Representation of the COSO ERM Model 2017 (figure)

Source: coso.org, “2017 ERM Slide Presentation”

Components of the COSO ERM 2017 Model:

Governance and Culture:

The organization must reinforce the importance and understanding of its risk management, establish the oversight responsibilities needed to carry it out, and define the ethical values it will follow.

The main actions to develop are the following:

  • The board of directors exercises risk oversight, approving the policy under which it supervises the entity's risk.
  • Establishes operating structures.
  • Defines the desired culture and values.
  • Senior management demonstrates commitment to core values, for example by forming committees and governing bodies to monitor compliance with them.
  • Attracts, develops and retains capable individuals.

Strategy and Objective-Setting:

The strategic planning process defines enterprise risk management, work objectives and strategies, and establishes a risk appetite aligned with them.

To carry out this part, the organization must:

  • Analyze the business context.
  • Define risk appetite.
  • Evaluate alternative strategies.
  • Formulate business objectives.

Performance:

This involves identifying and assessing the risks that may affect the achievement of business objectives. Risks are prioritized by severity in the light of the defined risk appetite. The organization then selects its response to each risk and takes a portfolio view of the total amount of risk it has assumed.

Carrying out this component includes:

  • Identifies risk.
  • Assesses the severity of each identified risk.
  • Prioritizes risks.
  • Identifies, selects and implements risk responses.
  • Develops a portfolio view of risk.
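As an added illustration of the Performance step above (this is not COSO's own method and not code from this page), the following Python risk register scores each risk, ranks it, picks a response against a board-approved appetite, and aggregates risk per objective. COSO ERM 2017 names the steps and the response categories (accept, avoid, pursue, reduce, share) but prescribes no formula: the 1-to-5 scales, the likelihood × impact score, the appetite and tolerance thresholds, the response rule and the summing of severities per objective are all assumptions made for the example, and the register entries are constructed sample data.

```python
"""Risk register scoring and prioritisation against a risk appetite.

Added illustration, not COSO's own method. COSO ERM 2017 names the steps
(identify, assess severity, prioritise, respond, take a portfolio view)
but prescribes no scoring formula. The 1..5 scales, the thresholds and the
response rule below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Response(str, Enum):
    # COSO ERM 2017 response categories ("pursue" is omitted: the
    # register below only holds downside risks).
    ACCEPT = "accept"
    REDUCE = "reduce"
    SHARE = "share"
    AVOID = "avoid"


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str            # business objective the risk threatens
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    transferable: bool = False  # insurance or contract can shift the loss


def severity(risk: Risk) -> int:
    """Assumed severity score: likelihood x impact, on a 1..25 scale."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: scores must be 1..5, got {value}")
    return risk.likelihood * risk.impact


def select_response(risk: Risk, appetite: int, tolerance: int) -> Response:
    """Assumed decision rule (not COSO's).

    appetite  : severity the board is willing to carry without action
    tolerance : severity above which the exposing activity must be avoided
    """
    if appetite > tolerance:
        raise ValueError("appetite cannot exceed tolerance")
    score = severity(risk)
    if score <= appetite:
        return Response.ACCEPT
    if score > tolerance:
        return Response.AVOID
    return Response.SHARE if risk.transferable else Response.REDUCE


def prioritize(risks: Iterable[Risk], appetite: int,
               tolerance: int) -> List[Tuple[str, int, str]]:
    """Rank risks by severity, highest first (ties: higher impact, then name)."""
    ranked = sorted(risks, key=lambda r: (-severity(r), -r.impact, r.name))
    return [(r.name, severity(r), select_response(r, appetite, tolerance).value)
            for r in ranked]


def portfolio_view(risks: Iterable[Risk],
                   appetite: int) -> Dict[str, Tuple[int, bool]]:
    """Aggregate severity per objective and flag breaches of appetite.

    Several individually acceptable risks can together exceed appetite;
    that is the portfolio view COSO asks for (summing is an assumed rule).
    """
    totals: Dict[str, int] = {}
    for r in risks:
        totals[r.objective] = totals.get(r.objective, 0) + severity(r)
    return {obj: (total, total > appetite) for obj, total in totals.items()}


# Constructed sample register for the example (not real data).
REGISTER = [
    Risk("Unpatched internet-facing VPN", "Service availability", 4, 5),
    Risk("Ransomware on file servers", "Service availability", 3, 4, transferable=True),
    Risk("Phishing leading to payroll fraud", "Financial reporting", 3, 3),
    Risk("Key supplier insolvency", "Product delivery", 2, 4),
    Risk("Port strike delays inbound parts", "Product delivery", 2, 3),
    Risk("Loss of the only engineer who knows the billing system", "Staff retention", 2, 2),
]
APPETITE, TOLERANCE = 8, 15   # assumed thresholds on the 1..25 scale

if __name__ == "__main__":
    for name, score, response in prioritize(REGISTER, APPETITE, TOLERANCE):
        print(f"{score:>2}  {response:<6}  {name}")
    for objective, (total, breached) in portfolio_view(REGISTER, APPETITE).items():
        flag = "  (exceeds appetite)" if breached else ""
        print(f"{objective}: aggregate {total}{flag}")
```

Note what the portfolio view adds: the two "Product delivery" risks score 8 and 6 and are each accepted on their own, yet together (14) they exceed the appetite of 8, which is exactly the situation a per-risk review misses.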

Review and Revision:

In review and revision, the organization checks how enterprise risk management is operating over time and, in the light of substantial changes that occur, decides which revisions or changes are necessary.

The points included in the review are the following:

  • Assesses substantial change.
  • Reviews risk and performance.
  • Pursues improvement in enterprise risk management.

Information, Communication and Reporting:

Business risk management requires a continuous process of obtaining and sharing the necessary information, both from internal and external sources. Communication must flow up and down throughout the organization.

This component requires:

  • Leverages information systems and technology to support risk management.
  • Uses appropriate communication channels to communicate risk information.
  • Reports on risk, culture and performance to all involved parties.

What is the ERM Enterprise Risk Management methodology?

Enterprise Risk Management (ERM) is a plan-based business strategy that aims to identify, assess and prepare for any risks or events that may affect, positively or negatively, an organization's operations and objectives.

The objective of ERM is to assess the risks relevant to the company (financial, strategic and operational), prioritize those risks and make informed decisions on how to manage them. The risk management plans it produces estimate the impact of various threats and describe possible responses should one of those threats materialize.

An effective ERM process should be an important strategic tool for business leaders. Knowledge about the risks arising from the ERM process should be an important input to the organization’s strategic plan.

Because risks are constantly emerging and evolving, it is important to understand that ERM is a process that must be active and alive, with continuous updates and improvements.

The structure of the corporate risk management framework applies regardless of the size of the institution or how an institution wishes to categorize its risks, and is designed to help management and boards of directors properly manage the following main aspects:

  • Identification of all risks that may affect the strategy and business operations, and the interrelationship between them.
  • Acceptable level of risk.
  • How to manage risks (culture, governance and policies).
  • How to obtain the necessary information to manage risks.
  • How to control risks.
  • How to measure and evaluate the different risks.
  • What the response to each risk should be.
  • Which tests of the response to harmful scenarios are most appropriate.

One of the main models developed for effective enterprise risk management (ERM) is currently the COSO ERM Model 2017.

Benefits for organizations:

  • It helps organizations better understand how to perform risk management and its role in choosing and implementing the best strategies to follow.
  • It allows objectives to be set that link performance and the comprehensive management of business risk to increasing the company's profit.
  • It gives universal guidelines for corporate governance and oversight.
  • It helps organizations recognize the new context that globalization of the economy has brought about, and the need to adapt to the changes and complexity of the business world that come with it.
  • It is a basis for expanding knowledge of risk management and responding to the expectations of managers and other interested parties.
  • It supports the evolution and use of new information and communication technology (ICT) and its application to data management and decision-making.

At GlobalSuite Solutions we have the GlobalSuite® software, entirely developed by our team, which allows the implementation, management and maintenance of a risk management system based on the established objectives and, likewise, allows the evaluation and monitoring of the treatment of the defined risks.