COSO Enterprise Risk Management Framework (COSO ERM)

The COSO Enterprise Risk Management (ERM) Framework, often just referred to as COSO ERM, is a widely accepted and utilized framework for designing, implementing, conducting, and improving enterprise risk management in organizations. It aligns risk management with business strategy, driving performance.

Definition and purpose

The COSO ERM Framework offers a comprehensive approach to enterprise risk management, helping organizations better understand and manage the uncertainties they face as they create value. It's designed to improve decision-making, enhance performance-related outcomes, and support a risk-aware culture.

Governing Body

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the governing body responsible for the COSO ERM Framework.

Last updated

The most recent update was released in March 2022.

Applies to

The COSO ERM Framework is industry-agnostic, meaning it's designed for application by any organization regardless of its size, industry, or sector, whether it's in the private, public, or nonprofit space.

Controls and requirements

The COSO ERM Framework is structured around several key components, which are:

Governance and Culture

  • Organizational Culture
  • Governance Structure
  • Resources
  • Information and Communication
  • Stakeholder Engagement

Strategy and Objective Setting

  • Strategy
  • Formulating Objectives

Performance

  • Performance Measures
  • Performance Management
  • Reporting

Review and Revision

  • Substantial Change
  • Improvement

Information, Communication, and Reporting

  • Information Needs
  • Communication
  • Reporting

Each component has its own associated principles, which set out detailed performance expectations for the ERM program. Refer to the official COSO ERM guidance documentation for the full list of controls and requirements.

Audit type, frequency, and duration

While COSO ERM itself doesn’t dictate specific audit types, frequencies, or durations, it provides the framework for organizations to set up a risk management system. Based on this system and the nature of their operations, organizations can determine the appropriate audit type, frequency, and duration.

Audits related to ERM often assess the effectiveness of risk management processes and practices in place. The frequency can be annual, bi-annual, or at other intervals, depending on the organization's needs, risk profile, regulatory requirements, and industry best practices. The duration varies based on the size and complexity of the organization and the scope of the audit.
