Category: Risk management frameworks · Reviewed by Amy Price, Account Executive · Last reviewed
The COSO ERM framework — formally Enterprise Risk Management — Integrating with Strategy and Performance (2017) — is a globally referenced model for embedding risk into strategy-setting and performance. It is published by the Committee of Sponsoring Organizations of the Treadway Commission, a private-sector initiative formed in 1985 by five US accounting bodies. The framework groups twenty principles into five components:
1. Governance and culture (Principles 1–5): board risk oversight, operating structures, desired culture, core values, attracting and retaining talent.
2. Strategy and objective-setting (Principles 6–9): business context, risk appetite, evaluation of alternative strategies, formulation of business objectives.
3. Performance (Principles 10–14): identifying risk, severity assessment, prioritisation, response implementation, portfolio view.
4. Review and revision (Principles 15–17): assessing substantial change, reviewing risk and performance, pursuing improvement.
5. Information, communication and reporting (Principles 18–20): leveraging information systems, communicating risk information, reporting on risk, culture and performance.
While COSO is US in origin, compliance with the FRC’s UK Corporate Governance Code and with the PRA’s expectations of insurer risk management can be evidenced through COSO-aligned controls. Many UK-listed insurers map their internal control attestation to COSO 2013 and their risk programme to COSO ERM 2017 or ISO 31000.
Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.