
Name: Aries Carl V. Lucero
Date: April 08, 2024
Course Year-Block: BSA 3-1

PrE 4: Enterprise Risk Management


Activity - COSO Integrated Framework of 2017

1) What does COSO stand for in risk management?

In risk management, COSO stands for the Committee of Sponsoring Organizations of the
Treadway Commission. It is a leading organization that developed the COSO framework,
which provides guidance on internal control, enterprise risk management, and fraud
deterrence, and which is widely used by organizations globally as a standard for managing
and mitigating risks efficiently and effectively.

2) How does the COSO 2017 framework define Enterprise Risk Management (ERM),
and what are its key components?

The COSO 2017 framework defines Enterprise Risk Management (ERM) as a process used
by organizations to identify, assess, and manage risks that could affect their business. It is
a systematic, cross-organizational risk management system that emphasizes a
comprehensive approach to managing risks throughout the organization. Its key
components are governance and culture; strategy and objective-setting; performance;
review and revision; and information, communication, and reporting. First, the governance
and culture component emphasizes fostering a risk-aware culture and establishing
governance structures that support effective risk management throughout the
organization. Second, strategy and objective-setting addresses the need for organizations
to align their risk management processes with their overall strategic objectives; this
involves identifying and assessing risks that could affect the achievement of those
objectives. Third, performance focuses on identifying and assessing risks related to the
achievement of performance goals, evaluating them in the context of both internal and
external factors that may affect performance. Fourth, review and revision highlights that
risk management processes should be regularly reviewed and updated to ensure they
remain effective in addressing the organization's evolving risk landscape. Fifth, and lastly,
the information, communication, and reporting component is essential for ensuring that
relevant risk information is shared across the organization and with external stakeholders.

3) What are the differences between the COSO 2017 framework and the previous
versions regarding ERM?

The COSO 2017 framework represents an evolution of the previous versions, notably
the original COSO ERM framework released in 2004. One of the key differences between
the COSO 2017 framework and its previous versions regarding Enterprise Risk
Management (ERM) is that it focuses more on governance and culture in effective risk
management. It underscores the role of organizational culture in promoting a risk-aware
environment and the importance of strong governance structures to support risk
management processes. Aside from this, the COSO 2017 framework also provides
increased flexibility, since it is designed to be more scalable, allowing organizations of all
sizes and industries to tailor their risk management processes to their specific needs and
circumstances. This flexibility enables organizations to adopt ERM in a way that best suits
their unique risk profiles and business objectives. Furthermore, it places a stronger
emphasis on aligning risk management processes with an organization's strategy and
business objectives. It encourages organizations to consider risks and opportunities in
the context of their strategic goals and to integrate risk management into decision-making
processes at all levels of the organization. Lastly, it expands the focus on information,
communication, and reporting as key components of effective risk management. It
emphasizes the importance of timely and transparent communication of risk information
throughout the organization and with external stakeholders.

4) How does the COSO 2017 framework integrate with other risk management
standards, such as ISO 31000?

The COSO 2017 framework integrates with other risk management standards, such as
ISO 31000, through common principles of risk management, including the need for a
systematic and proactive approach to identifying, assessing, and managing risks. Both
emphasize the importance of considering internal and external factors that may affect an
organization's ability to achieve its objectives. Both frameworks also give organizations
the flexibility to tailor their risk management processes to their specific needs and
circumstances, which allows organizations to integrate elements of both frameworks in a
way that best suits their unique risk profiles and business objectives. In addition, both
frameworks emphasize the importance of fostering a risk-aware culture within the
organization and promoting effective communication of risk information at all levels. By
aligning their approaches to risk culture and communication, organizations can enhance
collaboration and decision-making around risk management. In a nutshell, while there
may be differences in terminology and specific approaches between the COSO 2017
framework and ISO 31000, organizations can effectively integrate these standards to
enhance their overall risk management practices and achieve their objectives more
effectively.

5) Can you provide examples of how organizations have successfully implemented
the COSO 2017 framework for ERM?

An example of an organization that has successfully implemented the COSO 2017
framework for ERM is Toyota Motor Corporation. It has implemented the said framework
by aligning its risk management processes with the framework's principles and
components. As a result, Toyota was able to improve its ability to identify, assess, and
manage risks across its global operations. This integration also helped Toyota strengthen
its risk governance structures, enhance its risk culture, and improve decision-making
about risks, especially in the areas of supply chain disruptions, regulatory compliance,
and operational risks. Another example is the multinational food and beverage company
Nestlé. Like Toyota, it has adopted the COSO 2017 framework to strengthen its enterprise
risk management practices by integrating the COSO framework's principles and
components into the development and implementation of its risk management processes.
In doing so, Nestlé was able to effectively and efficiently manage risks across its diverse
portfolio of products and markets, particularly in areas such as food safety, product
quality, and supply chain resilience. These examples demonstrate how organizations
across different industries have successfully leveraged the COSO 2017 framework to
enhance their risk management practices, align risk management with strategic
objectives, and adapt to changing business environments, which leads to improved
performance, greater resilience, and enhanced stakeholder confidence.

6) What role does the COSO 2017 framework play in enhancing risk culture within an
organization?

The COSO 2017 framework plays a significant role in enhancing risk culture within an
organization by providing guidance and principles that promote a risk-aware mindset and
behaviors throughout the organization. Because the framework emphasizes the
importance of governance structures and of setting the tone at the top in promoting a
strong risk culture, it helps establish clear roles and responsibilities for risk oversight and
accountability. Given this, senior leaders can foster a culture that values risk awareness
and encourages employees to actively engage in risk management activities by
demonstrating a commitment to ethical behavior and risk management. Moreover, the
framework highlights the importance of demonstrating commitment to core values
through training and development programs focused on ethical leadership and
compliance. By investing in programs that reinforce core values and promote ethical
decision-making, organizations can instill a culture of integrity and accountability in
managing risks. Lastly, the COSO 2017 framework focuses on the importance of effective
communication and collaboration in risk management. By putting this into practice,
organizations can foster a culture where employees feel empowered to raise concerns,
share insights, and collaborate on risk mitigation efforts.

7) How does the COSO 2017 framework address emerging risks and uncertainties
faced by organizations today?

The COSO 2017 framework addresses emerging risks and uncertainties faced by
organizations today by providing a structured approach to risk management that is
adaptable to changing business environments. Specifically, the framework provides
guidance on identifying and assessing a broad range of risks, including emerging risks
that may arise from various factors. It does so by encouraging organizations to adopt a
proactive and forward-looking approach to risk identification and assessment.
Furthermore, the framework emphasizes scenario analysis as a tool for assessing the
potential impact of emerging risks on the organization's objectives; this lets organizations
anticipate various future scenarios, evaluate their resilience to each of them, and identify
potential vulnerabilities and opportunities for improvement. In addition, it highlights the
importance of continuous monitoring and reporting of risks so that organizations stay
informed about emerging risks and their potential impact. This gives organizations
dynamic risk management processes that can adapt to changing circumstances, helping
them build resilience and effectively navigate uncertainty.

8) What are the benefits of adopting the COSO 2017 framework for ERM compared to
other risk management approaches?

One of the benefits of adopting the COSO 2017 framework for Enterprise Risk
Management (ERM) compared to other risk management approaches is that it provides a
comprehensive and widely recognized framework for ERM that covers all aspects of risk
management, including governance and culture, strategy and objective-setting,
performance, review and revision, and information, communication, and reporting. By
adopting the COSO framework, organizations can ensure that their risk management
processes are aligned with industry best practices and regulatory expectations. In
addition, the framework allows organizations to tailor their risk management processes
to their specific needs and circumstances because it is designed to be flexible and
scalable. Whether an organization is a small startup or a large multinational company,
the COSO framework can be adapted to fit its specific needs. Furthermore, it improves
decision-making by providing a structured approach to identifying, assessing, and
managing risks, which helps organizations anticipate and mitigate potential risks while
capitalizing on opportunities for innovation and growth. With these positive effects of
adopting the COSO framework, stakeholders' confidence in the organization's ability to
manage risks effectively and achieve its objectives can ultimately be enhanced, which is
one of the most important benefits of all, if not the most important.

9) Can you explain how the COSO 2017 framework supports the identification and
assessment of key risks within an organization's operations?

The COSO 2017 framework supports the identification and assessment of key risks
within an organization's operations through its structured approach to enterprise risk
management (ERM). Since the framework emphasizes the importance of governance and
culture in setting the tone for risk management, it aids in establishing oversight
responsibilities and fostering a risk-aware culture; with these in place, organizations can
create an environment in which key risks are identified and assessed effectively. In
addition, the framework encourages organizations to use scenario analysis to assess risks
that could have a significant impact on their goals, which allows them to identify key risks
and their potential consequences for operations. Lastly, the framework encourages
organizations to develop a portfolio view of risks relative to business objectives. With
this, organizations can identify key risks that may affect operations and performance by
considering the nature, likelihood, and interdependencies of risks.

10) What challenges might organizations encounter when implementing the COSO
2017 framework for ERM, and how can they overcome them?

One of the challenges organizations might encounter when implementing the COSO
2017 framework for Enterprise Risk Management (ERM) is a lack of awareness or
understanding of the COSO 2017 framework and its principles across the organization.
To overcome this challenge, organizations can provide comprehensive training and
education to employees at all levels to ensure they understand the framework and its
implications for risk management practices. Another challenge is that many
organizations may face resource constraints in implementing the framework. This can be
addressed by prioritizing risk management efforts based on the most significant risks to
their objectives. Moreover, integrating the framework with existing risk management
processes and systems can also be challenging, but organizations can overcome this by
conducting a thorough gap analysis to develop a roadmap for integrating the existing
processes with the new initiatives. Aside from these, resistance to change can also be a
hurdle when implementing the framework. Employees may be accustomed to existing
risk management practices, but organizations can address this by involving employees in
the implementation process, asking for their input and feedback, and emphasizing to
them the benefits of adopting the COSO framework. By providing training and support to
help employees understand the rationale behind the framework, their resistance can be
mitigated.
