Friday, August 5, 2011

COSO Framework

Framework for enterprise risk management


The COSO framework consists of 8 interrelated components:

1. Internal or control environment

This covers the tone of an organization, and sets the basis for how risk is viewed and addressed by an organization’s people, including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.
The board’s attitude, participation and operating style will be a key factor in determining the strength of the control environment.


2. Objective Setting
Objectives for the entity should be in place and the chosen objectives should support and align with the entity’s mission and be consistent with the risk appetite.



3. Event Identification
Both internal and external events which affect the achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.



4. Risk Assessment
Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. The analysis process should clearly determine which risks are controllable, and which risks are not controllable.



5. Risk Response
Management selects risk responses such as avoidance, reduction, transfer, or acceptance which are used to develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.



6. Control Activities or Procedures
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.



7. Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication should be broad – flowing up, down and across the entity. There should also be effective communication with third parties such as shareholders and regulators.



8. Monitoring
Risk control processes are monitored and modifications are made if necessary. Effective monitoring requires active participation by the board and senior management, and strong information systems, so the data senior managers need is fed to them.



