COSO ERM Process

1. Identify key business processes and objectives
  • Define core activities that drive organizational value.
  • Align processes with strategic and operational goals.
  • Ensure clarity in purpose and expected outcomes.
  • Break down functions into measurable components.
  • Link each process to specific business objectives.
  • Establish accountability for performance delivery.
2. Analyze business context
  • Evaluate external and internal factors affecting operations.
  • Consider regulatory, social, and market conditions.
  • Understand their influence on business objectives.
  • Identify constraints and opportunities in the environment.
  • Assess how changes impact risk exposure.
  • Align strategy with evolving external conditions.
3. Define risk appetite (≤ risk capacity)
  • Determine acceptable levels of risk for the organization.
  • Ensure appetite does not exceed capacity to absorb losses.
  • Align risk tolerance with strategic priorities.
  • Communicate risk limits across all management levels.
  • Balance growth ambitions with risk-taking ability.
  • Establish boundaries for decision-making.
4. Identify risks & prepare Risk Universe
  • Recognize potential events that may affect objectives.
  • Document risks across all functions and processes.
  • Create a comprehensive risk inventory.
  • Categorize risks (strategic, operational, financial, etc.).
  • Include both internal and external risk sources.
  • Build a structured “Risk Universe” database.
5. Assess severity (Impact & Likelihood analysis)
  • Evaluate potential impact of each identified risk.
  • Estimate likelihood of occurrence.
  • Combine both to determine risk severity.
  • Use qualitative and quantitative assessment methods.
  • Apply scoring models for consistency.
  • Focus on risks that threaten achievement of key objectives.
6. Prioritize risks (Risk ranking)
  • Rank risks based on severity and business impact.
  • Identify high-priority risks requiring immediate attention.
  • Allocate resources accordingly.
  • Use heat maps or ranking matrices.
  • Distinguish critical vs. manageable risks.
  • Support decision-making with clear prioritization.
7. Implement risk response (Accept, Avoid, Pursue, Reduce, Share)
  • Select appropriate response strategies for each risk.
  • Mitigate or transfer risks where possible.
  • Accept risks within tolerance levels.
  • Implement controls and action plans.
  • Assign ownership for each response.
  • Monitor effectiveness of mitigation strategies.
8. Develop portfolio view & Monitor, review, revise
  • Consolidate risks into an enterprise-wide view.
  • Understand interdependencies across risks.
  • Support strategic oversight and governance.
  • Continuously monitor risk environment and controls.
  • Review performance and update risk strategies.
  • Revise processes to adapt to changes.
