Questions & Answers
What is COSO ERM 2017?
COSO ERM 2017, officially titled "Enterprise Risk Management—Integrating with Strategy and Performance," is a framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It updates the original 2004 framework to address the increasing complexity of the business environment. Its core concept is the explicit integration of risk management with strategy-setting and performance management. The framework is structured around five interrelated components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication, & Reporting, which are supported by 20 principles. Unlike the more process-oriented guidelines of ISO 31000:2018, COSO ERM 2017 places a strong emphasis on how risk affects the achievement of strategic objectives and the importance of defining risk appetite. It provides a robust structure for organizations to manage uncertainty, improve decision-making, and ultimately create, preserve, and realize value, forming a foundational element for governance and compliance activities worldwide.
How is COSO ERM 2017 applied in enterprise risk management?
Applying COSO ERM 2017 means embedding risk considerations into day-to-day operations and strategy rather than treating them as a separate compliance exercise. The foundation is "Governance & Culture": the board exercises risk oversight and management sets the tone for risk-aware behaviour. On that foundation, "Strategy & Objective-Setting" has the board and management define the organization's risk appetite in the context of its strategic goals; for instance, a technology firm might set a low appetite for intellectual property theft and translate it into concrete tolerances for its product and engineering teams. "Performance" then covers identifying, assessing and prioritizing the risks that could affect those goals, and selecting responses, such as strengthening cybersecurity controls around source code and customer data. "Review & Revision" requires ongoing monitoring of changes in the risk landscape and of whether the chosen responses are actually working, and "Information, Communication, & Reporting" runs through all of these so that risk information reaches decision-makers in usable form. As an illustrative scenario, a multinational bank could use the framework to manage financial market volatility: by aligning its trading strategies with a clearly defined risk appetite, it might improve risk-adjusted returns by around 10% and reduce regulatory capital charges. Measurable outcomes of this kind of implementation include a reduction in unexpected losses and fewer material weaknesses identified during internal audits.
What challenges do Taiwan enterprises face when implementing COSO ERM 2017?
Taiwan enterprises often face three key challenges when implementing COSO ERM 2017. First, a cultural challenge: risk management is frequently siloed within the audit or finance department rather than being a shared responsibility across the organization. Second, resource constraints, particularly for small and medium-sized enterprises (SMEs), limit investment in dedicated risk management information systems (RMIS) and specialized talent. Third, a weak strategic link: risk assessment outputs are treated as compliance paperwork and fail to meaningfully inform executive decision-making. Overcoming the cultural challenge requires a top-down approach, with the board visibly championing a risk-aware culture. For resource constraints, a phased implementation that focuses on the highest-priority risks first and uses cost-effective SaaS tooling is recommended. To strengthen the strategic link, risk scenario analysis should become a standing agenda item in strategic planning sessions. A practical first action is to establish a cross-functional risk committee to drive the initial implementation over a 6-12 month period.
Why choose Winners Consulting for COSO ERM 2017?
Winners Consulting specializes in COSO ERM 2017 for Taiwan enterprises, delivering management systems aligned with the framework within 90 days. Free consultation: https://winners.com.tw/contact