COSO ERM Guide
- Katarzyna Celińska

- 5 hours ago
- 2 min read
I really like COSO's new guidance: “From Guidance to Action: Exploring Practical Enterprise Risk Management.”
For me, this publication does exactly what many ERM materials fail to do: it translates risk management from a framework, methodology, or reporting exercise into a practical operating model for decision-making.
The document makes a very important point: ERM should move organizations from documenting risks to influencing choices. Risk management should not be limited to heat maps, registers, long risk lists, and quarterly reports. It should provide decision-ready signals: what changed, what matters now, who owns the response, and what should trigger action.

This is very close to how I usually define risk management in one sentence:
Risk management is making conscious decisions based on the information available at a given moment.
COSO clearly emphasizes that strategy and risk are inseparable. Every strategic decision includes an explicit or implicit risk posture. The only question is whether the organization discusses that posture early enough, when decisions can still be shaped, or too late...
The publication also identifies four ideas that make the difference between ERM activity and ERM impact:
- ERM creates value through both protection and creation.
- Strategy and risk must be linked.
- Many organizations still face a real implementation gap.
- Effective ERM must be decision-led, lightweight, and embedded in how the business operates.
This is exactly the direction risk management should take.
The guide presents 10 ERM operating disciplines that, in my opinion, reflect very well what risk management should be in practice:
- Link strategy and risk
- Treat value creation as a required outcome
- Make risk appetite meaningful and usable
- Manage risk as a portfolio
- Prioritize decisions over documentation
- Measure value, not activity
- Run governance as a behavior system
- Embed ERM into operating rhythms
- Build candor as a capability
- Learn continuously
In many organizations, ERM still becomes a reporting cycle. Risks are identified, scored, mapped, updated, and presented. But the key question is often missing:
What decision did this change?
If ERM does not influence a decision, trigger an escalation, change a priority, improve resource allocation, or help leaders understand uncertainty, then it may be activity, but it is not value.
The goal is not a bigger risk register or a better-looking heat map. The goal is fewer surprises, faster pivots, visible ownership, and practices that work under real constraints.
Author: Sebastian Burgemejster