Chief risk officer Michael Doyle argues that ERM has in fact stood the test of time and has made a significant contribution to the development of risk management as a profession.

The 2017 revision to the original COSO ERM paper makes for very interesting reading, primarily in that it recognises the gap that risk should be better integrated with strategy and performance – I doubt there would be much argument among risk professionals about that!

The 20 principles are divided into 5 components:

  1. Governance & Culture,
  2. Strategy & Objective Setting,
  3. Performance,
  4. Review & Revision, and
  5. Information, Communications and Reporting.

These are very closely linked with the revised principles in the 2018 revision to the ISO31000 standard (Integrated, Structured & Comprehensive, Customised, Inclusive, Dynamic, Best Available Information, Human & Cultural Factors and Continual Improvement). It’s indeed pleasing to see these standards (and others, eg APRA Prudential Standard CPG 220) are aligning.

Whilst acknowledging that the revision does address these gaps (especially the earlier integration of risk into strategy setting, as opposed to being merely “applied in a strategic setting”), it’s worthwhile examining the original definition and how it has stood the test of time, particularly as it has formed the cornerstone of many risk programs over the last 14 years.

Let’s break down the definition, make some observations and see if the 2017 revision addresses gaps.

2004 definition: ERM is a process[1]
Observations: It’s not a program, a system, a checklist or a heat map – it’s a process.

2004 definition: affected by an entity’s Board of Directors, Management and other Personnel….
Observations: Starts with, and is championed by, top management but is “lived” by all staff.
2017 update and thoughts: The update seeks to “accommodate expectations for governance and oversight” – these are only likely to increase in the future with growing evidence that ethical decision making and processes will be incorporated into reporting and auditing.

2004 definition: applied in a strategic setting and across the enterprise….
Observations: The key word here is “applied” – it links back to process – it’s not something that is just looked at every quarter at the risk and audit committee.
2017 update and thoughts: The update “provides greater insight into the value of enterprise risk management when setting and carrying out strategy” – if risk management (not just ERM) is to progress to the C-suite in organisations, being embedded in strategy development and decision making is vital.

2004 definition: designed to identify potential events that may affect the entity….
Observations: Is “events” the best word here? “Affect” correctly highlights that risks aren’t all bad – they can highlight competitive gaps.
2017 update and thoughts: The update refers to “globalisations of markets and operations” and “presents new ways to view risk” – the ISO31000 process for risk management (clause 6) highlights identification of risk > analysis > evaluation > treatment. ERM MUST keep as its central tenet the process as outlined above.

2004 definition: and to manage risks to be within its appetite…
Observations: The Risk Appetite Statement (RAS) still remains a cornerstone of many ERM programs – it is understood by Boards, an excellent reference point for staff, value adding in its own right, and provides the first strategic input and oversight for risk professionals.
2017 update and thoughts: The update states, among other references to RAS, “The board of directors and management need to determine if the strategy works in tandem with the organization’s risk appetite” – it, in effect, “doubles down” on the importance of RAS.

2004 definition: to provide reasonable assurance regarding the achievement of entity objectives.
Observations: Highlights the role risk should have in management reporting and objective setting, and in measurement against targets (the feedback loop).
2017 update and thoughts: The update “Expands reporting to address expectations for greater stakeholder transparency” and also refers to “evolving technologies…data and analytics” – we as risk professionals need to keep ahead of the curve when it comes to rapidly changing technologies (if these are not “opportunities”, then what are?!) and position risk to be future focused.


It would be very easy to adopt the old adage of “if it isn’t broke, then don’t fix it”. As outlined above, the 2017 update does make important (and value-adding) enhancements to the original ERM framework, but on balance we can confidently state that ERM has indeed stood the test of time and has made a significant contribution to the development of risk management as a profession.

So perhaps we can liken the update to a digital remastering of The Beatles’ “White” album – improving on something that was already very good!

[1] My favourite definition of process is still “how we do things here”