What is COSO and what does it mean for risk management?

As discussed in previous posts (see ISO 31000 and PMBOK for starters), the risk management world is full of important acronyms. In this installment of “what does that risk management acronym mean?” we’ll look at COSO.

What is COSO?

The acronym “COSO” is short for the Committee of Sponsoring Organizations of the Treadway Commission. According to its website, COSO is a joint initiative of five private-sector organizations – the American Accounting Association, the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Association of Accountants and Financial Professionals in Business, and the Institute of Internal Auditors (IIA).

COSO is “dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.”

Clear as mud?

We understand. That’s a fine-sounding explanation and mission, but you may still be scratching your head and asking, “So how exactly does COSO relate to risk management?” Allow us to explain.

In 1985, COSO was organized to sponsor the National Commission on Fraudulent Financial Reporting. According to COSO, the Commission is “an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting.” In addition, the Commission developed recommendations for both public companies and their independent auditors. It also created recommendations for regulators such as the SEC, as well as for educational institutions.

Here’s the risk management part, so pay attention. COSO’s goal is to serve as a thought leader in three primary areas: enterprise risk management (ERM), internal control, and fraud deterrence. In 2004, COSO published Enterprise Risk Management – Integrated Framework. Beginning in 2009, COSO also began publishing papers on ERM, which are available for download free of charge.

What’s in the Integrated Framework?

According to COSO, its Enterprise Risk Management – Integrated Framework:

• Defines essential risk management components
• Discusses key ERM principles and concepts
• Suggests a common ERM language
• Provides clear direction and guidance for enterprise risk management

NOTE: In September 2017, the Enterprise Risk Management – Integrated Framework was updated. The 2017 revision addresses the evolution of enterprise risk management.

Summary: why is COSO important to risk management?

In summary, COSO is a key player in the world of risk management because it:

1. Serves as a thought leader in the industry

2. Publishes one of the most widely recognized and applied risk management frameworks in the world (Enterprise Risk Management – Integrated Framework)

3. Advises regulators such as the SEC
