COSO pushes ERM into action

- COSO on May 4 released “From Guidance to Action,” a new ERM paper aimed at turning enterprise risk management into everyday decision practice.
- The paper says many ERM programs still miss strategic decisions, and pushes operating disciplines, decision-ready risk insight, and real-world examples managers can use.
- That matters because boards want risk tied to strategy now — not parked in annual binders or audit-only workflows.

Risk management is getting pushed out of the binder and into the operating rhythm. That is the real news here. On May 4, COSO — the Committee of Sponsoring Organizations of the Treadway Commission — released a new paper called *From Guidance to Action: Exploring Practical Enterprise Risk Management*. The point is simple: a lot of ERM still exists as documentation, but companies need it to shape actual decisions.

### What did COSO actually release?

COSO released a research paper meant to help organizations make ERM more useful in practice, not just more complete on paper. The paper is framed as a way to improve strategic relevance, decision-making, and “real-world impact,” which tells you exactly where COSO thinks the gap is today. This is not a rewrite of the ERM framework itself. It is more like a field guide for making the framework usable when managers have to choose, trade off, and move. (coso.org)

### Why does “from guidance to action” matter?

Because most companies do not fail at naming risks. They fail at using risk thinking when a real decision shows up. COSO is basically saying the old pattern — maintain a register, update slides, brief the board, repeat — is not enough. If ERM is not showing up at key decision points, then it is governance theater more than management discipline. That is the nerve this paper is hitting. (coso.org)

### What gap is COSO trying to close?

The gap is between strategy and execution. COSO says many ERM programs are not truly integrated into strategic decisions, which means the function can end up adjacent to the business instead of inside it. The new paper tries to close that by showing how to link strategy and risk at decision points, and by laying out operating disciplines that make risk insights timely and usable under real-world constraints. (coso.org)

### So what changes for managers?

Managers are being told to treat ERM less like a periodic compliance exercise and more like a repeatable operating process. That means risk information has to be decision-ready, not just technically correct. A risk team that produces a perfect quarterly artifact after the decision is already made has not helped much. COSO is pushing for routines that fit how companies actually run — cross-functional, time-constrained, and forced to make calls with imperfect information. (accountingtoday.com)

### Is this mainly for boards or for operators?

Both, but the center of gravity is shifting toward operators. Boards still care about oversight, obviously, but COSO’s language here is about strengthening decision confidence across the organization. That is a subtle but important move. It treats ERM as something that should help product, finance, operations, compliance, and leadership make better calls — not just something that produces a board packet. (coso.org)

### Does this replace the older COSO framework?

No. It sits on top of the existing ERM framework and makes it more practical. COSO’s ERM materials have long emphasized integrating risk with strategy and performance, and the organization already offers examples and supplements for day-to-day use. The new paper extends that same direction, but with a sharper message: stop admiring the framework and start operationalizing it. (prnewswire.com)

### Why now?

Because the environment keeps getting noisier, and static risk programs look weaker every year. COSO has been publishing ERM guidance for years, but this release lands in a period when organizations are under pressure to show they can connect uncertainty to action. The subtext is that leaders do not need another abstract case for ERM. They need a way to make it usable on Tuesday morning. (coso.org)

### Bottom line?

COSO is not saying companies need more risk paperwork. It is saying they need risk habits. That is a bigger shift than it sounds — because once ERM becomes part of how decisions get made, it stops being a side function and starts becoming management itself. (coso.org 1) (coso.org 2)
