ERM Fundamentals

The Relationship between Internal Controls, ERM, and the Business Model


A COSO thought paper titled “Improving Organizational Performance and Governance- How the COSO Frameworks Can Help” (Jim Deloach and Jeff Thomson, COSO, February 2014) highlights the importance of using principles-based frameworks to organize an ERM process. The COSO Internal Control Integrated Framework and the COSO ERM Integrated Framework can be related to an overall business model and can contribute to an organization’s long-term success. COSO’s fundamental idea is that good risk management and internal control are necessary for the long-term success of every organization, and that improving organizational performance and governance supports this goal.

A Contextual Business Model

The article provides a general business model that illustrates how the COSO frameworks integrate with the activities of the business. The model’s key elements are Governance, Strategy Setting, Business Planning, Execution, Monitoring, and Adapting. Governance and Strategy Setting are environmental elements that must be in place first. Business Planning, Execution, Monitoring, and Adapting form a continuous management cycle that relies on governance and strategy setting in order to be successful.

The model begins with governance, which starts with the organization’s vision and mission and consists of oversight from the board of directors of the enterprise’s planning and operations. Next is strategy setting, which is the process by which executive management articulates a high-level plan for achieving one or more goals consistent with the organization’s mission. Business planning formally articulates specific goals or roadmaps on how management will contribute to achieving the overall strategic objectives, explains why those objectives are achievable, and provides an enabling process for deploying and executing the corporate strategy across the organization within the specified planning horizon.

Execution consists of the organization’s core operations in place to design, build and operate the processes that make the business plan work and deliver expected performance in accordance with the values and strategy of the organization. Monitoring consists of the activities established by management to review and oversee execution of the organization’s operations against the overall strategic plan, including the level of acceptable risk. Adapting describes the organizational processes by which issues identified through monitoring activities are translated into implementable changes to the corporate strategy, business plan and/or execution tactics (including risk responses and /or internal controls).

Relationship of ERM and Internal Control to Contextual Business Model

ERM and internal control contribute value to, and are integrated as part of, the overall governance and management process. The COSO Internal Control Framework and the ERM Integrated Framework each map their components onto the activities of the business model. The internal environment and objective setting components map to governance, strategy setting and business planning. The event identification, risk assessment and risk response components of the ERM framework are applied in strategy setting and business planning; the control activities component is applied in execution; and the monitoring component of the COSO Internal Control Framework is applied in monitoring. Event identification, risk assessment and monitoring are also applied in adapting. The information and communication components of both frameworks apply alike across every element of the business model. It is important to remember that, as a subset of ERM, internal control also contributes value to the organization.

Why the Frameworks are Important to Governance

Both frameworks facilitate and support the governance process when implemented effectively. Their purpose is to help the enterprise achieve its objectives and to optimize the enterprise’s value. The board of directors and senior management have two very different roles. It is the duty of the board to approve strategic decisions, establish boundaries, and oversee execution. Senior management aligns strategy, processes, people, reporting and technology to accomplish the organization’s mission in accordance with its established values. The board sets boundaries in relation to risk. ERM instills a management discipline within the organization for discussing opportunities and risks and how they are managed. ERM makes this contribution in three ways: risk management philosophy, risk appetite, and control environment.

Risk Management Philosophy
One of the elements of the ERM internal environment is the risk management philosophy, which is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. It communicates the importance of risk throughout the entire entity. Every organization has a risk management philosophy. The characteristics to consider are whether the philosophy is well developed, whether it is implicit or explicit, and how well personnel understand it and cooperate with the culture it creates.

Risk Appetite
Risk appetite reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style. Risk appetite is usually established in a risk appetite statement, which frames the risks the organization should accept, the risks it should avoid, and the strategic, financial and operating parameters within which the organization should operate. Risk appetite is a fine balance. It must be flexible enough to respond to changes in the business environment, but not so flexible that the appetite is constantly changing; an entity that alters its appetite frequently will lose value. Risk appetite is fundamental to any governance process that seeks to appropriately balance the organization between value creation and value protection.

Control Environment
Five principles in the control environment of both frameworks support a strong governance process: the commitment to integrity and ethical values; the board of directors demonstrating independence and oversight; management establishing reporting lines; the organization’s commitment to competent individuals; and the organization’s commitment to accountability. A business is only as good as its people, and these principles support that theory.

In summary, applying either or both COSO frameworks will strengthen the impact of the governance process on the organization’s risk culture and, ultimately, the achievement of its business objectives as agreed upon by executive management and the board.

Why the Frameworks Are Important to Strategy Setting and Business Planning

Elements from the objective setting, event identification, risk assessment and risk response components of the ERM framework have a direct impact on strategy setting and business planning.

In objective setting, strategic and related objectives are established and risk appetite and risk tolerances are considered. A well-articulated risk appetite statement that is communicated effectively to operating units can provide clarity and focus to the business planning process. Risk tolerances, which result from objective setting, can be an effective tool in this regard if they are sufficiently granular and expressed in such a way that they can be: (a) mapped into the same metrics the organization uses to measure success in achieving an objective, (b) applied to all categories of objectives (strategic, operations, reporting and compliance) and (c) implemented by operating personnel throughout the organization.

Event Identification
Event identification is important because it addresses the uncertainty of whether or when an event will occur and the extent of its impact on the organization should it occur, an uncertainty that extends across the planning horizon. Event identification supports strategy setting and business planning in many ways: by considering key influencing factors, deploying appropriate event identification techniques, analyzing event interdependencies and identifying signs of relevant change.

Risk Assessment
Risk assessment should be an integral part of the strategy-setting process. Strategic and other risks should be supported or rationalized by management. Another reason why the risk assessment component is applicable to strategy setting and business planning is that strategic objectives are included within the scope of the ERM framework.

Risk Response
Risk response is the most important component when applying the ERM framework to strategy setting and business planning. The way an entity responds to risk is just as important as the way an entity plans for risk. ERM focuses on strategic objectives while internal control provides an important risk response option in executing the strategy and business plan.


Why the Frameworks Are Important to Execution

The control activities and information and communication components in either COSO framework support the execution of the strategy and business plan, because this is how business objectives are achieved.

Control Activities
These activities consist of actions of people to implement established policies, directly or through application of technology, to help ensure that management’s risk responses are carried out. Once selected and developed, they support the implementation of risk responses and are deployed through policies and procedures. They are vital to successful execution of the business model because they are intended to mitigate the risks of relevant objectives not being achieved.

Information and Communication
Both information and communication are vital to execution at all levels of an organization to identify, assess and respond to risk on an ongoing basis and ensure the achievement of objectives.

Why the Frameworks Are Important to Monitoring

The monitoring component of both frameworks plays an important role in an organization because it provides the discipline to improve risk management capabilities and internal control continuously in a changing business environment. Monitoring assesses progress towards attaining objectives and evaluates performance of processes, risk responses and internal control. It identifies new issues, risks and problems as well as deficiencies in ERM and/or internal control.

Why the Frameworks Are Important to Adapting

Adapting is all about positioning companies to quickly recognize a unique opportunity or risk and use that knowledge to evaluate their options and seize the initiative either before anyone else or along with other organizations that likewise recognize the significance of what’s developing in the marketplace. Failing to adapt can be fatal in today’s complex and dynamic business environment.


The COSO ERM and internal control frameworks contribute value to the six attributes of the contextual business model: the governance, strategy setting, business planning, execution, monitoring and adapting processes of an organization. The COSO frameworks, whether applied singularly or together, enable directors, senior management, and internal and external stakeholders to communicate more effectively. This enhanced risk-focused communication facilitates discussion about issues important to improving governance, assessing risk, designing risk responses and control activities, facilitating relevant information and communication flows, and monitoring ERM and internal control performance.

Original Article Source: “Improving Organizational Performance and Governance- How the COSO Frameworks Can Help”, Jim Deloach and Jeff Thomson, COSO, February 2014