The COSO Internal Control System was extended by a publication from September 2004 that expanded the existing model with an Enterprise Risk Management method. COSO ERM consists of the following components:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
As with COSO ICS, the elements of COSO ERM are also often described in the form of a cube – shown in the figure. The ERM cube is more complex than the ICS cube, but some common elements can be found.
As ERM represents business risk management, a mission-critical aspect for every organisation, it was included among the models describing the processes of Governance Framework implementation. COSO ERM was selected for this purpose.
The figure below shows the elements of the COSO ERM process model. They are present both at the design level and at the execution level (where the monitoring takes place). It should be noted that information and communication is present at both levels: at the design level it deals with the development of a communication system, while at the execution level it supplies additional information (for example, providing employees with actionable information).