COSO's New ERM Guidance: Shifting from Documentation to Decision-Making
COSO's latest guidance, "From Guidance to Action: Exploring Practical Enterprise Risk Management (2026)," emphasizes integrating ERM directly into organizational decision-making processes rather than treating it as a separate compliance function. This shift is crucial for internal audit and assurance professionals, as it redefines ERM's value proposition from merely identifying risks to actively influencing strategic choices, resource allocation, and operational effectiveness. The guidance advocates for a "Department of Know, not No" approach, positioning ERM as a strategic partner that helps leaders make better, more informed decisions.
COSO Redefines ERM's Purpose: From Activity to Effectiveness
COSO's new guidance, "From Guidance to Action: Exploring Practical Enterprise Risk Management (2026)," marks a significant evolution in how Enterprise Risk Management (ERM) should be perceived and implemented. The core message is a powerful call to move ERM beyond mere documentation of risks to actively influencing organizational decisions. This shift is critical for internal audit and assurance professionals, as it underscores that ERM's true value lies in its ability to contribute to clearer choices, earlier pivots, fewer surprises, and enhanced board confidence. The guidance challenges the traditional view of ERM as a compliance or assurance function, advocating instead for its integration into the very fabric of planning, investment, and operational rhythms.
Integrating ERM into Strategic and Operational Decisions
The paper highlights that effective ERM is not about updating heat maps or compiling risk and control self-assessments (RCSAs) on a schedule. These artifacts are only valuable if they genuinely change a decision, trigger an action, clarify ownership, or fulfill a regulatory requirement. When ERM is decision-useful, it frames real options, focuses attention on critical uncertainties, defines triggers for action, and ensures explicit ownership and follow-through. This perspective transforms ERM from a potential bottleneck into a strategic enabler, helping leaders make better "bets" by allocating resources with clearer trade-offs, setting appropriate risk-taking boundaries, and building flexibility into strategies. It reframes ERM as a "Department of Know, not No," supporting leaders in finding a "pathway to yes" through practical controls and resourcing, rather than simply preventing action.
Tailoring Risk Information for Diverse Decision-Makers
While the guidance offers many valuable insights, a notable omission is the explicit perspective of day-to-day decision-makers across various organizational levels. The article points out that risk information needs to be tailored to every decision to be truly useful, whether it's selecting a vendor, adjusting product prices, hiring a candidate, or implementing new technology. Internal audit professionals should recognize this gap and ensure that their ERM frameworks and reporting mechanisms cater to both strategic and tactical decision-making needs. By providing relevant, decision-specific risk insights, internal audit can help embed ERM throughout the organization, ensuring that risk considerations are an integral part of all choices, not just those at the executive level. This holistic approach will ultimately lead to a better-run business, where risk management is seen as a capability that actively shapes better outcomes and captures opportunities, rather than just preventing losses.
- Shift from Documentation to Decisioning: ERM's value is in influencing choices, not just listing risks.
- Integration with Business Processes: Embed ERM into planning, investment, and operational rhythms.
- Decision-Useful ERM: Focus on framing options, identifying critical uncertainties, and defining action triggers.
- Strategic Partnership: Position ERM as a "Department of Know, not No" to support better strategic decisions.
- Tailored Risk Information: Ensure risk insights are relevant and actionable for both strategic and tactical decision-makers.
Read more