Using the COSO ERM Framework to Move Forward from the Pandemic Crisis

Risk Management Magazine Article

By Thomas Holland, Kate Sylvis

As organizations emerge from the pandemic, the question has shifted from how to survive to how to thrive in this new environment. This is a challenging question because of the level of uncertainty that still exists. Which changes are temporary vs. which will remain permanent? What new changes will surface as more people are vaccinated and we approach herd immunity? Enterprise risk management (ERM) can help organizations navigate the uncertainty, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2017 ERM Framework, “ERM — Integrating with Strategy and Performance,” provides insights that can help organizations manage their risk and realize opportunities.

In an article for Risk Management Magazine, our Thomas Holland and Kate Sylvis examine the framework's components, offer considerations for organizations navigating these uncertain times, and provide illustrative examples of some of the principles in action.

COSO framework

Governance & Culture

The new environment is likely to demand different governance and oversight, and it will both require and force cultural shifts. Organizations should examine how they can best position their boards to provide effective oversight in the new and rapidly changing environment. Consider whether your operating structures should be modified, either temporarily or permanently, and whether new, additional operating structures are needed. The crisis has tested culture, and recovery will continue to provide an opportunity for leaders to demonstrate commitment to organizational values through their actions. Certain aspects of the culture will contribute to success or failure in the new environment. Examine the culture in the context of the new environment and use this understanding to inform action. Organizations may determine that the desired culture and behaviors have changed during the pandemic. The skills and capabilities needed at each level warrant a close examination of the current and potential future environment. For example, does the organization have the right technology and cyber skill sets embedded in the appropriate parts of the organization to enable continued remote work, virtual collaboration, and digital interactions with stakeholders, without compromising the mission or accepting unnecessary risk?

Illustrative example: As COVID-19 began to spread across the globe, a university reviewed the composition of its board and its leadership team. The university decided to add an experienced virologist to its board and to also add a new executive leadership position: chief medical officer. The new member of the board proved valuable in providing forward-looking insights about what would likely transpire next on a national and international level, as well as keeping the board apprised of the latest reliable information about the virus to consider the impacts on the institution and its stakeholders. The chief medical officer kept the faculty apprised of the latest guidance regarding preventing the spread of the virus and also worked with the other leaders of the university to design and implement protocols to protect students and faculty. As a result of this proactive governance review and adjustment, the university was notably more prepared to adjust to fully virtual classes once the decision was made to do so, as well as to return safely to some in-person classes when the time was right.

Strategy & Objective-Setting

This crisis is changing every organization's business context. Now is the time to understand the implications of these changes on the very core of your existence: your mission, vision, and the strategies that drive value. It may also be time to revisit and question your overall risk profile and risk appetite. Be mindful and deliberate in applying changes to risk appetite; this will likely require revisiting existing strategies or developing new ones. As organizations face new pressures, any new strategies you pursue must align with the mission and vision and reflect core values. Given changes in the business, organizations are likely to have to revisit performance expectations. Are there areas of new or increased opportunity that, with the right strategy, could deliver greater value? Are there other strategies that are no longer optimal in the new environment and warrant revision, or redirecting their resources elsewhere?

Illustrative example: A restaurant food delivery business reviewed its strategies and supporting business operations in the context of the crisis, and also in the context of the changes expected to continue beyond it. The company observed that while there were continually increasing options for grocery delivery, there were not as many options for pet food and supplies delivery. The company partnered with a regional pet food and supplies store chain to implement same-day delivery for items ordered from the chain's website and available at a nearby store.

Performance
Organizations should ensure that mechanisms are in place to identify and assess risks to objectives at each organizational level and to elevate them quickly if they might have broader impacts. As the environment changes, so do organizations’ risk profiles. Consider expanding your set of techniques used for risk identification (e.g., scenario analysis, gaming and simulations). Well-defined performance measures with defined acceptable variations in performance informed by risk appetite can help organizations track both risk and performance in an integrated manner, but organizations have to be prepared to adjust these as the new environment creates risks and opportunities. Organizations should be alert for potential opportunities, prioritizing those that improve overall resilience.

Illustrative example: A municipal agency whose responsibilities include processing and approving applications receives the applications both through an online portal and through the mail. The agency also has a relatively large call center. On a weekly basis, the senior leadership team meets to review the previous week's performance metrics, including any deviations from defined tolerance bands, and to discuss emerging risks. During one of these weekly meetings, a participant raised the possibility that the agency would have to switch to a complete telework posture in the coming weeks. Many entities in other countries seeing high numbers of COVID-19 cases had already taken this step. In reviewing the metrics, the team had also noted the relatively high backlog of paper applications. This was not surprising given the time of year, but viewed in the context of potentially having to switch to 100% telework, it was very concerning. The paper applications were all processed onsite, and this was the main part of the agency's operations that could not easily be switched to telework.

The team decided to prioritize scanning as many applications as possible so that they could be processed virtually if needed. In reviewing the performance metrics, the leadership team saw that the call center was exceeding its level-of-service target for both the previous week and the year to date. Knowing that the call center could be operated virtually, leadership decided to take nearly one-third of the call center employees off the phone lines so that they could assist with scanning paper applications. The level of service would drop significantly for the next week, but overall the agency would be able to stay above its lower acceptable performance threshold for the year. In parallel with the work of scanning the backlog, a team developed a plan for very small shifts of individuals to receive and scan incoming paper applications, to then be processed virtually, should the agency need to switch to maximum telework. The agency had the full backlog of applications scanned and ready for virtual processing one day before the decision was made to switch to maximum telework. The agency also had a plan for paper applications received during maximum telework. As a result of deliberately considering current performance and potential risks together, the agency was better equipped to continue its operations through COVID-19.

Review & Revision

The crisis forced organizations to examine the impact on strategy, objectives, performance, and risk. Reviewing and considering the impact of the new environment will need to be iterative. Organizations should establish mechanisms to regularly review the current and anticipated impact and to adjust strategy, risk taking, performance, and resource allocation accordingly. They may need to adjust normal performance and risk review processes for mission-critical areas, or for those likely to be most vulnerable or critical in the new environment. The crisis tested the effectiveness of organizations' ERM programs, particularly in how the organization prepares for and responds to rapidly manifesting risks in a turbulent environment. This experience can provide insight into how to enhance ERM capabilities and organizational resilience, and a deliberate look back at how the crisis was handled can surface these insights.

Information, Communication & Reporting

The crisis tested how well organizations could feed management timely and relevant information. This will continue to be critical in the new environment, and organizations should consider how best to use technology to enable it. As organizations' risk profiles and risk appetites continue to change, and their culture is tested, reporting on these in a manner that provides timely and actionable insights will prove valuable. Reviewing established indicators to identify those to monitor more closely, as well as establishing new indicators, will help organizations gauge emerging risk exposure and the effectiveness of new strategies. As new relationships between risks emerge and reveal themselves, understanding the web of relationships across risks will provide insight into their severity and potential impact on strategy. This requires bridging silos and bringing transparency through effective measures and reporting across both mission and mission-support functions, front office and back office alike.

Illustrative example: As a consumer products company adjusted operations due to the COVID-19 pandemic, the chief operating officer (COO) reviewed the information on risk, performance, and culture that was being reported to management and the board and the reporting cadence. As a result of this review, the COO engaged the chief human capital officer (CHCO) to suggest more frequent reporting on employee sentiment than the annual employee sentiment survey, given the substantial amount of change employees were experiencing. They agreed to implement a bi-weekly employee survey to gauge employee sentiments, including engagement and morale. As part of the review of reporting cadence, it was also determined that the bi-annual risk and performance report to the full management team and board would switch to monthly. Additionally, this report would be supplemented with information about the overall operating status of each function, as well as data on the number of employees teleworking and those continuing to work onsite within each function.

Early on, a notable trend emerged, where organizations with high percentages of employees teleworking were reporting lower levels of engagement and overall negative impacts to morale. Until that point, management had been primarily focused on the well-being of the individuals having to work onsite, given potential safety concerns despite the mitigations implemented. It became clear that the culture of the organization had revolved around being onsite and feeling part of a team. The COO and CHCO initiated an effort focused on remote employee engagement. By reviewing and revising existing reporting as a result of the substantial change the company was experiencing, the leadership was able to uncover a rapidly emerging risk and implement responses to help mitigate it.

Enhancing Resilience

As organizations emerge from the pandemic, significant uncertainty persists. While the COSO ERM Framework provides an overall structure through which organizations can pursue strategies and manage risk and performance, organizations need to tailor and apply the framework. This crisis provides an opportunity for organizations to enhance their resilience going forward. This requires taking a close look at how the organization’s existing structures, processes, and culture performed under this time of intense pressure and stress. By investing the time and resources now for such an evaluation, entities can bolster resilience and emerge from the crisis ultimately stronger.

Reprinted with permission from Risk Management Magazine. Copyright 2021 Risk and Insurance Management Society, Inc. All rights reserved.
