
COSO ERM 2017 vs 2024: What's Changed and Why It Matters for Your Risk Program

COSO ERM 2024 refines governance, strategic integration, and emerging risk identification. Learn what changed from 2017 and how to assess your program's gaps.

Truvara Team
March 24, 2026
12 min read

If your COSO ERM program was built on the 2017 framework and hasn't changed since, the 2024 updates expose gaps you probably don't know about. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its landmark Enterprise Risk Management — Integrating with Strategy and Performance in 2017, establishing the dominant framework for how organizations identify, assess, and respond to risk. Seven years later, the 2024 updates reshape how risk professionals approach ERM implementation.

The 2024 revisions respond to shifts in the operating environment: accelerating technological disruption, heightened stakeholder expectations, and lessons from organizations that implemented the 2017 framework at scale. If your risk program was built on COSO ERM 2017, those revisions are the reason it needs a structured reassessment rather than a refresh of the risk register.

What COSO ERM Is and Why It Matters

COSO ERM provides a structured approach to managing enterprise risk across an entire organization. Published by the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of five professional associations (the AAA, AICPA, FEI, IIA, and IMA), the framework is the dominant ERM model used by organizations globally. The 2017 version introduced five components that replaced the eight‑component cube of the 2004 framework: Governance and Culture, Strategy and Objective‑Setting, Performance, Review and Revision, and Information, Communication, and Reporting.

The 2017 framework was a significant evolution. It emphasized that ERM is not a compliance exercise but a strategic capability, one that creates and preserves value by informing decision‑making at every level. It reframed risk appetite as a strategic tool rather than a static board‑level statement, and provided 20 principles giving organizations concrete guidance on what effective ERM looks like.

The 2024 updates refine these components rather than replace them, but the refinements are substantive. COSO's updated guidance emphasizes three areas that received the most implementation feedback: integrating risk into strategic planning, improving communication of risk appetite across organizational levels, and addressing emerging risks that the 2017 framework handled inadequately.

Component 1: Governance and Culture

The 2017 framework treated culture as a component but provided limited guidance on how to assess it. Organizations struggled to translate broad principles into observable behaviors. Risk culture became a checkbox rather than a measurement target.

The 2024 update introduces more specific expectations for risk culture measurement, distinguishing between “tone at the top” and the broader risk behavioral patterns across the organization. This distinction matters: executives can communicate appropriate risk awareness while middle management consistently ignores it, and the 2017 framework offered no tool to identify this gap.

The most significant addition is explicit guidance on the board’s oversight role. The 2024 framework expects boards to demonstrate active engagement with risk information, not just receive reports. This includes guidance on independent board‑level risk committee structures in larger organizations, clearer expectations for non‑executive director involvement in risk decisions, and documentation standards for how the board fulfills its oversight responsibilities.

Regulators in financial services have increasingly focused on this exact issue—boards signing off on risk‑appetite statements they don’t genuinely understand. COSO's updated guidance addresses this by providing a maturity scale for risk‑culture assessment that organizations can use to benchmark themselves.

Component 2: Strategy and Objective‑Setting

The 2017 framework addressed risk in strategy formulation but treated it as a filter applied after strategy was set. A business unit would develop its strategy, then apply risk assessment to see if it exceeded risk appetite. This approach created an artificial separation between strategic planning and risk management.

The 2024 update calls for risk considerations to be embedded in strategy development from the outset. Rather than developing strategy and then checking it against risk appetite, organizations treat risk as a design constraint on the strategy from the beginning.

COSO 2024 introduces the concept of strategic resilience—the ability of the strategy to absorb disruption without fundamental revision. This responds directly to post‑2020 experience where organizations with rigid strategies suffered when operating conditions changed rapidly. A strategy that can only execute in stable conditions is a bet on stability, not a sound strategy.

The updated framework also clarifies the relationship between risk appetite and strategic choices, providing a decision matrix that organizations can use to evaluate whether proposed strategic initiatives fall within acceptable risk boundaries. For each strategic option, the framework asks: what is the downside scenario, how likely is it, and does it fit within our defined risk appetite?

Strategic Risk Integration   | 2017 Approach                     | 2024 Update
Risk in Strategy Development | Filter applied after strategy set | Embedded from the beginning
Strategic Resilience         | Not explicitly addressed          | Dedicated concept with assessment criteria
Risk Appetite Integration    | General principle                 | Decision matrix with evaluation criteria
Portfolio Risk Aggregation   | Ambiguous                         | Explicit methodology for aggregation types

Component 3: Performance

This component saw the most extensive revision. The 2017 framework described how organizations identify, assess, and respond to risks, but practitioners consistently reported ambiguity in applying these concepts in practice.

The 2024 update provides concrete criteria for risk‑assessment quality, distinguishing between initial screening, detailed analysis, and scenario‑based assessment. Organizations no longer have to determine for themselves what “thorough risk assessment” means—the updated framework supplies tiered standards that match the significance of the risk being evaluated.

The 2024 update also includes dedicated guidance on emerging‑risk identification. The 2017 framework mentioned emerging risks but offered no methodology for surfacing them. Many organizations defaulted to backward‑looking processes that catalogued known threats rather than uncovering unknown ones.

The updated framework introduces techniques such as horizon scanning, scenario planning, and cross‑industry trend analysis. It specifically calls out AI‑related risks, treats cybersecurity threats as enterprise‑level concerns, and highlights supply‑chain concentration risk—areas where the 2017 guidance was thin.

COSO also clarifies the relationship between ERM and internal controls. The 2017 framework sometimes blurred where risk response ends and control activities begin. The 2024 version draws a clearer line: risk response is the choice of how to address a risk (accept, avoid, pursue, reduce, or share it, in COSO’s own categories), while control activities are the policies and procedures that carry that choice out and contain its consequences.

Risk Assessment Enhancement | 2017 Guidance                 | 2024 Guidance
Risk Identification Scope   | General methods               | Industry‑specific techniques
Emerging Risks              | Mentioned without methodology | Dedicated identification framework
Risk Analysis Rigor         | Subjective tiering            | Criteria‑based with examples
AI/Cyber Risks              | Limited treatment             | Dedicated expanded treatment
Controls vs. Risk Response  | Ambiguous boundary            | Clear distinction defined

Component 4: Review and Revision

The 2017 framework treated monitoring as an afterthought—a periodic review rather than an ongoing process. Organizations scheduled annual risk reassessments and treated the results as current until the next scheduled review. This approach became increasingly untenable as business environments began changing faster than annual cycles could accommodate.

The 2024 update explicitly calls for continuous monitoring of risk exposure, not just annual reassessment. Organizations are expected to maintain real‑time or near‑real‑time awareness of their risk position, updating assessments as conditions change rather than on a fixed calendar.

Key additions include guidance on early‑warning indicators and the concept of risk signal intelligence—systematic processes for identifying and escalating deteriorating risk conditions before they reach crisis levels. This mirrors developments in financial services where real‑time risk monitoring has become standard practice, and COSO extends this expectation to organizations across all sectors.

COSO 2024 also adds guidance on post‑implementation review of risk responses. Organizations are expected to verify that the risk response they implemented actually reduced the identified risk, not just that a control exists. Many firms had control environments that satisfied compliance checklists while leaving genuine risk exposure unaddressed: controls existed because they were on a list, not because they tackled a specific threat.
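As an added illustration of the early‑warning indicator and post‑implementation review points in this component (example code written for this article, not COSO’s method and not a Truvara feature), the block below evaluates a key risk indicator against amber and red thresholds, projects its recent trend to flag a deterioration before the limit is actually breached, and checks whether a deployed response moved the indicator at all. The indicator names, thresholds, escalation routes, the 30% improvement floor and the weekly readings are all assumptions constructed for the example.

```python
"""Early-warning indicator (KRI) evaluation with trend projection, plus a
post-implementation check that a risk response actually moved the indicator.

Added illustration only: not COSO's method and not a Truvara feature.
Indicator names, thresholds, escalation routes and readings are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence


@dataclass(frozen=True)
class Indicator:
    name: str
    amber: float            # warning threshold (assumed value)
    red: float              # tolerance limit derived from appetite (assumed)
    higher_is_worse: bool = True


@dataclass(frozen=True)
class Signal:
    name: str
    status: str                      # green | early_warning | amber | red
    periods_to_red: Optional[float]  # projected periods until the limit is hit
    escalate_to: Optional[str]


def _slope(values: Sequence[float]) -> float:
    """Least-squares slope per period for equally spaced readings."""
    n = len(values)
    if n < 2:
        return 0.0
    x_bar = (n - 1) / 2
    y_bar = mean(values)
    num = sum((i - x_bar) * (y - y_bar) for i, y in enumerate(values))
    den = sum((i - x_bar) ** 2 for i in range(n))
    return num / den


def evaluate(ind: Indicator, readings: Sequence[float], horizon: int = 6) -> Signal:
    """Classify the latest reading and project the trend against the red limit.

    A reading still inside both thresholds but on a trend that reaches the red
    limit within `horizon` periods is flagged as an early warning: this is the
    case a fixed annual review cannot see.
    """
    if not readings:
        raise ValueError(f"{ind.name}: no readings")
    sign = 1.0 if ind.higher_is_worse else -1.0   # normalise so larger == worse
    cur, amber, red = (sign * v for v in (readings[-1], ind.amber, ind.red))

    periods_to_red = None
    rate = sign * _slope(readings)                # positive == deteriorating
    if cur < red and rate > 0:
        periods_to_red = (red - cur) / rate

    if cur >= red:
        status = "red"
    elif cur >= amber:
        status = "amber"
    elif periods_to_red is not None and periods_to_red <= horizon:
        status = "early_warning"
    else:
        status = "green"

    route = {"red": "board risk committee", "amber": "risk owner",
             "early_warning": "risk owner", "green": None}[status]   # assumed routing
    return Signal(ind.name, status, periods_to_red, route)


def response_effective(ind: Indicator, before: Sequence[float],
                       after: Sequence[float], min_improvement: float = 0.3) -> bool:
    """Post-implementation review: did the response move the indicator?

    Compares mean readings before and after the response and requires a relative
    improvement of at least `min_improvement` (assumed 30%). A control that exists
    but leaves the indicator flat fails this check.
    """
    base, post = mean(before), mean(after)
    if base == 0:
        raise ValueError(f"{ind.name}: zero baseline, cannot measure improvement")
    sign = 1.0 if ind.higher_is_worse else -1.0
    improvement = sign * (base - post) / abs(base)
    return improvement >= min_improvement


# Constructed sample indicators and weekly readings (not real data).
UNPATCHED = Indicator("critical_vulns_past_sla", amber=20, red=40)
RESTORE_OK = Indicator("backup_restore_success_pct", amber=95, red=90,
                       higher_is_worse=False)

if __name__ == "__main__":
    for ind, readings in ((UNPATCHED, [4, 8, 12, 16]),
                          (RESTORE_OK, [99, 98, 96, 97])):
        s = evaluate(ind, readings)
        print(f"{s.name}: {s.status}, periods_to_red={s.periods_to_red}, "
              f"escalate_to={s.escalate_to}")
    # Control deployed, indicator did not move: the review fails.
    print(response_effective(UNPATCHED, [16, 18, 20], [19, 17, 18]))
    # Same control, indicator roughly halved: the review passes.
    print(response_effective(UNPATCHED, [16, 18, 20], [9, 7, 6]))
```

The early‑warning case is the one an annual cycle misses: the unpatched‑vulnerability count is still green at 16, but the four‑week trend reaches the limit of 40 in six periods, so it is routed to the risk owner now rather than at the next scheduled review. The second function is the post‑implementation review in code: a response that leaves the mean reading flat returns False even though a control was deployed.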

Component 5: Information, Communication, and Reporting

The 2017 framework treated information systems as a supporting function. Organizations built ERM databases and risk registers, but the framework provided limited guidance on what information was actually needed and how it should flow.

The 2024 update elevates information architecture to a first‑class ERM concern. Organizations are expected to have explicit data requirements for each risk domain, with defined quality standards for risk information. An assessment is only as good as the information that informs it.

COSO 2024 specifies that risk reports must be tailored to the audience—operational managers need different information than the board. Using a single standard format for all audiences was common in 2017‑era implementations and consistently identified as a failure mode in post‑incident reviews.

This component introduces guidance on risk narrative—the ability to explain risk position in business terms rather than purely technical language. Audit findings from 2017‑era implementations frequently cited communication failures as a root cause of risk events: the board didn’t understand the risk, the business unit didn’t realize they had exceeded appetite, the CEO received information too late to act. The updated framework provides standards for risk‑communication quality.

Why These Changes Matter for Your Program

The 2024 updates are responses to documented implementation gaps. COSO reviewed post‑implementation experience from thousands of organizations and identified patterns in where programs fell short.

  • Timing of risk information – The most common gap was risk information reaching decision‑makers too late to be useful. The 2017 framework’s periodic review approach meant that by the time risk assessments were updated and reported, the conditions they described had often changed. The 2024 framework’s emphasis on continuous monitoring and early‑warning indicators directly targets this problem.

  • Strategic‑risk disconnect – Organizations that treated ERM as a separate compliance exercise—run in parallel to strategy rather than integrated with it—consistently underperformed on risk‑adjusted outcomes. Their strategies were bolder than their risk position justified, or they missed opportunities because risk assessment processes couldn’t keep pace with strategic decision timelines.

  • Emerging‑risk blindness – The COVID‑19 pandemic exposed firms whose risk identification processes were backward‑looking by design. They catalogued known threats and assessed known vulnerabilities but had no systematic process for surfacing unknown, high‑impact risks. The 2024 guidance on horizon scanning and scenario planning fills that blind spot.

  • Board engagement – Regulators are now scrutinizing board‑level risk oversight more closely. The new maturity scale and explicit board‑oversight duties give boards a clearer roadmap for accountability, reducing the risk of “sign‑off without understanding.”

By addressing these gaps, COSO ERM 2024 helps organizations move from a static, compliance‑focused checklist to a dynamic, strategy‑aligned risk engine.

How to Assess Your Current Program Against COSO ERM 2024

  1. Gap‑analysis worksheet – Download Truvara’s free COSO 2024 gap‑analysis template. Map each of the five components to your existing processes and note where the 2024 criteria are unmet.
  2. Maturity scoring – Use the new COSO risk‑culture maturity scale to score your organization on a 1‑5 scale for tone‑at‑the‑top, middle‑management engagement, and board oversight.
  3. Pilot emerging‑risk scans – Run a horizon‑scanning exercise in one business unit using the scenario‑planning techniques outlined in the 2024 guidance. Compare results with your current risk register.
  4. Update reporting cadence – Shift from an annual risk report to a quarterly “risk pulse” that includes early‑warning indicators and a concise risk narrative for each key stakeholder group.
  5. Board workshop – Facilitate a half‑day session with your board to walk through the new oversight expectations, the decision matrix for strategic risk, and the documentation standards.

These steps give you a practical roadmap to transition without overhauling your entire ERM infrastructure.

Key Takeaways

  • Integrate risk early – Embed risk considerations in strategy formulation, not as a post‑hoc filter.
  • Elevate risk culture measurement – Adopt the 2024 maturity scale to differentiate tone‑at‑the‑top from everyday risk behaviors.
  • Adopt continuous monitoring – Implement real‑time risk signal intelligence and early‑warning indicators.
  • Formalize emerging‑risk processes – Use horizon scanning, cross‑industry trend analysis, and scenario planning to surface unknown threats.
  • Tailor communication – Develop risk narratives and reporting formats that match the needs of operational managers, executives, and the board.
  • Engage the board – Follow the new board‑oversight duties and documentation standards to satisfy regulator expectations.

Next Steps for Your Organization

  1. Run a quick self‑assessment using Truvara’s COSO 2024 checklist (link).
  2. Prioritize gaps that have the highest impact on strategic resilience and board oversight.
  3. Create a 90‑day implementation plan that includes pilot projects for continuous monitoring and emerging‑risk identification.
  4. Leverage Truvara’s GRC platform to automate risk data collection, real‑time dashboards, and customized reporting.
  5. Schedule a board‑level briefing to align expectations and secure sponsorship for the transition.

Conclusion

COSO ERM 2024 is not a brand‑new framework; it is a sharpened version of the 2017 model that directly addresses the pain points many organizations discovered after years of implementation. By tightening governance expectations, weaving risk into strategy from day one, clarifying performance and emerging‑risk methods, demanding continuous review, and insisting on audience‑specific communication, the 2024 update turns ERM into a true strategic advantage.

For risk leaders, the message is clear: the clock is ticking on the 2017‑era approach. Conduct a gap analysis, prioritize the most critical updates, and use technology, such as Truvara’s GRC suite, to embed the new practices into everyday workflows. Doing so will not only align your program with the latest COSO guidance but also position your organization to anticipate disruption, seize opportunities, and protect value in an increasingly volatile world.

