
Alex Sidorenko review of the new COSO ERM Guidance 2026


This document is the best thing COSO has published in years. I mean… ever… The decision-led framing is genuine, not cosmetic. The practical guidance is actionable. The critique of documentation-heavy ERM is honest.

It’s still a COSO document, which means it carries legacy baggage: risk appetite as a meaningful construct, the five-component framework as the organizing structure, and an implicit assumption that ERM programs exist as separate functions rather than being fully embedded into business planning, performance and decision processes. We’ll take it; it is still the best guidance published this year so far and a huge jump from the latest FERMA publication on the same topic.

This document finally points in the right direction.

The 10 Operating Disciplines

Let’s start with what’s genuinely good. The ten disciplines listed are, in aggregate, a significant step forward from traditional ERM language. Let me call out the ones that actually matter:

“Prioritize decisions over documentation” — this is the single most important sentence in the entire document. If organizations actually internalized this one line, it would eliminate roughly 60% of the useless risk register activity happening globally. The fact that COSO is now saying this explicitly is meaningful.

“Link strategy and risk” — yes, finally. Risk analysis that doesn’t connect to a strategic choice is just noise. The document at least names this as a discipline, even if it doesn’t fully operationalize it. Also, it is not just strategy that needs to be integrated with risk: any choice or decision, whether a new vendor, new equipment, new logistical routes, anything.

“Treat value creation as a required outcome” — again, correct. Risk management that only talks about protection is half a job. Every risk function should be able to point to decisions it improved, not just risks it logged.

“Build candor as a capability” — underrated. Most risk cultures fail not because of methodology but because people don’t say what they actually think in the room. This is a behavioral and organizational design problem, and I’m glad it made the list.

Not so good: “Make risk appetite meaningful and usable” and “Manage risk as a portfolio” are still framed in ways that assume the underlying constructs are sound. Risk appetite as a concept remains deeply problematic — it implies organizations can define in advance how much risk they’re willing to take as an abstract number or label, which is not how human decision-making works and not how uncertainty behaves. The document doesn’t challenge this; it tries to rehabilitate it. That’s a missed opportunity.

The Decision-Led Approach Section

This is the best section of the document, and I want to give credit where it’s due.

The framing — “What decision is needed? What are the options? What could change the outcome? Who owns what happens next?” — is exactly right. This is what risk analysis should look like at the point of decision. Four questions, decision-ready, actionable. If every risk conversation in every organization started here instead of with a 5×5 matrix, we’d be in a much better place.

The acknowledgment of the execution gap is also honest and important. The document correctly identifies that many organizations agree with decision-led ERM in theory but drift back into scoring exercises and abstract appetite language in practice. That’s a real diagnosis. The causes are deeper than the document admits — they include incentive structures, audit expectations, and the fact that compliance-style risk management is easier to defend to a board than probabilistic analysis — but at least the problem is named.

The “artifacts are concise, consistent, and designed to enable action — not compliance” line is excellent. Frame it on your wall.

What’s missing here: the document still doesn’t address how to quantify the uncertainty behind those four questions. Saying “what could change the outcome” is step one. Knowing whether that outcome shifts by 5% or 500% requires actual risk modeling — scenario analysis, simulations, sensitivity analysis. The document gestures toward this without committing to it. Still OK; we’ll take it.

The Practitioner Translation Guide

This section has the most operational value and also the most frustrating near-misses.

What works: The explicit call to replace “scoring debates, abstract appetite language, after-the-fact reviews, and board packets that compile rather than clarify” with repeatable behaviors at the point of decision. That’s a clean, honest critique of how most ERM programs actually operate. The substitution framing — “these are substitutions, not add-ons” — is the right mental model. You cannot bolt decision-usefulness onto a compliance process. You have to replace the compliance behavior with something better.

The document also correctly calls out that risk assessment must move beyond single-point estimates: “The COSO ERM Framework is clear that severity is not a single point estimate. There may be a range of possible impacts associated with a risk.” That’s a direct repudiation of the heat map religion. Saying it in a COSO publication matters.

What’s still weak: The guide still operates within the COSO framework as a given. It tries to make COSO decision-useful through translation rather than asking whether the framework’s architecture is itself part of the problem. The five-component COSO structure was designed for compliance reporting, not decision support. Translating it into decision language is possible — the document shows how — but it’s a retrofit. Organizations building from scratch would design something simpler and more directly tied to decision points.

There’s also no discussion of what happens when the risk function’s outputs contradict what management wants to hear. Candor as a capability is listed as a discipline, but the translation guide doesn’t address the political reality that decision-useful risk analysis is often unwelcome risk analysis. That’s the hardest part of the job, and it’s glossed over.

The biggest structural gap: The guide still talks about X — managing risks, risk reporting, risk registers. In an RM2 world, those things don’t exist as standalone artifacts. There is no “risk report.” There is a business performance report that incorporates uncertainty ranges. There is a project approval document that embeds risk implications and responses. There is a budget that shows distributions and contingencies, not point estimates. The guide describes F(X) in words but keeps reverting to X in its outputs.

The document acknowledges it: “ERM doesn’t exist to create artifacts. Its purpose is to help leaders make informed choices in the face of uncertainty. Documentation matters — for formality, auditability, regulatory requirements and coordination — but it is never the outcome.”

Correct, and well done to the authors.
