COSO shows how to put risk assessment into practice

Please note: This item is from our archives and was published in 2012. It is provided for historical reference. The content may be out of date and links may no longer function.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) on Friday released a thought paper, Risk Assessment in Practice, designed to help organisations find the optimal risk-taking zone, which the paper refers to as the “sweet spot.”

“Risk assessment is all about measuring and prioritising risks so that risk levels are managed within defined tolerance thresholds without being over controlled or forgoing desirable opportunities,” Deloitte & Touche LLP partner and paper co-author Patchin Curtis said in a news release.

The thought paper describes a risk assessment process that should be practical, sustainable and understandable. The enterprise risk management (ERM) process must be structured, disciplined, and correctly scaled to the organisation’s size, complexity and geographic reach, according to the paper.

Identifying risks requires casting a wide net at first to understand the possibilities that need to be included in the organisation’s risk profile, according to the paper. Prioritisation then takes place to focus senior management and board attention on key risks.

The risk assessment process outlined in the paper includes:

  • developing assessment criteria
  • assigning values to each risk and opportunity
  • considering risk interactions because risks, when combined, can cause compounded damage
  • prioritising risks
  • responding to risks

The authors advocate developing “assessment scales” to measure the impact, likelihood, organisational vulnerability and speed of onset of risks on a scale from 1 (low) to 5 (high). Any two of those factors can be plotted against each other in graphical representations known as “risk maps” or “heat maps” to inform decisions, according to the paper.

Although many organisations begin this ERM process by using simple spreadsheets, the paper says, software and systems are available that will quickly pay for themselves in saved labour costs.

The paper advises that the information learned from the risk management process must feed into the strategic planning process to facilitate the proper actions.

“You’ll know you’re doing risk assessment right,” the paper concludes, “when leaders at every level use the information to make decisions regarding value.”

Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine senior editor.

 
