Analysis of the COSO risk management model: Main aspects
Inna Vishtak, Alina Podorozhnyuk, Eliza Voitko

The relevance of the study is determined by the growing uncertainty in the external environment, which requires the implementation of effective risk management systems. The aim of the study was to analyse the key aspects of the Committee of Sponsoring Organisations of the Treadway Commission Enterprise Risk Management (COSO ERM) model and to justify its application for integrated risk management in enterprises. The study uses analysis of scientific sources, structural and logical generalisation, and a systematic approach. The theoretical and practical aspects of risk management in an enterprise are considered, taking into account the challenges and trends of the global market. A systematic approach to risk management is analysed, one that provides comprehensive coverage of all business processes related to the identification, assessment and response to risks. The key components of the COSO ERM methodology, one of the most widely recognised in global practice, are identified. The COSO ERM model is based on the principles of integrated management, in which risks are viewed not as isolated threats but as part of strategic planning and management processes. The application of the three-component COSO structure, which comprises enterprise objectives, the internal environment and the organisational levels of influence, is considered. This approach makes it possible to harmonise strategic, operational and reporting processes within a single control system. The relationship between the main elements of risk management is revealed, which makes it possible to adapt the model to the specifics of how enterprises in various industries operate. The feasibility of implementing the COSO model as a tool for increasing business resilience to external uncertainty is argued.
Methodological approaches to improving risk management in accordance with the requirements of economic security and strategic development are proposed. The practical value of the study lies in the possibility of using its results by specialists in the fields of risk management, internal audit and strategic management.