Explain the COSO ERM framework.
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
COSO ERM (the 2017 'Enterprise Risk Management — Integrating with Strategy and Performance') frames risk management not as a standalone compliance exercise but as integral to setting and executing strategy and driving performance. It has five interrelated components: Governance & Culture (board oversight, operating structure, ethical values); Strategy & Objective-Setting (analyzing business context, defining risk appetite, evaluating alternative strategies); Performance (identifying, assessing, prioritizing risks and selecting responses in pursuit of objectives); Review & Revision (assessing how the ERM is working and improving it); and Information, Communication & Reporting. Underpinning these are around twenty principles. The key 2017 shift from the older cube was linking ERM explicitly to strategy — recognizing that the biggest risk is often choosing the wrong strategy — and putting risk appetite at the center of decision-making, rather than treating ERM as a back-office risk-list exercise.
WHAT INTERVIEWERS LISTEN FOR
- ✓2017 ERM integrates risk with strategy and performance (not compliance silo)
- ✓Five components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting
- ✓~20 underlying principles
- ✓Key shift: link to strategy, risk appetite central
COMMON MISTAKES
- ✗Describing ERM as a standalone risk list
- ✗Not knowing the five components
- ✗Missing the strategy-integration shift
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- Explain risk appetite versus risk tolerance.
- What is the primary purpose of the ICAAP under Basel?
- Explain the three lines of defense model and its role in risk management.
- What is the purpose of the ICAAP under Basel?
- What is the difference between a risk appetite statement and a risk limit?
- What is the difference between the LCR and the NSFR, and what does each one protect against?