COSO's 10 ERM Operating Disciplines: A Culture-First Perspective
- juliachinjfourth
- 2 days ago
What the new COSO guidance gets right and what it takes to make it work

The Framework Isn't the Problem
COSO has been around for decades. The frameworks are solid. So why do 80% of organisations still report a gap between how they talk about risk and how they talk about strategy?
The answer isn't in the framework. It's in the culture.
COSO's 2026 paper, "From Guidance to Action," addresses this head-on. The research is sobering:
- 98% believe ERM should be more strategic
- Only 7% are fully integrated into strategy decisions
- Only 20% report high psychological safety in leadership discussions
That last number sets a hard ceiling on everything else. When leaders don't feel safe to challenge assumptions or name uncertainty, ERM becomes performative ("we scored it") or a paperwork exercise ("we documented it").
The paper introduces 10 Operating Disciplines to bridge the gap between ERM theory and decision-ready behavior. But disciplines don't self-execute. They require culture to take root.
Here's what each discipline demands and the culture question you should be asking.
The 10 Operating Disciplines
Strategy and Value
1. Link Strategy and Risk
Every strategic decision carries uncertainty. COSO argues that strategy and risk should be discussed together, not in parallel workstreams with different language and different people.
Culture implication: This requires candor at the leadership table. If people can't challenge assumptions during strategy discussions, risk remains implicit and unmanaged.
Ask yourself: In your last strategy session, did anyone explicitly name the assumptions that must hold for the plan to work?
2. Treat Value Creation as a Required Outcome
ERM shouldn't just prevent losses. It should help leaders place better bets with clearer trade-offs and defined triggers for when to pivot.
Culture implication: Risk teams need permission and credibility to contribute to strategic conversations, not just flag concerns after decisions are made.
Ask yourself: When did your risk function last improve a business decision, not just raise a red flag?
Enterprise View
3. Make Risk Appetite Meaningful and Usable
Risk appetite statements that can't guide real-time decisions are just documentation. COSO's test: Can leaders answer three questions without reaching for a policy document?
- What are we willing to accept?
- How will we know we're nearing the boundary?
- What will we do if we cross it?
Culture implication: Leaders must be willing to set thresholds — and revise them without blame when conditions change.
Ask yourself: Can a mid-level manager apply your risk appetite to a real decision in under 60 seconds?
4. Manage Risk as a Portfolio
Organisations rarely fail from a single risk. They fail when multiple risks collide or compete for the same constrained resources.
Culture implication: Portfolio thinking requires cross-functional visibility. It means breaking silos that allow risks to accumulate unnoticed.
Ask yourself: Do you have visibility into how risks interact across your major initiatives?
Decisions and Proof
5. Prioritise Decisions Over Documentation
ERM exists to improve decisions, not produce artifacts. If a risk register doesn't change a decision, it's activity, not effectiveness.
Culture implication: Stop measuring workshops held and reports produced. Start measuring decisions influenced and surprises avoided.
Ask yourself: What decision did your last risk report actually change?
6. Measure Value, Not Activity
COSO challenges organisations to answer: "What did ERM change this quarter?" Not what was produced, but what was influenced.
Culture implication: This requires leadership to ask different questions. If executives only ask "Are we compliant?" they'll only get compliance theater.
Ask yourself: What questions do your leaders ask about ERM, and what does that signal?
Governance in Motion
7. Run Governance as a Behavior System
Governance isn't structure. It's repeatable decision behavior. Committees that "note" risks without action aren't governing; they're performing.
Culture implication: Every material risk raised should end with a clear disposition: a decision, an escalation, or a named owner with a next step.
Ask yourself: In your last risk committee, how many items were "noted" versus actually decided?
8. Embed ERM into Operating Rhythms
When ERM runs on its own calendar, it becomes peripheral. Risk conversations should happen where decisions are made: in planning, performance reviews, and delivery checkpoints.
Culture implication: Risk management stops being a separate, visible process when it's woven into how the organisation already runs, not bolted on as a standalone exercise.
Ask yourself: Is risk in the room when priorities are set and resources allocated?
Culture and Adaptation
9. Build Candor as a Capability
This is the linchpin. COSO states it directly: "The most damaging risks are rarely unknown. They are known but left unsaid."
Candor isn't a personality trait. It's a capability that must be deliberately practiced and protected.
Culture implication: Psychological safety isn't a declaration. It's a design choice built through consistent responses that reward honesty, not punish it.
Ask yourself: When someone raises an uncomfortable concern, what happens next? Does the response encourage or discourage future escalation?
10. Learn Continuously
Annual refreshes aren't learning. Real learning happens through post-mortems, pattern recognition, and updated triggers based on what actually happened.
Culture implication: This requires a blame-free environment where near-misses are celebrated as data, not buried as embarrassments.
Ask yourself: When was your last post-mortem, and did it change anything?
Where to Start
Don't try to implement all ten disciplines at once. Start with the one that addresses your biggest pain point. For most organisations, that's either:
Three practical actions for this quarter:
1. Audit your heat map. When did a green risk last trigger a decision? If never, it's decoration, not governance.
2. Test psychological safety. In your next leadership meeting, ask: "What are we least certain about right now?" Watch how people respond. Silence tells you everything.
3. Track decisions, not documents. For one quarter, measure how many decisions ERM influenced — not how many reports were produced.
The Bottom Line
COSO's 10 Operating Disciplines are a meaningful step forward. They acknowledge what practitioners have known for years: the problem isn't the framework. It's the translation into behavior.
But disciplines require culture to take hold. They require leaders who model uncertainty-naming, structures that make escalation safe, and environments where candor is practiced not just permitted.
The question isn't whether your organisation has an ERM framework.
It's whether your culture can carry it.
Where JFourth Fits
This is what transformation-focused advisory looks like.
Not just frameworks and policies. Not just risk and compliance programmes and training. But the deeper work of building organisations where risk culture, governance, and conduct are embedded in how people think, not just what they document.
We work with boards, leadership teams, and risk functions navigating these challenges.
Our focus: Building risk and compliance into business design, not bolting it on as an afterthought.
Whether you're facing a leadership transition, scaling rapidly, or recognising that your culture hasn't kept pace with your growth, the question is the same:
What kind of organisation do you want to build?
We help you answer that. And then we help you build it.
💙
JFourth Solutions helps financial institutions build compliance cultures that survive leadership transitions. From culture assessments to board advisory and team training, we focus on the human side of risk and compliance.
If your team is navigating a leadership transition, operationalising ERM, or building risk and compliance culture from scratch, let's talk.