# COSO ERM

One-sentence definition: Enterprise Risk Management framework (COSO ERM 2017, "Enterprise Risk Management: Integrating with Strategy and Performance") that integrates strategy, performance, and risk across the organization.

## Key Facts

- Five components: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting.
- Emphasizes risk appetite and a portfolio view of risk (aggregate exposure across the enterprise, not each risk in isolation).
- Complements COSO's Internal Control - Integrated Framework (the "COSO cube") and financial/operational reporting.
- Useful for board-level risk oversight and for framing risk metrics in business terms.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Tie security metrics, KRIs, and risk appetite statements to the enterprise ERM process rather than treating cyber risk as a separate silo.

**Mnemonic:** "GSPRI" → Govern, Strategy, Performance, Review, Info.

## Mini Scenario

Q: The board asks whether current cyber risk fits within the organization's risk appetite. Which model helps answer this?

A: COSO ERM, because it links risk appetite to strategy and objectives and supports a portfolio view of risk.

## Revision Checklist

- Name two COSO ERM components.
- Explain portfolio view vs individual risk.
- Describe the linkage between risk appetite and objectives.

## Related

[[ISO 31000 Risk Management Principles]] · [[Security Metrics, KPIs, KRIs]] · [[Risk Appetite, Tolerance, Capacity]] · [[Security Strategy and Roadmap]] · [[Risk Register and Reporting]] · [[Domain 1 - Index]]